Federal Aviation Administration (FAA), DOT.
Notice of proposed airworthiness criteria.
The FAA announces the availability of and requests comments on proposed airworthiness criteria for the Matternet, Inc. Model M2 unmanned aircraft system (UAS). This document proposes airworthiness criteria the FAA finds to be appropriate and applicable for the UAS design.
Send comments on or before December 21, 2020.
Send comments identified by docket number FAA-2020-1085 using any of the following methods:
□ Federal eRegulations Portal: Go to http://www.regulations.gov and follow the online instructions for sending your comments electronically.
□ Mail: Send comments to Docket Operations, M-30, U.S. Department of Transportation (DOT), 1200 New Jersey Avenue SE, Room W12-140, West Building Ground Floor, Washington, DC 20590-0001.
□ Hand Delivery of Courier: Take comments to Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays.
□ Fax: Fax comments to Docket Operations at 202-493-2251.
Privacy: The FAA will post all comments it receives, without change, to http://regulations.gov, including any personal information the commenter provides. Using the search function of the docket website, anyone can find and read the electronic form of all comments received into any FAA docket, including the name of the individual sending the comment (or signing the comment for an association, business, labor union, etc.). DOT's complete Privacy Act Statement can be found in the Federal Register published on April 11, 2000 (65 FR 19477-19478), as well as at http://DocketsInfo.dot.gov.
Docket: Background documents or comments received may be read at http://www.regulations.gov at any time. Follow the online instructions for accessing the docket or go to the Docket Operations in Room W12-140 of the West Building Ground Floor at 1200 New Jersey Avenue SE, Washington, DC, between 9 a.m., and 5 p.m., Monday through Friday, except Federal holidays.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Hieu Nguyen, AIR-692, Federal Aviation Administration, Policy and Innovation Division, Small Airplane Standards Branch, Aircraft Certification Service, 901 Locust, Room 301, Kansas City, MO 64106, telephone (816) 329-4123, facsimile (816) 329-4090.
End Further Info
Start Supplemental Information
The FAA invites interested people to take part in the development of these airworthiness criteria by sending written comments, data, or views. The most helpful comments reference a specific portion of the airworthiness criteria, explain the reason for any recommended change, and include supporting data. Comments on operational, pilot certification, and maintenance requirements would address issues that are beyond the scope of this document.
Except for Confidential Business Information as described in the following paragraph, and other information as described in 14 CFR 11.35, the FAA will file in the docket all comments received, as well as a report summarizing each substantive public contact with FAA personnel concerning these proposed airworthiness criteria. Before acting on this proposal, the FAA will consider all comments received on or before the closing date for comments. The FAA will consider comments filed late if it is possible to do so without incurring delay. The FAA may change these airworthiness criteria based on received comments.
Confidential Business Information
Confidential Business Information (CBI) is commercial or financial information that is both customarily and actually treated as private by its owner. Start Printed Page 74295Under the Freedom of Information Act (FOIA) (5 U.S.C. 552), CBI is exempt from public disclosure. If your comments responsive to this NPRM contain commercial or financial information that is customarily treated as private, that you actually treat as private, and that is relevant or responsive to this notice, it is important that you clearly designate the submitted comments as CBI. Please mark each page of your submission containing CBI as “PROPIN.” The FAA will treat such marked submissions as confidential under the FOIA, and they will not be placed in the public docket of this notice. Submissions containing CBI should be sent to the individual listed under FOR FURTHER INFORMATION CONTACT. Any commentary that the FAA receives which is not specifically designated as CBI will be placed in the public docket for this notice.
Matternet, Inc. (Matternet) applied to the FAA on May 21, 2018, for a special class type certificate under Title 14, Code of Federal Regulations (14 CFR) 21.17(b) for the Model M2 UAS.
The Model M2 consists of an unmanned aircraft (UA) and its associated elements that include communication links and the components that control the UA. The Model M2 UA has a maximum gross takeoff weight of 29 pounds. It is approximately 50 inches in width, 50 inches in length, and 10 inches in height. The Model M2 UA is battery powered using electric motors for vertical takeoff, landing, and forward flight. The UAS operations would rely on high levels of automation and may include multiple UA operated by a single pilot, up to a ratio of 20 UA to 1 pilot. Matternet anticipates operators will use the Model M2 for transporting medical materials. The proposed concept of operations for the Model M2 identifies a maximum operating altitude of 400 feet above ground level, a maximum cruise speed of 39 knots (45 mph), operations beyond visual line of sight of the pilot, and operations over human beings. Matternet has not requested type certification for flight into known icing for the Model M2.
