RPAS safety study

DATE: dd.mm.yy

INDEX

1. SCOPE OF THE DOCUMENT
2. ANALYSIS OF OPERATIONAL SAFETY
   2.1 Competition area
   2.2 Flight operational conditions
   2.3 Daily safety briefings
   2.4 Validation flight tests
   2.5 General safety measures
   2.6 Preflight checklist
   2.7 Aircraft safety countermeasures
       2.7.1 Response to GPS failure
       2.7.2 Response to communication losses
       2.7.3 Battery protection levels
   2.8 Flight termination system
   2.9 AIRCRAFT OPERATIONAL LIMITS
       2.9.1 Distance range and autonomy
       2.9.2 Take-off and landing
       2.9.3 Speed limitations
       2.9.4 Aircraft operational conditions
   2.10 RPAS maintenance
   2.11 Meteorology
3. RISK DETECTION AND MITIGATION
4. Annex: methodology for aeronautical safety analysis

1. SCOPE OF THE DOCUMENT

Highlighted information is provided as an example. Please review it and complete it with the information that applies to your RPAS system, removing what does not apply.

This document contains the safety analysis for the RPAS system to be used by ENTITY NAME during its operation in the euRathlon 2015 competition that is being held in Piombino (Italy).

2. ANALYSIS OF OPERATIONAL SAFETY

2.1 Competition area

All the operations will be performed in the proximity of an abandoned building by the coastline (latitude 42.954241° and longitude 10.599855°). This building is owned by the Piombino local authorities, who have already given the permissions and provided the euRathlon consortium with local support. Access to the building and the competition area will be restricted and under direct control of euRathlon staff as organizers of the competition.
Flights will be conducted in uncontrolled airspace and the distance to the nearest airport is greater than 8 km (the closest airfield is Aliscarlino, located 17 km from the competition site). The competition area is located about 200 meters from an ENEL power plant, still partially out of service. No electrical wiring is present in the whole competition area.

2.2 Flight operational conditions

All the operations will be held in VLOS and daylight conditions with a maximum distance between the RPA and the security pilot of 160 meters and a maximum altitude above ground level of 40 m, within the volume of space “V70”. Only VTOL aircraft with a Maximum Take-Off Weight of less than 25 kg will be allowed to participate in the competition. Only one aircraft will be allowed to fly at a time.

Different flight volumes within which RPA operation is considered safe have been defined (see Figure 1). The areas shown in this figure are:

- Pink: access path to the competition area.
- Orange: zone for spectators and exhibitors.
- Purple: zones for the team that is participating in the competition at that time. The safety pilot will be located in one of these areas.
- Green: take-off and landing areas.
- Yellow: flight volume with an altitude limit of 10 meters.
- Cyan: flight volume with an altitude limit of 20 meters.
- Blue: flight volume with an altitude limit of 40 meters.
- Red: area where the RPA can fall in the very worst case, when a motor failure is experienced at the limits of the flight volumes.

Figure 1. Flight volumes defined for euRathlon 2015 competition.

In order to define these volumes, the distances that can be reached by an RPA in free fall after a motor failure from altitudes of 40 m, 20 m and 10 m have been calculated considering an initial velocity of 15 m/s (54 km/h) and an inclination of 0° with respect to the horizontal plane. For the VTOL RPAs that are expected during the competition, these are worst-case values.

The parabolic trajectories obtained from the study are shown in Figure 2. The minimum distances between the flight volumes and people on the ground are:

- Flight volume with maximum height of 40 m: 43 m.
- Flight volume with maximum height of 20 m: 37 m.
- Flight volume with maximum height of 10 m: 21 m.

In this study no friction has been considered, so in the real world these distances will be smaller due to this effect.

The red polygon in Figure 1 shows the area where the RPA can fall in the very worst case, when a motor failure is experienced at the limits of the flight volumes. None of the areas for spectators and team members overlap with the falling area and there is some extra distance between them. Blue, cyan and yellow prisms represent flight volumes with heights of 40 meters, 20 meters and 10 meters respectively. Note that the distance between the bounds of the flight volumes and the ENEL power plant is much bigger than the distances calculated in the free-falling study.

Figure 2. Parabolic trajectories for free falling RPAs.

Two different take-off and landing areas have been set (shown as green rectangles in Figure 1). These areas will be prepared for this purpose, so they will be flat solid surfaces marked with visible markers so that they can be easily identified by the pilot. These zones will be about 3 x 3 meters with no obstacles in the surrounding area. Each of these take-off and landing areas has an associated control area close to it from where team members can control the RPAS operation.

The coordinates that define each of the flight volumes will be provided to the RPAS operators in advance.

In the case that an RPA gets out of the flight volumes, the security pilot will have to take control of it, return it to the flight volumes and safely land it in the defined landing areas.
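The free-fall calculation described in this section can be reproduced with the script below. It is an added example, not part of the original study: it computes the drag-free reach for the stated release conditions (15 m/s, 0° inclination, generalized here to any inclination) and, to illustrate the remark about friction, integrates the same fall with a quadratic drag term whose coefficient `k` is a constructed value.

```python
import math

G = 9.81  # gravitational acceleration, m/s^2


def ballistic_reach(height_m, speed_ms=15.0, incl_deg=0.0):
    """Horizontal distance covered before ground impact, without drag.

    The RPA is treated as a point mass released at height_m with speed
    speed_ms at incl_deg above the horizontal (0 in the study).
    """
    th = math.radians(incl_deg)
    vx, vy = speed_ms * math.cos(th), speed_ms * math.sin(th)
    # y(t) = h + vy*t - g*t^2/2 = 0, positive root
    t_fall = (vy + math.sqrt(vy * vy + 2.0 * G * height_m)) / G
    return vx * t_fall


def reach_with_drag(height_m, speed_ms=15.0, incl_deg=0.0, k=0.02, dt=1e-3):
    """Same release with quadratic drag, a_drag = -k * |v| * v.

    k (in 1/m) is a constructed value, not a figure from the study.
    Integration uses semi-implicit Euler steps of dt seconds.
    """
    th = math.radians(incl_deg)
    vx, vy = speed_ms * math.cos(th), speed_ms * math.sin(th)
    x, y = 0.0, height_m
    while y > 0.0:
        v = math.hypot(vx, vy)
        vx += -k * v * vx * dt
        vy += (-G - k * v * vy) * dt
        x += vx * dt
        y += vy * dt
    return x


def study_table(heights=(40.0, 20.0, 10.0)):
    """Reach in meters for each flight-volume ceiling: (no drag, with drag)."""
    return {h: (ballistic_reach(h), reach_with_drag(h)) for h in heights}


if __name__ == "__main__":
    for h, (free, drag) in study_table().items():
        print(f"ceiling {h:4.0f} m: no drag {free:5.1f} m, with drag {drag:5.1f} m")
```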
In the case that the safety pilot cannot take control of the aircraft and the organization experts consider that the flight can pose any risk for spectators and critical infrastructure, the flight termination system (described in section 2.7.4) will be activated.

Fences will have to be installed on the sides of the public area that is closer to the abandoned building where the competition is to be held in order to protect the public from a potential RPA crash. Using these fences will also ensure that spectators won’t go into the competition area.

2.3 Workshop and safety briefings

Before the beginning of the competition, a workshop on RPAS operations will be given by the aeronautical experts from CATEC. CATEC staff has already participated as teachers in the basic and advanced RPAS pilot training courses organized by the ATO SENASA (Services and Studies for Air Navigation and Aeronautical Safety). The content of this workshop will follow the general content of SENASA RPAS operation courses and will be mainly focused on those operation aspects that have a major incidence in the safety of the operation.

Additionally, at the beginning of each of the competition days all teams will have to attend a safety briefing, given by the CATEC experts. In these briefings, the procedure and rules for the safe operation of the RPAS will be explained again to refresh participants’ memories.

2.4 Validation flight tests

Flight teams will have to provide the organization committee, in advance, with the flight plan that will be performed during each of the competition’s days. The organization committee can require the teams to introduce modifications in the flight plan to ensure safe flight operations. The flight plan will have to be approved by the organizing committee before the flights can be authorized.

2.5 General safety measures

The euRathlon organization will coordinate with local and national authorities including fire fighters and civil protection. Also, there will be fire fighting means on the site.

2.6 Preflight checklist

Before authorizing the flights, each team will have to conduct pre-flight checks following the operations manual of the RPAS and under the supervision of aerial experts from the euRathlon organization. Preflight checks are always performed on the ground to check that all the critical RPAS systems work correctly. The preflight checklist includes:

- Visual inspection of the airframe, propellers, etc.
- Visual inspection of wiring and connections.
- Check the battery levels (of the aircraft and the RC emitter).
- Turn on the RC radio.
- Using the RC radio, switch between manual and attitude mode.
- Test the operation of the motors, gradually increasing the collective up to 20% for 3 seconds.
- Move the RC radio stick that changes pitch and yaw and check that the motors react as expected.
- Check that GPS signal is available and at least 6 satellites are in sight.

2.7 Aircraft safety countermeasures

2.7.1 Response to GPS failure

If there is a GPS loss while flying in position and attitude mode, the autopilot automatically switches to attitude mode. If the GPS signal is recovered for 2 seconds or more, the autopilot will switch back to position and attitude mode.

2.7.2 Response to communication losses

If the command and control data link is lost for more than 3 seconds, the autopilot will switch to failsafe mode. Two different configurations can be set:

- Hovering.
- Return to Home.

2.7.3 Battery protection levels

Describe the different protection levels that can be set and what the system does when the battery level falls below those thresholds.

2.7.4 Flight termination system

Describe what the RPAS does when the crash button is pushed. This could be just switching off all the motors, or could include additional devices such as parachutes.

2.8 AIRCRAFT OPERATIONAL LIMITS

2.8.1 Distance range and autonomy

The aircraft can fly for 10 minutes with the nominal payload elements.
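The mode-switching rules of sections 2.7.1 and 2.7.2 can be checked against a telemetry timeline with the model below. It is an added example, not taken from the RPAS or any autopilot firmware: the class, the mode names and the timeline are constructed, and the return from failsafe once the link is restored is an assumption, since the document does not describe it.

```python
from dataclasses import dataclass
from typing import Optional

GPS_RECOVERY_S = 2.0  # section 2.7.1: GPS recovered for 2 seconds or more
LINK_TIMEOUT_S = 3.0  # section 2.7.2: link lost for more than 3 seconds


@dataclass
class Autopilot:
    failsafe_action: str = "RETURN_TO_HOME"  # other configuration: "HOVER"
    mode: str = "POSITION"                   # position and attitude mode
    gps_ok_since: Optional[float] = 0.0      # start of the current GPS fix
    link_lost_since: Optional[float] = None  # start of the current outage

    def step(self, t, gps_ok, link_ok):
        """Feed one telemetry sample (t in seconds) and return the mode."""
        if not gps_ok:
            self.gps_ok_since = None
        elif self.gps_ok_since is None:
            self.gps_ok_since = t
        if link_ok:
            self.link_lost_since = None
        elif self.link_lost_since is None:
            self.link_lost_since = t

        link_timed_out = (self.link_lost_since is not None
                          and t - self.link_lost_since > LINK_TIMEOUT_S)
        gps_stable = (self.gps_ok_since is not None
                      and t - self.gps_ok_since >= GPS_RECOVERY_S)
        if link_timed_out:
            self.mode = "FAILSAFE_" + self.failsafe_action
        elif not gps_ok:
            self.mode = "ATTITUDE"
        elif self.mode == "POSITION" or gps_stable:
            self.mode = "POSITION"
        else:
            # GPS is back but for less than 2 s. Assumption: the same rule
            # applies when leaving failsafe after the link is restored.
            self.mode = "ATTITUDE"
        return self.mode


# Constructed timeline: (time s, GPS available, C2 link available)
TIMELINE = [
    (0.0, True, True),    # nominal flight
    (1.0, False, True),   # GPS lost
    (2.0, True, True),    # GPS back, not yet for 2 s
    (3.0, False, True),   # lost again: the recovery timer restarts
    (4.0, True, True),
    (5.0, True, True),
    (6.0, True, True),    # 2 s of continuous GPS
    (7.0, True, False),   # link outage begins
    (9.0, True, False),
    (10.0, True, False),  # exactly 3 s: not "more than 3 seconds"
    (10.5, True, False),  # 3.5 s: failsafe
    (12.0, True, True),   # link restored
]


def run(timeline, failsafe_action="RETURN_TO_HOME"):
    """Return the mode after each sample of the timeline."""
    ap = Autopilot(failsafe_action=failsafe_action)
    return [ap.step(t, gps, link) for t, gps, link in timeline]


if __name__ == "__main__":
    for (t, _, _), mode in zip(TIMELINE, run(TIMELINE)):
        print(f"{t:5.1f} s  {mode}")
```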
The autopilot can be configured to restrict the distance between the aircraft and the home point and set a limit for the maximum altitude above the ground level. The maximum distance between the aircraft and the home point will be about 200 meters and the maximum altitude above ground level will be restricted to 50 meters.

2.8.2 Take-off and landing

The RPAS is VTOL, so take-off and landing operations are performed vertically from and to any flat surface. Therefore, a runway is not needed for taking off and landing.

2.8.3 Speed limitations

- Maximum climb rate and descent speed: 6 m/s.
- Maximum speed: 15 m/s.
- Maximum roll/pitch angle: 35°.
- Maximum angular speed: 150°/s.

2.8.4 Aircraft operational conditions

- Maximum wind speed: 8 m/s.
- Temperature operational range: -5 °C to +60 °C.
- The RPAS cannot operate in rain/snow conditions.
- The RPAS cannot operate when the meteorological conditions can cause the formation of ice.
- The RPAS cannot operate in low-visibility conditions (e.g. foggy days) and during night.

2.9 RPAS maintenance

RPAS maintenance will be performed according to the Maintenance Manual.

2.10 Meteorology

The pilot will not authorize the flight if unfavorable weather conditions are experienced or expected in the short term. Weather forecast information will be consulted one day in advance and it will be updated every 5 hours. Special attention will be paid to the aircraft operational limits indicated in section 2.8.4.

3. RISK DETECTION AND MITIGATION

Complete the chart indicating what your system does under the indicated conditions.

The methodology that has been used for the aeronautical safety analysis is based on that developed by the Norwegian company Scandiavia and used by the Civil Authorization Authorities of Norway and Spain. A detailed description is provided in section 4.
| Cause | P/S/E (1) | Risk Index | Mitigation | P/S/E (2) | Residual Risk Index (3) |
|---|---|---|---|---|---|
| Control loss due to unfavorable weather conditions | 4/3/-2 | 10 | The pilot and director of operations will not authorize the flight if unfavorable weather conditions are experienced or expected in the short term. Weather forecast information will be consulted one day in advance and it will be updated every 5 hours. Special attention will be paid to the aircraft operational limits indicated in section 2.8.4. In the event of losing control of the aircraft, a Return To Home mission will be commanded from the safety pilot RC radio or the flight termination system (crash button) will be pushed. The flight volumes have been defined such that flights will always be conducted in line of sight and with a safety distance from areas where people on the ground are located. | 2/2/-2 | 2 |
| Run out of battery during the flight | 3/3/-2 | 7 | During the preflight the levels of the batteries are checked. Given the length and nature of the flights it is unlikely that the battery drains if proper battery levels were checked during preflight operations. The battery level can be monitored on the ground using the Ground Control Station or an OSD system. In the unlikely case of draining the battery during the flight, the autopilot is configured with two protection levels and in the last one an emergency landing will be performed. | 2/2/-2 | 2 |
| RC radio link lost | 3/3/-2 | 7 | The RC radio link has a range of more than 3 km. As the maximum distance between the aircraft and pilot during the flight will be 160 meters and the electromagnetic line of sight will not be blocked, it is highly improbable that the RC radio link gets lost. In the case that the RC link is lost, the aircraft will enter a failsafe mode in which a Return to Home flight will be performed as described in section 2.7.2. | 2/2/-2 | 2 |
| Interferences in the RC radio link | 3/3/-2 | 7 | The RC radio link uses FHSS (Frequency Hopping Spread Spectrum) techniques, which make the link more robust against interferences. Before taking off, a spectrum analyzer will be used to scan the radioelectric spectrum to be sure that no other signal is being transmitted in the frequency band used by the RC radio. In the case that the RC link is lost, the aircraft will enter a failsafe mode in which a Return to Home flight will be performed as described in section 2.7.2. | 2/2/-2 | 2 |
| GPS loss | 5/3/-2 | 13 | Before taking off, the number of GPS satellites in view will be checked. The aircraft will only take off if the number of satellites in sight is bigger than 6. In the event of a degradation of the quality of the GPS signal or if this signal is lost, the autopilot will immediately switch to operating in attitude mode (this mode does not require GPS signal). The safety pilot will be warned by indicators in the Ground Control Station or the video with OSD data. | 4/1/-2 | 2 |
| Pilot loses visual contact with the aircraft | 3/4/-2 | 10 | Flights will be performed in daylight conditions and the maximum distance between the aircraft and the safety pilot will be 160 meters. If during the flight the pilot does not feel confident about the position and/or attitude of the aircraft, he/she can command a Return to Home mission so the aircraft can automatically fly to the home point. When the safety pilot considers that proper visibility conditions have been recovered, he/she can take control of the aircraft again. | 2/2/-2 | 2 |
| Another aircraft enters the same airspace | 3/4/-2 | 10 | Only one aircraft will be allowed to fly at a time in the competition. Flights will be conducted in uncontrolled airspace and the closest airfield is 17 km from the flight area. Nevertheless, aeronautical radio devices will be used to listen to aeronautical communications in order to anticipate any aircraft incursion into the airspace of the competition. Flights will be conducted in visual line of sight conditions so the incursion of another aircraft will be easily detected. If this happens the safety pilot will take control of the aircraft and proceed to land it. | 2/2/-2 | 2 |
| People or ground/maritime aircraft enter the flight area | 4/4/-2 | 14 | euRathlon staff will control the access to the different areas of the competition to avoid unauthorized people entering the different areas. Those members of the organizing staff that will have to be closer to the competition area (e.g. competition judges) will use Personal Protective Equipment (PPE) including helmets and security glasses. Fences will be installed in the areas for spectators to avoid unauthorized incursions. In addition, flights will be conducted in visual line of sight conditions so the incursion of people or vehicles in the flight area will be easily detected. If this happens the safety pilot will take control of the aircraft and proceed to land it. | 2/3/-2 | 4 |
| The aircraft goes out of the defined flight volumes | 3/4/-2 | 10 | Flights will be conducted in visual line of sight conditions so, if the safety pilot observes that the RPA deviates from the desired trajectory, he/she will take manual control of the aircraft. If the aircraft goes out of the flight volumes and the safety pilot cannot take manual control of it, he/she will command a Return to Home mission. If this doesn’t work either, the flight termination system will be commanded if there is any danger for people or infrastructure. The flight termination system will cause the aircraft to fall, so the safety pilot will activate this system when the aircraft is expected to fall in an area such that the damages will be minimized. | 2/2/-2 | 2 |
| Failure of the electronic systems | 3/3/-2 | 7 | Qualified pilots and technicians for aircraft maintenance will be present before, during and after the flights. Preflight checks will always be carried out before any flight. These checks include inspection of the electronic systems and wiring of the aircraft. | 2/2/-2 | 2 |
| Aircraft structural failure | 3/3/-2 | 7 | The airframe structure is examined by the pilot, technicians and organization members before each flight during the preflight. | 2/2/-2 | 2 |
| Failure of a single motor during the flight | 4/3/-2 | 10 | During the preflight, the operation of the aircraft motors is checked. In the event of a motor failure operating in attitude or position mode, the aircraft will still be able to fly but it will start to rotate with respect to its vertical axis. The safety pilot will try to lead the aircraft to a safe area where it can descend slowly and finally land. | 3/1/-2 | 1 |
| Failure of multiple motors during the flight | 3/3/-2 | 7 | During the preflight, the operation of the aircraft motors is checked. In the event of a failure in multiple motors, the safety pilot will try to take control of the aircraft and lead it to an area such that the potential damages are minimized. Flight volumes have been defined such that in the event of failure of multiple motors, the aircraft will not crash against people or critical infrastructure. | 2/2/-2 | 2 |
| RC radio runs out of batteries | 2/3/-2 | 4 | During the preflight, the levels of the batteries of the RC radio are checked. The RC radio includes an indicator of the battery level on a screen so the pilot can estimate the remaining flight time. The batteries of the RC radio have an autonomy of 4 hours, much longer than the duration of any of the flights to be performed. In the event that the low battery level indicator becomes active, the safety pilot will immediately land the aircraft. | 1/1/-2 | -1 |
| Control system failure (software or hardware) | 3/3/-2 | 7 | Both the software and hardware in charge of controlling the aircraft have already been widely tested in flight. If any failure is experienced during the flight, the safety pilot will take control of the aircraft and land it safely. | 2/2/-2 | 2 |
| Potential damages in populated areas around the flight area | 2/3/-2 | 4 | Flights will be performed in an unpopulated area. Flight volumes have been defined such that no houses will be overflown during the competition. | 1/3/-2 | 1 |

(1) Probability [1, 5] / Seriousness [1, 5] / Exposure to risk [-3, 3], before mitigation measures are adopted. Risk index = Probability x Seriousness + Exposure.
(2) Probability / Seriousness / Exposure to risk, after mitigation measures are adopted.
(3) Risk index: 0-6 acceptable risk; 7-14 RPAS operation should be avoided and can only be performed under special authorization; 15-25 RPAS operation cannot be performed.

4. Annex: methodology for aeronautical safety analysis

The methodology that has been used for the aeronautical safety analysis is based on that developed by the Norwegian company Scandiavia and used by the Civil Authorization Authorities of Norway and Spain.

The safety level is calculated using the following formula:

(Frequency Index) x (Seriousness Index) + Exposure Index

The frequency index reflects the probability of occurrence of the event:

5: the event may occur once in 10 flights.
4: the event may occur between 1 and 10 times in 100 flights.
3: the event may occur between 1 and 10 times in 1000 flights.
2: the event may occur between 1 and 10 times in 1000 flights.
1: the event may occur less than once in 1000 flights.

The seriousness index is defined as follows:

5. The event may cause:
   - Death or permanent total disabilities to people.
   - Economic losses higher than 700000 €.
   - Irreversible damage to the environment.
4. The event may cause:
   - Permanent partial disabilities to people, or injury or disease that may result in hospitalization of at least three people.
   - Economic losses between 150000 € and 700000 €.
   - Severe damage to the environment that can be reversed applying corrective measures.
3. The event may cause:
   - Injury or disease causing sick leaves.
   - Economic losses between 7000 € and 150000 €.
   - Damage to the environment that can be reversed without applying corrective measures.
2. The event may cause:
   - Injury or disease that doesn’t cause sick leaves.
   - Economic losses between 1500 € and 7000 €.
   - Damage to the environment that can be reversed without applying corrective measures.
1. The event may cause:
   - Economic losses lower than 1500 €.

The exposure index depends on the number of flights to be performed. Its value must be in the range between -3 and 3.

According to the value of the risk index, the following cases are considered:

- 0-6. RPAS operation can be carried out with acceptable risk.
- 7-14. RPAS operation should be avoided and can only be performed under special authorization from the Civil Aviation Authority.
- 15-25. RPAS operation cannot be performed.
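A completed chart from section 3 can be checked mechanically against the formula and bands of this annex. The script below is an added example, not part of the methodology: the function names are constructed, the register holds five rows copied from section 3, and treating an index below 0 as acceptable and one above 25 as not permitted are assumptions, because the annex bands only cover 0 to 25.

```python
import re

# Bands from the annex: (upper bound, meaning)
BANDS = [(6, "acceptable"), (14, "special authorization"), (25, "not permitted")]


def parse_pse(text):
    """Parse a 'P/S/E' cell and enforce the ranges P, S in [1, 5], E in [-3, 3]."""
    m = re.fullmatch(r"\s*(\d+)/(\d+)/(-?\d+)\s*", text)
    if not m:
        raise ValueError(f"not a P/S/E triple: {text!r}")
    p, s, e = (int(g) for g in m.groups())
    if not (1 <= p <= 5 and 1 <= s <= 5 and -3 <= e <= 3):
        raise ValueError(f"value out of range in {text!r}")
    return p, s, e


def risk_index(p, s, e):
    """(Frequency Index) x (Seriousness Index) + Exposure Index."""
    return p * s + e


def band(index):
    # Assumption: below 0 counts as acceptable, above 25 as not permitted.
    for upper, label in BANDS:
        if index <= upper:
            return label
    return BANDS[-1][1]


# (cause, P/S/E before, stated index, P/S/E after, stated residual index)
REGISTER = [
    ("Control loss due to unfavorable weather conditions", "4/3/-2", 10, "2/2/-2", 2),
    ("GPS loss", "5/3/-2", 13, "4/1/-2", 2),
    ("People or ground/maritime aircraft enter the flight area", "4/4/-2", 14, "2/3/-2", 4),
    ("RC radio runs out of batteries", "2/3/-2", 4, "1/1/-2", -1),
    ("Potential damages in populated areas around the flight area", "2/3/-2", 4, "1/3/-2", 1),
]


def audit(register):
    """Recompute every index and list inconsistencies per cause."""
    report = []
    for cause, before, stated_before, after, stated_after in register:
        problems, bands = [], {}
        for label, cell, stated in (("before", before, stated_before),
                                    ("after", after, stated_after)):
            try:
                index = risk_index(*parse_pse(cell))
            except ValueError as exc:
                problems.append(f"{label}: {exc}")
                continue
            bands[label] = band(index)
            if index != stated:
                problems.append(f"{label}: stated {stated}, computed {index}")
        if bands.get("after") not in (None, "acceptable"):
            problems.append("residual risk is outside the acceptable band")
        report.append({"cause": cause, "bands": bands, "problems": problems})
    return report


if __name__ == "__main__":
    for row in audit(REGISTER):
        print(row["cause"], row["bands"], row["problems"] or "consistent")
```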