COR – Containment requirements
AMC1 Article 11 Annex E. Containment requirements
CAA ORS9 Decision No. 46
Level of integrity
| Criterion | Low (SAIL 2, 3) | Medium (SAIL 4, 5) | High (SAIL 6) |
|---|---|---|---|
| Criterion 1 (Operational volume containment) | COR.C1.L.I | COR.C1.L.I | COR.C1.H.I |
| Criterion 2 (End of flight upon exit of the operational volume) | COR.C2.L.I | COR.C2.L.I | COR.C2.L.I |
| Criterion 3 (Definition of the ground risk buffer) | COR.C3.L.I | COR.C3.M.I | COR.C3.M.I |
| Criterion 4 (Ground risk buffer containment) | Not applicable |
COR.C4.M.I |
COR.C4.M.I |
Level of assurance
| Criterion | Low (SAIL 2, 3) | Medium (SAIL 4, 5) | High (SAIL 6) |
|---|---|---|---|
| Criterion 1 (Operational volume containment) | COR.C1.L.A |
COR.C1.L.A COR.C1.M.A |
COR.C1.M.A COR.C1.H.A |
| Criterion 2 (End of flight upon exit of the operational volume) | COR.C2.L.A |
COR.C2.L.A COR.C2.M.A |
COR.C2.M.A COR.C2.H.A |
| Criterion 3 (Definition of the ground risk buffer) | COR.C3.L.A |
COR.C3.L.A COR.C3.M.A |
COR.C3.M.A COR.C3.H.A |
| Criterion 4 (Ground risk buffer containment) | Not applicable |
COR.C4.L.A COR.C4.M.A |
COR.C4.H.A |
Low level of robustness (SAIL 2 and 3)
COR.C1.L.I
Criterion 1 – Operational volume containment
(a) No probable single failure of the UAS or any external system supporting the operation must lead to operation outside of the operational volume (qualitative approach), or,
(b) The probability of the failure condition “UA leaving the operational volume” must be less than 10-3/FH (quantitative approach).
COR.C2.L.I
Criterion 2 – End of flight upon exit of the operational volume
When the UA leaves the operational volume, an immediate end of the flight must be initiated through a combination of procedures and/or technical means.
COR.C3.L.I
Criterion 3 – Definition of the final ground risk buffer
A ground risk buffer must be defined which adheres at least to the 1:1 principle, unless the Applicant is able to demonstrate the applicability of a smaller buffer.
COR.C1.L.A
Criterion 1 – Operational volume containment
(a) The compliance evidence must at least include a design and installation appraisal which shows that:
(1) The design and installation features, including independence claims, comply with the low integrity requirements.
(2) Particular risks relevant to the intended operation have been addressed and do not violate any independence claim.
(b) If compliance evidence is provided through simulation, the validity of the target environment used in the simulation must be justified.
(c) If (a), (b) and Integrity requirements are complied with through a SAIL mark certificate, the Applicant must demonstrate that the following aspects considered by the Designer are relevant to the intended operation:
(1) External systems.
(2) The operational volume is the same as or contains the operational volume considered by the Designer.
(3) Particular risks.
(d) The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA.
COR.C2.L.A
Criterion 2 – End of flight upon exit of the operational volume
(a) The adequacy of the procedures to initiate an immediate end of the flight must be tested.
(b) If (a) and Integrity requirements are complied with through a SAIL mark certificate, the Applicant must demonstrate that the procedures developed by the Designer in (a) are followed by the Operator.
(c) The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA.
(d) If compliance evidence is provided through simulation, the validity of the target environment used in the simulation must be justified.
COR.C3.L.A
Criterion 3 – Definition of the final ground risk buffer
(a) The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA.
(b) If compliance evidence is provided through simulation, the validity of the target environment used in the simulation must be justified.
(c) If (a), (b) and Integrity requirements are complied with through a SAIL mark certificate, the Applicant must demonstrate that the ground risk buffer is the same as or contains the ground risk buffer defined by the Designer.
AMC.COR.C3.L.I
Criterion 3 – Definition of the final ground risk buffer
A smaller than 1:1 ground risk buffer value may be demonstrated by the Applicant for a rotary wing UA using a ballistic methodology approach.
AMC.COR.C1.L.A
Criterion 1 – Operational volume containment
The design and installation appraisal may consist of a written justification which includes functional diagrams, describes how the system works and explains why the Integrity requirement is met.