The FAA establishes airworthiness criteria to ensure the safe operation of aircraft in accordance with 49 U.S.C. 44701(a) and 44704. UAS are type certificated by the FAA as special class aircraft for which airworthiness standards have not been established by regulation. Under the provisions of 14 CFR 21.17(b), the airworthiness standards for special class aircraft are those the FAA finds to be appropriate and applicable to the specific type design.
The applicant has proposed a design with constraints upon its operations and an unusual design characteristic: The pilot is remotely located. The FAA developed existing airworthiness standards to establish an appropriate level of safety for each product and its intended use. The FAA's existing airworthiness standards did not envision aircraft with no pilot in the cockpit and the technologies associated with that capability.
The FAA has reviewed the proposed design and assessed the potential risk to the National Airspace System. The FAA considered the size of the proposed aircraft, its maximum airspeed and altitude, and operational limitations to address the number of unmanned aircraft per operator and to address operations in which the aircraft would operate beyond the visual line of sight of the pilot. These factors allowed the FAA to assess the potential risk the aircraft could pose to other aircraft and to human beings on the ground. Using these parameters, the FAA developed airworthiness criteria to address those potential risks to ensure the aircraft remains reliable, controllable, safe, and airworthy.
The proposed criteria focus on mitigating hazards by establishing safety outcomes that must be achieved, rather than by establishing prescriptive requirements that must be met. This is in contrast to many current airworthiness standards, used to certificate traditional aircraft systems, which prescribe specific indicators and instruments for a pilot in a cockpit that would be inappropriate for UAS. The FAA finds that the proposed criteria are appropriate and applicable for the UAS design, based on the intended operational concepts for the UAS as identified by the applicant.
The FAA selected the particular airworthiness criteria proposed by this notice for the following reasons:
General: In order to determine appropriate and applicable airworthiness standards for UAS as a special class of aircraft, the FAA determined that the applicant must provide information describing the characteristics and capabilities of the UAS and how it will be used.
UAS.001 Concept of Operations: To assist the FAA in identifying and analyzing the risks and impacts associated with integrating the proposed UAS design into the National Airspace System, the applicant would be required to submit a Concept of Operations (CONOPS). The proposed criteria would require the applicant's CONOPS to identify the intended operational concepts for the UAS and describe the UAS and its operation. The information in the CONOPS would determine parameters and extent of testing, as well as operating limitations that will be placed in the UAS Flight Manual.
Design and Construction: The FAA selected the design and construction criteria in this section to address airworthiness requirements where the flight testing demonstration alone may not be sufficient to demonstrate an appropriate level of safety.
UAS.100 Control Station: The control station, which is located separately from the UA, is a unique feature to UAS. As a result, no regulatory airworthiness standards exist that directly apply to this part of the system. The FAA based some of the proposed criteria on existing regulations that address the information that must be provided to a pilot in the cockpit of a manned aircraft, and modified them as appropriate to this UAS. Thus, to address the risks associated with loss of control of the UAS, the applicant would be required to design the control station to provide the pilot with the information necessary for continued safe flight and operation. The proposed criteria contain the specific minimum types of information the FAA finds are necessary for this requirement; however, the applicant must determine whether additional parameters are necessary.
UAS.110 Software: Software for manned aircraft is certified under the regulations applicable to systems, equipment, and installations (e.g., §§ 23.2510, 25.1309, 27.1309, or 29.1309). There are two regulations that specifically prescribe airworthiness standards for software: Engine airworthiness standards (§ 33.28) and propeller airworthiness standards (§ 35.23). The proposed UAS software criteria was based on these regulations and tailored for the risks posed by UAS software.
UAS.115 Cyber Security: The location of the pilot separate from the UA requires a continuous wireless connection (command and control link) with the UA for the pilot to monitor and control it. Because the purpose of this link is to control the aircraft, this makes the UAS susceptible to cyber security threats in a unique way.
