OSO-05 — System Safety and Reliability
Summary
Compliance route for OSO#05 at low robustness (SAIL III) where no EASA Design Verification is required. The applicant performs a Functional Hazard Assessment per EUROCAE ED-280, an FMEA-like analysis with Common Cause Analysis, plus a Design and Installation Appraisal per ASTM F3309-21. Scope is limited to technical failures of the UAS (UA + CMU + supporting external systems and any installed FTS/M2 means); pilot error, operational-procedure errors, cybersecurity, environmental qualification (HIRF/EMI), and AI technologies are explicitly excluded.
Operation Safety Objective
"The equipment, systems, and installations are designed to minimise hazards in the event of a probable malfunction or failure of the UAS or of any external system supporting the operation. A functional hazard assessment and a design and installation appraisal that shows hazards are minimised, are available."
For medium-risk UAS (SAIL III):
- Failure conditions leading to Loss of Control of operation are not probable.
- SW / complex AEH whose development errors could directly cause LoC must be developed to a systematic methodology.
Means of Compliance
- Safety assessment per ED-280, containing:
  - Description of functional/operational principles of UAS and architecture
  - UAS-level FHA
  - FMEA-like analysis incl. Common Cause Analysis
- Design and Installation Appraisal per ASTM F3309-21 §4.4.
Severity classification (mapping to JARUS AMC RPAS.1309 Issue 2)
| RPAS.1309 severity | Effect | Qualitative safety objective |
|---|---|---|
| No Safety Effect / Minor / Major | No LoC of operation | None |
| Hazardous / Catastrophic | Loss of control of operation | Less than probable |
Catastrophic FCs are not expected to be identified at UAS-level FHA when complying with OSO#05 (TLOS already met for SAIL III).
Quantitative option (optional)
Sum of probabilities of all failure conditions leading to LoC < 10⁻⁴/FH, assuming 10% of LoC events are technical. This follows from the overall TLOS of <10⁻⁶/FH for all SAIL and the SAIL III assumption of a 1/1000 fatality probability after LoC: 10⁻⁶/FH divided by 1/1000 gives a LoC budget of 10⁻³/FH, of which the 10% technical share is 10⁻⁴/FH. Substantiate with FHA + FTA + FMEA.
Loss-of-Control examples (technical failures only)
- Crash with ground/infrastructure/people
- Unrecoverable loss of controllability
- Controlled flight into terrain
- Activation of FTS/parachute/other M2 mitigation (intended or erroneous)
- UA leaving operational volume
- System failure causing payload detachment heavy enough to risk people on ground
Activation of contingency procedures (return-to-home on C2 link loss, divergence to safe landing/crash area) is not considered LoC.
Single failures and Common Cause Analysis
- Single failures may be acceptable if less than probable.
- Exceptions (single failures must NOT lead to LoC):
  - Where M2 mitigation is used for ground-risk reduction: single failure must not simultaneously cause LoC and loss of M2 effectiveness (see MOC Light-UAS.2512-01).
  - Inherently dangerous design features (explosive/toxic payload, high-energy launch/recovery, compressed-gas malfunction).
- Common cause analysis must consider: common HW, common SW, common power source, common resource (input data, GNSS, etc.), particular ConOps risks (hail, ice, snow, EMI).
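The quantitative option above and the single-failure rules, worked through as an added Python check. This is not part of the MoC, ED-280 or any applicant's tooling; the failure conditions, their rates and the 2000 FH operational life are constructed assumptions, and the failure conditions are treated as independent.

```python
from dataclasses import dataclass

TLOS_PER_FH = 1e-6               # overall target level of safety, all SAIL (from the page)
P_FATALITY_GIVEN_LOC = 1 / 1000  # SAIL III assumption (from the page)
TECHNICAL_FRACTION = 0.10        # share of LoC events attributed to technical failures (from the page)
OPERATIONAL_LIFE_FH = 2000.0     # ASSUMPTION: per-UAS operational life; the page gives no figure

def technical_loc_budget(tlos=TLOS_PER_FH, p_fat=P_FATALITY_GIVEN_LOC, tech=TECHNICAL_FRACTION):
    """LoC budget for technical failures: 1e-6 / (1/1000) * 0.10 = 1e-4 per FH."""
    return tlos / p_fat * tech

def is_probable(rate_per_fh, life_fh=OPERATIONAL_LIFE_FH):
    """'Probable' in the page's sense: expected >= 1 occurrence over the operational life of each UAS."""
    return rate_per_fh * life_fh >= 1.0

@dataclass
class FailureCondition:
    name: str
    rate_per_fh: float          # from the FMEA/FTA; treated as independent of the others here
    leads_to_loc: bool          # UAS-level effect classified as loss of control of operation
    defeats_m2: bool = False    # the same failure also removes the M2 mitigation (e.g. FTS)

def assess(fcs, m2_used=True, budget=None):
    """Return (summed LoC rate, list of findings) against the OSO#05 criteria."""
    budget = technical_loc_budget() if budget is None else budget
    loc_fcs = [fc for fc in fcs if fc.leads_to_loc]
    total = sum(fc.rate_per_fh for fc in loc_fcs)
    findings = []
    for fc in loc_fcs:
        if is_probable(fc.rate_per_fh):
            findings.append(f"{fc.name}: probable single failure leading to LoC")
        if m2_used and fc.defeats_m2:
            findings.append(f"{fc.name}: single failure causes LoC and loss of M2 effectiveness")
    if total >= budget:
        findings.append(f"sum of LoC failure conditions {total:.2e}/FH is not below {budget:.1e}/FH")
    return total, findings

# Constructed sample FHA/FMEA output, not from any real UAS.
SAMPLE_FCS = [
    FailureCondition("Loss of both flight-control computers", 2e-5, leads_to_loc=True),
    FailureCondition("Erroneous FTS activation in flight", 3e-5, leads_to_loc=True),
    FailureCondition("Shared power bus failure (FCC and FTS)", 6e-4, leads_to_loc=True, defeats_m2=True),
    FailureCondition("GNSS loss handled by return-to-home", 1e-3, leads_to_loc=False),  # contingency, not LoC
]

if __name__ == "__main__":
    total, findings = assess(SAMPLE_FCS)
    print(f"summed LoC rate {total:.2e}/FH, budget {technical_loc_budget():.1e}/FH", *findings, sep="\n- ")
```

The shared power bus entry trips all three checks at once (probable on its own, defeats M2, and dominates the sum), which is the kind of common-cause finding the CCA is meant to surface.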
Development errors (SW / complex AEH)
For items whose development errors could directly cause LoC, applicant follows standards covering: planning, configuration summaries, OPRs, function specification & validation, function verification (test-primary), config identification & change control, change-impact analysis, issue management, process assurance.
External systems (GNSS, SATCOM, …)
FHA classifies UAS-level effect of external-system loss/malfunction. If loss directly causes LoC, OSO#08 and/or OSO#13 apply; designer must provide deterioration modes, detection means, recommended procedures.
Evidence / Verification
- Documented safety assessment (architecture, FHA, FMEA-like, CCA, dev-assurance plans/summaries, OPRs).
- Signed Design and Installation Appraisal (qualitative; component qualification, independence, separation, redundancy).
- Service experience may substantiate "less than probable" claims if fleet/configuration similarity is demonstrated; lacking that, all failures are deemed more likely than probable.
Assumptions & Limitations
- TLOS identical for all SAIL: <10⁻⁶/FH.
- SAIL III: probability of fatality after LoC assumed 1/1000.
- Single CMU controlling one UA assumed; multi-UA-per-CMU may need additional provisions.
- Cybersecurity, environmental qualification (HIRF/EMI), AI tech: out of scope — addressed elsewhere.
References
- EUROCAE ED-280 — Guidelines for UAS Safety Analysis (specific category, low/medium robustness)
- ASTM F3309/F3309M-21 — Standard Practice for Simplified Safety Assessment of Systems and Equipment in Small Aircraft
- SAE ARP 4754B / EUROCAE ED-79B — Civil aircraft and systems development
- JARUS AMC RPAS.1309 Issue 2 — Safety Assessment of Remotely Piloted Aircraft Systems
- AMC 20-152A §5.2 — definition of complex electronic hardware
Definitions (key)
- Loss of control of operation — a situation that relies on providence or that cannot be handled by a contingency procedure (per SORA semantic model + JAR-DEL-SRM-SORA-MB-2.5).
- Probable failure condition — anticipated to occur ≥1 time during entire operational life of each UAS.
- Hazardous FC — loss of UA without expected fatalities, OR large reduction in safety margins, OR remote-crew workload prevents accurate task performance.
- Major FC — significant reduction in safety margins / functional capabilities / separation, OR significant increase in remote-crew workload.
Related
- MoC Index
- OSO-03 — Maintenance of UAS
- OSO-06 — C2 Link — C2 link HW/SW must comply with OSO#05
- OSO-18 — Automatic Protection of Flight Envelope from Human Errors — automated protection function design must respect OSO#05
- OSO-24 — Environmental Conditions — uses OSO#05 output to identify systems requiring environmental qualification