Drone safety, what's next?

April 7, 2015 OpenSystems Media

For unmanned aerial vehicles (UAVs) or drones that fly in commercial airspace, it is reasonable to require that drone software meet the same standards as software for conventional aircraft, e.g., strict compliance with and certification against a standard such as DO-178B or its successor DO-178C. The FAA and similar organizations elsewhere (e.g., NATS in the UK) have been insisting on this approach. We know how to write software reliably for this kind of application. There has never been a life lost due to a software implementation error in any commercial flight. Yes, achieving such a high level of reliability does increase the initial development effort, but the appalling cost of a bug in such software makes this effort worthwhile.

If a drone and a commercial jetliner collided and many lives were lost, it would cause a major uproar. We simply cannot afford to let that happen, and beating the drum for rigorous certification requirements for drone software is a natural inclination.

However, recent news gives another perspective on how the industry should address drone safety. This news includes incidents such as three Al-Jazeera journalists being arrested for flying a drone in Paris, someone flying a drone onto the White House grounds and causing a security scare, and a runner in an Australian race being taken out of the race when an unauthorized drone (controlled by some journalist) hit him on the head.

In these three incidents, would people somehow have been safer if the software on these small drones had been furiously certified? It would not have made one bit of difference in any of these situations. Unreliable software can surely cause accidents, but in cases like this we can’t blame faulty software.

Of course we should insist that drone software be reliable, just as we should insist that software for automobiles be reliable. As an aside, we actually don’t do a very good job in the latter case. Cars on the road have millions of lines of complex software aboard, and right now the standards used to establish the safety and security of automotive software are quite inadequate, especially compared to the requirements for commercial aircraft. That’s a strange state of affairs, given that cars kill hundreds of times as many people as planes do, and it’s a problem that needs to be addressed (and is being paid some attention, at least to an extent). It makes similar good sense to push for a regulatory framework that can provide confidence in the reliability of drone software.

With today’s interconnected and remotely controllable technology, an essential aspect of safety is security. Sloppily written software – whether for cars, drones, or refrigerators – opens up these devices to hacking, and in the case of a drone we have to worry about someone grabbing control for nefarious purposes. Iran claims to have downed a U.S. drone by such hacking. Although this allegation is contested by many, the bottom line is that we can’t be sure what actually happened. We know how to write secure software, and it is reasonable to insist on drone system standards that take security into account.

There are known steps we can take in terms of technology regulation to help achieve safe and secure software on drones. These are necessary, but they are just a tiny part of the big picture. Going back to commercial airliners again, one important point is that no matter how reliable the software, it is the pilot who ultimately determines the safety of the aircraft and the passengers. In the case of commercial aircraft, the number of pilots is relatively small, and they are carefully trained and vetted. Nevertheless, we most certainly have lost lives as a result of pilot errors.

Now turning to drones: These devices are getting cheaper and cheaper, and they are definitely valuable for all sorts of recreational, professional, and governmental purposes. (There are of course privacy concerns with many such uses, but that’s another story.) Do a web search for “uav” and you’ll find any number of resources for buying and selling drones and their parts. Although the field is still in its infancy, it is not too extreme to imagine that in several years drones will reach the popularity of other high-tech devices. Let’s suppose that eventually one in forty people owns a drone of some sort. In the U.S. that means that we’ll have eight million drone “pilots” at work (or at play). That’s rather an alarming figure; even if it’s off by a factor of ten, and it is only eight hundred thousand, that’s still worrisome; on the other hand, it could easily be off in the other direction.

Eight million pilots — with the ability to cause accidental or deliberate mischief on a massive scale. This is definitely alarming, and the alarm would not be even a little bit alleviated if we knew that the software in these eight million drones met the highest levels of safety-critical software certification.

This is a human problem and not a technological issue. For cars, there are 210 million drivers on the road in the U.S., all licensed (which requires knowledge of various safety regulations), yet they still manage to kill more than 30,000 people every year. We will thus be facing a pretty massive issue with millions of drone pilots – many of whom are incompetent or malevolent – flying drones around, when even the smallest drone can hurt people (talk to that Australian athlete). Compounding the problem, at least an automobile driver has the personal incentive to drive safely, whereas the harm or havoc brought on by a drone pilot is remote.

So what shall we do? We can require licensing and institute some kind of testing for drone pilots. We can issue safety regulations, as we do for cars, governing where and when drones can be flown. It’s safe to think no one wants to see hundreds of drones controlled by spectators flying over the field during a Super Bowl game. We can insist upon insurance. We can prosecute those who disobey the rules (although that raises the interesting technical issue of how to locate the owner/pilot of a rogue drone). We can mount massive education campaigns. All these steps are likely to be necessary and desirable.

But will they be sufficient? We have not been able to stop the carnage on the nation’s highways, even though we have improved the situation somewhat with such steps (the number of fatal accidents ten years ago was 40,000 with fewer drivers on the roads). It seems the answer is no. In practice we won’t be able to prevent accidents, and drone injuries and fatalities are likely to become a part of our lives in the near future. Technology has a habit of advancing much more rapidly than our ability to manage it, and coping with its challenges will require some creative thinking. Let’s hope we make significant progress, or in a few years we may see some intellectual descendant of Ralph Nader publish an exposé titled “Unsafe at Any Altitude.”

Robert B.K. Dewar is Co-founder of AdaCore.
