ASTM F3178-16

This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the
Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
Designation: F3178 − 16
Standard Practice for
Operational Risk Assessment of Small Unmanned Aircraft
Systems (sUAS)
This standard is issued under the fixed designation F3178; the number immediately following the designation indicates the year of
original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A
superscript epsilon (´) indicates an editorial change since the last revision or reapproval.
INTRODUCTION
An operational risk assessment (ORA) offers to an applicant of small unmanned aircraft systems
(sUAS) a standardized approach to examine their operations for potential hazards and assess those
hazards for risk. The ORA is then used to mitigate or avoid risks associated with those hazards to
achieve acceptable levels of safety. ORAis a key component of operational risk management (ORM),
which seeks to identify hazards endemic to an operation, assign risks to those hazards based on
quantitative and qualitative analysis, and mitigate unacceptable levels of risk. The main functions of
the ORM are to: (1) Minimize risk to acceptable levels while providing a method to manage resources
effectively; (2) Enhance decision-making skills based on systematic, reasoned, and repeatable
processes; (3) Provide systematic structure to perform risk assessments; (4) Provide an adaptive
process for continuous feedback through planning, preparation, and execution; and (5) Identify
feasible and effective control measures, particularly where specific standards do not exist.
Through a risk-based approach to operations, design, and airworthiness, an applicant can quickly
understand the operational environment and threats to the operation. The ORA offers a methodology
toidentifysystemandoperationalhazards,applyquantitativeandqualitativeanalysistothosehazards,
analyze the outputs of the ORA, and then apply appropriate mitigations to satisfy safety of flight
requirements.
The ORA is an integral component of any sUAS application and is an important tool for gaining
access to the national airspace, or especially into increasingly higher risk environments, such as
controlled airspace where other manned aircraft are likely to be present.
1. Scope qualitative and quantitative safety requirements. The ORA,
however, remains the same for all risk profiles and will be a
1.1 This practice focuses on preparing operational risk
part of any sUAS operation.
assessments(ORAs)tobeusedforsupportingsmallunmanned
aircraft systems (sUAS) (aircraft under 55 lb (25 kg)) design,
1.3 In mitigating and preventing incidents and accidents, it
airworthiness, and subsequent operational applications to the
is understood that people generally do not seek to cause
civil aviation authority (CAA).
damage or injure others, and therefore, malicious acts are
1.2 It is expected that manufacturers and developers of
beyond the scope of this practice.
larger/higher energy sUAS designs, intended to operate in
1.4 As part of the ORA, the applicant should clearly
controlled airspace over populated areas, will adopt many of
understand and be able to articulate their intended mission for
the existing manned aircraft standards in use. These include
purposes of assessing safety and providing information to
standards such as SAE ARP4754A and ARP4761, which
regulators. This documentation of a sUAS operation (mission,
prescribe a “design for safety” top-down design approach to
or set of missions) is what many refer to as a concept of
ensure the sUAS designs can reasonably meet more stringent
operations (CONOPS).
This practice is under the jurisdiction ofASTM Committee F38 on Unmanned
1.5 This practice is intended primarily for sUAS applicants
Aircraft Systems and is the direct responsibility of Subcommittee F38.02 on Flight
seeking approval or certification for airworthiness or opera-
Operations.
tions from their respective CAA, though sUAS manufacturers
Current edition approved Nov. 1, 2016. Published January 2017. DOI: 10.1520/
F3178-16. may consider this practice, along with other system safety
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States
F3178 − 16
design standards, as appropriate to identify sUAS design and (RPIC)orvisualobserver(VO))responsibleforcontrollingthe
operational requirements needed to mitigate hazards. flight of the small unmanned aircraft (sUA) cannot maintain
direct visual contact with the sUA unaided other than by
1.6 Units—The values stated in inch-pound units are to be
corrective lenses (spectacles or contact lenses) or sunglasses or
regarded as the standard. The values given in parentheses are
both.
mathematical conversions to SI units that are provided for
3.1.3.1 Discussion—Technological means may be used for
information only and are not considered standard.
determining the sUA’s movement relative to intruding aircraft,
1.7 This standard does not purport to address all of the
obstacles, and terrain; observe the airspace for other air traffic
safety concerns, if any, associated with its use. It is the
or hazards; and determine that the sUA does not endanger the
responsibility of the user of this standard to establish appro-
life or property of another.
priate safety and health practices and determine the applica-
3.1.4 concept of operations, CONOPS, n—user-oriented
bility of regulatory limitations prior to use.
document that describes systems characteristics and limitations
2. Referenced Documents for a proposed system and its operation from a user’s perspec-
tive.
