Cross Domain Relationships with Standards and Regulations

Author – Jamie Sayer CEng MBA SIIRSM RPP, Senior Principal Systems Engineer & UAV Expert, QinetiQ

1 Introduction

This paper explores details of the regulations currently applicable to the different drone domains (Aviation, Maritime & Land).

2 Aviation - Unmanned Air Systems (UAS)

The European Directive 2019/945 sets certain conformity requirements for Open Class UAS. These requirements were due to become enforceable on 1st January 2023. However, due to the lack of a current set of harmonized standards within the European Union (EU) to deal with the EASA 945 requirements, implementation is now delayed for at least 12 months, with further discrete allowances to continue to operate non-conforming products under certain circumstances.

The EASA 945 Directive was a sensible step to ensure better control over products in the European market and to move away from the current ‘wild-west’ manner of doing business. It also provided freedoms for National Authorities to set their own basis or ‘Scheme’ for product conformity and hence ensure quality, airworthiness and safety. Unfortunately, National Authorities have so far seemed unable to grasp the baton and conclude the means to achieve CE marking in accordance with EASA 945. Otherwise, EASA 945 was a wise and welcome step towards the provision of a safe market for UAS.

EASA 945 was enshrined into UK law in 2020. Close ties with the EU will be clearly important for the UK UAS industry, so it is important to note that, unless the law changes in the UK to alter the regulation implementation date, these rules are currently enforceable in the UK on 1 January 2023 - with obvious implications for producers, importers, insurance agents and operators of Open Class UAS.

There are already many standards available to a Drone Design Company CEO to utilise to achieve product quality, repeatable airworthy and aerodynamic performance, and safety of product and operations. There are also many manned aviation standards available. So, the Drone Designer CEO could literally pick and choose from best practice within the standards already available, but they need direction. That direction depends upon the class of UAS provided and the type of operation in a risk-based archetype, best illustrated by the navigation of scenarios depicted in the diagram below.

 

At the moment there appears to be a severe lack of direction or best practice dictated by National Authorities, that is, a lack of ‘Schemes’. If Schemes were in place, then just like manned aviation regulations, conformity audits/assessments could take place and hence the UAS ‘wild-west’ would become regulated. It is important to point out that a National Authority does not necessarily need to dictate conformance with certain standards, but must assure the desired outcomes: quality, repeatable airworthy/aerodynamic performance, a safe product and safety of operation, amongst other more objective requirements such as noise levels, voltage levels, etc.

A rather complicated example of the EASA 945 requirements is the need to have geo-awareness capability. For Class 1 systems and above the requirements are as follows:
The UAS must be equipped with a geo-awareness function that provides:

  • an interface to load and update data containing information on airspace limitations related to UA position and height imposed by the UAS geographical zones, as defined by Article 15 of Implementing Regulation (EU) 2019/947, which ensures that the process of loading or updating such data does not degrade its integrity and validity
  • a warning alert to the remote pilot when a potential breach of airspace limitations is detected
  • information to the remote pilot on the UA’s status as well as a warning alert when its positioning or navigation systems cannot ensure the proper functioning of the geo-awareness function;

If the UA has a function that limits its access to certain airspace areas or volumes, this function shall operate in such a manner that it interacts smoothly with the flight control system of the UA, without adversely affecting flight safety. In addition, clear information shall be provided to the remote pilot when this function prevents the UA from entering these airspace areas or volumes.
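The three geo-awareness functions listed above, sketched as an added example (not code from the regulation, the author or any autopilot project). The JSON zone layout, the SHA-256 digest published out of band, the refusal of older data versions, the local-metre coordinates, the 50 m alert margin and the 10 m accuracy limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import math

# Constructed sample data: one square no-fly zone (height limit 0 m), local metres.
ZONE_FILE = json.dumps({
    "version": 7,
    "zones": [{"id": "DEMO-1", "max_height_m": 0,
               "polygon": [[0, 0], [1000, 0], [1000, 1000], [0, 1000]]}],
}, sort_keys=True).encode()
PUBLISHED_SHA256 = hashlib.sha256(ZONE_FILE).hexdigest()  # assumed out-of-band digest

ALERT_MARGIN_M = 50.0        # assumed warning distance to a zone boundary
MAX_POSITION_ERROR_M = 10.0  # assumed limit above which geo-awareness is not trusted


def _edges(poly):
    return zip(poly, poly[1:] + poly[:1])


def _inside(x, y, poly):
    """Ray-casting point-in-polygon test."""
    inside = False
    for (x1, y1), (x2, y2) in _edges(poly):
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return inside


def _distance(x, y, poly):
    """Horizontal distance to the zone in metres; 0.0 when inside it."""
    if _inside(x, y, poly):
        return 0.0
    best = math.inf
    for (x1, y1), (x2, y2) in _edges(poly):
        dx, dy = x2 - x1, y2 - y1
        t = ((x - x1) * dx + (y - y1) * dy) / ((dx * dx + dy * dy) or 1.0)
        t = max(0.0, min(1.0, t))
        best = min(best, math.hypot(x - (x1 + t * dx), y - (y1 + t * dy)))
    return best


class GeoAwareness:
    def __init__(self):
        self.version = 0
        self.zones = []

    def load(self, blob, expected_sha256):
        """Swap in new zone data only if it is intact, well formed and not older."""
        digest = hashlib.sha256(blob).hexdigest()
        if not hmac.compare_digest(digest, expected_sha256):
            return False  # corrupted or altered in transit: keep the current data
        try:
            data = json.loads(blob)
            version = int(data["version"])
            zones = [(z["id"], float(z["max_height_m"]),
                      [(float(px), float(py)) for px, py in z["polygon"]])
                     for z in data["zones"]]
        except (ValueError, KeyError, TypeError):
            return False
        if version < self.version or any(len(p) < 3 for _, _, p in zones):
            return False
        self.version, self.zones = version, zones
        return True

    def check(self, x, y, height_m, position_error_m):
        """Return the alerts to show the remote pilot for one position fix."""
        alerts = []
        if not self.zones:
            alerts.append("NO_ZONE_DATA")
        if position_error_m > MAX_POSITION_ERROR_M:
            alerts.append("NAV_DEGRADED")
        # The warning margin grows with position uncertainty.
        margin = ALERT_MARGIN_M + position_error_m
        for zone_id, max_height, poly in self.zones:
            if height_m <= max_height:
                continue  # below this zone's height limit
            d = _distance(x, y, poly)
            if d == 0.0:
                alerts.append("BREACH:" + zone_id)
            elif d <= margin:
                alerts.append("POTENTIAL_BREACH:" + zone_id)
        return alerts
```

A rejected load leaves the previously accepted zone data in place, so a failed update never leaves the function without data it had already validated.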

It would be interesting to muse over likely means of compliance assessment with this requirement, as some UAS can exhibit strange behaviours when trying to deal with a geography restriction whilst also dealing with other operating constraints and environmental conditions (such as wind gusts, turbulence and GPS/RF blackspots) and some modes of conduct, such as guided mode (common on most Pixhawk systems). UAS autopilots in ‘guided modes’ may attempt to predict breaches of the geo-fence and set up sudden loiter orbits. When these orbits are faced with certain environmental conditions, the geo-fence can be breached by rather large margins.

There has been some speculation (in SME panels and innovation meetings) that the UK may make geo-fence capability, rather than awareness, mandatory for UK operations. Whilst this may make sense to protect Critical National Infrastructure and airports, etc, the means of compliance and market surveillance could become tricky. Hence, the geo-awareness capability is not likely to be purely left up to the OEM to prove adequate and repeatable performance, but a UK National Scheme may require the OEM to undergo a specific test at recognised specialised testing sites that place the UAS into situations likely to be encountered in arduous conditions to prove a credible capability. This clearly has implications for the OEM and/or importing agents and sets the scene for specific infrastructure investment for UAS testing in the UK.

Whichever way the UK decides to go with this, it is important to highlight that operators who intend to disregard the current EASA 945 & 947 rules without a waiver from National Authorities (CAA) risk breaching the law and, probably with more serious potential consequences, breaching their insurance policies.

What is now urgently needed is for the public bodies responsible for all of this, namely the Department for Transport and the CAA, to create the UK Scheme to facilitate conformity and desirable outcomes for the UK UAS market. The UK Scheme must be able to handle the simplest form of Open Class of UAS to the more complicated Specific Class. The UK Scheme must not dictate standards but highlight methods to achieve desirable outcomes.

In other words, it should present measures of success for each criterion to be examined or assessed. This is not that hard to do within an aviation environment that has been operating for decades and is very used to regular evolutions in technical and safety outcomes.

3 Maritime Standards and Regulation

3.1 Who is involved:

Lloyds Register is concerned principally with type approval and certification of key elements of a maritime capability.

IMO – International Maritime Organisation – as a regulator of international commercial shipping, appears to have little to say on drone standards, although https://docs.imo.org/Shared/Download.aspx?did=114675 gives a useful example in the use of drones for marine environment monitoring. The IMO has published Interim Guidelines for MASS trials in MSC.1/Circ.1604.

MCA – The Maritime and Coastguard Agency - has many references to drone applications but nothing on the infrastructure to underwrite operations in increasingly contested space or assure safety.

MASS UK - Maritime Autonomous Surface Ship has produced The Industry Conduct Principles and Code of Practice Version 3 which is very instructive.

3.2 Levels of control

A number of systems for categorising the level of control applicable to MASS have been developed, notably by the European Defence Agency’s Safety and Regulations for European Unmanned Maritime Systems (SARUMS) group.

Table 1-4: Level of Control Definitions

| Level | Name | Description |
|---|---|---|
| 0 | Manned | MASS is controlled by operators aboard. |
| 1 | Operated | Under Operated control all cognitive functionality is within the human operator. The operator has direct contact with the MASS over e.g., continuous radio (R/C) and/or cable (e.g., tethered UUVs and ROVs). The operator makes all decisions, directs and controls all vehicle and mission functions. |
| 2 | Directed | Under Directed control some degree of reasoning and ability to respond is implemented into the MASS. It may sense the environment, report its state and suggest one or several actions. It may also suggest possible actions to the operator, such as e.g. prompting the operator for information or decisions. However, the authority to make decisions is with the operator. The MASS will act only if commanded and/or permitted to do so. |
| 3 | Delegated | The MASS is now authorised to execute some functions. It may sense environment, report its state and define actions and report its intention. The operator has the option to object to (veto) intentions declared by the MASS during a certain time, after which the MASS will act. The initiative emanates from the MASS and decision-making is shared between the operator and the MASS. |
| 4 | Monitored | The MASS will sense environment and report its state. The MASS defines actions, decides, acts and reports its action. The operator may monitor the events. |
| 5 | Autonomous | The MASS will sense environment, define possible actions, decide and act. The Unmanned Vessel is afforded a maximum degree of independence and self-determination within the context of the system capabilities and limitations. Autonomous functions are invoked by the on-board systems at occasions decided by the same, without notifying any external units or operators. |

Definitions for Level of Control (LoC) are shown at Table 1-4 and should be considered alongside the Degrees of Autonomy in Table 1-2. In practice, levels of control may be different for different functions aboard the same MASS (e.g. a MASS navigating under LoC 4 may also deploy a payload that is controlled at LoC 2). The LoC applied to the MASS may also change during a voyage (e.g. LoC 1 in a VTS, but LoC 4 in open ocean passage).

3.3 Degrees of Autonomy

The following Degrees of Autonomy have been established by the International Maritime Organization for their Regulatory Scoping Exercise (RSE) in IMO MSC.1/Circular.1638:

Table 1-2: Degrees of Autonomy (IMO)

| Degree | Name | Description |
|---|---|---|
| 1 | Ship with automated processes and decision support. | Seafarers are on board to operate and control shipboard systems and functions. Some operations may be automated and at times be unsupervised but with seafarers on board ready to take control. |
| 2 | Remotely controlled ship with seafarers on board. | The ship is controlled and operated from another location. Seafarers are available on board to take control and to operate the shipboard systems and functions. |
| 3 | Remotely controlled ship without seafarers on board. | The ship is controlled and operated from another location. There are no seafarers on board. |
| 4 | Fully autonomous ship. | The operating system of the ship is able to make decisions and determine actions by itself. |

The RSE provides the assessment of the degree to which the existing regulatory framework under the purview of IMO might be affected in order to address MASS operations.

3.4 Classes of Maritime Autonomous Surface Ship (MASS)

The MASS UK Industry Conduct Principles and Code of Practice Version 3 identifies several classes of MASS based on the intended use, size, speed and potential hazard to other ships and shipping. The intention of these classes is to discriminate those MASS that are inherently unlikely to cause a hazard to most other marine users, by virtue of their size and speed, from those classes of MASS that, by nature of their size and speed, are likely to pose a hazard to other marine users equivalent to that posed by manned vessels. These classes are primarily derived from the existing categories that are contained within either the COLREGS [1] or the Load Line Convention [2] and are purposely selected to maintain commonality of requirement with those instruments wherever possible.


Notes:

1. Convention on the International Regulations for Collisions at Sea, 1972 (COLREGs).
2. Load Line Convention (1966) ensures: adequate structural strength, protection of safe means of access for the crew, ensures the watertight integrity of ship's hull below freeboard deck and preserves the reserve buoyancy by establishing minimum permissible freeboards.


The classes also reflect the feasible level of situational awareness that can be provided, given size and payload constraints.

Classes of MASS are shown below at Table 2-1. It should be noted that this Code will primarily apply to Ultra-Light, Light, Small classes and some High-Speed MASS. Exemptions may be specially considered on a case-by-case basis. Operating speeds need to be taken into account in all risk assessments, noting the various requirements of the COLREGS.

Table 2-1: Classes of MASS

  • Ultra-light: Length overall <7m
  • Light: Length overall ≥7m to <12m
  • Small: Length overall ≥12m to <24m
  • Large: Length ≥24m
  • High-Speed: Operating speed V is not less than V = 7.19 ∇^(1/6) knots

For the purposes of this Code, these classes will apply to MASS constructed on or after 1 January 2019. Derogations from these classes may be appropriate in certain circumstances where risk to other marine traffic can be proven to be reduced and may be considered by the relevant authority. However, this will normally be the exception to the rule.

3.5 MASS Standards

This Code provides standards which may be appropriate for Owners/Operators to select to use for the various categories of MASS envisaged. The Code is based on an approach to which appropriate standards can be applied, noting that many of the existing Instruments and Regulations are derived from the SOLAS Regulations, which, for some MASS, may not be appropriate.

Ultra-Light MASS, as defined above, which are not used for financial gain or reward do not have to comply with the requirements for registration, or certification. This comparative freedom from regulation is in part based on an assumption that the sector will, as a matter of self-discipline and shared safety responsibility, pay proper regard to safety matters.

If an unmanned MASS is not a “pleasure or recreational MASS” it is considered to be used for reward for the purposes of this Code unless engaged on Government business.

It is the responsibility of the Owner/Operator to ensure that a MASS (and any associated RCC) is properly maintained, examined and manned in accordance with the Code. The Code applies whether the Owner/Operator is corporate, private or of a charitable nature.

3.6 Certification

As per current national and international processes and practices, a MASS must comply with all the requirements of this Code for the relevant class of MASS and for the intended operating area where it is considered necessary, to the satisfaction of an appropriate Regulatory Organisation (RO) to be issued with a certificate for a particular area of operation. The requirement for, and issue of, certificates, will reflect the development of best practice and is included in this Code to demonstrate the clear intent of the Industry to show to the wider maritime community that unmanned MASS should not be exempt from established procedures wherever they are relevant and specifically where they will contribute to overall safety standards.

When issued to a MASS, a certificate should normally be valid for a period not exceeding five years.

3.7 Interpretation

Where a question of application of the Code or an interpretation of a part of the Code arises, the Owner/Operator of the MASS concerned should in the first instance seek clarification from the RO. In situations where it is not possible to resolve an issue of interpretation the RO may apply in writing for advice on interpretation to the Administration, who may consult with others as deemed appropriate.

3.8 Equivalent Standards

When the Code requires that a particular piece of equipment or machinery should be provided or carried in a MASS, or that any particular provision should be made to a specified standard, consideration may be given to application to the Administration to permit any other piece of equipment or machinery to be provided or carried, or any other provision to be made. For MASS less than 24 metres in length this is likely to be unnecessary. If an application is made, the Administration will need to be satisfied by trials or otherwise that the alternative is at least as effective as that stipulated within the Code.

3.9 Procedures to Ensure Safe Operation of MASS

The regulations and rules, not addressed by this Code, which apply to all MASS include, but are not limited to:

  • The IMO Instruments
  • Local navigation rules
  • National health and safety regulations
  • The Code of Safe Working Practices for Merchant Seamen; all relevant national shipping or guidance notices

The Operator should pay due adherence to the many and varied statutes, legislations, rules, regulations and Codes of practice that apply to seafaring. Although the autonomous nature of the MASS operation may seem to negate some requirements, it is the unmanned aspect that should demand increased awareness. Any procedures produced should pay particular attention to this detail, especially those systems and equipment procedures that are required to avoid collision.

The Operator should formulate and document procedures to ensure that safe working practices are carried out in the operation of the MASS. These may be in the form of checklists, which can be followed by all personnel irrespective of their location.

Simple procedures should be developed for the operation of the MASS.

These should include, but not be limited to:

  • Testing of equipment, including propulsion and steering gear, prior to commencing a passage
  • Navigation and handling of the MASS
  • Maintenance routines
  • Bunkering operations
  • Watertight/weathertight integrity
  • Stability of the MASS
  • Conduct of passengers and crew if utilised on board

Due to the autonomous nature of MASS operation, the following areas should be considered on top of traditional vessel operating procedures:

  • Anti-Collision, unmanned MASS and the ability to detect and avoid collision
  • Cyber Security, anti-hacking and vessel hijacking for remote operated MASS
  • Anti-Piracy, close protection, remote control etc
  • SOLAS Reg 14, Considerations pertaining to evidence of minimum manning level requirements
  • SOLAS Reg 33, Distress situations and how the Operator meets its obligations and responsibilities to other mariners in distress

4 Sub-Surface Drones

Underwater drones may be used for a wide range of purposes, such as research and monitoring, exploration, inspecting and repairing ship hulls and other installations, surveys, measurement of water and habitat quality, search and rescue, and military purposes, e.g. underwater mine warfare. Underwater drones will continue to find application in areas where there is hard and soft economic benefit i.e. removing people from operations which are dull, dangerous or dirty or where the drone permits some activity which has historically proved impossible or prohibitive.

The relatively low usage (compared to the other domains), the complexities and rigours of the underwater environment (corrosion, poor communications) and the specialised nature of most operations (oil and gas installation inspection etc) means that take-up will be slow for the foreseeable future and most applications will be confined to RP vehicles in a fly-by-wire configuration.

Whilst there are, for example, ISO/BSI references to marine installations, ships and O&G exploration, there are no specific standards for the design and or operation of underwater vehicles of the type contemplated here.

4.1 Land Standards and Regulation

Automation in the land environment is taking us all on an evolutionary journey from which all environments can take lessons. The move from the introduction of cruise control to driverless vehicles requires ever more technology but, more importantly, deeply researched risk analysis in this highly complex and frenetic environment. The car is no longer simply a mobile box controlled by a driver. It is a system within a system that relies on many external inputs and the interaction of hardware and software to keep us safe.

4.1.1 Automotive precedents

Accepted practice defines levels of automation in relation to system or operational function. Therefore, while set-ups are different for vehicles operating on land and sea, the Society of Automotive Engineers’ (SAE) J3016 Recommended Practice: Taxonomy and Definitions for Terms Related to Driving Automation Systems for On-Road Motor Vehicles provides extensive food for thought.

SAE offers an industry-standard scale from zero to five to describe this continuum, commonly referenced as the SAE Levels of Driving Automation. The accepted explanations of SAE levels of driving automation are summarised as follows:

  • Level 0: No Automation. The driver is completely responsible for controlling the vehicle, performing all steering, braking, accelerating, etc., but additional safety features can be incorporated as backup. These may include cameras, collision warnings and even automatic emergency braking that is applied in the event of an imminent collision.
  • Level 1: Driver Assistance. Automated systems take over aspects of control in specific situations, but do not take full control of the vehicle. An example is adaptive cruise control, which controls acceleration and braking on the highway, meaning drivers can take their feet off the pedals.
  • Level 2: Partial Automation. At this level, the vehicle can perform more complex functions that pair lateral control (steering) with longitudinal control (acceleration and braking), due to additional sensors that have a greater awareness of the surroundings.
  • Level 3: Conditional Automation. At Level 3, drivers can disengage from the act of driving in specific situations and focus on other tasks. Nevertheless, the driver is expected to take over when the system requests it. In this case, the vehicle would also monitor whether the driver has resumed control, and come to a safe stop if this is not the case. The driver must remain in the driver’s seat and have direct access to the steering wheel, brake and transmission controls.
  • Level 4: High Automation. The vehicle’s autonomous driving system is fully capable of monitoring the driving environment and handling all driving functions for routine routes and conditions defined within its operational design domain. The vehicle alerts the driver when it is reaching its operational limits in conditions that require a human in control. Again, the driver must remain in the driver's seat and have direct access to the steering wheel, brake and transmission controls.
  • Level 5: Full Automation. Level 5-capable vehicles are considered fully autonomous. No driver is required behind the wheel at all. In fact, Level 5 vehicles might not even have a steering wheel or pedals. (The best known fully autonomous transport system in the UK is the London-based ‘Docklands Light Railway’ (DLR), where there is no ‘Driver’ as such, although there are train ‘Guards’ who do have indirect control of the vehicle from internal controls located in certain carriages.)

The definitions of Autonomy above have received criticism for being too vague in some respects. In May 2021, SAE International and the International Organization for Standardization (ISO) jointly released a significant update, which included clarification of Levels 0-2 as “driver support features” because the driver is still heavily involved with vehicle operation, with Levels 3-5 distinguished as “automated driving features”.

In addition to the Vehicle regulations, it is critical that any vehicle electronics associated with safety or autonomous driving, of any category 1 to 5, are designed with a preeminent concern for the safety critical nature of the driving activity.

In essence, this means that any company involved in the supply chain responsible for delivering hardware and software electronics for any vehicle complies with certain safety specific design and development standards above and beyond the widely accepted ISO9001 standard.

The most far-reaching of these is the ISO 26262 Functional Safety standard.
Companies (suppliers and vehicle manufacturers) who are not certified or audited as competent to this standard should not be involved in the design, development, validation or supply of Autonomous vehicle systems of any type or category 1 to 5 as defined above.

Certified, auditable or demonstrable compliance to this standard therefore enables any third party to verify that the design and development chain is competent.

5 Supplementary Information

5.1 About the Author

Retired Commander Jamie Sayer joined the Royal Navy in 1995 as an Air Engineering Officer (AEO). For his first front-line squadron tour, he was appointed to 801 Naval Air Squadron, operating the mighty Sea Harrier aircraft. On 801 NAS, he undertook deployments in support of Op Southern Watch (the Iraq no fly zone) and Op Palliser (Sierra Leone). In 2005, he was appointed to Fleet HQ as the Release to Service Manager, responsible for the airworthiness of all 13 types of Royal Navy aircraft, including the more peculiar Dauphin helicopter and Mirach towed target. Whilst in this post, he oversaw the clearances for the Sea King Mk4 modifications that would facilitate the aircraft’s use in Afghanistan. After leaving Fleet HQ he was fortunate enough to convince the RN that he would be a perfect candidate for an MBA course at the Cranfield School of Management. Whilst on the course he wrote a thesis analysing the contractual relationship between MoD and the UK Defence Aerospace Sector.

After requesting a “junglie” unit, Jamie was surprised and delighted that he ended up as AEO of 845 Commando Helicopter Sqn, providing vital support on Operations in Afghanistan. Whilst on 845, he saw the Sqn receive the prestigious Breitling Trophy and Bambara Flight Safety Trophy. He then completed a number of tours at DE&S Abbey Wood, including a valuable role as the Lightning II Deputy Sustainment Lead and UK Fleet Manager. His last job in the Royal Navy was as the Type Airworthiness Authority for several Unmanned Air Systems within the UAS Team at Abbey Wood.

Since leaving the armed forces Jamie has been employed as an engineering systems, safety and autonomous systems expert at Ebeni, Boeing and now QinetiQ. He is an aviation-focused specialist member of the IIRSM and has a wealth of experience managing and teaching risk and safety management. He is also a mentor within the IIRSM.

© 2020 Drone Delivery Group Ltd Rights Reserved | Registered Office: Swift House Ground Floor, 18 Hoffmanns Way, Chelmsford, Essex, England, CM1 1GU | Reg No: 12441309