The current regulations for the certification of systems, equipment, and installations (e.g., §§ 23.2510, 25.1309, 27.1309, and 29.1309) do not adequately address potential security vulnerabilities that could be exploited by unauthorized access to aircraft Start Printed Page 74296systems, data buses, and services. For manned aircraft, the FAA therefore issues special conditions for particular designs with network security vulnerabilities.
To address the risks to the UAS associated with intentional unauthorized electronic interactions, the applicant would be required to design the UAS's systems and networks to protect against intentional unauthorized electronic interactions and mitigate potential adverse effects. The FAA based the language for the proposed criteria on recommendations in the final report dated August 22, 2016, from the Aircraft System Information Security/Protection (ASISP) working group, under the FAA's Aviation Rulemaking Advisory Committee. Although the recommendations pertained to manned aircraft, the FAA has reviewed the report and determined the recommendations are also appropriate for UAS. The wireless connections used by UAS make these aircraft susceptible to the same cyber security risks, and therefore require similar criteria, as manned aircraft.
UAS.120 Contingency Planning: The location of the pilot and the controls for the UAS, separate from the UA, is a unique feature to UAS. As a result, no regulatory airworthiness standards exist that directly apply to this feature of the system.
To address the risks associated with loss of communication between the pilot and the UA, and thus the pilot's inability to control the UA, the proposed criteria would require that the UAS be designed to automatically execute a predetermined action. Because the pilot needs to be aware of the particular predetermined action the UA will take when there is a loss of communication between the pilot and the UA, the proposed criteria would require that the applicant identify the predetermined action in the UAS Flight Manual. The proposed criteria would also include requirements for preventing takeoff when quality of service is inadequate.
UAS.125 Lightning: Because of the size and physical limitations of this UAS, it would be unlikely that this UAS would incorporate traditional lightning protection features. To address the risks that would result from a lightning strike, the proposed criteria would require an operating limitation in the UAS Flight Manual that prohibits flight into weather conditions conducive to lightning. The proposed criteria would also allow design characteristics to protect the UAS from lightning as an alternative to the prohibition.
UAS.130 Adverse Weather Conditions: Because of the size and physical limitations of this UAS, adverse weather such as rain, snow, and icing pose a greater hazard to the UAS than to manned aircraft. For the same reason, it would be unlikely that this UAS would incorporate traditional protection features from icing. The FAA based the proposed criteria on the icing requirements in 14 CFR 23.2165(b) and (c), and applied them to all of these adverse weather conditions. The proposed criteria would allow design characteristics to protect the UAS from adverse weather conditions. As an alternative, the proposed criteria would require an operating limitation in the UAS Flight Manual that prohibits flight into known adverse weather conditions, and either also prevent inadvertent flight into adverse weather or provide a means to detect and to avoid or exit adverse weather conditions.
UAS.135 Critical Parts: The proposed criteria for critical parts are substantively the same as that in § 27.602, with changes to reflect UAS terminology and failure condition.
Operating Limitations and Information: Similar to manned aircraft, the FAA determined that the UAS applicant must provide airworthiness instructions, operating limitations, and flight and performance information necessary for the safe operation and continued operational safety of the UAS.
UAS.200 Flight Manual: The proposed criteria for the UAS Flight Manual are substantively the same as that in § 23.2620, with minor changes to reflect UAS terminology.
UAS.205 Instructions for Continued Airworthiness: The proposed criteria for the Instructions for Continued Airworthiness (ICA) are substantively the same as that in § 23.1529, with minor changes to reflect UAS terminology.
Testing: Traditional certification methodologies for manned aircraft are based on design requirements verified at the component level by inspection, analysis, demonstration, or test. Due to the difference in size and complexity, the FAA determined testing methodologies that demonstrate reliability at the aircraft (UAS) level, in addition to the design and construction criteria identified in this proposal, will achieve the same safety objective. The proposed testing criteria in sections UAS.300 through UAS.320 utilize these methodologies.