2.1 SAE Standards:
3.1.4.1 Discussion—A CONOPS also describes the user
ARP4754A Guidelines for Development of Civil Aircraft
organization, mission, and objectives from an integrated sys-
and Systems
tems point of view and is used to communicate overall
ARP4761 Guidelines and Methods for Conducting the
quantitative and qualitative system characteristics and opera-
SafetyAssessment Process on CivilAirborne Systems and
tional procedures to stakeholders.
Equipment
3.1.5 control station, CS, n—interface used by the remote
3. Terminology
pilot or the person manipulating the controls to control the
flight path of the sUA.
3.1 Definitions:
3.1.1 airworthiness, n—condition in which the small un-
3.1.6 extended visual line of sight, EVLOS, n—operation
manned aircraft systems (sUAS) (including the aircraft,
when the sUAcannot be seen by the individual responsible for
airframe, engine, propeller, accessories, appliances, firmware,
see and avoid with vision that is unaided by any device other
software, and control station elements) conforms to its design
than corrective lenses or sunglasses or both and where the
intent, including as defined by the type certificate (TC), if
location of the sUA is known through technological means;
applicable, and is in condition for safe operation.
however, the individual responsible for see and avoid shall be
able to see intruding aircraft with vision unaided by any device
3.1.2 applicant, n—may be one of the following entities:
other than corrective lenses or sunglasses or both so that the
3.1.2.1 manufacturer, n—sUAS manufacturer that makes
sUA can be maneuvered clear of collision with other aircraft,
changes to the design of an sUAS with a civil aviation
terrain, or obstacles, or combinations thereof.
authority (CAA) airworthiness approval or kinds of flight
3.1.6.1 Discussion—Either the remote pilot in command
operations or both not specifically allowed in the original
(RPIC) or, alternatively, the visual observer (VO) can use said
airworthiness approval. A manufacturer may also be an opera-
technological means for determining the location of the sUAto
tor.
determineitsmovementrelativetointrudingaircraft,obstacles,
3.1.2.2 operator, n—entity that applies for CAAapproval to
and terrain; observe the airspace for other air traffic or hazards;
operate an sUAS with a CAA airworthiness approval for
and determine that the sUA does not endanger the life or
already approved flight operations or who seeks operational
property of another.
approval for additional kinds of flight operations not presently
3.1.7 fly-away, n—unintended flight outside of operational
allowed under that airworthiness approval. If this entity pro-
boundaries(altitude/airspeed/lateral)astheresultofafailureof
poses to operate sUAS for additional kinds of flight operations,
the control element or onboard systems or both.
then the entity shall use normal CAA processes to obtain
airworthiness or operational approval or both for the additional
3.1.8 hazard, n—potentially unsafe condition resulting from
kinds of flight operations. This entity can be the original failures, malfunctions, external events, errors, or combinations
equipment manufacturer (OEM), a manufacturer, or an entity
thereof and this term is intended for single malfunctions or loss
that proposes to operate an sUAS procured from an OEM or a of function that are considered foreseeable based on either past
manufacturer. service experience or analysis with similar components in
comparable manned aircraft applications or both.
3.1.2.3 original equipment manufacturer, OEM, n—sUAS
manufacturer for the original airworthiness approval of a
3.1.9 likelihood, n—estimated probability or frequency, in
specific sUAS design and kinds of flight operations and an
quantitative and qualitative terms, of a hazard’s effect or
OEM may also be an operator.
outcome.
3.1.3 beyond visual line of sight, BVLOS, n—operation
3.1.10 non-participant, n—any individual in the vicinity of
when the individuals (for example, remote pilot in command
a sUAS operation who is not participating in the operation of
the sUAS.
