Design Considerations for Safer Small Unmanned Aerial Systems

Michael J. Logan NASA Langley Research Center, Hampton, VA
Jay Gundlach FlightHouse Engineering, Portland Oregon
Thomas L. Vranas National Institute of Aerospace, Hampton, VA

There is an increasing demand for capable and affordable small UAS for a variety of potential mission applications. Some of these applications would notionally require significant improvements in the level of safety offered by current commercial sUAS.

This paper explores some of the concepts and potential solutions to the improvement of safety for small UAS.

A portion of the safety issues associated with sUAS operations involves the vehicle’s
response to an “off-nominal” event. Recent flight tests have demonstrated the need for more robust recoveries from failures such as rotor failures for multi-rotors and control surface failures for fixed-wing vehicles. The paper explores what mitigations or design improvements could be made while keeping to affordability and utility constraints. These include design-for-control aspects as well as basic lessons learned from 15 years of small UAS design,building, and flying at NASA’s Small Unmanned Aerial Vehicle Laboratory.

Another element to providing for additional safety mitigations involves a reduction in the hazard posed by a failed system. Many of today’s small UAS are rigid structures complete with sharp edges and high-density components which can cause serious harm to any person on the ground below where a sUAS might crash or to other aircraft in the event of a collision. The paper explores the use of non-rigid structures, modified components, and proposes other methods for reducing the hazard associated with a crash.


BVLOS = Beyond Visual Line of Sight
EFC = Effects of Failure Categorization
FMEA = Failure Modes and Effects Analysis
GCS = Ground Control Station
sUAS = Small UAS, generally considered as under 55lbs.
UAS = Unmanned Aircraft System
IMU = Inertial Measurement Unit
UTM = UAS Traffic Management
WOT = Wide Open Throttle
V/TOL = Vertical Take Off and Landing

I. Introduction

The integration of sUAS into the National Airspace System is desirable for a variety of reasons including economics, public safety, and enabling new missions. Many of the envisioned use cases involve not only BVLOS flight but also flight over people. This would entail a significant improvement in the robustness of sUAS to failures as well as a reduction in the overall hazard associated with those flights. Each of these two areas will be discussed below.

II. Improvement in sUAS Robustness

Recent research (Ref. 1) gives a good indication of how failures of primary control devices affect the ability of vehicles to navigate, ascend or descend. Mitigating the impact of those failures should be considered during the sUAS system design. The two categories of vehicles addressed are multi-rotors and fixed-wing sUAS.

For multi-rotors, mitigating the loss of a single rotor can be problematic. The number of rotors is generally inversely proportional to their efficiency but reduces the need for mitigating techniques so there is a tradeoff to be considered. In the case of a conventional quad-copter, loss of a single rotor will lead to a general loss of control, particularly in the yaw axis and is likely to cause the vehicle to tumble and crash. For hexacopters, flight tests indicated that while complete loss of a rotor will not cause a complete loss of control, however, the vehicle will lose the ability to turn to follow a waypoint pattern. Further testing will be required to determine what control impacts occur with octocopters and whether their impacts are less or similar to the hexacopter.

In examining possible mitigating strategies for multi-rotors, several possibilities have been considered. Currently, many commercially available vehicles use two motors and rotors on each arm of the vehicle. However, as was shown in Ref. 1, even this does not guarantee the vehicle will be able to navigate. Therefore, some other mitigation must be in place. One such possibility is the installation of small aerodynamic surfaces within the flow stream of the rotors. Figure 1. shows how such a device might be installed. Two such devices would need to be installed such that the failure of the rotor above one of the control surfaces does not impact the ability to navigate, albeit with less authority.

Figure 1. Aerodynamic control surface addition to multi-rotor arms.

Other possibilities include having at least two rotors with collective and cyclic (for redundancy in case one fails).

It is not clear how effective that may be in a multi-rotor compared to the additional weight and complexity of the enhanced rotors, however. Similarly, having the ability to pivot arms to re-position rotors might allow some relief.

However, since virtually all “pure” multicopters use a differential throttle to effect yawing moment, this approach may not be sufficient. Being able to rotate one or more arms (or motor mounts) along the arm axis might be useful to affect a yawing moment. Tricopters generally use one independently actuated pivoting rotor for yaw control and cancellation of rotor torque. Again the additional weight would have to be considered and compared to other approaches.

