• Each of the UAS design requirement sets will include system safety requirements. These require that the probability of a failure be inversely proportional to the severity of its effect at aircraft level, i.e. systems whose failure has highly critical effects are required to have an extremely low probability of failure.
• These certification requirements were established many years ago based on in-service experience (accident data, etc.) and a desire to set a standard that would drive improvements in what was then being achieved. For each class of passenger transport aircraft (large and small fixed-wing aircraft, rotorcraft, etc.), an acceptable fatal accident rate was defined, e.g. 1 accident in 10 million flight hours for a large fixed-wing aircraft.
• Then, based on simple assumptions regarding the number of aircraft systems and the number of potentially critical failures in each of these, a target level of safety was defined for each critical failure. This is described in detail within the advisory material that goes with the requirement.
• The validity of using these probability targets for UAS is currently a debated subject. Clearly, they relate to passenger transport aircraft and safety of passengers carried. However, it must be noted that by protecting persons on board an aircraft, third parties on the ground will also be protected.
• There is also some discussion that the types of operation undertaken by passenger aircraft are quite different from the range of operations undertaken by UAS, and hence, once again, that the probability targets are inappropriate. In this respect, it must be noted that the safety assessment process already accounts for this to some extent: because of these differences, the consequence or severity of the effect could be quite different, thus giving a different target level of safety.
• For UAS, the safety assessment and any analysis or justification to demonstrate compliance with the target level of safety is primarily based on the aircraft system and its associated failure mechanisms. The aircraft system is the total system required for safe flight and landing, e.g. the aircraft, control station, command and control datalinks and any launch or landing/recovery systems.
• In principle, it does not place reliance on external factors that may mitigate the failure; these are the safety nets that could prevent the worst-case scenario.
• It must also be noted that where the simple assumptions made in the certification safety assessment requirements are not valid, e.g. independent versus integrated systems, simple versus complex systems, and the number of critical failure conditions, it may be necessary to impose more stringent targets on individual failure conditions in order to meet the aircraft target level of safety.
• For aircraft of 150 kg or less, the proportionate approach taken does not require a safety assessment to the level described above. However, the safety case approach does still require consideration of the hazards, their severity, and justification of how these will be mitigated and managed. It is therefore envisaged that some level of assessment and justification of how and why hazards are suitably managed will be necessary, albeit not to the level that uses detailed probability-based analyses.
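The allocation described above (an aircraft-level accident rate spread over an assumed number of critical failure conditions) and the need to tighten the per-condition target when the assumed number of critical failure conditions turns out to be wrong can be shown in a few lines. This is an added illustration, not part of the original text or any certification standard; the system counts, failure condition names and probabilities are constructed values, and the rule that a reallocation never loosens a target is an assumption of this example.

```python
"""Allocating an aircraft-level target level of safety to individual
critical failure conditions and checking the assessed failure set
against it.  Added illustration: the counts, names and probabilities
below are constructed, not taken from any certification standard."""
from dataclasses import dataclass

# Aircraft-level target quoted in the text: 1 fatal accident in
# 10 million flight hours, expressed per flight hour.
AIRCRAFT_TARGET = 1.0 / 10_000_000


@dataclass
class FailureCondition:
    name: str
    probability: float  # assessed probability per flight hour
    critical: bool      # worst-case effect at aircraft level


def allocate_target(aircraft_target, n_systems, critical_per_system):
    """Simple allocation: spread the aircraft target evenly over the
    assumed number of critical failure conditions."""
    return aircraft_target / (n_systems * critical_per_system)


def check_failure_set(conditions, aircraft_target, allocated):
    """Return (aircraft target met, names of conditions over allocation).
    The aggregate over all critical conditions must stay at or below the
    aircraft target; a per-condition breach is flagged separately."""
    critical = [fc for fc in conditions if fc.critical]
    total = sum(fc.probability for fc in critical)
    over = [fc.name for fc in critical if fc.probability > allocated]
    return total <= aircraft_target, over


def reallocate_target(conditions, aircraft_target, allocated):
    """Where the assessment finds more critical failure conditions than
    the allocation assumed, spread the aircraft target over the real
    count.  Assumption of this example: never loosen the original target."""
    n_critical = sum(1 for fc in conditions if fc.critical)
    return min(allocated, aircraft_target / n_critical)


# Constructed UAS example: the aircraft system as the text defines it
# (aircraft, control station, C2 datalink, launch/recovery).
SAMPLE = [
    FailureCondition("loss of C2 datalink, no return-home", 5e-10, True),
    FailureCondition("control station power loss", 8e-10, True),
    FailureCondition("flight control actuator jam", 2e-9, True),
    FailureCondition("recovery system late deployment", 3e-8, False),
]

if __name__ == "__main__":
    budget = allocate_target(AIRCRAFT_TARGET, 10, 10)  # 1e-9 per condition
    print(check_failure_set(SAMPLE, AIRCRAFT_TARGET, budget))
```

With the constructed sample the aggregate stays within the aircraft target, yet one condition still exceeds its individual allocation and would need further justification or design change.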
Other Considerations
The value of the safety assessment process in the development of maintenance programmes, e.g. the type and frequency of maintenance actions, must also be recognized. The outputs of the process provide useful data to determine what maintenance activities are required and how frequently they will be performed to maintain the appropriate level of aircraft integrity. These maintenance actions can prevent critical failures, e.g. by replacing items before they are likely to fail, or by detecting problems before operation of the aircraft. Not only does this support safety, but it has the potential to save money: it is usually cheaper in terms of both money and time to fix a minor problem before it becomes a serious one.