Safety Board Conducts its First Unmanned Aircraft Accident Investigation

The National Transportation Safety Board (NTSB) on Oct. 16 entered a new era of oversight, making a “historic” ruling on the probable cause of an unmanned aircraft accident.

While the reasons for the crash were not unexpected, the Safety Board’s numerous recommendations growing out their accident investigation could have far-reaching effects on how unmanned aerial systems (UAS) are built and operated and how pilot training and qualifications are set.

In its first investigation of an accident involving an unmanned aircraft (UA), also referred to as unmanned aerial vehicles (UAV), the Safety Board issued a total of 22 safety recommendations to address what NTSB Chairman Mark V. Rosenker said were “a wide range of safety issues involving the civilian use of unmanned aircraft.”

The safety recommendations approved by the Safety Board stemmed from the April 25, 2006, accident in which a $6.5 million General Atomics Aeronautical Systems, Inc. (GA-ASI) turboprop- powered Predator B looking for illegal immigrants for the U.S. Customs and Border Protection (CPB) crashed within 100 yards of a house in a sparsely populated residential area near Nogales, Arizona. Luckily, no one on the ground was injured, but The remotely piloted 66-foot wingspan drone was substantially damaged.

The Predator B flight originated from the Libby Army Airfield (HFU), Sierra Vista, AZ.

The flight was being flown from a ground control station (GCS) located at HFU. The GCS contains two nearly identical consoles, pilot payload operator (PPO)-1, and PPO-2.

During a routine mission, a certified pilot controls the UAV from the PPO-1 console and the camera payload operator (typically a U.S. Border Patrol Agent) controls the camera from PPO-2. The aircraft controls (flaps, stop/feather, throttle, and speed lever) on PPO-1 and PPO-2 are identical. However, when control of the UAV is being accomplished from PPO-1, the controls at PPO-2 are used to control the camera.

The pilot employed by GA-ASI as part the Predator B turn-key operation reported that during the flight the console at PPO-1 “locked up”, prompting him to switch control of the UAV to PPO-2. Checklist procedures state that prior to switching operational control between the two consoles, the pilot must match the control positions on the new console to those on the console, which had been controlling the UAV.

The pilot stated in an interview that he “got in a hurry and did not use the checklist.” The result was that the stop/feather control in PPO-2 was in the fuel cutoff position when the switch over from PPO-1 to PPO-2 occurred. As a result, the fuel was cut off to the UAV when control was transferred to PPO-2.

The pilot stated that after the switch to the other console, he noticed the UAV was not maintaining altitude but did not know why. As a result he decided to shut down the GCS so that the UAV would enter its ‘lost link’ procedure, which called for the UAV to climb to 15,000 feet above mean sea level and to fly a predetermined course until contact could be established.

But with no engine power, the UAV continued to descend below line-of-site communications and further attempts to re-establish contact with the UAV were not successful.

NTSB investigators said lockups involving either PPO-1 or PPO-2 had occurred 16 times over the four months preceding the accident. Although the presence of redundant control consoles could mitigate the safety risks associated with a console lockup event, repeated reliance on this backup system increases pilot workload and the corresponding risk that an undesirable outcome will result.

Although a backup console is available to the pilot in the event of a lockup of PPO-1, it likely that this backup console will be in the fuel cutoff position when it’s needed to backup PPO-1. Should the UA pilot fail to complete the condition lever reconfiguration step on the console transfer checklist to address the PPO-1 failure, inadvertent engine shutdown is all but assured.

Although some aural and visual indications were provided to the pilot by the Predator B ground control station, the most critical indication during the accident sequence, the engine out condition, was buried among other less critical information in the heads down display making the warning indication inconspicuous to the pilot. When the console locked up during the accident sequence, there was no warning indication presented to alert the pilot to the loss of control.

Rather, the pilot detected the condition using indirect queues such as frozen images on the display screen. These indications do not provide the pilot with the ability to quickly and precisely determine the nature and urgency associated with unsafe conditions such as an engine-out / or console lockup event.