For fixed-wing vehicles, mitigations are somewhat more straightforward. For the experiments in Ref. 1, a failure of one aileron, either mid-point, full up, or full down, had varying degrees of impact. If the aileron simply stopped in its neutral mid-point position, the remaining aileron was still able to roll the vehicle with sufficient authority to maintain the flight path around the waypoint pattern. From a design perspective, this would impact the sizing of the ailerons to be able to manoeuvre with only one aileron. If the aileron gets stuck in the full up position, the remaining aileron usually can overcome the induced rolling moment because generating lift on the functional side overcomes the moderate decrease in lift on the failed side. Little rolling moment can be generated, however. The inverse of that problem is that having one aileron get stuck in the full down position would end up forcing the ailerons to act like deployed flaps while losing the ability to generate pure rolling moment. From a design perspective, possible approaches to overcome aileron failures might include:

– Use spring hinges to return the control surface to the neutral mid-point in the event of a servo failure
– Have a large enough rudder effector (CN,δR) coupled with dihedral effect (Cl,β) such that the vehicle can make a turn successfully if an aileron fails
– Separate each aileron into two segments driven independently so that 3/4 of the aileron control will always be available in the event of a single servo failure
– Have spoilers which can be controlled differentially to provide proverse yaw with roll input
– Have flaps which can be controlled differentially (flaperons)
– Have a multi-segment elevator which could be used as elevons in the event of an aileron failure

In the case of an elevator failure, similar issues arise. Recent experiments have demonstrated that even with an elevator of two segments if one portion of the elevator is stuck down, the remaining elevator may not be capable of generating sufficient up elevator resulting in a shallow dive. This would likely be configuration dependent in terms of the magnitude of the problem. However, there are several design approaches which could be used to increase elevator robustness such as:

– Design the elevator to use 3 or more independent segments. In that case, 2/3 of the elevator would be available to overcome a single servo or control surface failure.
– Use multiple devices to generate pitching moment (e.g. canard and elevator)
Recall that in the case of an aileron failure, rudder could alternatively be used to turn the vehicle. In the case of the elevator, there is not normally an alternative.

A prolific configuration for sUAS is a flying with elevons for control. The elevons provide pitch and roll control through a combination of same-direction deflections and opposite deflections, respectively. Most such UAS have a single elevon control surface per side. The advantage of this simple arrangement is that only two control surfaces and actuators are required for controlled flight, which reduces system cost and complexity. Since each surface actuated individually produces a rolling and pitching moment, this arrangement requires that both elevons are functional for control. The loss of either elevon would likely result in the loss of the aircraft. This configuration would benefit from redundant elevon segments on each side.

Other failures known to cause issues for sUAS include GPS failure, control link failure, IMU sensor failure(s), and battery failures. For GPS, redundant GPS are advised in safety-critical situations. Flight experiments have shown that two GPS units failing simultaneously is an exceedingly rare event and the additional weight is well worth the increase in reliability. Complete control link failures can be avoided by using more than one RF-independent link mechanism. For example, having one link be a point-to-point RF link and the other a cell or satellite-based link provides diversity in RF environments as well as redundancy, reducing the impact of RF fratricide and/or deliberate jamming in a specific frequency band. Sensor failures in on-board IMUs are typically handled by having multiple redundant sensors with some sort of Kalman filter or voting scheme to detect and ignore bad or spurious sensor data. As was shown in the Ref. 1 experiments, care must be taken to design each of the sensor units to be independent of other sensors such that the loss of one will not cause the loss of others. Battery failures sometimes can be mitigated by using more than one battery in parallel although two batteries typically weigh more than one larger battery of the same capacity. A predictive battery health monitor which notifies the operator of an impending battery failure would also be advantageous in conjunction with parallel batteries.

III. Hazard reduction

Even with increases in sUAS robustness, failures can still occur which could cause the vehicle to be forced to land or cause the vehicle to encounter a loss of control. In such instances, sUAS need to be designed in such as way as to reduce the damage caused during either collision or crash. Two recent studies, Ref. 3 & 4, relate to collision hazards of sUAS with people and other aircraft, respectively. Mitigations for these two types of hazards are discussed below.

A. Reducing the possible injuries to people by sUAS crashes

The magnitude of potential injury to humans is set by two main factors which are somewhat related, namely, kinetic energy and the impulse imparted during the crash. Kinetic energy, KE, is:

where M is the vehicle mass and V is the velocity at impact. Here it can be seen that more massive and faster vehicles have more kinetic energy during a collision with an object. Impulse is the product of force that acts over time and it is related to the vehicle’s momentum at impact:

The only way to decrease the average force of impact is to extend the time of the impact reaction. Increasing time requires an increase in reaction distance, potentially by introducing crush zones as used in automotive applications, padding of some sort, or elastic structures.

The two most likely injury mechanisms in the event of a sUAS collision with a person are lacerations/penetrations, and blunt force trauma. Typically the components causing the two types of injuries are different. Addressing both types of injury mechanisms, which components cause them, and how those effects can be mitigated through design changes are discussed below.

Superficial lacerations are most often caused by spinning propeller blades. These blades are typically very sharp, very stiff, and are spinning at high velocity. Efforts to reduce these types of injuries are usually centred around a protective barrier around the edge of the propeller, either as a small shroud, wire “bumper guard” or having the propellers embedded in the body of the sUAS. While embedding the propellers in the body provides the highest level of potential protection, it also imposes the largest penalty in terms of size and weight.

