Advisory Circular (AC) No. 922-001

From: Transport Canada

Subject: Remotely Piloted Aircraft Systems Safety Assurance

Issuing Office: Civil Aviation, Remotely Piloted Aircraft Systems Task Force
Document No.: AC 922-001
File Classification No.: Z 5000-32
Issue No.: 01
RDIMS No.: 13518324 V24
Effective Date: 2021-11-02

Table of contents

List of figures

1.0 Introduction

(1) An Advisory Circular (AC) provides information and guidance by describing considerations relevant to assisting the public in complying with the regulations and standards. An AC does not change, create, amend or permit deviations from regulatory requirements, nor does it establish minimum standards.

1.1 Purpose

(1) This AC provides information and guidance to manufacturers making a declaration to the Minister for remotely piloted aircraft systems (RPAS) intended for Advanced Operations in accordance with the requirements of Part IX of the Canadian Aviation Regulations (CARs). Furthermore, this AC provides guidance to manufacturers on how to comply with the documentation requirements in Part IX of the CARs associated with making a declaration, including the expected content of applicable operating manuals and maintenance programs.

(2) The Minister will not systematically review each declaration submitted to evaluate the compliance demonstration by the RPAS manufacturer and issue a corresponding aviation document. RPAS manufacturers are however accountable to perform the necessary tests, evaluations, and/or assessments and record the results in a form that can be inspected by the Minister on demand. This AC outlines the safety assurance process to guide RPAS manufacturers with developing the necessary evidence to substantiate their declaration. A declaration is therefore the statement by the manufacturer that their system meets the applicable safety assurance requirements and is fit for the intended Advanced Operations when operated and maintained in accordance with the manufacturer's instructions.

1.2 Applicability

(1) This document applies to manufacturers of RPAS intended for Advanced Operations as described by CAR 901.62 for which a declaration is required by Division V – Advanced Operations – in Part IX of the CARs.

(2) Table 1 provides a cross-reference between the regulatory requirements and this advisory material.

Table 1 - Requirement/Guidance Cross-Reference
CAR Provision AC Section
  • 7.0
  • 4.0
  • 4.0(3)
  • 4.0(6)
  • 5.4
  • 5.10
  • 5.4(2)
  • 5.4(3)
  • 5.8
  • 5.4(2)
  • 5.4(3)
  • 5.4(4)
  • 5.4(5)(a)
  • 5.4(5)(b)
  • 5.4(6)
  • 4.0(8)
  • 6.1
  • 6.2
  • 6.4
  • 6.3
  • 6.4

1.3 Description of changes

(1) Not applicable.

2.0 References and requirements

2.1 Reference documents

(1) It is intended that the following reference materials be used in conjunction with this document:

2.2 Cancelled documents

(1) Not applicable.

2.3 Definitions and abbreviations

Note: The definitions provided below are strictly for the purposes related to RPAS Safety Assurance as described in the remainder of the document. In the case of any conflict between these definitions and definitions from other sources (e.g., the CARs), these definitions shall be used only in the context of RPAS Safety Assurance.

(1) The following definitions are used in this document:

  • (a) Abbreviated Injury Scale (AIS): an anatomically-based, consensus-derived, global severity scoring system that classifies each injury by body region according to its relative importance on a 6 point ordinal scale. AIS is the basis for the Injury Severity Score (ISS) calculation of the multiply injured patient.
  • (b) Concept of Operations (CONOPS): The clearly defined and detailed purpose of the system/operation intended for the RPAS. This includes a description of the operational aspects of the crew, RPAS system, Processes and Procedures, and the expected Environment.
  • (c) Operator: A person, group of persons, or organization which has possession of the RPAS as owner, lessee or otherwise and conducts operations of an RPAS under the CAR, Part IX.
  • (d) Owner: the person or entity who holds a valid RPAS Certification of Registration and has legal custody and control of the RPAS.
  • (e) RPAS Manufacturer: A person, group of persons, or organization which builds, maintains, and/or operates facilities that produce, assemble, and/or sell a physical RPAS and the associated technical products (e.g. manuals) holding the intellectual property to substantiate its design and performance (herein referred to as "manufacturer").

(2) The following abbreviations are used in this document:

  • (a) AAAM: Association for the Advancement of Automotive Medicine;
  • (b) AC: Advisory Circular;
  • (c) AGL: Above Ground Level;
  • (d) AIS: Abbreviated Injury Scale;
  • (e) ASSURE: Alliance for System Safety of UAS Through Research Excellence;
  • (f) ATD: Anthropomorphic Test Device;
  • (g) BVLOS: Beyond Visual Line of Sight;
  • (h) C2 Link: Command and Control Data Link;
  • (i) CAR: Canadian Aviation Regulation;
  • (j) CE: Conformité européene;
  • (k) CFR: Code of Federal Regulations;
  • (l) CRC: Communications Research Centre;
  • (m) CS: Control Station;
  • (n) EM: Electromagnetic;
  • (o) EMI: Electromagnetic Interference;
  • (p) EU: European Union;
  • (q) FAA: Federal Aviation Administration;
  • (r) FMVSS: Federal Motor Vehicle Safety Standards;
  • (s) GNSS: Global Navigation Satellite System;
  • (t) HIC: Head Injury Criteria;
  • (u) HMI: Human Machine Interface;
  • (v) ISED: Innovation, Science, and Economic Development Canada;
  • (w) MTOW: Maximum Take-off Weight;
  • (x) RF: Radio Frequency;
  • (y) RPA: Remotely Piloted Aircraft;
  • (z) RPAS: Remotely Piloted Aircraft System;
  • (aa) sRPA: small Remotely Piloted Aircraft;
  • (bb) TCCA: Transport Canada Civil Aviation;
  • (cc) TSO: Technical Standard Order;
  • (dd) VLOS: Visual Line of Sight.

3.0 Background

(1) The goal of Canadian Aviation Regulation (CAR) Standard 922 RPAS Safety Assurance is to encourage the spirit of innovation while striking a balance between the safe use of RPAS in the national airspace, design requirements, and oversight of the industry. To this end, operational categories have been defined with specific requirements associated with the RPAS design, construction, and reliability.

(2) Standard 922 is split between Visual Line of Sight (VLOS) Operations and Beyond Visual Line of Sight (BVLOS) Operations. At the moment this AC only addresses VLOS while the regulatory requirements for BVLOS operations are still incipient.

(3) Within VLOS operations, three operational risk categories have been defined for which safety assurance of the RPAS is deemed necessary:

  • (a) Operations in controlled airspace;
  • (b) Operations near people; and
  • (c) Operations over people.

(4) These categories identify design requirements that RPAS manufacturers must meet in order to declare their systems as being capable to operate in that specific environment. In addition to the design standards identified in CAR Standard 922, RPAS manufacturers have a regulatory obligation to make available to each owner the information prescribed by CAR 901.78. This information may be contained within the operating manual published for each RPAS model.

4.0 RPAS manufacturers obligations

(1) General. In accordance with CAR 901.76, manufacturers of RPAS intended for Advanced Operations must make a declaration to the Minister identifying the demonstrated capabilities of their system. CAR Standard 922 of the CARs outlines the minimum technical requirements and associated safety objectives to be achieved for the intended Advanced Operations. The RPAS manufacturer completes and submits the declaration form to the Minister at:

https://www.tc.gc.ca/en/services/aviation/drone-safety/submit-drone-safety-assurance-declaration.html

Upon submission of a declaration, and subject to applicable obligations stated in Part IX of the CARs, the subject RPAS may be authorized to operate in the environment for which the minimum safety standards and capabilities have been demonstrated for Advanced Operation; namely:

  • (a) Operations in controlled airspace;
  • (b) Operations near people (<30m but >5m measured horizontally at any altitude); and/or
  • (c) Operations over people (<5m measured horizontally at any altitude).

(2) RPAS Elements. CAR 101 defines a RPAS as a set of configurable elements consisting of a remotely piloted aircraft (RPA), a remote control station (CS), the command and control (C2) links and any other elements required for operation.

The manufacturer's declaration must identify each elements of an RPAS for which it is made.

(3) Content of a Declaration. As noted in CAR 901.76(2) the declaration form contains the following information:

  • (a) Make – Manufacturer's Name;
  • (b) Model – Specific model designation which identifies the configuration of elements that make up the RPAS;
  • (c) Maximum Take-off Weight (MTOW) – The maximum designed take-off weight of the RPA in kilograms (note: it must be 25 kg or less);
  • (d) Aircraft Category – A single selection checkbox which identifies the configuration of the aircraft (i.e. fixed-wing, rotary-wing, hybrid, light-than-air);
  • (e) RPAS Visual Line-of-Sight Operational Environments – A multi-select checkbox to identify which technical requirements the RPAS has been verified against. Any combination of the checkboxes can be selected to reflect the capability of the aircraft. RPAS meeting the safety requirements for operation over people inherently meet the less stringent requirements for operations near people;
  • (f) Signature of the Responsible Person – A box for the signature of the person making the declaration on behalf of the manufacturer;
  • (g) Title of Signatory – The business title/position of the person making the declaration;
  • (h) E-mail Address – The valid and active e-mail address that can be used to contact the person making the declaration; and
  • (i) Date – day, month, and year at which the declaration is signed.

(4) Persons Making a Declaration. A declaration may be made by:

  • (a) The designer and/or manufacturer of an RPAS; and
  • (b) The modifier of an RPAS.

The Minister envisions that a market for third party modifiers may emerge given the predicted proliferation of systems. The obligations are identical in either cases required by Part IX of the CARs and further delineated in this AC. It is further envisioned that RPAS modifiers would need to enter into an agreement with the RPAS manufacturers having ownership of intellectual property required to substantiate a declaration that the modified RPAS meets the applicable safety objectives. To the extent practical, the RPAS modifier should declare modifications applicable to multiple RPAS models of the same make on a single declaration form. Section 7.0 provides further guidance on modifications.

(5) Retention of Declarations. The Minister retains declarations for the purposes of inspection, program oversight, administer compliance and designated provisions, and to derive demographic information. The Minister may inspect any element of the RPAS, the technical evidence supporting a declaration, and any related publications by the RPAS manufacturer.

(6) Validity of Declarations. Declarations remain valid unless the RPAS manufacturer notifies the Minister otherwise or the Minister determines that the RPAS does not meet the technical requirements set out by CAR Standard 922. The RPAS manufacturer is required to notify the Minister as soon as practical upon discovery of an issue affecting safe operation. Once the declaration is found invalid, the RPAS will be restricted to Basic Operations in accordance with CAR 901.53.

While 901.76(3)(b) identifies that a declaration is invalid if the Minister is notified of an issue, the recommended actions from the RPAS manufacturer will be taken into account and the validity of the declaration evaluated within that context.

(7) Notice to the Minister. The objective for notification of issues related to declarations is to ensure Transport Canada is kept up to date of known issues leading to unsafe operations and to support the user community by disseminating procedures or additional limitations to registered owners. An RPAS manufacturer with a declared RPAS must notify Transport Canada by specifying the make and model, describing the nature of the issue and which technical requirement is no longer met, along with any recommended action, and the name and contact information of the responsible persons to:

E-mail: RPASDeclaration-DeclarationSATP@tc.gc.ca

The nature of the recommended actions will differ based on the specific issue identified. Transport Canada may review and ask for clarifications regarding recommended actions and/or may mandate limitations.

(8) Record Keeping by the Manufacturer. In order to verify that a particular RPAS meets the technical requirements, and that the limitations communicated to the operator have been developed correctly, the RPAS manufacturer must complete the necessary tests, analysis, simulations to support a declaration. CAR 901.79 identifies the record-keeping obligations of the RPAS manufacturer. The RPAS Manufacturer is required to produce on demand by the Minister current records corroborating a declaration. The records comprise:

  • (a) All mandatory actions in respect of the RPAS;
  • (b) Identify design criteria, standards and practices used to design RPAS structure, engine, propeller, and associated systems.
  • (c) Reports containing the results of testing, analyses, assessments, and verifications undertaken to demonstrate compliance with the applicable safety assurance requirements of CAR Standard 922 for which the declaration applies.

The RPAS manufacturer shall retain these records for the greater of (1) two years following the date the manufacturing of the appertaining RPAS permanently ceases, and (2) the lifetime of the RPA that is an element of that RPAS. In the second case, it is assumed the CS may have a lifespan that exceeds that of the RPA and furthermore may be utilized for multiple RPA models.

5.0 RPAS design considerations

5.1 General

(1) The following guidance applies to the design and development of RPAS, the definition of the operating envelope and limitations. It also outlines the technical information that must be provided to operators. The technical information is instrumental in elaborating the concept of operations (CONOPS) intended for the RPAS. The CONOPS is necessary for performing an operational risk assessment which may dictate safety features in the RPAS design and/or specific procedures or instructions for operation to mitigate identified safety risks. It is expected that manufacturers conduct their due diligence in designing, testing, and constructing RPAS to ensure their products are safe for use in their intended environment; as such the guidance provided in this circular is intended to be scaled to the risks of the intended operations with the RPAS.

5.2 System design and description

(1) CAR 901.78 specifies the information that must be made available to each owner of a system subject to a declaration that is intended for Advanced Operations.

  • (a) A system description. The description should define all elements of the RPAS.
  • (b) Ranges of weights and centre of gravity within which the system may be safely operated under normal and emergency conditions and, if a weight and centre of gravity combination is allowable only within certain loading limits, those limits and the corresponding weight and centre of gravity combinations. Thus, identifying all the possible mass configurations (minimum and maximum flying weight, empty CG, most forward CG, most rearward CG must be identified).
  • (c) With respect to each flight phase and mode of operation, the minimum and maximum altitudes and velocities within which the aircraft can be operated safely under normal and emergency conditions.
  • (d) Operating limitations associated to weather or other environmental conditions.
  • (e) Operating environment (controlled airspace, near people, and/or over people).
  • (f) Operational modes (automatic, speed-hold, altitude hold, direct manual, etc.).
  • (g) Characteristics of the system which might result in severe injury to persons on the ground during normal operations.
  • (h) Design features of the system, and their associated operations, which are intended to protect against injury to persons on the ground.
  • (i) Warning information provided to the pilot in the event of a degradation in system performance which results in an unsafe system operating condition.
  • (j) Number of air vehicles to be operated simultaneously.
  • (k) On-ground operation conditions:
    • (i) Transport conditions (define the transportation and storage environment of the RPAS like bag, package, truck or whatever is required);
    • (ii) Locations (e.g., land, littoral/maritime, air) and platforms (e.g. land vehicle, water vessel, aircraft, building, etc.) from which operations may be performed, for example: launch, command and control, and recovery.
  • (l) Procedures for operating the system in normal and emergency conditions.
  • (m) Assembly and adjustment instructions for the system.

(2) This material may be provided in electronic format (e.g. operating manual and/or maintenance manual available on the manufacturer's website) or in a physical format (e.g. paper manual), but the information must be provided to each owner in a form that is easily accessible. In addition, the operating manual should be written in a way which allows it to be understood by the target consumers (e.g. the general public, specially trained pilots).

5.3 Safety assurance requirements

(1) Standard 922 of the CARs prescribes safety assurance requirements that must be met by the RPAS manufacturers for the intended environments defined for Advanced Operations which are outlined below:

  • (a) For operations in controlled airspace
    • (i) Required accuracies while operating in controlled airspace:
      • (A) Lateral position accuracy of at least +/- 10 meters.
      • (B) Altitude accuracy of at least +/- 16 meters.
  • (b) For operations near people
    • (i) Protection against injury to persons on the ground
      • (A) The occurrence of any single failure of the RPAS which may result in a severe injury to a person on the ground within 30m of the RPA in operation must be shown to be remote.
    • (ii) Warnings and Alerts
      • (A) Systems, controls, and associated monitoring and warning means must be designed to minimize RPAS pilot errors that could create additional hazards.
  • (c) For operations over people
    • (i) Protection against injury to persons on the ground
      • (A) No single failure of the RPAS may result in a severe injury to a person on the ground within 5m horizontal of the RPA in operation.
      • (B) The occurrence of any combination of failures of the RPAS which may result in a severe injury to a person on the ground within 5m horizontal of the RPA in operation must be shown to be remote.
    • (ii) Warnings and Alerts
      • (A) Systems, controls, and associated monitoring and warning means must be designed to minimize RPAS pilot errors that could create additional hazards.

(2) Compliance with these technical requirements must be demonstrated by the RPAS manufacturer using adequate means and methods. These requirements are further elaborated in this section while the methods for showing compliance are addressed in the next section.

5.4 RPAS design characteristics

(1) General. The design process requires a well-defined concept of operations (CONOPS). This CONOPS aims to describe the operational environment. This should be the manufacturer's first step to collect and provide sufficient technical information, and should describe the RPAS operations, system, operating environments, and control methods. This will define the flight envelope.

A flight envelope is the set of operational limitations that determine the ideal flight characteristics of the aircraft as well as those which will exceed the aircrafts design limitations and result in a loss of the aircraft, or a loss of controllability. The extent of envelope is constrained by both the physical design of the RPA as well as the operational environment in which the system is designed to fly. The following sections are intended to guide the evaluation of the design of an RPAS such that a safe flight envelope can be developed and the operational limitations can be communicated to pilots. The information required by CAR 901.78(c) forms what is, in essence, the RPAS flight envelope as it should be communicated to pilots as limits of the system which should not be exceeded. This section provides additional guidance on the requirements in CAR 901.78(c) as well as acceptable methods of compliance to these documentation requirements.