3.1.11 operational risk assessment, ORA, n—engineering
Available from SAE International (SAE), 400 Commonwealth Dr.,Warrendale,
PA 15096, http://www.sae.org. evaluation of the proposed design and operation of the sUAS,
F3178 − 16
its intended mission, and proposed area of operation to “Should” statements also represent parameters that could be
determine potential risk to persons and property and identify used in safety evaluations and could lead to development of
mitigation strategies to reduce that potential risk reasonably future requirements. “May” statements are provided to clarify
through operating procedures or limitations. acceptability of a specific item or practice and offer options for
satisfying requirements.
3.1.12 operational risk management, ORM, n—continual,
cyclic, process and the evaluation of the effectiveness of those 3.1.24 small unmanned aircraft, sUA, n—unmanned aircraft
weighing less than 55 lb (25 kg) on takeoff, including every-
controls, which includes risk assessment, risk decision making,
and implementation of risk controls, that results in acceptance, thing that is on board or otherwise attached to the aircraft.
mitigation, or avoidance of risk.
3.1.25 small unmanned aircraft system, sUAS, n—small
unmanned aircraft (under 55 lb (25 kg)) and its associated
3.1.13 pilot, n—person other than the RPIC who is control-
elements (including communication links and the components
ling the flight of a sUAS under the supervision of the RPIC.
that control the sUA) that are required for the safe and efficient
3.1.14 qualitative, adj—those analytical processes that ap-
operation of the sUA in a national airspace system.
ply mathematical or numerically based methods to assess the
3.1.26 unmanned aircraft system, UAS, n—unmanned air-
system and airplane safety.
craft and associated elements (including communication links
3.1.15 radio line of sight, RLOS, n—operational state in
andthecomponentsthatcontroltheunmannedaircraft)thatare
which radio communications are over distances where the path
required for the RPIC to operate safely and efficiently in a
between the transmitter and receiver is not obstructed by the
national airspace system.
curvature of the earth or other obstructions such as terrain or
3.1.27 visual line of sight, VLOS, n—with vision that is
structures.
unaided other than by corrective lenses or sunglasses or both,
3.1.16 reliability, n—determine that a system, subsystem,
the pilot or visual observer shall be able to see the sUA
unit, or part will perform its intended function for a specified
throughout the entire flight to determine its movement relative
interval under certain operational and environmental condi-
tointrudingaircraft,obstacles,andterrain;observetheairspace
tions.
for other air traffic or hazards; and determine that the sUAdoes
3.1.17 remote pilot-in-command, RPIC, n—person who is
not endanger the life or property of another.
directly responsible for and is the final authority as to the
3.1.28 visual observer, VO, n—person who is designated by
operation of the sUAS; has been designated as remote pilot in
the RPIC to assist the RPIC and the person manipulating the
command before or during the flight of an sUAS; and holds the
flight controls of the sUAS to see and avoid other air traffic or
appropriate CAA certificate for the conduct of the flight.
objects aloft or on the ground.
3.1.18 residual risk, n—any risk that remains after mitiga-
4. Summary of Practice
tion or other control actions.
3.1.18.1 Discussion—Residual risk is usually accepted if it 4.1 This practice is intended to provide an understanding of
is within the risk tolerance of the applicant or CAA or both.
the risk assessment process as a baseline standard for appli-
cants of sUAS designs and operations covered under the
3.1.19 risk, n—composite of predicted severity and likeli-
“small” designation of a CAAkinetic energy spectrum and that
hood of the potential effect of hazards.
are not generally designed with the rigorous design assurance
3.1.20 risk mitigations, n—means to reduce the risk of a
standards that exist in more complex unmanned aircraft with
hazard.
higher kinetic energy characteristics.
3.1.21 safety risk, SR, n—projected likelihood and severity
4.2 It is expected that manufacturers of larger/higher energy
of the consequences or outcomes from an existing hazard or
UAS designs, which are intended to operate in controlled
situation.
airspace over populated areas, will adopt many of the un-
3.1.21.1 Discussion—The outcome may be an accident or
manned aircraft standards in use, such as SAEARP4754A and
an “intermediate unsafe event/consequence” may be identified
ARP4761, that prescribe a “design for safety” top down design
as the “worst credible outcome.”
approach to ensure the sUAS designs can reasonably meet the
3.1.22 severity, n—consequence or impact of a hazard’s
morestringentqualitativeandquantitativesafetyrequirements.
effect or outcome in terms of degree of loss or harm.
