OSO-18 — Automatic Protection of the Flight Envelope from Human Errors

Source PDF

Summary

Compliance route for OSO#18 at low integrity / low assurance (SAIL III, no EASA Design Verification). The UAS must include automatic protection that prevents the remote pilot from causing the UA to exceed its flight envelope (or from preventing timely recovery) via any single input under normal operating conditions. Six declarable claims (a–f) cover the limit envelope, parameter set, FCS implementation, demonstration method, pilot feedback, and system description. Highly automated UAS where the pilot cannot operate outside the envelope are exempt. Errors during planning, FTS activation, or payload release are NOT in scope (see OSO#19/#20).

Operation Safety Objective

"The UAS incorporates automatic protection of the flight envelope to prevent the remote pilot from making any single input under normal operating conditions that would cause the UA to exceed its flight envelope or prevent it from recovering in a timely fashion."

Low assurance criterion: protection developed in-house or out-of-the-box (e.g. COTS) without specific standards.

Means of Compliance — Six Claims (low robustness)

• (a) Limit flight envelope under normal operating conditions established by applicant — tied to UA design limits and/or operational limitations enabling safe controllable manoeuvring.
• (b) Flight parameters relevant for envelope protection identified, with allowed variability ranges, appropriate for aircraft kind, flight phase, manoeuvre type. Parameters analysed singly and in combination:
• Speed (horizontal/vertical)
• Angle of attack and sideslip
• Accelerations
• Aircraft pitch and bank angles
• Pitch, roll, yaw rates
• Power settings
• (c) Implementation in the flight control system on board UA and CMU if applicable.
• (d) Demonstration by ground/flight test, analysis, simulation, or combination — under anticipated operating conditions — for any identified parameter or critical combination.
• (e) Pilot feedback provided + pilot able to regain appropriate level of control.
• (f) System description — clear and concise description of system, architecture, modes, transients, pilot interaction.

Inherent-protection credit: if a parameter is protected by inherent UA characteristics (stall-resistant design, limited control authority) demonstrated by test/analysis/sim, no additional automated protection function is expected for that parameter.

Exemption: per Annex E of AMC1 to Article 11 of Regulation (EU) 2019/947, for highly automated UAS where the remote pilot has no means to operate outside the envelope, OSO#18 is not applicable.

Documentation & Record-Keeping

Declaration based on testing/analysis/simulation/inspection/design review/operational experience (or combination). Procedures, limitations, pre-flight checks, parameter settings, maintenance instructions provided to operator.

Guidance Examples (informative — not exhaustive)

• (a) Rate of descent — sudden vertical-thrust reduction → high RoD → loss of control / structural damage. Auto thrust to protect critical RoD/flight vector; demonstrate engagement & efficiency.
• (b) Structural integrity (fixed-wing) — identify limit loads, derive parameter combinations with margin, implement auto function to limit pilot inputs beyond limits, indicate engagement to pilot (e.g. caution light), pilot can recover with normal inputs.
• (c) Inherent-protection credit (fixed-wing) — naturally stable + stall-resistant + 2-axis FCS limiting roll/pitch rates; visible bank-angle limit cues; recovery margin from structural limits when input stops.
• (d) "Single input" / "single control" — interfaces enabling direct envelope exceedance must be limited and protected; flight-prep / flight-path management / FTS / payload-release interfaces are OSO#20 territory, not OSO#18.
• (e) Parameter-selection / switch protection — prevent inadvertent selection that would directly exceed envelope (flight-parameter/trajectory settings; deactivation of auto-flight, stabilization, etc.). Means include required dual action, in-activation of selected value, automatic checking of pilot input.

Link With Other OSOs

• OSO#5 — automated function design must consider system safety & reliability.
• Containment / FTS / M2 mitigation — envelope protection must not impair these means; conversely, containment limits may shape the established limit envelope.
• OSO#19 — Safe Recovery from Human Error covers human errors NOT related to envelope protection.
• OSO#20 — Human Factors evaluation requires UAS info/control interfaces clear and succinct, no confusion/fatigue/crew-error contribution.

Definitions (key)

• Flight envelope — UA design limits or designer-defined limit envelope tied to operational limitations.
• Exceedance / failure to recover in timely fashion — UA manoeuvres outside prescribed design limits where loss of control may follow or reliable return to normal operation cannot be expected.
• Single input — pilot interaction with a single HMI control over a period within which the pilot cannot be assumed to detect and correct the error.
• Loss of control (this MoC) — loss of controllability leading to crash with ground/infrastructure/people, UA leaving operational volume, or activation of FTS/parachute/M2 mitigation.
• Normal operating condition — operation within established limits and foreseeable environmental conditions.

References

• Annex E of AMC1 to Article 11 of Regulation (EU) 2019/947

Related

• MoC Index
• OSO-05 — System Safety and Reliability
• OSO-19-20 — Safe Recovery from Human Error & HMI

Open Questions

• Medium / high robustness criteria for OSO#18 (different SAIL) not in this corpus.