(2) Process. This section discusses the process to determine the physical design of the RPA and define the controllability and performance limitations identified in CAR 901.78(c)(ii) and (iii). The process to develop the limitations of the airframe should follow a standard engineering development approach. While there are many industry standards which outline a general process for system development (e.g. SAE ARP-4754) for the development of an airframe the process to follow can be generally outlined in the following iterative steps:

  • (a) Define the expected performance. Performance is generally refined from a high level concept of operations the system is attempting to satisfy, and the performance requirements can typically be clearly defined (e.g. "RPAS must fly 3km round-trip within 15 minutes, 250ft above the ground, and stay on-site for at least 15 minutes"). The general requirements of system operation then leads to the selection of a general design concept (e.g. fixed-wing vs rotary-wing vs hybrid vs lighter-than-air), and identification of the manufacturing needs which typically lead to material selections. Flight dynamics can then be assessed once these general performance requirements have been identified.
  • (b) Define the expected loads. With the performance criteria and general design selected, the next step is to clearly define the aerodynamic loading on the airframe. Aerodynamic loading is derived from the maximum operational velocities and altitudes needed to achieve the operational performance requirements. For example, limiting height and speed needs to be defined, including hover, under which a forced landing cannot be made under the applicable power failure condition, or the RPAS failure modes where probability of occurrence is higher than remote as defined in (e) of this section. Thus, the maximum operational loads the airframe can withstand in flight, at each critical combination of altitude, speed, weight, centre of gravity, and payload configuration are identified.
  • (c) Model/Prototype the system. The loading and system design features (e.g. C2) are then applied to a model or prototype of the system to determine the reactions of the system and whether any design changes should be made. There are many ways of modeling or prototyping. Generally, computer models are used when creating new designs to avoid having to create multiple prototypes which can become costly. If a design is being incrementally updated it may be easier to build a prototype of an existing, earlier model to evaluate the changes.
    • (i) Identify a sufficient number of points within the design envelope to ensure that the maximum load for each part of the RPAS structure is achieved.
    • (ii) Identify Critical Parts (CP) and Primary Structural Elements (PSE) – For operations near and over people, the models and/or prototypes are used to determine which parts of the RPAS design lead to catastrophic failures (refer to Appendix B), as well as which portions of the airframe are critical to the continued safe flight of the RPA. These are termed Critical Parts and Primary Structural Elements respectively.
  • (d) Validation of the model/prototype. Once the model/prototype has been produced and the design confirmed (at least mathematically) the results of the simulations and/or construction are to be validated. Validation of the model/prototype is key in the design process as it allows a manufacturer to confirm their calculations and provide a clear path to support design changes as the design is iterated. At least the loading on the CPs and PSEs are measured during the validation to ensure elements related to safety of the aircraft are well defined. There are multiple ways of validating a model; three of these methods are identified below:
    • (i) Ground Testing – a ground test can provide useful information on early stages of the development such as behaviour of the subcomponents, a Building Block Approach (BBA) is a good system to understand how the airframe may meet the requirements.
    • (ii) Wind Tunnel – a wind tunnel test with either a prototype or scaled version of the RPA allows for dynamic loading to be evaluated in a controlled and well measured environment. A wind tunnel allows a manufacturer to very carefully control the aspects of flight in order to validate well defined test points in a model; and
    • (iii) Flight Test – a flight test protocol with a functional representative prototype allows for a combination of systems testing as well as aerodynamic model validation. While the conditions cannot be as well controlled as in a wind tunnel, a well-designed flight test protocol, along with sufficient test instrumentation, allows for the manufacturer to validate some model test points as well as validate broader RPAS functionality.
  • (e) Evaluate against Safety Assurance Requirements. For operations near and over people, the results of the validation of the model and the results of the simulation and/or flight testing are then evaluated against the safety assurance requirements and other safety objectives derived from a system safety assessment process to ensure the failures have been clearly identified and the hazards are well controlled and understood.
  • Note: There are many industry standards which outline a general process for system development (e.g. SAE ARP-4754 is well recognized for manned aircraft).
  • (f) Iterative Reviews. While this is identified at the end of the process, as mentioned above, iterative reviews may occur at any point during the design process. As issues are identified design changes or model updates may be required which would require additional execution of simulations, and/or additional validation.
  • (g) Definition of Operating Limitations. With the modeling complete on the design, the limitations (as identified in CAR 901.78(c)) must be documented and provided with the operating manual. The physical operational limitations identified as part of this process are one section of operational limitations, and for RPAS being declared for operations near and over people additional steps are taken to fully define the limitations. See section 6.0 for additional discussion on design requirements which will inform further operational limitations.
  • (h) Human Factors Evaluations. Systems are ideally developed to be controllable without undue piloting skill or training. This can be interpreted, for example, as the RPA controls are manageable, the system status is clearly discernible, and operational information is readily available. The pilot-system interface is designed and evaluated using methods collectively referred to as "human factors". In determining the flight envelope, in addition to the technical capabilities of the aircraft, the ability of pilots (or supporting systems) to keep the aircraft within this flight envelope/be recoverable when reaching the edges of the flight envelope is developed and evaluated. Guidance on developing systems to account for human factors performance can be found within ISO 9241-210 and/or MIL-STD-46855A. For additional information related to warning and alerting see section 5.4.6 of this circular.

(3) Modes of Operation

  • (a) General. RPAS are typically capable of multiple modes of operation (e.g. remote controlled flight, assisted manual flight, automated waypoint tracking). All unique modes of operation should be included in the operator manuals including their limitations and expectations (e.g. user experience requirements, default modes). Operation of flight controls and safety devices (e.g. parachutes, flight termination technologies) should be clearly identified within the operating manual as well as limitations of these systems imposed by different operational modes. As part of defining the operational modes the operating manual should clearly identify the minimum number of engines required to remain airborne.
  • (b) Human-on-the-Loop (HOTL) operational modes are defined as those types of operational modes in which the RPAS is the primary decision-making platform and the operator is actively monitoring the operation of the platform ready to take control in the event the operator determines the system operation requires intervention. This type of operational mode is common in complex fixed wing platforms requiring microsecond sensitive actuator responses in order to maintain level flight. In most cases the human plans the operation using flight planning software and uploads the flight plan to the RPAS which follows the plan to the best of its ability given the active environmental conditions. These operations differ from Human-in-the-Loop (HITL) operations in which the operator has direct positive control of the system and is directing the flight whether through controller inputs or through waypoint identification. For HOTL operations the operating manual should clearly define the necessary steps to plan, upload, and monitor the flight plan along with procedures to identify when issues arise throughout the process.
  • (c) Night Flight. If the aircraft is capable of safely operating at night the operating manual should clearly identify the configuration and limitations associated with night operations. For night operations CAR 901.39(1) requires that the RPA is equipped with position lights sufficient to allow the aircraft to be visible to the pilot and to any visual observer. While at this point there are not clear standards defined for the colour, positioning, or number of position lights the intent is to have lighting sufficient in order for it to be clear to the pilot which way the system is oriented while in flight. In absences of an industry standard regarding RPAS lighting, the recommended best practice is to adopt aviation lighting standards, namely red lights on the left side of the system and green lights on right. The aircraft should also have lighting to allow the pilot to determine the direction of flight (i.e. the "front" of the aircraft). It is acknowledged that multi-rotor RPAS may not have a "front" as the system may be capable of flight in any direction; in this case it is especially important to identify the initial direction of flight via lights as it can be easy to confuse the orientation of the aircraft and, when in the operating manual, the controls may become "inverted" (i.e. what the pilot believes is forward is actually reverse as the aircraft is pointed opposite to them).

Information Note: For an aircraft to safely operate at night, the lights should be bright enough to see from a distance and the lights cannot blind the pilot during landing. One way to meet these criteria by dimming the lights before landing.

(4) Environmental Effects

  • (a) General. CAR 901.78(c)(iv) identifies that the effects of foreseeable environmental conditions on the performance of the aircraft and the pilot-in-command must be established. This supports CAR 901.31 which requires that the operation be conducted in accordance with the operating limitations established by the manufacturer. These requirements identify the responsibility of the manufacturer to define how the RPAS is affected by the world around it, and communicate that information effectively to the operator through associated documentation (i.e. operating manuals).
  • (b) Meteorological Conditions
    • (i) General. The part of the environment which has the largest impact on the operational characteristics of the RPAS is undoubtedly the effect of weather (both macro and micro weather environments). While it is noted most RPA which weigh less than 25 kg will have a limited ability to operate in inclement weather it is incumbent on the manufacturer to clearly identify the specific limitations associated with a given model of RPAS in their operating manual.
    • (ii) Wind. Effects of wind on the safe operation of the RPAS should be clearly identified. Specifically the strongest wind the aircraft can safely operate in without losing control of the platform. In addition, the maximum gust loading the RPA can withstand before losing structural integrity should be identified if it is less than the winds affecting the controllability of the RPA. Finally, effects of the wind conditions on the flight time of the aircraft may be identified. It is expected that operators have a clear understanding of the effect of wind on aviation, and that flying in wind will have operational effects, additional information on specific performance degradation as a result of winds may prove helpful to operators when conducting flight planning activities.
    • (iii) Temperature. Effects of ambient temperature on the safe operation of the RPAS should be clearly identified. Ideally this would simply be an operational temperature range specifying the ranges in which the aircraft can be safely operated. This range would be based on the rated temperature ranges of each of the components and a technical evaluation of how these components function together within the larger system. In most cases the temperature effects on the control surfaces of the aircraft (e.g. ailerons, rotor blades), the motors, and the fuel systems (e.g. batteries, fuel lines) would be the limiting factors, though effects on the transceivers for the C2 link and navigation systems would need to be considered as well. While the intention is to provide operators with limits of the aircraft that impact safe operation, additional performance limitation that occur as a result of temperature may be identified (e.g. performance degradation of LiPo batteries in temperatures <+10oC).
    • (iv) Air Density. Effects of the air density on the safe operation of the RPAS should be clearly identified. In general air density is related to the altitude of the operation as well as the ambient temperature and humidity of the air. Air density is an important factor in fixed wing, rotary-wing, and lighter-than-air aircraft operations as it directly impacts the generation of lift in heavier-than-air aircraft and on the relative lift generated by lighter-than-air aircraft. While the intention is to provide operators with the limits of the aircraft that impact safe operation (i.e. densities where not enough lift may be generated or sustained), additional performance limitations that occur as a result of air density may be identified such as higher take-off velocities, changes in stall characteristics, or limits on operational range.
    • (v) Precipitation. Effects of precipitation on the safe operation of the RPAS should be clearly identified. Precipitation (drizzle, rain, fog, snow, freeing rain, etc.) can affect an RPAS in a number of ways including, but not limited to, limiting the actuation of control surfaces, degrading the C2 link capability, reducing the lift experienced by the aircraft, and shorting electrical systems. Each RPAS design will have different capabilities, and different protections against, specific types of precipitation. The types of precipitation to consider when designing protective system include:
      • (A) Drizzle;
      • (B) Rain;
      • (C) Fog condensation;
      • (D) Freezing drizzle;
      • (E) Freezing rain;
      • (F) Rain and snow mixed;
      • (G) Snow;
      • (H) Snow grains;
      • (I) Ice pellets/Sleet;
      • (J) Hail;
      • (K) Snow pellets/graupel; and
      • (L) Ice crystals.
      • While the impacts of specific types of precipitation on a specific RPAS design will vary, the expectation is for manufacturers to communicate in which types of precipitation their systems are capable of operating safely, and in which their capability is degraded to such an extent that safe operation is no longer possible. Precipitation would need to be taken into account along with other operating limitations (e.g. wind, altitude) in order to fully describe the precipitate environments in which the RPAS may safely be controlled. While the intention is to provide operators with the limits of the aircraft that effect safe operations, additional performance limitations may be identified such as reductions in operational range/altitude.
    • Information Note: If the RPAS is designed for operations where it may reasonably be exposed to saltwater (e.g. littoral operations) the precipitation conditions above, especially fog, should be evaluated with respect to a saltwater environment. It is recognized that salt spray and salt fog constitute special consideration on the reliability and function of an RPAS.
    • (vi) Vibration. The effects of vibration on the RPA shall be evaluated and mitigated to ensure safe operations throughout the flight envelope. Vibrations generally result from the operation of the RPA itself. Vibration has two primary impacts on the operation of the RPA: structural fatigue failure and controllability.
      • (A) As sources of vibration and of dynamic loading of materials have increased, fatigue failures have become increasingly important in engineering. Technological developments continually bring out new materials, new fabrication processes, improved design concepts, and additional information about service requirements. Effects of vibration on structural integrity shall be addressed as part of the RPA structural design. Trends in design and in operations indicate new complexities are certain to arise. Some of these trends are: higher design stresses, requirements for increased performance, and demands for increased operational flexibility. Moreover, special flight vehicles, such as rotary-wing aircraft, VTOL and STOL aircraft, present special problems.
      • (B) Changes in takeoff and landing speeds result in more severe taxiing loads, manoeuvering loads, and landing dynamic loadings (catapult takeoffs and arrested landings are particularly severe).
    • (vii) Icing. CAR 901.35 identifies that no RPAS shall be operated where icing conditions exist or may reasonably exist without associated detection or protection equipment. Icing detection means allow for the identification of the accretion of precipitate on the control surfaces or other critical flight surfaces of an aircraft. Icing protection equipment is equipment which prevents the accretion of precipitate or reduces the rate of precipitate accretion on control surfaces or other critical flight surfaces. At the moment there are no recognized industry standards or technologies for the detection or prevention of icing on small RPAS, though it is expected that solutions will become available as the market expands and is further refined. As research and development related to icing progresses this circular will be updated to reflect the results to aid in the design and implementation of icing detection and prevention systems on small RPAS.
  • (c) Electromagnetic Environment
    • (i) General. RPAS inevitably operate within an electromagnetic (EM) environment. The airspace in which RPAS operates is bombarded by electromagnetic radiation from both cosmic (e.g. solar radiation) and terrestrial sources (e.g. cellphone towers). While the operator is expected to have some knowledge of EM interference and system susceptibility, most will rely on limitations and recommendations identified in material provided by manufacturers. As a result, impacts from the EM environment on the operation of the RPAS are to be communicated via the operating manual.
    • (ii) Electromagnetic Interference (EMI). Electromagnetic radiation interacts with all electronic circuits, unshielded current conducting materials, and other electromagnetic fields. This interaction may result in a number of unintended effects in RPAS functions and should be accounted for in both design and operation if protections (e.g. shielded conductors) are not in place. Some common sources of EMI which may affect RPAS are listed below:
      • (A) Wi-Fi transmitters;
      • (B) Microwave radio relays;
      • (C) Cellphone radio towers;
      • (D) Industrial, commercial, or private Supervisory Control and Data Acquisition (SCADA) systems;
      • (E) Lightning (see below);
      • (F) On-board devices (e.g. Bluetooth payload and C2 link).
      • Evaluation of the impacts of EMI on RPAS functions should be identified based on the components of the system which may be affected: the C2 link, the RPA, and/or the Control Station. It is important to evaluate the effects on all these systems as each may be susceptible to interactions from different frequencies in the EM spectrum, and the impacts may result in different limitations to the RPAS operation.
      • With respect to effects of EMI on the RPA the evaluation should be focused on safety critical systems (e.g. flight control electronics/actuators, navigation electronics, C2 transceiver) as defined in the system safety assessment (refer to Appendix B). One common area of interference is when swapping payloads; it is recommended manufacturers provide clear descriptions of the types of payloads and the impacts their operations may have on the RPAS.
      • With respect to effects of EMI on the Control Station the evaluation should be focused on the risk of interference caused by positioning of the Control Station antenna in relation to potential sources of interference including radio-frequency (RF) reflectors (i.e. ground planes). Specific limitations would depend on the frequencies and designs chosen for C2 link.
      • With respect to the C2 link interference the evaluation should be focused on specific frequencies chosen for C2 link operation and associated sources of interference. The impacts (e.g. reduced operational range, degraded payload performance) should be clearly communicated as a risk to the operation to assist operators in planning their flights. It has been noted during operations EMI can be a significant source of unexpected link interruptions, which can lead to a loss of positive control (e.g. lost link) and invoking automated return-to-home or link recovery procedures in situations where these procedures may be undesirable.
    • (iii) Lightning. In general it is not recommended to operate VLOS RPAS in conditions where lightning may be present. If manufacturers design systems to operate in thunderstorms, lightning storms, or other conditions where lightning may be present, it is recommended the impact of lightning on the RPAS systems be clearly explained in the operating manual. While most RPAS will not be designed to survive a direct lightning strike, there may be system architectures which allow for a safe recovery of the system. If an RPAS is being designed for operation in an environment where lightning effects are expected, then the impact of transients induced by lightning on the RPAS functions should be evaluated.
  • (d) Methods of Evaluation. In order to communicate the limitations noted above, the manufacturer is expected to undertake appropriate testing and evaluation to show that these limitations have been established for each intended configuration of RPAS. It is acknowledged there are many forms of testing and evaluation that the manufacturer/designer/verifier may choose in establishing limitations. For aeronautical products RTCA DO-160 (current revision) is the de facto standard for environmental testing (outside of flight testing). In the case of RPAS, DO-160 may provide a significant cost especially when considering operations that may not necessarily be safety critical. With this said, the standard provides a good starting point for developing and evaluating RPAS specific methodologies.
  • With respect to evaluating the impacts of environmental limitations, especially as they are related to EMI, it is recommended that RPAS manufacturers conduct a system safety assessment to identify safety critical functions of the system from which equipment qualification requirements could be derived. As part of a system safety assessment, a functional hazard assessment contributes to identifying specific functional hazards related to operation of the system.