UAS.300 Durability and Reliability: The FAA intends the proposed testing criteria in this section to cover key design aspects and prevent unsafe features at an appropriate level tailored for this UAS. The proposed durability and reliability testing would require the applicant to demonstrate safe flight of the UAS across the entire operational envelope and up to all operational limitations, for all phases of flight and all aircraft configurations. The UAS would only be certificated for operations within the limitations, and for flight over the maximum population density, as demonstrated by test. The proposed criteria would require that all flights during the testing be completed with no failures that result in a loss of flight, loss of control, loss of containment, or emergency landing outside of the operator's recovery zone.
For some aircraft design requirements imposed by existing airworthiness standards (e.g., §§ 23.2135, 23.2600, 25.105, 25.125, 27.141, 27.173, 29.51, 29.177) the aircraft must not require exceptional piloting skill or alertness. These rules recognize that pilots have varying levels of ability and attention. In a similar manner, the proposed criteria would require that the durability and reliability flight testing be performed by a pilot with average skill and alertness.
Flight testing will be used to determine the aircraft's ability to withstand flight loads across the range of operating limits and the flight envelope. Because small UAS may be subjected to significant ground loads when handled, lifted, carried, loaded, maintained, and transported physically by hand, the proposed criteria would require that the aircraft used for testing endure the same worst-case ground loads as those the UAS will experience in operation after type certification.
UAS.305 Probable Failures: The FAA intends the proposed testing criteria to evaluate how the UAS functions after failures that are probable to occur. The applicant will test the UAS by inducing certain failures and demonstrating that the failure will not result in a loss of containment or control of the UA. The proposed criteria contain the minimum types of failures the FAA finds are probable; however, the applicant must determine the probable failures related to any other equipment that will be addressed for this requirement.
UAS.310 Capabilities and Functions: The proposed criteria for this section address the minimum capabilities and functions the FAA finds are necessary in the design of the UAS and would require the applicant to demonstrate these capabilities and functions by test. Due to the location of the pilot and the controls for UAS, separate from the UA, communication between the pilot and the UA is Start Printed Page 74297significant to the design. Thus, the proposed criteria would require the applicant to demonstrate the capability of the UAS to regain command and control after a loss. As with manned aircraft, the electrical system of the UAS must have a capacity sufficient for all anticipated loads; the proposed criteria would require the applicant to demonstrate this by test.
The proposed criteria contain functions that would allow the pilot to command the UA to deviate from its flight plan or from its pre-programmed flight path. For example, in the event the pilot needs to deconflict the airspace, the UA must be able to respond to pilot inputs that override any pre-programming.
In the event an applicant requests approval for certain features, such as geo-fencing or external cargo, the proposed criteria contain requirements to address the associated risks. The proposed criteria in this section would also require design of the UAS to safeguard against an unintended discontinuation of flight or release of cargo, whether by human action or malfunction.
UAS.315 Fatigue: The FAA intends the proposed criteria in this section to address the risks from reduced structural integrity and structural failure due to fatigue. The proposed criteria would require the applicant to establish an airframe life limit and demonstrate that loss of flight or loss of control due to structural failure will be avoided throughout the operational life of the UA. These proposed criteria would require the applicant to demonstrate this by test, while maintaining the UA in accordance with the ICA.
UAS.320 Verification of Limits: This section would evaluate structural safety and address the risks associated with inadequate structural design. While the proposed criteria in UAS.300 address testing to demonstrate that the UAS structure adequately supports expected loads throughout the flight and operational envelopes, the proposed criteria in this section would require an evaluation of the performance, maneuverability, stability, and control of the UA with a factor of safety.
Proposed Airworthiness Criteria
The FAA proposes to establish the following airworthiness criteria for type certification of the Matternet Model M2. The FAA proposes that compliance with the following would mitigate the risks associated with the proposed design and Concept of Operations appropriately and would provide an equivalent level of safety to existing rules:
UAS.001 Concept of Operations
The applicant must define and submit to the FAA a concept of operations (CONOPS) proposal describing the Unmanned Aircraft System (UAS) operation in the National Airspace System for which certification is requested. The CONOPS proposal must include, at a minimum, a description of the following information.
(a) The intended type of operations;
(b) Unmanned aircraft (UA) specifications;
(c) Meteorological conditions;
(d) Operators, pilots, and personnel responsibilities;
(e) Control station and support equipment;
(f) Command, control, and communication functions; and
(g) Operational parameters, such as population density, geographic operating boundaries, airspace classes, launch and recovery area, congestion of proposed operating area, communications with air traffic control, line of sight, and aircraft separation.
