OSO 5 – UAS is designed considering system safety and reliability
AMC1 Article 11 Annex E. Operational Safety Objective 5
CAA ORS9 Decision No. 46
Level of integrity
Criterion | Low (SAIL 3) | Medium (SAIL 4) | High (SAIL 5, 6) |
---|---|---|---|
Criterion | OSO5.L.I | OSO5.L.I, OSO5.M.I | OSO5.H.I |
Level of assurance
Criterion | Low (SAIL 3) | Medium (SAIL 4) | High (SAIL 5, 6) |
---|---|---|---|
Criterion | OSO5.L.A | OSO5.L.A, OSO5.M.A | OSO5.L.A, OSO5.M.A, OSO5.H.A |
Low level of robustness (SAIL 3)
OSO5.L.I
The equipment, systems and installations must be designed to minimise hazards in the event of a probable failure of the UAS or of any external system supporting the operation.
OSO5.L.A
(a) A Functional Hazard Assessment and a design and installation appraisal must be used to demonstrate that hazards are minimized.
(b) If (a) and Integrity requirements are complied with through a SAIL mark certificate, the Applicant must demonstrate that the external systems used for the intended operation have been considered by the Designer in their compliance to the requirements.
(c) The Applicant must declare and provide evidence of compliance with the Integrity requirements. The detailed evidence of compliance may be assessed by the CAA.
AMC.OSO5.L.A
Annex E – AMC 1 Integrity and assurance levels for the Operational Safety Objectives (OSO) paragraph 1.5 provides further information about proposing a standard as an AMC.
The design and installation appraisal may consist of a written justification which includes functional diagrams, describes how the system works and explains why the Integrity requirement is met.
Medium level of robustness (SAIL 4)
Lower robustness level requirements to be complied with:
• OSO5.L.I
• OSO5.L.A
Additional requirements to be complied with:
OSO5.M.I
A strategy must be developed for the detection, alerting and management of any failure or combination thereof, which may lead to a hazard.
OSO5.M.A
(a) The safety assessment must be developed to a standard or means of compliance acceptable to the CAA.
(b) The strategy for detection of single failures of concern must include pre-flight checks.
(c) The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA.
AMC.OSO5.M.A
Annex E – AMC 1 Integrity and assurance levels for the Operational Safety Objectives (OSO) paragraph 1.5 provides further information about proposing a standard as an AMC.
High level of robustness (SAIL 5 and 6)
Lower robustness level requirements to be complied with:
• OSO5.L.A
• OSO5.M.A
Additional requirements to be complied with:
OSO5.H.I
(a) A major failure condition must be no more frequent than Remote.
(b) A hazardous failure condition must be no more frequent than Extremely Remote.
(c) A catastrophic failure condition must be no more frequent than Extremely Improbable.
(d) A single failure must not result in a catastrophic failure condition.
(e) Software and airborne electronic hardware whose development errors could directly lead to a failure affecting the operation in such a way that it may be reasonably expected that a fatality will occur, must be developed to a standard or means of compliance acceptable to the CAA.
OSO5.H.A
The Applicant must provide evidence of compliance with the Integrity requirements, which will be assessed by the CAA. The CAA will validate continuing compliance through oversight.
GM1 Article 11 Annex E. Operational Safety Objective 5
CAA ORS9 Decision No. 46
GM.OSO5
(a) OSO 5 ensures that the contribution of the UAS and any external system supporting the operation to the loss of control of the operation inside the operational volume is commensurate with the acceptable level of risk associated with each SAIL. OSO 5 safety objectives are to be considered in conjunction with the containment safety requirements (Step 10) and, when applicable, the ground risk mitigation requirements (Annex B, and in particular M2 Criterion 1 requirements). In combination, these three sets of safety objectives ensure that whatever the SAIL of the operation, the Target Level of Safety (TLOS) is achieved and no single failure is expected to lead to a catastrophic effect.
(b) Note on SAIL 2 operations: some UAS designs may employ novel or complex features which have limited demonstrable operational history. If such features are identified by the CAA or Applicant, the Applicant may be required to comply with OSO 5 requirements at a low level of robustness.
GM.OSO5.L.I
The Integrity requirement correlates with the contribution of the UAS and external systems to the loss of control of the operation, and thus with the SAIL of the operation. As an example, at SAIL 3, the contribution of the UAS and external systems to the rate of loss of control of the operation may be 10⁻⁴/FH, assuming a traditional 10% attribution to technical failures.
The term “hazard” should be interpreted as a failure condition which may lead to a major or hazardous event. Catastrophic events are excluded from SAIL 3 to 4 as the TLOS is considered to be met for SAIL 3 to 4 operations per the previous paragraph and, if applicable, Annex B M2 mitigation requirements.
A probable failure is anticipated to occur one or more times in the entire operational life of the UAS.
External systems supporting the UAS operation are defined as systems that are not an integral part of the UAS, but are used, for example, to:
• Launch / take-off the UAS.
• Undertake pre-flight checks.
• Support operations of the UA within the operational volume (e.g. GNSS, Satellite Systems, Air Traffic Management, UTM).
GM.OSO5.L.A
(a) When developing the Functional Hazard Assessment, the severity of failure conditions (e.g. no safety effect, minor, major, hazardous) should be determined in accordance with the definitions provided in JARUS AMC RPAS.1309 Issue 2.
(b) Designer data is found on the SAIL mark certificate.
GM.OSO5.H.I (a) (b) (c)
Safety objectives may be derived from JARUS AMC RPAS.1309 Issue 2 Table 3 depending on the UAS class.
GM.OSO5.H.I (e)
Development assurance levels for software and airborne electronic hardware may be derived from JARUS AMC RPAS.1309 Issue 2 Table 3 depending on the UAS class.