(5) Hazards Identification

  • (a) Hazards to RPAS Crew. CAR 901.78(c)(v) requires that the characteristics of the system which may result in a severe injury (see section 6.4 of this circular for the definition of severe injury) to the RPAS crew members during normal or abnormal operations must be identified. There are a number of hazards which may result from operations of RPAS including but not limited to: electric shocks, lacerations, trauma injuries, and burns. In order to prevent injuries when operating and maintaining the RPAS, the characteristics of RPAS sub-systems (e.g. voltages) should be clearly identified to operators, and instructions for the safe handling, operation and maintenance of the systems and sub-systems should be provided.
  • With respect to abnormal operations, the intent is for manufacturers to provide information to safely handle an RPAS when it is in a mode of operation posing a safety risk to the RPAS crew or other people associated with the operation. While it is noted there is an assumption of risk when an individual is involved in the operation of an RPAS it is expected that manufacturers will perform due diligence to help ensure operators have the information required to effectively address emergency situations. To this end the manufacturer should provide the operator with checklists outlining emergency procedures related to situations resulting from technical issues in which the RPAS operation becomes unsafe. Some examples of emergency situations include: loss of C2 link, loss of one or more motors, loss of control in-flight (e.g. flight controls), loss of navigation (e.g. GPS).
  • Information Note: The manufacturer need not provide procedures to address hazards when features implemented in the design are intended to prevent their occurrence. For instance, a flight envelope protection function that prevents the aircraft from stalling would obviate the need of stall prevention procedures.
  • (b) Hazards to Persons on the Ground. CAR 901.78(C)(vi) requires that design features and their associated operations, which are intended to protect against injury to persons on the ground must be identified. In conjunction with the hazard identification above, failures of elements of the RPAS that may pose a hazard to people on the ground. These specific features intended to mitigate against the hazard to people on the ground implemented in the RPAS design (e.g. parachutes, rotor guards) are clearly identified in the operating manual. Procedures associated with the operation of these safety features and emergency procedures with respect to handling the RPAS in the case of abnormal operations should be clearly communicated in the operating manual; emergency checklists and automated warnings/procedures displayed on Control Stations are acceptable methods of communicating this information to pilots. While the safety assurance standard only requires the assessment of hazards of injury to people within the identified operational environment, it is recommended to evaluate and communicate safety impacts to any potential people on the ground identified as a result of a comprehensive system safety assessment.
  • (c) Methods of Evaluation. To aid in the identification of system hazards it is recommended that manufacturers complete a functional hazard assessment. The functional hazard assessment relates the functional failures to hazard criticality classifications from which safety objectives are allocated to the design and operation of the RPAS. The design is further decomposed into the specific technologies to identify specific modes of failure which can cause or contribute to the functional failures. The safety objectives that must be demonstrated are outlined in Appendix B.

(6) Warnings and Alerts

  • (a) General. The remote nature of RPAS control stations result in the separation of the pilot from the physical environment of the aircraft. As a consequence of this physical decoupling, the pilot no longer has the acoustic, visual, or haptic feedback associated with the airframe and on-board equipment and so relies solely on the information presented on the Control Station (CS). The sources of this information are either systems on-board the aircraft transmitted over the C2 link or computations performed by the CS itself (e.g. controller battery power, analysis of data received from the aircraft). Safe operation is predicated on information presented by the CS to the pilot. CAR 901.78(c)(vii) requires manufacturers to identify applicable warning information provided to the pilot in the event of degraded system performance which results in unsafe operating conditions. For example: for electrical engine applications, a minimum voltage threshold that indicates low remaining capacity should be determined in the worst environmental conditions. A low battery warning is provided in the CS in order to alert the RPA operator that the battery has discharged to a level which requires immediate RPA recovery actions. The procedure to be followed in case of low battery warning is established and provided in the operating manual.
  • (b) Alerting. Alerts are to inform the pilot of system malfunctions or unsafe conditions (e.g. low fuel, degraded C2 capability) thereby appropriate actions may be taken. In addition, the alerts should be conspicuous and intelligible to the pilot under all foreseeable operating conditions, including conditions where multiple alerts are provided. Alerts should be removed when the alerting conditions no longer exist. In order to support timely pilot decision making, alerts should provide timely attention-getting cues when taking into account normal piloting operations and workload. Alert prioritization and alert suppression may be employed when the conditions warrant. The suppression mechanism should not allow for inadvertent or reflexive suppression of the alerts as the goal is to present the information for pilot action. Finally, the operating manual should clearly define all the alerts that may be displayed including their impacts to the operation of the RPAS and the required pilot actions.
  • (c) Prioritization. Alerting schemes should have priorities related to the types of information they display in order to ensure that spurious, or nuisance alerts are minimized in order to assure timely pilot response to conditions when they occur. The following hierarchy of alerting prioritization is suggested as an aviation best practice:
    • (i) Warning Alert: For conditions that require immediate pilot awareness and immediate response;
    • (ii) Caution Alert: For conditions that require immediate pilot awareness and subsequent response; and
    • (iii) Advisory Alert: For conditions that require pilot awareness and may require subsequent response.
  • (d) Marginal Performance. Part of the purpose of the alerting system is to make the pilot aware of the status of the RPAS such that they can confidently make decisions regarding the continued safe operation. To that end it is recommended that alerting systems include alerts (advisories) which provide an indication that a flight critical system (e.g. Navigation, C2 Link, battery), as determined by the system safety assessment, is operating at marginal capacity. Some examples of degraded or marginal performance include:
    • (i) GNSS errors including GNSS satellite errors such as gravitational effects (which pull the satellite from planned orbital path), and GNSS dilution of precision (DOP) when the geometries of available satellites does not provide sufficient coverage to meet navigation precision.
    • (ii) Navigation/Orientation errors such as pitot/static obstruction which can lead to invalid airspeed/altitude readings, and Inertial Measurement Unit sensor faults/drifts.
    • (iii) Errors caused by the terrain such as terrain masking, where the landscape (e.g. mountain) blocks the antenna on the RPAS from receiving the satellite signal, and "multi-pathing" where a signal is reflected by the landscape such that the receiver now receives "additional" signals which can create confusion and need to be processed out to avoid creating position errors.
    • (iv) Degradations in C2 link bandwidth and responsiveness cause by unknown or uncharacterized sources of interference (e.g. RADAR), or operating near the edge of range.

(7) Remote Identification

  • (a) General. Remote identification, (or Remote Id) may be implemented in the RPAS. A remote identification system allows a transponder installed in the RPA to respond to third party interrogations with specific information regarding the system (e.g. registration mark, owner, launch point, etc.).
  • (b) Remote Identification Capability. If an RPAS has remote identification capability, the operating manual should have clear instructions on how to register with the system, as well as information on what information can be interrogated.

Information Note: Remote identification capability may be required for operation in certain jurisdiction (e.g. EU CE Class 3 UAS).

5.5 Configuration management

(1) A manufacturer should have configuration control over their specific RPAS designs and construction in order to have sufficient traceability to track the life of the RPAS and its components. Thus, configuration management is crucial in the establishment of service history tracking systems, and to the declaration filed to the Minister. The manufacturer may follow FAA AC20-153B, SAE EIA-649, ASTM, ISO or other equivalent industry standards in order to establish a configuration management system appropriate the risks of their declarations.

(2) Operators and manufacturers are recommended to use maintenance systems (e.g. traceability software) in order to track the configuration of in-service RPAS to track life-cycle data associated with the components. These types of systems are generally used in conjunction with aircraft health monitoring systems (AHMS) on-board the aircraft which allow for health and usage data to be connected directly to operational databases to support the lifecycle management of RPAS in service. The maintenance systems (either computer based or otherwise) should contain the configuration of the various operational RPAS in order to build a history of the actual life-cycle of the components, and systems in different operating environments. When the entirety of an RPAS fleet (either a specific operator, or as part of a manufacturer/designer sourced maintenance system) is tracked the reliability data will have the right level of sensitivity and accuracy needed for broad system life-cycle analysis. In traditional aviation, service difficulty reporting (SDR) is used to track issues experienced by operators and designers/manufacturers use this data to help determine root causes of issues in order to understand the reliability of systems and system components. In this way the data can be used to perform trend analyses of issues, defects, and failures in order to substantiate claims of reliability for operations near or over people.

5.6 Manufacturing

(1) The manufacturer is responsible for a product that complies with accepted manufacturing industry standards at the time of delivery and is demonstrated as fit and safe for flight.

(2) The manufacturer identifies the materials and manufacturing processes used in the construction of the RPA and the criteria implemented to control materials performance variability among specimens. Materials are to be compatible with the usage spectrum. Manufactured parts, assemblies, and the complete RPAS are produced in accordance with the manufacturer's Quality Management System.

5.7 Aircraft serviceability

(1) Maintenance Manual. The RPAS shall have a maintenance manual (which may be part of the operating manual) that defines actions to be taken to keep the RPAS serviceable. Appendix A provides some acceptable means of defining maintenance tasks.

(2) In particular, the manual provides instructions for maintaining the serviceability of the RPA structure, engine, propeller and any subsystem for which inspection, substitution (e.g. life limited parts), adjustment, and lubrication are required.

(3) The manufacturer must promulgate all necessary instructions for ensuring the safe operation of the aircraft including mandatory serviceability actions. The manufacturer should provide a method to track technical occurrences affecting safety throughout the life of the program and implement preventive and corrective actions as necessary.

5.8 Payloads

(1) General. Payloads are systems, an object, or a collection of objects on board the aircraft that are not necessary for flight but useful for the accomplishment of the mission. Payloads may include items such as sensor packages, containers, or additional radios. Payloads themselves are part of the RPA airframe as they are attached to the structural elements in some way. As such, where CAR 901.78(c)(ii) requires that controllability and centre-of-gravity be assessed, the effects of payloads must be considered.

(2) Payload Definition. It is important for manufacturers to define the limits of the various payload configurations a RPAS is designed to support. The payload limitations are generally defined in terms of mass, physical dimensions, and airframe integration. There are many different ways of incorporating payloads onto an RPAS, some designs include a specific payload "compartment" while other designs have "ports" where payloads may be affixed, still others require payloads to be carried using external equipment affixed to the airframe. The operating manual should clearly define the payload carriage capabilities and their impact on the operational characteristics of the RPAS (e.g. reduction in range, susceptibility to winds). Payload configurations that invalidate the declared capabilities of the RPAS for Advanced Operations (e.g. if the failure of a payload system may cause a severe injury to a person on the ground) are to be clearly identified in the operating manual.

In lieu of dimensional, mass, and integration considerations (expanded on below), the operating manual may specify specific payloads which are deemed acceptable. This option may be especially attractive in cases where a declaration of the provided capability is made, and effects of unknown payloads may not be characterized.

(3) Mass Limitations. Mass limitations are to be defined within the scope of the weight and centre-of-gravity of the RPAS. The operating manual should clearly state the maximum weight capacity for payloads such as it will not adversely affect the controllability and airworthiness of the system. In addition, if specific mass distributions are not acceptable (e.g. payload mounted with majority of mass in the nose) the operating manual should clearly identify loading limitations with respect to the distribution of mass across the RPAS. If the payload mass has been considered when making a declaration relating to Advanced Operational capability the maximum payload mass (and distribution) must be established in the operating manual. In general, the operating manual should clearly define the acceptable ranges of payload mass and distribution for which the RPAS will remain operational.

(4) Dimension Limitations. Payload dimensions are to be defined within the scope of the centre-of-gravity of the RPAS. The operating manual should clearly state the limits on the dimensions of payloads which would adversely affect the controllability of the system in flight. If there are multiple configurations of payload dimensions (e.g. a cubic footprint and a spherical footprint) the operating manual should define the maximum limits of the payload. If the payload dimensions have been considered in making a declaration relating to advanced operational capability (e.g. sharp edges, payload contained within the airframe) the payload maximum dimensions should be established in the operating manual.

(5) Integration Limitations. Integration of the payload within the airframe should be defined within the scope of the aerodynamics of the aircraft. Payloads may be attached to the airframe in any orientation and may integrate with the electronic systems through various means (e.g. USB). The operating manual should clearly state how payloads may be integrated onto the airframe both physically and electrically to avoid hazards. Electrical hazards should be identified where appropriate especially when considering direct connections to the aircraft electrical systems. Effects on the controllable operation of the aircraft should be identified when providing information on airframe integration (e.g. if a payload is installed outside of a payload compartment). When integration of a payload has been considered as part of a declaration relating to advanced operational capabilities, limitations on changes to the specified integration methodologies must be clearly identified in the operating manual.

5.9 Command and control data link

(1) General. The importance of the command and control (C2) data link cannot be overstated. The C2 link is the only means of controlling the flight of an RPAS and is, in most cases, the most critical limiting factor in its operation. Industry has implemented various types of C2 links in order to meet specific consumer, or client needs while providing optimum reliability commensurate with the intended operation. Nevertheless, due to the complexities of the operational environments, "loss of link" events are expected to occur.

(2) Lost Link. A "loss of link" state has occurred when C2 Link is unavailable and the pilot is unable to intervene in the management of the flight. Lost C2 Links can be caused by equipment failure, human error, electromagnetic interference, or many other factors. Lost link can also be caused by radio frequency (RF) propagation related conditions such as:

  • (a) Atmosphere/weather; and
  • (b) Reflection of signals from terrain, buildings and airframe causes received RF signal level to vary with time (fade).

Note: Fades may cause temporary, self-repairing, link outages and are more probable when conducting longer range operations.

It should be a design goal to minimize the probability of a loss link state such that uninterrupted operation of the RPAS can be maintained. It is considered a best practice that RPAS have features to detect a loss link state and initiate recovery procedures to either re-establish a nominal link state, or safely recover the vehicle.

(3) Radio Standards. In Canada, Innovation Science and Economic Development Canada (ISED) regulates the use of the frequency spectrum. The manufacturer may have to contact ISED with their specific requirements and conditions for frequency allocation to support the C2 link. ISED has published Radio Standards Specifications (RSS) which define the technical parameters for radios intended for specific operations:
https://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/h_sf06129.html

(4) Design and Performance Considerations. Design of the C2 link should be commensurate with the operations of the RPAS. Most RPAS operators are unfamiliar with the impacts of EMI on their radios, and will at best have only a rudimentary understanding of RF theory and applications that may adversely affect their operations. The C2 link should be designed with a maximum theoretical range defined for the intended operation based nominally on the frequency and transmission power of the radio. Estimations for the theoretical range of a particular radio/antenna combination can be generated using the Communications Research Centre (CRC) Canada radio coverage prediction methodology (CRC-Predict):

  • (a) Performance limitations of the C2 link should be clearly identified (e.g. 2.4GHz bandwidth limitations when in proximity to other transmission sources). Limitations should clearly identify the impact on the operations of the RPAS (e.g. degraded performance, slow response, loss of video) as well as identify the considerations in developing this limitation (e.g. 2.5 km range in ideal conditions). Communicating performance limitations in quantities and terms the pilot can understand is a key consideration (as noted above). In order to design against loss of link independent and redundant data links are recommended, especially in cases where a loss of link may result in a loss of control in-flight (e.g. "fly away"). The necessity of multiple links would resolve out of the functional hazard assessment and system safety assessments done as part of evaluating the hazards for Advanced Operations.
  • (b) For a complete listing of frequency allocations and where operation is available refer to the ISED website on spectrum allocation:
    https://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/h_sf01678.html

(5) Link Security. Current radio systems are not immune to the threats of radio jamming, signal spoofing, and/or signal interception and overriding. It is recognized at the moment there are no industry standards existing that allow for a completely secure C2 link, though different technologies offer different levels of vulnerability to these threats. Operators should be aware of the risk related to operating unsecure radio transmitters and be aware of anomalous situations related to their C2 operations. To this end, if the manufacturer has any supporting information to provide on how jamming, spoofing, or interception may present themselves in their systems this information should be made available to operators to assist in maintaining a safe and secure airspace.

5.10 Operating limitations

(1) General. The RPAS manufacturer must define operating limitations as defined in CAR 901.78(c) and make them available to each owner for the intended Advanced Operations. The manufacturer should publish those limitations on the use of their RPAS to support operators in selecting the system appropriate to their specific needs. Some examples of limitations which may need to be considered are:

  • (a) The maximum expected operational range for the C2 link;
  • (b) Latencies as a function of all relevant operating conditions (note: latencies should not lead to an unsafe condition in any Flight Control System (FCS) operating mode);
  • (c) C2 link channel availability when it has the capability to use multiple channels; and
  • (d) Minimum information to be provided to the CS display.

(2) C2 Link. When evaluating technical options for C2 link radios the operational environment as well as the capabilities and limitations of specific frequencies should be kept in mind. In general, the following characteristics have been noted for the following common frequency allocations:

  • (a) 2.4 GHz occupies unlicensed radio bandwidth. Most radios operating on this frequency use the IEEE 802.11 standards (e.g. Wi-Fi) and the frequency is in very common use to the point of crowding the band. As a result, it is recommended that this frequency be used for systems aimed at operating away from a large number of radio transmitters (e.g. urban areas). Items which may interfere in this frequency range include Wi-Fi routers, Bluetooth devices, microwave ovens, wireless microphones and keyboards.
  • (b) 5.8GHz occupies unlicensed radio bandwidth. Most radios operating on this frequency use the Wi-Fi standard. 5.8 GHz Wi-Fi radios will typically have more bandwidth available than 2.4 GHz Wi-Fi radios, and while more resistant to interference, are not immune to losing bandwidth in the presence of other 5.8 GHz sources. As a result, it is recommended that this frequency be used for systems aimed at operating away from areas where other 5.8 GHz are present. Some items which may interfere in this frequency range include cordless phones, AC power supplies, and other RPAS.
  • (c) 5040-5050 MHz (C-Band) – C-Band occupies licensed radio bandwidth. As a result RPAS that use these radios require operators hold licenses issued by ISED. These frequencies have been identified as usable for high reliability systems. Design criteria for C-Band radios can be found in TSO-C213 and the supporting documents. These radios are recommended for more robust operations, and in areas approved by ISED. For more information on licenses refer to the ISED website:
    https://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/h_sf10772.html
  • (d) L-Band, Satellite Communications and others – While it is noted there are dozens of other technologies that may be used to fulfill the C2 capability (including cellular radios) they primarily operate within licensed frequencies and as a result will have similar characteristics to the C-Band radios above (albeit with different sources of interference). Again, care should be used when selecting which radios should be used based on the operational environment of the RPAS.