Medium level of robustness
Lower robustness level requirements to be complied with:
• COR.C1.L.I
• COR.C1.L.A
• COR.C2.L.I
• COR.C3.L.A
Additional requirements to be compiled with:
COR.C1.M.I
Criterion 1 – Operational volume containment
No additional requirements.
COR.C2.M.I
Criterion 2 – End of flight upon exit of the operational volume
No additional requirements.
COR.C3.M.I
Criterion 3 – Definition of the final ground risk buffer
The ground risk buffer must be developed considering the following aspects:
(a) Probable single failures (including the projection of high energy parts such as rotors and propellers) which may lead to operation outside of the operational volume.
(b) Meteorological conditions.
(c) UA behaviour when activating a technical containment measure.
(d) UA performance.
COR.C4.M.I
Criterion 4 – Ground risk buffer containment
(a) No single failure of the UAS or any external system supporting the operation must lead to operation outside of the ground risk buffer.
(b) Software and airborne electronic hardware whose development errors could directly lead to operations outside of the ground risk buffer, must be developed to a standard or means of compliance acceptable to the CAA.
COR.C1.M.A
Criterion 1 – Operational volume containment
The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA.
COR.C2.M.A
Criterion 2 – End of flight upon exit of the operational volume
(a) The adequacy of the procedures must be demonstrated through either of the following methods:
(1) Dedicated flight test.
(2) Simulation, provided that the simulation is proven valid for the intended purpose with positive results.
(b) If compliance evidence is provided through simulation, the validity of the target environment used in the simulation must be justified.
(c) The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA.
If (a), (b) and Integrity requirements are complied with through a SAIL mark certificate, the Applicant must demonstrate that the procedures developed by the Designer in (a) are followed by the Operator.
COR.C3.M.A
Criterion 3 – Definition of the final ground risk buffer
The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA.
COR.C4.M.A
Criterion 4 – Ground risk buffer containment
(a) The compliance evidence must at least include a design and installation appraisal which shows that:
(1) The design and installation features, including independence claims, comply with the low integrity requirements.
(2) Particular risks relevant to the intended operation have been addressed and do not violate any independence claim.
(b) If compliance evidence is provided through simulation, the validity of the target environment used in the simulation must be justified.
(c) If (a), (b) and Integrity requirements are complied with through a SAIL mark certificate, the Applicant must demonstrate that the following aspects considered by the Designer are relevant to the intended operation:
(1) External systems.
(2) The operational volume is the same as or contains the operational volume considered by the Designer.
(3) The ground risk buffer is the same as or contains the ground risk buffer defined by the Designer.
(4) Particular risks.
(d) The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA.
AMC.COR.C4.M.I
Criterion 4 – Ground risk buffer containment
(a) One of the following methods may be used to demonstrate compliance with the requirement:
(1) An independent flight termination system which initiates the end of the flight when exiting the operational volume.
(2) A secondary independent emergency flight control system which ends the flight in a controlled manner.
(3) A tether which prevents the UA from exiting the ground risk buffer.
(4) A fail-safe health monitoring system which is triggered in the event of a critical feature failure (e.g. navigation).
(b) Annex E – AMC 1 Integrity and assurance levels for the Operational Safety Objectives (OSO) paragraph 1.5 provides further information about proposing a standard as an AMC.
AMC.COR.C4.M.A
Criterion 4 – Ground risk buffer containment
The design and installation appraisal may consist of a written justification which includes functional diagrams, describes how the system works and explains why the Integrity requirement is met.
High level of robustness
Lower robustness level requirements to be complied with:
• COR.C1.L.A
• COR.C2.L.I
• COR.C2.M.A
• COR.C3.M.I
• COR.C3.L.A
• COR.C4.M.I
• COR.C4.M.A
Additional requirements to be compiled with:
COR.C1.H.I
Criterion 1 – Operational volume containment
No remote single failure of the UAS or any external system supporting the operation must lead to operation outside of the operational volume (qualitative approach), or,
The probability of the failure condition “UA leaving the operational volume” must be less than 10-4/FH (quantitative approach).
COR.C2.H.I
Criterion 2 – End of flight upon exit of the operational volume
No additional requirements.
COR.C3.H.I
Criterion 3 – Definition of the final ground risk buffer
No additional requirements.
COR.C4.H.I
Criterion 4 – Ground risk buffer containment
No additional requirements.
COR.C1.H.A
Criterion 1 – Operational volume containment
The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA. The CAA will validate continuing compliance through oversight.
