Copyright © 2014 RMIT UAS Corporation (RUASC)
Assignment
AERO 2370 – Engineering Risk Management in Aviation
Master of Engineering (Aerospace and Aviation)
Prepared by: Guan Kai, No. 3407535
Version No: 1.0
Date: 7th September 2014
TABLE OF CONTENTS
1 INTRODUCTION 5
1.1 BACKGROUND 5
1.2 RMIT UNMANNED AIRCRAFT SYSTEMS CORPORATION 5
1.3 SCOPE OF DOCUMENT 5
2 ESTABLISHING THE CONTEXT 6
2.1 AIMS AND OBJECTIVES 6
2.2 STAKEHOLDERS 6
2.3 RISK FRAMEWORK AND CRITERIA 6
2.3.1 CONSEQUENCE 7
2.3.2 LIKELIHOOD 8
2.3.3 RISK 8
2.3.4 RISK CRITERIA 9
2.4 ADMINISTRATION AND RESOURCES 9
3 RISK IDENTIFICATION 10
3.1 PRELIMINARY HAZARD LIST 10
3.2 FUNCTIONAL HAZARD ANALYSIS 11
3.3 EVENT TREE 19
3.4 MASTER LOGIC DIAGRAM 20
3.5 BARRIER BOW TIE DIAGRAM 21
3.6 RISK REGISTER 21
4 RISK ANALYSIS 22
4.1 CONSEQUENCE ASSESSMENT 22
4.2 LIKELIHOOD ASSESSMENT 22
4.2.1 FAULT TREE 22
4.2.2 DATA SOURCES 23
4.3 LEVEL OF RISK 23
4.4 UNCERTAINTY ANALYSIS 23
5 RISK EVALUATION 23
6 RISK TREATMENT 24
6.1 TREATMENT OPTIONS 24
6.2 EXAMPLE TREATMENT ASSESSMENT 25
6.3 RESIDUAL RISK ASSESSMENT 27
7 MONITOR AND REVIEW 28
8 COMMUNICATION AND CONSULTATION 28
9 CONCLUSIONS 29
10 REFERENCES 30
11 ACRONYMS 31
12 APPENDIX A – RPAS AND CONOPS 32
13 APPENDIX B – HIGH LEVEL SYSTEM DESCRIPTION 33
14 APPENDIX C – RISK REGISTER 35
15 APPENDIX D – RELIABILITY BLOCK DIAGRAM WORKING 37
FIGURES
FIGURE 1 – RISK MATRIX 8
FIGURE 2 – EVENT TREE (SEE APPENDIX E FOR MORE CLEAR VIEW) 19
FIGURE 3 – MASTER LOGIC DIAGRAM (SEE APPENDIX F FOR MORE CLEAR VIEW) 20
FIGURE 4 – BARRIER BOW TIE MODEL (SEE APPENDIX G FOR MORE CLEAR VIEW) 21
FIGURE 5 – FAULT TREE (SEE APPENDIX H FOR MORE CLEAR VIEW) 22
FIGURE 6 – EXAMPLE BBT FOR TREATED RISK SCENARIO 25
FIGURE 7 – RELIABILITY BLOCK DIAGRAM – TRIPLEX SYSTEM 26
FIGURE 8 – RELIABILITY BLOCK DIAGRAM – REDUNDANT SYSTEM 26
FIGURE 9 – RUASC RPAS, SHIP LAUNCH SYSTEM AND SHIP RECOVERY WIRE SYSTEM 32
FIGURE 10 – PRIMARY SUB-SYSTEMS OF AN RPAS (RED) AND ASSOCIATED FUNCTIONS (BLUE AND GREEN) 34
TABLES
TABLE 1 – CONSEQUENCE SCALE 7
TABLE 2 – LIKELIHOOD SCALE 8
TABLE 3 – RISK SCALE 8
TABLE 4 – APPLICATION OF THE ALARP FRAMEWORK 9
TABLE 5 – FUNCTIONAL FAILURE CLASSIFICATION LEVELS (EUROCAE 2013) 11
TABLE 6 – FUNCTIONAL HAZARD ANALYSIS (FHA) 12
TABLE 7 – RELIABILITY TREATMENT ANALYSIS 26
TABLE 8 – RISK REGISTER 36
1 Introduction
1.1 Background
Unmanned Aircraft Systems (UAS), more commonly referred to as drones, are the fastest
growing sector of the Australian aviation industry. They have many advantages when compared
with manned aircraft. There is no need to worry about human safety when flying into a
dangerous area for surveillance, which helps scientists gain much more useful knowledge of
such areas. In addition, using a UAV for a mission can save fuel cost because the aircraft is
lighter without a human on board. Furthermore, because UAVs do not carry a human on board,
they do not need life-support and occupant-protection systems, which makes the UAV lighter
still. Without those systems, the UAV can carry more equipment to help it complete the mission
more easily and completely.
In accordance with regulations contained in Civil Aviation Safety Regulation 1998 (CASR 1998),
Part 101, an organisation wishing to operate a UAS for purposes other than hobby and
recreation must obtain approval from the Civil Aviation Safety Authority (CASA). An approval
can take the form of an area approval or the issuing of an Unmanned Operator Certificate
(UOC) to the organisation. In order to obtain such approvals, a detailed safety risk
management plan must be submitted to CASA.
For more information on applicable safety regulations see (CASA 2012a).
1.2 RMIT Unmanned Aircraft Systems Corporation
RMIT UAS Corporation (RUASC) is preparing its application to CASA for a UOC. The
particular UAS and the concept of operation proposed by RUASC are detailed in Appendix A.
RUASC is a small organisation and has recently contracted the services of Guan Kai to
assist with the preparation of the safety case. This safety case will form a critical part of its
UOC application to CASA.
1.3 Scope of Document
This document describes the application of the safety risk management process to the UAS
and concept of operation detailed in Appendix A.
2 Establishing the Context
2.1 Aims and Objectives
The aim of this activity is to ensure the safe conduct of RUASC UAS operations in accordance
with the concept of operations described in Appendix A.
The objectives of this safety risk management activity are to:
1. Apply the safety risk management process to the UAS and concept of operations
described in Appendix A;
2. Provide a high level of assurance to CASA that the safety risks associated with the
proposed UAS operations have been managed to acceptable levels;
3. Support RUASC’s application for a UOC.
2.2 Stakeholders
This RPAS is operated by RUASC, so the first stakeholder is RUASC itself. Because this UAV
will be used for fisheries protection, private fishers and fishing companies will also be
interested in this program. ATC and the navy will also pay attention to it, because the UAV may
fly into their operating areas: ATC needs clear information about the UAV's flight path and
flight status to make sure it will not collide with manned aircraft, and the navy needs to make
sure the UAV will not fly into restricted areas. In addition, airlines and tourist flight companies
will be interested in the RPAS because their routes may be affected by this UAV. The same
applies to shipping companies, because the UAV could help them understand ocean conditions
but may also endanger their ships if it loses control. Furthermore, because this UAV is also
used for maritime surveillance, maritime organisations such as the maritime safety
administration and maritime first-aid organisations will also pay attention to it; the UAV could
help survey the ocean and reduce those organisations' workload. Additionally, scientists,
scientific organisations and universities in fields such as ocean environment, geography and
biology will be interested in a UAV that could help them explore the ocean safely. Finally, the
government is also a stakeholder because the RPAS is operated in its territory and tax must be
paid on it.
2.3 Risk Framework and Criteria
The risk management framework used in this report is consistent with International Standard
ISO 31000 (ISO 2009) and the Aviation Common Risk Framework (DIRD 2013).
2.3.1 Consequence
The primary concerns of a range of stakeholders were presented in Section § 2.1. The
particular dimensions of consequence associated with these stakeholder objectives vary. Of
principal concern to the preparation of a UOC is the safety and wellbeing of people. This must
include those associated with the activity (i.e., employees of RUASC, and those benefiting from
the UAS service offered by RUASC) and those people not associated with the activity (e.g.,
members of the public). The consequence scale to be used in this risk management plan
reflects these primary concerns and is presented in Table 1.
| Severity | Level | Meaning |
|---|---|---|
| Catastrophic | A | Fatality; UAV destroyed; damage to others (causing destruction or loss of ability to complete mission) |
| Hazardous | B | Human injury; UAV major damage (cannot fly without repair); major damage to others (equipment must be replaced or is costly to repair) but mission can be completed |
| Major | C | UAV minor damage (cannot complete mission, but can still fly); minor damage to others (can be fixed easily) |
| Moderate | D | Significant increase in workload for RPAS crew, ATC or other parties; others' mission delayed but no damage occurs; UAV cannot fly without manual remote control |
| Minor | E | Minor incident; affects other parties' normal work but causes no delay; slight increase in workload for RPAS crew, ATC or other parties; UAV mission delayed |
| Negligible | F | Does not affect completing the mission on time; nearly no financial loss |
Table 1 – Consequence Scale
2.3.2 Likelihood
The likelihood scale to be used in the risk management process is presented in Table 2. The
scale provides a qualitative label, a word description of the likelihood, and a description of the
frequency of occurrence per unit of operation.
| Likelihood | Level | Description |
|---|---|---|
| Frequent | 6 | Expected to occur in many flight cycles |
| Probable | 5 | May occur in several flight cycles |
| Occasional | 4 | May occur a few times in an individual UAV's lifetime |
| Remote | 3 | Unlikely to occur, but will occur at least once in an individual UAV's lifetime |
| Improbable | 2 | Unlikely to occur; an individual UAV may never experience it during its whole lifetime |
| Rare | 1 | Almost cannot occur (has not occurred in current data) |
Table 2 – Likelihood Scale
2.3.3 Risk
Risk is the composite of consequence and likelihood. The risk scale to be used in the risk
management process is presented in Table 3. The scale provides a qualitative label (with
indicative cell colouring), a word description of the level of risk, and a column identifying the
different combinations of consequence and likelihood that give rise to each level of risk. The
combinations are also presented graphically as a risk matrix in Figure 1.
Risk levels: High, Serious, Medium, Low
Table 3 – Risk Scale
Figure 1 – Risk Matrix
| Risk probability \ Risk severity | Catastrophic A | Hazardous B | Major C | Moderate D | Minor E | Negligible F |
|---|---|---|---|---|---|---|
| Frequent 6 | 6A | 6B | 6C | 6D | 6E | 6F |
| Probable 5 | 5A | 5B | 5C | 5D | 5E | 5F |
| Occasional 4 | 4A | 4B | 4C | 4D | 4E | 4F |
| Remote 3 | 3A | 3B | 3C | 3D | 3E | 3F |
| Improbable 2 | 2A | 2B | 2C | 2D | 2E | 2F |
| Rare 1 | 1A | 1B | 1C | 1D | 1E | 1F |
2.3.4 Risk Criteria
In accordance with the aviation CRMF, RUASC will adopt the As Low As Reasonably
Practicable (ALARP) decision-making framework. Only a qualitative assessment is provided.
The application of the ALARP framework to the risk levels defined in § 2.3.3 is presented in
Table 4. A description of the decision-making and risk treatment criteria applicable to each
ALARP region is also provided in Table 4.
Table 4 – Application of the ALARP Framework
2.4 Administration and Resources
The risk management process must be completed by 1730 Monday the 8th of September in
order to be included in the UOC application to CASA. Thus, only a qualitative assessment, to
an appropriate level of detail, is expected. The report must be submitted to the Managing
Director of RUASC, Dr Reece Clothier, via the RUASC office report drop-off box (SAMME
Reception Building 57, Level 3).
3 Risk Identification
3.1 Preliminary Hazard List
• Collision with birds. This UAV operates at 400-2500 ft, an altitude band with many sea
birds. Also, because the UAV is fast, it can easily collide with birds that are out of the
cameras’ view.
• Aircraft-frequented area. This UAV is operated within an area frequented by aircraft, which
makes mid-air collision a serious high risk that needs to be treated.
• Structure corrosion. The air over the sea is very humid and full of salt, which accelerates
corrosion if great care is not taken of the UAV.
• Thunderstorm. The weather over the ocean changes quickly and includes many kinds of
extreme weather. This UAV weighs only 25 kg, which makes it quite easy to lose control in
heavy winds.
• Fixed-wing control system failure. This UAV is a fixed-wing aircraft, so if the wing control
system fails the UAV will be out of control.
• Single engine. This UAV has only one engine, so if the engine fails the UAV will totally lose
propulsion.
• Launching system failure. This UAV is launched using a rail system. If the system fails, for
example by not having enough power to push the UAV to take-off speed, the UAV will drop
into the sea.
• GPS signal. This UAV uses GPS to determine its position. Without GPS, the UAV will lose its
way and cannot complete the mission. In addition, GPS delay will delay the UAV's flight
control and may even cause a collision.
• Recovery system structure break. This UAV is recovered with a recovery system that
suffers a high load when pulling the UAV to a stop. With careless maintenance, the recovery
system structure may break from fatigue.
• UAV structural damage caused by the recovery system. As with the recovery system, the
UAV also suffers a high load during recovery. If the UAV speed is too high, the UAV wings
may be torn by the recovery system.
• Flight plan error. This UAV uses an autonomous flight system that requires a human to enter
the flight plan before take-off. The system will follow the command even if it is wrong.
Therefore, a flight plan error, whether in making the plan or in entering it, will cause serious
consequences.
• Manual remote error. This UAV has a three-person remote crew for emergency operation, so
human error may also occur during manual remote operation.
• Fuel measurement system. Fuel is essential to maintain propulsion for the UAV. Without a
fuel measurement system, the operator cannot get fuel information such as fuel temperature,
how much fuel remains and abnormal fuel decrease. The UAV may run out of fuel and lose
propulsion.
• Loss of communication. This UAV’s mission is maritime surveillance and fisheries
protection. Without communication, the UAV totally loses the ability for real-time surveillance.
Also, without communication, the remote crew cannot recognise and take action when the
UAV gets into problems.
• Loss of flight altitude system. The autonomous flight system needs data from the flight
altitude measurement system to keep the UAV balanced and flying. Loss of the altitude
system is equivalent to loss of the autonomous system; even the remote crew can only get
limited altitude information through the cameras on the UAV.
• Crew fail to monitor. With current technology, the UAV cannot automatically avoid collision,
as it lacks a complete sense-and-avoid system. Thus, failure of the remote crew to monitor
greatly increases the rate of collision.
• Recovery wire system damages the propeller. The recovery system is just a wire that pulls
the UAV to a stop. If the UAV’s wing misses the wire, the propeller at the rear may collide with
the wire, which can tangle the wire in the propeller and damage it.
• Camera system out of service. As with communication, the camera system is used to
complete the UAV’s mission. If the camera breaks, the UAV totally loses its function.
• Visual difference. The view from the camera and the real view of human eyes are different,
which affects the crew’s judgement of distance and may cause a collision. Also, the field of
view through the camera is limited, so the crew can hardly perceive the real situation around
the UAV.
Besides those preliminary hazards, there are also many secondary hazards. For example,
when the UAV collides with birds or gets structural damage for other reasons, the falling
pieces may hurt people because the UAV flies quite low. Also, if the whole UAV goes out of
control and falls, with the acceleration of gravity the 25 kg UAV will seriously hurt people or
ships, and may even cause fatalities. In addition, an out-of-control UAV may also collide with
manned aircraft, which could cause a serious accident. On the other hand, another main
secondary hazard is other aircraft or ships taking dangerous action to avoid the UAV, which
may cause injury or even fatalities.
3.2 Functional Hazard Analysis
A Functional Hazard Analysis (FHA) provides a description of the potential outcomes of a
failure in a top-level system function. These failures provide a first pass at the set of
initiating events.
The system functions provided by each of the sub-systems comprising the RPAS are described
in Appendix B. The FHA for these functions is presented in Table 6. The classification of the
severity of the failure condition (i.e., consequence of the failure) used in the FHA is presented
in Table 5. Note, where a particular failure can lead to a number of potential consequential
outcomes, the worst consequential outcome is used to assign the failure condition class (from
Table 5). The completed FHA is presented in Table 6.
| Failure Condition | Description |
|---|---|
| Class I | Failure condition that is expected to directly or indirectly lead to physical hit of third parties in the air or on the ground. |
| Class II | Failure condition that is not expected to lead to physical hit of third parties in the air or on the ground but is expected to lead to stress to third parties in the air or on the ground as a result of a nearby collision or crash nearby third parties. |
| Class III | Failure condition that is not expected to lead to physical hit of third parties in the air or on the ground nor to stress to third parties in the air or on the ground but is expected to lead to a significant increase in workload to RPAS crew, to ATC or other parties. |
| Class IV | Failure condition that is not expected to lead to physical hit of third parties in the air or on the ground nor to stress to third parties in the air or on the ground but is expected to lead to a slight increase in workload to RPAS crew, to ATC, or to other parties. |
| Class V | Failure condition that is not expected to lead to physical hit of third parties in the air or on the ground nor to stress to third parties in the air or on the ground and will not lead to an increase in workload to RPAS crew, to ATC, or to other parties. |
Table 5 – Functional Failure Classification Levels (EUROCAE 2013)
Table 6 – Functional Hazard Analysis (FHA)
| Function | Failure Condition | Phase | Effect of Failure Condition on UAV | Classification | Reference to supporting material |
|---|---|---|---|---|---|
| Launching rail system | Complete loss, unannunciated | Launching | Fail to launch UAV | IV | |
| Launching rail system | Partial loss, unannunciated | Launching | Low speed for take-off, resulting in UAV dropping into sea | III | |
| Autonomous operation | Loss of system: a. unannunciated | Cruise | Loss of control, resulting in collision with water, ship or aircraft | I | |
| Autonomous operation | Loss of system: b. annunciated | Cruise | Remote control | IV | |
| Autonomous operation | Loss of system: c. unannunciated | Recovery | Loss of control, resulting in failed recovery or collision with water or customs vessel | III | |
| Autonomous operation | Loss of system: d. annunciated | Recovery | Remote control | V | |
| Autonomous operation | Flight plan developed or typed in incorrectly: a. unannunciated | Cruise | Mission fail / out of control / collision | I | |
| Autonomous operation | Flight plan developed or typed in incorrectly: b. annunciated | Cruise | Manual remote control | IV | |
| Flight altitude measurement system (including altitude, height and speed) | Complete or partial loss of system: a. unannunciated | Within line of sight | Loss of control, resulting in drop into sea / collision with ship | II | |
| Flight altitude measurement system | Complete or partial loss of system: b. annunciated | Within line of sight | Remote crew visually control the UAV landing | IV | |
| Flight altitude measurement system | Complete or partial loss of system: c. unannunciated | Cruise (beyond line of sight) | Loss of control, resulting in drop into sea / collision with ship / collision with other aircraft | I | |
| Flight altitude measurement system | Complete or partial loss of system: d. annunciated | Cruise (beyond line of sight) | Crew try to control the UAV with the on-board cameras, fly back and land | IV | All-sides cameras on the UAV |
| Flight altitude measurement system | Complete or partial loss of system: e. unannunciated | Recovery | Loss of control, resulting in drop into sea / collision with customs vessel | III | |
| Flight altitude measurement system | Complete or partial loss of system: f. annunciated | Recovery | Remote crew control the UAV to recover | V | |
| Engine status monitoring | Loss of system: a. unannunciated | Cruise | Cannot notice when the engine gets problems | I | |
| Engine status monitoring | Loss of system: b. annunciated | Cruise | Crew take actions to try to solve the problem | III | |
| Satellite communication | Loss of communication | Cruise | Cannot remote-control the UAV / loss of real-time maritime surveillance | III | Storage device on UAV to record the views |
| Satellite communication | Inadvertent closing of the communication link: a. unannunciated | Cruise | Loss of real-time maritime surveillance / no annunciation from the UAV when an emergency event happens | IV | |
| Satellite communication | Inadvertent closing of the communication link: b. annunciated | Cruise | Reconnect with UAV | V | Warning system for manned dangerous activation |
| Fuel measurement | Loss of system: a. unannunciated | Cruise | No warning when fuel is low, resulting in running out of fuel | I | |
| Fuel measurement | Loss of system: b. annunciated | Cruise | Crew remote-control the UAV to fly back before it runs out of fuel | V | |
| GPS system | Loss of GPS signal or GPS system: a. unannunciated | Cruise | Lose way / if cannot reconnect, run out of fuel and collide with water or ship | II | |
| GPS system | Loss of GPS signal or GPS system: b. annunciated | Cruise | Crew remote-control the UAV | III | Radar system to find the position of the UAV |
| GPS system | Loss of GPS signal or GPS system: c. unannunciated | Recovery | Cannot judge the position of the vertical wire system, resulting in failure to recover or collision with customs vessel | III | |
| GPS system | Loss of GPS signal or GPS system: d. annunciated | Recovery | Remote crew control the UAV to recover | V | |
| Recovery system | Complete loss of system: a. unannunciated | Recovery | Fail to recover | III | |
| Recovery system | Complete loss of system: b. annunciated | Recovery | Swap to another recovery system | IV | |
| Recovery system | Recovery system structure break: a. unannunciated | Recovery | Fail to recover / collision with customs vessel / injury to surrounding people | III | |
| Recovery system | Recovery system structure break: b. annunciated | Recovery | Swap to another recovery system | IV | |
| Propulsion system | Engine failure: a. unannunciated | Cruise | Cannot keep flying, resulting in collision with water or ship | I | |
| Propulsion system | Engine failure: b. annunciated | Cruise | Remote control to try to restart the engine | III | Engine restart system |
| Propulsion system | Inadvertent power reduction or engine stop: a. unannunciated | Cruise | Cannot keep flying, resulting in collision with water or ship | I | |
| Propulsion system | Inadvertent power reduction or engine stop: b. annunciated | Cruise | Remote control to increase the power or restart the engine | IV | Engine restart system; warning system for manned dangerous activation |
| Propulsion system | Propeller break | Cruise / recovery | Loss of propulsion | I | |
| Fixed-wing control | Loss of system: a. unannunciated | Launching | Loss of control, resulting in collision with water or customs vessel | I | |
| Fixed-wing control | Loss of system: b. annunciated | Launching | Cancel flight and fix UAV or swap UAV | IV | Swapped UAVs are needed |
| Fixed-wing control | Loss of system: c. unannunciated | Cruise / recovery | Loss of control, resulting in collision with water, ship or aircraft | I | |
| Fixed-wing control | Loss of system: d. annunciated | Cruise / recovery | Notify surrounding ships and aircraft to avoid the UAV | III | Connection with ship manager and air traffic control |
| Maritime surveillance system | Loss of system: a. unannunciated | Launching / cruise | Cannot complete the mission | III | |
| Maritime surveillance system | Loss of system: b. annunciated | Launching | Swap to another UAV | IV | Swapped UAVs are needed |
| Maritime surveillance system | Loss of system: c. annunciated | Cruise | Cannot complete the mission; swapped UAV needed to continue the mission | III | Swapped UAVs are needed |
| Maritime surveillance system | Forget to switch on camera: a. unannunciated | Cruise | Mission fail | III | |
| Maritime surveillance system | Forget to switch on camera: b. annunciated | Cruise | Switch on the camera | V | |
| Maritime surveillance system | Forget to remove camera lens cover: a. unannunciated | Launching | Mission fail | III | |
| Maritime surveillance system | Forget to remove camera lens cover: b. annunciated | Launching | Remove the cover | V | |
| Maritime surveillance system | Camera break: a. unannunciated | Cruise | Mission fail | III | |
| Maritime surveillance system | Camera break: b. annunciated | Cruise | Cannot complete the mission; swapped UAV needed to continue the mission | IV | |
| Maritime surveillance system | Loss of recording system: a. unannunciated | Cruise | No recorded data remain | IV | |
| Maritime surveillance system | Loss of recording system: b. annunciated | Cruise | Record at the operations centre via satellite communication | V | |
3.3 Event Tree
Event Trees (ETs) describe how an undesired initiating event (e.g., a loss of function or a
failure in a system) leads to consequential outcomes. High-level ETs can be developed at the
same time as the FHA to support the assignment of failure condition levels (e.g., those in Table
6) to particular failures. To illustrate, one top-level/initiating event (given in the FHA) is depicted
as an ET in Figure 2.
Figure 2 – Event Tree (see Appendix E for more clear view)
3.4 Master Logic Diagram
Master Logic Diagrams (MLDs) are a hierarchical description of a system that describes how
top-level events relate to failures in system functions and components of a system. The MLD
for the proposed UAS operation is provided in Figure 3.
As can be observed in Figure 3, the top level of the MLD is the single state of an accident. The
second level comprises each of the primary hazards (Section § 3.1). The third level describes
each of the system functions that could potentially contribute to each of the primary hazards
(i.e., based on the FHA and ET).
Figure 3 – Master Logic Diagram (see Appendix F for more clear view)
3.5 Barrier Bow Tie Diagram
From (ADF 2012), the Barrier Bow Tie (BBT) links hazards and their consequences through
event lines, illustrating the routes to accidents. Preventive and recovery controls show the
fundamental components of the safety management system. Understanding of hazards and
their consequences is gained through examining the routes by which the controls can fail and,
identifying the critical components of the system that prevent these failures. Additional
guidance on the development of BBTs can be found in Annex E to Section 3, Chapter 7 of
(ADF 2012).
BBTs help to identify potential preventative and recovery/mitigative barriers to the realisation of
a top event and the consequential outcomes. An example BBT for the same initiating/top event
described in Section § 3.3, is presented in Figure 4. No escalation factors or escalation controls
are presented in the example.
Figure 4 – Barrier Bow Tie Model (see Appendix G for more clear view)
3.6 Risk Register
A summary of the identified risks is presented in the risk register in Table 8 of Appendix C. The
template risk register is based on that presented by CASA (CASA 2012a).
4 Risk Analysis
4.1 Consequence Assessment
The level of consequence assigned to each scenario can be determined from the identified risk
scenarios. Each of the scenarios identified in the previous section can be assigned a
consequence level in accordance with the scale defined in Table 1. A report describing the
potential harm caused by RPA (striking people and buildings) is available in (Clothier et al.
2010). This report was used to guide the consequence assessment made in the risk register
(presented in Appendix C). It was also generally assumed that any RPA larger than 2 kg had
the potential to cause catastrophic damage to another aircraft.
4.2 Likelihood Assessment
4.2.1 Fault Tree
There are numerous techniques, models, and data sources that could be used to determine the
likelihood of each risk scenario occurring. An example of one technique is the Fault Tree (FT).
An example FT is developed for the same initiating/top event described in Section § 3.3. The FT
is presented in Figure 5.
Figure 5 – Fault Tree (see Appendix H for more clear view)
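The report keeps its fault tree qualitative and the figure is not reproduced here, so the following added example (not part of the RUASC report) shows how a fault tree of AND/OR gates is quantified once basic-event probabilities become available: the exact top-event probability under independence, the rare-event approximation usually quoted in safety assessments, and the minimal cut sets that tell an analyst which combinations of failures reach the top event and therefore where a treatment has the most leverage. The tree structure, the event names and every probability below are constructed for illustration and are assumptions, not values from the report.

```python
"""Fault tree quantification: exact probability, rare-event approximation
and minimal cut sets for a tree of AND/OR gates.

Added example (not part of the RUASC report). The tree in example_tree()
is hypothetical; its event names and probabilities are constructed for
demonstration and are not values from the report.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from math import prod
from typing import Union


@dataclass
class BasicEvent:
    name: str
    p: float  # probability of the event per flight (constructed value)


@dataclass
class Gate:
    name: str
    kind: str  # "AND" or "OR"
    inputs: list[Node] = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Exact probability of the node, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(c) for c in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        # P(A or B or ...) = 1 - P(none of them); exact for independent inputs
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def rare_event_approximation(node: Node) -> float:
    """OR gates summed instead of combined exactly: an upper bound on the
    exact value that is close to it when every input is small."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [rare_event_approximation(c) for c in node.inputs]
    return prod(ps) if node.kind == "AND" else sum(ps)


def minimal_cut_sets(node: Node) -> list[frozenset[str]]:
    """Smallest combinations of basic events sufficient to cause the node's
    event, found by the usual bottom-up expansion followed by minimisation."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        # any single input's cut set suffices
        combined = [s for cs in child_sets for s in cs]
    else:
        # AND: one cut set from every input must occur together
        combined = [frozenset()]
        for cs in child_sets:
            combined = [a | b for a in combined for b in cs]
    combined = list(dict.fromkeys(combined))  # drop duplicates, keep order
    # a set that strictly contains another cut set is redundant
    return [s for s in combined if not any(o < s for o in combined)]


def ranked_cut_sets(top: Gate) -> list[tuple[frozenset[str], float]]:
    """Cut sets ordered by probability (product of their basic events)."""
    events: dict[str, float] = {}

    def collect(n: Node) -> None:
        if isinstance(n, BasicEvent):
            events[n.name] = n.p
        else:
            for c in n.inputs:
                collect(c)

    collect(top)
    ranked = [(cs, prod(events[e] for e in cs)) for cs in minimal_cut_sets(top)]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def example_tree() -> Gate:
    """Hypothetical tree for 'loss of control in cruise' (constructed values)."""
    satcom = BasicEvent("satcom_loss", 1e-3)
    crew = BasicEvent("crew_fails_to_take_over", 1e-2)
    autopilot = BasicEvent("autopilot_failure", 1e-3)
    engine = BasicEvent("engine_failure", 1e-4)
    fuel = BasicEvent("fuel_exhaustion", 1e-5)
    # an autopilot loss is only uncontrolled if no remote take-over is possible
    no_takeover = Gate("no_remote_takeover", "OR", [satcom, crew])
    uncontrolled = Gate("autopilot_loss_uncontrolled", "AND", [autopilot, no_takeover])
    return Gate("loss_of_control_in_cruise", "OR", [uncontrolled, engine, fuel])


if __name__ == "__main__":
    tree = example_tree()
    print(f"exact P(top)      = {probability(tree):.4e}")
    print(f"rare-event P(top) = {rare_event_approximation(tree):.4e}")
    for cs, p in ranked_cut_sets(tree):
        print(f"{p:.1e}  {sorted(cs)}")
```

The cut-set ranking is the part that feeds risk treatment: with these constructed numbers the single-event cut set for engine failure dominates, which is consistent with the report's decision to look at propulsion redundancy in Section 6.2, whereas the two-event cut sets involving the autopilot show that a remote take-over barrier only helps while the satellite link and the crew are both available.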
4.2.2 Data Sources
There is no comprehensive database of accidents and incidents involving RPAS/UAS that can
be used to provide an accurate quantitative assessment of the likelihood of particular failures
and scenarios. A reliability study conducted by the US Office of the Secretary of Defense (OSD
2003) perhaps represents the best publicly available resource on UAS mishaps. This
resource was used to assist in the analysis of the likelihood of realising the consequence
associated with each of the identified risk scenarios. The likelihood assignment in the risk
register is based on the likelihood scale defined in Table 2.
4.3 Level of Risk
Table 3 is used to assign the level of risk in the risk register for each of the risk scenarios
based on the assessed consequence and likelihood (Sections § 4.1 and § 4.2, respectively).
4.4 Uncertainty Analysis
Uncertainty is prevalent in all stages of the risk management process and is an important factor
in decision-making.
For the consequence assessment, without specialist academic knowledge and a large number
of experiments, some consequences are hard to assess. Take bird collision as an example:
what level of damage will the UAV receive? When this UAV collides with a bird, the
consequence will differ greatly depending on the weight of the bird, the UAV speed, the UAV
structural strength and the collision altitude. Mathematical calculation and real experiments
are needed to obtain the correct consequence for different kinds of collision. Likewise, without
experimental data, the consequence of the UAV crashing into water cannot be assessed; the
strength of the UAV structure should be tested in order to analyse the crash risk. In addition, if
the UAV is not destroyed after crashing into water, another question is whether the UAV can
float and whether it can be recovered. For the likelihood assessment, without real-world data, it
is hard to obtain detailed figures such as how many hours the system will operate before it
fails. These uncertainties in consequence and likelihood make the risk assessment not reliable
enough. In addition, there is also a lack of data about the operating area: how busy the area is
cannot be assessed. Furthermore, the meteorological situation is an uncertainty as well.
Weather can be predicted some days ahead, but not some months ahead, and operating a
UAV in different weather conditions carries a different risk level. Therefore, to obtain a more
reliable risk assessment, a long-term analysis of weather data will be needed to find out the
weather patterns of the operating area.
5 Risk Evaluation
The ALARP framework, as given in Table 4, was used to evaluate each of the risk scenarios.
As quantitative analysis is not expected, a quantitative evaluation of gross disproportion and
the cost benefit analysis was not undertaken. The resulting assessment (i.e., Broadly
Acceptable, Tolerable, Unacceptable) is included in the risk register (see Appendix C). A
description of one evaluation is provided as follows.
Copyright © 2014 RMIT UAS Corporation (RUASC) 24
6 Risk Treatment
6.1 Treatment Options
There are a wide range of treatment options available to address each of the RPAS risk
scenarios (see (Clothier & Walker 2015)). An example of the different treatment options that
exist is presented in this section.
Mid-air collision is a serious hazard, especially collision with a manned aircraft: it would cause
a large financial loss and could result in multiple fatalities. The problem cannot be avoided
entirely, because the UAV and conventional aircraft operate in the same airspace, so treatments
that reduce the risk of mid-air collision are needed. With current technology a UAV cannot fully
avoid collision without a human in the loop (FRC). The main treatment for reducing the
likelihood of mid-air collision is therefore see-and-avoid by the remote crew: the crew monitor
the flight through the camera view from the UAV and manoeuvre the UAV away when another
aircraft appears on the display (EUROCONTROL 2010). This treatment lowers the likelihood of
collision (risk reduction) and is classed here under elimination. In addition, more than one
remote crew member will be assigned, so that a second person can cross-check and catch
operator errors; this is also risk reduction and belongs to the administrative level of the
hierarchy. A second approach is the Airborne Collision Avoidance System (ACAS) specified by
ICAO (EUROCONTROL 2010). This also reduces the likelihood, but from the other side: instead
of the UAV avoiding manned aircraft, ACAS on the manned aircraft helps it avoid the UAV. This
treatment is therefore described as risk transfer, and it is also placed under elimination. Note
that ACAS relies on transponder replies from the other aircraft, so it can only protect a manned
aircraft against an RPA that carries a functioning transponder. A third option is risk avoidance
through flight planning: the UAV flight plan can be drawn up to keep clear of airline routes,
which prevents most collisions with aircraft flying their normal plans. In the hierarchy of
controls this treatment is administrative.
All three treatments have weaknesses. The remote crew only have the view from the cameras
on the UAV, so an aircraft approaching from a direction the cameras do not cover cannot be
avoided by remote control. ACAS increases the air traffic controller's workload considerably,
since the controller would have to keep track of many small UAVs while managing the manned
traffic, and this makes controller errors more likely. Flight planning only avoids aircraft that
fly the plans they filed; an aircraft may change its route because of weather, an emergency
landing or congested traffic, so planning cannot avoid collisions in real time. A technology still
under development, the sense-and-avoid system, could cover these weaknesses: with it the
UAV automatically avoids other aircraft without remote control by a human (Insinna 2014).
This treatment can also be regarded as risk avoidance, and it belongs at the design level.
The scenario, with implemented barriers/treatments, can be represented graphically as a BBT.
The BBT for the example discussed above is presented in Figure 6.
Figure 6 – Example BBT for Treated Risk Scenario
6.2 Example Treatment Assessment
The RUASC chief engineer suggested that pursuing higher levels of reliability should be
considered as a treatment option. One way of doing this is to use redundant flight critical
avionics systems on-board the RPA. Two architectures are being considered:
1. A triplex redundant system – i.e., where three of the standard avionics systems are arranged
in parallel;
2. A redundant system – i.e., where two of the standard avionics systems are arranged in
parallel with a single high reliability avionics system (this is the configuration costed in
Table 7 and analysed in Appendix D);
The standard avionics system has a MTBF of 2000 hours and costs $15,000 each. The high
reliability avionics system has a MTBF of 5000 hours but costs $25,000.
A Reliability Block Diagram (RBD) for each of the two proposed architectures is presented
respectively in Figure 7 and Figure 8.
Figure 7 – Reliability Block Diagram – Triplex System
Figure 8 – Reliability Block Diagram – Redundant System
The system level probability of failure for a mission of 100 hours duration and total cost is
presented in Table 7. It was assumed that failure rate was constant. Detailed working for the
figures presented in Table 7 is provided in Appendix D.
Architecture     | Probability of Failure (100 Hour Mission) | Cost
Triplex System   | 0.012%                                    | $45,000
Redundant System | 0.0047%                                   | $55,000
Table 7 – Reliability Treatment Analysis
There are numerous additional factors (other than cost and improvement in reliability) that
should be considered when choosing between the two treatment options. These include:
1. The redundant architecture offers software and hardware diversity, as it uses two different
avionics systems, so there is less chance that both types would experience a common
failure or fault. The triplex system uses three identical units, so if one avionics system
encounters a failure there is a higher chance that the others experience the same failure
(because of the commonality in software and hardware).
2. Having two different types of avionics system increases the logistics cost of the system, as
both types need to be supported (in terms of guaranteed supply and availability of spare
parts, etc.).
3. Having two different types of avionics system also increases the cost of engineering staff.
The two systems use different technology, so the maintenance engineers need additional
training, and the high reliability system may require more highly qualified engineers, which
adds further cost.
4. When an avionics system fails it has to be repaired, which costs money. Although the
redundant system costs more to purchase, its maintenance cost should be lower because it
is less likely to fail. Furthermore, while the avionics are being repaired the aircraft is out of
service, so a lower probability of failure means more time on task and more revenue, and
it also reduces the number of spare aircraft needed to cover aircraft under repair.
5. The redundant system decreases the risk by reducing the likelihood. It is therefore a good
way to bring the risk down to an acceptable level at which no further risk reduction is
required, which saves money. On the other hand, if the risk is already well within the
acceptable level, the triplex system could save money without raising the risk level.
6. A low probability of failure leads to fewer accidents and fewer delays, which helps to build a
good reputation for the organisation. Customers are attracted by a high safety level and are
more willing to invest in an organisation they regard as safe, which gives the organisation
more cash flow to develop and to improve safety further.
To sum up, the redundant system costs more at the outset but can save a great deal of money
in the long run. In addition, its higher level of safety gives a good impression to customers and
could attract more customers and more investment.
6.3 Residual Risk Assessment
The treatments considered for each scenario are listed in the risk register. The residual risk
columns in the risk register (Appendix C) were evaluated using the scales defined in Table 1,
Table 2, and Table 3.
7 Monitor and Review
There is a wide range of factors that warrant a review of the risk management plan and of the
treatment options for an identified risk scenario. These are listed in the risk register. A detailed
example of some of the conditions that could trigger a review is provided below.
The UAV is operated over the ocean, in humid, salt-laden air, so the UAV structure is prone to
corrosion. Usually the corroded part is replaced to keep the structure strong enough and to
avoid an in-flight break-up. Whenever new material is installed, the UAV must therefore be
reviewed to confirm that the new material is installed correctly and that the UAV again meets
the required safety level. Even if the structure has not failed, periodic review is still needed to
assess the level of corrosion and keep the UAV safe.
8 Communication and Consultation
It is widely known that “Drones” invoke mixed feelings from the general public. These feelings
can influence how the public perceive and accept the risks associated with their use.
The UAS is a new technology that has emerged in recent years, so the general public has
limited knowledge of it; people show little interest in it and fear it because they do not
understand it. A well-prepared public information campaign could therefore help the public to
understand the UAS and the RPAS programme in more detail. With a logical risk analysis,
people can see that the programme is safe enough and has only a slight chance of harming
people or property, such as fishing vessels and manned aircraft, and that the hazards and risks
are under control and can be reduced further in future. People should also be told what the
consequences of the risks are and how much they would affect individuals. At the same time,
the public can learn about the large benefits of the RPAS, such as greatly improved safety for
fishers and better maritime management, and this will attract more people to find out about
the programme. Furthermore, because some organisations in the operating area, such as ATC,
share the risk with RUASC, a risk-benefit analysis should be carried out to make sure those
organisations also receive sufficient benefit.
Besides these perception factors, other factors affect the public's position. To attract
shareholders, the RPAS operation needs a sound and transparent management structure that
keeps the programme stable even during an emergency; people will not invest in a poorly
managed organisation, because such an organisation can hardly withstand an emergency
event, and such events are not rare. To win public support, the RPAS also needs to show that
the organisation learns well, that is, that it can improve its safety and equipment with new
technology without disrupting the normal RPAS mission, and that it can reduce to an acceptable
level any new risks that emerge from new technology and equipment. RUASC should also point
out the dangers that exist today without the RPAS, such as shark attacks on fishers and
delayed first aid. When the present dangers are compared with the future benefits, the public
will be more interested in the new programme and more willing to support it into operation.
Communication and engagement strategies will need to be developed to help mitigate these
effects.
9 Conclusions
This document has described the systematic application of the risk management process to the
operations planned by RUASC.
A number of high-level hazards were identified. However, as can be observed in the risk
register, all of the identified risks can be managed to tolerable/acceptable levels. Thus, it is
concluded that the RPAS operations planned by RUASC can be conducted safely.
RUASC recognises the need to continually seek safety improvement, promote a sound safety
culture, and provide assurances in the safety management of its activities. As such, this risk
management plan is considered as a living document and part of the RUASC’s over-arching
safety management system.
10 References
ADF 2012, Australian Air Publication 6734.001, Defence Aviation Safety Manual, Australian Defence
Force, Canberra, Australia.
CASA 2012a, SMS for Aviation - A Practical Guide - Safety Risk Management (Book 3), Civil Aviation
Safety Authority (CASA), Canberra, Australia.
CASA 2012b, Unmanned Aircraft and Rockets: Model Aircraft, viewed 14 August 2014,
<http://www.casa.gov.au/wcmswr/_assets/main/rules/1998casr/101/101c03.pdf>.
Clothier, RA, Palmer, JL, Walker, RA & Fulton, NL 2010, 'Definition of Airworthiness Categories for Civil
Unmanned Aircraft Systems (UAS)', paper presented to 27th International Congress of the
Aeronautical Sciences (ICAS), Nice, France.
Clothier, RA & Walker, RA 2015, 'The Safety Risk Management of Unmanned Aircraft Systems', in KP
Valavanis & GJ Vachtsevanos (eds), Handbook of Unmanned Aerial Vehicles, 1st edn,
Springer Science + Business Media B.V., Dordrecht, Netherlands.
DIRD 2013, Common Risk Management Framework for Airspace and Air Traffic Management,
Department of Infrastructure and Regional Development, Department of Defence, Civil
Aviation Safety Authority, Airservices Australia, Canberra, Australia.
Ehredt, LD (ed.) 2010, 2010-2011 UAS Yearbook, 8th edn, NATO Joint Air Power Competence Centre.
EUROCAE 2013, UAS / RPAS Airworthiness Certification "1309" System Safety Objectives and
Assessment Criteria, The European Organisation for Civil Aviation Equipment (EUROCAE),
Malakoff, France.
EUROCONTROL 2010, Unmanned Aircraft Systems – ATM Collision Avoidance Requirements, viewed
5 September 2014,
<http://www.eurocontrol.int/sites/default/files/content/documents/nm/safety/ACAS/acas-
unmannedaircraftsystemsatmcollisionavoidancerequirements-2010_.pdf>.
FAA 2014, Unmanned Aircraft Systems, viewed 14 August 2014, <http://www.ecfr.gov/cgi-
bin/ECFR?SID=1538429851f8bdb1a971f324c898611b&page=browse>.
Fahlstrom, P & Gleason, T 2012, Introduction to UAV Systems, Wiley,
<http://RMIT.eblib.com.au/patron/FullRecord.aspx?p=967284>.
FRC n.d., Sense and Avoid for Unmanned Aerial Vehicles, viewed 30 August 2014,
<http://www.frc.ri.cmu.edu/projects/senseavoid/index.html>.
ICAO 2011, CIR 328, Unmanned Aircraft Systems, International Civil Aviation Organisation (ICAO),
Montreal, Canada.
Insinna, V 2014, 'Military, Industry Racing to Create Sense-and-Avoid Systems', National Defense
Magazine, viewed 3 September 2014,
<http://www.nationaldefensemagazine.org/archive/2014/May/pages/Military,IndustryRacingtoC
reateSense-and-AvoidSystems.aspx>.
ISO 2009, ISO 31000 Risk management - Principles and guidelines, International Organization for
Standardization (ISO), Geneva, Switzerland.
Navy, RA 2001, Unmanned Aerial Vehicles and the Future Navy, Royal Australian Navy, viewed
17 August 2014, <http://www.navy.gov.au/sites/default/files/documents/Working_Paper_6.pdf>.
OSD 2003, Unmanned Aerial Vehicle Reliability Study, Office of the Secretary of Defense (OSD), US
Department of Defense, Washington DC, USA.
Watts, AC, Ambrosia, VG & Hinkley, EA 2012, 'Unmanned Aircraft Systems in Remote Sensing and
Scientific Research: Classification and Considerations of Use', Remote Sensing, vol. 4, pp.
1671-92.
11 Acronyms
ACAS Airborne Collision Avoidance System
ADF Australian Defence Force
BBT Barrier Bow Tie
CASA Civil Aviation Safety Authority
CASR Civil Aviation Safety Regulation
CCL Command and Control Link
DM Dependency Matrix
ET Event Tree
FHA Functional Hazard Analysis
FT Fault Tree
ICAO International Civil Aviation Organization
MLD Master Logic Diagram
MTBF Mean Time Between Failures
RP Remote Pilot
RPA Remotely Piloted Aircraft
RPAS Remotely Piloted Aircraft System
RPS Remote Pilot Station
UAS Unmanned Aircraft System
UAV Unmanned Aerial Vehicle
UOC Unmanned Operators Certificate
12 Appendix A – RPAS and CONOPS
RUASC intends to develop and operate a small RPAS for the purposes of maritime surveillance and
fisheries protection. A picture of the RPAS, its ship launch system and its ship recovery wire
system is provided in Figure 9.
Characteristics of the RPAS:
- A fixed wing aircraft with a mass of 25 kg
- Autonomously operated (pre-programmed flight plan and autonomous take-off and landing)
- Satellite communications are used to allow the RP to monitor the flight
- Launched using a rail system
- Maximum endurance of 24 hours
- Single petrol engine
- Three-person remote crew
- Capable of 150 km/h maximum speed
- Has no parachute or emergency landing system
- Recovered using a vertical wire system
Characteristics of the operation:
- Take-off and recovery on board a working naval / customs vessel
- RPA flight altitudes between 400 and 2,500 ft
- Flights can be conducted in clear visibility
- Flights can be beyond the line of sight of the naval / customs vessel
- Flights can be conducted in daylight hours only
- RPA must over-fly target vessels to get clear images
Characteristics of the operational area:
- Tourist flights, other fisheries and customs aircraft frequent the area
- There are small fishing vessels in the area
- Tropical weather environment
- Operations are only over the ocean
Figure 9 – RUASC RPAS, ship launch system and ship recovery wire system
13 Appendix B – High Level System Description
A Remotely-Piloted Aircraft System (RPAS) is defined by ICAO (ICAO 2011) as “A set of configurable
elements comprising a Remotely-Piloted Aircraft, its associated remote pilot station(s), the required
command and control links and any other system elements as may be required, at any point during
flight operation.” Remotely-Piloted Aircraft/Vehicle (RPA) is defined as “an aircraft where the flying pilot
is not on board the aircraft.” RPA come in all shapes and sizes, from small hovering multi-rotor craft,
through to large fixed wing aircraft that can fly for days at a time.
The Remote Pilot Station (RPS) is “the station at which the remote pilot manages the flight of an
unmanned aircraft.” The RPS can be as simple as a laptop computer or as sophisticated as mobile
truck with power generation and multiple crew stations.
The RPS and RPA are connected via a Command and Control Link (CCL), which is defined as “The
data link between the remotely-piloted aircraft and the remote pilot station for the purposes of managing
the flight.” The primary function of the CCL is to transmit and receive data between the RPA and RPS,
to allow each component to perform its functions.
Most RPAS have a degree of autonomy, whereby the RP’s main role is to monitor the RPA while it
performs a pre-programmed mission. Some RPAs have a low level of autonomy, whereby the RP is
required to input all of the commands necessary for the RPA to maintain flight and perform its mission
(like a remote controlled plane). The primary role of the RP is to ensure the safe flight of the RPA and
secondarily, to ensure the mission objectives are met. If the CCL is lost, most RPA with autonomy will
abort their mission and execute a “lost link” procedure, such as return to base. However, for RPA with a
low level of autonomy, the loss of the CCL will result in the loss of the RPA as RP control input
commands can no longer be sent to the RPA.
A diagram showing the primary subsystems and associated functions of a RPAS is provided in Figure
10. All of the functions can be further decomposed to lower levels, and examples are shown for the
RPA Power and Payload Support functions. The RPA must perform all of its functions to sustain flight
and achieve its mission. These functions are not independent. For example, a loss of power generation
on-board the RPA will influence the ability of the RPA to perform its mission, and communicate with the
RPS. The CCL has modems and antennas which are situated on-board the RPA and the RPS.
Not shown is the environmental system, which will have interactions with all components of the RPAS
(e.g., people and property on the ground, wind, electromagnetic interference, icing, storms, clouds, etc.)
or the airspace system (e.g., Air Traffic Control, other airspace users, communications and navigation
systems).
Figure 10 – Primary sub-systems of an RPAS (red) and associated functions (blue and green)
(Figure rendered as an outline; the hierarchy is recovered from the figure text.)
Remotely Piloted Aircraft System (RPAS)
  Remotely Piloted Aircraft (RPA)
    Sustain Controlled Flight: Structure; Propulsion; Power (Generation, Storage, Distribution,
    Management); Guidance and Navigation; Control
    Perform Mission: Payload; Payload Management; Support Payload (Payload Structure, Power)
  Remote Pilot Station (RPS)
    Provide Crew with Situational Awareness: Displays; Remote Pilot / Crew
    Provide Mechanism for Command and Control: Controller interfaces; Remote Pilot / Crew
    Protection and Security: Shelter
    Support for RPS: Power
  Command and Control Link
    Transmit & Receive Data Between RPA and RPS: Modems; Antennas
14 Appendix C – Risk Register
RUASC Risk Register
No. | Description of risk scenario | Existing controls | Severity | Likelihood | Level of risk | ALARP region | Additional controls | Residual severity | Residual likelihood | Level of residual risk | Monitor and review requirements
1 | Collision with birds | Remote crew regulation | Catastrophic | Remote | Serious | Not suggested tolerable | All-sides camera / sense and avoid system | Catastrophic | Improbable | Medium | When sense and avoid system is available
2 | Structure damage by corrosion | Maintenance / protective paint | Catastrophic | Occasional | High | Unacceptable | Replace corroded material | Catastrophic | Improbable | Medium | Double check after replacement
3 | Loss of control in thunderstorm | Weather forecast | Catastrophic | Improbable | Medium | Tolerable | Emergency landing | Major | Improbable | Medium | Real-time weather forecast
4 | Fixed-wing control system failure | Maintenance / spare system | Catastrophic | Rare | Medium | Tolerable | Parachute | Moderate | Rare | Acceptable | Periodic check
5 | Engine failure | Maintenance | Catastrophic | Improbable | Medium | Tolerable | Engine monitor and restart system | Catastrophic | Rare | Medium | Periodic engine check
6 | Autonomous flight system error | Remote crew regulation | Moderate | Remote | Remote | Tolerable | Double check flight plan before take-off | Moderate | Rare | Acceptable | System upgrade
7 | Launching system low power | Maintenance | Moderate | Occasional | Medium | Tolerable | No-load testing before launch | Moderate | Rare | Acceptable | Periodic check
8 | Loss or delay of GPS signal | Remote crew regulation | Moderate | Probable | Serious | Not suggested tolerable | Flight plan avoids areas of weak GPS signal | Moderate | Remote | Medium | Update GPS signal map
9 | UAV structure damage caused by recovery system | Remote crew regulation | Hazardous | Improbable | Medium | Tolerable | Landing speed control system | Hazardous | Rare | Medium | Safety check
10 | Recovery equipment damage | Maintenance | Major | Remote | Medium | Tolerable | Sense and avoid system | Major | Rare | Acceptable | Double check after repair
11 | Remote operator error | More than one crew member to regulate | Catastrophic | Occasional | High | Unacceptable | Warning system for incorrect operator action | Catastrophic | Improbable | Tolerable | Safety check
12 | Fuel exhaustion because fuel measurement system fails | Maintenance | Catastrophic | Remote | Serious | Not suggested tolerable | Warning system | Hazardous | Rare | Medium | Safety check
13 | Refuelling error | Regulation | Hazardous | Remote | Serious | Not suggested tolerable | Electric control when no power | Major | Remote | Medium | Pre-flight check
14 | Loss of control caused by loss of power | Maintenance | Catastrophic | Improbable | Medium | Tolerable | Electric control when no power | Hazardous | Improbable | Medium | Safety check
15 | Loss of communication | (none listed) | Hazardous | Occasional | Serious | Not suggested tolerable | Flight plan avoids areas of weak signal | Hazardous | Improbable | Medium | Update map of weak-signal areas
16 | Loss of control caused by loss of flight altitude system | Remote crew regulation | Catastrophic | Improbable | Medium | Tolerable | All-sides camera | Major | Improbable | Medium | Periodic check
17 | Remote crew fail to regulate | Regulation | Catastrophic | Improbable | Medium | Tolerable | Adjust workload | Catastrophic | Rare | Medium | Human factors analysis
18 | Propeller damage caused by recovery system | Remote crew regulation | Hazardous | Probable | High | Unacceptable | Manual control for landing | Hazardous | Improbable | Medium | Skill training
19 | Camera system out of service | Maintenance | Major | Occasional | Serious | Not suggested tolerable | More reliable camera / better protection against humid air | Major | Improbable | Medium | Safety check
20 | Collision under manual control caused by visual difference | (none listed) | Catastrophic | Remote | Serious | Not suggested tolerable | Visual flight training | Catastrophic | Rare | Medium | (none listed)
21 | Collision with aircraft | Remote crew regulation / avoidance through flight planning | Catastrophic | Improbable | Medium | Tolerable | Sense and avoid system | Catastrophic | Rare | Medium | Safety check
Table 8 – Risk Register
15 Appendix D – Reliability Block Diagram Working
(Subscript s denotes the standard avionics system; subscript h denotes the high reliability
avionics system.)

$$\mathrm{MTBF} = \frac{1}{\lambda} \quad\therefore\quad \lambda = \frac{1}{\mathrm{MTBF}}$$

$$\therefore\ \lambda_s = \frac{1}{\mathrm{MTBF}_s} = \frac{1}{2000} = 0.0005\ \mathrm{h^{-1}}, \qquad
\lambda_h = \frac{1}{\mathrm{MTBF}_h} = \frac{1}{5000} = 0.0002\ \mathrm{h^{-1}}$$

$$F(t) = 1 - e^{-\lambda t} \qquad (t = 100\ \mathrm{h})$$

$$\therefore\ F_s(t) = 1 - e^{-\lambda_s t} = 1 - e^{-0.0005 \times 100} = 0.0488$$

$$F_h(t) = 1 - e^{-\lambda_h t} = 1 - e^{-0.0002 \times 100} = 0.0198$$

The triplex system keeps working unless all three standard systems have failed, so its probability
of failure is

$$F_{\mathrm{triplex}} = F_s(t)^3 = 0.00012 = 0.012\%$$

The redundant system fails only when both standard systems and the high reliability system have
failed at the same time, so its probability of failure is

$$F_{\mathrm{redundant}} = F_s(t)^2 \times F_h(t) = 0.000047 = 0.0047\%$$

The cost of the triplex system is $15{,}000 \times 3 = \$45{,}000$, and the cost of the redundant
system is $15{,}000 \times 2 + 25{,}000 = \$55{,}000$.
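The working above, and the common-cause argument in item 1 of Section 6.2, can be checked with the following script. It is an added worked example and not part of the assignment: it reproduces the two Table 7 figures from the MTBF, cost and mission-time values given in Section 6.2, generalises the parallel block to a k-out-of-n arrangement (so that a 2-out-of-3 voting triplex can be compared with the 1-out-of-3 case assumed in the working), and adds a beta-factor common-cause model to put a number on the diversity argument. The k-out-of-n and beta-factor extensions, the beta value of 0.05 used in the usage section, and all function and variable names are the example's own assumptions, not figures from the assignment.

```python
"""Reliability block diagram working for the two avionics architectures.

Added worked example (not part of the original assignment). Unit data
(MTBF, cost, 100 h mission) are taken from Section 6.2; the k-out-of-n
and beta-factor extensions, and the beta value used below, are the
example's own assumptions.
"""
from math import exp

MISSION_HOURS = 100.0

# Unit data from Section 6.2 of the assignment.
STANDARD = {"name": "standard", "mtbf_h": 2000.0, "cost_usd": 15_000}
HIGH_REL = {"name": "high-reliability", "mtbf_h": 5000.0, "cost_usd": 25_000}


def failure_probability(mtbf_h: float, t_h: float) -> float:
    """F(t) = 1 - exp(-lambda t) for a constant failure rate lambda = 1/MTBF."""
    return 1.0 - exp(-t_h / mtbf_h)


def k_of_n_failure(unit_probs, k: int) -> float:
    """Probability that fewer than k of n independent units survive the mission.

    Units may differ (heterogeneous parallel block). All 2**n failure
    patterns are enumerated, which is fine for the small n of an RBD.
    k = 1 is the plain parallel block of Appendix D (the system fails only
    when every unit fails); k = 2 with n = 3 is a voting triplex.
    """
    n = len(unit_probs)
    p_fail = 0.0
    for pattern in range(1 << n):                 # bit i set => unit i has failed
        failed = [(pattern >> i) & 1 for i in range(n)]
        if n - sum(failed) < k:                   # too few survivors: system down
            p = 1.0
            for f, is_failed in zip(unit_probs, failed):
                p *= f if is_failed else 1.0 - f
            p_fail += p
    return p_fail


def identical_group_failure(mtbf_h: float, n: int, t_h: float, beta: float = 0.0) -> float:
    """n identical units in parallel with a beta-factor common-cause share.

    A fraction beta of the unit failure rate is treated as a common-cause
    event that fails all n units together; the remaining (1 - beta) fails
    each unit independently. beta = 0 reduces to F(t)**n as in Appendix D.
    """
    lam = 1.0 / mtbf_h
    f_ind = 1.0 - exp(-(1.0 - beta) * lam * t_h)  # independent part, per unit
    f_cc = 1.0 - exp(-beta * lam * t_h)           # common-cause part, whole group
    return 1.0 - (1.0 - f_cc) * (1.0 - f_ind ** n)


def triplex_failure(t_h: float = MISSION_HOURS, beta: float = 0.0) -> float:
    """Architecture 1: three standard units in parallel (1-out-of-3)."""
    return identical_group_failure(STANDARD["mtbf_h"], 3, t_h, beta)


def diverse_failure(t_h: float = MISSION_HOURS, beta: float = 0.0) -> float:
    """Architecture 2: two standard units in parallel with one high-reliability unit.

    The common-cause share is applied to the identical standard pair only;
    the dissimilar high-reliability unit is assumed to fail independently.
    """
    pair = identical_group_failure(STANDARD["mtbf_h"], 2, t_h, beta)
    return pair * failure_probability(HIGH_REL["mtbf_h"], t_h)


def architecture_cost(units) -> int:
    """Purchase cost of one avionics fit (the Table 7 'Cost' column)."""
    return sum(u["cost_usd"] for u in units)


if __name__ == "__main__":
    f_s = failure_probability(STANDARD["mtbf_h"], MISSION_HOURS)
    f_h = failure_probability(HIGH_REL["mtbf_h"], MISSION_HOURS)
    print(f"F_s(100 h) = {f_s:.4f}   F_h(100 h) = {f_h:.4f}")
    print(f"Triplex (1oo3):  {100 * triplex_failure():.4f}%  "
          f"cost ${architecture_cost([STANDARD] * 3):,}")
    print(f"Diverse (2s+1h): {100 * diverse_failure():.4f}%  "
          f"cost ${architecture_cost([STANDARD, STANDARD, HIGH_REL]):,}")
    print(f"Triplex as 2oo3 voting: {100 * k_of_n_failure([f_s] * 3, 2):.4f}%")
    beta = 0.05  # assumed illustrative common-cause fraction, not from the assignment
    print(f"With beta = {beta}: triplex {100 * triplex_failure(beta=beta):.4f}%, "
          f"diverse {100 * diverse_failure(beta=beta):.4f}%")
```

With beta = 0 the script returns 0.012% and 0.0047%, matching Table 7. Two points the table does not show: a triplex that must vote 2-out-of-3 to detect a faulty channel fails far more often than the 1-out-of-3 figure suggests, and once even a small common-cause fraction is assumed for the identical standard units the triplex loses most of its advantage while the diverse architecture, whose common-cause share only spans the standard pair, keeps it. That is the quantitative form of the diversity argument in item 1 of Section 6.2.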
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
MEDINA
 
Annexe 2 Une Nouvelle tentation de dérive du secret des affaires Aar96 01
Annexe 2 Une Nouvelle tentation de dérive du secret des affaires Aar96 01Annexe 2 Une Nouvelle tentation de dérive du secret des affaires Aar96 01
Annexe 2 Une Nouvelle tentation de dérive du secret des affaires Aar96 01
Freelance
 
Sample global aircraft anti icing system market research report 2020
Sample global aircraft anti icing system market research report 2020Sample global aircraft anti icing system market research report 2020
Sample global aircraft anti icing system market research report 2020
Cognitive Market Research
 
Apres Cobem09
Apres Cobem09Apres Cobem09
Apres Cobem09
Beatriz Juliana
 
Faa h-8083-31-amt-airframe-vol-1
Faa h-8083-31-amt-airframe-vol-1Faa h-8083-31-amt-airframe-vol-1
Faa h-8083-31-amt-airframe-vol-1Edward Buchannan
 
Safety critical-equipment-and-spare-parts-guidance
Safety critical-equipment-and-spare-parts-guidanceSafety critical-equipment-and-spare-parts-guidance
Safety critical-equipment-and-spare-parts-guidance
Andrei Krivda
 
Flight safety documentation system
Flight safety documentation systemFlight safety documentation system
Flight safety documentation systemS P Singh
 
eMOTION! REPORTS.com Archives - (Boeing) Air Traffic Management: Revolutionar...
eMOTION! REPORTS.com Archives - (Boeing) Air Traffic Management: Revolutionar...eMOTION! REPORTS.com Archives - (Boeing) Air Traffic Management: Revolutionar...
eMOTION! REPORTS.com Archives - (Boeing) Air Traffic Management: Revolutionar...
GLOBAL HEAVYLIFT HOLDINGS
 
eMOTION! REPORTS.com Archives: (Boeing) Air Traffic Management: Revolutionary...
eMOTION! REPORTS.com Archives: (Boeing) Air Traffic Management: Revolutionary...eMOTION! REPORTS.com Archives: (Boeing) Air Traffic Management: Revolutionary...
eMOTION! REPORTS.com Archives: (Boeing) Air Traffic Management: Revolutionary...
GLOBAL HEAVYLIFT HOLDINGS
 
GM-INFO GOM.pdf
GM-INFO GOM.pdfGM-INFO GOM.pdf
GM-INFO GOM.pdf
fathitlig
 
Ped arc final_report
Ped arc final_reportPed arc final_report
Ped arc final_reportRafat Ali
 
cyber security-in_civil_aviation_2012 august_CPNI
cyber security-in_civil_aviation_2012 august_CPNIcyber security-in_civil_aviation_2012 august_CPNI
cyber security-in_civil_aviation_2012 august_CPNIfEngel
 

Similar to Assignment (20)

Baltic_ACO_Manual_ver_1 3_11012011
Baltic_ACO_Manual_ver_1 3_11012011Baltic_ACO_Manual_ver_1 3_11012011
Baltic_ACO_Manual_ver_1 3_11012011
 
Safety drilling slide show
Safety drilling slide showSafety drilling slide show
Safety drilling slide show
 
Rcapa proposal2
Rcapa proposal2Rcapa proposal2
Rcapa proposal2
 
Safety Risk Assessment for Aircraft Fuel Management (VU)
Safety Risk Assessment for Aircraft Fuel Management (VU)Safety Risk Assessment for Aircraft Fuel Management (VU)
Safety Risk Assessment for Aircraft Fuel Management (VU)
 
ECAST Meeting - 04 Jun 2013 - Reliability Data Sharing
ECAST Meeting - 04 Jun 2013 - Reliability Data SharingECAST Meeting - 04 Jun 2013 - Reliability Data Sharing
ECAST Meeting - 04 Jun 2013 - Reliability Data Sharing
 
Module 5 13 software management control
Module 5 13 software management controlModule 5 13 software management control
Module 5 13 software management control
 
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
Whitepaper MEDINA Continuous Life Cycle Management of Cloud Security Certific...
 
Annexe 2 Une Nouvelle tentation de dérive du secret des affaires Aar96 01
Annexe 2 Une Nouvelle tentation de dérive du secret des affaires Aar96 01Annexe 2 Une Nouvelle tentation de dérive du secret des affaires Aar96 01
Annexe 2 Une Nouvelle tentation de dérive du secret des affaires Aar96 01
 
Sample global aircraft anti icing system market research report 2020
Sample global aircraft anti icing system market research report 2020Sample global aircraft anti icing system market research report 2020
Sample global aircraft anti icing system market research report 2020
 
Apres Cobem09
Apres Cobem09Apres Cobem09
Apres Cobem09
 
Faa h-8083-31-amt-airframe-vol-1
Faa h-8083-31-amt-airframe-vol-1Faa h-8083-31-amt-airframe-vol-1
Faa h-8083-31-amt-airframe-vol-1
 
Safety critical-equipment-and-spare-parts-guidance
Safety critical-equipment-and-spare-parts-guidanceSafety critical-equipment-and-spare-parts-guidance
Safety critical-equipment-and-spare-parts-guidance
 
Flight safety documentation system
Flight safety documentation systemFlight safety documentation system
Flight safety documentation system
 
Visual Obstacle detection in an UAV
Visual Obstacle detection in an UAVVisual Obstacle detection in an UAV
Visual Obstacle detection in an UAV
 
eMOTION! REPORTS.com Archives - (Boeing) Air Traffic Management: Revolutionar...
eMOTION! REPORTS.com Archives - (Boeing) Air Traffic Management: Revolutionar...eMOTION! REPORTS.com Archives - (Boeing) Air Traffic Management: Revolutionar...
eMOTION! REPORTS.com Archives - (Boeing) Air Traffic Management: Revolutionar...
 
eMOTION! REPORTS.com Archives: (Boeing) Air Traffic Management: Revolutionary...
eMOTION! REPORTS.com Archives: (Boeing) Air Traffic Management: Revolutionary...eMOTION! REPORTS.com Archives: (Boeing) Air Traffic Management: Revolutionary...
eMOTION! REPORTS.com Archives: (Boeing) Air Traffic Management: Revolutionary...
 
GM-INFO GOM.pdf
GM-INFO GOM.pdfGM-INFO GOM.pdf
GM-INFO GOM.pdf
 
Ped arc final_report
Ped arc final_reportPed arc final_report
Ped arc final_report
 
cyber security-in_civil_aviation_2012 august_CPNI
cyber security-in_civil_aviation_2012 august_CPNIcyber security-in_civil_aviation_2012 august_CPNI
cyber security-in_civil_aviation_2012 august_CPNI
 
SRIS Classification_Copyright_ERL_2014
SRIS Classification_Copyright_ERL_2014SRIS Classification_Copyright_ERL_2014
SRIS Classification_Copyright_ERL_2014
 

More from Kai Guan

GN Assignment 2 (Group) Final
GN Assignment 2 (Group) FinalGN Assignment 2 (Group) Final
GN Assignment 2 (Group) FinalKai Guan
 
Mobile doctor
Mobile doctorMobile doctor
Mobile doctorKai Guan
 
final assignment Guan Kai s3407535
final assignment Guan Kai s3407535final assignment Guan Kai s3407535
final assignment Guan Kai s3407535Kai Guan
 
Accident report
Accident reportAccident report
Accident reportKai Guan
 
assignment 1
assignment 1assignment 1
assignment 1Kai Guan
 
accident investigation
accident investigationaccident investigation
accident investigationKai Guan
 
assignment 2
assignment 2assignment 2
assignment 2Kai Guan
 
assignment 1
assignment 1assignment 1
assignment 1Kai Guan
 
AERO 2307 Group Assignment-Black Swan
AERO 2307 Group Assignment-Black SwanAERO 2307 Group Assignment-Black Swan
AERO 2307 Group Assignment-Black SwanKai Guan
 

More from Kai Guan (9)

GN Assignment 2 (Group) Final
GN Assignment 2 (Group) FinalGN Assignment 2 (Group) Final
GN Assignment 2 (Group) Final
 
Mobile doctor
Mobile doctorMobile doctor
Mobile doctor
 
final assignment Guan Kai s3407535
final assignment Guan Kai s3407535final assignment Guan Kai s3407535
final assignment Guan Kai s3407535
 
Accident report
Accident reportAccident report
Accident report
 
assignment 1
assignment 1assignment 1
assignment 1
 
accident investigation
accident investigationaccident investigation
accident investigation
 
assignment 2
assignment 2assignment 2
assignment 2
 
assignment 1
assignment 1assignment 1
assignment 1
 
AERO 2307 Group Assignment-Black Swan
AERO 2307 Group Assignment-Black SwanAERO 2307 Group Assignment-Black Swan
AERO 2307 Group Assignment-Black Swan
 

Assignment

  • 1. Copyright © 2014 RMIT UAS Corporation (RUASC) Assignment AERO 2370 – Engineering Risk Management in Aviation Master of Engineering (Aerospace and Aviation) Prepared by: Guan Kai No. 3407535 VERSION No: 1.0 Date: 7th September 2014
  • 2. Copyright © 2014 RMIT UAS Corporation (RUASC) 2 TABLE OF CONTENTS 1 INTRODUCTION 5 1.1 BACKGROUND 5 1.2 RMIT UNMANNED AIRCRAFT SYSTEMS CORPORATION 5 1.3 SCOPE OF DOCUMENT 5 2 ESTABLISHING THE CONTEXT 6 2.1 AIMS AND OBJECTIVES 6 2.2 STAKEHOLDERS 6 2.3 RISK FRAMEWORK AND CRITERIA 6 2.3.1 CONSEQUENCE 7 2.3.2 LIKELIHOOD 8 2.3.3 RISK 8 2.3.4 RISK CRITERIA 9 2.4 ADMINISTRATION AND RESOURCES 9 3 RISK IDENTIFICATION 10 3.1 PRELIMINARY HAZARD LIST 10 3.2 FUNCTIONAL HAZARD ANALYSIS 11 3.3 EVENT TREE 19 3.4 MASTER LOGIC DIAGRAM 20 3.5 BARRIER BOW TIE DIAGRAM 21 3.6 RISK REGISTER 21 4 RISK ANALYSIS 22 4.1 CONSEQUENCE ASSESSMENT 22 4.2 LIKELIHOOD ASSESSMENT 22 4.2.1 FAULT TREE 22 4.2.2 DATA SOURCES 23 4.3 LEVEL OF RISK 23 4.4 UNCERTAINTY ANALYSIS 23 5 RISK EVALUATION 23 6 RISK TREATMENT 24 6.1 TREATMENT OPTIONS 24 6.2 EXAMPLE TREATMENT ASSESSMENT 25 6.3 RESIDUAL RISK ASSESSMENT 27 7 MONITOR AND REVIEW 28 8 COMMUNICATION AND CONSULTATION 28 9 CONCLUSIONS 29 10 REFERENCES 30 11 ACRONYMS 31 12 APPENDIX A – RPAS AND CONOPS 32
  • 3. Copyright © 2014 RMIT UAS Corporation (RUASC) 3 13 APPENDIX B – HIGH LEVEL SYSTEM DESCRIPTION 33 14 APPENDIX C – RISK REGISTER 35 15 APPENDIX D – RELIABILITY BLOCK DIAGRAM WORKING 37
FIGURES

FIGURE 1 – RISK MATRIX  8
FIGURE 2 – EVENT TREE (SEE APPENDIX E FOR A CLEARER VIEW)  19
FIGURE 3 – MASTER LOGIC DIAGRAM (SEE APPENDIX F FOR A CLEARER VIEW)  20
FIGURE 4 – BARRIER BOW TIE MODEL (SEE APPENDIX G FOR A CLEARER VIEW)  21
FIGURE 5 – FAULT TREE (SEE APPENDIX H FOR A CLEARER VIEW)  22
FIGURE 6 – EXAMPLE BBT FOR TREATED RISK SCENARIO  25
FIGURE 7 – RELIABILITY BLOCK DIAGRAM – TRIPLEX SYSTEM  26
FIGURE 8 – RELIABILITY BLOCK DIAGRAM – REDUNDANT SYSTEM  26
FIGURE 9 – RUASC RPAS, SHIP LAUNCH SYSTEM AND SHIP RECOVERY WIRE SYSTEM  32
FIGURE 10 – PRIMARY SUB-SYSTEMS OF AN RPAS (RED) AND ASSOCIATED FUNCTIONS (BLUE AND GREEN)  34

TABLES

TABLE 1 – CONSEQUENCE SCALE  7
TABLE 2 – LIKELIHOOD SCALE  8
TABLE 3 – RISK SCALE  8
TABLE 4 – APPLICATION OF THE ALARP FRAMEWORK  9
TABLE 5 – FUNCTIONAL FAILURE CLASSIFICATION LEVELS (EUROCAE 2013)  11
TABLE 6 – FUNCTIONAL HAZARD ANALYSIS (FHA)  12
TABLE 7 – RELIABILITY TREATMENT ANALYSIS  26
TABLE 8 – RISK REGISTER  36
1 Introduction

1.1 Background

Unmanned Aircraft Systems (UAS), more commonly referred to as drones, are the fastest growing sector of the Australian aviation industry. They have many advantages compared with manned aircraft. There is no need to worry about human safety when flying into a dangerous area for surveillance, so scientists can gather much more useful knowledge from such areas. In addition, using a UAV for some missions saves fuel cost, because the aircraft is lighter without a human on board. Furthermore, because UAVs carry no human on board, they do not need to carry life-support and occupant-protection systems, which makes the UAV lighter; conversely, without those systems the UAV can carry more equipment to help it complete its mission more easily and completely.

In accordance with regulations contained in Civil Aviation Safety Regulation 1998 (CASR 1998), Part 101, an organisation wishing to operate a UAS for purposes other than hobby and recreation must obtain approval from the Civil Aviation Safety Authority (CASA). An approval can take the form of an area approval or the issuing of an Unmanned Operator Certificate (UOC) to the organisation. In order to obtain such approvals, a detailed safety risk management plan must be submitted to CASA. For more information on applicable safety regulations see (CASA 2012a).

1.2 RMIT Unmanned Aircraft Systems Corporation

RMIT UAS Corporation (RUASC) is preparing its application to CASA for a UOC. The particular UAS and the concept of operation proposed by RUASC are detailed in Appendix A. RUASC is a small organisation and has recently contracted the services of Guan Kai to assist with the preparation of the safety case. This safety case will form a critical part of its UOC application to CASA.

1.3 Scope of Document

This document describes the application of the safety risk management process to the UAS and concept of operation detailed in Appendix A.
2 Establishing the Context

2.1 Aims and Objectives

The aim of this activity is to ensure the safe conduct of RUASC UAS operations in accordance with the concept of operations described in Appendix A. The objectives of this safety risk management activity are to:

1. Apply the safety risk management process to the UAS and concept of operations described in Appendix A;
2. Provide a high level of assurance to CASA that the safety risks associated with the proposed UAS operations have been managed to acceptable levels;
3. Support RUASC's application for a UOC.

2.2 Stakeholders

This RPAS is operated by RUASC, so the first stakeholder is RUASC itself. Because the UAV will be used for fisheries protection, private fishers and fishing companies will also be interested in the program. ATC and the navy will also pay attention to it, because the UAV may fly into their operating areas: ATC needs clear information about the UAV's flight path and flight status to make sure it will not collide with manned aircraft, and the navy needs to make sure the UAV will not fly into restricted areas. Airline and tourist-flight companies will also be interested in the RPAS, because their routes may be affected by the UAV. The same applies to shipping companies: the UAV could help them understand ocean conditions, but it may also endanger their ships if it loses control. Furthermore, because the UAV is also used for maritime surveillance, maritime organisations such as the maritime safety administration and maritime first-aid organisations will pay attention to it, since surveillance of the ocean by the UAV could reduce their workload.

Additionally, scientists, scientific organisations and universities working in fields such as the ocean environment, geography and biology will be interested in a UAV that could help them explore the ocean safely. Finally, the government is also a stakeholder, because the RPAS is operated within the country's territory and tax must be paid on it.

2.3 Risk Framework and Criteria

The risk management framework used in this report is consistent with International Standard ISO 31000 (ISO 2009) and the Aviation Common Risk Framework (DIRD 2013).
2.3.1 Consequence

The primary concerns of a range of stakeholders were presented in Section § 2.1. The particular dimensions of consequence associated with these stakeholder objectives vary. Of principal concern to the preparation of a UOC is the safety and wellbeing of people. This must include those associated with the activity (i.e., employees of RUASC and those benefiting from the UAS service offered by RUASC) and those not associated with the activity (e.g., members of the public). The consequence scale to be used in this risk management plan reflects these primary concerns and is presented in Table 1.

Severity (level): meaning

Catastrophic (A): fatality; UAV destroyed; damage to others that destroys them or removes their ability to complete their mission.
Hazardous (B): causes human injury; major damage to the UAV (cannot fly without repair); major damage to others (equipment needs replacement or costly repair), but they can complete their mission.
Major (C): minor damage to the UAV (cannot complete the mission, but can still fly); minor damage to others (can be fixed easily).
Moderate (D): causes a significant increase in workload for the RPAS crew, ATC or other parties; causes delay to others' missions but no damage; UAV cannot fly without manned remote control.
Minor (E): minor incident; affects other parties' normal work but does not cause delay; causes a slight increase in workload for the RPAS crew, ATC or other parties; causes UAV mission delay.
Negligible (F): does not affect completion of the mission on time; nearly no financial loss.

Table 1 – Consequence Scale
2.3.2 Likelihood

The likelihood scale to be used in the risk management process is presented in Table 2. The scale provides a qualitative label, a word description of the likelihood, and a description of the frequency of occurrence per unit of operation.

Likelihood (level): description

Frequent (6): expected to occur in many flight cycles.
Probable (5): may occur in several flight cycles.
Occasional (4): may occur a few times in an individual UAV's lifetime.
Remote (3): unlikely to occur, but will occur at least once in an individual UAV's lifetime.
Improbable (2): unlikely to occur; may not occur at all during an individual UAV's whole lifetime.
Rare (1): almost cannot occur (has not occurred in the current data).

Table 2 – Likelihood Scale

2.3.3 Risk

Risk is the composite of consequence and likelihood. The risk scale to be used in the risk management process is presented in Table 3. The scale provides a qualitative label (with indicative cell colouring), a word description of the level of risk, and a column identifying the different combinations of consequence and likelihood that give rise to each level of risk. The combinations are also presented graphically as a risk matrix in Figure 1.

Risk levels: High; Serious; Medium; Low.

Table 3 – Risk Scale

Risk probability (rows) against risk severity (columns): Catastrophic A, Hazardous B, Major C, Moderate D, Minor E, Negligible F

Frequent (6): 6A 6B 6C 6D 6E 6F
Probable (5): 5A 5B 5C 5D 5E 5F
Occasional (4): 4A 4B 4C 4D 4E 4F
Remote (3): 3A 3B 3C 3D 3E 3F
Improbable (2): 2A 2B 2C 2D 2E 2F
Rare (1): 1A 1B 1C 1D 1E 1F

Figure 1 – Risk Matrix
2.3.4 Risk Criteria

In accordance with the aviation CRMF, RUASC will adopt the As Low As Reasonably Practicable (ALARP) decision-making framework. Only a qualitative assessment is provided. The application of the ALARP framework to the risk levels defined in § 2.3.3 is presented in Table 4. A description of the decision-making and risk treatment criteria applicable to each ALARP region is also provided in Table 4.

Table 4 – Application of the ALARP Framework

2.4 Administration and Resources

The risk management process must be completed by 1730 on Monday the 8th of September in order to be included in the UOC application to CASA. Thus only a qualitative assessment, to an appropriate level of detail, is expected. The report must be submitted to the Managing Director of RUASC, Dr Reece Clothier, via the RUASC office report drop-off box (SAMME Reception, Building 57, Level 3).
3 Risk Identification

3.1 Preliminary Hazard List

- Collision with birds. This UAV operates at 400-2500 ft, where there are many sea birds. Because the UAV's speed is high, it can easily collide with birds that are outside the cameras' field of view.
- Aircraft-frequented area. This UAV is operated within an area frequented by other aircraft, which makes mid-air collision a serious, high risk that needs to be treated.
- Structure corrosion. The air over the sea is very humid and full of salt, which will accelerate corrosion if great care is not taken of the UAV.
- Thunderstorms. The weather over the ocean changes quickly and includes many kinds of extreme weather. This UAV weighs only 25 kg, which makes it quite easy to lose control in heavy winds.
- Fixed-wing control system failure. This UAV is a fixed-wing aircraft, so if the wing control system fails the UAV will be out of control.
- Single engine. This UAV has only one engine, so if the engine fails the UAV will lose all propulsion.
- Launching system failure. This UAV is launched using a rail system. If the system fails, for example by not having enough power to push the UAV to take-off speed, the UAV will drop into the sea.
- GPS signal. This UAV uses GPS to determine its position. Without GPS the UAV will lose its way and cannot complete the mission. In addition, delayed GPS will delay the UAV's flight control and may even cause a collision.
- Recovery system structure break. This UAV is recovered with a recovery system that takes a high load when pulling the UAV to a stop. With careless maintenance, the recovery system structure may break through fatigue.
- UAV structure damage caused by the recovery system. As with the recovery system, the UAV also takes a high load during recovery. If the UAV's speed is too high, its wings may be torn by the recovery system.
- Flight plan error. This UAV uses an autonomous flight system that requires a human to enter the flight plan before take-off. The system will follow the plan even if it is wrong. Therefore a flight plan error, which includes both errors in making the plan and errors in entering it, will cause serious consequences.
- Manual remote error. This UAV has three remote crew for emergency manual operation, so human error may also occur during manual remote operation.
- Fuel measurement system. Fuel is essential to keep the UAV's propulsion going. Without the fuel measurement system, the operator cannot get fuel information such as fuel temperature, fuel remaining and abnormal fuel decrease; the UAV may run out of fuel and lose propulsion.
- Loss of communication. This UAV's mission is maritime surveillance and fisheries protection. Without communication, the UAV totally loses its ability for real-time surveillance, and the remote crew cannot recognise and act on problems with the UAV.
- Loss of flight altitude system. The autonomous flight system needs data from the flight altitude measurement system to keep the UAV balanced and flying. Loss of the altitude system is equivalent to loss of the autonomous system; even the remote crew can only get limited altitude information through the cameras on the UAV.
- Crew failure to regulate. With current technology, the UAV cannot automatically avoid collisions, because it does not have a complete sense-and-avoid system. Thus a failure of the remote crew to regulate it will greatly increase the collision rate.
- Recovery wire system damages the propeller. The recovery system is just a wire that pulls the UAV to a stop. If the UAV's wing misses the wire, the propeller at the rear may collide with the wire, which can wrap around the propeller and damage it.
- Camera system out of service. As with communication, the camera system is used to complete the UAV's mission. If the cameras break, the UAV totally loses its function.
- Visual difference. The view from the cameras differs from the real view of human eyes. This affects the crew's judgement of distance, which may cause a collision. The cameras' field of view is also limited, so the crew can hardly perceive the real situation around the UAV.

Besides these preliminary hazards, there are also many secondary hazards. For example, when the UAV collides with birds or suffers structural damage for other reasons, the pieces that drop may hurt people, because the UAV flies quite low. Also, if the whole UAV goes out of control and drops, then with the acceleration of gravity the 25 kg UAV will seriously hurt people or ships, and may even cause fatalities. In addition, an out-of-control UAV may also collide with manned aircraft, which could cause a serious accident. Another main secondary hazard is other aircraft or ships taking dangerous action to avoid the UAV, which may cause injury or even fatalities.

3.2 Functional Hazard Analysis

A Functional Hazard Analysis (FHA) provides a description of the potential outcomes of a failure in a top-level system function. These failures provide a first pass on the set of initiating events.
The system functions provided by each of the sub-systems comprising the RPAS are described in Appendix B. The FHA for these functions is presented in Table 6. The classification of the severity of the failure condition (i.e., consequence of the failure) used in the FHA is presented in Table 5. Note, where a particular failure can lead to a number of potential consequential outcomes, the worst consequential outcome is used to assign the failure condition class (from Table 5). The completed FHA is presented in Table 6. Failure Condition Description Class I Failure condition that is expected to directly or indirectly lead to physical hit of third parties in the air or on the ground. Class II Failure condition that is not expected to lead to physical hit of third parties in the air or on the ground but is expected to lead to stress to third parties in the air or on the ground as a result of a nearby collision or crash nearby third parties. Class III Failure condition that is not expected to lead to physical hit of third parties in the air or on the ground nor to stress to third parties in the air or on the ground but is expected to lead to a significant increase in workload to RPAS crew, to ATC or other parties. Class IV Failure condition that is not expected to lead to physical hit of third parties in the air or on the ground nor to stress to third parties in the air or on the ground but is expected to lead to a slight increase in workload to RPAS crew, to ATC, or to other parties. Class V Failure condition that is not expected to lead to physical hit of third parties in the air or on the ground nor to stress to third parties in the air or on the ground and will not lead to an increase in workload to RPAS crew, to ATC, or to other parties. Table 5 – Functional Failure Classification Levels (EUROCAE 2013)
  • 12. Copyright © 2014 RMIT UAS Corporation (RUASC) 12 Table 6 – Functional Hazard Analysis (FHA) Function Failure Condition Phase Effect of Failure Condition on UAV Classifi cation Reference to supporting material Launching rail system complete loss with no annuciated launching fail to launch UAV IV partial loss with no annuciated launching low speed for takeoff, resulting UAV drop into sea III autonomously operation loss of system cruise/ recovery a. unannuciated cruise loss of control, resulting in collision with water, ship or aircraft I b. annuciated cruise remote control IV c. unannuciated recovery loss of control, resulting in fail recovery or collision with water or customs vessel III d. annuciated recovery remote control V develop or type-in flgiht plan incorrect cruise a. unannuciated cruise mission fail/ out of control of collision I b. annuciated cruise man remote control IV
  • 13. Copyright © 2014 RMIT UAS Corporation (RUASC) 13 Functional Hazard Analysis (FHA) (continued) Function Failure Condition Phase Effect of Failure Condition on UAV Classifi cation Reference to supporting material Flight altitude measure system (include altitude, height and speed) complete or partial loss of system within the line of sight/ cruise beyond the line of sight/ recovery a. unannuciated within sight loss of control, resulting in drop into sea/ collision with ship II b. annuciated within sight remote crew sight control the UAV landing IV c. unannuciated cruise loss of control, resulting in drop into sea/ collision with ship/ collision with other aircraft I d. annuciated cruise crew try to control the UAV with the cameras on the UAV fly back and landing IV all sides cameras on the UAV e. unannuciated recovery loss of control, resulting in drop into sea/ collision with customs vessel III f. annuciated recovery remote crew control the UAV to recover V
  • 14. Copyright © 2014 RMIT UAS Corporation (RUASC) 14 Functional Hazard Analysis (FHA) (continued) Function Failure Condition Phase Effect of Failure Condition on UAV Classifi cation Reference to supporting material engine situation surveillance loss of system cruise a. unannuciated cruise cannot notice when engine get problems I b. annuciated cruise man take actions try to solve the problem III satellite communicatio n loss of communication cruise cannot remote control the UAV/ loss real-time maritime surveillance III storage device on UAV to record the views inadvertent close the communication cruise a. unannuciated cruise loss real-time maritime surveillance/ no annucuated of the UAV when emergency event happen IV b. annuciated cruise reconnect with UAV V warning system for manned dangerous activation fuel measure loss of system cruise a. unannuciated cruise no warning when low fuel, resulting in run out of fuel I b. annuciated cruise man remote control the UAV to fly back, in case run out of fuel V
Functional Hazard Analysis (FHA) (continued)
Columns: Function | Failure Condition | Phase | Effect of Failure Condition on UAV | Classification | Reference to supporting material

GPS system | loss of GPS signal or GPS system | cruise / recovery | a. unannunciated, cruise: loses its way; if it cannot reconnect, runs out of fuel and collides with water or ship | II | (none)
GPS system | loss of GPS signal or GPS system | cruise / recovery | b. annunciated, cruise: crew remotely control the UAV | III | radar system to find the position of the UAV
GPS system | loss of GPS signal or GPS system | cruise / recovery | c. unannunciated, recovery: cannot judge the position of the vertical wire system, resulting in failure to recover or collision with customs vessel | III | (none)
GPS system | loss of GPS signal or GPS system | cruise / recovery | d. annunciated, recovery: remote crew control the UAV to recover | V | (none)
Recovery system | complete loss of system | recovery | a. unannunciated, recovery: fail to recover | III | (none)
Recovery system | complete loss of system | recovery | b. annunciated, recovery: swap to another recovery system | IV | (none)
Recovery system | structural break | recovery | a. unannunciated, recovery: fail to recover / collision with customs vessel / injury to surrounding people | III | (none)
Recovery system | structural break | recovery | b. annunciated, recovery: swap to another recovery system | IV | (none)
Functional Hazard Analysis (FHA) (continued)
Columns: Function | Failure Condition | Phase | Effect of Failure Condition on UAV | Classification | Reference to supporting material

Propulsion system | engine failure | cruise | a. unannunciated, cruise: cannot keep flying, resulting in collision with water or ship | I | (none)
Propulsion system | engine failure | cruise | b. annunciated, cruise: remote control to try to restart the engine | III | engine restart system
Propulsion system | inadvertent reduction of power or stopping of the engine | cruise | a. unannunciated, cruise: cannot keep flying, resulting in collision with water or ship | I | (none)
Propulsion system | inadvertent reduction of power or stopping of the engine | cruise | b. annunciated, cruise: remote control to increase the power or restart the engine | IV | engine restart system, warning system for dangerous manual activation
Propulsion system | propeller break | cruise / recovery | loss of propulsion | I | (none)
Functional Hazard Analysis (FHA) (continued)
Columns: Function | Failure Condition | Phase | Effect of Failure Condition on UAV | Classification | Reference to supporting material

Fixed wing control | loss of system | launching / cruise / recovery | a. unannunciated, launching: loss of control, resulting in collision with water or customs vessel | I | (none)
Fixed wing control | loss of system | launching / cruise / recovery | b. annunciated, launching: cancel the flight and fix the UAV or swap UAV | IV | spare UAVs are needed
Fixed wing control | loss of system | launching / cruise / recovery | c. unannunciated, cruise / recovery: loss of control, resulting in collision with water, ship or aircraft | I | (none)
Fixed wing control | loss of system | launching / cruise / recovery | d. annunciated, cruise / recovery: notify surrounding ships and aircraft to avoid the UAV | III | connection with ship manager and air traffic control
Functional Hazard Analysis (FHA) (continued)
Columns: Function | Failure Condition | Phase | Effect of Failure Condition on UAV | Classification | Reference to supporting material

Maritime surveillance system | loss of system | launching / cruise | a. unannunciated, launching / cruise: cannot complete the mission | III | (none)
Maritime surveillance system | loss of system | launching / cruise | b. annunciated, launching: swap to another UAV | IV | spare UAVs are needed
Maritime surveillance system | loss of system | launching / cruise | c. annunciated, cruise: cannot complete the mission; a spare UAV is needed to continue the mission | III | spare UAVs are needed
Maritime surveillance system | camera not switched on | cruise | a. unannunciated, cruise: mission failure | III | (none)
Maritime surveillance system | camera not switched on | cruise | b. annunciated, cruise: switch on the camera | V | (none)
Maritime surveillance system | camera lens cover not removed | launching | a. unannunciated, launching: mission failure | III | (none)
Maritime surveillance system | camera lens cover not removed | launching | b. annunciated, launching: remove the cover | V | (none)
Maritime surveillance system | camera break | cruise | a. unannunciated, cruise: mission failure | III | (none)
Maritime surveillance system | camera break | cruise | b. annunciated, cruise: cannot complete the mission; a spare UAV is needed to continue the mission | IV | (none)
Maritime surveillance system | loss of recording system | cruise | a. unannunciated, cruise: no recorded data remain | IV | (none)
Maritime surveillance system | loss of recording system | cruise | b. annunciated, cruise: record at the operation centre via satellite communication | V | (none)
3.3 Event Tree
Event Trees (ETs) describe how an undesired initiating event (e.g., a loss of function or a failure in a system) leads to consequential outcomes. High-level ETs can be developed at the same time as the FHA to support the assignment of failure condition levels (e.g., those in Table 6) to particular failures. To illustrate, one top-level/initiating event (given in the FHA) is depicted as an ET in Figure 2.
Figure 2 – Event Tree (see Appendix E for a clearer view)
3.4 Master Logic Diagram
Master Logic Diagrams (MLDs) are a hierarchical description of a system that shows how top-level events relate to failures in the functions and components of the system. The MLD for the proposed UAS operation is provided in Figure 3. As can be observed in Figure 3, the top level of the MLD is the single state of an accident. The second level comprises each of the primary hazards (Section § 3.1). The third level describes each of the system functions that could potentially contribute to each of the primary hazards (i.e., based on the FHA and ET).
Figure 3 – Master Logic Diagram (see Appendix F for a clearer view)
3.5 Barrier Bow Tie Diagram
From (ADF 2012), the Barrier Bow Tie (BBT) links hazards and their consequences through event lines, illustrating the routes to accidents. Preventive and recovery controls show the fundamental components of the safety management system. Understanding of hazards and their consequences is gained through examining the routes by which the controls can fail and identifying the critical components of the system that prevent these failures. Additional guidance on the development of BBTs can be found in Annex E to Section 3, Chapter 7 of (ADF 2012). BBTs help to identify potential preventative and recovery/mitigative barriers to the realisation of a top event and its consequential outcomes. An example BBT for the same initiating/top event described in Section § 3.3 is presented in Figure 4. No escalation factors or escalation controls are presented in the example.
Figure 4 – Barrier Bow Tie Model (see Appendix G for a clearer view)
3.6 Risk Register
A summary of the identified risks is presented in the risk register in Table 8 of Appendix C. The template risk register is based on that presented by CASA (CASA 2012a).
4 Risk Analysis
4.1 Consequence Assessment
Each of the scenarios identified in the previous section can be assigned a consequence level in accordance with the scale defined in Table 1. A report describing the potential harm caused by RPA (striking people and buildings) is available in (Clothier et al. 2010). This report was used to guide the consequence assessment made in the risk register (presented in Appendix C). It was also generally assumed that any RPA heavier than 2 kg had the potential to cause catastrophic damage to another aircraft.
4.2 Likelihood Assessment
4.2.1 Fault Tree
There are numerous techniques, models, and data sources that could be used to determine the likelihood of each risk scenario occurring. One such technique is the Fault Tree (FT). An example FT is developed for the same initiating/top event described in Section § 3.3. The FT is presented in Figure 5.
Figure 5 – Fault Tree (see Appendix H for a clearer view)
4.2.2 Data Sources
There is no comprehensive database of accidents and incidents involving RPAS/UAS that can be used to provide an accurate quantitative assessment of the likelihood of particular failures and scenarios. A reliability study conducted by the US Office of the Secretary of Defense (OSD 2003) perhaps represents the best publicly available resource on UAS mishaps. This resource was used to assist in the analysis of the likelihood of realising the consequence associated with each of the identified risk scenarios. The likelihood assignment in the risk register is based on the likelihood scale defined in Table 2.
4.3 Level of Risk
Table 3 is used to assign the level of risk in the risk register for each of the risk scenarios, based on the assessed consequence and likelihood (Sections § 4.1 and § 4.2, respectively).
4.4 Uncertainty Analysis
Uncertainty is prevalent in all stages of the risk management process and is an important factor in decision-making. For the consequence assessment, without specialist knowledge and a large number of experiments, some consequences are hard to assess. Take bird collision as an example: what level of damage will the UAV sustain? When the UAV collides with a bird, the consequence will differ greatly depending on the weight of the bird, the UAV speed, the UAV structural strength and the collision altitude. Mathematical calculation and real experiments are needed to establish the correct consequence for each kind of collision. Likewise, without experimental data, the consequence of the UAV crashing into the water cannot be assessed. The strength of the UAV structure should be tested in order to analyse the crash risk. In addition, if the UAV is not destroyed on hitting the water, a further question is whether the UAV could float and whether it could be recovered.
For the likelihood assessment, without real-world data it is hard to obtain detailed figures such as how many hours the system will run before it fails. These uncertainties in consequence and likelihood make the risk assessment less reliable. In addition, data about the operating area are also lacking: how busy the area is cannot be assessed. Furthermore, the meteorological situation is a source of uncertainty as well. The weather can be forecast for some days ahead, but not for some months ahead, and operating the UAV in different weather conditions carries different levels of risk. Therefore, to obtain a more reliable risk assessment, a long-term analysis of weather data will be needed to establish the weather patterns of the operating area.
5 Risk Evaluation
The ALARP framework, as given in Table 4, was used to evaluate each of the risk scenarios. As quantitative analysis is not expected, a quantitative evaluation of gross disproportion and a cost-benefit analysis were not undertaken. The resulting assessment (i.e., Broadly Acceptable, Tolerable, Unacceptable) is included in the risk register (see Appendix C). A description of one evaluation is provided as follows.
6 Risk Treatment
6.1 Treatment Options
There is a wide range of treatment options available to address each of the RPAS risk scenarios (see (Clothier & Walker 2015)). An example of the different treatment options that exist is presented in this section.
Mid-air collision is a serious problem, especially collision with manned aircraft. It would cause a huge financial loss and may even cause many fatalities. However, this problem cannot be totally avoided because the UAV and customs aircraft operate in the same airspace. Therefore, it is necessary to find risk treatments that reduce the risk of mid-air collision.
With current technology, a UAV cannot fully avoid collision without human monitoring and operation (FRC). Therefore, the main treatment for reducing the risk of mid-air collision is a see-and-avoid system, which requires a remote crew to monitor and operate the UAV to avoid collision. The crew monitor the flight situation of the UAV through the on-board camera view and steer the UAV away when they see other aircraft on the display (EUROCONTROL 2010). This treatment helps to reduce the likelihood of collision, so it is risk reduction. Thus, this treatment belongs to elimination. Furthermore, more than one remote crew member will be assigned, so that the others can double-check and avoid human operating errors. This can be described as risk reduction and belongs to the administrative level.
On the other hand, ICAO has the Airborne Collision Avoidance System (ACAS), which helps ATC to protect against mid-air collision (EUROCONTROL 2010). This is another way to reduce the likelihood, but it works the opposite way: instead of the UAV avoiding manned aircraft, ACAS helps the manned aircraft to avoid UAVs. Therefore, this treatment can be described as risk transfer, and it also belongs to elimination. In addition, there is also a way to avoid collision by risk avoidance: the UAV flight plan maker.
The flight plan can be made to avoid airline routes, which helps to prevent most collisions with aircraft following their normal flight plans. The hierarchy level for this treatment can be described as administrative. However, all three of these treatments have weaknesses. The crew can only get the view through the cameras on the UAV; therefore a collision with an aircraft approaching from a direction the cameras cannot see cannot be avoided by crew remote control. In addition, ACAS will greatly increase the air traffic controller's workload, as the controller has to pay attention to many small UAVs at the same time as managing many manned aircraft, which will make the controller more error-prone. Also, the flight plan can only avoid aircraft that fly according to the plans made beforehand. However, aircraft may change their flight path for some reason, such as weather problems, an emergency landing or busy air traffic. Thus, flight planning cannot avoid collisions in real time. A new technology which is still under experiment could make up for the weaknesses of these treatments: the sense-and-avoid system. With this system, the UAV could automatically avoid other aircraft without remote control by a human (Insinna 2014). This treatment can also be treated as risk avoidance and belongs to the design level.
The scenario, with implemented barriers/treatments, can be represented graphically as a BBT. The BBT for the example discussed above is presented in Figure 6.
Figure 6 – Example BBT for Treated Risk Scenario
6.2 Example Treatment Assessment
The RUASC chief engineer suggested that pursuing higher levels of reliability should be considered as a treatment option. One way of doing this is to use redundant flight-critical avionics systems on board the RPA. Two architectures are being considered:
1. A triplex redundant system, i.e., where three of the standard avionics systems are arranged in parallel;
2. A redundant system, i.e., where one of the standard avionics systems is arranged in parallel with a single high reliability avionics system.
The standard avionics system has an MTBF of 2000 hours and costs $15,000 each. The high reliability avionics system has an MTBF of 5000 hours but costs $25,000.
A Reliability Block Diagram (RBD) for each of the two proposed architectures is presented in Figure 7 and Figure 8 respectively.
Figure 7 – Reliability Block Diagram – Triplex System
Figure 8 – Reliability Block Diagram – Redundant System
The system-level probability of failure for a mission of 100 hours duration, and the total cost, are presented in Table 7. It was assumed that the failure rate was constant. Detailed working for the figures presented in Table 7 is provided in Appendix D.

Architecture | Probability of Failure (100 Hour Mission) | Cost
Triplex System | 0.012% | $45,000
Redundant System | 0.0047% | $55,000
Table 7 – Reliability Treatment Analysis
There are numerous additional factors (other than cost and improvement in reliability) that should be considered when choosing between the two treatment options, including:
1. The redundant architecture offers software and hardware diversity as it uses different avionics systems. Thus, there is less chance that both avionics systems would experience a common failure/fault. The triplex system, by contrast, uses identical components, so there is a higher chance that if one avionics system encounters a failure, the others will experience the same failure (due to the commonality in software and hardware).
2. Having two different types of avionics systems increases the logistics cost of the system, as both systems need to be supported (in terms of guaranteed supply and availability of spare parts, etc.).
3. Having two different types of avionics systems increases the cost of engineering staff. Different avionics systems contain different technology, so the maintenance engineers need more training. In addition, a high-tech avionics system also needs more advanced engineers, which further increases the cost.
4. When an avionics system breaks down it has to be repaired, which also costs money. Therefore, although the redundant system costs more to buy, its maintenance cost will be lower because it is less likely to fail. At the same time, when the avionics system fails the aircraft has to be repaired, which means the aircraft cannot work; a lower probability of failure means more time in service and more profit. Highly reliable avionics systems could also reduce the number of spare aircraft needed to cover aircraft under repair.
5. Using the redundant system could decrease the risk by reducing the likelihood.
Therefore, it is a good way to bring the risk to an acceptable level that needs no further risk reduction, which saves money. On the other hand, if the risk is already well within the acceptable level, using the triplex system could save money without increasing the risk level.
6. A low probability of failure leads to fewer accidents and fewer delays, which helps to give a good impression of the organisation. More customers will be attracted because the safety level is high, and customers will put more money into the organisation because they believe their money will also be safe with a safe organisation. This gives the organisation more cash flow with which to develop and to increase safety further.
To sum up, the redundant system costs more at the very beginning, but it will help to save a lot of money in the long run. In addition, the redundant system could also give a good impression to customers because of its high level of safety, which could attract more customers and more investment.
6.3 Residual Risk Assessment
The treatments considered for each scenario are listed in the risk register. The residual risk columns in the risk register (Appendix C) were evaluated using the scales defined in Table 1, Table 2, and Table 3.
7 Monitor and Review
There is a wide range of factors that warrant a review of the risk management plan and treatment options for an identified risk scenario. These are listed in the risk register. A detailed example of some of the conditions that could trigger a review is provided below.
This UAV is operated over the ocean, where the air is humid and salty. Thus, the UAV structure is prone to corrosion. In most cases the corroded part will be replaced in order to keep the structure strong enough and avoid mid-air break-up. Therefore, when new material is installed, the UAV must be reviewed to make sure that the new material is installed correctly and the UAV is back at a safe level. At the same time, even if the structure does not break, a periodic review is still needed to assess the corrosion level and keep the UAV safe.
8 Communication and Consultation
It is widely known that "Drones" invoke mixed feelings from the general public. These feelings can influence how the public perceive and accept the risks associated with their use. UAS are a new technology that has emerged in recent years, so the public have limited knowledge of it. People show less interest in it, and fear it, because of this lack of knowledge. Therefore, effective publicity could help the public to understand the UAS and the RPAS program in more detail and more clearly. With a logical risk analysis, people could see that this program is safe enough and has only a slight chance of harming people or other equipment, such as fishing ships and manned aircraft, and that the hazards and risks are fully controllable and can be reduced further in the future. In addition, people should be informed about the consequences of the risks and how much they would affect individuals.
On the other hand, the public could learn about the huge benefits of this RPAS, such as greatly increasing fishers' safety and creating good maritime management. This will also attract more people to join the RPAS program and find out more. Furthermore, because some of the organisations in the RPAS operating area, such as ATC, need to share the risk with RUASC, a risk-benefit balance analysis should be made to make sure that the other organisations also get enough benefit.
Besides those perception factors, there are other factors that would affect the public's position. In order to attract more investors, the RPAS operation needs a good and clear management structure so that the RPAS program stays stable even during an emergency event. People will not invest their money in a poorly managed organisation, because such an organisation can hardly survive an emergency event, which has a not insignificant rate of occurrence. In addition, to attract more of the public, the RPAS also needs to show that the organisation has a good learning capability, meaning that it can improve its safety and equipment with new technology easily without affecting normal RPAS missions. Also, the organisation should have the ability to reduce future risks, which emerge with new technology and new equipment, to an acceptable level. Furthermore, RUASC also needs to state the current dangerous situation without the RPAS, such as fishers being attacked by sharks and delayed first aid to fishers. With the comparison between the current dangers and the future benefits, the public will be more interested in this new program and more willing to support it into operation.
Communication and engagement strategies will need to be developed to help mitigate these effects.
9 Conclusions
This document has described the systematic application of the risk management process to the operations planned by RUASC. A number of high-level hazards were identified. However, as can be observed in the risk register, all of the identified risks can be managed to tolerable/acceptable levels. Thus, it is concluded that the RPAS operations planned by RUASC can be conducted safely. RUASC recognises the need to continually seek safety improvement, promote a sound safety culture, and provide assurances in the safety management of its activities. As such, this risk management plan is considered a living document and part of RUASC's over-arching safety management system.
10 References
ADF 2012, Australian Air Publication 6734.001, Defence Aviation Safety Manual, Australian Defence Force, Canberra, Australia.
CASA 2012a, SMS for Aviation - A Practical Guide - Safety Risk Management (Book 3), Civil Aviation Safety Authority (CASA), Canberra, Australia.
CASA 2012b, Unmanned Aircraft and Rockets, Model Aircraft, viewed 14 August 2014, <http://www.casa.gov.au/wcmswr/_assets/main/rules/1998casr/101/101c03.pdf>.
Clothier, RA, Palmer, JL, Walker, RA & Fulton, NL 2010, 'Definition of Airworthiness Categories for Civil Unmanned Aircraft Systems (UAS)', paper presented to 27th International Congress of the Aeronautical Sciences (ICAS), Nice, France.
Clothier, RA & Walker, RA 2015, 'The Safety Risk Management of Unmanned Aircraft Systems', in KP Valavanis & GJ Vachtsevanos (eds), Handbook of Unmanned Aerial Vehicles, 1st edn, Springer Science + Business Media B.V., Dordrecht, Netherlands.
DIRD 2013, Common Risk Management Framework for Airspace and Air Traffic Management, Department of Infrastructure and Regional Development, Department of Defence, Civil Aviation Safety Authority, Airservices Australia, Canberra, Australia.
Ehredt, LD (ed.) 2010, NATO - Joint Air Power Competence Centre, 8th edn, 2010-2011 UAS Yearbook.
EUROCAE 2013, UAS / RPAS Airworthiness Certification "1309" System Safety Objectives and Assessment Criteria, The European Organisation for Civil Aviation Equipment (EUROCAE), Malakoff, France.
EUROCONTROL 2010, Unmanned Aircraft Systems – ATM Collision Avoidance Requirements, viewed 5 September 2014, <http://www.eurocontrol.int/sites/default/files/content/documents/nm/safety/ACAS/acas-unmannedaircraftsystemsatmcollisionavoidancerequirements-2010_.pdf>.
FAA 2014, Unmanned Aircraft Systems, viewed 14 August 2014, <http://www.ecfr.gov/cgi-bin/ECFR?SID=1538429851f8bdb1a971f324c898611b&page=browse>.
Fahlstrom, P & Gleason, T 2012, Introduction to UAV Systems, Wiley, <http://RMIT.eblib.com.au/patron/FullRecord.aspx?p=967284>.
FRC, Sense and Avoid for Unmanned Aerial Vehicles, viewed 30 August 2014, <http://www.frc.ri.cmu.edu/projects/senseavoid/index.html>.
ICAO 2011, CIR 328, Unmanned Aircraft Systems, International Civil Aviation Organisation (ICAO), Montreal, Canada.
Insinna, V 2014, Military, Industry Racing to Create Sense-and-Avoid Systems, National Defense Magazine, viewed 3 September 2014, <http://www.nationaldefensemagazine.org/archive/2014/May/pages/Military,IndustryRacingtoCreateSense-and-AvoidSystems.aspx>.
ISO 2009, ISO 31000 Risk management - Principles and guidelines, International Organization for Standardization (ISO), Geneva, Switzerland.
Navy, RA 2001, Unmanned Aerial Vehicles and the Future Navy, viewed 17 August 2014, <http://www.navy.gov.au/sites/default/files/documents/Working_Paper_6.pdf>.
OSD 2003, Unmanned Aerial Vehicle Reliability Study, Office of the Secretary of Defense (OSD), US Department of Defense, Washington DC, USA.
Watts, AC, Ambrosia, VG & Hinkley, EA 2012, 'Unmanned Aircraft Systems in Remote Sensing and Scientific Research: Classification and Considerations of Use', Remote Sensing, no. 4, pp. 1671-92.
11 Acronyms
ACAS Airborne Collision Avoidance System
ADF Australian Defence Force
BBT Barrier Bow Tie
CASA Civil Aviation Safety Authority
CASR Civil Aviation Safety Regulation
CCL Command and Control Link
DM Dependency Matrix
ET Event Tree
FHA Functional Hazard Analysis
FT Fault Tree
ICAO International Civil Aviation Organization
MLD Master Logic Diagram
MTBF Mean Time Between Failures
RP Remote Pilot
RPA Remotely Piloted Aircraft
RPAS Remotely Piloted Aircraft System
RPS Remote Pilot Station
UAS Unmanned Aircraft System
UAV Unmanned Aerial Vehicle
UOC Unmanned Operators Certificate
12 Appendix A – RPAS and CONOPS
RUASC intends to develop and operate a small RPAS for the purposes of maritime surveillance and fisheries protection. A picture of the RPAS is provided in Figure 7.
Characteristics of the RPAS:
• A fixed wing aircraft with a mass of 25 kg
• Autonomously operated (pre-programmed flight plan and autonomous take-off and landing)
• Satellite communications are used to allow the RP to monitor the flight
• Launched using a rail system
• Maximum endurance of 24 hours
• Single petrol engine
• Three-person remote crew
• Capable of 150 km/h maximum speed
• Has no parachute or emergency landing system
• Recovered using a vertical wire system
Characteristics of the operation:
• Take-off and recovery on board a working naval / customs vessel
• RPA flight altitudes between 400 and 2,500 ft
• Flights can be conducted in clear visibility
• Flights can be beyond the line of sight of the naval / customs vessel
• Flights can be conducted in daylight hours only
• RPA must over-fly target vessels to get clear images
Characteristics of the operational area:
• Tourist flights, other fisheries and customs aircraft frequent the area
• There are small fishing vessels in the area
• Tropical weather environment
• Operations are only over the ocean
Figure 9 – RUASC RPAS, ship launch system and ship recovery wire system
13 Appendix B – High Level System Description
A Remotely-Piloted Aircraft System (RPAS) is defined by ICAO (ICAO 2011) as "A set of configurable elements comprising a Remotely-Piloted Aircraft, its associated remote pilot station(s), the required command and control links and any other system elements as may be required, at any point during flight operation." A Remotely-Piloted Aircraft/Vehicle (RPA) is defined as "an aircraft where the flying pilot is not on board the aircraft." RPA come in all shapes and sizes, from small hovering multi-rotor craft through to large fixed wing aircraft that can fly for days at a time. The Remote Pilot Station (RPS) is "the station at which the remote pilot manages the flight of an unmanned aircraft." The RPS can be as simple as a laptop computer or as sophisticated as a mobile truck with power generation and multiple crew stations. The RPS and RPA are connected via a Command and Control Link (CCL), which is defined as "The data link between the remotely-piloted aircraft and the remote pilot station for the purposes of managing the flight." The primary function of the CCL is to transmit and receive data between the RPA and RPS, to allow each component to perform its functions. Most RPAS have a degree of autonomy, whereby the RP's main role is to monitor the RPA while it performs a pre-programmed mission. Some RPAs have a low level of autonomy, whereby the RP is required to input all of the commands necessary for the RPA to maintain flight and perform its mission (like a remote controlled plane). The primary role of the RP is to ensure the safe flight of the RPA and, secondarily, to ensure the mission objectives are met. If the CCL is lost, most RPA with autonomy will abort their mission and execute a "lost link" procedure, such as return to base.
However, for RPA with a low level of autonomy, the loss of the CCL will result in the loss of the RPA, as RP control input commands can no longer be sent to the RPA. A diagram showing the primary subsystems and associated functions of an RPAS is provided in Figure 10. All of the functions can be further decomposed to lower levels, and examples are shown for the RPA Power and Payload Support functions. The RPA must perform all of its functions to sustain flight and achieve its mission. These functions are not independent. For example, a loss of power generation on board the RPA will influence the ability of the RPA to perform its mission and to communicate with the RPS. The CCL has modems and antennas which are situated on board the RPA and at the RPS. Not shown is the environmental system, which will have interactions with all components of the RPAS (e.g., people and property on the ground, wind, electromagnetic interference, icing, storms, clouds, etc.), or the airspace system (e.g., Air Traffic Control, other airspace users, communications and navigation systems).
Figure 10 – Primary sub-systems of an RPAS (red) and associated functions (blue and green)
[Figure content, recovered as an outline: sub-system, then its functions, then the components that deliver each function]
Remotely Piloted Aircraft System (RPAS)
  Remotely Piloted Aircraft (RPA)
    Sustain Controlled Flight: Structure; Propulsion; Power (Generation, Storage, Distribution, Management); Guidance and Navigation; Control
    Perform Mission: Payload Management; Support Payload (Payload Structure, Power)
  Remote Pilot Station (RPS)
    Provide Crew with Situational Awareness: Displays; Remote Pilot / Crew
    Provide Mechanism for Command and Control: Controller interfaces; Remote Pilot / Crew
    Protection and Security: Shelter
    Support for RPS: Power
  Command and Control Link (CCL)
    Transmit & Receive Data Between RPA and RPS: Modems; Antennas
14 Appendix C – Risk Register
RUASC Risk Register
Columns: No. | Description of risk scenario | Existing Controls | Severity | Likelihood | Level of Risk | ALARP Region | Additional Controls | Residual Severity | Residual Likelihood | Level of Residual Risk | Monitor and Review Requirements

1 | Collision with birds | Remote crew regulation | Catastrophic | Remote | Serious | Not suggest tolerable | All-sides camera / sense and avoid system | Catastrophic | Improbable | Medium | When sense and avoid system is available
2 | Structural damage by corrosion | Maintenance / paint for protection | Catastrophic | Occasional | High | Unacceptable | Replace corroded material | Catastrophic | Improbable | Medium | Double check after replacement
3 | Loss of control by thunderstorm | Weather forecast | Catastrophic | Improbable | Medium | Tolerable | Emergency landing | Major | Improbable | Medium | Real-time weather forecast
4 | Fixed-wing control system failure | Maintenance / spare system | Catastrophic | Rare | Medium | Tolerable | Parachute | Moderate | Rare | Acceptable | Periodic check
5 | Engine failure | Maintenance | Catastrophic | Improbable | Medium | Tolerable | Engine monitor and restart system | Catastrophic | Rare | Medium | Periodic engine check
6 | Autonomous flight system error | Remote crew regulation | Moderate | Remote | Remote | Tolerable | Double check flight plan before take-off | Moderate | Rare | Acceptable | System upgrade
7 | Launching system low power | Maintenance | Moderate | Occasional | Medium | Tolerable | No-load testing before launching | Moderate | Rare | Acceptable | Periodic check
8 | Loss or delay of GPS signal | Remote crew regulation | Moderate | Probable | Serious | Not suggest tolerable | Make flight plan to avoid GPS-weak areas | Moderate | Remote | Medium | Upgrade GPS signal map
9 | UAV structural damage caused by recovery system | Remote crew regulation | Hazardous | Improbable | Medium | Tolerable | Landing speed control system | Hazardous | Rare | Medium | Safety check
10 | Recovery equipment damage | Maintenance | Major | Remote | Medium | Tolerable | Sense and avoid system | Major | Rare | Acceptable | Double check after repair
11 | Manual remote error | More than one crew member to regulate | Catastrophic | Occasional | High | Unacceptable | Warning system for incorrect manual action | Catastrophic | Improbable | Tolerable | Safety check
12 | Run out of fuel because fuel measurement system fails | Maintenance | Catastrophic | Remote | Serious | Not suggest tolerable | Warning system | Hazardous | Rare | Medium | Safety check
13 | Refuelling error | Regulation | Hazardous | Remote | Serious | Not suggest tolerable | Electric control when no power | Major | Remote | Medium | Pre-flight check
14 | Loss of control caused by loss of power | Maintenance | Catastrophic | Improbable | Medium | Tolerable | Electric control when no power | Hazardous | Improbable | Medium | Safety check
15 | Loss of communication | (none) | Hazardous | Occasional | Serious | Not suggest tolerable | Make flight plan to avoid signal-weak areas | Hazardous | Improbable | Medium | Upgrade map of signal-weak areas
16 | Loss of control caused by loss of flight altitude system | Remote crew regulation | Catastrophic | Improbable | Medium | Tolerable | All-sides camera | Major | Improbable | Medium | Periodic check
17 | Remote crew fail to regulate | Regulation | Catastrophic | Improbable | Medium | Tolerable | Adjust workload | Catastrophic | Rare | Medium | Human factors analysis
18 | Propeller damage caused by recovery system | Remote crew regulation | Hazardous | Probable | High | Unacceptable | Manual control for landing | Hazardous | Improbable | Medium | Skill training
19 | Camera system out of work | Maintenance | Major | Occasional | Serious | Not suggest tolerable | More reliable camera / better wet-air protection equipment | Major | Improbable | Medium | Safety check
20 | Manually controlled collision caused by visual difference | (none) | Catastrophic | Remote | Serious | Not suggest tolerable | Visual sight flight training | Catastrophic | Rare | Medium | (none)
21 | Collision with aircraft | Remote crew regulation / avoidance through flight plan making | Catastrophic | Improbable | Medium | Tolerable | Sense and avoid system | Catastrophic | Rare | Medium | Safety check
Table 8 – Risk Register
15 Appendix D – Reliability Block Diagram Working

('s' denotes the standard avionics system; 'h' denotes the high-reliability avionics system)

$$\mathrm{MTBF} = \frac{1}{\lambda} \quad\therefore\quad \lambda = \frac{1}{\mathrm{MTBF}}$$

$$\therefore\ \lambda_s = \frac{1}{\mathrm{MTBF}_s} = \frac{1}{2000} = 0.0005, \qquad \lambda_h = \frac{1}{\mathrm{MTBF}_h} = \frac{1}{5000} = 0.0002$$

$$F(t) = 1 - e^{-\lambda t} \quad (t = 100)$$

$$\therefore\ F(t)_s = 1 - e^{-\lambda_s t} = 1 - e^{-0.0005 \times 100} = 0.0488, \qquad F(t)_h = 1 - e^{-\lambda_h t} = 1 - e^{-0.0002 \times 100} = 0.0198$$

The triplex system keeps working unless all three single systems have broken down. Therefore the probability of failure of the triplex system is $F(t)_s^3 = 0.00012 = 0.012\%$. The redundant system, on the other hand, breaks down only when both standard systems and the high-reliability system have failed at the same time. Therefore the probability of failure of the redundant system is $F(t)_s^2 \times F(t)_h = 0.000047 = 0.0047\%$. At the same time, the cost of the triplex system is $15000 \times 3 = 45000$, and the cost of the redundant system is $15000 \times 2 + 25000 = 55000$.
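The reliability working above, carried through in code as an added example (this is not part of the assignment and not RUASC's own tool). It takes the only inputs the appendix gives (MTBFs of 2000 h and 5000 h, unit costs of 15000 and 25000, mission time t = 100 h) and generalises the two hand-calculated cases to any fully parallel block: under the exponential model with independent failures, the block fails only when every branch has failed, so its unreliability is the product of the branch unreliabilities. Function and constant names are the example's own.

```python
import math

# Inputs quoted in Appendix D of the assignment (the only figures the page gives).
MTBF_STANDARD_H = 2000.0   # hours, standard avionics system ('s')
MTBF_HIGH_REL_H = 5000.0   # hours, high-reliability avionics system ('h')
COST_STANDARD = 15000      # unit cost of a standard system
COST_HIGH_REL = 25000      # unit cost of a high-reliability system
MISSION_TIME_H = 100.0     # t = 100 used in the working


def failure_rate(mtbf_hours: float) -> float:
    """Constant failure rate lambda = 1 / MTBF (exponential failure model)."""
    return 1.0 / mtbf_hours


def unreliability(mtbf_hours: float, t_hours: float) -> float:
    """F(t) = 1 - exp(-lambda t): probability that one unit has failed by time t."""
    return 1.0 - math.exp(-failure_rate(mtbf_hours) * t_hours)


def parallel_unreliability(mtbfs: list[float], t_hours: float) -> float:
    """Failure probability of a fully parallel (any-one-survives) block.

    The block is down only if every branch is down. Assuming independent
    branch failures, F_sys(t) is the product of the branch unreliabilities.
    This covers the page's triplex (s, s, s) and redundant (s, s, h) cases
    and any other mix of branches.
    """
    f_sys = 1.0
    for mtbf in mtbfs:
        f_sys *= unreliability(mtbf, t_hours)
    return f_sys


def compare_architectures(t_hours: float = MISSION_TIME_H) -> dict:
    """Reproduce the two configurations compared in Appendix D."""
    triplex = [MTBF_STANDARD_H] * 3
    redundant = [MTBF_STANDARD_H, MTBF_STANDARD_H, MTBF_HIGH_REL_H]
    return {
        "F_s": unreliability(MTBF_STANDARD_H, t_hours),
        "F_h": unreliability(MTBF_HIGH_REL_H, t_hours),
        "triplex_failure": parallel_unreliability(triplex, t_hours),
        "triplex_cost": 3 * COST_STANDARD,
        "redundant_failure": parallel_unreliability(redundant, t_hours),
        "redundant_cost": 2 * COST_STANDARD + COST_HIGH_REL,
    }


if __name__ == "__main__":
    for name, value in compare_architectures().items():
        print(f"{name:>18}: {value:.6g}")
```

Running it reproduces the appendix's figures (F(t)_s ≈ 0.0488, F(t)_h ≈ 0.0198, triplex ≈ 0.00012 at 45000, redundant ≈ 0.000047 at 55000), and changing the MTBF list or mission time shows how quickly the benefit of the dearer branch changes with t.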