(3) System Options for Limiting Operations. In addition to specific uses, there are a number of operating limitations that relevant aviation authorities may impose on the operation of RPAS (e.g. above 400 feet AGL, over correctional institutions, in restricted airspace). While it is the responsibility of the operator to ensure they are abiding by the aviation regulations and codes of the jurisdictions in which they are operating, a number of manufacturers include functions which assist operators in respecting jurisdictionally imposed operational limitations. An example of such technologies are "Geo-Fencing" and "Altitude Limiters." These technologies allow restrictions to be set within the RPAS flight controller related to specific areas of operation. While these types of systems are not currently required by regulations, their incorporation is considered a best-practice aimed at minimizing the risk to aviation. The operator's manual should provide clear instructions for enabling these features including override functions and their limitations.

(4) Control of Multiple Systems. CAR 901.40(1) provides for the operation of multiple RPA from a single CS provided that system and control station has been designed to perform these functions. RPAS manufacturers must provide instructions for operation of multiple RPAs from a single CS and the limitations in the operating manual. These instructions should define how to manage, coordinate, and control the RPA under both normal and abnormal operations. It should consider:

  • (a) The maximum number of RPA to be controlled from a single control station at any given time; though the regulations that number to five RPA at a time;
  • (b) Control each individual RPA;
  • (c) Pausing and/or cessation of control; and
  • (d) Control handover to another CS if applicable.

These CS and RPAS operations should be validated by flight testing to evaluate the user interface, the procedures and the pilot workload (human factors).

6.0 Methods for demonstrating compliance

(1) RPAS Manufacturers are required to declare the compliance of their system against the safety assurance requirements of Standard 922 which are transcribed at paragraph 5.3(1) for convenience. While section 5.0 outlined general RPAS design considerations, this section focusses on methods for demonstrating compliance with the safety assurance requirements. These safety assurance requirements are based on the risk these operations pose to the public, and the expectations the public has regarding the reliability of aeronautical products.

(2) For operations near and over people, evaluation of the failure modes and their potential injury severity is the key aspect of ensuring the design is safe and that the RPA does not create undue hazards to persons on the ground. Though accidents are likely to occur, there should be a high level of confidence that the injury likely to be sustained are not life threatening. The following sub sections describe the considerations that should be taken to develop a high level of confidence in the design of the RPA. Further considerations and potential means of compliance to demonstrate the level of confidence in the RPA design as it pertains to operations near and over people are outlined in Appendix B and C.

6.1 Operations in controlled airspace

(1) General. For RPAS operating in controlled airspace CAR Standard 922.04 requires that design requirements are met to allow for communication of position and altitude to air traffic controllers and other participant aircraft with the specified level of accuracy. While it is acknowledged that accuracy requirements alone do not provide any additional robustness or system reliability objectives, the intent is to provide a minimum required accuracy for position and altitude such that other users of the airspace are accurately made aware of any potential hazard the RPA may pose.

(2) Position Accuracy. A system position accuracy of +/-10m has been identified as the minimum accuracy for position within controlled airspace. Most modern Global Navigation Satellite System (GNSS) technologies can easily achieve this accuracy nearly 100% of the time. Considerations should be taken to ensure that this accuracy can be maintained while in degraded modes of operation, and in all portions of the proposed operational space (e.g. considerations for buildings, trees, valleys etc.). The accuracy should be clearly identified in the limitations portions of the operating manual.

(3) Altitude Accuracy. A system altitude accuracy of +/- 16m has been identified as the minimum accuracy for altitude within controlled airspace. Most modern GNSS technology can achieve this accuracy using the WGS-84 geodetic datum. Consideration should be taken when designing altitude measurement systems that differences between ground level, sea level, and various geodetic datum are taken into account.

(4) Errors. Accuracy is a probabilistic measurement based on assumptions related to the quality and integrity in a constantly changing environment. It is important to understand the errors that may contribute to degradation of accuracy and take these into account as part of the overall design error budget. Examples of sources of errors adversely affecting accuracy are identified below.

  • (a) Terrain Errors. GNSS signals are also subject to errors caused by the terrain. Terrain masking of the signal, for example by a building or mountain, blocks the antenna on the RPAS from receiving the satellite signal. A GNSS signal reflected by the landscape such that the receiver now receives "additional" signals which can create confusion and may need to be processed out to avoid creating position errors.
  • (b) Atmospheric Errors. Atmospheric errors are caused by the Ionosphere and the Troposphere, which are both capable of refracting GNSS radio signals. Ionospheric Density is diurnally dependent, which means that it varies with time of day (or night). The density is affected by, among other factors, humidity, temperature and pressure. These variations adversely affects the "signal speed x time" equation built into GNSS position calculations. To correct for these errors, a number of steps are taken. Troposphere errors can be caused by moisture absorbing/refracting signal and cause errors up to 6m. Ionosphere errors can be caused by the atmospheric refraction of the GNSS signals and may be up to 40-60 m by day and 6-12 m at night. These errors can be mitigated by the use of multi-frequency receivers, selection of masking angle, and/or the use of augmentation systems (either ground-based, such as Local Area Augmentation System [LAAS], or space-based, such as European Geostationary Navigation Overlay Service [EGNOS]).
  • (c) Satellite Errors. These are errors resulting from poor or unexpected geometries related to the positions of the GNSS satellites in reference to an RPAS. Gravitational effects of the Sun and Moon may pull the SV from planned orbital path. Solar Radiation creates EMI prior to the signal hitting the atmosphere.
  • (d) Geometric Dilution of Precision (DOP). DOP occurs when there is no adequate cross cut in the "fix" (i.e. all satellites are all too closely located to each other). The consequence is that all of the signals are vulnerable to same errors from the atmosphere. Errors can occur in the horizontal (H), the vertical (V) and in time (T).

6.2 Operations near people

(1) General. CAR 901.62(b) allows operations of an RPA at a distance of 30m (100ft) but not less than 5m (15ft) of a person, except for crew member or person involved in the operation. This permission is only granted to RPAS for which a declaration was submitted by the manufacturer having confirmed that it is fit for operations near people. CAR Standard 922.05 identifies two technical requirements which are to be verified before a declaration is made. The manufacturer must also publish all associated limitations for operations near people (e.g. speed limits, allowed operational modes) in the operating manual.

(2) Protection Against Injury to Persons on the Ground

  • (a) General. The RPAS design must be assessed to show that the probability of occurrence of any single failure which may result in a severe injury to a person on the ground within 30m of the RPA while in operation is remote. This requirement is meant to protect people not associated with the operation of the RPAS from being severely injured or killed as a result of unreliable or unsafe system designs for this kind of operation.
  • (b) Single Failure. The principle of "no single failure" allows for the implementation of system architectures using redundancy to increase reliability of the overall RPAS. While it is acknowledged that certain single failures may occur without adversely affecting the capability to control and recover the RPA following the published non-normal or emergency procedures, the single failures referred to in this technical requirement are those in which no controlled recovery is possible. Some examples are identified below:
    • (i) Flight control failure leading to a stall;
    • (ii) Antenna failure leading to a flyaway;
    • (iii) Motor winding failure leading to an engine failure; and
    • (iv) Electrical short leading to a fire.
  • Safety features may be incorporated in the design to mitigate to risk of injury to people on the ground (see section 6.4 on injury severity). Possible safety features are identified below:
    • (i) Stall warning;
    • (ii) Parachute;
    • (iii) Frangible design;
    • (iv) Soft materials;
    • (v) Rotor shrouds;
    • (vi) A flight envelope protection system;
    • (vii) A battery/fuel gauge and a warning when the battery/fuel is low;
    • (viii) Commanding the aircraft to land when the battery/fuel is low;
    • (ix) A return to home function; and
    • (x) A fast-acting rotor/propeller braking means.
  • (c) Remote. The term "remote" implies a probability prediction for a specific failure scenario. A safety assessment must be conducted for the elements on the RPAS in order to substantiate any probability prediction. Refer to Appendix B for further guidance; it should be clearly noted that this Appendix uses standard aviation terminologies and processes to perform a system safety assessment.
  • (d) Methods of Evaluation. Compliance with the safety assurance requirements entails the assessment of the injury sustained by persons on the ground as a result of each failure condition and the determination of the probability of their occurrence per flight-hour. The objective is for the RPAS manufacturer to demonstrate that the likelihood of the RPA inflicting severe injuries (AIS 4 to 6) to persons on the ground as a result of a failure condition is remote. A procedure for evaluating the injury severity is provided in Appendix C.
AC-992-001-figure1
Figure 1 - Operations Near People Safety Assessment Compliance Flowchart

Flowchart which shows a potential method of analysing compliance with an operations near people safety assessment. "Operations near people" starts at the top and each decision moves downward as follows: "Perform Failure Analysis" then "Identify each failure", then "Classify injuries to people within 30 meters but not less than 5 meters from the operating RPA for each failure combination identified" then "Is injury classification equal or worse than AIS 4?" No - "Compliant"; "Document analysis and associated compliance evidence". Yes - "Is failure probability remote or less?" No - "Mitigation or redesign required" back to "Perform Failure Analysis" Yes - "Compliant"; "Document analysis and associated compliance evidence".

(3) Warning and Alerts.

  • (a) General. Warnings and alerts on the CS are intended to inform the pilot when conditions exist which may impact RPAS safe flight operation. In the event that failures or unsafe conditions exist where an alert is presented to the pilot, the warning and alerting system must be designed to provide conspicuous indications minimizing the possibility of pilot errors which could exacerbate the situation. The safety objective is to design systems that support pilot duties by providing timely, accurate, and intuitive information for safe RPA operation.
  • (b) Minimization of Pilot Errors. Failures and errors are an inevitability in any operation, the goal of warning and alerting systems is to minimize their occurrence commensurate with their impact on the safe flight and operation of the RPAS. The design should therefore be subjected to reviews, assessments, and testing to assure critical information for safe operation is presented to the pilot in an intuitive form while minimizing the occurrences of erroneous or misleading information.
  • (c) Methods of Evaluation. Evaluation of the warning and alerting systems should be done in conjunction with flight tests evaluating the handling qualities of the aircraft in order to evaluate the human machine interface and handling qualities during the RPAS development. The guidance in FAA AC 25.1322-1 – Flight Crew Alerting is appropriate for the design of warning and alerting system.
    • (i) Human Machine Interface. In order to evaluate the various capabilities of the aircraft and their impact on the pilots, the manufacturer should split the operation into discrete tasks (e.g. perform pre-flight check, perform a take-off, recover from lost link). These tasks should have procedure definitions with acceptable performance criteria identified. These tasks should be broken down to a level in which the targeted user class (e.g. experienced RPAS pilot, beginner RPAS pilot) can understand the operation. In order to evaluate the pilot workload associated with the task, the Bedford Pilot Workload Rating Scale (Figure 1 – Bedford Pilot Workload Rating Scale) is recommended to guide test pilots evaluation of the suitability of the design to perform the task. While it is acknowledged that human machine interfaces (HMI) continue to evolve in layout and symbology, in the absence of standardized user interfaces MIL-STD-1472 (current version) – Design Criteria Human Engineering – is a good guide for the design and evaluation of human responses. In general, due to the nature of HMI being primarily software based, the interface should continue to evolve to meet the needs identified by the user base over the development lifecycle.
    • (ii) Handling Qualities. The current aviation standard for evaluating the handling qualities of aircraft is the Cooper-Harper rating system. While performing flight envelope maneuvers and piloting tasks (as recommended above), it is recommended the test pilot evaluate the ease of use of the system using the Cooper-Harper, Cranfield Aircraft Handling Qualities Rating Scale, or other equivalent evaluation methodology. The results of these tests are to be evaluated and additional design or implementation refinement should be made to resolve identified issues. It is expected all piloting tasks fall within the range of 1 to 6 on the Cooper-Harper scale in order for the system to be considered acceptable. When tasks have an evaluated value between 4-6, it is recommended that operational limitations, guidance, or procedures be provided in the operators manual to help prepare pilots to manage workload around those tasks.
AC-992-001-figure2
Figure 2 Bedford Pilot Workload Rating Scale

Decision tree diagram used to assess and rank the workload associated with pilot tasks. Evaluation starts at the bottom (Pilot Decisions) and moves upwards through each logic gate as follows: Was it possible to complete the task? No—Task abandoned. Pilot unable to apply level of effort required for the task. Workload rating 10. Yes—next question: Was workload tolerable for the task? No—Extremely high workload. No spare capacity. Serious doubts as to ability to maintain level of effort. Workload rating 9. No—Very high workload with almost no spare capacity, difficulty in maintaining the level of effort. Workload rating 8. No—Very little spare capacity, but maintenance of effort in the primary tasks not in question. Workload rating 7. Yes—next question: Was workload satisfactory without reduction? No—Little spare capacity; Level of effort allows little attention to additional tasks. Workload rating 6. No—Reduced spare capacity; additional tasks cannot be given the desired amount of attention. Workload rating 5. No—Insufficient spare capacity for easy attention to additional tasks. Workload rating 4. Yes—Enough spare capacity for all tasks. Workload rating 3. Yes—Workload low. Workload rating 3. Yes—Workload insignificant. Workload rating 1.

6.3 Operations over people

(1) General. CAR 901.62(c) allows operations of an RPA at a distance of less 5m (16.4ft) from a person on the ground. This permission is only granted to RPAS for which a declaration was submitted by the manufacturer having confirmed that it is fit for operations over people. Standard 922.06 identifies the three key technical requirements that must be verified before a declaration is made. A description of means incorporated in the design to prevent exceeding operating limits when flying over people along with associated limitations for operations over people should be published in the operating manual.

(2) Protection Against Injury to Persons on the Ground

  • (a) General. The RPAS must be assessed to show that the design precludes the occurrence of any single failure which may result in a severe injury to a person on the ground within 5m of the RPA while in operation. In addition, any failure combinations which may result in a severe injury must be remote. These requirements are meant to protect people not associated with the operation of the RPAS from being severely injured or killed as a result of unreliable or unsafe system designs for this kind of operation.
  • (b) Single Failure. Consideration for the evaluation of single failures is similar to the considerations made for operations near people; see section 6.2(3)(b). The RPAS design should therefore provide for additional reliability which may be provided through architectural means such as redundancy, independence, and high development assurance levels. Any safety assessment must consider common modes and common cause failures.
  • (c) Failure Combinations. The safety assurance requirements specify that any failure combinations which may result in severe injury be evaluated to show that their combined probability of occurrence is remote.
  • (d) Remote. Refer to section 6.2(3)(c) for guidance on the use of the term "remote".
  • (e) Methods of Evaluation. The methods of evaluating compliance are identical to those for operations near people in section 6.2(3)(d). Operations over people require a demonstration that severe injuries will not result from a single failure condition irrespective of its probability of occurrence.
AC-992-001-figure3
Figure 3 - Operations Over People Safety Assessment Compliance Flowchart

Flowchart which shows a potential method of analysing compliance with an operations over people safety assessment. "Operations over people" starts at the top and each decision moves downward as follows: "Perform Failure Analysis" then, on the left side of the diagram: "Identify Failure Combinations", then "Classify injuries to people within 5 meters of the operating RPA for each failure combination identified" then "Is injury classification equal or worse than AIS 4?" No - "Compliant"; "Document analysis and associated compliance evidence". Yes - "Is failure probability remote or less?" No - "Mitigation or redesign required" back to "Perform Failure Analysis" Yes - "Compliant"; "Document analysis and associated compliance evidence". On the right side of the diagram, "Identify each failure", then "Classify injuries to people within 5 meters of operating RPA for each failure identified", then "Is injury classification equal or worse than AIS 4?" No - "Compliant"; "Document analysis and associated compliance evidence". Yes - "Mitigation or redesign required" back to "Perform Failure Analysis".

(3) Warning and Alerts

  • (a) The same procedures and design criteria need to be taken into account for the design of systems operating over people as systems design to operate near people; see section 6.2(3).

6.4 Classification of injury severity

(1) General. Both CAR Standard 922.05 and 922.06, as well as CAR 901.78(c)(v) & (vi) apply a scale to classify the injury that may be inflicted to a person on the ground as a result of a malfunctioning RPA. The classification of "severe injury" is selected for evaluating the maximum acceptable injury that may be sustained and establishes the objectives required to meet the RPAS safety assurance requirements for operations near and over people. The Abbreviated Injury Scale is the primary industry standard with respect to evaluation of injury, though this may not be the only standard for determining injury severity.

(2) Abbreviated Injury Scale (AIS). The AIS was introduced in 1969 to help physicians and medical professionals classify various types of injuries, and this scale has been used around the world for decades as the de facto standard in evaluating injuries. The current version recognized in Canada is AIS 2005 Update 2008, which classifies a Severe Injury (AIS-4) having a probability of death from the injury up to approximately 50%. The AIS is developed and maintained by the Association for the Advancement of Automotive Medicine (AAAM).

(3) Determining a Severe Injury. There are many methods by which an AIS-4 injury may be evaluated. For trauma injuries related to the impact of an RPAS, these have generally be considered with respect to the kinetic energy transferred from an RPAS to a person during an impact. There have been various levels of kinetic energy proposed related to when an impact may result in a severe injury, some of this is backed by laboratory research and field experience. This circular considers energy transferred to the head, neck, or chest of a person as the worst case that may result in a severe injury. Initial rule making activities in Canada (CARAC UAV Systems Program Design Working Group - Phase 1) and the United States (Micro-UAS Advisory Rulemaking Committee) identified 12J/cm2 as being the maximum allowable during an impact to avoid a serious (AIS-3) injury. This value was notionally validated by the work done in the FAA ASSURE impact to persons on the ground research.

(4) Operations Near and Over People. CAR Standard 922.05 and 922.06 both identify the need to constrain the probability of a severe injury to "remote" for various failure modes. Development of an RPAS for these types of operations necessitates an evaluation of the capacity of the RPA to inflict sever injuries. It is acknowledged there are many design approaches may be used to minimize the injury severity in the case of failures. These include but are not limited to:

  • (a) Structural design features such as:
    • (i) Soft materials; and/or
    • (ii) Frangible materials.
  • (b) Additional protective equipment such as:
    • (i) Parachutes; and/or
    • (ii) Inflatable capsules (e.g. "airbag").