Examples of this include the Parrot AR Drone and the Drone America DAX-8. Small shrouds and outer rings are often not sufficiently stiff to keep the propeller from impacting objects like fingers (or the head) with the propeller either slicing through the shroud or the propeller disintegrating and the shards are thrown into the person. Options for changing small propeller technology are limited. Some possible mitigations might include the use of:

– Propellers made from a very stiff inner core surrounded by a soft elastic material to create the proper aerodynamic shape
– Use larger, slower turning propellers
– Devise slip shaft devices that cause the propeller to slip on the shaft in the event of resistance (such as striking an object)
– Use of soft tip devices or “bumpers” attached to the propeller tips

Deep penetrating wounds are exceptionally rare but are typically caused by sharp edges on either the sUAS body, landing gear, payload or payload bay, or battery encasement. Damage due to landing gear can be mitigated by the use of inexpensive, lightweight padding. Figure 2. shows an example of using pool noodles to encase the carbon
fiber tubes of the landing hear. This approach has the added benefit of providing some protection from hard landings as well.

For sUAS bodies as well as payloads and batteries, care should be taken to have no sharp acute angles. If a component has a sharp angle, it is likely to cause more injury than if it is blunter. Rounding and/or padding should be considered.

Blunt force trauma is typically a pressure or impact force applied to a larger region not resulting in a penetration yet still causing significant injury. As such, there are mitigations which can be considered to reduce this hazard as well. These include:

– Reducing the impact velocity via active or passive means (eg. Parachute, speed brakes, etc.)
– Reducing the impulse load by extending the area and time of the energy transfer (e.g. padding, airbag, etc.)
– Reducing the mass of the overall vehicle
– Provide for semi-elastic, energy absorbing structures which deform and deflect the kinetic energy
– Distribute the mass of the vehicle and its impulse over a larger area such that the impact energy is dispersed
– Inflatable airframe structural elements would have less blunt force trauma potential than rigid metal or composite structures.

Figure 2. Simple landing gear hazard reduction.

These and other mitigations should be considered during the system design phase. The level of mitigations used should be commensurate with the type of operation the system is expected to perform. Operating over an open-air concert is much different than operating over a cornfield, for example. It is, therefore, reasonable to match the level of hazard mitigation to the expectation of risk.

B. Reducing the possible hazards to other aircraft in the event of a collision

Similarly to collisions with people, collisions with other aircraft could occur during an operation where multiple failures of the system and/or operator have occurred. The preliminary work published in Ref. 4, along with practical experience with sUAS leads to an identification of the largest contributors to possible damage to other aircraft along with potential mitigating strategies.

Electric motors, owing to their higher density and typical construction, represent the most damage causing devices. Options for mitigating their hazard might include:
– Replacing all-metal casings with composite material
– Replacing center shafts with lower density materials
– Replacing metal propeller shaft adapters with plastic or other semi-rigid materials
– Reduce the mass and/or mass density of the motor as a whole
– Reduce the size of the motor (without increasing its density)
– Provide an energy absorbing shell around the motor
– Provide break-away propeller adapters and motor mounts
– For fixed-wing sUAS, avoid tractor configurations and use the sUAS structure to provide some energy absorption.

Batteries also can prove damaging in a collision owing to their mass and density. Mitigations to these forms of damage causes can be considered such as distributed cells, parallel batteries, softer polymer usage, and energy absorbing cases around the batteries. Obviously, the battery mass should be minimized to the extent practicable.

Payloads should be considered as well. As discussed above, payload mass and density reduction should be the primary mitigation with non-acute angles and energy absorbing casings used. With the current pace of miniaturization, it should be expected that payload weights and densities will fall over time.

Structures for sUAS are probably the least likely to cause damage to other aircraft with some exceptions. Most multi-rotor structures are either soft plastic shells or thin-walled carbon fibre or aluminium tubes. Having break-away connections between components will help dissipate the kinetic energy more quickly, with the drawback of causing a marginal increase in the likelihood of a structural failure due to the connections. For fixed-wing sUAS, typically rigid structures such as landing gear can have a significant effect on the damage level caused during a collision. If possible, replacement of these highly rigid structures with more elastic ones should be considered. Some commercial firms have eliminated landing gear altogether via parachute recovery, airbag deployment, or V/TOL operation.

IV. Conclusions

Many use cases for small UAS will require a significant reduction in the hazards associated with their operation under specific conditions such as BVLOS and flight over people. It is important to consider these hazards and incorporate mitigations into the overall design of the sUAS. Trade studies unique to each configuration, operational environment, and payload suite should be used to determine the appropriate level, type, and number of hazard mitigation strategies for the operation intended to be performed. Several possible mitigation strategies have been identified in the paper at a qualitative level. More study is required to define the potential quantitative reductions in the hazards and to assess appropriate levels of safety for these various operations as well as their impacts on the sUAS size, weight, cost, and utility.


1    Michael J. Logan and Louis J. Glaab, “Failure Mode Effects Analysis and Flight Testing for Small Unmanned Aerial Systems”, 17th AIAA Aviation Technology, Integration, and Operations Conference, AIAA AVIATION Forum, (AIAA 2017-3270)



4   Gundlach, Jay, Civil and Commercial Unmanned Aircraft Systems, AIAA Education Series, 2016