Design and Construction
UAS.100 Control Station
The control station must be designed to provide the pilot with all information required for continued safe flight and operation. This information includes, at a minimum, the following:
(a) Alerts, such as an alert following the loss of the command and control (C2) link and function.
(b) The status of all critical parameters for all energy storage systems.
(c) The status of all critical parameters for all propulsion systems.
(d) Flight and navigation information as appropriate, such as airspeed, heading, altitude, and location.
(e) C2 link signal strength, quality, or status.
To minimize the existence of errors, the applicant must:
(a) Verify by test all software that may impact the safe operation of the UAS;
(b) Utilize a configuration management system that tracks, controls, and preserves changes made to software throughout the entire life cycle; and
(c) Implement a problem reporting system that captures and records defects and modifications to the software.
UAS.115 Cyber Security
(a) UAS equipment, systems, and networks, addressed separately and in relation to other systems, must be protected from intentional unauthorized electronic interactions that may result in an adverse effect on the security or airworthiness of the UAS. Protection must be ensured by showing that the security risks have been identified, assessed, and mitigated as necessary.
(b) When required by paragraph (a) of this section, procedures and instructions to ensure security protections are maintained must be included in the Instructions for Continued Airworthiness (ICA).
UAS.120 Contingency Planning
(a) The UAS must be designed so that, in the event of a loss of the C2 link, the UA will automatically and immediately execute a safe predetermined flight, loiter, landing, or termination.
(b) The applicant must establish the predetermined action in the event of a loss of the C2 link and include it in the UAS Flight Manual.
(c) The UAS Flight Manual must include the minimum performance requirements for the C2 data link defining when the C2 link is degraded to a level where remote active control of the UA is no longer ensured. Takeoff when the C2 link is degraded below the minimum link performance requirements must be prevented by design or prohibited by an operating limitation in the UAS Flight Manual.
(a) Except as provided in paragraph (b) of this section, the UAS must have design characteristics that will protect the UAS from loss of flight or loss of control due to lightning.
(b) If the UAS has not been shown to protect against lightning, the UAS Flight Manual must include an operating limitation to prohibit flight into weather conditions conducive to lightning activity.
UAS.130 Adverse Weather Conditions
(a) For purposes of this section, “adverse weather conditions” means rain, snow, and icing.
(b) Except as provided in paragraph (c) of this section, the UAS must have design characteristics that will allow the UAS to operate within the adverse weather conditions specified in the CONOPS without loss of flight or loss of control.
(c) For adverse weather conditions for which the UAS is not approved to operate, the applicant must develop operating limitations to prohibit flight into known adverse weather conditions and either:
(1) Develop operating limitations to prevent inadvertent flight into adverse weather conditions; orStart Printed Page 74298
(2) Provide a means to detect any adverse weather conditions for which the UAS is not certificated to operate and show the UAS's ability to avoid or exit those conditions.
UAS.135 Critical Parts
(a) A critical part is a part, the failure of which could result in a loss of flight or unrecoverable loss of UAS control.
(b) If the type design includes critical parts, the applicant must establish a critical parts list. The applicant must develop and define mandatory maintenance instructions or life limits, or a combination of both, to prevent failures of critical parts. Each of these mandatory actions must be included in the Airworthiness Limitations Section of the ICA.
Operating Limitations and Information
UAS.200 Flight Manual
The applicant must provide a UAS Flight Manual with each UAS.
(a) The UAS Flight Manual must contain the following information:
(1) UAS operating limitations;
(2) UAS normal and emergency operating procedures;
(3) Performance information;
(4) Loading information; and
(5) Other information that is necessary for safe operation because of design, operating, or handling characteristics.
(b) Those portions of the UAS Flight Manual containing the information specified in paragraphs (a)(1) through (4) of this section must be approved by the FAA.
UAS.205 Instructions for Continued Airworthiness
The applicant must prepare ICA for the UAS in accordance with Appendix A to Part 23, as appropriate, that are acceptable to the FAA. The ICA may be incomplete at type certification if a program exists to ensure their completion prior to delivery of the first UAS or issuance of a standard airworthiness certificate, whichever occurs later.