(5) Methods of Evaluation. The RPAS manufacturer must evaluate the probability the RPAS will cause severe or worse injuries. There are many types of tests, analyses, and/or evaluations which may serve this purpose. For RPAS which have significant service history and failure tracking there may be sufficient evidence to support compliance with the standards defined in CAR Standards 922. For designs which service history may not be available, or which operate over people, Appendix C provides guidance on a test procedure to evaluate the RPAS capacity for injury severity. Where tests have determined the inherent design characteristics of the RPA will not result in a severe injury (e.g. test criteria falls within those defined in Appendix C) there is no need to evaluate the probability of failures (Appendix B).

7.0 Modifications

(1) General. CAR 901.70 provides for the modification of RPAS by third parties. In other words, modifications performed by a party other than the manufacturer. In general, modifications should be made in accordance with the manufacturer's recommendations. Manufacturers should publish guidance on the extent to which their RPAS may be modified without invalidating the declared capabilities of the system.

(2) Extent of Modifications. Modifications may fall into one of two categories: (1) modifications which affect the declared capabilities of the RPAS, and (2) modifications which do not affect the declared capabilities of the RPAS. It is the responsibility of the party making the modification to evaluate whether there is an effect on the declared capabilities, specifically as they apply to the technical and documentation requirements set out in CAR 901.78. Evaluation of the impact of modifications may require coordination with the RPAS manufacturer to obtain detailed technical information. No notification to the Minister is necessary for modifications that do not alter the RPAS's declared capabilities (or continued satisfaction of CAR Standard 922 technical requirements). Otherwise, the modifier has responsibility to make a new declaration when a modification invalidates the RPAS manufacturer's declaration.

(3) RPAS Modifier Obligations. The RPAS modifier has the same obligations of the RPAS manufacturer as outlined at Section 4.0.

(4) Limitation for Modified RPAS. A modified RPAS will be limited to Basic Operations unless the RPAS modifier makes a new declaration for modifications that invalidate manufacturer's declaration.

8.0 Beyond Visual Line of Sight (BVLOS)

(1) Reserved

9.0 Information management

(1) Not applicable

10.0 Document history

(1) Not applicable

11.0 Contact office

For more information, please contact:

Transport Canada RPAS Task Force, Engineering (AARV)
4th Floor, Place de Ville, Tower C
330 Sparks Street, Ottawa, ON, K1A 0N8

E-mail address: TC.RPASInfo-InfoSATP.TC@tc.gc.ca
Suggestions for amendment to this document are invited, and should be submitted via the contact information above.

Document approved by

Jeremy Fountain
Acting Director, RPAS Task Force

Appendix A – Recognized industry consensus standards

Documentation

ASTM F2908-18 Standard Specification for Unmanned Aircraft Flight Manual (UFM) for an Unmanned Aircraft System (UAS)

ASTM F2909-14 Standard Practice for Maintenance and Continued Airworthiness of Small Unmanned Aircraft Systems (sUAS)

ASTM F2911-14e1 Practice for Production Acceptance of a Small Unmanned Aircraft System (sUAS)

ASTM F3003-14 Specification for Quality Assurance of a Small Unmanned Aircraft System (sUAS)

Electrical Systems

UL 3030 Standard for Unmanned Aircraft Systems

ASTM F2639-15 Standard Practice for Design, Alteration, and Certification of Aircraft Electrical Wiring Systems

ASTM F2490-05(2013) Standard Guide for Aircraft Electrical Load and Power Source Capacity Analysis

SAE AS 4805-2007, Solid State Power Controller, General Standard For

SAE AS 50881F, Wiring Aerospace Vehicle

Equipment

ASTM F3322-18 - Parachutes

ASTM F3002-14a Standard Specification for Design of the Command and Control System for Small Unmanned Aircraft Systems (sUAS)

ASTM F3005-14a Standard Specification for Batteries for Use in Small Unmanned Aircraft Systems (UAS)

SAE AS 8033, Nickel Cadmium Vented Rechargeable Aircraft Batteries (Non-Sealed, Maintainable Type)

SAE J3042-2015, Measuring Properties of Li-Battery Electrolyte

SAE J3021-2014, Recommended Practice for Determining Material Properties of Li-Battery Cathode Active Materials

SAE ARP 5724, Aerospace - Testing of Electromechanical Actuators, General Guidelines For

TSO-C213-Unmanned Aircraft Systems Control and Non-Payload Communications Terrestrial Link System Radios

Human Factors Evaluation

ISO 9241-210

MIL-STD-46855A

Aeronautical design standard performance specification handling qualities requirements for military rotorcraft ADS-33E-PRF

Display Guidance: AC23.1311-1C

Software

ASTM F3201-16 Standard Practice for Ensuring Dependability of Software Used in Unmanned Aircraft Systems (UAS)

ASTM F3269-17 Standard Practice for Methods to Safely Bound Flight Behavior of Unmanned Aircraft Systems Containing Complex Functions

RTCA DO-178C

Safety Assessment

AC 23.1309-1E

JARUS AMC RPAS.1309, Safety Assessment of Remotely Piloted Aircraft Systems

SAE ARP 4761, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment

SAE ARP 4754a – Guidelines for Development of Civil Aircraft and Systems

ASTM F3309/F3309M - Standard Practice for Simplified Safety Assessment of Systems and Equipment in Small Aircraft

ASTM F3230 – Standard Practice for Safety Assessment of Systems and Equipment in Small Aircraft

Aircraft F3389/F3389M-20 Standard Test Method for Assessing the Safety of Small Unmanned Aircraft Impacts – Method A for RPA MTOW <1 kg, Method B for RPA MTOW <4 kg and Method C for others using the thresholds identified in Appendix C of this document.

Design Specifications

ASTM F3298-19 Standard Practice for Design, Construction, and Verification of Fixed-Wing Unmanned Aircraft Systems (UAS)

EU CE Designations, Appendices 2-5

JARUS CS-LUAS, Recommendations for Certification Specification for Light Unmanned Aeroplane Systems

JARUS CS-LURS, Certification Specification for Light Unmanned Rotorcraft Systems

STANAG 4703 Light UAV System Airworthiness Requirement for NATO UAV Systems

TCCA SI 623-001 Issue 02 Appendix C

Note: Satisfying the standards that have been developed for large systems and/or traditionally piloted aircraft is one acceptable means of compliance but not mandatory for the operation of small RPAS.

Appendix B – System safety assessment

1.0 Scope

(1) The appendix offers guidance to assist manufacturers in assessing the safety of their RPAS intended for Advanced Operations. This guidance is suitable for existing RPAS and the development of new systems.

2.0 Acceptable methods

(1) The preferred industry standard developed for aeronautical products is SAE ARP 4761 – Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment. RPAS manufacturer may choose to conform to other acceptable methods and processes for conducting a system safety assessment provided that they are documented such that they are consistently adhered to and that artifacts and evidence generated from those processes are auditable. It is recommended that RPAS manufacturers endorse rigorous standards and practices suitable for the aviation industry to the maximum extent as possible.

(2) Advisory material published by TCCA, and that of other civil aviation authorities acceptable to TCCA, may be used in conjunction with acceptable methods for performing the system safety assessment process. Namely JARUS AMC RPAS.1309, FAA AC 23.1309-1E, AC 25.1309-1A, AC 27-1B and AC 29-2C may be used to complement the guidance of this AC.

3.0 Classification of failure conditions (severity)

(1) TCCA endorses the same failure criticality classification and associated safety objectives as those defined by airworthiness standards for type certification, AC 23.1309 or the most recent version. The criticality classifications and safety objectives adapted to RPAS are outlined in Table B-1:

Table B-1 – Criticality classification and safety objective
Criticality Classification Definition applied to RPAS Safety Objective
Catastrophic Failure conditions that could result in one or more fatalities. Extremely Improbable
Hazardous Failure conditions that would reduce the capability of the RPAS or the ability of the pilot to cope with adverse operating conditions to the extent that there would be the following:
  • (i) Loss of the RPA where it can be reasonably expected that a fatality will not occur, though people on the ground will sustain severe injuries, or
  • (ii) A large reduction in safety margins or functional capabilities, or
  • (iii) High workload such that the pilot cannot be relied upon to perform their tasks accurately or completely.
 Extremely Remote
Major Failure conditions that would reduce the capability of the RPAS or the ability of the pilot to cope with adverse operating conditions to the extent that there would be a significant reduction in safety margins, functional capabilities or separation assurance. People on the ground may not sustain severe injuries. In addition, the failure condition has a significant increase in pilot workload or impairs remote pilot efficiency. Remote
Minor Failure conditions that would not significantly reduce RPAS safety and that involve crew actions that are within their capabilities. Minor failure conditions may include a slight reduction in safety margins or functional capabilities, a slight increase in pilot workload, such as flight plan changes. Probable
No effect in safety Failure conditions that would have no effect on safety. For example, failure conditions that would not affect the operational capability of the RPAS or increase the pilot workload. No probability requirements

4.0 Safety objectives

(1) TCCA defines the following safety objectives prescribing quantitative probability targets commensurate with the MTOW of the RPA.

  • (a) The cumulative probability for catastrophic events (PCUM) represents the summation of probabilities for each catastrophic failure condition taking into account the failure contributions of the RPA and its sub-systems, including propulsion, navigation, C2 link, as well as the other elements of the RPAS.
  • (b) The targeted cumulative probability (PCUM) per flight-hour (FH) of all catastrophic events is established in Table B-2 by weight category as follows:
Table B-2 – Cumulative probability per flight-hour
RPA Weight Category Probability per FH
For MTOW below 4 kg PCUM = 10-2
For MTOW between 4 kg to 15 kg PCUM = 10-3
For MTOW between 15 kg to 25kg PCUM = .001 / MTOW
  • (c) The safety objectives expressed quantitatively for each failure criticality classification taking account of the PCUM for each RPA weight category are expressed in Table B-3 as follows:
Table B-3 – Safety objectives
Failure Criticality Classification Safety Objective
Qualitative Term Numerical Probability per FH
Catastrophic Extremely Improbable = PCUM/100
Hazardous Extremely Remote = PCUM/10
Major Remote = PCUM
Minor Probable = 10 x PCUM
  • (d) The RPAS manufacturer must therefore demonstrate that the RPA S design achieves the applicable safety objective of Table B-3 for demonstrating compliance which meet the safety assurance requirements prescribed by CAR Standard 922 for Advanced Operations namely:
    • (i) Operations near people:
      • (A) The occurrence of any single failure of the RPAS which may result in a severe injury to a person on the ground within 30m of the RPA in operation must be shown to be remote.
    • (ii) Operations above people:
      • (A) No single failure of the RPAS may result in a severe injury to a person on the ground within 5m horizontal of the RPA in operation. This being irrespective of their associated failure probability.
      • (B) The occurrence of any combination of failures of the RPAS which may result in a severe injury to a person on the ground within 5m horizontal of the RPA in operation must be shown to be remote.

5.0 Development process

(1) The engineering system used for the development of the RPAS will significantly contribute to the degree of confidence in the RPAS performing as intended. The RPAS manufacturer should follow a suitable development process in order to provide an adequate level of confidence that design requirements are correctly implemented through successive validation and verification activities. The objective is to minimize the likelihood of errors which may adversely affect the performance of the RPAS and create hazards to people on ground.

(2) Though the preferred standard developed for aeronautical products is SAE ARP 4754 – Guidelines for Development of Civil Aircraft and Systems, RPAS manufacturers should follow processes that provide an equivalent degree of confidence. The RPAS manufacturer's engineering system should be documented such that procedures and processes are consistently adhered to and that artifacts and evidence generated traceable and thereby auditable.

(3) As per point 2 of this section, a System Safety Assessment should be performed for the RPAS (including all contributions coming from the RPA, CS, Data Link and any other equipment necessary to operate the RPAS). This assessment should include a Functional Hazard Analysis, a Failure Mode Effect and Criticality Analysis and a Fault Tree Analysis.

(4) It must be verified that the probability of failures expected to result in at least uncontrolled flight (including flight outside of pre-planned or contingency flight profiles/areas) and/or uncontrolled crash is remote.

(5) A minimum essential set of Built-In-Tests (BIT) should be done, and each configuration software item whose failure could lead to uncontrolled flight and/or crash should be equivalent to Design Assurance Level (DAL) D as per RTCA DO-178C / ED-12C, or follow ASTM F3201-16 and ASTM F3269-17, or equivalent.

Appendix C – Severe injury test methodology

1.0 Discussion

1.1 Intent of tests

(1) The intent of the tests is to assess the safety of RPAS operations involving flight operations over people, and thus the potential for severe injury (see Section 6.4 for definition of severe injury) to a person on the ground. This test evaluates the trauma to a person impacted by a head strike, or chest strike. By performing these tests, the manufacturer can correlate between reaction of dummy head impact G's (force of acceleration due to gravity) and RPAS kinetic energy, and set operational limits that correspond to injury thresholds established in this AC. The manufacturer should understand the correlation of the test with AIS scale. Also, this guidance allows for determination of existing RPAS designs' injury potential during a collision with a person on the ground, and encourages designers/manufacturers to modify the RPAS accordingly to reduce injury potential.

(2) Secondary Impacts. This procedure assumes that the majority of energy will be transferred from the RPA to the initial person struck. As such, the procedures do not specifically measure or evaluate the speed, acceleration, or orientation of the RPA after the impact. If the manufacturer expects the specific design may create hazards following an initial impact it is recommended that the effect of secondary impacts to persons be evaluated in a similar manner as prescribed in this appendix.

1.2 Operating environment

(1) The manufacturer should have an understanding of the actual operating environment in which the system is designed to function. For example, if the manufacturer intends for operations with 30km/h gusts when operating over people, the critical conditions defined should take into consideration the influence of the gust on the terminal velocity used for these tests.

1.3 Standardized test procedures—Reason and practicalities

(1) The tests described in this circular are standardized procedures generally regarded as the minimum necessary to develop the flight envelope of an RPAS in a way that provides for assurance of the safe use of the system in the advanced environment. Standardized procedures seek to obtain consistent results between different test facilities. These facilities may be of varying types; often they are not under the direct control of the designer or manufacturer of the article under test. To foster industry standardization, this circular describes many of the procedures and evaluations that are already accepted (or in the process of becoming accepted) as part of industry standards.

1.4 Acknowledgement

(1) These methodologies are based on methods researched by the FAA Center for Excellence for Unmanned Aerial Systems (UAS) supported by the Alliance for System Safety of UAS Through Research Excellence (ASSURE). These methods expand on extensive research and testing conducted by the automotive industry to support quantitative automotive passenger safety standards and testing and test data on RPAS collected by ASSURE. This appendix presents deltas on interpretation that will be resolved with further experience on real case scenarios, or further testing.

2.0 References

(1) ASTM F3322 – Parachutes

(2) Assessment of Head Injury Criteria Potential During Aircraft Longitudinal Impact. The Eight Triennial Aviation Fire and Research Conference Richard Deweese FAA Civil Aerospace Medical Institute, October 27 2016

(3) DOT/FAA/AM-17/9 Office of Aerospace Medicine Washington, DC 20591 Assessment of Head and Neck Injury Potential During Aircraft Longitudinal Impacts Civil Aerospace Medical Institute Federal Aviation Administration February 2017 Richard L. DeWeese, David M. Moorcroft, M.M.G.M. Philippens

(4) Development of Improved Injury Criteria for the Assessment of Advanced Automotive Restraint Systems – II November 1999

(5) European new car assessment Program (Euro NCAP) Pedestrian Testing Protocol Version 8.4 November 2017

(6) FAA UAS Center of Excellence Task A4: UAS Ground Collision Severity Evaluation Revision 2 Mr. David Arterburn, Principal Investigator – arterbd@uah.edu Director, Rotorcraft Systems Engineering and Simulation Center The University of Alabama in Huntsville, Dr. Mark Ewing – mewing@ku.edu Associate Professor and Director of the Flight Research Laboratory The University of Kansas 28 Apr 2017

(7) FAA AC 25.562-1B - Dynamic Evaluation of Seat Restraint Systems and Occupant Protection on Transport Airplanes / with Change 1 January 10, 2016

(8) Federal Motor Vehicle Safety Standards 208 (FMVSS 208)

(9) Final Report of Workshop on Criteria for Head Injury and Helmet Standards Scientific Editors: Harold Fenner, Jr., Daniel J. Thomas, Thomas Gennarelli, Frank A. Pintar, Edward B. Becker, James A. Newman, Narayan Yoganandan, Department of Neurosurgery, Medical College of Wisconsin December 16, 2005

(10) Moderate Overlap Frontal Crashworthiness Evaluation Guidelines for Rating Injury Measures September 2014

(11) National Highway Traffic Safety Administration Test Procedure TP208-14 Appendix A (Part 572E (50th Male) Dummy Performance Calibration Test Procedure

(12) Prasad P, Mertz HJ. The position of the United States Delegation to the ISO Working Group 6 on the use of HIC in the automotive environment. Warrendale, PA. Report No.: SAE 851246,1985.

(13) SAE J1727 Issued 1996-08 Revised 2015-02 Calculation Guidelines for Impact Testing

(14) SAE International. Sign Convention for Vehicle Crash Testing. Warrendale, PA: SAE International; Dec. 1994; SAE Surface Vehicle Information Report No: J1733.

(15) SAE International. Instrumentation for Impact Test – Part 1- Electronic Instrumentation. Warrendale, PA: SAE International; 2014; Surface Vehicle Recommended Practice No: J211/1.

(16) SAE International. Instrumentation for Impact Test – Part 2- Photographic Instrumentation. Warrendale, PA: SAE International; 2014; SAE Surface Vehicle Recommended Practice No: J211/2.

