Full Description

1.1This standard practice defines design and test best practices that if followed, would provide guidance to an applicant for providing evidence to the civil aviation authority (CAA) that the flight behavior of an unmanned aircraft system (UAS) containing complex function(s) is constrained through a run-time assurance (RTA) architecture to maintain an acceptable level of flight safety.

1.2This practice will have the benefit of enabling highly automated UAS operations. It is envisioned that applicants will use this practice as a means of compliance for safe implementation of complex functions for routine operations.

1.3Verification of complex functions is considered too challenging to use conventional software assurance methods such as RTCA DO-178C or IEC 61508. Certification challenges under these standards include generating required artifacts, such as requirements, elimination of unintended functionality, traceability/coverage, and test cases required for verification.

1.4There is significant interest from industry and CAAs to have a standard practice to enable flight operations for UAS containing complex functions. Developing a certification path for these UAS technologies could also advance safety in General Aviation.

1.5The following design tenets are offered to provide guidance to the UAS manufacturer as to the intended application of this standard.

1.5.1The RTA Architecture is intended to be used for Complex Functions that would require an amount of effort that is beyond reasonably practicable to pass CAA conventional certification requirements.

1.5.2The UAS manufacturer should engage in appropriate design, test, and validation activities to enable the Complex Function to perform as intended.

1.5.3The complexity of the Recovery Control Function (RCF) deterministic commands should be minimized insofar as practicable.

1.5.4Repeated invocation of an RCF during a single mission may be considered an indication of improper Complex Function performance.

1.5.5An RTA design with multiple RCFs should consider the aircraft state, relative outcomes, and differences in RTA recovery times in prioritizing the recovery actions in the safety monitor.

1.5.6The UAS manufacturer should strive to minimize false or nuisance triggers of one or more RCFs as these false alarms undermine user confidence in the system and impact operational efficiency.

1.6This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.

1.7This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.