
Mälardalen University
School of Innovation Design and Engineering
Västerås, Sweden

Thesis for the Degree of Master of Science in Engineering - Dependable Systems, 30.0 credits

TOOLS STUDY FOR HAZARDS IDENTIFICATION IN SYSTEMS OF AUTONOMOUS ROBOTS IN FARMING

Alireza Ebrahimi
[email protected]

Mohammed Mustafa
[email protected]

Examiner: Håkan Forsberg
Mälardalen University, Västerås, Sweden

Supervisor: Baran Curuklu
Mälardalen University, Västerås, Sweden

11/03/2022
Alireza Ebrahimi, Mohammed Mustafa Autonomous Robots in Farming

Acknowledgment
This thesis would have been quite challenging without our supervisor Baran Curuklu at Mälardalen University, for his academic knowledge and aid during this master thesis. We have to address that we are warmly grateful that our supervisor has guided us and put energy into this master thesis. Lastly, we also want to thank our supervisor for allowing us to have meetings continuously, which has led to us having the necessary discussions together, and in its way, it enabled this thesis to become of higher quality.


Abstract
Autonomous Unmanned Aerial Vehicles (UAVs) are increasingly in demand in agriculture to reduce cost and labour and to increase effectiveness and quality in farming. However, the reliability of this technology must be improved for it to reach its full potential without harming humans, animals or the environment. Reliability increases by identifying the hazards and mitigating them; therefore the risks are identified, analyzed and mitigated using analysis tools. Two different methods are used to analyze and reduce hazards, and each method utilizes various analysis tools. In addition, redundancy and preventive action are proposed to eliminate or minimize the danger. This thesis identifies risks by studying and reviewing a generic use-case from the AFarCloud project and compares the two hazard analysis methods to determine which method provides the most reliable result.

Keywords: Hazard identification; Hazard analysis; Autonomous UAV


Contents
1. Introduction (p. 1)

2. Background (p. 2)
2.1 Unmanned Aerial Vehicle (UAV) (p. 2)
2.2 UAV operation field (p. 2)
2.3 Autonomous Systems (p. 3)
2.4 Reliability (p. 4)
2.5 Hazard Identification and Risk Analysis (p. 4)
2.5.1 Hazard identification (p. 4)
2.5.2 Risk Analysis (p. 5)
2.6 Analysis Tools (p. 5)
2.6.1 Preliminary Hazard List (PHL) (p. 5)
2.6.2 Preliminary Hazard Analysis (PHA) (p. 6)
2.6.3 Risk Assessment (p. 7)
2.6.4 Functional Hazard Assessment (FHA) (p. 9)
2.6.5 Fault Tree Analysis (FTA) (p. 10)
2.6.6 Functional Hazard Assessment system (FHAs) (p. 11)
2.6.7 Preliminary System Safety Assessment (PSSA) (p. 11)
2.6.8 Common Mode Analysis (CMA) (p. 12)

3. Related Work (p. 13)
3.1 Hazard Identification (p. 13)
3.2 Hazard Analysis (p. 13)
3.3 Risk Assessment (p. 13)
3.4 Hazard Mitigation (p. 14)

4. Problem Formulation (p. 15)
4.1 Outcomes (p. 15)
4.2 Limitations (p. 15)

5. Method (p. 16)
5.1 Severity and Probability hazard analysis (p. 17)
5.2 Top-Down hazard analysis (p. 17)

6. Ethical and Societal Considerations (p. 18)

7. The Use-Case (p. 19)
7.1 Mission Management Tool (MMT) (p. 20)
7.2 The concept of Visual Line Of Sight (VLOS) (p. 20)
7.3 Collars (SensoWave) (p. 20)
7.4 UAV Operation (p. 20)

8. Results (p. 22)
8.1 Severity and Probability Hazard Analysis (p. 22)
8.1.1 Preliminary Hazards List (PHL) (p. 22)
8.1.2 Preliminary Hazards Analysis (PHA) (p. 23)
8.1.3 Risk Assessment (p. 24)
8.2 Top-Down Hazard Analysis (p. 24)
8.2.1 Functional Hazard Assessment (FHA) (p. 24)
8.2.2 Fault Tree Analysis (FTA) (p. 25)
8.2.3 Functional Hazard Assessment system (FHAs) (p. 25)
8.2.4 Preliminary System Safety Assessment (PSSA) (p. 26)
8.2.5 Common Mode Analysis (CMA) (p. 27)
8.3 Hazards Analysis Methods - Comparison (p. 28)
8.3.1 Methods attribute (p. 29)

9. Discussion (p. 30)

10. Conclusion (p. 32)
10.1 Research Question 1 (p. 32)
10.2 Research Question 2 (p. 32)

11. Future Work (p. 33)
11.1 Number of Hazard (p. 33)
11.2 Probability estimation (p. 33)
11.3 Testing (p. 33)
11.4 Other analysis tool (p. 33)

References (p. 36)

Appendix A Preliminary Hazard List (PHL) (p. 37)

Appendix B Preliminary Hazards Analysis (PHA) (p. 38)

Appendix C Functional Hazard Assessment (FHA) (p. 40)

Appendix D Fault Tree Analysis (FTA) (p. 41)
4.1 Loss of communication (p. 41)
4.1.1 Redundancy (p. 42)
4.2 Loss of VLOS (p. 43)
4.2.1 New Architecture (p. 44)
4.3 Loss of animal's location (p. 45)
4.3.1 Redundancy (p. 46)
4.4 Loss of collision avoidance (p. 47)
4.4.1 Redundancy (p. 48)
4.5 Loss of UAV mission (p. 49)
4.5.1 Redundancy (p. 50)
4.6 Loss of power (p. 51)
4.6.1 Redundancy (p. 52)

Appendix E Functional Hazard Assessment system (FHAs) (p. 53)

Appendix F Preliminary System Safety Assessment (PSSA) (p. 55)


List of Figures
1 Autonomous unmanned aerial vehicle in agriculture [8] (p. 2)
2 Hazard Identification and Risk Analysis [21] (p. 4)
3 Flowchart for Preliminary Hazard Analysis (PHA) [26] (p. 7)
4 Risk Assessment Matrix according to MIL-STD-882E (p. 9)
5 Fault Tree Analysis events and gates [41] (p. 11)
6 Method for answering Research question 1 & 2 (p. 16)
7 Identifying and analysing Process 1 (p. 17)
8 Identifying and analysing Process 2 (p. 17)
9 Animals position in farm premises (p. 19)
10 UAV Operation (p. 21)
11 Preliminary Hazard List (PHL) (p. 37)
12 Preliminary Hazard Analysis (PHA) (p. 38)
13 Preliminary Hazard Analysis (PHA) (p. 39)
14 Functional Hazard Assessment (FHA) (p. 40)
15 Fault Tree Analysis - Loss of communication (p. 41)
16 Communication Network Failure Redundancy (p. 42)
17 Fault Tree Analysis - Loss of Visual Line of Sight (p. 43)
18 New architecture for Loss of UAV position (p. 44)
19 Fault Tree Analysis - Permanent loss of animal's location (p. 45)
20 Three navigation systems are added as redundancy into the Fault Tree Analysis (p. 46)
21 Fault Tree Analysis - Loss of collision avoidance (p. 47)
22 Added Closed-Loop RRT and Robust Physical Perturbation as redundancy (p. 48)
23 Fault Tree Analysis - Loss of UAV mission (p. 49)
24 Forward recovery and N-version programming are added as redundancy with an AND-ed gate (p. 50)
25 Fault Tree Analysis - Loss of power (p. 51)
26 Auxiliary battery added in the design as redundancy (p. 52)
27 Functional Hazard Assessment system (FHAs) (p. 53)
28 Functional Hazard Assessment system (FHAs) (p. 54)
29 Preliminary System Safety Assessment (PSSA) (p. 55)


List of Tables
1 Preliminary Hazard List (PHL) (p. 5)
2 Preliminary Hazard Analysis (PHA) (p. 6)
3 Probability Levels according to MIL-STD-882E (p. 7)
4 Severity Categories according to MIL-STD-882E (p. 8)
5 Functional Hazard Assessment (FHA) [35] (p. 10)
6 Functional Hazard Assessment system (FHAs) [35] (p. 11)
7 Preliminary System Safety Assessment (PSSA) [44] (p. 12)


Acronyms
AFarCloud: Aggregate Farming in the Cloud (p. 1)
BVLOS: Beyond Visual Line Of Sight (p. 2)
CCA: Common Cause Analysis (p. 13)
CMA: Common Mode Analysis (p. 5)
FAA: Federal Aviation Administration (p. 13)
FHA: Functional Hazard Assessment (p. 5)
FMEA: Failure Modes and Effects Analysis (p. 13)
FTA: Fault Tree Analysis (p. 5)
GCS: Ground Control Station (p. 2)
GNSS: Global Navigation Satellite System (p. 20)
GPS: Global Positioning System (p. 27)
HAZOP: Hazard and Operability Analysis (p. 13)
HIRA: Hazard Identification and Risk Analysis (p. 4)
HW: Hardware (p. 23)
INS: Inertial Navigation System (p. 20)
MCS: Minimal Cut Set (p. 11)
MMT: Mission Management Tool (p. 19)
PHL: Preliminary Hazard List (p. 5)
PHA: Preliminary Hazard Analysis (p. 5)
PSSA: Preliminary System Safety Assessment (p. 5)
SW: Software (p. 23)
UAS: Unmanned Aerial System (p. 2)
UAVs: Unmanned Aerial Vehicles (p. 1)
UGV: Unmanned Ground Vehicle (p. 1)
VLOS: Visual Line Of Sight (p. 20)


1. Introduction
Autonomous Unmanned Aerial Vehicles (UAVs) have developed rapidly in recent years due to advancements in several areas, such as electronics, system design, sensor technologies, material science, and computer and computing sciences. The use of UAVs has become widespread, and depending on their application, UAVs can be used for military or civilian purposes. A significant driver for using UAVs is the growing need for aerial surveillance, reconnaissance and inspection in complex and dangerous environments, as well as more routine operations such as data collection. The higher confidence in using UAVs and the low downside risk resulting from technological improvements are two strong motivators for the continued expansion of UAV use [1]. Smart agriculture has expanded due to the massive demand for food production, which must increase by 70 % by 2050 according to the "Agriculture in 2050 Project" [2]. UAVs in agriculture have decreased working hours while increasing measurement accuracy and productivity. Furthermore, UAV applications have expanded into many areas, e.g. insecticide and fertilizer prospecting and spraying, seed planting, weed recognition, fertility assessment, mapping, and crop forecasting [3].

The starting point of this thesis work is the ECSEL JU project Aggregate Farming in the Cloud (AFarCloud) [4][5]. The project implements a distributed system of (semi-)autonomous UAVs and Unmanned Ground Vehicles (UGVs) combined with sensors for precision farming. In this so-called multi-robot approach, autonomous UAVs play a major role in data collection from the fields. For any type of farming, knowing the current conditions (fields and weather) is central, so collecting data is of major importance. Thus, the AFarCloud project concerns the integration of a multi-robot system that maximizes the desired result in the agricultural industry while, at the same time, decreasing costs. The project is also concerned with avoiding dangerous conditions involving humans. Eliminating accidents by replacing humans with autonomous systems, or using artificial intelligence and other solutions to avoid accidents, is also an essential part of the AFarCloud project.

A central part of the AFarCloud project, as well as of this thesis work, is the concept of a mission. Simply put, a mission is any activity carried out at a farm that contributes to the farm's agricultural activities, e.g. data collection using a UAV, data collection from a weather station, planning fertiliser usage, maintaining a specific agricultural machine, etc. Thus, every activity performed at a farm can be seen as a mission. The UAV used is the so-called Open Drone. Open Drone's scientific and technological objective within the AFarCloud project has been to design and implement a cost-efficient, reliable drone solution that can be accepted by companies active in the precision agriculture domain, and it is an initiative for involving students of the Master of Science (MSc) program in dependable systems in the AFarCloud project [6]. The motivation for this approach is that all these activities should be formulated in terms of a mission plan (note that planning of missions is not in the scope of this thesis work). This thesis aims to identify the hazards in missions that incorporate an autonomous UAV within the scope defined in the AFarCloud project, and how these hazards can be mitigated. The mitigation principles proposed in this work do not have to reflect a real system; they are selected to illustrate the strength of certain tools in the method. This thesis also carries out a tool study to determine which attributes give the most reliable results from the different tools for identifying and analysing hazards.

The structure of this thesis is as follows. Background, Section 2, explains and provides the essential information surrounding this thesis: autonomous UAVs and the tools used to identify, analyse and mitigate hazards. Related Work, Section 3, discusses and describes previous work in the scope of this thesis, such as hazard identification, hazard analysis, risk assessment and hazard mitigation. Section 4 presents the Problem Formulation of this thesis. The methods used to answer the research questions are described in Section 5. Section 6 presents the Ethical and Societal Considerations addressed in this thesis. Section 7 describes the experiment, which is formulated as a Use-Case; this Use-Case contains a mission where an autonomous UAV flies over the farm to collect data. Section 8 provides the Results of this thesis. A Discussion of the results is provided in Section 9. Section 10 contains the Conclusions of this thesis, and Section 11 addresses possible Future Work.


2. Background
This section provides the background information needed to understand the thesis work: autonomous UAVs and the tools that will be used to identify, analyse and mitigate hazards.

2.1 Unmanned Aerial Vehicle (UAV)

An unmanned aerial vehicle (UAV) operates without a human operator onboard and is also known as a "drone". UAVs differ considerably in size, function and more complex features, which can be referred to as abilities. Some UAVs are large vehicles similar to human-crewed aircraft, while others can be launched and operated by a single person. There are essential obstacles to the civilian use of UAVs with respect to autonomy and Beyond Visual Line Of Sight (BVLOS) operation. However, it seems to be only a matter of time before this development results in mature products, in Sweden and Europe as well as in other regions. Nowadays, civilian UAVs are used in various applications such as surveying, delivery of packages (even critical material such as medical equipment and samples), precision agriculture (see Figure 1), and monitoring of various areas (e.g., critical infrastructure, traffic) or phenomena, even weather observations [7]. Thus, in general, UAVs are used mainly because they are considered a solution when a mission is dangerous, dirty, or simply not practical if managed by humans.

Figure 1: Autonomous unmanned aerial vehicle in agriculture [8]

2.2 UAV operation field

Civilian UAVs have been used broadly in many applications because of their high mobility and deployment efficiency. UAVs can therefore be used in applications such as real-time monitoring of road traffic, search and rescue operations, security and surveillance, and agricultural activities, for example paddy monitoring and spraying [9][10].

The technologies that make up a UAV have developed considerably, and UAVs can be used in several different areas. In the AFarCloud project, several Unmanned Aerial Systems (UAS) are developed in order to address the agricultural sector's needs. A UAS has several primary subsystems (Unmanned Aerial Vehicle (UAV), Ground Control Station (GCS), Payloads (PLD), Data Link (DLK)), and together these subsystems can meet the farming needs. UAS have enabled the development of precision farming methods and thus increase the yield from the existing agricultural land. These methods provide reliable and very detailed monitoring of assets such as livestock, crops, etc. The ambition of this project is that the farmer should be able to collect data with minimal effort. To make this possible, UAS need to be developed with respect to autonomy, flexibility, robustness and high availability [11].


2.3 Autonomous Systems

The notion of autonomy has diverse viewpoints in the literature, because performing by oneself can have various aspects and defining features. An autonomous system can act by itself to complete a task towards the achievement of predefined goals. It also depends on where it is applied, for example a system that can learn to improve its activity, or a living being [12]. Autonomous UAVs are a vital target goal for technologists, since the ability to take off, perform a mission and return to base without human influence is a challenging and essential topic [13].

One can view autonomy as a spectrum from no autonomy to full autonomy with intermediate steps, or levels [14]. There are different frameworks that define autonomy. In the framework assumed in this thesis work, autonomy is divided into five different levels.

Level 0: No Automation: In level 0, there is no automation, since the pilot (or operator) fully controls every movement and action. In practice, this level is used for drone racing and model aircraft.

Level 1: Pilot Assistance: The drone can take over at least one necessary function for a specific time but can never control flight direction or speed at the same time. Thus the pilot must still be in control of the overall operation of the vehicle. However, the drone can support navigation and keep altitude and position. In practice, drones at this level are used for inspection, detection, photography and filming.

Level 2: Partial Automation: In level 2, the pilot is still in full command and is responsible for the vehicle's safe functioning. The drone can only take control under specific circumstances in terms of speed, altitude and heading. The platform can aid with navigation and let the pilot focus on other duties; however, the pilot must still be prepared to control the drone if something goes wrong. Nowadays, many drones are built at this level. In practice, drones at this level are used for mapping, surveying and measuring.

Level 3: Conditional Automation: The drone can fly without a pilot, but the pilot needs to take control if something goes wrong. In level 3, the drone is similar to level 2. A level 3 drone can perform all functions under specific circumstances. In practice, drones at this level are used for mapping and delivery.

Level 4: High Automation: The drone does not always need to be controlled by a pilot. The drone can fly itself almost full-time at this level. The drone system has redundancy, so if something fails in the system, the drone can still perform the proper function despite the failure. In practice, drones at this level are used for photography and filming.

Level 5: Full Automation: At level 5, the drone controls itself and does not need any human intervention. The drone can, under all circumstances, fly and perform tasks with full-time automation, using AI tools to plan the flights and to modify its routine-defining behaviours [14][15].


2.4 Reliability
Reliability is the capability of a system, or of a component, to perform a specific function under a particular situation. The level of this ability can be measured, for instance as the average lifetime [16]. Over time, the term reliability has had different interpretations and usually depends on the context of the discussion [17]. The elements that define reliability are ability, conditions, specified time and essential function. The element ability is expressed quantitatively as a probability. Stated conditions usually refer to the environmental conditions of the process. The specified time is also referred to as the mission time, which gives the expected duration of the operation, and the required function relates to the expected performance. There are different stages in the life cycle, ranging from birth to death of a system or component, and reliability is essential in each step. In the design stage of the system, reliability can be improved simply by simplifying the design or by using derating/factor of safety and redundancy. In the production stage, reliability can be improved by using suitable components and quality control practices. Safety is a combination of reliability and consequences. Apart from increasing reliability to enhance safety, the consequences must be reduced by providing safety systems that anticipate the failure and ensure the consequences are at an acceptable level [18]. Some factors can immediately impact or affect the reliable performance of an autonomous drone; these factors are societal, industry and technology factors [19].

2.5 Hazard Identification and Risk Analysis

Hazards shall first be identified and then evaluated to determine whether they can be tolerated or not. Hazard Identification and Risk Analysis (HIRA) involves identifying unacceptable events that lead to a hazard, analyzing how this undesirable event could occur, and estimating the probability and severity of each risk. HIRA aims to identify and analyze possible hazards and incidents during the system's life cycle in order to eliminate or mitigate the risks, see Figure 2. Many analysis tools are available to identify and analyze hazards [20][21][22][23]. The result of HIRA is typically documented in worksheet form, depending on the stage of the work and the analysis tool used [21].

Figure 2: Hazard Identification and Risk Analysis [21].

2.5.1 Hazard identification

Hazard identification is a crucial part of the system safety process. It is impossible to safeguard a system or control risks sufficiently without first identifying the hazards [24]. Identifying the hazard is the first and most crucial part, and it is the cornerstone on which the analysis is built. That is why the system, process or component shall be studied and reviewed accurately. Identifying hazards can even increase reliability, since analysing the danger provides the solution to mitigate or reduce the risk. The idea is to identify hazards within the system, the process or the components. Studying malfunctioning and unprotected components or inefficient processes are some examples of how to identify hazards. The tools used to identify the hazards are Preliminary Hazard Analysis (PHA), Functional Hazard Assessment (FHA) and Fault Tree Analysis (FTA) [25]. In addition, these tools analyse the identified hazards.

2.5.2 Risk Analysis

Risk analysis is a systematic process used to identify, evaluate and mitigate hazards. The hazards and their source causes shall be identified by analyzing the system step by step and determining which hazards are associated with this system under all operating conditions [24]. Analyzing the identified hazards listed in the Preliminary Hazard List (PHL) with different tools reveals their causes and effects. In addition, it provides the solutions and safeguards to reduce or mitigate the hazard. Hazard analysis uses different analysis tools such as PHA, FTA, Preliminary System Safety Assessment (PSSA), Common Mode Analysis (CMA), FHA, etc.

2.6 Analysis Tools

Several analysis tools are used to identify and mitigate hazards. The PHL lists all possible risks within the system, while PHA, FTA, CMA, PSSA and Risk Assessment are used to identify and analyze the hazards. These tools reveal the cause of the danger, its effect on the system and its consequences. The solution and safeguard are then found based on the causes, effects and consequences.

2.6.1 Preliminary Hazard List (PHL)

Identification of the hazard is a vital part of the system process. The Preliminary Hazard List is used at the start of each hazard analysis to collect a complete list of dangers in the system. There are different methods to gather the hazard list to develop a PHL. The techniques used include studying and analyzing a similar system, checking previous accidents, and reviewing related technical data (electrical analyses, operator manuals, engineering reports) [24][25]. Once the study is done, the list will contain a combination of hazards and effects [26]; see Table 1.

Table 1: Preliminary Hazard List (PHL)

Hazard Nr. | Item | Hazard | Effect

The PHL worksheet includes:

• Item: the Use-Case, project or component.
• Hazard: the hazard is identified by studying the Use-Case component to find the possible existing risks that can lead to a Catastrophic or Hazardous/Severe-Major failure condition. In addition, reviewing previous accidents in a similar operation gives a number of hazards that have already been identified.
• Effect: the identified hazard affects the process, operation or component, which leads to a failure condition. The effect of the hazard describes the consequence of each risk.

5
Alireza Ebrahimi, Mohammed Mustafa Autonomous Robots in Farming

2.6.2 Preliminary Hazard Analysis (PHA)


Preliminary Hazard Analysis (PHA) identifies and evaluates hazards in relation to the probability
of occurrence and the severity of the consequences, and proposes solutions that will reduce, control
or eliminate hazards [27][28]. It also reviews each primary subsystem and identifies specific risks
and safety issues, including failures, faults, processes or procedures, and human errors [24][29]. The
degree of the risk is evaluated based on how often the danger can happen and the severity of the
consequences, see table 2.
PHA considers the essential risk in every aspect of an operation. The PHA often serves as hazard
identification. In addition, PHA provides the safeguard to reduce or mitigate the hazard based on
the severity and probability of the risk [26], see the flowchart for PHA in figure 3. It is customary to
divide Probability and Severity into different levels/categories. According to MIL-STD-882E,
Probability is divided into six levels and Severity is divided into four categories.

Preliminary Hazard Analysis (PHA)

Hazard Nr. | Hazard Description | Cause of Event | Consequences | Preventive Action | Probability | Severity | Risk Assessment

Table 2: Preliminary Hazard Analysis (PHA)

PHA worksheet includes:

• Hazard Description: The hazard that was identified and collected in the PHL.
• Cause of Event: Describes the cause of each hazard. It answers the question of how the hazard
can occur within the process or component and specifies the main reason for the identified
risk.
• Consequences: Consequences are the result of the failure condition and its effect caused by a
hazard.
• Preventive Action: In order to increase the reliability, the hazard shall be eliminated or
reduced to an acceptable risk. The cause of the event and the consequences reveal the nature of
the danger, which is needed to find an effective preventive action. The preventive action is the
solution that eliminates or reduces the hazard.
• Probability: Probability shows how often the hazard can arise, and it is divided into six levels
according to MIL-STD-882E.
• Severity: Severity is the degree of the consequences, divided into four categories according
to MIL-STD-882E. Each category describes the fatality level of the result for humans or the
environment. The reliability decreases, and the cost increases, with increasing severity.
• Risk Assessment: Risk assessment uses the combination of severity and probability, and the
result can be one of four levels (High, Serious, Medium, Low) according to MIL-STD-882E,
see figure 4.


Figure 3: Flowchart for Preliminary Hazard Analysis (PHA) [26].

2.6.3 Risk Assessment


Risk is the severity of the consequences of an accident multiplied by the probability that it will
occur. Risk Assessment is the process used to determine how to control the risks that have been
identified based on the analysis [22]. Once the hazards are identified, the risk must be assessed.
Risk assessment principles are applied to the identified hazards based on their Severity and
Probability of occurrence, to decide whether the risk is acceptable or shall be reduced to an
acceptable level. Risk assessment uses PHA as a tool for identification, analysis, evaluation and
mitigation [29]. The combination of hazard identification and risk assessment makes a significant
contribution to the prevention of accidents [30].

Probability: The likelihood of the occurrence of the hazard and how often the specific risk leads
to an accident [31]. Probability, according to MIL-STD-882E, is divided into six levels (Frequent,
Probable, Occasional, Remote, Improbable, and Eliminated). Each level describes the likelihood
of the hazard occurring; however, Eliminated is not so common in civilian projects. The Cause
of Event (used in the PHA worksheet) can reveal the possibility of occurrence and estimate how
often a risk can occur, see table 3.

Category | Description | Aspects
A | Frequent | Likely to occur often in the life of an item.
B | Probable | Will occur several times in the life of an item.
C | Occasional | Likely to occur sometime in the life of an item.
D | Remote | Unlikely, but possible to occur in the life of an item.
E | Improbable | So unlikely, it can be assumed occurrence may not be experienced in the life of an item.
F | Eliminated | Incapable of occurrence. This level is used when potential hazards are identified and later eliminated.

Table 3: Probability Levels according to MIL-STD-882E


Severity: When the hazard causes an accident, how severe will the consequences be? [31] Severity,
according to MIL-STD-882E, is divided into four categories (Catastrophic, Critical, Marginal
and Negligible), and each category describes the degree of the consequences of the hazard. Hazard
consequences affect humans, the environment or the economy. In the worst case (Catastrophic),
the consequences are fatality or death, irreversible impact on the environment or enormous monetary
loss, and in the best case (Negligible), the result is minimal injury, reversible environmental
impact or minimal monetary loss. The consequences of each hazard analyzed and studied by PHA
can reveal the severity of the hazard, see table 4. For example, cows give birth to a calf once per
year, and each time only one calf is born. The worst thing that can happen is that the cow loses its
life during this period, or that the cow receives permanent damage leading to risks in future calving.
These events can be defined as catastrophic/severe according to AFarCloud [32].

Category | Description | Mishap Result Criteria
1 | Catastrophic | Could result in one or more of the following: death, permanent total disability, irreversible significant environmental impact, or monetary loss equal to or exceeding $10M.
2 | Critical | Could result in one or more of the following: permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, reversible significant environmental impact, or monetary loss equal to or exceeding $1M but less than $10M.
3 | Marginal | Could result in one or more of the following: injury or occupational illness resulting in one or more lost work day(s), reversible moderate environmental impact, or monetary loss equal to or exceeding $100K but less than $1M.
4 | Negligible | Could result in one or more of the following: injury or occupational illness not resulting in a lost work day, minimal environmental impact, or monetary loss less than $100K.

Table 4: Severity Categories according to MIL-STD-882E


Risk Assessment: The risk assessment level is the multiplication of the hazard probability
level and the hazard severity categories [30][31]. Other standards use other parameters in the risk
assessment matrix; for example, Controllability and Exposure are used according to ISO26262 [33].

Figure 4: Risk Assessment Matrix according to MIL-STD-882E

Figure 4 shows the Risk Assessment Matrix. The risk is divided into four degrees according
to MIL-STD-882E: High, Serious, Medium and Low. It is possible to determine the severity and
probability of the hazard using analysis tools such as PHA, and then find the degree of risk using
the Risk Assessment Matrix. The degree of risk indicates which action should be taken to
mitigate the risk.

High risk: Stop the process or activity immediately and execute adequate control.

Serious risk: Investigate the process or activity to perform the appropriate check and correct it
immediately.

Medium risk: Process or activity can keep going. The control plan shall be developed and
implemented as soon as possible. Necessary correction is required.

Low risk: Monitor regularly process and activity while the process can keep going. The risk
shall be corrected [31][34].

2.6.4 Functional Hazard Assessment (FHA)


Functional Hazard Assessment (FHA) is recommended (ARP 4754 [SAE94]) for performing hazard
identification [35]. FHA examines the functions systematically to identify and classify the failure
conditions of those functions according to their severity, and considers both loss of function and
malfunction [36], see table 5. The FHA shall provide the following information for each
function:
– Identification of related Failure Condition(s)
– Identification of the effects of the Failure Condition(s)
– Classification of each Failure Condition based on the identified effects (Catastrophic, Hazardous/Severe-
Major, Major, Minor, or No Safety Effect)
The FHA aims to identify the severity of each failure condition. In addition, this information
will be used as a base to be evaluated by the PSSA [37].


Functional Hazard Assessment (FHA)

Hazard Nr. | Function | Failure Condition | Failure Effect | Classification

Table 5: Functional Hazard Assessment (FHA) [35]

2.6.5 Fault Tree Analysis (FTA)


Fault Tree Analysis (FTA) is a top-down procedure for analyzing reliability using simple Boolean
logic to determine the failure rate [38]. FTA can be used for other purposes, but in this thesis, FTA
will list the different sequential and parallel fault events that can occur for the undesired top event.
FTA does not provide a graphical presentation of all possible system failures or all possible causes.
Instead, it is a visual display of the particular system failure modes and faults that can lead to the
top event [24]. FTA can be applied to a wide variety of problems, and it has proved to be a
productive hazard identification tool. FTA aims to prevent and resolve hazards and failures and
is often used by the professional reliability community. Identifying the areas in a system that are
most critical to safe operation requires qualitative and quantitative methods, which are used for
different purposes. The first step is to use a qualitative fault tree, since it is a cost-effective and
invaluable engineering tool. Quantitative FTAs are very hard to perform if there is a lack of
information about the system.
The professional user of FTA must develop insight into system behaviour, especially the aspects
that might lead to the hazard under investigation. On closer inspection, an FTA is similar to a logic
diagram, which means the analytical tool is "deductive" and is used to study specific undesired
events. The FTA starts with a defined undesired event. It is usually based on a theoretical
accident condition, where all known faults or events that can contribute to the undesired event are
systematically considered [26].
The functional representation of the system must be present in the logical analysis. Therefore,
it must include all combinations of faults in the operating system that may contribute to the
undesired event. Each contributing fault event should be analyzed together with its underlying
fault events to determine the logical connection. As a result, the tree becomes a logic-gate network
of fault paths [26]. These paths contain combinations of events and conditions, with primary and
secondary inputs, that can lead to or affect the dangerous situation.
There are different symbols in the Fault Tree Diagram, and they are divided into two notations,
gates and events. This paragraph describes the selected gate and event symbols that will be used
in this thesis for the FTA [39][40], see figure 5.
Gates:
• OR gate - The event will occur if at least one of the input events takes place
• AND gate - The event will occur only if all input conditions are met
• Exclusive OR gate - The event will not occur if all conditions are met, only if exactly one of
the input conditions is met
• Priority AND gate - The event will occur only after a specific sequence of conditions
• Inhibit gate - The event only occurs if all the input events take place and the conditional
event is satisfied
Events:
• Basic Event - A failure or error in a system component
• Conditioning Event - Used when there are conditions that need to be defined
• External Event - An event that is expected to occur and can be used as a switch
• Intermediate Event - Detailed description of events
• Undeveloped Event - Lack of information, end of the investigation.


[Figure 5 image omitted; symbols shown: Priority AND Gate, Exclusive OR Gate, Inhibit Gate, AND Gate, OR Gate, Basic Event, Conditioning Event, External Event, Intermediate Event, Undeveloped Event]

Figure 5: Fault Tree Analysis events and gates [41]

2.6.6 Functional Hazard Assessment system (FHAs)


FHAs analyzes the basic events in the FTA whose failure can lead to loss of function in the top event.
This analysis is similar to FHA, but it focuses on the Minimal Cut Set (MCS) events of the FTA
at the system level. FHAs analyzes the failure conditions, i.e. the lowest events in the FTA, to find
the failure effect. The failure effect provides the degree of risk and classifies the functional hazard,
see table 6.

A Minimal Cut Set (MCS) is the smallest set of lowest-level events that together cause the top event
to occur and the system to fail. Cut set analysis is a qualitative analysis performed based on the
gate logic [42]. The MCS can be identified once the FTA is drawn; an MCS is a cut set that cannot
be reduced [43].

Functional Hazard Assessment system (FHAs)

Hazard Nr. | Function | Failure Condition | Failure Effect | Classification

Table 6: Functional Hazard Assessment system (FHAs) [35]

2.6.7 Preliminary System Safety Assessment(PSSA)


The Preliminary System Safety Assessment (PSSA) is a systematic examination of the proposed
system architecture. PSSA is a top-down approach to determine how failures can lead to the
functional hazards identified by the FHA. Implementing the PSSA should consider all the significant
failure conditions identified by the FHA [44], see table 7.
PSSA examines the system architecture to discover how failures can cause the functional hazards
identified by the FHA, and aims to verify the system's safety requirements and determine that
the architecture can meet the safety objectives identified by the FHA. The PSSA is conducted on
the design definitions of systems, components, and hardware/software [37]. Implementation of the
PSSA depends on the system architecture, the system complexity, the related failure condition
severities, and the function the system performs. For simple systems and applications, or
modifications of the supplemental type certificate for the specific system, it is not necessary to
implement or modify the PSSA [44].


Preliminary System Safety Assessment (PSSA)

Hazard Nr. | Failure Condition | Requirement(s)

Table 7: Preliminary System Safety Assessment (PSSA) [44]

2.6.8 Common Mode Analysis (CMA)


Functions or components shall be independent of each other, which is required to satisfy
reliability. It is necessary to ensure that such independence exists or that the lack of independence
is acceptable. If the independence of functions or components does not hold due to the system
design and implementation, the estimated FTA event probabilities will be more optimistic than
what is found in practice [45].
Common Mode Analysis (CMA) identifies individual failure modes that can lead to a Catastrophic
or Hazardous/Severe-Major Failure Condition. CMA verifies that the failure events identified in the
FTA are independent in the actual implementation by verifying that ANDed events in the FTA
are truly independent. CMA contributes to the verification that independence principles have been
applied where necessary. The effects of development errors, crew errors, and failures of system
components that defeat independence should be analyzed to ensure the independence of functions.
Systems, items or components with identical hardware and/or software could be susceptible to
common cause faults, which could cause failures in multiple systems. The CMA process is based
on analyzing the design and implementation for elements that may defeat the redundancy or
independence of functions within the design [37].
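The minimal-cut-set reduction of section 2.6.6 and the ANDed-event independence check that CMA calls for, worked through in Python as an added example that is not part of the thesis or of the AFarCloud project; the fault tree, its event names and the per-mission probabilities are constructed assumptions for the collar-monitoring Use-Case, and only AND and OR gates are used. The gate-by-gate figure shows the optimistic estimate that results when a basic event shared under an AND gate is overlooked.

```python
"""Fault tree -> minimal cut sets (MCS) -> top-event probability.
Constructed illustration: TOP = "UAV does not reach the cow's position";
event names, tree structure and probabilities are assumptions."""
from dataclasses import dataclass
from itertools import product
from math import prod
from typing import Dict, FrozenSet, List, Set, Union


@dataclass
class Gate:
    name: str
    kind: str            # "AND" or "OR"; the only gate types used here
    inputs: List["Node"]


Node = Union[str, Gate]  # a plain str is a basic event


def cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """All cut sets of a subtree before reduction (MOCUS-style expansion)."""
    if isinstance(node, str):
        return {frozenset([node])}
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        return set().union(*child_sets)          # any one input fails the gate
    if node.kind == "AND":
        # every input must fail: merge one cut set taken from each input
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unsupported gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Keep only cut sets that contain no other cut set (cannot be reduced)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def mcs_probability(mcs: Set[FrozenSet[str]], p: Dict[str, float]) -> float:
    """Rare-event approximation of P(top): sum over the MCS of the product of
    basic-event probabilities. Valid only if the basic events are independent."""
    return sum(prod(p[e] for e in s) for s in mcs)


def naive_gate_probability(node: Node, p: Dict[str, float]) -> float:
    """Gate-by-gate propagation (AND multiplies, OR adds) that treats each
    gate's inputs as independent: the optimistic figure one gets when a basic
    event shared under an AND gate is overlooked."""
    if isinstance(node, str):
        return p[node]
    child = [naive_gate_probability(c, p) for c in node.inputs]
    return prod(child) if node.kind == "AND" else sum(child)


def basic_events(node: Node) -> Set[str]:
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node.inputs))


def shared_and_inputs(node: Node) -> Dict[str, Set[str]]:
    """CMA-style check: for each AND gate, the basic events that appear under
    more than one of its inputs (the ANDed events are then not independent)."""
    found: Dict[str, Set[str]] = {}
    if isinstance(node, str):
        return found
    if node.kind == "AND":
        per_input = [basic_events(c) for c in node.inputs]
        shared = {e for i, s in enumerate(per_input) for e in s
                  if any(e in other for other in per_input[i + 1:])}
        if shared:
            found[node.name] = shared
    for c in node.inputs:
        found.update(shared_and_inputs(c))
    return found


# Constructed tree: POWER_LOSS feeds both navigation branches of the AND gate.
TREE = Gate("TOP", "OR", [
    Gate("G1_no_position_fix", "AND", [          # both position sources lost
        Gate("G1a_gnss_branch", "OR", ["GNSS_OUTAGE", "POWER_LOSS"]),
        Gate("G1b_vision_branch", "OR", ["CAMERA_FAIL", "POWER_LOSS"]),
    ]),
    Gate("G2_no_mission", "OR", ["MMT_LINK_LOST", "COLLAR_POSITION_STALE"]),
])

# Constructed per-mission probabilities, for illustration only.
P = {"GNSS_OUTAGE": 1e-2, "CAMERA_FAIL": 5e-3, "POWER_LOSS": 1e-3,
     "MMT_LINK_LOST": 2e-3, "COLLAR_POSITION_STALE": 1e-3}


def analyse(tree: Node = TREE, p: Dict[str, float] = P) -> dict:
    mcs = minimal_cut_sets(tree)
    return {"mcs": mcs,
            "single_points": {s for s in mcs if len(s) == 1},  # FHAs candidates
            "p_mcs": mcs_probability(mcs, p),
            "p_naive": naive_gate_probability(tree, p),
            "shared": shared_and_inputs(tree)}


if __name__ == "__main__":
    r = analyse()
    for s in sorted(r["mcs"], key=lambda s: (len(s), sorted(s))):
        print("MCS:", sorted(s))
    print(f"P(top) from MCS   = {r['p_mcs']:.3e}")
    print(f"P(top) gate-naive = {r['p_naive']:.3e}  (optimistic)")
    print("shared events under AND gates:", r["shared"])
```

The single-event minimal cut sets are the candidates an FHAs worksheet would classify first, and the difference between the two probability figures is exactly the optimism that a missed common-mode event introduces.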


3. Related Work
This section provides related research work and describes previous work within the scope of the
thesis. This part mentions the methods and literature studies that have been used in previous
research work. Every research paper reviewed is similar or related to the thesis work. It covers
hazard identification, hazard analysis, risk assessment and hazard mitigation.

3.1 Hazard Identification


Identifying hazards involves finding the situations that could potentially cause harm to the people
involved with the UAV system. Identification of hazards is based on data collected from different
sources and on the potential dangers of the specified field [46].
Risk is also identified by collecting UAS accidents and incidents in a database (see Refs
[47] and [48]) to be further analyzed in terms of precursor sequences and worst-case precursor
combinations and sequences. Other sources that contain hazards include government accident
reports and media reports [49]. The collected data are divided into two categories, a direct group
and an indirect group. The main attempt is to identify those hazards that will have the most
implications for the strategic choice [46].
Hazard identification characterizes the risk scenario. The risk scenario identifies how a particular
hazard can occur. There are different hazard identification methodologies, such as FHA, Failure
Modes and Effects Analysis (FMEA), Hazard and Operability Analysis (HAZOP), Common Cause
Analysis (CCA) and FTA. Analyzing individual components in isolation from the other components
of the system and its environment can fail to identify the risks fully. According to S. Basavaraju
et al. [50], the hazard identification process is reviewed periodically to obtain new information or
identification techniques. The pre-flight assessment process is developed by the Federal Aviation
Administration (FAA) to identify the hazards and the risk mitigation strategies, to ensure that
unacceptable risk cannot occur during the UAV mission. Furthermore, the identification of the
hazards is followed by a combination of qualitative and quantitative analyses. The qualitative
approach performs the risk analysis process, and it is used in the risk management process to
identify hazards [51]. It is very important that the hazard identification process is periodically
reviewed to make use of new knowledge, information, or identification techniques.

3.2 Hazard Analysis


The method used to analyze accidents by C. M. Belcastro et al. [49] is based on the sequential
predecessor model, which defines an accident as a series of related events that in turn lead to an
undesirable outcome. The mishap can be prevented if the intervention can eliminate the precursor
event. The methodology was intended to recognize the dominant precursors for each UAS accident
and the associated sequences. In contrast to common source cause analysis, the precursors were
selected by identifying all relevant hazards that led to the accident [49]. The variety and level of
each identified hazard situation are described through hazard risk analysis by S. Basavaraju et al.
[50]. Hazards can also be analyzed with a probabilistic analysis approach that is performed for the
top event and considers the basic events. FTA estimates the failure rate of the top event. Still, it
is not simple to obtain failure rates for all basic events, according to R. Abdallah et al. [52]. This
hazard analysis is related to this thesis work, since this thesis uses probability in the first method
and FTA in the second method.

3.3 Risk Assessment


The risk can be described as a function of the probability and the consequences of undesirable
events. Such a description of the risk is beneficial when using UAVs for bridge inspection, particularly
in a cold operating environment, since there is a lack of data and information. This project is related
to this thesis since the UAV operates outdoors in the AFarCloud project. The overall ranking of
the identified hazards is based on their associated risk, and the estimation is based on Equation
(1). The result shows that the cold-operating-related hazards such as low temperature, ice and
snow are listed at the top of the risk ranking as hazards with high risks [46].


$\text{Risk} = P_{ue}(ue) \cdot C_{ue}(ue)$ (1)

where $ue$ denotes the undesirable event, $P_{ue}$ its probability and $C_{ue}$ its consequence.


The hazard can be assessed by refining the analysis result into a combined set of risks: Hazards
Set Formulation, Current Hazards Set, and Future Hazards Set. This combined hazards set is
used for a preliminary risk assessment [49]. The risk level is described using a range of scales,
either qualitative or quantitative. According to S. Basavaraju, the hazard is assessed by MIL-STD-
882E on a qualitative ordinal scale divided into four levels: high, serious, medium and low. The
probability in conjunction with the severity of the measured component needs to be classified into
one of these levels of risk. The risk matrix is the method used to show these classifications. The
assessed risk gives the potential consequences in order to determine its potential outcome. Because
several consequential outcomes are connected with a single risk scenario, a mapping is applied
based on the worst outcome identified [50].

3.4 Hazard Mitigation


Hazard mitigations or safeguards can be documented once the overall risk is estimated. A potential
hazard is reduced when safeguards are implemented [46]. Analyzing accident reports can provide a
means of identifying UAS risks and mitigation strategies. These mitigation strategies are suitable
for commercial UAS operations. In addition, high-fidelity vehicle simulation models define nominal
and off-nominal vehicle behaviour to develop and evaluate mitigation systems [49]. The process of
evaluating the UAV hazard reveals the state of the risk to be either unacceptable or tolerable. This
approach reduces the severity and probability of the risk occurrence. An unacceptable risk is
intolerable because of the high probability and severity of its consequence. The aim of mitigation
or redesigning the system is to reduce the probability or severity of the hazard consequences to an
acceptable level. By mitigating the risk, its level shall be reduced to a reasonably low level to be
tolerable. A risk scenario that is not tolerable needs to be reduced, eliminated or modified. Risk
mitigation strategies reduce the risk by eliminating the hazard, reducing the probability of risk
occurrence, and reducing the potential severity. The Ground Impact Fatality and Mid-air Collision
Fatality hazards can be mitigated by eliminating the hazard and reducing the probability and
severity of hazard occurrence [50].


4. Problem Formulation
Within the framework of the AFarCloud project a number of key Use-Cases will be defined. These
Use-Cases will represent common situations in which drones are used for various tasks, from data
collection for offline data analysis, to monitoring activities in real time, as well as supervision of
such activities. Whereas monitoring is a passive activity, supervision means that the operator can
change the course of a mission.
In this context all relevant failure conditions of the autonomous drone shall be reviewed. Single
faults and failures can decrease the reliability of the system. This affects the safety as well, since it
is essential to avoid harm or damage to humans and the environment. Therefore, identification of
the hazards within the system is critical. Hazards are the primary concern in this thesis because
they reveal the causes of the event and the failure effect on the system. Identifying and analyzing
the hazards helps to understand their nature and to find the solution to eliminate them or reduce
them to an acceptable risk. Several analysis tools are available to identify and mitigate hazards,
and combining tools gives different solutions for the reliability of the open drone solution; therefore,
research is needed on which combination provides the most reliable results.

Research Question 1 : What are the hazards in missions that incorporate autonomous drones
within the scope defined as above-mentioned Use-Cases (common situation as identified in the
AFarCloud project) and how can these hazards be mitigated?

Research Question 2 : Which attributes define “most reliable results” from different tools for
identifying and analyzing hazards from the RQ1?

4.1 Outcomes
The thesis aims to identify hazards and analyze them so that the reliability of the systems can
increase. Furthermore, the aim is to reach a reliable solution to mitigate or eliminate risks and
compare two different combinations of tools to provide the most reliable solution for a system
(Integration of Open drone solution).

4.2 Limitations
There are different types of solutions for avoiding each hazard. Still, not all of them can be applied
or considered because they may significantly change the system design into an integration of the
Open drone solution.


5. Method
The thesis work will start with designing the experiments that will be conducted within this work.
These experiments will be formulated as the Use-Cases. These Use-Cases will be the foundation
of data collection, with the aim of understanding the missions that involve robotic systems. Based
on these experiments, different types of hazards will be identified and evaluated in the thesis work.
A case study is a method where an event/process is studied in depth [53]. This method will
be used to answer the research questions, identify the hazards, their causes and effects on the
system, and finally the solutions and recommendations to mitigate each danger. The process will
be reviewed and studied to find the probable and possible risks within the system. Known hazards
provide guidelines for understanding the nature of the dangers. Subsequently, these data are used
to find the causes of each hazard. There can be several causes for a risk, and they need to be
analysed and documented. Research and study are followed by listing the failure effects on the
system caused by the hazard. All these data reveal the nature of the dangers and will be used to
give a solution to mitigate them. Tools will be used to identify and analyse hazards; therefore, a
combination of them can give different results to mitigate risks. This thesis uses two different
combinations and then compares those combinations to achieve the most reliable results, see figure 6.

Figure 6: Method for answering Research question 1 & 2


5.1 Severity and Probability hazard analysis


PHL lists the identified hazards, PHA analyzes the identified hazards, and Risk Assessment evaluates
the danger to determine how to control and mitigate the risk. The severity of the consequences and
the probability of occurrence studied by these tools give the safeguard and solution to mitigate the
identified hazard, see figure 7.

Figure 7: Identifying and analysing Process 1

5.2 Top-Down hazard analysis


Hazards are identified by FHA. FTA analyzes each identified risk as a top event. FTA uses the
top-down method to list the different sequential and parallel events or combinations of faults that
must occur for the undesired top event. PSSA examines the system architecture to discover how
failures can cause the functional hazards identified by the FHA, and aims to verify the system's
safety requirements and determine that the architecture can meet the safety objectives identified
by the FHA. CMA analyzes the AND gates used in the Top-Down analysis FTA to verify that the
ANDed events are independent [54], see figure 8.

Figure 8: Identifying and analysing Process 2

In both analysis processes, the tools are used to mitigate the hazard for a reliable system. In
the first case, the mitigated risk is based on Severity and Probability analysis. In the second case,
the mitigation of the hazard is followed by Top-Down analysis. The comparison will be based on
the most reliable results between the Top-Down analysis and Severity and Probability analysis.
The method, using the case study, aims to answer the research questions in order to increase the reliability of the system.


6. Ethical and Societal Considerations


This thesis aims to increase the reliability of the Open drone solution by identifying and analyzing
hazards in order to mitigate and reduce risks. A reliable autonomous drone used in large
agricultural areas can increase performance and efficiency and reduce costs and farm labour costs.
When it comes to the social aspect, farmers gain productivity and cost-effectiveness by using a
reliable autonomous drone. In addition, productivity and cost-effectiveness are essential economic
factors in farming. Since the overall goal of the project is to allow non-expert users of advanced
cyber-physical systems to use advanced UAS, the assumption is that the outcome of this work will
contribute to the democratisation of the usage of these technologies. Regarding ethics, the thesis
work does not assume the collection of data that can affect the integrity of people who work on the
farm; however, this still needs to be considered in a real-world case.


7. The Use-Case
This Use-Case, which represents several Use-Cases, describes a mission where an autonomous
UAV flies over the farm to collect data. The main goal of this mission is to monitor the health
of the cows continuously, and if communication from a cow is lost, it is safety-critical from
AFarCloud's perspective. As long as the cows move freely, they are in good health and no anomalies
are present.
The UAV flies from the base to a specified destination within the farm's premises. The farm is
divided into different operating zones, and no physical fences will be used in this case but only
so-called virtual fences. UAVs shall fly at a specified altitude for an operating zone to collect
information about soil, crops or herds of animals or individual animals. UAVs may fly over country
roads, over or around high-voltage power lines, around windmills, and over or around houses, barns
and silos on the farm [55].
This Use-Case focuses on collecting information about animals in the farm area. The animals
roam freely around the farm's premises and may gather in the same place or spread over the farm
area (Fig. 9). Each animal has a collar (in this case from the company SensoWave, which is one of
the partners in the AFarCloud project), and it sends a signal to the Mission Management Tool (MMT).
MMT uses the information sent by the collars to monitor and survey the animal's position
and movement. A moving cow displayed on the MMT counts as an accepted and safe signal,
indicating no anomaly. A missing signal or an immobile signal on the MMT indicates an anomaly
and a problem. When this happens, the operator defines in the MMT a new mission that tells the
UAV to fly over the specific position where the cow is located.

Figure 9: Animals position in farm premises


The whole procedure is as follows:

1) The operator/farmer detects in the MMT that one of the collars is not responding, or that the
data it sends to the MMT is static. There may be two reasons for this:

(a) The collar is not attached to the cow,

(b) The collar is malfunctioning.

2) The operator/farmer needs to understand the status, so s/he defines a mission that incorporates
one UAV.
3) The mission is autonomous, so the UAV can go to the location to take a picture. The picture
is later sent to the MMT so that the operator can inspect the location visually.
4) Based on the outcome, the operator can decide the next step, which can be to look for the
cow if the collar is found on the ground.

7.1 Mission Management Tool (MMT)


MMT is a software solution developed at MDH for planning multi-robot missions, data
visualisation, mission monitoring and supervision. The Mission Management Tool (MMT) plans
and monitors the ongoing operation performed by UAVs and acts as a command and control
center [56]. MMT provides operators with a central user interface and a set of services, such as
planning, monitoring, control, analysis and storage of assignment-related data for an operation,
accessed through this interface. After the UAV has taken off, all interaction between the UAV
and the operator goes through the MMT. This also means that the operator is not the same person
as the pilot: the operator may be located in an office, whereas the pilot is in the field to monitor
the UAV.

7.2 The concept of Visual Line Of Sight (VLOS)


Visual Line Of Sight (VLOS) is the normal visible range within which the drone pilot or a visual
observer can easily see the drone without obstruction. Potential obstacles include structures,
natural features such as mountains or trees, houses or barns. VLOS gives a clear understanding of
the attitude and location of the drone at all times and provides situational awareness of any
nearby hazards [57].

7.3 Collars (SensoWave)


Collars (SensoWave) are used as a solution to help farmers take care of their animals and locate
them easily without limiting the mobility of the animals [58]. The collars have an Inertial
Navigation System (INS) and a Global Navigation Satellite System (GNSS) receiver to monitor
the cow's activity (position, movements) [59].

7.4 UAV Operation


The UAV receives the command to fly from the MMT when an anomaly is detected and must fly to
the position and coordinates provided by the MMT. UAV missions should operate within VLOS and
take the shortest path to the specified position. The UAV flies autonomously along this path,
avoiding dynamic and stationary objects such as windmills, houses or barns. The flight altitude is
limited, and the UAV must fly at the altitude specified for an operating zone. The next limitation
on the UAV is the farm premises border, which means UAVs can not fly beyond the operating zone.
The UAV follows the path using the position data to reach the selected destination. When the
UAV reaches the chosen area and is above the indicated position, it takes an image of that specific
point. The image is sent to the MMT to be analysed further by the operator/farmer, who takes
action to solve the problem. The mission is then complete, and the UAV can return to the base
station. The UAV route, both approaching the position and returning to the base, shall be within
VLOS range (Fig. 10).


Figure 10: UAV Operation


8. Results
This section presents results from the experiment and the case study. The results are divided
into two sections, one for each method. The experiment is formulated as the Use-Case (the
designed Use-Case represents several Use-Cases), and the case study answers questions such as
hazard identification, causes, effects on the system, and solutions to mitigate each hazard. The
Use-Case helps explain how the system should behave and, in the process, also helps brainstorm
what could go wrong. Reviewing and studying the Use-Case identifies possible hazards. All
identified hazards are listed in the PHL and FHA. The two analysis methods use the same hazards
so that their results can be compared to determine which method gives the most reliable results.

8.1 Severity and Probability Hazard Analysis


In this section, the hazard analysis is based on the severity of consequences and the probability
of occurrence. Analysing the identified hazards shows the nature of the risk and simplifies the
understanding of how to prevent or mitigate the hazard.

8.1.1 Preliminary Hazards List (PHL)


Sect. 7 explains how the process monitors the animals' health and activities (Fig. 10).
Studying and reviewing the Use-Case reveals the possible and potential hazards. The Use-Case
process is divided into several parts, and each part is analysed to identify hazards. A possible
failure or malfunction of each part can generate a risk, and this hazard can affect the whole system.
The UAV, collars and MMT are involved in this process to achieve the goal. Studying the different
devices and the process provides the possible hazards that can occur. The study focused on finding
the most relevant hazards that can have a significant impact on reliability. The identified hazards
are listed in the PHL in Appendix A.

– HAZ01: All devices communicate with each other to complete the mission. The collars send
the information about the cow's health and activities, and the MMT receives that information.
In case of an anomaly, the MMT communicates with the UAV. The UAV will fly over the
determined position and send the image to the MMT. This process therefore requires reliable
communication, and a communication failure leads to a hazard.

– HAZ02: The UAV operates in visual line of sight (VLOS), which means that the operator
must see the UAV at all times during the mission. The hazard occurs if the UAV is beyond
visual line of sight (BVLOS).

– HAZ03: The collars send the movement and activity of the animal to determine the animal's
location. Failure of the collars can lead to permanent loss of the animal's position, and the
operator and UAV can then not find or reach the animal's location.

– HAZ04: The autonomous UAV operation takes place outdoors, where static and dynamic
obstacles are inevitable, and therefore collision avoidance is essential for autonomous
UAVs. Failure of collision avoidance leads to the hazard and decreases reliability.

– HAZ05: The autonomous UAV mission is to reach the determined position and return to its
base. The identified hazard is UAV mission failure, which can happen in different phases, e.g.
before or during the mission.

– HAZ06: All devices need a power supply to complete the mission. Lack or failure of energy
sources stops the operation of one or more units, and this failure can create a hazard.


8.1.2 Preliminary Hazards Analysis (PHA)


PHA analyzes the hazards identified in the PHL to find the causes of each event and its consequences.
The causes and corresponding consequences that can lead to the risk are studied to determine
probability and severity. Probability is based on examining the event's causes and how often the
event can occur during an item's life. Each hazard's consequences show its impact on humans or
the environment and determine how severe it is. The preventive action is the proposed action and
solution to mitigate the identified hazard; it focuses on the causes of the event in order to
eliminate them or reduce them to an acceptable risk (Appendix B). The probability (Table 3) and
severity (Table 4) tables define the levels and category of each hazard.

– HAZ01: Different events cause communication failure, e.g. the collars are out of function
and do not send the signal, or LoRa and WiFi are disconnected. The consequences significantly
impact the animal and the environment, e.g. the animal's health, localization of the animal's
position or the UAV operation. The probability category is C (occasional), which means that
the hazard is likely to occur at some point during a product's lifetime. The severity category
is S1 (catastrophic). Since the cows are outside and sometimes even further away from the
main farm facilities, real-time monitoring is critical. In this case communication can be the
weakest link, and all issues in communication must be avoided. In addition, the farm's ambition
is to have a solution that allows other animals (mainly lambs and sheep) to leave the farm area
and relocate near the Pyrenees mountains (10 km from the farm), so it is important that wireless
communication is reliable [32]. According to the risk matrix, the multiplication of C and S1
gives a High degree of risk, indicating that the process or activity should be stopped immediately
and adequate controls put in place. The preventive measures are provided according to the
causes, e.g. a redundant network (Sigfox, Bluetooth LE).

– HAZ02: Obstacles, long distance, bad weather, darkness and human error cause the UAV to be
beyond visual line of sight. This hazard can have consequences such as being unable to control
the unpredictable behaviour of the UAV in the presence of a failure. The causes also determine the
probability of occurrence, and the probability level for this hazard is A (frequent), i.e. likely
to occur often in the life of an item. The severity category is S2 (critical), i.e. it can cause
injury to an animal or a reversible but significant environmental impact. The risk assessment gives
a High degree for this risk. The preventive actions are provided according to the causes, e.g.
position tracking or a flashing light.

– HAZ03: Animal localization is permanently lost if communication between the collars and the MMT
is disconnected or the collars are out of function and can not send the animal's position. The
consequences are significant, e.g. the animal's life may be in danger, and not reaching the
animal's position can lead to death or severe harm to the animal. The probability is C (occasional),
i.e. likely to occur sometime in the life of an item. The severity category based on the
consequences is S1 (catastrophic), i.e. the hazard can result in the animal's death or severe harm.
The risk assessment is High (multiplication of probability and severity). The preventive actions
include, e.g., using GNSS position tracking to send the animal's position at any time.

– HAZ04: Dynamic and static obstacles can lead to a UAV collision during UAV missions. This
hazard interrupts the UAV operation and can damage the environment. Redundancy added to the
system architecture prevents collision avoidance failure, e.g. Closed-Loop Rapidly-exploring
Random Tree (RRT), which can generate smooth trajectories much more efficiently. The probability
is C (occasional), and the severity is S2 (critical). The risk assessment is Serious, which
indicates that the process or activity should be investigated, the appropriate checks performed,
and the problem corrected immediately.

– HAZ05: The UAV mission fails if Hardware (HW) fails, Software (SW) fails, or communication
with the MMT fails. This hazard has consequences, e.g. the UAV cannot provide the image of
the specified animal's position because the UAV mission has failed. The probability of occurrence
of the hazard is C (occasional), and the severity of the consequences is S2 (critical). According
to the severity and probability, the risk assessment is Serious. To prevent SW failure, forward
recovery and N-version programming are added to the design architecture.

– HAZ06: Power supply failure for both the collars and the UAV is caused by the outside
temperature, wear-out, short circuit, overcurrent or undercurrent. Failure of the power supply can
interrupt the devices and, in turn, prevent the mission from completing. An auxiliary battery is
added to the design architecture as redundancy to increase reliability. The hazard probability
is D (remote), i.e. unlikely but possible to occur in the life of an item. The severity of the
consequences is S1 (catastrophic), and the risk assessment is Serious for this identified hazard.

8.1.3 Risk Assessment


Once the hazards are identified, the risk must be assessed. Multiplication of the severity and
probability analysed by PHA determines the degree of the risk using the Risk Assessment Matrix
(Fig. 4). The degree of risk indicates which action should be considered to mitigate the risk
(Sect. 2.6.3). The risk assessment results are shown in the PHA table in Appendix B.

8.2 Top-Down Hazard Analysis


In this section, the hazard analysis is based on Top-Down analysis. Top-Down analysis treats a
functional hazard or loss of function as the top event and breaks it down into smaller events until
the basic events are obtained.

8.2.1 Functional Hazard Assessment (FHA)


FHA identifies failure conditions and analyzes functional hazards. The identified failure condition
is the top event in the FTA. Furthermore, FHA determines the effect of the failure condition and
classifies (Table 4) the failure condition based on the identified effect (Appendix C).

– HAZ01: The failure condition identified by FHA is loss of communication. The failure effect
is, e.g., unknown animal position, movement and health, leading to losing the animal(s). The
hazard is classified as catastrophic based on the failure effects.

– HAZ02: The failure effects of loss of visual line of sight are unpredictable UAV behaviour,
the UAV operating beyond the limited altitude or the farm premises, or uncontrollable UAV
conduct. The failure effect can harm animals or the environment, and the hazard classification
is critical.

– HAZ03: This hazard is classified as catastrophic, since the effect of permanent loss of the
animal's location can lead to the animal's death or severe harm because the health and activity of
the animals are unknown to the operator. The operator shall know the position of the animal
in order to rescue the animal if its health is in danger.

– HAZ04: The effects of loss of collision avoidance are UAV collisions with obstacles, damage to
the environment, and harm to animals and humans. The failure condition is classified as critical.

– HAZ05: When an anomaly occurs, the UAV flies over the specified position, takes the image and
sends it to the operator to complete the operation. The failure effect of this operation is a lack
of the required information, and therefore this failure condition is critical.


– HAZ06: The power source is essential for the operability of the devices to complete the
mission, and hence loss of power is classified as catastrophic based on the failure effect.

8.2.2 Fault Tree Analysis (FTA)


The failure condition identified by FHA is the top event in the FTA. The top event is broken down
into smaller events. Each contributing fault event should be analyzed together with its underlying
fault events to determine the logical connection. The resulting tree is a network of logic gates
along the fault paths. The logic gates show the relation between events and how a basic event can
lead to the top event causing a hazard (Appendix D).

– HAZ01: The events that can cause the top event are communication network failure, UAV
crash, transmitter and receiver device failure, collar failure or loss of power. In turn, these
events are caused by basic events. The OR-gate indicates that failure of any one event can cause
the top event, which is the loss of communication between UAV/Collars/MMT.

– HAZ02: Events such as VLOS prevented by obstacles, long-distance vision failure, visual
detection failure, bad weather, or day and night vision failure can cause loss of VLOS. These
events are caused by basic events. The following example explains how a basic event can cause the
top event: darkness can cause night vision failure, and an improper UAV colour or human
error can cause day vision failure. In turn, failure of day vision or night vision causes day
and night vision failure, which leads to the top event (loss of VLOS).

– HAZ03: Loss of communication between UAV/Collars/MMT, collar failure, or loss of power
leads to the permanent loss of the animal's location. Basic events, e.g. physical damage, wear-out
or malfunction, induce the top event.

– HAZ04: IMU failure and (AND-gate) GNSS failure, or depth camera failure and (AND-gate)
LiDAR failure, cause static collision avoidance failure. The AND-gate between the two events IMU
and GNSS indicates that both the IMU and the GNSS must fail to cause static collision avoidance
failure; if only one of them fails, the event (static collision avoidance failure) does not occur.
The same principle is valid for dynamic collision avoidance failure.

– HAZ05: Loss of the UAV mission is caused by HW failure, SW failure, loss of power or loss of
communication. If any one of these events occurs, the UAV mission is lost.

– HAZ06: The basic events overcurrent/undercurrent, short circuit or overheating cause discharge.
In turn, discharge, low supply voltage or unstable voltage cause battery failure. The top
event occurs when battery failure, physical damage or wear-out ensue.

8.2.3 Functional Hazard Assessment system (FHAs)


FHAs analyzes the basic events in the FTA whose failure can lead to loss of function at the top
event. The analysis focuses on the cut-set-one events in the FTA: failure of an event with cut set
one (reached through OR-gates only) alone causes the functional hazard at the top event. In order
to increase reliability, a redundant event is added to such basic events with an AND-gate
(Appendix E).

– HAZ01: The failure conditions identified in the FTA are long-range and short-range communication
failure. The failure effect is, e.g., network disconnection or lack of monitoring of the animals'
movement and position. These hazards are classified as catastrophic based on the failure
effects.


– HAZ02: The failure effect of the failure conditions, e.g. VLOS prevented by obstacles,
long-distance vision failure, bad weather, day and night vision failure, and visual detection
failure, is that the UAV is beyond visual line of sight. The classification of these functional
hazards is critical.

– HAZ03: This hazard is classified as catastrophic, since the effect of collar failure is that the
animal's position is unknown (permanently lost) and the animals' movements and health are not
available.

– HAZ04: The effects of dynamic collision avoidance failure are UAV collision with obstacles,
damage to the environment, and harm to animals and humans. Therefore the failure condition is
classified as critical.

– HAZ05: The failure effects of UAV SW and HW failure are, e.g., the operator can not receive the
image of the animal's activity, safe landing issues, increased risk of collision, or the UAV fails
to take off. The failure condition is critical.

– HAZ06: The failure condition affects the functionality of the devices or systems; the operation
cannot start or finish the mission, or it is impossible to send the required information. This
hazard is classified as catastrophic.

8.2.4 Preliminary System Safety Assessment (PSSA)


PSSA examines the system architecture to discover how failures can cause the functional hazards
identified by the FHA. It aims to identify the system's safety requirements and architecture and
to determine that the architecture can meet the safety objectives identified by the FHA
(Appendix F). A new system architecture is designed to meet the safety requirements identified by
PSSA; therefore, redundancy is added to the design to meet the requirements and increase
reliability. Functions or components used as redundancy in the new system architecture shall be
independent of each other.

– HAZ01: Identified requirements for this hazard are:

– The UAV shall be robust to loss of communication links, preferably by providing redundant
communication links.
– Remote animal monitoring shall be implemented by the communication from body-worn
sensor nodes (collars on the animal(s)).
– The AFarCloud communication architecture shall support various transmission ranges.

– HAZ02: Identified requirements for this hazard are:

– The UAV shall be in VLOS at any time.
– The operator shall see the UAV location on a map.

– HAZ03: Identified requirements for this hazard are:

– The body-worn sensor shall send the animal(s) location at any time.
– Robustness to loss of communication link is required.

– HAZ04: Identified requirement for this hazard is:

– The UAV shall avoid collision with static/dynamic obstacles.

– HAZ05: Identified requirement for this hazard is:

– The UAV shall complete the mission.


– HAZ06: Identified requirements for this hazard are:

– No single fault shall lead to loss of power.
– The UAV mission shall be completed.
– The UAV shall have enough power to perform a safe landing in the worst-case scenario.

8.2.5 Common Mode Analysis (CMA)


Functions or components used as redundancy shall be independent of each other, which is required
to achieve the reliability goal. It is necessary to ensure that such independence exists, or that
the lack of independence is acceptable. CMA verifies that the failure events identified in the FTA
are independent in the actual implementation, by checking that ANDed events in the FTA are truly
independent. The following analysis verifies that the ANDed events (redundancy) are truly
independent and that failure of one of them can not lead to loss of function.

Loss of communication: Communication network failure is caused by the failure of long-range
communication or short-range communication. Long-range communication is supported by
three networks (Sigfox, LoRa, Cellular Network), and they are connected under the same AND-gate
(Sect. 4.1.1). All three networks operate independently and use different frequency bands and
different signal bandwidths. This means that long-range communication can still operate in the
presence of the failure of one or two networks. Short-range communication is supported by three
networks (Bluetooth LE, WiFi, Ultra-wideband), and they are connected under the same AND-gate
(Sect. 4.1.1). The networks are independent of each other, which means that they operate
independently. Short-range communication can continue to operate in the presence of the failure of
one or two networks. Six different communication links would be expensive and complicated;
still, since all six communication links have already been chosen in the AFarCloud project, they
can be used as redundancy.

Loss of VLOS: Loss of Visual Line Of Sight is caused by different events, e.g. obstacles, long
distance, visual detection error, bad weather or day and night vision failure. PSSA provides two
requirements for VLOS.
– The UAV shall be in VLOS at any time.
– The operator shall see the UAV location on a map.

The new system architecture is designed to meet these requirements (Sect. 4.2.1). Two devices
added to the new system architecture are INS and GNSS for position tracking. The two devices
are connected to a priority AND-gate, which means that the output event occurs only after a
particular sequence of conditions. GNSS operates as the primary navigation system in the new
architecture, providing the UAV's position so that the operator can see it on the display. If the
GNSS is disconnected during the operation, the INS takes the last UAV position and velocity from
the GNSS and continues to provide the location of the UAV.

Permanent loss of animal's location: The collars provide the animal's position using the
Global Positioning System (GPS), Glonass and Galileo as navigation satellite systems. All
navigation systems operate independently, and if the collars lose one or two of them, the collars
can still provide the position using the third navigation satellite system (Sect. 4.3.1).
Independence between the navigation satellite systems increases the reliability of the system and
provides the animal's position in the presence of one or two navigation satellite system failures.

Loss of collision avoidance: Static and dynamic collision avoidance failure both contribute to
loss of collision avoidance. Inertial Measurement Unit (IMU), GNSS, depth camera and Light
Detection and Ranging (LiDAR) failure lead to a static collision. Dynamic collision is affected
only by Artificial Neural Network (ANN) and stereo camera failure. Closed-Loop Rapidly-exploring
Random Tree (RRT) is added to the system architecture as redundancy to increase the reliability
of dynamic collision avoidance (Sect. 4.4.1). ANN and Closed-Loop RRT have dissimilar algorithms
and diverse implementations for detecting dynamic obstacles. This dissimilarity and diversity
indicate independence between ANN and Closed-Loop RRT. ANN is vulnerable to adversarial
examples, because small perturbations added to the input can result in ANN failure. Adversarial
examples can deceive the system and cause dangerous situations. Robust Physical Perturbations
are added in the new architecture because they generate robust visual adversarial perturbations
under different physical conditions (Sect. 4.4.1).

Loss of UAV mission: Incorrect command execution and viruses can lead to software failure
and, in turn, to loss of the UAV mission. Forward recovery and N-version programming are added
to the architecture as redundancy to detect and correct errors. Forward recovery continues from an
erroneous state by making corrections to the system state, while N-version programming masks
erroneous results and accurately distinguishes them. These selected redundancies can tolerate SW
design faults. Forward recovery (dynamic software redundancy) and N-version programming (static
software redundancy) are independent, since they detect and correct errors by executing differently
and do not depend on each other (Sect. 4.5.1). Forward recovery and N-version programming are
software redundancies for fault tolerance that give the system the ability to continue operating in
the presence of faults, for a limited period, with no significant loss of functionality or performance.
N-version programming is the static software redundancy: the program versions execute with the
same inputs, and their results are compared to determine whether they are identical. N-version
programming corrects the error if the results are not identical. Forward recovery is the dynamic
software redundancy: it detects and corrects the error and relies on continuing from an erroneous
state by making selective corrections to the system state [60].

Loss of power: A power failure has a significant impact on the system function. It can lead to
loss of communication, loss of mission and loss of the animal's location; therefore, an auxiliary
battery is added to the design as redundancy to reduce the hazard. The primary battery supplies
energy to the system. If the primary battery fails because of discharge, low supply voltage or
unstable voltage, the auxiliary battery takes over and continues to supply power to finish the
mission or execute a safe landing. The two batteries are independent of each other, and they
are added to the architecture with a priority AND-gate. This indicates that the auxiliary battery
is disconnected initially and is connected to the system if and only if the primary battery fails
(Sect. 4.6.1).
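As an added illustration that is not part of the thesis, the gates described for HAZ06 in the FTA (Sect. 8.2.2), the HAZ04 static collision avoidance gates, and the long-range/short-range communication links verified in the CMA above are encoded in Python, and their minimal cut sets are computed so that the cut-set-one events singled out by the FHAs (Sect. 8.2.3) can be listed mechanically before and after the auxiliary battery is added. It assumes the auxiliary battery is a single basic event (the thesis does not decompose it) and treats the priority AND-gate as an ordinary AND for cut-set purposes, since both batteries must fail before the gate fires.

```python
from itertools import product

# A fault tree node is either a basic event (a string) or a gate:
# ("AND", [children]) or ("OR", [children]).


def minimise(sets):
    """Keep only minimal cut sets: drop any set that properly contains another."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Return the minimal cut sets of a tree as a set of frozensets of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any child's cut set alone causes the gate output.
        combined = set().union(*child_sets)
    elif gate == "AND":
        # One cut set from every child must occur together.
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimise(combined)


def single_points_of_failure(tree):
    """Cut-set-one events: basic events whose failure alone causes the top event."""
    return sorted(next(iter(s)) for s in cut_sets(tree) if len(s) == 1)


# HAZ06, loss of power, as described in the FTA: three levels of OR-gates.
DISCHARGE = ("OR", ["overcurrent/undercurrent", "short circuit", "overheating"])
BATTERY_FAILURE = ("OR", [DISCHARGE, "low supply voltage", "unstable voltage"])
LOSS_OF_POWER = ("OR", [BATTERY_FAILURE, "physical damage", "wear out"])

# HAZ06 after PSSA/CMA: the primary battery subtree is ANDed with the auxiliary
# battery (the priority AND-gate; both must fail before the gate fires). The
# auxiliary battery is modelled as one basic event (assumption: the thesis does
# not decompose it). Physical damage and wear out stay outside the gate, as the
# thesis lists them as direct causes of the top event.
LOSS_OF_POWER_REDUNDANT = ("OR", [
    ("AND", [BATTERY_FAILURE, "auxiliary battery failure"]),
    "physical damage",
    "wear out",
])

# HAZ04, static collision avoidance failure: two AND-gated pairs under an OR-gate.
STATIC_COLLISION_AVOIDANCE_FAILURE = ("OR", [
    ("AND", ["IMU failure", "GNSS failure"]),
    ("AND", ["depth camera failure", "LiDAR failure"]),
])

# HAZ01, communication network failure, with the redundant links checked by CMA.
COMMUNICATION_NETWORK_FAILURE = ("OR", [
    ("AND", ["Sigfox failure", "LoRa failure", "cellular network failure"]),
    ("AND", ["Bluetooth LE failure", "WiFi failure", "ultra-wideband failure"]),
])

TREES = {
    "HAZ06 loss of power": LOSS_OF_POWER,
    "HAZ06 with auxiliary battery": LOSS_OF_POWER_REDUNDANT,
    "HAZ04 static collision avoidance failure": STATIC_COLLISION_AVOIDANCE_FAILURE,
    "HAZ01 communication network failure": COMMUNICATION_NETWORK_FAILURE,
}


def report(trees=TREES):
    """Map each tree name to (number of minimal cut sets, cut-set-one events)."""
    return {name: (len(cut_sets(tree)), single_points_of_failure(tree))
            for name, tree in trees.items()}


if __name__ == "__main__":
    for name, (count, spof) in report().items():
        print(f"{name}: {count} minimal cut sets; single points of failure: {spof}")
```

The original HAZ06 tree has seven single points of failure; after the AND-gated auxiliary battery only physical damage and wear-out remain, which is exactly what the PSSA requirement "no single fault shall lead to loss of power" asks the CMA to confirm.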

8.3 Hazards Analysis Methods - Comparison


The comparison between Severity and Probability analysis and the Top-Down analysis method
began with analyzing and comparing the results of the two methods. The comparison was made
by finding differences and similarities between the methods and then discussing these differences
and similarities to reach a relevant result. The methods have the same main goal (identifying,
analyzing and mitigating hazards) but use different analysis tools. These analysis tools use
different parameters to analyze the risks, and the parameters can be decisive and affect the
result. Apart from focusing on the analysis tools and the parameters they use to analyze the
hazards and find a mitigation solution, the mitigation solution itself must also be analyzed to
achieve a reliable result and to check whether the mitigation solution is acceptable.
The two methods used in this thesis analyze the same hazards in two different ways. The first
method, Severity and Probability analysis, explores the hazards based on the probability of an
event's occurrence and its consequences. In order to reduce or eliminate the hazard, this method
suggests a preventive action according to the degree of the risk. The degree of the risk is
determined by the risk matrix, which is the multiplication of the severity and the probability of
the risk. This method does not analyze the preventive action further, i.e. whether the proposed
solution allows the system to continue operating in the presence of a fault. Further investigation
of the preventive action could be, e.g., checking whether the possible solutions are genuinely
independent or whether the solution meets the requirements.
The second method, Top-Down analysis, analyzes the events that can cause the top event. The
preventive action and solution are added to the new architecture as redundancy. This method
provides further analysis of the added redundancy in the new architecture: it determines whether
the new architecture meets the requirements supplied by PSSA and investigates whether or not
the redundancies are truly independent. Both methods analyze and examine the hazards in order
to provide solutions and redundancy that reduce or eliminate the danger to an acceptable risk.
The results and redundancy provided by the two methods shall be re-examined and analyzed to
determine the most reliable results. The first method, Severity and Probability analysis, lacks
further analysis of the results and redundancy, whereas the second method, Top-Down analysis,
provides requirements and further analysis of the results and redundancy. Reliable results
increase the system's reliability and provide continuity of function in the presence of a fault.

8.3.1 Method attributes

Severity and Probability analysis attributes:

• Identify the hazards.
• Analyze each hazard.
• Specify causes of the event, consequences, probability, severity and risk assessment.
• Provide the preventive action to eliminate or reduce the risk.

Top-Down analysis attributes:

• Identify the hazards.
• Analyze each hazard.
• Specify failure condition, failure effect and classification.
• Specify the events that can cause the top event using Fault Tree Analysis.
• Provide redundancy to eliminate or reduce the risk.
• Provide the requirements using PSSA.
• Further analyze the redundancy/preventive action to investigate independence between
ANDed events.


9. Discussion
The thesis aims to identify hazards and analyze them using the analysis tools of two different
methods, i.e. Severity and Probability hazard analysis and Top-Down hazard analysis. The two
methods use their own analysis tools to identify, analyze and mitigate hazards. Mitigating the
risks increases reliability, but the main goal is to answer the question of which attributes give
the most reliable results across the different methods.
Both methods identify hazards by reviewing the Use-Case. Studying the Use-Case could reveal more
hazards, but the time limitation and the number of analysis tools limited the number of hazards.
Therefore only the six most relevant hazards (HAZ01-HAZ06) (Appendix A, C) are identified and
analyzed in this thesis. The methods use the same identified hazards to verify which method gives
the most reliable result; using different hazards for each method could not accurately answer RQ2
(Sect. 4). Another limitation considered in this thesis is that different mitigation solutions could
be applied or added to the design, but some of those solutions would change the design significantly
or create a new type of hazard. Therefore, the mitigation solutions proposed in this thesis
increase reliability without changing the design completely.
Severity and Probability analysis identifies hazards and analyzes them. Analyzing the identified hazards
provides the solution to reduce the dangers to acceptable risks. This method focuses on probab-
ility and severity to determine the events' causes and consequences. The causes indicate the likelihood
of occurrence, and the consequences indicate the severity of the hazards. The product of the
likelihood and the severity determines the level of the risk. The preventive action is based
on the result of the risk assessment; it provides the solution to reduce both the probability of the event
occurring and the severity of its consequences. The assessed risks determine the possible mishaps, their
likelihood and their consequences. The Top-Down analysis identifies and classifies hazards and analyzes
them by decomposing the identified risk, as the top event, into basic events. Boolean logic operat-
ors connect all events to demonstrate how a basic event can result in the top event. This analysis
allows removing an event that can cause the top event or adding redundancy to the architecture
using an AND-gate. Afterwards, CMA verifies that the ANDed events in the new architecture are
truly independent. Redundancy is added because a single fault event shall not lead to the top
event. This method provides specified requirements using PSSA, and the new architecture shall
meet these requirements to increase reliability.
Severity and Probability analysis focuses on the probability of an event's occurrence and takes
preventive action according to the degree of the risk. This analysis provides safeguards to increase
reliability. Still, this method does not analyze whether the proposed solution allows the system
to continue operating in the presence of a fault. The Top-Down analysis focuses on the events
that cause the top event. The system's reliability increases by adding redundancy to the new
architecture. Furthermore, this method determines whether the new architecture can meet the requirements
provided by PSSA and examines whether the ANDed events in the new architecture are independent. The
analysis solution (preventive action) is more reliable if further investigation is performed on the
solution. Which method analyzes the preventive action to achieve a more reliable solution? The
first method provides the solution based on the Severity and Probability of the hazard to reduce
the risk. These solutions are provided to reduce the danger, but this method does not analyze
the preventive action itself. In comparison, the solutions provided by Top-Down
analysis undergo further investigation. This additional analysis provides the require-
ments that the architecture shall meet and verifies independence between ANDed events to ensure
continuous operation in the presence of a fault; this makes the solution more reliable.
The methods used in this thesis identified hazards by reviewing the Use-Case. Analyzing the identified
risks provides the dangers' causes and consequences. This information about the hazards determines
the safeguard. Hazard mitigation eliminates or reduces the risk to an acceptable level, which
increases reliability. Compared with related works, previous works have identified hazards
based on collected data of UAS accidents or on a combination of qualitative and quantitative analysis
(Sect. 3.1). Their hazard analysis is based on the sequential predecessor model or is performed by a
probabilistic analysis approach (Sect. 3.2), and their hazard mitigation aims to reduce
the probability and severity of the hazard consequences to an acceptable level (Sect. 3.4). There
are similarities and differences between this thesis and the related works. The similarities are the analysis
procedure, i.e. identifying, analyzing and mitigating hazards; the differences are the methods used
to identify the hazards, analyze them and provide the hazard mitigation. This thesis also of-
fers more detailed information about the identified risks, i.e. causes, consequences, probability,
severity, requirements etc., to provide a more reliable solution.


10. Conclusion
The thesis aims to identify hazards and analyze them to mitigate dangers and increase reliability.
Analyzing the hazards provides essential information about the nature of the hazards, e.g. the causes
and consequences of the risks. This information is used to define preventive action to eliminate or
reduce the dangers. Mitigating the hazard decreases the degree of danger and increases
reliability.

10.1 Research Question 1


- What are the hazards in missions that incorporate autonomous drones within the
scope defined as above-mentioned Use-Cases (common situation as identified in the
AFarCloud project) and how can these hazards be mitigated?

Reviewing the Use-Cases reveals the possible and potential hazards. Instead of using several
Use-Cases, this thesis identified and analysed one generic Use-Case to identify the risks. Thus, the
defined Use-Case is crucial and covers several Use-Cases. The most relevant and critical hazards
identified by studying the Use-Case are:
– HAZ01: Communication Failure between UAV/Collars/MMT
– HAZ02: Beyond Visual Line Of Sight (BVLOS)
– HAZ03: Animal localization Failure (Permanently)
– HAZ04: Collision avoidance Failure (Dynamic or Static object in proximity)
– HAZ05: UAV mission Failure
– HAZ06: Power supply Failure
The hazard analysis provides the causes, consequences and classification of the hazards. This
information is essential to determine preventive action or to add redundancy to the architecture. The
preventive action and redundancy reduce or eliminate the risks to mitigate the dangers and increase
reliability.

10.2 Research Question 2


- Which attributes define “most reliable results” from different tools for identifying
and analyzing hazards from the RQ1?

Severity and Probability hazard analysis focuses on probability and severity and provides
the solution and preventive action to mitigate the hazard. This method does not investigate
whether the proposed solution allows the system to continue operating in the presence of a fault.
Top-Down analysis, however, provides the solution by adding redundancy to the architecture and
investigates whether the proposed solution allows the system to continue operating in the presence
of a fault. This analysis also includes PSSA, to provide the requirements that the new architecture
must meet, and CMA, to verify that the ANDed events are truly independent. Continuity of the
function in the presence of a fault is essential and increases reliability; therefore, the Top-Down
hazard analysis defines the most reliable results.


11. Future Work


This section presents some works and suggestions that can be considered and implemented in
future work.

11.1 Number of Hazards


This thesis analyzed a limited number of the most relevant and critical hazards. For future work,
more risks can be identified and considered for analysis. The number of identified hazards increases
by studying the Use-Case in more detail and dividing the system into subsystems to facilitate the
identification of the hazards.

11.2 Probability estimation


In Severity and Probability analysis, the probability of a hazard's occurrence is based on its causes.
The probability estimation becomes more accurate by calculating the probability of each event's
occurrence. The likelihood of occurrence of each failure event is required to calculate the probability
of the hazard, and this thesis does not implement a quantitative analysis because the likelihoods
of several events' occurrences are not available. Still, it can be considered for future work.

11.3 Testing
The proposed solutions and redundancy in this thesis mitigate the risks according to the require-
ments provided by PSSA to increase reliability. This thesis did not test the solutions for min-
imising the hazards or the redundancy added to the new architecture. Still, this can be considered in
future work to ensure their reliability.

11.4 Other analysis tools


Another analysis tool that can be considered for identifying hazards by studying the components
and subsystems is Failure Mode and Effects Analysis (FMEA). This analysis tool reviews the
components and subsystems to identify the hazards and analyzes them to estimate the probability and
severity of the consequences. Furthermore, it assesses the risks by risk assessment and provides the
controls and recommendations to mitigate the hazards.




A Preliminary Hazard List (PHL)


Figure 11 provides an overview of the identified hazards (HAZ01-HAZ06) and their effects.

Preliminary Hazard List (PHL)

Hazard Nr.: HAZ01
Item: AFarCloud
Hazard: Communication Failure between UAV/Collars/MMT
Hazard Effect:
● The location of animal(s) is not available, and therefore, the position is unreachable.
● The MMT can not receive the image sent by the UAV.
● UAV can not receive the command from MMT to fly over the selected position.

Hazard Nr.: HAZ02
Item: AFarCloud
Hazard: Beyond Visual Line Of Sight (BVLOS)
Hazard Effect:
● Loss of visual contact with UAV

Hazard Nr.: HAZ03
Item: AFarCloud
Hazard: Animal localization Failure (Permanently)
Hazard Effect:
● The location of animal(s) is not available, and therefore, the position is unreachable by UAV.
● The movement and position of the animal(s) are unknown to the MMT.

Hazard Nr.: HAZ04
Item: AFarCloud
Hazard: Collision avoidance Failure (Dynamic or Static object in proximity)
Hazard Effect:
● UAV can collide with a dynamic or static object.
● The mission fails.

Hazard Nr.: HAZ05
Item: AFarCloud
Hazard: UAV mission Failure
Hazard Effect:
● The operation fails, and the requested image is unavailable.

Hazard Nr.: HAZ06
Item: AFarCloud
Hazard: Power supply Failure
Hazard Effect:
● Devices or systems are out of function (UAV, Collars, MMT)

Figure 11: Preliminary Hazard List (PHL)


B Preliminary Hazards Analysis (PHA)


Figures 12 and 13 provide the hazard descriptions and describe the event's causes, consequences, pre-
ventive action, probability, severity and risk assessment for each hazard. The probability and
severity levels and categories are illustrated in Table 3 and Table 4.

Preliminary Hazard Analysis (PHA)

Hazard N.: HAZ01
Hazard Description: Communication Failure (between collars and MMT)
Cause of Event:
● The collars malfunction.
● The collars are out of function and do not send the signal.
● Collars battery is discharged.
● Wi-Fi failure
Consequences:
● Operation fails.
● It is not possible to locate the cow(s) at any time.
● It is not possible to monitor cows' health and activity.
● The cow is moving freely on the farm. In the absence of communication between collars and MMT, the position will be unknown; therefore, it is possible to lose the cow (the cow(s) can go beyond the limited area).
● The cow(s) life may be in danger, and disconnected communication does not provide the position, leading to death or severe damage to the cow(s).
Preventive Action:
● Robust design
● Use redundancy networks such as sigfox, Bluetooth low energy (BLE).
● Battery discharge warning device
Probability: C
Severity: S1
Risk Assessment: High

Hazard N.: HAZ01
Hazard Description: Communication Failure (between MMT and UAV)
Cause of Event:
● LoRa or Wi-Fi malfunction.
● LoRa or Wi-Fi is disabled.
● UAV battery is discharged
Consequences:
● Operation fails.
● Image can not be sent.
● The situation and the problem are unknown to the operator.
● The problem is getting worse because it is not possible for the operator to take preventive action.
● MMT cannot receive the image.
● In the worst case, the cow is lost, or the cow's situation can lead to serious injury because of the failed operation.
● The UAV does not take action (flying over the selected position).
● The command from MMT can not be sent or received by the UAV.
Preventive Action:
● Robust design
● Use redundancy networks such as sigfox, Bluetooth low energy (BLE).
● Battery discharge warning device
Probability: C
Severity: S1
Risk Assessment: High

Hazard N.: HAZ02
Hazard Description: Visual Line Of Sight (VLOS) Failure
Cause of Event:
● Obstacles
● Long Distance
● Bad Weather
● Darkness
● Human Error
Consequences:
● UAV Collision
● Can fly beyond the limited altitude and farm premises
● Unpredictable UAV's behaviour
● Uncontrollable UAV's behaviour
● UAV's crash or collision can damage the animals or environment
Preventive Action:
● Position tracking
● Visible color like RED/YELLOW
● Flashing light
● Thermal camera stationary
Probability: A
Severity: S2
Risk Assessment: High

Figure 12: Preliminary Hazard Analysis (PHA)

Hazard N.: HAZ03
Hazard Description: Animal localization Failure (Permanently)
Cause of Event:
● Disconnection between collars and MMT.
● Collars are out of function.
● Collars battery is discharged.
● Wear out or physical damage
Consequences:
● The animal life may be in danger, and not reaching the position can lead to death or severe damage to the animal.
● It is not possible to locate the animals at any time.
● The animal is moving freely on the farm, and in the absence of reaching the position, it is possible to lose the animal (animal can go beyond the limited area).
Preventive Action:
● GNSS tracking position
Probability: C
Severity: S1
Risk Assessment: High

Hazard N.: HAZ04
Hazard Description: Collision avoidance failure (dynamic or static object in proximity)
Cause of Event:
● Dynamic obstacle:
- ANN failure
- Stereo camera failure
● Static obstacle:
- IMU and GNSS fail to localize the location.
- Depth camera and LiDAR fail to detect the object.
Consequences:
● UAV can collide and crash with obstacle
Preventive Action:
● Closed-Loop RRT
● Robust physical perturbation
Probability: C
Severity: S2
Risk Assessment: Serious

Hazard N.: HAZ05
Hazard Description: UAV mission Failure
Cause of Event:
● HW failure
● SW failure
● Loss of communication
● Loss of power
Consequences:
● Uncompleted mission.
● It is not possible to take the pictures of the animal(s).
● Animal(s) activity is unknown to MMT/Operator.
Preventive Action:
● Forward recovery
● N-version programming
Probability: C
Severity: S2
Risk Assessment: Serious

Hazard N.: HAZ06
Hazard Description: Power supply Failure (Collars)
Cause of Event:
● The outside temperature.
● Wear out.
● Short circuit.
● Physical damage.
● Overcurrent/Undercurrent.
● Low supply voltage.
● Unstable voltage
Consequences:
● Unable to send animal's position, movement, health and activity.
Preventive Action:
● Battery Level Indicator.
● Planned maintenance.
● Auxiliary battery
Probability: D
Severity: S1
Risk Assessment: Serious

Hazard N.: HAZ06
Hazard Description: Power supply Failure (UAV)
Cause of Event:
● The outside temperature.
● Wear out.
● Short circuit.
● Physical damage.
● Overcurrent/Undercurrent.
● Low supply voltage.
● Unstable voltage
Consequences:
● UAV can not fly or finish the mission.
Preventive Action:
● Battery Level Indicator.
● Planned maintenance.
● Auxiliary battery
Probability: D
Severity: S1
Risk Assessment: Serious

Figure 13: Preliminary Hazard Analysis (PHA)


C Functional Hazard Assessment (FHA)


Figure 14 provides each hazard's function and its failure condition, failure effect, and classification.
The classification is illustrated in Table 4.

Functional Hazard Assessment (FHA)

Hazard Nr.: HAZ01
Function: Communication between all devices (collars, UAV and MMT)
Failure Condition: Loss of Communication
Failure Effect:
● May lose the animal(s).
● If an animal's life is in danger, unavailable communication may lead to death or severe damage to the animal(s).
● Unknown animal(s)'s position, movement and health.
Classification: Catastrophic

Hazard Nr.: HAZ02
Function: Visualisation of the UAV
Failure Condition: Loss of Visual Line Of Sight
Failure Effect:
● UAV Collision
● Can fly beyond the limited altitude and farm premises
● Unpredictable UAV's behaviour
● Uncontrollable UAV's behaviour
● UAV's crash or collision can damage the animals or environment
Classification: Critical

Hazard Nr.: HAZ03
Function: Localize the position
Failure Condition: Permanent loss of animal's location
Failure Effect:
● The health and activity of the animal(s) can not be monitored.
Classification: Catastrophic

Hazard Nr.: HAZ04
Function: Avoid collision
Failure Condition: Loss of collision avoidance
Failure Effect:
● UAV can collide with an obstacle.
● It can damage the environment or lead to human/animal injury.
Classification: Critical

Hazard Nr.: HAZ05
Function: Complete the mission
Failure Condition: Loss of UAV mission
Failure Effect:
● MMT/Operator do not have the image of animal(s) activity and position
Classification: Critical

Figure 14: Functional Hazard Assessment (FHA)


D Fault Tree Analysis (FTA)


4.1 Loss of communication
Figure 15 shows the events that can cause the top event: communication network failure, UAV
crash, transmitter and receiver device failure, collars failure, or loss of power. In turn, these events
are caused by basic events. The OR-gate indicates that the occurrence of any one event can cause the top
event, which is the loss of communication between UAV/Collars/MMT.

Figure 15: Fault Tree Analysis - Loss of communication


4.1.1 Redundancy
Figure 16 shows how communication network failures are caused by long-range or short-range
communication failure. Long-range communication is supported by three networks (Sigfox, LoRa,
Cellular Network), and they are connected with the same AND-gate. Short-range communication
is supported by three networks (Bluetooth LE, WiFi, Ultra-wideband), and they are connected
with the same AND-gate.

Figure 16: Communication Network Failure Redundancy
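To make the single-fault criterion from Section 9 and the AND-gate redundancy of Figure 16 concrete, the following Python script (an added example, not code from the thesis or the AFarCloud project) builds the communication fault tree from the description above, lists its minimal cut sets and single points of failure before and after the redundancy, and then adds a constructed shared power rail to show what a CMA-style independence check would catch. The event names follow the text; the collapsed non-network branches, the single-link network before redundancy and the shared power rail are assumptions.

```python
"""Fault-tree check for the 'loss of communication' tree (Sections 4.1 and 4.1.1).

Added example; not code from the thesis or the AFarCloud project. The gate
structure follows the text's description of Figures 15 and 16; the non-network
branches are collapsed to single basic events and the network before redundancy
is assumed to be one long-range and one short-range link.
"""
from itertools import product

# A tree node is either a basic event (str) or a gate: ("OR", [children]) or
# ("AND", [children]).


def evaluate(node, failed):
    """Return True if `node` occurs given the set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    kind, children = node
    results = [evaluate(child, failed) for child in children]
    return any(results) if kind == "OR" else all(results)


def minimal_cut_sets(node):
    """Bottom-up expansion into minimal cut sets: sets of basic events whose
    joint failure is sufficient for the node to occur, with supersets removed."""
    if isinstance(node, str):
        return [frozenset([node])]
    kind, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if kind == "OR":
        candidates = [cs for sets in child_sets for cs in sets]
    else:  # AND: one cut set from every child must hold at the same time
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    minimal = []
    for cs in sorted(set(candidates), key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def single_points_of_failure(node):
    """Basic events that alone cause the node: the 'single fault event shall
    not lead to the top event' criterion is violated if this is non-empty."""
    return sorted(next(iter(cs)) for cs in minimal_cut_sets(node) if len(cs) == 1)


def with_common_cause(node, dependents, cause):
    """Model a shared dependency for a CMA-style check: every basic event in
    `dependents` also fails whenever `cause` fails."""
    if isinstance(node, str):
        return ("OR", [node, cause]) if node in dependents else node
    kind, children = node
    return (kind, [with_common_cause(child, dependents, cause) for child in children])


# Network branch before redundancy (assumption: one link per range, OR-ed).
NETWORK_BEFORE = ("OR", ["Long-range link failure", "Short-range link failure"])

# Figure 16: three long-range and three short-range networks, each group on
# its own AND-gate, the two groups joined by an OR-gate.
LONG_RANGE = ["Sigfox failure", "LoRa failure", "Cellular network failure"]
SHORT_RANGE = ["Bluetooth LE failure", "WiFi failure", "Ultra-wideband failure"]
NETWORK_AFTER = ("OR", [("AND", LONG_RANGE), ("AND", SHORT_RANGE)])


def loss_of_communication(network):
    """Top event of Figure 15: OR-gate over the intermediate events (the
    non-network branches are kept as single basic events here)."""
    return ("OR", [network, "UAV crash", "Transmitter/receiver device failure",
                   "Collars failure", "Loss of power"])


# Constructed common cause (assumption): the three long-range radios on the UAV
# share one power rail, so they are not independent as the AND-gate assumes.
SHARED_RAIL = "Shared radio power rail failure"


def network_after_with_shared_rail():
    """Figure 16's network branch with the constructed common cause applied."""
    return with_common_cause(NETWORK_AFTER, set(LONG_RANGE), SHARED_RAIL)


if __name__ == "__main__":
    for label, tree in [("before redundancy", NETWORK_BEFORE),
                        ("after redundancy", NETWORK_AFTER),
                        ("after redundancy, shared rail", network_after_with_shared_rail())]:
        print(label, "-> single points of failure:", single_points_of_failure(tree))
    print("one radio down, network still up:", not evaluate(NETWORK_AFTER, {"Sigfox failure"}))
    print("top event still has single points of failure outside the network branch:",
          single_points_of_failure(loss_of_communication(NETWORK_AFTER)))
```

The shared-rail run reproduces the point the thesis makes about CMA: an AND-gate only removes a single point of failure if the ANDed events really are independent, and a common cause brings a size-one cut set back.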


4.2 Loss of VLOS


Figure 17 shows that VLOS prevented by obstacles, long-distance vision failure, visual detection
failure, bad weather, or day and night vision failure can cause the loss of VLOS, and that basic events can
cause the top event: darkness can cause night vision failure, and improper UAV colour and human error
can cause day vision failure. In turn, failure of day vision or night vision causes day and night
vision failure, which leads to the top event (loss of VLOS).

Figure 17: Fault Tree Analysis - Loss of Visual Line of Sight


4.2.1 New Architecture


Figure 18 shows the two devices added to the new system architecture, the INS and the GNSS,
for tracking the position. The two devices are connected to a priority AND-gate, which means
that the event occurs only after a particular sequence of conditions. In this case, if a GNSS
disconnection occurs during the operation, the INS takes the UAV's last position and velocity from the
GNSS and continues to provide the location of the UAV.

Figure 18: New architecture for Loss of UAV position


4.3 Loss of animal’s location


Figure 19 shows that loss of communication between UAV/Collars/MMT, collars failure, or loss
of power leads to the permanent loss of the animal's location. Basic events, e.g. physical damage,
wear out, or malfunction, induce the top event.

Figure 19: Fault Tree Analysis - Permanently loss of animal’s location


4.3.1 Redundancy
Figure 20 shows that the collars provide the animal's position using GPS, Glonass and Galileo as
navigation satellite systems. The three navigation systems operate independently, since each has its own
sender, and if the collars are disconnected from one or two of them, the collars can still provide the position
using the third navigation satellite system.

Figure 20: Three navigation systems are added as redundancy into the Fault Tree Analysis


4.4 Loss of collision avoidance


Figure 21 shows that IMU failure, GNSS failure, depth camera failure and LiDAR failure contribute to
static collision avoidance failure. The AND-gate between the two events IMU and GNSS indicates that
both IMU and GNSS must fail to cause static collision avoidance failure; the event (static
collision avoidance failure) does not occur if only one of them fails. The same principle applies to dynamic
collision avoidance failure.

Figure 21: Fault Tree Analysis - Loss of collision avoidance


4.4.1 Redundancy
Figure 22 shows that static and dynamic collision avoidance failure both lead to the loss of colli-
sion avoidance. Inertial Measurement Unit (IMU), GNSS, depth camera and Light Detection and
Ranging (LiDAR) failure lead to a static collision. Dynamic collision is affected only by Artificial
Neural Network (ANN) and stereo camera failure. The Closed-Loop Rapidly-exploring Ran-
dom Tree (RRT) is added to the system architecture as redundancy to increase the reliability of
dynamic collision avoidance. ANNs are vulnerable to adversarial examples because small perturba-
tions added to the input can result in ANN failure. Adversarial examples can deceive the system
and cause dangerous situations. Robust Physical Perturbations are added in the new architecture
because they generate robust visual adversarial perturbations under different physical conditions.

Figure 22: Added Closed-Loop RRT and Robust Physical Perturbation as redundancy


4.5 Loss of UAV mission


Figure 23 shows that the loss of the UAV mission is affected by HW failure, SW failure, loss of power or
loss of communication. If any one of these events occurs, the loss of the UAV mission will occur.

Figure 23: Fault Tree Analysis - Loss of UAV mission


4.5.1 Redundancy
Figure 24 shows that incorrect command execution and malware (viruses) can lead to software failure
and, in turn, to the loss of the UAV mission. Forward recovery and N-version programming are added
to the architecture as redundancy to detect and correct errors; with the AND-gate, the software
branch only fails when both redundant mechanisms fail.

Figure 24: Forward recovery and N-version programming are added as redundancy with an AND gate
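The following is an added example, not code from the thesis or the AFarCloud project, of the N-version programming pattern that Figure 24 places on the software-failure branch. Three independently written versions of one flight function (here, clamping the altitude command to a limit) are run on the same input and a majority voter decides; a single faulty version is outvoted and execution continues with the voted value (forward recovery rather than rollback), and when no majority exists the voter orders a safe action. The altitude limit, the safe action, the three versions and the defect injected into version 3 are all constructed for illustration.

```python
"""N-version programming with a majority voter for the software-failure
branch of Figure 24. Three independently written versions of one flight
function compute the altitude command; the voter masks a single faulty
version and continues with the voted value (forward recovery, no
rollback), and orders a safe action when no majority exists.
All names, limits and the injected defect are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence

MAX_ALTITUDE_M = 120.0   # assumed altitude limit for the mission
SAFE_ALTITUDE_M = 0.0    # assumed safe action: descend and land


# Version 1: clamp using min/max
def cmd_altitude_v1(requested_m: float) -> float:
    return round(min(max(requested_m, 0.0), MAX_ALTITUDE_M), 2)


# Version 2: clamp using explicit branches
def cmd_altitude_v2(requested_m: float) -> float:
    if requested_m < 0.0:
        return 0.0
    if requested_m > MAX_ALTITUDE_M:
        return MAX_ALTITUDE_M
    return round(requested_m, 2)


# Version 3: carries a constructed defect (a unit mix-up above 100 m that
# returns feet instead of metres) so the voter has something to catch.
def cmd_altitude_v3(requested_m: float) -> float:
    if requested_m > 100.0:
        return round(requested_m * 3.28084, 2)   # defect: feet, not metres
    return round(max(requested_m, 0.0), 2)


@dataclass
class Vote:
    value: Optional[float]          # voted command (or the safe action)
    disagreeing: List[int] = field(default_factory=list)  # versions outvoted
    safe_fallback: bool = False     # True when no majority was found


def majority_vote(outputs: Sequence[float]) -> Vote:
    """Strict majority on exact (rounded) values; no majority -> safe fallback."""
    value, n = Counter(outputs).most_common(1)[0]
    if 2 * n > len(outputs):
        # Forward recovery: keep flying with the voted value, flag the outliers
        return Vote(value, [i for i, o in enumerate(outputs) if o != value])
    # No majority: every version is suspect, so order the safe action
    return Vote(SAFE_ALTITUDE_M, list(range(len(outputs))), True)


VERSIONS: Sequence[Callable[[float], float]] = (
    cmd_altitude_v1, cmd_altitude_v2, cmd_altitude_v3)


def altitude_command(requested_m: float,
                     versions: Sequence[Callable[[float], float]] = VERSIONS) -> Vote:
    """Run every version on the same input, vote, and return the decision."""
    return majority_vote([v(requested_m) for v in versions])


if __name__ == "__main__":
    for req in (80.0, 150.0):
        print(req, altitude_command(req))
```

Two caveats a practitioner would attach to this pattern: the voter only masks faults that are not shared by a majority of the versions, so the versions must be genuinely diverse (different teams, algorithms or languages), and a defect in the common specification, or malware that alters all versions alike, is not detected. Real voters on floating-point outputs also compare within a tolerance instead of on exact values; the rounding above stands in for that.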


4.6 Loss of power


Figure 25 shows that the basic events over-current/under-current, short circuit or overheating cause
discharge. In turn, discharge, low supply voltage or unstable voltage cause battery failure. The
top event, loss of power, occurs when battery failure, physical damage or wear-out occurs.

Figure 25: Fault Tree Analysis - Loss of power


4.6.1 Redundancy
Figure 26 shows that an auxiliary battery is added to the design as redundancy to reduce the
hazard. If the primary battery fails because of discharge, low supply voltage or unstable voltage,
the auxiliary battery takes over and continues to supply power to finish the mission or to execute
a safe landing. Physical damage and wear-out sit outside the battery-failure branch, so they still
have to be addressed separately before the PSSA requirement that no single fault shall lead to loss
of power is met.

Figure 26: Auxiliary battery added in the design as redundancy
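The following is an added example, not code from the thesis, that evaluates the loss-of-power tree of Figure 25 and the redundant variant of Figure 26 with the gate semantics used throughout Section 4 (the AND-gate of Section 4.4 means every input must fail, the OR-gate means any one input is enough). It computes the top-event probability and the minimal cut sets, and lists the single points of failure, which is the check behind the HAZ06 requirement in Appendix F. The per-mission failure probabilities are constructed values, and the auxiliary battery is assumed to have the same failure modes and rates as the primary one while failing independently of it.

```python
"""Fault-tree evaluator for the loss-of-power tree of Figures 25 and 26.

Gate semantics follow standard FTA, assuming independent basic events:
  OR  gate: P = 1 - prod(1 - p_i)   any single input event is enough
  AND gate: P = prod(p_i)           every input event must occur
The per-mission failure probabilities below are constructed for
illustration; they are not measured values from the thesis.
"""
from functools import reduce
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union

Node = Union[str, Tuple[str, tuple]]

# Basic events of Figure 25 (assumed probabilities per mission)
BATTERY_EVENTS = {
    "over_under_current": 0.02, "short_circuit": 0.01, "overheating": 0.03,
    "low_supply_voltage": 0.02, "unstable_voltage": 0.02,
}
P: Dict[str, float] = {"physical_damage": 0.01, "wear_out": 0.02,
                       "imu": 0.05, "gnss": 0.05}
P.update(BATTERY_EVENTS)
# Assumption: the auxiliary battery of Figure 26 has the same failure
# modes and rates as the primary one, but fails independently of it.
P.update({"aux_" + k: v for k, v in BATTERY_EVENTS.items()})


def OR(*kids: Node) -> Node:
    return ("OR", kids)


def AND(*kids: Node) -> Node:
    return ("AND", kids)


def battery(prefix: str = "") -> Node:
    """Battery-failure subtree of Figure 25 for one battery."""
    discharge = OR(prefix + "over_under_current", prefix + "short_circuit",
                   prefix + "overheating")
    return OR(discharge, prefix + "low_supply_voltage", prefix + "unstable_voltage")


# Figure 25: top event = OR(battery failure, physical damage, wear-out)
loss_of_power = OR(battery(), "physical_damage", "wear_out")
# Figure 26: the battery branch only fails if BOTH batteries fail
loss_of_power_redundant = OR(AND(battery(), battery("aux_")),
                             "physical_damage", "wear_out")


def prob(node: Node, p: Dict[str, float] = P) -> float:
    """Probability of the event at `node` under the independence assumption."""
    if isinstance(node, str):
        return p[node]
    gate, kids = node
    ps = [prob(k, p) for k in kids]
    if gate == "AND":
        return reduce(lambda a, b: a * b, ps, 1.0)
    return 1.0 - reduce(lambda a, b: a * (1.0 - b), ps, 1.0)


def cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Minimal cut sets: smallest sets of basic events that cause `node`."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, kids = node
    child_sets = [cut_sets(k) for k in kids]
    if gate == "OR":
        cands = [s for group in child_sets for s in group]
    else:  # AND: one cut set from every child must hold at the same time
        cands = [frozenset().union(*combo) for combo in product(*child_sets)]
    # keep only minimal sets (drop any set that strictly contains another)
    return sorted({s for s in cands if not any(t < s for t in cands)}, key=sorted)


def single_points_of_failure(node: Node) -> List[str]:
    """Basic events that alone cause the top event (PSSA HAZ06 wants none)."""
    return sorted(next(iter(s)) for s in cut_sets(node) if len(s) == 1)


def summary() -> Dict[str, object]:
    return {
        "p_loss_of_power": round(prob(loss_of_power), 5),
        "p_loss_of_power_with_aux_battery": round(prob(loss_of_power_redundant), 5),
        "spof": single_points_of_failure(loss_of_power),
        "spof_with_aux_battery": single_points_of_failure(loss_of_power_redundant),
        # Section 4.4: the AND gate between IMU and GNSS failure
        "p_imu_and_gnss_both_fail": prob(AND("imu", "gnss")),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

With the constructed numbers the auxiliary battery turns every battery-side cut set into a pair of events and cuts the top-event probability by roughly a factor of three, but physical damage and wear-out remain single-event cut sets, which is exactly what the single-point-of-failure list makes visible. The independence assumption is the one to question in a real assessment: a common cause such as overheating of the airframe can take out both batteries at once and is not captured by the AND-gate.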


E Functional Hazard Assessment (FHA)


The Functional Hazard Assessment (FHA) gives, for each hazardous function, a description of the
failure condition, the failure effect and its classification. The classification scheme is given
in Table 4.

Functional Hazard Assessment (FHA)

| Hazard N. | Function | Failure Condition | Failure Effect | Classification |
|---|---|---|---|---|
| HAZ01 | Communication network | Long-range communication failure | Long-range communication is unavailable, and it is not possible to receive or transmit data, images or the position of the cow(s). It is not possible to monitor the animals' movement and health via the MMT. | Catastrophic |
| HAZ01 | Communication network | Short-range communication failure | Short-range communication is unavailable, and it is not possible to receive or transmit data, images or the position of the cow(s). It is not possible to monitor the animals' movement and health via the MMT. | Catastrophic |
| HAZ02 | Visualisation of the UAV | VLOS prevented by obstacles | The UAV is beyond visual line of sight. | Critical |
| HAZ02 | Visualisation of the UAV | Horizontal distance vision failure | The UAV is beyond visual line of sight. | Critical |
| HAZ02 | Visualisation of the UAV | Bad weather | The UAV is beyond visual line of sight. | Critical |
| HAZ02 | Visualisation of the UAV | Night vision failure | The UAV is beyond visual line of sight. | Critical |
| HAZ03 | Localise the position | Collars out of function | The position is unknown. The movement and health of the cow(s) are not available. | Catastrophic |

Figure 27: Functional Hazard Assessment (FHA)

| Hazard N. | Function | Failure Condition | Failure Effect | Classification |
|---|---|---|---|---|
| HAZ04 | Collision avoidance | Dynamic collision avoidance failure | UAV crash. Uncompleted operation. Damage to the environment. Injury to humans or animals. | Critical |
| HAZ05 | Complete the mission | SW failure | The MMT/operator cannot receive the images of the cows' activity. Unwanted behaviour, e.g. the UAV cannot fly, cannot reach the correct position, has an increased probability of colliding with obstacles, or is unstable during the flight. Safe landing issue. The UAV can fly beyond the altitude limit. | Critical |
| HAZ05 | Complete the mission | HW failure | The MMT/operator cannot receive the images of the cows' activity. Safe landing issue. The UAV cannot fly. Increased risk of collision. | Critical |
| HAZ06 | Power source | Loss of power | It affects the functionality of the devices or systems. The operation cannot start, or the mission cannot be finished. It is not possible to send essential information (cows' health and activities). | Catastrophic |

Figure 28: Functional Hazard Assessment (FHA)


F Preliminary System Safety Assessment (PSSA)


Appendix F lists the safety requirements identified for each hazard.

Preliminary System Safety Assessment (PSSA)

| Hazard N. | Failure Condition | Requirement |
|---|---|---|
| HAZ01 | Loss of communication | The UAV shall be robust to loss of the communication link, preferably by providing redundant communication links. Remote animal monitoring shall be implemented through communication from the body-worn sensor nodes (collars on the cow(s)). The AFarCloud communication architecture shall support various transmission ranges. |
| HAZ02 | Loss of visual line of sight | The UAV shall be in VLOS at all times. The operator shall be able to see the UAV location on a map. |
| HAZ03 | Permanent loss of location | The body-worn sensor shall send the cow(s) location at all times. Robustness to loss of the communication link is required. |
| HAZ04 | Loss of collision avoidance | The UAV shall avoid collision with static and dynamic obstacles. |
| HAZ05 | Loss of UAV mission | The UAV shall complete the mission. |
| HAZ06 | Loss of power | No single fault shall lead to loss of power. The UAV mission shall be completed. The UAV shall have enough power to perform a safe landing in the worst-case scenario. |

Figure 29: Preliminary System Safety Assessment (PSSA)