(17) SAE J2570: Performance Specifications for Anthropomorphic Test Device Transducers

(18) The Abbreviated Injury Scale 2005 - Update 2008, Barrington, Illinois, Association for the Advancement of Automotive Medicine, 2008.

(19) Transport Canada UAV systems program design working group phase 1 final report march 2012

(20) United Nations [UN] Global Technical Regulation [GTR] n°9, Pedestrian Safety, November, 12, 2008.

(21) UN Regulation n°94 (R94), Uniform provisions concerning the approval of vehicles with regard to the protection of the occupants in the event of a frontal collision, August, 20, 2013.

(22) US Code of Federal Regulations, Title 14, Part 25.562. Airworthiness Standards: Transport Category Airplanes, Emergency Landing Conditions. Washington, DC: US Government Printing Office, 1988.

(23) US Code of Federal Regulations, Title 14, Part 23.562. Airworthiness Standards: Transport Category Airplanes, Emergency Landing Conditions. Washington, DC: US Government Printing Office, 1988.

(24) US Code of Federal Regulations, Title 49, Part 571.208. Occupant Crash Protection. Washington, DC: US Government Printing Office, 2011.

3.0 Standardized test procedures—Relationship to design

(1) As stated above, the tests are standardized by necessity, and are presented below.

  • (a) Third Party. The dynamic tests are performed with an anthropomorphic test device (ATD), Hybrid III—representing approximately the 50th percentile male.
    • (i) Third Party Weight. A 50th percentile ATD provides for an assessment against the widest range of Third Parties.
  • (b) Test conditions. This circular describes six (6) basic types of dynamic test procedures (see Figures C-1 through C-6): a test where the predominant impact vector is vertical, three tests where the dominant impact vector is horizontal, and two tests using a worst case vector defined by flight testing showing different failure conditions. These procedures address the tests required to demonstrate a safe flight envelope for operating over people. Additional tests may be necessary to demonstrate safe operations for these variations if they cannot be adequately addressed by analysis.
  • (c) Speeds. The speed of the RPAS prior to the impact will vary depending on both the test as well as the type of RPAS used. Two speeds are defined:
    • (i) Critical Speed: this is the speed at which the aircraft is capable of its maximum kinetic energy considering both powered flight as well as failure conditions. The Critical Speed for fixed wing aircraft is the maximum cruise speed. The Critical Speed for rotary-wing aircraft is the speed of the rotorcraft at terminal velocity.
    • (ii) Operational Speed: this is the maximum speed at which the aircraft can normally operate (considering the usage expectations and limitations within the operating manual).
  • Information Note: There may be several other aspects of the standardized test procedure that need to be considered when determining the test program required to demonstrate the safety assured flight envelope or interpret the test results. The extent of the test program will depend on the most critical case determination and its applicability to other configurations. Further discussion on this aspect of testing is provided in section C5.2.

4.0 Probable impact scenario development

(1) The manufacturer may determine the most probable impact orientations for the sRPA to hit a person's head based on engineering judgment, flight test, any parachute or recovery systems installed, simulation, and/or understanding of the operating characteristics of the sRPA. For each probable impact orientation, the manufacturer shall perform a series of drop tests to determine the worst case, that which produces the most severe injury, of these probable orientations. These drop tests shall consist of at least three drops in each orientation with a drop height as specified below.

5.0 Test conditions

5.1 General

(1) Testing is always a trade-off between that which is being monitoring and the impact of additional monitors, as such tests should be structured and calibrated to achieve the highest precision and accuracy for the parameters being evaluated. The objective of the tests are to evaluate the critical impact direction, and corresponding injury severity to support the analysis required in CAR standard 922 related to injuries. The manufacturer should have an understanding of the actual operating characteristics of their RPAS before starting the process outlined in this guidance. It is assumed that the manufacturer will be able to substantiate: the most probable critical case impacts, typical and maximum operating heights and speeds, and terminal velocity of their RPAS in order to compare the results of the impact analysis with the proposed vehicle concept of operations. Thus, the manufacturer should have a good understanding of the failure modes (e.g. engine failure, etc.), and the flight operating envelope shall consider different environmental conditions such as gust in order to define the critical conditions.

5.2 Determination of critical orientation

(1) The manufacturer shall determine the critical impact orientation, that which produces the highest risk of severe injury, for the RPAS to hit a person's body. This can be accomplished through flight testing or other methods (see section 4.0 of this Appendix), and test or simulation of the failure modes of the RPAS shall be accomplished to determine the impact on the critical cases.

(2) Simulation. Through use of simulation the manufacturer may determine no flight test is required, however, the manufacturer needs to provide an engineering rationale describing the differences between model simulation results (model validation methodology), as well as determine if the results produce minimal differences in flying attitudes as compared to operational test data. The use of computational fluid dynamics (CFD) analysis is recommended when the manufacturer has demonstrated it is able to replicate the RPAS behavior. The correlation between the CFD model and RPAS design can be extrapolated to similar RPAS configuration to support other analyses.

(3) A minimum of six (6) tests at the maximum flying speed with different failure conditions shall be done.

(4) In cases where a parachute or recovery system is installed, the manufacturer needs to understand the effect of the system on the most probable critical orientation of the RPA, and flight test the RPAS to determine if there are impacts to previously defined critical cases (if applicable). For RPAS employing parachute (or other recovery system) mitigations for uncontrolled flight, the drop height shall be chosen such that the impact speed is at least equal to the maximum descent speed with the parachute (or other recovery system) deployed (the goal of the test is to evaluate whether the recovery system successfully mitigates the impact as measured by the injury criteria in table C-1).

(5) The test vehicles shall be instrumented in order to define acceleration and speed at impact.

(6) The manufacturer shall record the following results of the test:

  • (a) RPAS configuration;
  • (b) RPAS impact orientation;
  • (c) RPAS speed at impact, the maximum magnitude of maximum resultant speed;
  • (d) Any relevant notes about the impact;
  • (e) Any damage to the sRPA or ATD shall be noted, and photography kept in the records; and
  • (f) Maximum accelerations for each impact orientation.

The designers/manufactures shall produce a test report with the information described above along with general conclusions from the test. Specifically, the manufacturer shall identify the critical impact orientation as the orientation that resulted in the greatest measured maximum acceleration over the three drops.

Information Note: This identified critical impact orientation is only valid for the specific configuration tested by the manufacturer.

(7) If a modifier does not have access to this critical impact orientation specified by the manufacturer, a modifier shall create a failure mode analysis, and follow the procedures described in section critical orientation (see section 7.0 of this appendix for information on modifications).

(8) If the manufacturer wishes to use simulation as a method of compliance with this procedure, or with the general injury prevention requirement, it is recommended that the manufacturer discuss the proposed methodology with TCCA. This will allow both TCCA to gain experience with the methodology used as well as support the dissemination and adoption of the latest industry safety standards. Also, a correlation should be done to validate the simulation with flight test data.

5.3 Impact to ATD

(1) The dynamic test methods identified below may be correlated to other standards, such as FMVSS 208, to determine the corresponding probability of an injury. A minimum of six (6) dynamic tests are required to define the operating limits of the RPAS flying over people.

Information Note: The following diagrams depict the RPAS as a multi-rotor rotorcraft, but it is meant to be representative of any RPAS whether fixed-wing, rotary-wing, hybrid, or lighter-than-air.

(2) Test 1 - Vertical Drop Test. The vertical drop test is to drop the RPA onto the head of the male ATD at the Critical Speed, and normal flight orientation. A minimum of two (2) drops shall be done in this orientation in order to reduce possible variability.

AC-992-001-figureC1

(3) Test 2 - Frontal Head Test. The frontal head test is to impact the forehead of the male ATD with the RPA at the Operational Speed, and normal flight orientation. A minimum of two (2) tests shall be done in this orientation in order to reduce possible variability.

AC-992-001-figureC2

(4) Test 3 - Head Critical Impact Direction. The head critical impact direction test is to impact the head of the ATD at the Critical Orientation at the Critical Speed. A minimum of two (2) test shall be done in this orientation.

AC-992-001-figureC3

(5) Test 4 - Head Side Impact. The head side impact test is to impact the head of the male ATD from the side at the Operating Speed, and normal flight orientation. A minimum of 2 tests shall be done in this orientation in order to reduce possible variability.

AC-992-001-figureC4

Information Note: It may be possible to evaluate the HIC using alternative tests. It is recommended that if other methodologies are being used the manufacturer coordinate with TCCA to support a collaborative development process.

6.0 Test articles

(1) General. In all cases, the test article (i.e. RPAS) shall be representative of the final production article and shall include a structural frame, motors, propellers, electronics, batteries, and payload. It shall also include functioning servos, if any. The RPAS does not necessarily need to be powered. The configuration of each RPAS used in each impact test shall be documented, and this configuration should conform to the production specification of the RPAS for which a declaration will be provided. Specific modifications to the RPAS which are made to support or conduct the tests shall be clearly documented along with their potential impacts on the results of the tests.

(2) Cameras. The payload may be replaced by a dummy-load made of representative shape, stiffness, and mass.

(3) Item of mass. Defined as any part of the RPA that can detach during impact (e.g. removable cameras, batteries) and may become a projectile with enough energy to cause a serious injury (see section 6.5) to a person. Detachment of these items are grounds for re-test and the means of restraint for these items should be improved by changes to design or implementation. Detachment of an item of mass should not leave any sharp or injurious edges. Once retention of an item of mass has been demonstrated using the standard RPAS configuration, subsequent tests may be conducted with the item secured by means other than those in the standard operational configuration for the purposes of the test (if required).

(4) Batteries. Batteries that present a potential for fire during impact should be discharged as much as possible to minimize the fire risk. The batteries should be tested separately to demonstrate that there is no risk of fire at impact (many battery manufacturers perform such tests as part of their development process). The manufacturer should maintain a report of the battery impact test, with photographic or video evidence, to demonstrate the battery does not catch fire at impact.

(5) Used Articles. Test units shall not be used for more than one test except if the test article is found to be mechanically equivalent to the original configuration. In this case, a report stating the method used to determine the equivalence shall be completed. For example, visual inspection of composite material may find the impacted materials to be mechanically equivalent to the original configuration, but micro-cracks may not be visually distinct.

(6) Critical Components. Design changes may influence other performance parameters such as HIC. The following summarizes critical elements relative to the assessment criteria.

The frame is the basic layout upon which the rest of the structure is built. The frame supports the motors and various other devices in a way that they maintain stability during the flight and keep the vehicle levelled. There are several frame types that define the multi-rotor or fixed wing RPA. The modification of material may change the impact characteristics of the RPA. Thus, the HIC may need to be reassessed.

7.0 Test setup and test preparation

(1) General. The test setup dictates how the impact loads are introduced into the ATD and how the ATD reacts. Every effort should be made to introduce and react to loads as realistically as possible. To aid this, the ATD shall be seated in a rigid position in order to obtain conservative results, and used to control variability. The seat should be rigid in order to avoid any type of deformation that may alter the test results (Figure C-6).

AC-992-001-figureC5

The ATD should be seated in a straight position, and a restraint system may be needed depending on the test facilities and ATD configuration. In addition, Attention should be given to positioning the ATD against the seat back and to proper positioning of the ATD's arms and legs. Demonstration of compliance with the HIC should address critical cases (as noted above). From these cases, the flight envelope will be defined. The evaluation showing HIC of 700 or less shall be from an ATD head impact that is a solid strike and not a glancing blow. Dynamic tests are conducted with an ATD (or equivalent) that is representative of a 50th percentile male occupant.

Compliance with the HIC is dependent on the details of the RPAS design as well as the test Setup.

Preparation for tests involves positioning and securing the ATD, the RPAS, and the instrumentation. This is done for the specific critical condition being tested. Preparations that pertain to the normal operation of the test facility, such as safety provisions and the actual procedures for accomplishment of the tests, are specific to the test facility and are not addressed in this circular.

7.1 Test facilities

(1) General. There are a number of test facilities that can be used to accomplish dynamic testing scenarios identified in section C5 above. Any of the following test devices are acceptable to perform the testing, as well, other test devices, facilities, or mechanisms may be used provided they provide the same capabilities regarding the measurement of the impacts and the reproducibility of the tests.

(2) RPAS Launcher. In this case, the RPAS is launched towards the ATD as a projectile. This test facility may present difficulties in obtaining the right exit speed, and orientation due to influence of aerodynamic surfaces of the RPAS. In this case the impact angles can be obtained by changing the seat location and angle with respect to the launcher, or the launcher may change its location and position so different angles of impact may be tested.

Photometric film coverage of the RPAS at the exit of the launcher may be used to define the orientation of the RPAS. Also, the exit speed may be measured to make sure that the maximum speed is obtained, and the impact impulse is obtained at the speed required for that particular test case.

Side cameras should be used to provide film coverage of the test. Side cameras need to be at each side of the ATD, and on the top in order to provide a good indication of the RPAS orientation during impact. This will assist in determining if the worst case (as defined above) was achieved.

(3) Sled Tester. If a sled tester is used for this test the recommendations of FAA AC 25.562 for this type of test facility shall be followed, or equivalent.

(4) Drop Tower. Drop towers are one of the easiest facilities to build and operate; as a result, they are frequently used for these types of tests. In these facilities, the pull of earth's gravity is used to accelerate the RPA to impact velocity so the need for a complex mechanical accelerating system is eliminated. The seat angle can be changed in order to achieve the required test scenario geometries. Special care should be taken to ensure variations of sit orientation do not prevent the ATD from achieving the right posture for the test.

Side cameras should be used at each side of the dummy as well as above the ATD in order to provide a good indication of the RPAS orientation during impact. This will assist in determining if the worst case (as defined above) was achieved.

7.2 Anthropomorphic test devices

(1) General. The use of the 50th percentile male Hybrid III test dummy specified in 49 CFR part 572, subpart E, is required unless TCCA agrees with other type of ATD.

(2) Calibration. ATD load cells shall be calibrated on an "as needed" basis, or a minimum of once per year, whichever comes first. ATD accelerometers shall be calibrated on an "as needed" basis, or a minimum of once every six months whichever comes first. Need is determined by a pre- and post-test shunt calibration. If the bridge balance remained unchanged after the test, and if full-scale shunt calibration results in the same value as the pre-test value, then the transducer characteristics are within calibration. If loads become suspect, linearity of the load cell will be checked with a universal compression testing machine. Exact calibration procedure can be found in National Highway Traffic Safety Administration Test Procedure TP208-14 Appendix A (Part 572E (50th Male) Dummy Performance Calibration Test Procedure.

(3) Maintenance. Anthropomorphic dummies used in the tests shall be maintained to perform in accordance with the requirements described in their specification. Periodic teardown and inspection of the ATD should be accomplished to identify and correct any worn or damaged components, and appropriate ATD calibration tests (as described in their specification) should be completed if major components are replaced.

(4) Setup. The ATD shall be placed in the test fixture seat in a way to ensure repeatability of the tests, and to ensure the maximum transfer of energy between the RPAS and the ATD representing the worst case impact on the ATD. As such the following ATD setup is recommended:

  • (a) The ATD should be placed in the center of the test fixture seat in as nearly a symmetrical position as possible. The ATD should be placed in the seat in a uniform manner so as to obtain reproducible test results.
  • (b) The ATD's back should be against the seatback without clearance. This condition can be achieved if the ATD's legs are lifted as it is lowered into the seat. Then the ATD is pushed back into the seatback as it is lowered the last few inches into the seat pan. Once all lifting devices have been removed from the ATD, the ATD should be "rocked" slightly to settle it in the seat.
  • (c) The ATD's knees should be separated about four inches.
  • (d) The ATD's hands should be placed on the top of its upper legs, just behind the knees.

7.3 Instrumentation

(1) General. Electronic and photographic instrumentation systems shall be used to record data for qualification of RPAS. Electronic instrumentation should measure the test environment and measure and record data required for the comparison of performance to established pass/fail criteria. Photographic instrumentation should be used to document the overall results of tests.

(2) Electronic Instrumentation. Electronic instrumentation should be accomplished in accordance with the Society of Automotive Engineers Recommended Practice SAE J211, "Instrumentation for Impact Tests," using the sign convention of SAE J1733 "Sign Convention for Vehicle Crash Testing." In this practice, a data channel is considered to include all of the instrumentation components from the transducer through to the final data measurement, including connecting cables and any analytical procedures which may alter the magnitude or frequency content of the data. Each dynamic data channel is assigned a nominal channel class equivalent to the high frequency limit for that channel based on a constant output/input ratio versus frequency response plot, which begins at 0.1 Hz (+1/2 to -1/2 dB) and extends to the high frequency limit (+1/2 to -1 dB). Frequency response characteristics beyond this high frequency limit are also specified. When digitizing data, the sample rate should be at least five times the 3 dB cutoff frequency of the pre-sample analog filters. Since most facilities set all pre-sample analog filters for Channel Class 1000, and since the 3 dB cutoff frequency for channel class 1000 is 1650 Hz, the minimum digital sampling rate would be about 8000 samples per second. For the dynamic tests discussed in this in this appendix the dynamic data channels shall comply with the following channel class characteristics:

  • (a) Launcher or drop tower vehicle acceleration is measured in accordance with the requirements of Channel Class 60;
  • (b) ATD head accelerations used for calculating the Head Injury Criterion (HIC) are measured in accordance with the requirements of Channel Class 1000;
  • (c) The full-scale calibration range for each channel provides sufficient dynamic range for the data being measured; and
  • (d) Digital conversion of analog data provides sample resolution of not less than 1 percent of full-scale input.
  • Note: On the selection of data channel, SAE J 211, paragraph 5, states, "that selection of frequency response class is dependent upon many considerations, some of which may be unique to a particular test." Further, SAE J211 notes, "the channel class recommendations for a particular application should not be considered to imply that all the frequencies passed by that channel are significant for the application. Accordingly, the TCCA seeks comments on an appropriate CFC for evaluating data.

