© 2018 RTCA, Inc.
clear. This type of UA maneuver has been taken into consideration within the analysis as
an existing control for several hazards. A C2 Link System hazard that affects the DAA
capability (e.g., the loss of the C2 Link System) would affect the ability of the DAA to
alert the remote pilot of a DAA warning and affect the ability of the Aviate command
(based on the DAA alert message) to be sent to maneuver the UA. This would increase the
severity of the encounter.
DAA Lost Link Hazard caused by a Lost C2 Link condition occurs whenever the specified
Transaction Expiration Time (TET) supporting the remote pilot’s DAA activity is exceeded
due to unavailability of the C2 Link System, including equipment failures. TET is defined
and discussed in more detail in Subsection E.1.
DAA Well Clear Definition
The federal regulations do not define well clear in a quantitative way. In order for UAS to
comply with the well clear regulations, a quantitative means for a UAS to calculate well
clear was required. This definition is established in RTCA DO-365, “Minimum
Operational Performance Standards for Detect and Avoid Systems,” Section 184.108.40.206.1, and
the description of how it was developed is in Appendix C. This OSA assumes that a
compliant DAA system is installed on the UAS.
A flyaway occurs when the pilot is unable to control the aircraft and, as a result, the UAS
is not operating in a predictable or planned manner. A Lost C2 Link state is not a flyaway,
since the UA is performing a preplanned/programmed flight and is therefore predictable.
Single Point of Failure
The SMS prescribes that a hazard with a safety risk rating of 1E must not have a single
point of failure. Section 220.127.116.11 of the SMS manual states in part:
“Hazards with catastrophic effects that are caused by single point events or failures,
common cause events or failures, or undetectable latent events in combination with single
point or common cause events are considered high risk, even if the possibility of occurrence
is extremely improbable.”
The SMS manual also states in Section 18.104.22.168:
“A catastrophic severity and corresponding extremely improbable likelihood qualify as
medium risk provided that the effect is not the result of a single point or common cause
failure. If the cause is a single point or common cause failure, the hazard is categorized
as high risk.”
There was discussion during the SRMP meetings on whether hazards C2-S1-UC1.6b,
C1-S1-UC3.2 and C1-S1-UC6.2 constituted a single point of failure leading to the catastrophic
effect. Specifically, the discussion was on whether the UAS C2 Link System was a single
point of failure leading to a mid-air collision. It was argued that a failure of the C2 Link
System does not directly lead to a mid-air collision. Although a failure of the C2 Link
System will render the DAA system inoperable, the remote pilot in command of the UAS
is required to follow contingency procedures when such a failure occurs. Contingency
procedures include notifying ATC that the UAS is in a Lost C2 Link state and the mission
needs to be terminated in an expeditious way. Hence, the loss of the C2 Link System and
the DAA capability might increase the probability of a mid-air collision, but will not
directly lead to the catastrophic effect (mid-air collision). Other factors and conditions
must be present for the catastrophic effect to occur. Therefore, the three catastrophic
hazards were not considered to be single point of failure events.