COR.C2.H.A
Criterion 2 – End of flight upon exit of the operational volume
The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA. The CAA will validate continuing compliance through oversight.
COR.C3.H.A
Criterion 3 – Definition of the final ground risk buffer
The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA. The CAA will validate continuing compliance through oversight.
COR.C4.H.A
Criterion 4 – Ground risk buffer containment
The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA. The CAA will validate continuing compliance through oversight.
AMC.COR.C1.H.I
Criterion 1 – Operational volume containment
A tether which prevents the drone from exiting the operational volume may be used to demonstrate compliance with the requirement.
GM1 Article 11 Annex E. Containment requirements
CAA ORS9 Decision No. 46
GM.COR
Determination of containment requirements addresses the risk posed by an operational loss of control that may infringe on areas adjacent to the operational volume and buffers. The level of risk inherent to the adjacent area and adjacent airspace drives the level of containment robustness to be achieved by containment design features and operational procedures.
The following section provides the containment requirements for the following 3 levels of robustness: low, medium and high.
GM.COR.C1.L.I
Criterion 1 – Operational volume containment
A probable failure is anticipated to occur one or more times in the entire operational life of the UAS.
GM.COR.C3.L.I
Criterion 3 – Definition of the final ground risk buffer
The 1:1 principle refers to applying a ground risk buffer that is as wide as the maximum height of the operational volume.
The 1:1 rule may not be sufficient to meet the target level of safety for some UA configurations (e.g., fixed-wing UA, UA equipped with a parachute). In such cases, the CAA may require defining the ground risk buffer based on a ballistic methodology approach, a glide trajectory, representative flight tests, and/or a combination thereof.
GM.COR.C1.L.A
Criterion 1 – Operational volume containment
(a) Particular risks are physical risks/hazards which originate from a source external to the UAS. Particular risks are able to effect:
(1) Both UAS structures and systems.
(2) One or more UAS sections, and even the entire UAS.
(3) One or more aircraft functions.
(4) One or more aircraft systems.
(5) One or more aircraft system installations.
(b) In other words, a particular risk may violate an independence claim made in the design (e.g. through claiming separation or redundancy of 2 or more systems or functions), which would not be captured by a hazard assessment performed within the boundaries of the UAS.
(c) Examples of particular risks are: hail, ice, snow, bird strike, lightning strike, high intensity radiated fields (e.g. electro-magnetic interference). More details on particular risk may be found in SAE ARP4761A.
(d) If the design and installation appraisal is developed by the Designer, the Designer should develop a set of assumptions for the particular risks which the UAS is expected to be exposed to in the conditions in which the UAS will be cleared to operate. The Designer should then use these assumptions in their compliance evidence data.
(e) Designer data is found on the SAIL mark certificate.
(f) Compliance evidence is typically provided through testing, analysis, simulation, inspection, design review or through operational experience.
GM.COR.C2.L.A
Criterion 2 – End of flight upon exit of the operational volume
(b) Designer data is found on the SAIL mark certificate.
(c) Compliance evidence is typically provided through testing, analysis, simulation, inspection, design review or through operational experience.
GM.COR.C3.L.A
Criterion 3 – Definition of the final ground risk buffer
(a) Compliance evidence is typically provided through testing, analysis, simulation, inspection, design review or through operational experience.
(b) Designer data is found on the SAIL mark certificate.
GM.COR.C3.M.I
Criterion 3 – Definition of the final ground risk buffer
(a) A probable failure is anticipated to occur one or more times in the entire operational life of the UAS.
(b) One example of a meteorological condition is the maximum sustained wind.
GM.COR.C2.M.A
Criterion 2 – End of flight upon exit of the operational volume
Compliance evidence is typically provided through testing, analysis, simulation, inspection, design review or through operational experience.
(c) Designer data is found on the SAIL mark certificate.
GM.COR.C4.M.I
Criterion 4 – Ground risk buffer containment
(a) See GM.CORC1.L.A (a).
(b) Designer data is found on the SAIL mark certificate.
(c) Compliance evidence is typically provided through testing, analysis, simulation, inspection, design review or through operational experience.
GM.COR.C1.H.I
Criterion 1 – Operational volume containment
A remote failure is unlikely to occur in the entire operational life of a single UAS but is anticipated to occur several times when considering the total operational life of a number of UAS of that type.
The quantitative requirement to achieve a high level of integrity is a reduction by a factor of 10 of the likelihood of exiting the operational volume, when compared with the quantitative requirement to achieve a low or medium level of integrity.