Beyond Visual Line
of Sight for UAS

D-Risq - icon


Led by the leading UK UAS developer, Callen Lenz Ltd,. the aim of the project was to enable an autonomous Unmanned Air Vehicle (UAV) to operate safely Beyond Visual Line of Sight (BVLOS). The project needed to demonstrate the principles of how compliance to software standards (while developing a capability) could be further evolved. As the air environment can change very quickly, and reaction times can be very short,  BVLOS operations have to be capable of being conducted without an operator oversight, as potentially communications are intermittent or i may even be completely lost.

In such circumstances it would not be acceptable for such an air vehicle to fly without assurance of its behaviour. Even low endurance UAVs can have ranges exceeding 10 km potentially constituting a significant safety hazard. D-RisQ built upon lessons learned in the development of a Safety Monitor in the USMOOTH marine based project (see Client Projects) but now had to cope with far higher speeds in 3-dimensions.

Aircraft routing (path planning) was based upon unverifiable, risk- based software with significant limitations on its algorithms for making safety claims. While such algorithms can provide significant benefits, a weakness is that they may fail to come up with a solution to a path planning problem in time, or indeed, at all. D-RisQ was asked to provide a safety monitor that would ensure that the UAV always complied with the rules-of-the-air (Standardised European Rules-Of-The-Air, SERA) for collision avoidance;. The project needed to show that the aircraft would behave exactly as another air user would expect an aircraft to behave, which includes not only manned aircraft but also Air Traffic Controllers. An additional complexity was that the results needed to be able to show that this approach would work for both fixed wing and for hover capable aircraft.

D-risq - Architecture image


The Safety Monitor system architecture was developed to enable the appropriate safety claims to be made to a certification authority. This included allowing an operator to take control for launch and recovery. Given the UAS speed, especially potential closing speeds with other aircraft, reaction times needed to be very fast. Air traffic that was apparently far away could be a collision risk in a very short time. It was therefore assumed from the start that the UAV would have to have an autonomous capability to manoeuvre in emergency scenarios, unless there was a direct override by a controller in situations where, for example, they had a line of sight. In normal operations a controller will be communicating with a UAV. However, if it can be shown that once the UAV is beyond line of sight communications, it will always behave correctly and be able to complete its task, then that may negate the need for the weight and expense of satellite communications.

A key issue for the project was to demonstrate that an independent control algorithm (Safety Monitor) within the UAV control system could take the information from a sensor and use it to apply control in the emergency scenarios. Although only the ADS-B sensor was used in this project, it was recognised that sensor fusion from multiple sensors such as optical or/and radar, might be required in future to be able to make decisions on the correctly classified threats. A key component of the project was how to account for some major faults that might affect the ability of an aircraft to safely complete its task. Whilst for demonstration purposes, hover capable UAVs would be used, hovering as an potential behaviour for collision avoidance was disallowed in the proposed architecture. A final consideration was that while the default operating mode would be behaving in accordance with the rules of the air, there was scope to allow the aircraft to behave in a non-standard manner, should the situation demand.


Software Standard

The aerospace software certification standard DO-178C would be used for this project and compliance would make use of D-RisQ’s automatic formal verification tools and technologies throughout the project utilising DO-333, the Formal Methods Supplement to DO-178C. DO-330 would also be used as part of the guidance for the development of those verification tools. Because of this DO-178C and DO-330 compliance can be achieved in a quite straightforward and relatively cheap way. It was decided that, as far as possible given the constraints of the project, the software development would be conducted to comply with DO-178C Level A, the highest level of verification.

D-risq - Software Standard image
D-risq - Requirements image


The system behavioural requirements for the Safety Monitor were developed in a series of project workshops which generated a System Requirements Document reviewed and approved by the project partners. These requirements covered many different facets of the UAV, the use case, the COLREGS the environment it had to operate in together with the safety requirements that had to be met. The System Requirements were then developed by D-RisQ into a set of Software High Level Requirements (HLRs). At this stage, a prototype of the D-RisQ Kapture® tool was used to develop the software design requirements in a verifiable format. As part of Kapture®, the semantics for a set of templates had been developed showing that there was sufficient expressivity for use by 3rd parties in a future commercial tool. The HLRs were reviewed against the System Requirements and claims could be made that the appropriate DO-333 objectives had been met.


Design, code and verification

A design for the decision- making software was undertaken based upon the HLRs and using Simulink / Stateflow. The question that needed to be answered by the project was “Does this design satisfy the HLRs?” To prove this D-RisQ Modelworks® tool was utilised to undertake the automatic verification of the design against the HLRs. This again supported meeting the DO-333 objectives.

System validation simulation was done to show that the system behaviour was as intended at the system level. C code was then automatically generated from the design into subset of the C  programming language for which a formal semantics had been provided. Beyond the scope for this project was the verification of the source code or the compiled code in order to claim the appropriate DO-178C or DO-333 objectives, although some successful test cases were run.

A considerable number of simulations were run by D-RisQ and, with the hardware in the loop, by Callen-Lenz. The scenarios included pathological situations in order to see how the vehicle would behave in extreme circumstances. The results in all cases were that the UAV avoided all other objects and in every case, the manoeuvre was one that would be recognised by another air user as the way they too, would react. This included the extreme, pathological scenarios where the UAV sometimes had to interpret the Rules-Of-The-Air in a manner that was unconventional. A successful set of air based trials  were conducted by Callen-Lenz with both static and moving obstacles (see video).

D-risq - Design, Code, Verification image
D-risq - Outcomes image


The automatic decision-making Safety Monitor software worked exactly as required. A limited number of air tests were run by Callen-Lenz that showed that the behaviour was exactly as intended. This is backed up by the mathematical proof of the system’s behaviour, against the requirements described in English. The project accelerated the development of the D-RisQ Kapture® tool and expanded the capabilities of Modelworks®. A safety summary and certification material for future use was also generated to aid future development. The next steps for D-RisQ will be to commercialise automatic formal verification of the automatically produced source code (CLawZ® tool) and then an automatic formal verification of the executable object code (FEVER tool).


Artificial Intelligence, Safety and Costs

This project extended the knowledge D-RisQ had, of how to produce safety monitoring software for embedded real time systems that exploit risk- based or AI- based software. It means that a solution exists allowing the benefits of AI without having to worry about its safety. A route was provided to independent, high integrity decision-making  software that allows safe operations of the Unmanned Air Vehicles for Beyond Visual Line of Sight operations. Utilising D-RisQ tools and technology, this was achieved at very low cost and showed how a developer could comply with internationally recognised software standards. The approach is therefore an enabler of AI systems as the project showed that the required trust in such autonomous systems at a cost that is affordable can be provided.

D-risq - Artificial intelligence image


Get in touch



The autonomous underwater vehicle developed under A2I2 will be further developed and demonstrated with our partners Rovco and National Oceanography Centre. Predicate Guard will be further validated in trials for wind farm mono-pile inspection and intervention.

D-Risq - Square image
D-Risq - Square image
D-Risq - Square image
D-Risq - Square image
D-Risq - logo