4.3 The industry “best practices” embodied herein are
3.1.23 shall versus should versus may, v—use of the word
subject to continuous improvement as safety theory develops
“shall” implies that a procedure or statement is mandatory and
and more advanced technologies facilitate greater safety
must be followed to comply with this practice, “should”
knowledgeandapplicationormethodsforclarificationdevelop
implies recommended, and “may” implies optional at the
and refine.
discretion of the applicant.
5. Significance and Use
3.1.23.1 Discussion—Since “shall” statements are
requirements, they include sufficient detail needed to define 5.1 Use—This practice is intended for use by parties who
compliance (for example, threshold values, test methods, desire access to the national, or international, airspace as
oversight, and reference to other standards). “Should” state- regulatedbytheirrespectiveCAA(s)eitherforavehicledesign
ments are provided as guidance towards the overall goal of (airworthiness)oravehicle’suse(operationalapproval).Inthis
improving safety and could include only subjective statements. practice, it is recognized the varying levels of complexity, need
F3178 − 16
for risk assessment(s), and due diligence that should be 6.3.1 Define the Operations—Include a brief description of
determined in an ongoing dialogue between the CAA and the the types of operations that are allowed in the application. For
applicant. Users should consider their requirements, the pur- example, types of operations include agriculture, line
pose that the ORA is to serve, and their risk acceptance level inspection, industrial inspection, photography, surveying,
before undertaking the ORA. Use of this practice does not research, and film or television production.
preclude other initiatives or processes to identify hazardous 6.3.2 Describe the nature of the applicant’s business
conditions or assess and mitigate associated risks. (manufacturer, operator, system integrator, and so forth).
6.3.3 Define geographic operating boundaries (lack of spe-
5.2 Risk Reduced, not Eliminated—No ORA can eliminate
cifics implies very broad national airspace system (NAS)
all risk or uncertainty with regard to operations. Preparation of
access).
an ORAin accordance with this practice is intended to reduce,
6.3.4 Describe any intent to launch/fly/recover over private
but may not necessarily completely eliminate, the risk of an
property with owner’s permission (implies very limited NAS
operation in which system complexity is minimal, the opera-
access).
tion is conducted in a lower risk environment, and the
6.3.5 Define the minimum and maximum operating charac-
likelihood for harm to people or property, though present, is
teristics as well as all other operationally relevant flight
reduced to an acceptable level. As mission complexity
characteristics of the aircraft.
increases, the operational environment may become less risk
6.3.6 Describe intentions to operate withinVLOS or outside
tolerant. For example, as the kinetic energy associated with the
of VLOS or both: BVLOS, EVLOS, night operations, inclem-
aircraft increases, more complex assessment/analysis tools and
ent weather, and so forth.
greater time may be required to conduct the ORA.
6.3.7 Identify the occupants of the proposed operating area
(both on the ground and in the air).
6. Concept of Operations (CONOPS)
6.3.8 Describe location of the control station.
6.1 Purpose—This section provides guidance to applicants
6.4 Summary of the Anticipated sUAS Operations from the
on suggested data an descriptions to include in their CONOPS
Perspective of Other Users of the Airspace and Those on the
so that they may better evaluate safety of the operation in the
Ground:
ORAandprovidethedocumentationneededtoobtainapproval
6.4.1 Identify types of airspace in which the sUAS is to be
from a CAA to conduct operations. It is up to the applicant to
flown in as well as any special considerations to be taken
reach agreement with the CAA on the specific contents and
because of the type of airspace in which it is being flown.
format of any CONOPS required. This guidance is not meant
6.4.2 Give launch and recovery details/location(s).
to be an exhaustive listing of what is required for approvals or
6.4.3 Identify and describe the operation’s proximity to
to provide a completed CONOPS to a regulator. Rather, it is
people, vehicles, structures, and infrastructure on the ground as
meant to clarify some of the key elements that a CAA and the
well as their density.
applicant may take into consideration to determine if risks are
6.4.4 Identify and describe the aircraft’s proximity to other
acceptable.