When the engine shut down during the accident sequence, the UA lost its primary source of electrical power and this caused critical systems to revert to battery power to continue operation. However, a momentary surge caused by the immediate transfer of these systems to the battery compelled the system to reduce the load on the battery, and, as a result, electrical power was cut to critical systems such as the transponder and the satellite communication link.

Because the accident pilot sent the UA to its lost link mission following the engine shutdown, communications between the GCS and the UA were discontinued at the time the transponder dropped off line. Without its transponder, no live link to the GCS, and no pilot onboard to report its position, the accident UA was invisible to ATC. The burden of separation was placed solely on other aircraft in the NAS, and their ability to see and avoid a potential conflict with the uncontrolled UA.

An additional concern related to the loss of engine power was the inability to restart the engine during the accident sequence. The investigation revealed that the engine on CBP’s Predator B can only be restarted in-flight if commanded by the pilot using the line of sight, or LOS, communication link between the GCS and the UA. This means that engine restart is not possible when the UA is in lost link mode or when LOS control is lost.

Maintenance plans, procedures, and oversight were also issues identified in this investigation.

Because CBP had contracted maintenance operations to its contractor, General Atomics Aeronautical Systems, the continuing airworthiness of its UAS was dependent on both GA staff and CBP’s oversight of the maintenance work. However, CBP staff did not possess detailed technical knowledge related to UAS engineering and maintenance, knowledge that is critical to evaluating the effectiveness of maintenance program plans and the quality of work done in compliance with those plans.

In the area of operational matters, the investigation revealed several safety issues.

In the event of a loss of communication between the ground control station and the aircraft, the UA is designed to autonomously initiate a lost-link emergency mission and fly this route until communications can be reestablished. A review of the process used to develop these emergency missions revealed that no standardized, safety-based method was used to define the route. As a result, the corresponding safety risk to persons and property on the ground, should UA communications become permanently non-recoverable, was not well understood.

When presented with the console lockup, the accident pilot did not follow the established emergency procedures and he did not declare an emergency when he could not reestablish communication with the UA. Dealing correctly with emergencies is a critical skill for all pilots, and failure to do so in this accident is a concern because it resulted in an unmanned aircraft flying uncontrolled into unprotected airspace. Pilot training for emergency operations is essential to ensuring the safe operation of UAs in the NAS.

Further, air traffic controllers expect the UA to fly the lost link mission route defined in the COA, but the investigation found that UA pilots routinely modified portions of the lost link mission without coordinating such changes with ATC in advance. This prevented ATC from effectively tracking UA position during emergency situations because they were unfamiliar with the actual lost link profiles that CBP had programmed into the UA.

Independent accident and incident investigation is a critical tool for safety assurance. To fully exercise this tool, the collection of certain types of perishable information, such as verbal conversations between operational staff, is essential. This investigation revealed that conversations among CBP assets inside the GCS and some conversations between those assets and ATC were not recorded. As a result, investigators were not able to perform a full evaluation of the effectiveness of communications during the accident sequence.

The investigation also revealed that controllers did not handle the UA using established procedures for dealing with an in-flight emergency as well as those related to accident reporting. As a result, controllers were unaware of the UA’s whereabouts for nearly 2 1/2 hours before they were advised that the aircraft had crashed.

The Safety Board determined that the probable cause of the accident was the pilot’s failure to use checklist procedures when switching operational control from a console that had become inoperable due to a “lockup” condition, which resulted in the fuel valve inadvertently being shut off and the subsequent total loss of engine power.

Contributing to the accident was the absence of a flight instructor in the Ground Control Station as required by CPB rules. The pilot did not have enough hours to fly the drone solo, but the instructor was in another building when the trouble occurred.

Factors associated with the accident were repeated and unresolved console lockups, inadequate maintenance procedures performed by GA-ASI, and the CPB’s inadequate monitoring of border surveillance program.

At the Board meeting, the NTSB probed several areas of particular interest including: the design and certification of the unmanned aircraft system; pilot qualification and training; the integration of UAs into the air traffic management system; and the lack of UA communications record keeping. These issues were addressed by their recommendations.