(3) Photographic Instrumentation. Photographic instrumentation is used for documenting the response of the ATDs and the test items to the dynamic test environment. Both high-speed video and static imaging cameras should be used. The following recommendations for the selection, installation, and calibration of the photographic instrumentation should be relied on as best practices:

  • (a) Photographic instrumentation should be selected in accordance with SAE J211, Part 2;
  • (b) Photo instrumentation methods should not be used for measurement of acceleration
  • (c) High-speed cameras that provide data used to calculate displacement or velocity should operate at a minimum nominal speed of 1000 frames per second;
  • (d) Cameras operating at a nominal rate of 1000 frames per second or greater may be used to document the response of ATDs and test items if measurements are not required.
  • (e) The locations of the camera and targets or targeted measuring points within the field of view should be measured and documented;
  • (f) Targets should be at least 1/100 of the field width covered by the camera, and should be of contrasting colors or should contrast with their background;
  • (g) The center of the target should be easily discernible;
  • (h) A description of photographic calibration boards, or scales, should be within the camera field of view;
  • (i) The following should be documented for each test:
    • (i) Camera lens focal length;
    • (ii) Camera and lens make;
    • (iii) Camera and lens model; and
    • (iv) Camera and lens serial numbers.
  • (j) Appropriate digital or serial timing should be provided on the image media.
  • (k) Rectilinearity of the image is documented in accordance with SAE J211, Part 2.
    • (i) If the image is not rectilinear, as indicated by an overall error in excess of 1 percent, appropriate correction factors should be used in the data analysis process.
  • (l) Still image cameras should be used to document the pre-test installation and the post-test response of the ATDs and the test items. At least four pictures should be obtained from different positions around the test items in pre-test and post-test conditions.

A description of the timing signal(s), the offset of the timing signal to the image(s), and the means of correlating the time of the image(s) with the time of the electronic data shall be provided.

A rigorous, verified analytical procedure should be used for data analysis. The accuracy of the procedure is considered adequate, if the difference between the measured and derived distance separating the Validation Target Pair, as defined in SAE J211, Part 2, is not greater than 1.0 cm (0.4 inches).

(4) Setup. Professional practice should be followed when installing instrumentation. Test Facility instrumentation shall follow SAE J211.

8.0 Hazards

(1) This test method involves impacts with significant kinetic energy and RPAS may have parts which (as discussed above) may come free and result in injuries to test participants if hazards are not appropriately identified and mitigated. The test apparatus should be set up to control the RPAS impact such that it remains within the test apparatus throughout the impact. The test apparatus should be designed to prevent flying debris from becoming a hazard. Participants should use appropriate personal protective equipment (PPE), or remain protected during the test. When testing an RPAS with power plants and/or lithium batteries, appropriate fire extinguishing equipment for each application should be easily accessible. Participants should be made aware of the hazards of lithium batteries and which fire extinguishers are appropriate for lithium-based fires. In case of a battery fire, it should be documented design changes to the battery may be required (depending on failure analysis). A retest of the battery at the same impact level shall be done until no fire hazards are presented.

9.0 Test failures vs. retest.

(1) A variety of failures can result in an unsuccessful test. Failures can range from not obtaining the adequate orientation. All such failures should be addressed and corrective action taken. However, the necessity of repeating tests following corrective action is the same decision process as that used to determine which tests are initially conducted.

(2) If a test exceeds the minimum test conditions and results in a failure, an assessment of the test conditions, and a rational basis for retest without a design change shall be presented to allow a retest without modification.

10.0 Test reporting

(1) General. As required by record keeping requirements, the results of verifications associated with the technical requirements of CAR Standard 922 shall be maintained by the manufacturer. To this end, test reports created from the raw and analyzed test data associated with the test procedures in this appendix shall be created and maintained to demonstrate the tests have been completed and that all requirements of this appendix have been met.

10.1 Data requirements

(1) General. The data generated as a result of tests and analysis should include charts, listings, and/or tabulated results, along with copies of any photo instrumentation used to support the results. The following should be recorded:

  • (a) Impact pulse shape;
  • (b) Head and Neck sensor impact response;
  • (c) Chest sensor impact response;
  • (d) Total velocity change in the RPAS;
  • (e) Maximum resultant acceleration recorded by dummy head form on each of three axes: ax, ay, az with the magnitude of the acceleration amag=(ax2+ayM2+az2)1/2;
  • (f) Maximum rotational acceleration recorded by the dummy head form on each of three axes (𝜔̇ x, 𝜔̇ y, 𝜔̇ z);
  • (g) Calculated kinetic energy experienced by the ATD;
  • (h) Retention of Cameras, batteries or other parts that can detach during impact;
  • (i) Angle of Impact and Mass of the RPAS;
  • (j) Recording of video impact of collision and vehicle and ATD response at no less than 1000 frames/sec; and
  • (k) Any notes about the details of the impact. Any damage to the RPAS shall be noted.

10.2 Data analysis

(1) General. All data obtained in the dynamic tests should be reviewed for errors. Baseline drift, masking, ringing, and other common electronic instrumentation problems should be detected and corrected before the tests executed. Loss of data during the test is readily observed in a plot of the data versus time and is typically indicated by sharp discontinuities in the data, often exceeding the amplitude limits of the data collection system. If these occur early in the test in essential data channels, the data should be rejected and the test repeated. If they occur late in the test after the peak data in each channel has been recorded, the validity of the data should be carefully evaluated, and the maximum values of the data may still be acceptable for the tests described above. The instrumentation, collection of data, and filtering of that data in these tests shall meet the requirements of SAE J211-1: Instrumentation for Impact Test. Refer to Table C-1 for injury parameter cutoff values associated acceptable values for injuries.

(2) Impact Pulse Shape. The pulse shall meet the requirements of SAE 1727 Calculation Guidelines for Impact Testing.

(3) Total Velocity Change. The speed of the RPAS just prior to the time of impact shall be measured for each test point. Video of the impact made perpendicular to the fall, with a way of measuring the distance travelled between frames (e.g. radar, ultrasonic distance measurements, or other sensors). The uncertainty of the measurement shall be documented. When making such a computation the possible errors of the time and displacement measurements are used to calculate a possible velocity measurement error, and the test impact velocity should exceed the terminal velocity calculated in the critical case analysis by at least the velocity measurement error.

(4) Head and Neck.

  • (a) Head injury mechanism. There are three major types of head injury by direct impact:
    • (i) Brain injury: Brain injury can be produced by high accelerations to the entire brain producing injuries often related to impacts with rigid flat or semi blunt objects, or it can be produced by a direct impact to a local area of the brain from minor contusions (bruising) to direct penetration of the brain often related to blunt or sharp object impacts. Brain injury is not covered in this AC.
    • (ii) Skull fracture: Skull fracture can be produced by direct impact. Cranial fractures can be produced by two different impact-loading mechanisms.
      • (A) Impact with a flat surface producing linear type fractures
      • (B) Impact with a blunt object producing localized depressed fractures
    • (iii) Facial lacerations: caused by sharp objects are likely to have discrete edges but may extend deeply and involve underlying structures, such as the muscles of facial expression, nerves, and arteries. Wounds caused by blunt forces burst the skin open, damage cells, and produce tissue edema, which slows the wound-healing process. Therefore, a mitigation needs to be used to reduce the risk of these type of injuries. For example, rotor guards, blade stoppage, detect and stop and others. These mitigations will need to be flight tested to show their effectiveness. The results of the test should be annexed to the test results report. The AC does not account for laceration's injury criteria, and it is shown on table C-1 as pass or fail criteria only.
  • (b) We consider a HIC value calculated with a time interval that maximizes the HIC value up to a 15 ms period, and not 36 ms, which is generally used for car occupants. The main reason is that head impact to an RPAS structure is very short, only a few milliseconds of contact. Thus while the time interval used in the calculation may be up to 15 ms, depending on the design of the RPA, a period of only a few milliseconds can be expected for this calculation.
  • (c) At this moment, this AC will evaluate head injury risk mainly on the basis of head injury criterion (HIC) with a time interval that maximizes the HIC value, up to a 15 ms limit, over which it is calculated. A HIC value of 1000 is equivalent to approximately a 15 per cent risk of AIS 4+ head injury whereas a HIC 700 to 5 percent risk of AIS 4+ head injury. A "severe" injury is one with a score of 4+ on the Abbreviated Injury Scale (AIS). The maximum calculated HIC-15 value shall not exceed 700, and the maximum peak acceleration shall not exceed 237g.
  • (d) Neck. The resulting neck injury criteria, called "Nij", propose critical limits for all four possible modes of neck loading; tension or compression combined with either flexion (forward) or extension (rearward) bending moment. The Nij is defined as the sum of the normalized loads and moments. The calculation shall meet the requirements of SAE 1727 Calculation Guidelines for Impact Testing. The Nij should not exceed a value of 1.21, it was estimated to represent an 30 percent risk of AIS 3 injury.
    • (i) The shear force (Fx), axial force (Fz), and bending moment (My) shall be measured by the dummy upper neck load cell for the duration of the crash event as specified in FMVSS 208 S4.11. Shear force, axial force, and bending moment shall be filtered for Nij purposes at SAE Recommended Practice J211.
    • (ii) During the event, the axial force (Fz) can be either in tension or compression while the occipital condyle bending moment (Mocy) can be in either flexion or extension. This results in four possible loading conditions for Nij: tension-extension (Nte), tension-flexion (Ntf), compression-extension (Nce), or compression-flexion (Ncf).
    • (iii) When calculating Nij, the critical values, Fzc and Myc, are:
      • (A) Fzc = 6806 N (1530 lbf) when Fz is in tension
      • (B) Fzc = 6160 N (1385 lbf) when Fz is in compression
      • (C) Myc = 310 Nm (229 lbf-ft) when a flexion moment exists at the occipital condyle
      • (D) Myc = 135 Nm (100 lbf-ft) when an extension moment exists at the occipital condyle.
    • (iv) At each point in time, only one of the four loading conditions occurs and the Nij value corresponding to that loading condition is computed and the three remaining loading modes shall be considered a value of zero. The expression for calculating each Nij loading condition is given by:
      • (A) Nij = (Fz/Fzc) + (Mocy/Myc)
      • (B) Each of the four Nij values shall not exceed 1.0 at any time during the event.
      • (C) Peak tension. Tension force (Fz), measured at the upper neck load cell, shall not exceed 4170 N (937 lbf) at any time.
      • (D) Peak compression. Compression force (Fz), measured at the upper neck load cell, shall not exceed 4000 N (899 lbf) at any time.
      • (E) Unless otherwise indicated, instrumentation for data acquisition, data channel frequency class, and moment calculations are the same as given for the 49 CFR Part 572, Subpart E Hybrid III test dummy.

(5) Chest. Chest injury risk is evaluated on the basis of spine acceleration, and sternum deflection rate. A sternum deflection of 63 mm represents either a 45 or 70 percent risk of an AIS 3+ chest injury.

  • (a) The resultant acceleration calculated from the output of the thoracic instrumentation shown in drawing 78051.218, revision R incorporated by reference in 49 CFR part 572, subpart E of US Code of Federal Regulations, Title 49 shall not exceed 60 g's, except for intervals whose cumulative duration is not more than 3 milliseconds.
  • (b) Compressive deflection of the sternum relative to the spine shall not exceed 63 mm (2.5 in).
Table C-1
Body Region Parameter Values not to exceed Measurement
C-1 C-2 C-3 C-4
Head HIC-15 700        
Peak Acceleration (g) 237        
Neck Nij 1.21        
Fz Tension (N) 4170        
Fz Compression (N) 4297        

(6) Note:

  • (a) These injury metrics have an associated risk of a specific level of injury, typically based on the Abbreviated Injury Scale (AIS). The AIS is an anatomical-based coding system developed by the Association for the Advancement of Automotive Medicine that classifies and ranks the severity of specific injuries. It represents the threat to life associated with the injury rather than the comprehensive assessment of the severity of the injury. An AIS value of two is denoted as moderate, a value of three is denoted as serious, and a value of four is denoted as severe.
  • (b) Based on the following technical requirements UN ECE R94, GTR No.9 Pedestrian Safety, FAA AC 25.562, and FMVSS 208.
  • (c) Table C-1 provides a summary of test pass criteria and provides the applicant guidance on how to present and collect information.

10.3 Test documentation

(1) General. The tests should be documented in reports that describe the procedures, limitations, results, and deviations to the tests discussed in this appendix.

(2) Facility data. In order to clearly document the facilities (see section C7.2) in which the tests took place the following facility information shall be documented in the test report:

  • (a) The name and address of the test facility performing the tests;
  • (b) The name and telephone number of the individual at the test facility responsible for conducting the tests;
  • (c) A brief description and/or photograph of each test fixture;
  • (d) Statements confirming:
    • (i) All instrumentation and data collection equipment used in the test meet the facility's internal calibration requirements;
    • (ii) These calibration requirements are documented and available for inspection upon request;
    • (iii) All calibrations are traceable to a national standard; and
    • (iv) The records of current calibration of all instruments used in the test are maintained at the facility.
  • (e) A statement confirming the data collection was done in accordance with the recommendations in this appendix, or a detailed description of the actual procedure used and technical analysis showing equivalence to the procedures and expected outcomes of this circular;
  • (f) The manufacturer, governing specification, serial number, and test weight of the ATDs used in the tests, and a description of any modifications or repairs performed on the ATDs which may cause them to deviate from the specification; and
  • (g) A description of the photographic-instrumentation system used in the tests.

(3) RPAS Data. As the RPAS is the unit under test in this case, detailed information on test articles helps ensure the requirements were appropriately met. This data includes, but is not limited to:

  • (a) The manufacturer's name and identifying model numbers of the RPAS used in the tests with a brief description of the system, including identification and a functional description of all major components and photographs or drawings, as applicable;
  • (b) RPAS mass; and
  • (c) Critical impact direction, terminal velocity, acceleration, and environmental conditions report (as described in this appendix).

(4) Test Description. The description of the test should be documented in sufficient detail, such that the tests could be reproduced simply by following the guidance given in the report. The procedures outlined in this appendix can be referenced in the report, but should be supplemented by such details as are necessary to describe the unique conditions of the tests. For example:

  • (a) Pertinent dimensions and other details of the installation that are not included in the drawings of the test items should be provided;
  • (b) The placement and characteristics of electronic and photographic instrumentation chosen for the test beyond that information provided by the facility should be documented. This can include special targets, grids, or marking used for interpretation of photo documentation, transducers, restraint system loads, floor reaction forces, or other measurements beyond those discussed in this appendix;
  • (c) Any unusual or unique activity or event pertinent to conducting the test should be documented. This could include RPAS damage or support for the ATDs, test items or transducers, operational conditions or activities such as delayed or aborted test procedures, and failures of test fixtures, instrumentation system components, or ATDs; and
  • (d) The expected structural behavior that will result should be documented.

11.0 Conclusions

(1) General. The results of the tests conducted above are expected to inform the operating limitations of the RPAS when conducting operations over people. There are two effective ways of responding to the results of the tests:

  • (a) Modification of Design. If the results of the tests indicate the RPA will result in measurements which fall above the "acceptable marginal" values described in Table C-1, the RPA may be redesigned utilizing different materials, structural configurations, or equipment mitigations. If this option is chosen, the updated design should be retested against this appendix.
  • (b) Hard Operational Limits. If the results of the tests indicate there is a speed (or set of speeds) and altitude (or set of altitudes) at which the RPA will have a HIC-15 result which is below the maximum allowed, the manufacturer may provide hard operational limits within their design to restrict the speeds of the RPA to these lower speeds. It should be noted in the case of rotorcraft, the terminal speed is the Critical Speed and as such would most likely result in a redesign of the system if the tests are determined to fail. Mechanisms to restrict operations to ensure the safety of people on the ground must be included as part of the failure mode evaluation as required by the safety assurance process.

(2) In general, the results of these tests should provide the manufacturer enough information to determine the maximum allowable altitudes, speeds, flight configurations, and operational maneuvers of the RPA.

(3) The manufacturer may decide to create a fight mode that allows operating safely over people. Thus, reducing the workload to the Pilot in Command, and considering within this flight mode operational limits allowable altitudes, speeds, flight configurations, and operational maneuvers of the RPA. In this development, the manufacturer should consider the following:

  • (a) Human Factors
    • (i) A qualitative evaluation of crew workload and degree of difficulty in all FCS operating modes including manual direct piloting (where applicable) and in all flight phases (e.g. launching strength) should be done in order to demonstrate that the probability of piloting errors is reduced to the minimum. This assessment must include workload evaluation while in emergency conditions.
  • (b) Transition
    • (i) It should be possible to make a smooth transition from one flight phase and/or condition to another (including turns and slips) without danger of exceeding the limit load factor, under any probable operating condition, (including, for multi-engine RPA, those conditions normally encountered in the sudden failure of any engine). Where applicable, consideration should be given to the transition from launch phase to normal flight condition, as well as the transition from normal flight condition to recovery phase.
  • (c) Flight Envelope Protection
    • (i) Flight envelope protection may be implemented in the flight control system.
      • (A) Characteristics of each envelope protection feature should be smooth, appropriate to the phase of flight and type of maneuver.
    • (ii) Limit values of protected flight parameters must be compatible with:
      • (A) RPA structural limits;
      • (B) With acceptable values of table C-1; and
      • (C) Required safe and controllable maneuvering of the RPA.
    • (iii) A safe margin to catastrophic failure conditions.
      • (A) The RPA must respond to intentional dynamic maneuvering within a suitable range of control parameter limits.
      • (B) Dynamic characteristics such as damping and overshoot must also be appropriate for the maneuver and limit parameter concerned.
      • (C) Characteristics of the flight control system must not result in residual oscillations in commanded output due to combinations of flight envelope protection limits.
      • (D) Rapidly engage automatic flight envelope protection in response to flight critical parameters.
        • (I) Examples of mission maneuvers that may bring about the conditions cited above may include, but are not limited to, in case of rotary-wing RPAS roll reversals, pull-ups, push-overs, rapid sidesteps, and large amplitude heading changes. ADS-33, "Aeronautical Design Standard Performance Specification Handling Qualities Requirements for Military Aircraft" describe these and other maneuvers that may be part of the rotorcraft RPAS mission.