UAS.300 Durability and Reliability
The UAS must be designed to be durable and reliable commensurate to the maximum population density specified in the operating limitations. The durability and reliability must be demonstrated by flight test in accordance with the requirements of this section and completed with no failures that result in a loss of flight, loss of control, loss of containment, or emergency landing outside the operator's recovery area.
(a) Once a UAS has begun testing to show compliance with this section, all flights for that UA must be included in the flight test report.
(b) Tests must include an evaluation of the entire flight envelope across all phases of operation and must address, at a minimum, the following:
(1) Flight distances;
(2) Flight durations;
(3) Route complexity;
(5) Center of gravity;
(6) Density altitude;
(7) Outside air temperature;
(11) Operation at night, if requested;
(12) Energy storage system capacity; and
(13) Aircraft to pilot ratio.
(c) Tests must include the most adverse combinations of the conditions and configurations in paragraph (b) of this section.
(d) Tests must show a distribution of the different flight profiles and routes representative of the type of operations identified in the CONOPS.
(e) Tests must be conducted in conditions consistent with the expected environmental conditions identified in the CONOPS, including electromagnetic interference (EMI) and High Intensity Radiated Fields (HIRF).
(f) Tests must not require exceptional piloting skill or alertness.
(g) Any UAS used for testing must be subject to the same worst-case ground handling, shipping, and transportation loads as those allowed in service.
(h) Any UAS used for testing must be maintained and operated in accordance with the ICA and UAS Flight Manual. No maintenance beyond the intervals established in the ICA will be allowed to show compliance with this section.
(i) If cargo operations or external-load operations are requested, tests must show, throughout the flight envelope and with the cargo or external-load at the most critical combinations of weight and center of gravity, that—
(1) the UA is safely controllable and maneuverable; and
(2) the cargo or external-load are retainable and transportable.
UAS.305 Probable Failures
The UAS must be designed such that a probable failure will not result in a loss of containment or control of the UA. This must be demonstrated by test.
(a) Probable failures related to the following equipment, at a minimum, must be addressed.
(1) Propulsion systems;
(2) C2 link;
(3) Global Positioning System (GPS);
(4) Critical flight control components with a single point of failure;
(5) Control station; and
(6) Any other equipment identified by the applicant.
(b) Any UAS used for testing must be operated in accordance with the UAS Flight Manual.
(c) Each test must occur at the critical phase and mode of flight, and at the highest aircraft-to-pilot ratio.
UAS.310 Capabilities and Functions
(a) All of the following required UAS capabilities and functions must be demonstrated by test:
(1) Capability to regain command and control of the UA after the C2 link has been lost.
(2) Capability of the electrical system to power all UA systems and payloads.
(3) Ability for the pilot to safely discontinue the flight.
(4) Ability for the pilot to dynamically re-route the UA.
(5) Ability to safely abort a takeoff.
(6) Ability to safely abort a landing and initiate a go-around.
(b) The following UAS capabilities and functions, if requested for approval, must be demonstrated by test:
(1) Continued flight after degradation of the propulsion system.
(2) Geo-fencing that contains the UA within a designated area, in all operating conditions.
(3) Positive transfer of the UA between control stations that ensures only one control station can control the UA at a time.
(4) Capability to release an external cargo load to prevent loss of control of the UA.
(5) Capability to detect and avoid other aircraft and obstacles.
(c) The UAS must be designed to safeguard against inadvertent discontinuation of the flight and inadvertent release of cargo or external-load.
The structure of the UA must be shown to be able to withstand the repeated loads expected during its service life without failure. A life limit for the airframe must be established, demonstrated by test, and included in the ICA.
UAS.320 Verification of Limits
The performance, maneuverability, stability, and control of the UA within the flight envelope described in the UAS Flight Manual must be demonstrated at a minimum of 5% over maximum gross weight with no loss of control or loss of flight.
Start Printed Page 74299
End Supplemental Information
Issued in Kansas City, Missouri, on November 16, 2020.
Patrick R. Mullen,
Manager, Small Airplane Standards Branch, Policy and Innovation Division, Aircraft Certification Service.
[FR Doc. 2020-25664 Filed 11-19-20; 8:45 am]
BILLING CODE 4910-13-P