NAS users.
6.2 Operational System Description of the Primary Ele-
6.4.5 Identify the meteorological conditions in which opera-
ments of a sUAS—The aircraft, control station, crew, control
tions are intended or likely to occur (visual/instrument, icing,
link, and data/telemetry communications link parameters shall
and so forth) and, if other than visual meteorological
be documented as follows (where applicable):
conditions, the equipment provided to allow such operations.
6.2.1 Aircraft—Description of limitations, normal
6.4.6 Identify the flight rules in which operation is intended
procedures, emergency procedures, supplemental information,
(visual/instrument flight rules).
and systems information as it pertains to each type of sUA
6.4.7 Identify whether the geographic and airspace bound-
desired to be operated. Specific detail should be given to
aries are physically contiguous.
onboard subsystems critical for the safety of flight including,
6.4.8 Identify the automation level (autopilot, manual
but not limited to, flight guidance systems, power plant, fuel
control,stabilizationassistances,returntohome,loiter/position
and batteries, propellers and rotors, electrical systems and
hold, height hold, course lock, waypoint navigation, point of
equipment, radio and navigation equipment, and so forth.
interest orbit, and so forth.
6.2.2 Control Station—Description of structure,
6.4.9 Identify minimum crew and their roles.
components, mobility, and occupancy, if applicable.
6.4.10 Identify pilot/aircraft ratio (1:1 and so forth).
6.2.3 Crew Members—Description of required crew mem-
6.4.11 Identify day or night operations or both.
bers and their responsibilities, credentials, experience, or
6.4.12 Define plan for safety of crew members.
training, or combinations thereof.
6.4.13 Describe community outreach plans, if any, being
6.2.4 Command and Control (C2) Link—Description of
used to minimize risk (notices to airmen (NOTAMs), opera-
frequency and power, susceptibility to compromise and miti-
tional awareness information distributed to flying/non-flying
gation strategies, and range of operation.
public, outreach meetings with municipalities, airports, and so
6.2.5 Data/Telemetry Communications Link—Description
forth).
of data and telemetry being gathered and strategies for using
6.4.14 Describe when/if flight plans will be filed with air
data/telemetry to assure safe operations.
traffic control (ATC).
6.3 Description of Operational Scenarios for the sUAS: 6.4.15 Identify liaisons with ATC, if necessary.
F3178 − 16
6.4.16 Identify accident and incident reporting procedures. 7. Operational Risk Assessment (ORA)
6.4.17 Summary of any sUAS interaction with ATC and
7.1 Introduction—System safety is the discipline and prac-
traffic management as well as see-and-avoid strategies.
tice of identifying, analyzing, and mitigating hazards of a
6.4.18 Describe communication means between the crew
particular system, program, project, or activity using a “sys-
members and other air traffic in the area (direct voice, visual,
tems” approach throughout its life cycle. The application of
radio, and so forth).
safety management systems (SMS) methodology is a best
6.4.19 Detail plans involving command and communication
practice in aviation operations for overall safety and risk
functions between different components of the sUAS and other
management. System safety analysis and use of a structured
NAS stakeholders.
hierarchy of controls (to affect hazards and their associated
6.4.20 Describe command and communication functions
risks) during unmanned system design, manufacturing,
between the various components of the sUAS (aircraft, control
modification, or integration is the precondition of an appli-
station, control link, observers, and so forth).
cant’s SMS program.There are several system safety and SMS
6.4.21 Describe the security of the C2 link.
process outputs that can serve as evidence to support an
6.4.22 Describe the physical security of the crew members
applicant’s case that a sUAS or sUAS operation is safe. An
and control station.
applicant can show an unmanned system will be operated
6.4.23 Describe ability to maintain real-time situation
safely by providing approval authorities evidence of hazards
awareness (terrain, weather, obstacles, and traffic).
identified, analyzed, and mitigated. Applicants of unmanned
6.4.24 Describe the number of pilots, hand-off procedures
aircraft operations should scale their system safety analysis for
between control stations (direct, daisy-chain, and so forth) and,
hazardsandmitigationsneededtothelevelofrigorappropriate
if more than one pilot is used, procedures to ensure only one
for their CONOPS, which should include operational size,
PIC is in control of the operation.
complexity, and mission scenario as discussed in Section 6.