“This investigation has raised questions about the different standards for manned and unmanned aircraft and the safety implications of this discrepancy,” said Rosenker. “Why, for example, were numerous unresolved lock-ups of the pilot’s control console even possible while such conditions would never be tolerated in the cockpit of a manned aircraft?”

Expressing concerns about how manned and unmanned aircraft will share the same airspace, Chairman Rosenker said, “The fact that we approved 22 safety recommendations based on our investigation of a single accident is an indication of the scope of the safety issues these unmanned aircraft are bringing into the National Airspace System.”

The Safety Board’s investigation revealed that the pilot was not proficient in the performance of emergency procedures, which led to the accident.

“The pilot is still the pilot, whether he is at a remote console or on the flight deck. We need to make sure that the system by which pilots are trained and readied for flight is rigorous and thorough. With the potential for thousands of these unmanned aircraft in use years from now, the standards for pilot training need to be set high to ensure that those on the ground and other users of the airspace are not put in jeopardy,” said Rosenker.

On the issue of UA operations-related communications, the Safety Board noted that there is no equivalent of a cockpit voice recorder at the pilot’s control console and that the pilot’s communications with air traffic controllers and others were not recorded.

As a result of the investigation, the NTSB made the following safety recommendations to the CBP:

• Require GA-ASI to modify the UAS to ensure that inadvertent engine shutdowns do not occur.
• Require GA-ASI to modify the UAS to provide adequate visual and aural indications of safety-critical faults, such as engine-out conditions and console lockups, and present them in order of priority, based on the urgency for pilot awareness and response.
• Review the CBP’s methods of developing the lost-link mission profiles to ensure that lost-link mission profile routes minimize the potential safety impact to persons on the ground, optimize the ability to recover the data link, and, in the absence of data-link recovery, provide the capability to proceed to a safe zone for crash landing.
• Following completion of the action requested in Safety Recommendation 3, require that pilots be trained concerning the expected performance and flightpath of the UA during a lost-link mission.
• Require that the UAS be modified to ensure that the transponder continues to provide beacon code and altitude information to air traffic control even if an engine shuts down in flight and that the pilot is provided a clear indication if transponder function is lost for any reason.
• Review all UAS functions and require necessary design changes to the UASs that the CBP operates to ensure that electrical power is available to UA control following loss of engine power.
• Develop a means of restarting the UA engine during the lost-link emergency mission profile that does not rely on line-of-sight control, for example, through an autonomous capability in the UAS’s control system or through use of control functions enabled via a backup satellite communication system available to the pilot on the ground.
• Participate in periodic operational reviews between the UAS operations team and local air traffic control facilities, with specific emphasis on face-to-face coordination between the working-level controller and UA pilot(s), to clearly define responsibilities and actions required for standard and nonstandard UA operations.
• Require that all conversations, including telephone conversations, between UA pilots and air traffic control, other UA pilots, and other assets that provide operations support to UA operations, be recorded and retained to support accident investigations.
• Identify and correct the causes of the console lockups.
• Implement a documented maintenance and inspection program that identifies, tracks, and resolves the root cause of systemic deficiencies and that includes steps for in-depth troubleshooting, repair, and verification of functionality before returning aircraft to service.
• Require that aviation engineering and maintenance experts oversee the definition of maintenance tasks, establishment of inspection criteria, and the implementation of such programs. The CBP also should ensure oversight of contractor(s) implementing such programs.
• Develop minimum equipment lists and dispatch deviation guides for the CBP’s UAS operations.
• Assess the spare-parts requirements for CBP’s UAS operations to ensure the availability of parts critical to UA launch, as defined by the minimum equipment list requirements.
• Revise CBP’s pilot training program to ensure pilot proficiency in executing emergency procedures.
• Require that a backup pilot or another person who can provide an equivalent level of safety as a backup pilot be readily available during the operation of a UAS.
• Develop a safety plan, which ensures that hazards to the National Airspace System and persons on the ground introduced by the CBP UAS operation are identified and that necessary actions are taken to mitigate the corresponding safety risks to the public over the life of the program. The plan should include, as a minimum, design requirements, emergency procedures, and maintenance program requirements to minimize the safety impact of UAS malfunctions in flight, continuous monitoring of the CBP’s UA operation, analysis of malfunctions and incidents, and lessons learned from other operators of similar UAS designs.

