Identification of Major Safety Issues for a Futuristic Personal Plane Concept

The paper describes activities related to the safety assessment of a futuristic personal plane concept, done by researchers at the Institute of Aerospace Engineering (IAE), Brno University of Technology, as a part of the FP7 PPlane research project. Activities under the PPlane project were carried out in joint cooperation with an international research team led by ONERA (France). The aim of the FP7 EU project PPlane (Personal Plane) is to identify new potential concepts and technologies for future air transport, namely to create a future Personal Air Transport System (PATS). The personal air vehicle is understood to be analogous to a private car in terms of accessibility and ease of operation. Such a novel transportation system could help to reduce congestion on roads and enable more efficient transportation of passengers to their destinations. The introduction of PATS is a long-term goal which requires considerable progress beyond the current state-of-the-art technology as well as in related areas. The major enabling technology is believed to be a high level of automation in new air vehicles which would require either no or minor piloting skills of passengers. The paper was presented at the READ 2013 conference in Brno (Czech Republic) and is reprinted with the permission of the conference organizers.


Introduction
Currently increasing congestion on roads and constantly growing demand for fast and comfortable transportation to final destinations lead to research into new alternative means of personal transportation. One of the possible solutions is the utilization of small personal aircraft able to transport a small number of passengers close to their final destinations. For example, in the USA, NASA has launched the Small Aircraft Transportation System (SATS) initiative aimed at showing that emerging aviation technologies can be integrated into the operations in a small airport environment. In Europe, the European Commission (EC) supports several research projects dedicated to the use of small aircraft for personal transportation. The new term Personal Air Transportation System (PATS) has become standard in the field. The most recent activity supported by the EC is the PPlane project, joining 13 international partners from 11 European countries. The project, under the coordination of French aerospace research institute ONERA, is focused on the definition of operational concepts leading to the implementation of PATS (Fig. 1). The personal air vehicle is understood as being analogous to a private car in terms of accessibility and ease of operation. A major difference is seen in the level of automation compared to existing small aircraft. PPlane vehicles are expected to be fully automated, thus enabling the transportation of passengers (users) without significant piloting skills. Attention is given to several critical areas, where the most significant progress is expected. These areas include: "Security and Safety", "Automation and Control", "Human Factors" and "Environment". The PPlane project should build the first operational concepts with the implementation expected in the timescale of 2030 and beyond. Recommendations for the implementation and most critical areas are expected to be the outcomes of the project.
These will help the EC to find the most efficient way for the implementation of PATS as an alternative transportation means. The PPlane consortium includes partners from the whole of Europe and Israel, namely ONERA, IAI, AirNet, Bologna university, Brno university, CIRA, Intergram, Warsaw university, DLR, INTA, NLR, Patras university and REA-TECH.
Researchers of the Institute of Aerospace Engineering (IAE), Brno University of Technology (BUT) are involved in several key areas of the PPlane project. Most IAE activities are connected with the safety assessment of the proposed PATS concept. The safety assessment performed in PPlane is based on recent practices used for safety and reliability analyses of current aircraft. In addition, the results of research carried out on the reliability of different aircraft systems in the Czech Aerospace Research Centre have helped to analyse critical elements of the proposed PATS better.
The methodology selected for PPlane safety assessment at the first stage involves using surveys of typical systems and equipment used on existing aircraft (more details are given in Chapt. 2). Based on the analysis, it was possible to identify the most promising systems for future PATS.
The identified systems are subject to a Functional Hazard Assessment (FHA) with the aim to identify the most critical items. The FHA is described in Chapt. 3. All activities are closely connected to the work of other partner organizations on the PPlane project. For example, the safe design of selected critical systems is a subject of the activities of multiple partners. The paper is limited to the activities done mainly by BUT-IAE researchers.

A study of existing aircraft systems in general aviation aircraft
A significant decision factor for the definition of a future PPlane concept is the current state-of-the-art in aircraft categories close to the defined PPlane aircraft. Therefore, an extensive study of existing aircraft was carried out with particular focus on typical systems and equipment. The outcome of the study was a database of aircraft representing the current situation in different aircraft categories. Special attention was given to typical avionic equipment and aircraft systems. The full database includes 59 aircraft in 5 categories. Although the aircraft in the database do not cover all the existing aircraft, they represent the majority of aircraft used in the given categories. This was secured by a careful selection of aircraft types based on their importance for current general aviation: considering the number of airplanes built and the year of development. The major sources for the study were (Jackson 2009; Gama 2009). Table 1 shows a fragment of the created aircraft database.

Description of the proposed PPlane system:
Based on extensive studies and the necessity to ensure practical operations, PPlane consortium partners defined a basic PPlane system concept that is fully automated. PPlane vehicles are operated from small airports close to urban areas. The users/passengers onboard the aircraft are only able to perform high-level tasks such as the decision to change destination. The operations of PPlane vehicles are supported by a ground infrastructure (ground segment) that includes remote pilot stations (RPS), air traffic control (ATC) and a PPlane system operation management centre (PSOMC). In the case of an emergency situation (failure, health problems onboard, etc.), a pilot at a ground pilot station takes over the control and brings the PPlane vehicle to the nearest airport. The ground pilot can also be contacted by the users/passengers onboard. In normal situations, the ground pilot supervises multiple aircraft and takes over in emergency situations only. Even in an emergency situation, the ground pilot can only change the aircraft's trajectory and has general control over aircraft systems: direct handling and control of the aircraft is not foreseen. The proposed PPlane system requires the development of highly reliable components and systems. Many of them can be based on existing UAVs (Unmanned Aerial Vehicles). However, even if we consider the existence of systems necessary for the realization of the PPlane concept, practical realization cannot be expected before the year 2030. This aviation vision should be understood as being similar to the automotive industry or railways with an increasing level of automation.
A graphical presentation of the basic PPlane concept is shown in figure 2.

Example of today's typical "Personal Plane"
The aircraft included in the study were divided into several categories. The first main category includes fixed-wing aircraft. The fixed-wing aircraft are divided according to seat configuration into 2-seats, 4-seats and 5-6 seats. The next main category is rotary-wing aircraft, also subdivided into 2-seats, 3-4 seats and 5-7 seats. All of the aircraft in these categories were factory-built by either a small or a large aviation manufacturer. The last category of aircraft consists of homebuilt aircraft or kit planes. Those aircraft usually have 2-4 seats.
Each category includes very detailed additional information about general parameters, performance, aircraft systems and equipment. The dimensions and performance correspond to each individual category and fulfill PPlane requirements. These requirements were determined in the first period of the PPlane project. The structure is either composite or all-metal (but it can also be combined). All-composite construction prevails only for kit-built aircraft. Only a few aircraft are designed with a pressurized cabin for flying at high altitudes. No revolutionary changes related to the airframe structure are expected in future PPlanes, with the exception of continuous improvements, i.e. use of fail-safe structural concepts.
Fixed-wing aircraft are mostly powered by a single piston engine driven by a two-blade or three-blade constant-speed propeller. The typical construction of a small aircraft engine is a flat piston engine with four or six pistons. While more powerful fixed-wing aircraft are powered by turbo-diesel engines, turboshaft engines are the typical propulsion for 5-6 seated rotorcraft. New propulsion (engine) types are expected to be available in the timeframe supposed for the PPlane. Current engine types will lead to the need for multi-engine PPlanes (Chapt. 4.).
Aircraft systems have evolved into reliable products, often with back-up. New generation aircraft rely heavily on electric power because of the wide use of aircraft instrument systems. The usual electrical power system is 28 VDC with one alternator and one battery. The modern trend is to use a dual electric system with two alternators and two batteries. Small two-seater fixed-wing aircraft and rotorcraft usually use 12 VDC electrical power systems with one back-up battery. Such an amount of power is sufficient for them. Future PPlane vehicles will require more sophisticated, highly redundant electric systems. The flight control system in most current GA aircraft is conventional, manual mechanical. The main control surfaces of a fixed-wing aircraft (e.g. ailerons, rudder, and elevator) are mechanically controlled via cables and pushrods. Secondary and other control surfaces, especially flaps and trims, are controlled electrically by actuators in most new modern aircraft. The hydraulic system is mostly used for brakes and retractable landing gear. Rotorcraft have different flight controls. Cyclic and collective controls achieve a steady aerodynamic flight. Both are controlled by a mechanical or hydraulic system (an electro-hydraulic system in rare cases). A major technological breakthrough is needed in flight control systems to enable the PPlane concept in the given aircraft category: the transition to a fly-by-wire (FBW) system.
There are two arrangements of avionic systems. The first is the traditional "T" configuration, where the basic flight instruments (HSI, ADI, airspeed indicator, altimeter) are arranged in the shape of the letter "T", together with a turn-coordinator and a vertical-speed indicator. The second arrangement is an electronic flight instrument system (EFIS). The EFIS is an aircraft cockpit that features electronic instrument displays rather than electromechanical ones. It usually includes a primary flight display (PFD), a multi-function display (MFD) and an Engine Indicating and Crew Alerting System (EICAS). These display units are the most obvious parts of an EFIS, which is why it is commonly known as "a glass cockpit". The PFD displays all information critical to a flight, including calibrated airspeed, altitude, heading, attitude, vertical speed and yaw. The MFD displays navigational and weather information from multiple systems. MFDs can also display the status of aircraft systems. Small 2-seat rotorcraft still use an old Basic Six configuration, also known as a "six pack". This panel arrangement includes a set of six essential flight instruments (altimeter, airspeed indicator, turn and bank indicator, vertical speed indicator, artificial horizon and directional gyroscope or heading indicator). Future PPlane vehicles will have a totally different presentation of data in the cabin (with the absence of a pilot on-board) and, probably, also at the remote pilot station. New technology has to be developed.
Small aircraft are standardly equipped with one navigation panel and one mechanical back-up navigation system, if necessary, one or two communication receivers and transmitters and one mode S transponder. In most cases, the mentioned avionic equipment is doubled in bigger and more powerful aircraft. Most of the new modern aircraft are also equipped with an autopilot. The autopilot is usually of a two-axis or three-axis type. In kit-built aircraft the autopilot is optional. Engine instruments and indications are standalone devices or a part of the Electronic Flight Instrument System (EFIS). If the EFIS is built into the cockpit, the information taken from the weather radar, stormscope and collision avoidance system is displayed on the MFD. If the EFIS is not installed, such information is not available. Future PPlane vehicles need to have an integrated "flight control-navigation-communication" system. New technology has to be developed.
Outputs from the database helped to define existing systems and the necessary extension to new systems adopted within the designed PPlane concept. The definition of systems for future PPlane (based on the above-mentioned study) was performed by a partner organization, one of the big aviation producers, Israeli Aerospace Industries. Special focus was given to the high level of automation necessary for the practical realization of PATS. The use of PATS vehicles by individuals with low or no piloting skills creates safety and security related problems in several areas.

Functional hazard assessment
A detailed safety assessment was performed to ensure the safety of the prospective PATS vehicle. The safety assessment was based on current modern methods. Furthermore, it was done in accordance with requirements in recent regulations CS-23 and AC 23.1309-1D (CS-23… 2004; Advisory… 2011). According to the requirements for the identification of critical aircraft functions, Functional Hazard Assessment (FHA) was selected as the basis for the assessment.
FHA is usually used at early design stages, during concept development and before a more detailed design of particular systems. The main purpose is to find and accurately identify critical aircraft systems and parts using a comprehensive structured assessment (leaving little or no room for the omission of an important element). As a consequence, the identified critical systems should have a more robust design (i.e. redundancy). All the identified functions are further classified according to the type of failure conditions and the severity level for the whole aircraft. The primary classification of failure conditions includes the following categories: no safety effect, minor, major, hazardous and catastrophic. Aircraft functions are sorted by ATA Spec 100. The ATA Chapter numbers provide a common referencing standard for all commercial aircraft documentation. In other words, the ATA Chapters prescribe how to divide the entire aircraft and its functions into groups, systems and subsystems. A fragment of the developed FHA can be seen in table 2.
The FHA devised for PPlane describes failure conditions for 100 functions including respective classifications. In terms of worst classification, a total of 40 functions with CATASTROPHIC consequences, 22 functions with HAZARDOUS, 18 functions with MAJOR and 16 functions with MINOR consequences were found. To simplify understanding, the functions are divided into 7 major functional categories, as shown in figures 3 and 4. The failure/loss of some functions of these systems may have critical consequences and, therefore, needs to be assessed carefully and implemented with the necessary precaution.
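The roll-up "in terms of worst classification" described above can be sketched as follows. This is an added illustration, not part of the original paper or the PPlane FHA: the rows, function names and severity assignments are constructed for the example and are not taken from table 2.

```python
from collections import Counter
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """Failure condition classes named in the text, ordered by severity."""
    NO_SAFETY_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


@dataclass(frozen=True)
class FailureCondition:
    ata_chapter: int      # ATA Spec 100 chapter used to sort functions
    function: str         # aircraft-level function under assessment
    condition: str        # how the function fails
    severity: Severity    # effect on the whole aircraft


# Constructed sample rows (hypothetical, for illustration only).
SAMPLE_FHA = [
    FailureCondition(27, "Control pitch attitude", "Total loss", Severity.CATASTROPHIC),
    FailureCondition(27, "Control pitch attitude", "Degraded authority", Severity.HAZARDOUS),
    FailureCondition(24, "Supply electrical power", "Loss of one source", Severity.MINOR),
    FailureCondition(24, "Supply electrical power", "Total loss", Severity.CATASTROPHIC),
    FailureCondition(23, "Provide voice link to remote pilot", "Total loss", Severity.MAJOR),
    FailureCondition(34, "Provide position data", "Detected loss", Severity.MAJOR),
    FailureCondition(34, "Provide position data", "Undetected erroneous output", Severity.HAZARDOUS),
    FailureCondition(33, "Illuminate cabin", "Total loss", Severity.NO_SAFETY_EFFECT),
]


def worst_case_by_function(rows):
    """Keep, for each (ATA chapter, function), the most severe failure condition."""
    worst = {}
    for row in rows:
        key = (row.ata_chapter, row.function)
        if key not in worst or row.severity > worst[key].severity:
            worst[key] = row
    return worst


def tally(rows):
    """Count functions per severity class, using each function's worst case."""
    return Counter(r.severity for r in worst_case_by_function(rows).values())


def critical_functions(rows, threshold=Severity.HAZARDOUS):
    """Functions whose worst case meets the threshold, sorted by ATA chapter."""
    worst = worst_case_by_function(rows)
    return sorted(key for key, r in worst.items() if r.severity >= threshold)


if __name__ == "__main__":
    for sev, count in sorted(tally(SAMPLE_FHA).items(), reverse=True):
        print(f"{sev.name:<17} {count}")
    for chapter, function in critical_functions(SAMPLE_FHA):
        print(f"ATA {chapter}: {function}")
```

A function is counted once, under its most severe failure condition, so a function with both a MINOR and a CATASTROPHIC condition contributes only to the CATASTROPHIC total.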

Recommendations for future regulations regarding PATS vehicles
Existing regulation requirements impose reduced safety and reliability requirements on small aircraft. This is a result of historic development, where application of some of the most advanced redundant systems was not possible in small aircraft. Also, the accident rate due to human factors (especially pilot failures) was significantly greater than in the case of transport aircraft. This seems to be unacceptable for future PATS since users/passengers (and also aviation authorities) will require a similar level of safety as in transport aircraft. A detailed analysis of the current situation was done within the PPlane project and described in project report D2.1 "Safety and Security" (PPlane 2011). The results indicate that currently 1.01 fatal accidents per 100 000 flight hours (approx. 1×10⁻⁵ per flight hour) occur for general aviation aircraft (both single-engine and multi-engine). However, only approx. 15% of fatal accidents are related to mechanical/maintenance problems (0.155 fatal accidents per 100 000 flight hours). At the same time, the accident rate of large air carriers is 0.01 fatal accidents per 100 000 flight hours (1×10⁻⁷ per flight hour) for the Northern America region (Database… 2013). Worldwide, 0.049 fatal accidents per 100 000 flown hours (4.9×10⁻⁷ per flight hour) were tracked in the period 1997-2006. Compared to other transportation means, the target safety statistics should be comparable (i.e. close to 0.05 per 100 000 flight hours). Although US databases were a major source for the safety data, the situation in Europe (and the whole developed world) can be considered as being similar.
Furthermore, lessons learned from UAVs lead to the application of more strict requirements on aircraft with a high level of automation.
A graphical interpretation of the author's recommendations for regulation requirements on PATS is shown in figure 5.

Recommendations for future PATS vehicle systems
The performed safety assessment revealed the critical functions (and systems) of the proposed PPlane system, especially:
- Flight and Flight Control System (FCS): functions related to maintaining flight parameters (attitude, speed, altitude, etc.) and direct control of the vehicle. Loss of such functions is highly critical and should be subject to a major design focus. Higher criticality of functions at PPlane (compared to existing aircraft) leads to the need to develop a new type of highly reliable flight control system and autopilot, integrated in a single system, if possible. A completely different design of the FCS is expected (a FBW instead of a mechanical system). A higher degree of redundancy compared to existing autopilots in similar aircraft categories is required. The design of the FCS could be based on existing designs for higher category aircraft. Some elements could be based on existing technology.
- Emergency: the second most critical group of functions is related to emergency systems (performing emergency procedures). Since it would be difficult to adopt some of today's existing and commonly used procedures in the PPlane system (i.e. emergency landing out of airstrips,
The PPlane study also indicated a relatively low percentage of accidents caused by instruments and electrical systems (0.11% of all accidents, and 0.67% of fatal accidents). Therefore, a higher level of automation may eventually lead to a lower accident rate. This conclusion is also supported by operational experience with recent Technologically Advanced Aircraft (TAA).
- The PPlane System (PATS) can be a single-engine aircraft: After careful analysis, an important conclusion for the PPlane project is that the number of engines is not a decisive factor for current PPlane sized aircraft safety. The use of additional emergency equipment is more decisive. It is recommended to enable the design of single-engine PPlane vehicles, if stricter safety goals are met (Chapt. 4.1). However, stricter regulation requirements today lead to multi-engine vehicles (no single-engines able to meet the requirements mentioned in 4.1 exist today). Moreover, operations over urban areas may lead to the need to design multi-engine PPlane vehicles.
- It is highly recommended to use a BRS (Ballistic Recovery System) for PPlane vehicles: The study indicated that, for current aircraft, a BRS increases the survivability rate by approx. 33% (the current rate of initiation is 6.98×10⁻⁶ per flight hour for an aircraft equipped with this system). Additionally, the lack of a skilled pilot on board even increases this percentage, because the handling of an emergency situation after failures by automated systems leads to more complex systems with a high number of functions (prone to fail). Therefore, it is highly recommended to use a BRS for the PPlane system. However, BRS initiation should be limited to areas where a PPlane vehicle performs an emergency landing without inflicting damage to material assets or injuries to the population on the ground.

Summary and conclusions
The paper describes an effort to define a future Personal Air Transport System (PATS). Within the dedicated PPlane project, supported by the European Commission under contract no. 233805, studies of different aspects were carried out with the aim to help with the introduction of PATS (in the form of a PPlane system). The IAE took part in the studies dedicated to the safety of the PPlane system. The paper provides details on the FHA done for the PPlane System (Chapt. 3) and summarizes the recommendations for future PATS (Chapt. 4). The FHA analysis revealed the critical systems (including the systems fundamental for the PPlane concept) and provided recommendations for their future design. The study also revealed that some of those systems and elements could be based on existing technology. New modern technologies and a high level of automation have the potential to decrease the accident rate of small transport aircraft.
If all legislative and technical challenges are successfully solved, personal air transport may become one of the most important and broadly used areas of the whole transportation system.
The paper was originally presented at the READ 2013 conference in Brno (Czech Republic), and it is reprinted with the permission of the conference's organizers.

Acknowledgments
Presented activities were supported by the European Commission under the frame of contract No 233805 "Personal Plane".