This work addresses the critical safety challenges of VTOL UAV operations during take-off and landing by integrating vision-based systems with System-Theoretic Process Analysis (STPA). Through detailed hazard identification and control structure analysis, we systematically addressed unsafe control actions associated with the vision-based landing system and the multirotor controller. The proposed multi-fiducial marker approach enhances the robustness of landing pad detection under occlusion and dynamic lighting conditions, while additional redundancy measures and altitude state integration improve system reliability. Similarly, for the motor command control action, we propose adding an adaptive mechanism and modifying the multirotor controller. Experimental insights and design recommendations were provided to refine the vision-based sensor fusion mechanism and the motor control commands, so as to assure safer UAV operations. The findings contribute to the advancement of autonomous VTOL UAV technologies, establishing a framework for future research on safety-critical systems in dynamic environments. Future work involves experimental testing and implementation of the proposed solutions for both classes of scenarios, and extending the STPA analysis to the complete autonomous mission.

Solution: Similar to the Class 1 scenarios, the Class 2 scenarios corresponding to landing pad position share common causes for UCA-1 and UCA-4. A primary contributor to the Class 2 loss scenario corresponding to landing pad location is the reliance on a single fiducial marker and the absence of a comprehensive tagging system for individual VTOLs. Based on the identified scenarios, we propose the following control and feedback mitigation strategies:

Vertical take-off and landing (VTOL) unmanned aerial vehicles (UAVs) are versatile platforms widely used in applications such as surveillance, search and rescue, and urban air mobility. Despite their potential, the critical phases of take-off and landing in uncertain and dynamic environments pose significant safety challenges due to environmental uncertainties, sensor noise, and system-level interactions. This paper presents an integrated approach combining vision-based sensor fusion with System-Theoretic Process Analysis (STPA) to enhance the safety and robustness of VTOL UAV operations during take-off and landing. By incorporating fiducial markers, such as AprilTags, into the control architecture, and performing comprehensive hazard analysis, we identify unsafe control actions and propose mitigation strategies. Key contributions include developing a control structure comprising a vision system capable of identifying a fiducial marker and a multirotor controller, and identifying the corresponding unsafe control actions and mitigation strategies. The proposed solution is expected to improve the reliability and safety of VTOL UAV operations, paving the way for resilient autonomous systems.

Vertical take-off and landing (VTOL) unmanned aerial vehicles (UAVs) have emerged as a vital technology in various applications [1], including surveillance, search and rescue, and urban air mobility [2]. Their ability to hover and operate in confined spaces without requiring runways [3] makes them highly versatile. However, the critical phases of take-off and landing in uncertain and dynamic environments pose significant challenges. Environmental uncertainties, sensor noise, and model inaccuracies can adversely affect the UAV's performance, leading to potential safety hazards and mission failures [4, 5]. Ensuring robust autonomous operations under these uncertainties is essential for the broader adoption of VTOL UAVs. Vision-based systems have been identified as a promising solution to enhance situational awareness, enable precise navigation, and support efficient take-off and landing by providing rich environmental information [6]. Specifically, integrating vision systems like AprilTag detection can significantly improve landing pad identification and tracking, which is crucial during the take-off and landing phases [7].

Development of a vision-based control structure and analysis: We identify a control structure that integrates an autopilot with a fiducial marker system, such as AprilTag detection. We expand the component blocks in a cascading manner until we reach the control structure with the vision processing block. A comprehensive STPA is conducted on this control structure to identify unsafe control actions and scenarios under which the safety of the VTOL UAV could be compromised.

Safety of critical flight phases, such as take-off and landing, necessitates a structured and comprehensive approach to hazard identification and mitigation. System-Theoretic Process Analysis (STPA) provides a robust framework for analyzing complex systems by focusing on unsafe control actions and their impact on system safety [10]. Unlike traditional hazard analysis methods that emphasize component-level failures, STPA adopts a system-wide perspective, considering interactions between components, environmental uncertainties, and dynamic operational contexts. This makes it particularly well-suited for addressing the challenges inherent in the vision-based control of VTOL UAVs.

The host VTOL UAV is assumed to have been developed independently, with the goal of creating a low-cost, collaborative platform capable of supporting a wide variety of autonomy systems. It operates under two primary control modes throughout a mission:

The motivation for this work arises from the need to connect performance of low-level components with the system-level safety requirement. An illustration of an arbitrary control structure (Step 2 of STPA [10]) is shown in Figure 1. The illustration demonstrates the performance of controller 1; however, such a performance is not guaranteed when it is integrated with other sub-systems, which makes up the whole system. Components of complex systems are generally developed in parallel, often in a process that fails to fully capture the interdependencies necessary to meet high-level requirements. Although a controller may assure performance under specific conditions, these assurances often rely on underlying assumptions and constraints. A top-down system-theoretic approach enables us to analyze such interconnections to generate system and controller constraints, which connects the individual performance of sub-systems to the safety requirements.

Integrate a tagging system within the AprilTag detection and fusion system to uniquely identify landing pad locations, allowing precise recognition even in complex environments (UCA-2, UCA-4).

This level expands the autopilot block, which includes the multirotor controller, fixed-wing controller, tilt scheduler, and scheduler (Fig. 4a). The tilt scheduler is responsible for altering the thrust vector of the motors, which is essential during transition. The scheduler filters motor actuation and control surface commands based on the current flight mode (hover, transition, fixed-wing, or back-transition) and sends these commands to the host VTOL UAV actuators.

Level 3a: At this level, the multirotor controller block is expanded to include multiple sub-controllers such as position, velocity, attitude, and angular rate controllers (Fig. 4b). The multirotor controller block forms a cascaded control structure in which outer-loop controllers provide reference signals to inner-loop controllers. The multirotor controller generates motor actuation commands to track reference signals from the guidance controller.

Level 3b: This level expands the estimator block, which consists of multiple sensor processing modules, including the airspeed filter, attitude and heading reference system (AHRS), GPS processing, and the AprilTag system (Fig. 5). The AprilTag system incorporates the vision processing block, which processes high-resolution visual data for tasks such as landing pad detection and localization.

Level 4b: At this level, the AprilTag block is further expanded to include a switching system and an AprilTag detection and fusion system (Fig. 5). The AprilTag detection and fusion block is kept generalized to facilitate a system-level analysis without delving into the specific algorithms used in its implementation.

In Control mode I, the human pilot retains complete control of the UAV, managing all five stages of the mission. This mode requires constant visual feedback to ensure the effective execution of the mission. Conversely, Control mode II leverages the capabilities of the autopilot to perform all or parts of the mission autonomously. In this mode, the human pilot retains the ability to intervene and issue overriding commands to the autopilot, enabling corrective actions when needed. This dual-mode architecture ensures flexibility in operations, accommodating both manual control and varying levels of autonomy based on mission requirements.

The application of STPA to the take-off and landing phases involves the following steps, which guide the systematic identification and mitigation of hazards:

When an autopilot is integrated into a host VTOL UAV, the guidance logic and flight controllers must be tuned to enable seamless operation across different flight modes, including hover, transition, and fixed-wing configurations. This tuning process involves optimizing rotor tilt scheduling, critical tilt angles, rotor wind-down rates, and controller gains [15] to ensure accurate tracking of critical parameters such as attitude, altitude, and airspeed. By fine-tuning these parameters, the autopilot system significantly enhances the reliability and robustness of the VTOL UAV, enabling safe and efficient operations in diverse and unpredictable environments. While the autopilot includes multiple components, such as the guidance controller, flight controllers, and estimators, this paper refers to the autopilot specifically as the subsystem comprising the flight controllers.

This integrated approach addresses the safety concerns of a VTOL UAV with a vision-based system, while operating in autonomous mode. The results demonstrate the gap in assuring safety requirements when integrating different components in a VTOL, and recommend mitigation strategies to improve the robustness and reliability during critical flight phases, contributing to the advancement of VTOL UAV technologies.

The first solution corresponds to a checklist that must be completed by the remote pilot before initiating the mission. The second solution is dynamic and requires experimental validation to determine the optimal lighting conditions for reliable operation. The third and fourth solutions necessitate modifications to the underlying AprilTag detection and fusion system to accommodate multiple fiducial markers. A visual representation of the third and fourth solutions is provided in Figure 6. While existing multi-fiducial marker setups have been explored, the proposed approach utilizes markers of varying sizes, which enhances robustness by ensuring reliable detection even if some markers are occluded.

Ensure the remote pilot performs an occlusion check on the fiducial marker before initiating the mission to confirm visibility (UCA-1).

Solution: The Class 1 scenario corresponding to the landing pad location action is common to both UCA-1 and UCA-4. A major cause of the Class 1 loss scenario for the landing pad location arises from the altitude state input, which leads to the control action behaving unsafely. For the motor commands, the loss scenario primarily occurs when the tuned proportional-integral-derivative (PID) gains are operating under different conditions from those they were tuned for. These conditions can be either model mismatch or external disturbances (wind), referred to as trim conditions. To mitigate this issue, we propose the following control strategies:

STPA has been successfully applied in the aviation domain to analyze and mitigate risks in autonomous systems, including UAVs. For instance, STPA was applied to the Airworthiness Technologies Research Center UAV (ATRC-UAV) [31] to analyze take-off operations, focusing on a top-level control structure. In another study, multiple hazard analysis tools, such as Functional Hazard Analysis (FHA) and STPA, were combined to conduct a worst-case analysis of a VTOL carrying an urban air passenger [32]. The safety analysis of VTOLs using STPA was further extended to include manufacturers and operators to support regulatory agencies in the certification process [33]. Additionally, STPA has been applied to an existing design architecture of a VTOL to identify potentially unsafe issues and modify the architecture to enhance safety [34].

The ground control station (GCS) serves as the primary interface between the remote human pilot and the VTOL UAV, enabling efficient mission planning, monitoring, and control. It provides the human pilot with real-time telemetry, including positional data, attitude information, battery status, and other critical system parameters. The GCS facilitates the configuration of flight plans, which include defining waypoints, altitude settings, and selecting flight modes.

A promising approach to addressing safety challenges in VTOL UAVs is the application of System-Theoretic Process Analysis (STPA). STPA is a hazard analysis technique rooted in systems theory, designed to identify potential hazards by examining unsafe control actions within complex systems [10]. Unlike traditional hazard analysis methods, STPA considers both component failures and unsafe interactions within the system, making it particularly well-suited for the intricate multimodal operations of VTOL UAVs.

Conduct the mission only under predefined (TBD) lighting conditions to avoid detection failures caused by low visibility (UCA-1).

Sensing and perception represent another critical area for VTOL development, as autonomous operations rely heavily on accurate environmental awareness. These systems form the foundation for decision-making processes and the synthesis of automated flight controllers [22, 23, 24]. Autonomous decision-making itself presents additional challenges, requiring algorithms capable of managing transitions between flight modes, navigating complex airspaces, and responding to dynamic environments [25, 26]. Automated flight controllers further complicate development, as they must handle highly nonlinear dynamics while maintaining stability and efficiency under varying operational conditions [27]. Hardware-in-the-loop (HIL) simulations are often used to verify VTOL functionality and validate control performance [29, 30]. However, these simulations frequently lack a comprehensive, top-down approach to safety assurance, highlighting the need for more advanced validation frameworks.

The system under consideration is a generic VTOL UAV equipped with a vision system and operating in an autonomous mission. An autonomous mission for a VTOL UAV typically consists of five stages: i) take-off in hover mode, ii) transition to fixed-wing mode, iii) waypoint navigation in fixed-wing mode, iv) back-transition to hover mode, and v) landing in hover mode. For the purposes of this paper, we limit our analysis to the take-off and landing phases in hover mode, as these phases are critical and prone to operational uncertainties. The VTOL UAV under consideration comprises the following key components:

Introduce a secondary altitude measurement as an additional input to the AprilTag system. A potential solution could involve using an infrared (IR) sensor in conjunction with an IR beacon on the landing pad. This setup can aid the switching mechanism within the AprilTag system, enhancing its reliability (UCA-1, UCA-2, UCA-4).

Despite the rapid advancements in VTOL UAVs, several significant challenges [21] persist in achieving robust autonomy and reliable performance, namely, i) safety and reliability, ii) sensing and perception [22, 23, 24], iii) decision making [25, 26], iv) automated flight controller synthesis [27], v) regulatory challenges [28], and vi) societal challenges. One of the most fundamental challenges is safety and reliability. VTOL UAVs are expected to meet stringent safety standards that surpass those of existing aviation platforms due to their complex multimodal operations and broader deployment potential. Safety concerns are deeply intertwined with regulatory and societal challenges, making safety a critical focus of development efforts.

While prior works have primarily implemented STPA at a high-level control structure to identify generic unsafe control actions and provide safety recommendations, this work takes a different approach. Here, we expand the control structure to multiple levels, with a specific focus on vision-based systems, to identify precise control actions that could become unsafe and propose mitigation strategies to address them.

The control structure for the system is illustrated in Figure 3. It encompasses all the components described in Section 3. As indicated, the remote pilot selects the autonomy mode (enabled or disabled) and specifies waypoints to the GCS. The GCS, in turn, provides feedback on the autonomy mode status and the estimated UAV states (EUS). The GCS transmits the mission parameters to the guidance controller and receives updates on the EUS and sensor data. Additionally, the autonomy mode selected by the remote pilot is transmitted to the guidance controller. The guidance controller generates the trajectory to be followed by the VTOL UAV and transmits flight reference commands, flight mode, and control mode to the autopilot. The autopilot then provides feedback on the EUS to the guidance controller, allowing the reference commands to be updated as needed. The autopilot calculates motor actuation commands for multirotor operations and control surface commands for fixed-wing operations. These commands are transmitted to the VTOL UAV's actuators, which, in turn, provide sensor data feedback to close the control loop.

As described earlier, the host VTOL UAV can be controlled either manually by a remote human pilot or autonomously via the autopilot. The human pilot issues control commands through an RC controller, which maps user inputs to specific control actions such as pitch, roll, yaw, and altitude adjustments. To initiate an autonomous mission, the pilot must explicitly enable the autonomy mode, which is disabled by default. Activating this mode triggers autonomous operations and communicates the status change to both the Ground Control Station (GCS) and the guidance controller.

The last solution improves the robustness of the multirotor controller through adaptation. Unlike the kinematic models (position and attitude), the dynamic models (velocity and angular rate) can become uncertain due to external disturbances such as wind and drag, implying that the process models used for controller design may differ from the actual models. To address this, adaptive control methods such as $\mathcal{L}_1$ adaptive control [36, 37] can be utilized to improve the control performance. The second class of identified scenarios is described in section 5.

Vision-based systems rely on high-resolution visual data to perform tasks such as landing pad detection, localization, and obstacle avoidance. However, the reliance on vision introduces unique challenges, including the possibility of degraded performance under adverse conditions, such as low light, occlusions, or sensor noise. STPA provides a structured methodology to analyze these potential failure modes and ensure safe operation by identifying hazards associated with vision system dependencies and their interactions with other UAV components.

Autopilot systems form the backbone of modern unmanned aerial vehicle (UAV) operations, enabling autonomous navigation and control through advanced algorithms and sensor integration. These systems perform critical functions, such as maintaining stability, executing predefined flight paths, and adapting to environmental changes with minimal human intervention. Similar to the host VTOL UAV, the autopilot is assumed to have been developed independently to ensure compatibility with a wide range of UAV systems. The autopilot comprises multiple components, including guidance logic, flight controllers (for both multi-rotor and fixed-wing configurations), tilt schedulers, and estimators. Widely used autopilot platforms, such as Ardupilot and PX4, provide open-source solutions that support diverse UAV configurations, including fixed-wing, rotary-wing, and hybrid designs. These platforms integrate data from various sensors, such as GPS for positional accuracy, inertial measurement units (IMUs) for attitude and orientation, and barometers for altitude control.

VTOL UAVs have gained significant attention due to their wide-ranging applications, including urban air mobility, logistics, surveillance, and disaster response [11, 12, 13, 14]. VTOL UAVs are typically classified into three major configurations: tailsitter, tiltrotor, and tiltwing designs [15, 16]. Each configuration offers distinct advantages and trade-offs. Tailsitter UAVs transition from vertical take-off to horizontal flight by reorienting their entire body, while tiltrotor UAVs achieve transitions by tilting the rotors between vertical and horizontal positions. Similarly, tiltwing UAVs tilt the entire wing to ensure smoother transitions. These designs differ in terms of performance, stability, efficiency, and maneuverability, and their suitability depends heavily on the mission requirements, such as long-range endurance or short-distance agility [17, 18]. Approximately 250 companies are currently working to develop commercial VTOL UAVs; among them, Joby Aviation, Lilium, Volocopter, Ehang, Airbus, Kittyhawk, and Wisk are leading the race to bring these advanced systems to the commercial space [19]. Among the various VTOL designs, the tiltrotor configuration stands out as the most widely recognized for its aerodynamic efficiency, particularly during the transition from hovering to low-speed forward flight [20]. This efficiency makes tiltrotor UAVs highly suitable for applications that require both vertical agility and horizontal range. In this work, we focus on control structure identification for tiltrotor VTOLs, addressing the unique challenges associated with their operational stability and transition dynamics.

Mitigation strategies for vision-based and multirotor control structures: We propose a set of effective mitigation strategies tailored for the vision-based and multirotor control structures, ensuring the safety of VTOL UAVs during take-off and landing operations.

Additionally, since the locations of the auxiliary fiducial markers are predefined and stored within the VTOL UAV autopilot, the system can achieve greater accuracy in identifying the landing pad location. This is accomplished by averaging or applying weighted averaging to the measurements from multiple markers, thereby improving precision in the detection of the landing site. By integrating these strategies, the VTOL UAV can achieve improved safety and precision during critical flight phases, particularly take-off and landing. This foundation paves the way for future advancements in vision-based navigation systems, ensuring their adaptability to complex and uncertain operational scenarios.
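The fusion step described above (and the varying-size marker layout discussed with the third and fourth solutions) can be written out as a small weighted-averaging routine. The following is an added example, not code from the paper; it assumes the vision system reports each detected marker's planar position and yaw in the UAV's local horizontal frame, that marker offsets from the pad centre are stored onboard, and that weight grows with the square of marker size (a larger marker covers more pixels, so it is localised more reliably). It also reports the disagreement between per-marker estimates, which a switching mechanism could use as a plausibility check.

```python
"""Fuse landing-pad centre estimates from several fiducial markers.

Every detected marker yields an independent estimate of the pad centre,
because its offset from the centre is known in advance. The estimates are
combined by a weighted average; occluded markers simply contribute nothing.
Assumption: weight = size**2 (pixel area grows with the square of the edge).
"""
from dataclasses import dataclass
import math
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Marker:
    tag_id: int
    size_m: float                 # physical edge length of the tag, metres
    offset_m: Tuple[float, float]  # (x, y) of tag centre relative to pad centre, pad frame


@dataclass(frozen=True)
class Detection:
    tag_id: int
    position_m: Tuple[float, float]  # (x, y) of tag centre in UAV local horizontal frame
    yaw_rad: float                   # pad yaw in that frame, as seen on this tag


@dataclass(frozen=True)
class FusedEstimate:
    x_m: float
    y_m: float
    n_used: int        # markers that contributed (detected and known)
    spread_m: float    # largest distance of any per-marker estimate from the fused mean


def pad_centre_from_detection(marker: Marker, det: Detection) -> Tuple[float, float]:
    """Rotate the stored offset into the local frame and subtract it from the tag position."""
    c, s = math.cos(det.yaw_rad), math.sin(det.yaw_rad)
    ox, oy = marker.offset_m
    rx, ry = c * ox - s * oy, s * ox + c * oy
    return det.position_m[0] - rx, det.position_m[1] - ry


def fuse_pad_position(layout: Dict[int, Marker],
                      detections: Iterable[Detection]) -> Optional[FusedEstimate]:
    """Weighted average of per-marker estimates; None if no known marker is visible."""
    estimates = []  # (weight, x, y)
    for det in detections:
        marker = layout.get(det.tag_id)
        if marker is None:          # tag not part of this pad: ignore it
            continue
        x, y = pad_centre_from_detection(marker, det)
        estimates.append((marker.size_m ** 2, x, y))
    if not estimates:
        return None
    total = sum(w for w, _, _ in estimates)
    fx = sum(w * x for w, x, _ in estimates) / total
    fy = sum(w * y for w, _, y in estimates) / total
    spread = max(math.hypot(x - fx, y - fy) for _, x, y in estimates)
    return FusedEstimate(fx, fy, len(estimates), spread)


# Constructed pad layout: one large central tag, three smaller auxiliary tags 1 m out.
PAD_LAYOUT = {
    0: Marker(0, 0.5, (0.0, 0.0)),
    1: Marker(1, 0.2, (1.0, 0.0)),
    2: Marker(2, 0.2, (0.0, 1.0)),
    3: Marker(3, 0.2, (-1.0, 0.0)),
}

# Constructed detections: tag 2 is occluded, tags 1 and 3 carry ~10 cm of noise.
SAMPLE_DETECTIONS = [
    Detection(0, (2.0, 3.0), 0.0),
    Detection(1, (3.0, 3.1), 0.0),
    Detection(3, (0.9, 3.0), 0.0),
]

if __name__ == "__main__":
    est = fuse_pad_position(PAD_LAYOUT, SAMPLE_DETECTIONS)
    print(est)
```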

The actuators and flight computer are essential components of the host VTOL UAV, enabling precise management of the vehicle’s orientation, stability, and trajectory. The actuators, which may include rudders, elevators, ailerons, and tilt-rotors, are actuated by servos or motors. These actuators respond to commands generated by the flight controller based on real-time sensor feedback and guidance inputs, ensuring accurate control of the UAV’s movements.

In an autonomous mission, the human pilot defines mission parameters by specifying the launch location, waypoints, and the landing location (typically the same as the launch location). The GCS transmits this mission plan to the guidance controller. Once the autonomy mode is enabled, the UAV begins executing the mission. The guidance controller generates reference signals that the autopilot uses to ensure the UAV adheres to the predefined trajectory. The autopilot converts these reference signals into motor actuation and control surface commands, enabling precise maneuvering. A suite of onboard sensors, including accelerometers, magnetometers, barometers, GPS, and cameras, continuously collects real-time flight data. Some of this sensor data are processed by the flight controller and relayed back to the different controllers in the autopilot block and to the guidance controller as feedback, closing the control loop. This integrated architecture facilitates robust control, real-time adaptation to environmental variations, and accurate execution of autonomous missions. By integrating STPA with vision-based capabilities, this study systematically identifies potential hazards, unsafe control actions, and critical safety constraints, ensuring robust operation even in complex and uncertain environments. This approach not only enhances the reliability of the UAV during take-off and landing but also establishes a foundation for designing resilient autonomy frameworks for future UAV systems. An illustration of the problem description is shown in Fig 2a, along with an ongoing VTOL development [35] at UIUC shown in Fig 2b.

Loss L-1 directly affects the host VTOL UAV and its operational environment, including critical assets such as the landing pad and nearby UAVs. Losses such as L-2 and L-3 have broader implications, particularly impacting the credibility and feasibility of deploying autonomous operations in the event of an accident. Lastly, loss L-4 pertains to scenarios where triggers prevent the collection of valuable data during autonomous operation tests. Addressing L-4 is crucial, as it supports the identification of risky evaluations and the development of improved safety mechanisms. For each identified loss, corresponding hazards and system-level constraints were determined, detailed in Table 1 and Table 2, respectively.

In this paper, we present an integrated approach that combines a vision-based sensor fusion mechanism with an autopilot of a VTOL UAV, and employ STPA for hazard analysis to improve the robustness during take-off and landing. The key contributions of this work include:

In Control mode I, the GCS plays a pivotal role in providing the human pilot with visual feedback and situational awareness, which are essential for manual operation. Modern GCS platforms, such as QGroundControl and Mission Planner, are designed to be intuitive and user-friendly, supporting a wide range of autopilot systems to ensure seamless integration with various UAV configurations. Additionally, the GCS is equipped with data-logging capabilities, allowing for post-mission analysis and diagnostics. These capabilities are crucial for improving UAV performance, identifying system inefficiencies, and enhancing overall reliability.

Any UCA occurs under four classes of scenarios: Class 1 - the feedback or input is good, but the control action generated is unsafe, Class 2 - both the feedback or input are unsafe and control actions are unsafe, Class 3 - the feedback or input and the generated control action are good, but the control actions become unsafe in the control path, and Class 4 - the generated control action is good but the controlled process produces an unsafe action. For the unsafe control actions in subsection 4.3, we identify two classes of the loss scenarios. The first class of identified scenarios is described in section 5.

This material is based upon work supported by the National Aeronautics and Space Administration (NASA) under the cooperative agreement 80NSSC20M0229, University Leadership Initiative grant no. 80NSSC22M0070 and Air Force Office of Scientific Research (AFOSR) grant no. FA9550-21-1-0411. This work was also supported by the AFOSR “Certifiable and Self-Supervised Category-Level Tracking” program, Carlone’s NSF CAREER award. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Control mode II: Piloted by an autopilot, where the remote human pilot may issue overriding commands to the autopilot (human-on-the-loop).

While incorporating various components can enhance the capabilities of a system, it also introduces significant complexity in analyzing and assuring its safety. Addressing safety concerns for a whole system requires a systematic approach to hazard analysis and to developing corresponding mitigation strategies. When independently designed components are integrated, their interactions under complex dynamics and environmental factors, such as wind gusts or varying lighting conditions during landing zone detection, can degrade system performance or even lead to safety violations [8, 9]. For instance, numerous learning-based vision algorithms exist for tasks such as navigation, scene understanding, and obstacle avoidance. However, these algorithms are often tailored for specific purposes and lack a holistic approach to system safety, particularly in addressing hazards that emerge from interactions between different components. The System-Theoretic Process Analysis (STPA) framework offers a comprehensive method to identify potential hazards, unsafe control actions, and design constraints in complex systems [10]. By incorporating STPA into the VTOL UAV's control system development, we are able to proactively address safety issues arising from both system components and their interactions.

Next, we perform STPA step 3, identifying the unsafe control actions (UCAs) for the multirotor controller and the AprilTag system, as listed in subsection 4.3. The control actions (landing pad position and motor commands) can become unsafe under four broad categories: i) not providing the action causes a hazard, ii) providing the action causes a hazard, iii) the action is provided too early, too late, or out of order, and iv) the action is stopped too soon or applied too long.

We expand the control loop by two more levels, illustrated in Figure 4 and Figure 5. The details of the control structure blocks are as follows.

Deploy multiple fiducial markers to provide redundancy, enhancing reliability and ensuring robust landing pad detection (UCA-2, UCA-4).

Optimize the camera’s image capture rate and adjust the processing resolution to prevent bottlenecks and mitigate the risk of out-of-order image generation by the AprilTag system (UCA-3).