The Safety Board offered the Federal Aviation Administration five recommendations:

• Require that UA transponders provide beacon code and altitude information to air traffic control and to aircraft equipped with traffic collision avoidance systems at all times while airborne by ensuring that the transponder is powered via the emergency or battery bus.
• Require that all conversations including telephone conversations, between UA pilots and air traffic control, other UA pilots, and other assets that provide operational support to UAS operations be recorded and retained in accordance with Federal Aviation Orders 7210.3 and 8020.11.
• Require periodic operational reviews between the UAS operations teams and local air traffic control facilities, with specific emphasis on face-to-face coordination between working-level controllers and UA pilot(s), to clearly define responsibilities and actions required for standard and nonstandard UAS operations. These operational reviews should include, but not be limited to, discussion on lost-link profiles and procedures, the potential for unique emergency situations and methods to mitigate them, platform-specific aircraft characteristics, and airspace management procedures.
• Require that established procedures for handling piloted aircraft emergencies be applied to UAS.
• Require that all UAS operators report to the Federal Aviation Administration, in writing within 30 days of occurrence, all incidents and malfunctions that affect safety; require that operators are analyzing these data in an effort to improve safety; and evaluate these data to determine whether programs and procedures, including those under air traffic control, remain effective in mitigating safety risks.

The NTSB recommendations “make it clear that significant design and operational safety improvements must be made before UAS can safely share airspace with airliners carrying passengers, cargo, and crews or fly above populated areas,” says the Air Line Pilots Association (ALPA).

“This first-of-its-kind NTSB investigation shows that these unmanned vehicles and ground support equipment simply aren’t designed or built to the same high standard as airliners and that they don’t have the same operational capabilities that ensure safety,” said Capt. Brian Townsend, chairman of ALPA’s National Airspace System Modernization Committee. “We are extremely encouraged by the NTSB’s discussion of the progress that is essential before unmanned aircraft can truly be ready for unrestricted operation.”

“This crash shows what can happen when the multiple layers of safety that are the bedrock of the U.S. air transportation system are missing. A robust design, a well-trained operator, thorough corporate oversight, and scrutiny by the regulator are all essential elements of a safe aviation system,” continued Townsend. “The NTSB investigation pointed out that current UAS operations can have flaws in each of these areas – flaws that must all be corrected before UAS can be allowed unrestricted access to the nation’s airspace.”

ALPA has long advocated that UAS should be allowed access to the national airspace only if the same level of safety currently in place for other NAS users is ensured. Outstanding concerns for ALPA include the aircraft’s capability to maintain continuous contact with the operator, detect weather, avoid collisions with airliners, and operate in congested air traffic areas.

ALPA believes that a well-trained and highly qualified flight crew remains the most important safety component of our air transportation system. “Preventing an accident or reducing its toll depends on years of training, an ability to quickly evaluate options, and the pilots’ response to hands-on control pressures,” concludes Townsend. “The safety net must be made more robust to protect the public, both in the air and on the ground. Training qualified pilots for UAS operations is an essential thread in that safety net.”

For its part, the FAA said in a statement that: “The introduction of UASs to the NAS is a challenging enterprise for the FAA and the aviation community. UAS proponents have a growing interest in expediting access to the NAS. There is an increase in the number and scope of UAS flights in an already busy NAS. The design of many UASs makes them difficult to see, and adequate “detect, sense and avoid” technology is years away. Decisions being made about UAS airworthiness and operational requirements must fully address safety implications of UASs flying in the same airspace as manned aircraft, and perhaps more importantly, aircraft with passengers.”

After ruling on probable cause and adopting safety recommendations, the Safety Board voted to convene a public forum on the safety of UA operations and the methodologies to use when investigating UA accident and incidents. The date and agenda for the 2-3 day forum will be announced once details are finalized, but the forum is expected to take place in April 2008. The UA Public Forum will be chaired by NTSB Member Kathryn Higgins.