6.4.25 Describe lost-link procedures for loss or interruption
Just as there are multiple sizes and missions of unmanned
of positive control.
systems, there are multiple ways to approach safety hazard
6.4.26 Describe emergency procedures (in the event of lost
identification, analysis, mitigation, and documentation of re-
link, the UA shall squawk appropriate code if transponder
sidual risk to be provided to CAA or approval authorities. A
equipped).
key to successful and appropriate evidence to support argu-
6.5 Non-VLOS Operational Considerations—For the fol-
ments that an unmanned system and its operation is safe lies in
lowing flight operations, address the specific factors necessary
appropriately determining severity and likelihood of undesired
to maintain safe operational control of the aircraft, accurate
events occurring during mission execution.
knowledge of its location, and the capability to see and avoid
7.1.1 An operational risk assessment for any system shall
other traffic or objects aloft or on the ground:
document the system, its operation (including mission scenario
6.5.1 EVLOS.
or CONOPS), and the hazards identified that might occur as a
6.5.2 EVLOS using VOs who are collocated with the PIC.
resultofunexpectedorexpectedeventsduringamission.Next,
6.5.3 EVLOS using VOs who are not collocated.
applicants shall show how those hazards will be addressed and
6.5.4 EVLOS using VOs using aided vision.
mitigated to manage adverse results within the operation. Once
6.5.5 Daisy chaining of VOs or VOs on a moving platform
mitigations have been determined, the residual risk will be
(chase plane, boat, vehicle, and so forth).
assessed and accepted or rejected by the CAA or approval
6.5.6 BVLOS.
authority charged with approving the operation. However,
6.5.7 BVLOS when the PIC and VO are unable to track
before seeking CAA approval of any residual risk, the appli-
visually the aircraft because of night-time flying visual meteo-
cant shall determine its risk tolerance, that is, the level of
rological conditions (VMC).
residual risk acceptable to the applicant. This risk tolerance
6.5.8 BVLOS using technological support to PIC only.
should include a rationale to support selection of the risk
6.5.9 BVLOS using technological support to the PIC and
criteria that supports an organization’s risk tolerance.
VO requiring aided vision or technological support or both.
7.1.2 To provide information adequately about the
6.5.10 Night operations using technological support to PIC
operation,theapplicantshoulddeterminetheappropriatedetail
or VO or both.
needed for the system and its operation based on complexity of
the system and is operational environment. This system/
6.6 The above suggested elements of a CONOPS will assist
mission description is explained in detail in Section 6. The
applicants in both evaluating their operation as part of safety
CONOPS and ORA are tightly coupled since higher than
management processes and provide a foundation of documen-
acceptable risks identified in the ORA may often need to be
tation needed to ensure all parties to the operation understand
mitigated by operational procedures or limitations that are
the mission context and safety overall. As noted in Section 7,
documented in the CONOPS. When such operational changes
a complete and fully vetted CONOPS will provide applicants a
result in acceptable risk levels, the associated risk mitigations
framework to evaluate safety in an organized and deliberate
are documented in the ORA. This relationship is illustrated in
way without underestimating or overextending the scope of
Fig. 1.
their effort in conducting an ORA. With this foundation
document to refer to, applicants will find that the work of 7.1.3 As shown in Fig. 1, if an ORAresults in an unaccept-
conducting an ORA will be streamlined, more efficient, and able risk, changes need to be made in the product itself in the
produce cost savings in operations overall. way in which the product will be operated (documented in the
F3178 − 16
FIG. 1 CONOPS and ORA Relationship Flowchart
CONOPS) or in required training before operation. It is also substations, high-power electrical transmission lines, water
critical that applicants understand that conducting sUAS op- treatment plants, and so forth. They may also include sensitive
erations in a manner other than intended in the original areasforflightsuchasschools,hospi
...