(4) The manufacturer may consider using parachutes in case of emergency conditions; ASTM provides standard in regards to parachutes refer to appendix A of this AC.

Appendix D – Example RPAS operating manual

(1) The following provides an example of a typical RPAS operating manual contents, including the structure and information that a pilot may need to safely conduct operations. The exact layout and information may vary depending on design and manufacturer. Note: All altitudes should be referenced as pressure altitude and not altitude above ground.

RPAS Operating Manual

<<RPAS Type>>

DOC # <<Doc. Number>>

<<Applicant Name>>

<<Applicant Address1>>

<<Applicant Address2>>

<<Applicant Legal Statement, if necessary>>

RPAS Operating Manual

<<RPAS Type>>

RPA Manufacturer :

RPA Model :

Serial Number :

Registration :

Remote Controller Manufacturer :

Remote Controller Model :

Serial Number :

DOC # : <<Doc. Number>>

Date of Initial Issue : April 1, 2016

Revision : 00

Date of Revision : April 1, 2016

This manual must be readily available to the RPAS pilot at all times.

The RPAS is to be operated in compliance with the information and limitations contained herein.

Applicable Regulations

The Remotely Piloted Aircraft System (RPAS) as described in this operating manual is subject to Transport Canada Civil Aviation regulations.

The RPAS operated is under the sole responsibility of the RPAS Operator.

Privacy

Check that your use of the cameras on board this RPA complies with the legal provision on privacy in the Province or Territory where your product is intended to be operated.

Index of Revisions

Revisions to this RPAS Operator's Manual are recorded in the following table. The RPAS Operator's Manual Revision Number, Revision Date and Document Number are shown on the bottom right hand corner, respectively the bottom centre on each page.

The RPAS may only be operated using the latest version of the Operator's Manual.

Revision Number Revision Date Reason for Revision
Revision 00 April 1, 2016 Initial Issue.

Table of contents

  • Section
  • General
  • Operating limitations
  • Emergency procedures
  • Normal operating procedures
  • Performance
  • Weight and balance | Equipment list
  • Description of the RPA and systems
  • Handling, care and maintenance
  • Supplements

Section 1

General

Table of contents

  • 1.1 Introduction.
  • 1.2 Warnings, Cautions and Notes.
  • 1.3 Description of the RPA.
    • 1.3.1 Three-View-Drawing of the RPA.
    • 1.3.2 Dimensions.
    • 1.3.3 Motors | Propellers | Electronic Speed Controls.
    • 1.3.4 Flight Control Surfaces
    • 1.3.5 Avionics | Navigation | Communication Systems.
    • 1.3.6 Fuel | Flight Battery.
    • 1.3.7 Weights.
  • 1.4 Remote Pilot Station.
    • 1.4.1 Function Controls Layout.
    • 1.4.2 Command and Control Link.
  • 1.5 Firmware | Software.
  • 1.6 List of Definitions and Abbreviations.
    • 1.6.1 Abbreviations and Acronyms.
    • 1.6.2 Definitions.

1.1 Introduction.

This Section provides basic data and information of general interest. It also contains definitions or explanations of symbols, abbreviations, and terminology commonly used.

The description of the RPA System in this Section is intended to familiarise the operator with the (basic) structure and composition of the RPA, and with the (basic) control functions of the Remote Pilot Station.

More detailed information about the RPA System is provided in Section 7.

1.2 Warnings, Cautions and Notes.

The following definitions apply to warnings, cautions, and notes used in this RPAS operating manual:

Warning

Disregarding the following instructions leads to an immediate or severe deterioration of flight safety and hazardous situations, including such resulting in personal injury and damage to property.

 

Caution

Disregarding the following instructions leads to a serious or long term deterioration of flight safety.

 

Note

Draws the attention to any special item not directly related to safety but which is important or unusual.

 

1.3 Description of the RPA

Airframe Type (fixed-wing | multirotor | other) ...

General description (structure, composition), primary usage, ...

(include name, location and contact information of the RPA manufacturer)

1.3.1 Three-View-Drawing of the RPA.

(shown in normal ground attitude)

1.3.2 Dimensions.

Overall Dimensions (Length, Width, Height)

Important Dimensions

1.3.3 Motors | Propellers | Electronic Speed Controls.

Motor(s) Number of Motors

Motor Manufacturer:

Motor Model Number:

Motor Type:

Motor Power Rating | Speed:

Propeller(s)

Number of Propellers:

Propeller Manufacturer:

Propeller Model Number:

Number of Blades:

Propeller Diameter:

Propeller Type:

Electronic Speed Control(s)

Number of ESCs:

ESC Manufacturer:

ESC Model Number:

ESC Type:

ESC Power Rating:

1.3.4 Flight Control Surfaces

1.3.5 Avionics | Navigation | Communication Systems

Guidance, Navigation and Control (flight computer)

Communication Systems

Other avionics (transponder, recording device, video processing, antenna, etc.)

1.3.6 Fuel | Flight Battery.

Fuel

Approved Fuel Grades:

Fuel Total Capacity:

Fuel Total Usable:

Flight Battery

Battery Manufacturer:

Battery Type:

Battery Capacity:

Battery Min. Charge Rate:

Number of batteries required for flight ...

Number of spare batteries required (available) on site ...

1.3.7 Weights

Empty Weight — without fuel | flight battery, without payload — approx. kg

Nominal Take Off Weight — with standard flight battery, standard payload — approx. kg

Maximum Take Off Weight — XX kg

1.4 Remote Pilot Station

1.4.1 Function Controls Layout

Information Displays (RPA health and status, navigation, payload, etc.)

User Interfaces (keyboards, trackballs, joysticks, etc.)

1.4.2 Command and Control Link

Frequencies

Power | Range

1.5 Firmware | Software.

(Firmware and/or software build, version control, part number, etc.)

1.6 List of Definitions and Abbreviations.

1.6.1 Abbreviations and Acronyms.

1.6.2 Definitions.

As may be applicable.

Section 2

Operating limitations

Table of contents

  • 2.1 Introduction.
  • 2.2 Airspeed Limitations.
  • 2.3 Mass | Centre of Gravity Limits.
    • 2.3.1 Longitudinal Centre of Gravity Limits.
    • 2.3.2 Lateral Centre of Gravity Limits.
  • 2.4 Flight and Maneuver Limitations.
  • 2.5 Fuel | Flight Battery Limitations.
  • 2.6 Weather Limitations.
  • 2.7 Range and Endurance Limitations.
    • 2.7.1 Fuel | Flight Battery.
    • 2.7.2 Command and Control Link.
  • 2.8 Kinds of Operation.

2.1 Introduction.

This Section includes operating limitations which are necessary for the safe operation of the RPAS, its motors, standard equipment and standard payload.

Warning

All limitations given in this Section must be complied with for all operations.

 

Note

Refer to the Supplements, Section 9 of this RPAS operating manual for amended Operating Limitations, Operating Procedures, Performance Data and other necessary information for RPAS equipped with specific equipment or payload.

 

2.2 Airspeed Limitations.

Stall Speed: (maximum weight, landing configuration)

Operating Maneuvering Speed: (do not make full or abrupt control movements above this speed)

Maximum Structural Cruising Speed: (do not exceed this speed except in smooth air, and then only with caution)

Never Exceed Speed: (do not exceed this speed under any circumstances)

2.3 Mass | Centre of Gravity Limits.

Empty Weight:
Max. Take-Off Weight:

Warning

Exceeding weight limitations may lead to overloading of the RPA structure and cause loss of control of the RPA and | or structural damage.

The reference datum for determining the longitudinal Centre of Gravity is located ...; given

the lateral symmetry of the RPA, the reference line for the lateral Centre of Gravity is located on the symmetry axis.

 

Warning

Exceeding the centre of gravity limitations reduces the manoeuvrability and stability of the RPA.

 

2.3.1 Longitudinal Centre of Gravity Limits.

Forward | Aft

2.3.2 Lateral Centre of Gravity Limits.

Left | Right

2.4 Flight and Maneuver Limitations.

(Prohibited maneuvers)

(Load factors)

(Flight envelope)

2.5 Fuel | Flight Battery Limitations.

(Approved types of fuel | batteries)

2.6 Weather Limitations.

(Environmental limitations)

(Maximum wind limitations)

2.7 Range and Endurance Limitations.

2.7.1 Fuel | Flight Battery.

(Total fuel capacity - total usable fuel | total battery power – total usable battery)

2.7.2 Command and Control Link.

2.8 Kinds of Operation.

RPAS flights are limited to Visual Line Of Sight (VLOS) flights, under DAY Visual Flight Rules (VFR) conditions.

Section 3

Emergency procedures

Table of contents

  • 3.1 Introduction.
  • 3.2 Emergency Procedures – Checklists.
    • 3.2.1 Motor Failures.
    • 3.2.2 Electrical Power Failure.
    • 3.2.3 Avionics System Failure.
    • 3.2.4 Control Station Failure.
    • 3.2.5 Data Link Communication Failures.

3.1 Introduction.

This Section contains checklists as well as descriptions of the recommended procedures in case of an emergency.

Emergencies caused by motor or system malfunctions are extremely rare if pre flight inspections and maintenance are performed properly.

3.2 Emergency Procedures – Checklists.

3.2.1 Operation of Recovery System

3.2.2 Motor Failures.

Operation is possible with one motor | electronic speed control | propeller failure.

3.2.3 Electrical Power Failure.

3.2.4 Avionics System Failure.

3.2.5 Control Station Failure.

3.2.6 Data Link Communication Failures.

(Loss of C2 link)

Section 4

Normal operating procedures

Table of contents

  • 4.1 Introduction.
  • 4.2 Normal Operation Checklists.
    • 4.2.1 Pre-Flight Planning.
    • 4.2.2 System Assembly and Pre-Flight Inspection.
    • 4.2.3 Systems Start.
    • 4.2.4 Take-Off | Launch Systems.
    • 4.2.5 Flight Modes | Transitions.
    • 4.2.6 In-Flight Monitoring.
    • 4.2.7 Landing Approach | Recovery Systems.
    • 4.2.8 Systems Shutdown.
    • 4.2.9 After Landing Inspection.
    • 4.2.10 System disassembly | Storage.
    • 4.2.11 Handover | Handoff to alternate control station.

4.1 Introduction.

This Section contains checklists and describes extended procedures for the normal operation of the RPAS, using standard equipment and standard payload.

4.2 Normal Operation Checklists.

4.2.1 Pre-Flight Planning.

The Pre-Flight Planning includes the selection of the site(s) for launch (take-off) and recovery (landing).

(Ground operational area set up)

4.2.2 System Assembly and Pre-Flight Inspection.

4.2.3 Systems Start.

(Motor | remote control station | communications)

4.2.4 Take-Off | Launch Systems.

4.2.5 Flight Modes | Transitions.

(Cruise | maneuvering flight)

(In flight mission changes)

4.2.6 In-Flight Monitoring.

4.2.7 Landing Approach | Recovery Systems.

4.2.8 Systems Shutdown.

4.2.9 After Landing Inspection.

4.2.10 System disassembly | Storage.

4.2.11 Handover | Handoff to alternate control station.

Section 5

Performance

Table of contents

  • 5.1 Introduction.
  • 5.2 Performance Tables and Diagrams.
    • 5.2.1 Take-Off Area (Distance).
    • 5.2.2 Climb Performance.
    • 5.2.3 Cruise Performance.
    • 5.2.4 Landing Area.
  • 5.3 Noise Data.

5.1 Introduction.

The performance data in this Section has been prepared to illustrate the performance you may expect from the RPA under various conditions and to facilitate the planning of flights in detail and with reasonable accuracy.

The performance data do not take into account the expertise of the RPA Pilot or the maintenance condition of the RPA. The performance described can be achieved if the indicated procedures are followed and the RPA is maintained in good condition.

5.2 Performance Tables and Diagrams.

(Maximum speed – cruise | loiter speed – as a function of power setting and altitude)

(Maximum operating altitude)

(Maximum autonomy)

(Maximum range)

(Maximum endurance)

5.2.1 Take-Off Area (Distance).

5.2.2 Climb Performance.

(Maximum rate of climb)

(Time, fuel and distance to climb)

5.2.3 Cruise Performance.

(Cruise speeds)

(Power setting and consumption)

(Operating envelope)

(Range profile)

5.2.4 Landing Area.

(Maximum rate of descent)

(Time, fuel and distance to descent)

5.3 Noise Data.

Section 6

Weight and balance | Equipment list

Table of contents

  • 6.1 Introduction.
  • 6.2 Weighing Procedures.
  • 6.3 Weight and Balance Report.
  • 6.4 Equipment List.

6.1 Introduction.

To obtain the performance, flight characteristics and safe operation described in this RPAS operating manual, the RPA must be operated within the permissible weight and centre of gravity limitations specified in Section 2.

The procedure for weighing the RPA and calculating the centre of gravity position are given in this Section.

6.2 Weighing Procedures.

RPA operating weights and loading (fuel | batteries | payloads | ballast)

RPA Centre of Gravity range and determination

For the weighing, the RPA should be placed in the normal ground position (indicated reference lines should be kept horizontal).

6.3 Weight and Balance Report.

RPA Weight and Balance Chart

6.4 Equipment List.

Installed RPA optional equipment list affecting Weight and Balance, or a reference as to where this information can be found.

Section 7

Description of the RPA and systems

Table of contents

  • 7.1 Introduction.
  • 7.2 Airframe.
  • 7.3 Flight Controls.
  • 7.4 Propulsion System.
    • 7.4.1 Motor | Propeller | Electronic Speed Control.
    • 7.4.2 Fuel | Flight Battery.
  • 7.5 Electrical System.
  • 7.6 Avionics System.
    • 7.6.1 Navigation.
    • 7.6.2 Communication.
    • 7.6.3 Sensors | Telemetry.
  • 7.7 Launch | Flight Recovery System.
  • 7.8 Payloads.
  • 7.9 Remote Pilot Station.
  • 7.10 Ground Support | Surveillance.

7.1 Introduction.

This Section provides a detailed description and operation of the RPAS and its Systems. Some equipment or payload described may be optional and as such not installed in the RPA. Refer to the Supplements in Section 9 for details of other optional equipment or payload.

7.2 Airframe.

7.3 Flight Controls.

7.4 Propulsion System.

7.4.1 Motor | Propeller | Electronic Speed Control.

7.4.2 Fuel | Flight Battery.

7.5 Electrical System.

7.6 Avionics System.

(Global avionic system diagram)

(Localization of air data sensors, antennas, transceivers and navigational instruments)

7.6.1 Navigation.

(Autopilot – type, manufacturer, working principles)

(Navigation systems – components, accuracy)

7.6.2 Communication.

Caution These frequencies may only be used within the indicated power limits.

7.6.3 Sensors | Telemetry.

7.7 Launch | Flight Recovery System.

7.8 Payloads.

7.9 Remote Pilot Station.

7.10 Ground Support | Surveillance.

(Ground support equipment)

(Surveillance equipment)

Section 8

Handling, care and maintenance

Table of contents

  • 8.1 Introduction.
  • 8.2 Transport | Storage.
  • 8.3 Assembly | Disassembly.
  • 8.4 Cleaning and Care.
    • 8.4.1 Propeller Care.
    • 8.4.2 Battery Care, Storage, and Use.
  • 8.5 Scheduled Maintenance.
    • 8.5.1 Annual Inspection (example).
    • 8.5.2 500 Hour Preventive Maintenance (example).
  • 8.6 Other Field and/or Shop Maintenance.

8.1 Introduction.

This Section contains the recommended procedures for proper handling of the RPA. It also identifies certain inspection and maintenance requirements which should be followed if the RPA is to retain its original performance and dependability.

8.2 Transport | Storage.

8.3 Assembly | Disassembly.

8.4 Cleaning and Care.

8.4.1 Propeller Care.

Propellers must be checked before each flight for nicks or cracks and installed securely.

8.4.2 Battery Care, Storage, and Use.

Charging, Conditioning, Storing, and Replacing Batteries.

8.5 Scheduled Maintenance.

8.5.1 Annual Inspection (example).

Test all batteries for capacity.

Upgrade firmware and software to latest revisions prior to each flight.

8.5.2 500 Hour Preventive Maintenance (example).

Disassembly, inspection of components for wear, replace any components as required by manufacturer certified technicians.

Replace all motors.

Test all batteries for capacity by manufacturer certified technicians.

Upgrade firmware and software to latest revisions.

8.6 Other Field and/or Shop Maintenance.

Section 9

Supplements

Table of contents

  • 9.1 General.
  • 9.2 Index of Supplements.

9.1 General.

This Section contains information regarding optional equipment | payload | accessories which may be installed in the RPAS.

Individual supplements address each optional equipment | payload |accessory installation.

The RPAS operator should refer to these supplements to ensure that the appropriate limitations and procedures are observed.

9.2 Index of Supplements.

Supplement Number Title Pages Equipment Installed
1      

Supplement 1

Equipment | Payload

Table of contents

  • 1. General
  • 2. Operating limitations
  • 3. Emergency procedures
  • 4. Normal operating procedures
  • 5. Performance
  • 6. Weight and balance
  • 7. Description of the RPA and systems
  • 8. Handling, care and maintenance

1. General

2. Operational limitations

3. Emergency procedures

4. Normal operating procedures

5. Performance

6. Weight and balance

7. Description of the RPA and systems

8. Handling, care and maintenance

AC 922-001 - Remotely Piloted Aircraft Systems Safety Assurance
(PDF, 1.13 MB)

 

Report a problem with this page

Date modified: