2.1 Certified category Uncrewed Aircraft Systems (UAS) are expected to operate in all classes of airspace for which they are equipped, and over all populous areas. Under such circumstances, certain failures of a Certified category UAS will lead to an increased likelihood of a mid-air collision with other airspace users, serious or fatal injury to people on the ground, or significant damage to critical infrastructure. To account for this, the Authority’s approach to initial airworthiness for Certified category UAS is analogous to that adopted for crewed aircraft.
2.2 This chapter guides applicants in developing a Type Certification Basis (TCB) for a candidate Certified category UAS by prescribing design requirements for a fixed wing Uncrewed Aircraft (UA), be it a Remotely Piloted Aircraft (RPA) or one that flies autonomously, the Remote Pilot Station (RPS), and Command and Control (C2) link(s). Should other components of the UAS be shown by a Functional Hazard Assessment to make a direct contribution to airworthiness, then additional design requirements will be prescribed by the Authority.
2.3 DASDRM Section 1 Chapter 3 articulates the need for robust airworthiness design requirements, usually documented in an Airworthiness Code, to underpin the safe design of Defence crewed aircraft. This need is equally applicable to Certified category UAS.
2.4 The Authority recognises NATO STANAG 4671, Uncrewed Aircraft System Airworthiness Requirements, Edition 3, as an acceptable Airworthiness Code for fixed-wing UAS, provided it is supplemented with the design requirements defined in this chapter. STANAG 4671 was derived from EASA’s Certification Specification (CS) 23 for small fixed wing aircraft, and has been accepted as a sufficient UAS Airworthiness Code by Military Airworthiness Authorities (MAAs) of NATO countries, albeit with some reservations.
2.5 The Authority notes that, circa 2021, STANAG 4671 has not yet been well exercised by UAS designers and MAAs, and therefore lacks a proven safety record. It has, however, undergone many years of review by international subject matter experts, and has a sound genesis in EASA’s CS-23. It therefore presents a sufficient basis for a Defence Type Certification program, provided Defence’s design or acquisition organisations remain vigilant for deficiencies in the STANAG when comparing the STANAG’s operating context to Defence’s unique Configuration, Role, and operating Environment (CRE). Critically, these organisations must ensure a robust system safety program is implemented to identify and address UAS-unique hazards. Furthermore, throughout the life of the platform, continued vigilance will be required to identify early indicators that assumptions are not entirely valid, referenced design standards are not entirely effective, or additional hazards exist that weren’t previously considered.
2.6 STANAG 4671 assumes a particular context of use for the UAS. This is partly driven by its civil CS-23 genesis and partly by the scope of operations agreed by the STANAG sponsors. For the STANAG to be safely applied to a Defence UAS, the operating context needs to be fully understood, and any limitations addressed where necessary.
2.7 Relevant to what Defence normally considers to be within the scope of ‘initial airworthiness’ (and therefore requiring coverage in the TCB), STANAG 4671 specifically does not cover:
airspace navigation, integration and segregation requirements (including “sense and avoid”)
the type of UAS operation (i.e. the specific military role and operating environment for the UAS)
carriage and release of weapons, pyrotechnics and other functioning or non-functioning stores designed for release during normal operations
non-deterministic flight, in the sense that UA flight profiles are not pre-determined or UA actions are not predictable to the UA crew
piloting from an external or internal control box
supersonic flight
cyber security
engines and propellers
lithium batteries.
2.8 STANAG 4671 also does not cover the following design elements that can affect flight safety, but are not normally covered in TCBs for Defence crewed aircraft:
control station security
security of the command and control data link from wilful interference
frequency spectrum allocation.
2.9 Design requirements for each paragraph 2.7 element are presented in this chapter. While design requirements are not presented for the paragraph 2.8 elements (which normally would not be included in a Defence TCB), Defence’s design or acquisition organisations would still be expected to ensure they are robustly addressed.
2.10 This chapter also assumes the UA is not optionally piloted, nor will it carry passengers. A pervasive assumption within STANAG 4671 Edition 3 is that the UA is always uncrewed, and it is impractical to reverse this assumption. Where crew or passenger carriage is required, the Authority would expect a crewed aircraft Airworthiness Code to be used, supplemented to account for the unique UAS context.
2.11 Finally, both STANAG 4671 and this chapter inherently assume the UAS design, role and operating environment will not be excessively novel. However, cognisant of the rapidly evolving nature of UAS designs and their military use, this assumption may not always hold true. Depending on the issue, it may be possible to expand the System Safety Program to identify and manage the resulting unique safety hazards. In other cases, however, the Authority may conclude that STANAG 4671 provides an insufficient basis for a safe UAS design.
2.12 The following sections identify supplementation for STANAG 4671 Edition 3, separated into ‘integrated’ and ‘system’ design requirements, aligned respectively to Sections 2 and 3 of this manual.
2.13 Section 2 of this manual covers engineering disciplines associated with crewed aircraft design that affect multiple aircraft systems or have an impact on most aspects of an aircraft’s design. This part of the chapter covers a similar scope, and leverages extensively off Section 2.
2.14 Importantly, Section 2 assumes an Authority-recognised Airworthiness Code underpins the design. Each of the Essential and Recommended design requirements in Section 2 supplements the selected Airworthiness Code, where an aspect of a requirement is judged deficient or to support application to Defence’s unique role and operating environment. Unsurprisingly, those same issues will normally be equally relevant to a UAS underpinned by the STANAG 4671 Airworthiness Code, although in some instances the unique UAS context may add or remove some requirements.
2.15 STANAG 4671 Edition 3 requires a UAS be designed to reduce risk to a level acceptable to the Certifying Authority, demonstrated through a system safety program that is a core aspect of any given design program (or design change). Cognisant of the significant variations in system safety approaches permitted by international MAAs, Section 2 Chapter 2 presents the Authority prescribed system safety design requirements for crewed aircraft. The essential design requirements in Section 2 Chapter 2 are equally applicable to design activities conducted for new Certified UAS and subsequent design changes, tailored as follows:
Essential requirement 2.15 (single-point failures) is only applicable to Catastrophic consequences for UAS using STANAG 4671 Edition 3 consequence definitions.
UAS using STANAG 4671 Edition 3 Development Assurance Levels and Design Assurance Levels do not need further supplementation through essential requirement 2.30 (software and complex electronic hardware).
2.16 Importantly, STANAG 4671 Edition 3 requires that any special military airworthiness requirements that result in an actual or potential hazard condition that reduces the margin of safety below the levels required by STANAG 4671 Edition 3 paragraph 1309 and its associated Acceptable Means of Compliance (AMC), whether temporary or permanent, will be addressed by suitable operational restrictions.
2.17 STANAG 4671 Edition 3 requires that software satisfies applicable Design Assurance Levels. In addition to the STANAG 4671 Edition 3 requirements, the Authority guidance and prescribed supplementary aviation software design requirements in Section 2 Chapter 3 are equally applicable to a Certified UAS design.
2.18 While STANAG 4671 Edition 3 includes Electromagnetic Environmental Effects (E3) requirements, Australian legislation and Defence Policy, and Defence’s intended CRE, necessitate supplementation to the TCB. Section 2 Chapter 4 presents the Authority prescribed design requirements for E3 that are equally applicable to design activities conducted for new Certified UAS and subsequent design changes, tailored as follows:
Essential requirement 4.24 (aircraft occupants) is not applicable to the UA. It is, however, applicable to the occupants of the RPS as C2 link equipment may be located near to or integrated with the RPS.
2.19 Unlike certain crewed aircraft airworthiness design requirements and standards, STANAG 4671 Edition 3 does not include requirements to maintain the E3 hardness levels established by the initial design. Recommended requirement 4.31 (E3 life cycle hardness) seeks to address this by recommending applicants follow the guidance in MIL-STD-464C when determining if additional Instructions for Continuing Airworthiness (ICA) need to be developed. However, note that this recommended ‘design requirement’ is focused on ICA development rather than E3 design, therefore it does not need to be included in a TCB.
2.20 STANAG 4671 Edition 3 requires human factors be considered when evaluating failure conditions; however, there is limited guidance material in the STANAG on this crucial engineering discipline. The Authority’s guidance and supplementary design requirements for human factors have been collated in Section 2 Chapter 5 and are equally applicable to a Certified UAS design.
2.21 STANAG 4671 Edition 3 provides equipment environmental qualification design requirements based on a nominal operating environment. Historically, Defence’s expected operating environment has often exceeded these nominal requirements. Consequently, the Authority has prescribed equipment environmental qualification design requirements in Section 2 Chapter 9 that are equally applicable to a Certified UAS design.
2.22 STANAG 4671 Edition 3 does not cover UAS designs that allow the carriage and release of aircraft stores. Consequently, the Authority prescribed aircraft/stores compatibility design requirements in Section 2 Chapter 11 are relevant to a Certified UAS design. In applying these design requirements, designers must remain cognisant that for crewed aircraft, the presence of an on-board pilot may be an assumed risk control for a variety of stores-related hazards considered during a system safety program, such as confirmation of safe store carriage/separation through visual means or by on-board indicating systems not subject to datalink uncertainties. Therefore, the demonstration of compliance to Section 2 Chapter 11 requirements must not rely on indications normally received by, or actions performed by, an on-board pilot.
2.23 In complying with the system safety requirements discussed earlier in this chapter, consideration should be given to aircraft/stores compatibility safety hazards that, whilst not always UAS-unique, may create risks of greater likelihood than when those hazards apply to crewed aircraft. In particular, consideration should be given to the:
unavailability of an on-board pilot to identify problems, either visually or through vibration, with uncommanded stores separations, hung stores, UA/stores contact during separation, stores failing to separate or fire when commanded, and damage from bird strikes and lightning strikes
need for additional independent weapon release safety interlocks to account for problems with datalink availability, latency and corruption
need for stores, especially weapons, to transition to a predetermined safe state during lost-link conditions
prevention of unintended weapon arming caused by problems with datalink corruption
means to make armed weapons safe when experiencing problems with datalink availability and corruption
ability of the RP to identify the status of stores (especially weapons) when faced with problems with datalink availability, latency and corruption.
2.24 Design Requirement (Essential). Where the UA is to carry and release aircraft stores, the UAS system safety program must account for the lack of an on-board pilot.
2.25 Post store separation safety. The inability to provide effective stores targeting creates safety hazards to the general public either near the stores’ flight path or the stores’ target area. For crewed aircraft, systems for targeting stores are not subject to datalink uncertainties and the on-board pilot may provide additional risk controls when the target area is visible. To ensure that UAS stores targeting is performed as effectively as for crewed aircraft, consideration should be given during UAS design to the:
unavailability of an on-board pilot to identify problems with weapons targeting, either visually or through vibration, with uncommanded stores separations and UA/stores contact during separation
adequacy of low-integrity GPS systems for weapons targeting in the absence of the visual observation of the target area
problems with weapon targeting created by datalink availability, latency and corruption.
2.26 Capability Design Requirement. Where the UA is to carry and release aircraft stores, the UAS design must consider the hazards to timely and accurate stores targeting created by the lack of an on-board pilot, use of low-integrity GPS systems, as well as datalink availability, latency and corruption.
2.27 Like most crewed aircraft Airworthiness Codes, STANAG 4671 Edition 3 does not contain cyber security design requirements. For UAS this omission may present an additional risk, given the dislocated nature of the RPS from the UA (which can remove a layer of protection against wilful interference), and the extent of UA control accessible via the C2 link. Consequently, the Authority prescribed cyber security design requirements in Section 2 Chapter 12 are equally applicable to a Certified UAS design.
2.28 Where cyber security is identified as a credible threat to aviation safety, in-service management arrangements must also be identified and implemented to maintain the cyber security integrity and minimise risks throughout the UAS life of type.
2.29 Section 3 of this manual covers systems on Defence aircraft for which the Authority has historically found Airworthiness Codes to be inadequate for Defence's intended CRE. This part of the chapter covers a similar scope, and leverages extensively off Section 3.
2.30 As with Section 2, Section 3 also assumes an Authority-recognised Airworthiness Code underpins the design and integration of the system onto a Defence aircraft. Each of the Essential and Recommended design requirements in Section 3 supplements the selected Airworthiness Code, where an aspect of a requirement is judged deficient or to support application to Defence’s unique role and operating environment. Those same issues will normally be equally relevant to a UAS underpinned by the STANAG 4671 Airworthiness Code, although in some instances the unique UAS context may add or remove some requirements.
2.31 STANAG 4671 Edition 3 does not prescribe design requirements for the communication systems needed for operations in particular classes of airspace. The design requirements in Section 3 Chapter 2 relevant to the intended classes of airspace are equally applicable to a Certified UAS design.
2.32 While STANAG 4671 Edition 3 prescribes design requirements for flight recorders and locating equipment, some requirements are open to negotiation with the Certifying Authority and the associated guidance material is generally limited. All essential design requirements in Section 3 Chapter 3 apply to a Certified UAS, but tailored as follows:
Essential requirement 3.6 (flight recorders) is applicable to the UA.
Essential requirement 3.11 (flight recorder power) is not applicable to UAS based on STANAG 4671 Edition 3 as it duplicates the requirements contained in USAR.1459.
Essential requirement 3.16 (Emergency Locator Transmitter) is not applicable to UAS. An Emergency Locator Transmitter’s primary purpose is to assist search and rescue to locate a crashed aircraft and provide aid to aircraft occupants as quickly as possible, thus increasing their chances of surviving an accident. Given that Authority prescription of UAS design requirements assumes the UA will not carry any crew or passengers, there is no impetus to carry an ELT. Command may, however, choose to require the fitment of an emergency beacon to aid with the recovery of the UA; this would be determined on the capability need rather than as an ‘airworthiness’ requirement.
2.33 For crewed aircraft, the placement of flight recorder equipment on-board the aircraft is a logical and practical design solution. For UAS, however, the situation is not always as clear. In general, a UAS will have two locations where flight recorder equipment may be fitted: the UA and the RPS. These two locations are connected by a C2 link that can be lost or become degraded during operations. In keeping with crewed aviation principles, the Authority prescribes that flight recorder equipment be fitted on-board the UA as this provides the best opportunity to record all necessary information when the C2 link is lost or degraded. However, there is a view forming worldwide that flight recorder equipment should also be fitted to the RPS to provide complete coverage. While it may be possible to fit flight recorder equipment to the RPS alone and record information via the C2 link, this carries the risk that key information may not be recorded once the C2 link is lost or degraded, or that bandwidth limitations may restrict the information passed to the RPS from the UA. Applicants wishing to explore RPS-only design solutions will need to approach the Authority to determine if their proposal will be accepted.
2.34 Finally, while not for inclusion in a TCB, the continuing airworthiness requirements listed in Section 3 Chapter 3 for flight recorder equipment and Emergency Locator Transmitters (where fitted) are equally applicable to Certified UAS.
2.35 STANAG 4671 Edition 3 does not prescribe design requirements for navigation systems. Defence UAS can operate in a global airspace environment that includes civil airspace that is subject to prescribed access criteria and adherence to specific Rules of the Air. While International Civil Aviation Organisation (ICAO) rules for civil aviation are not applicable to State registered aircraft, Defence UAS not capable of similar navigation performance to civil aircraft may be subject to civil airspace restrictions and sub-optimal routing. Consequently, the Authority’s guidance and supplementary design requirements for navigation systems in Section 3 Chapter 4 are equally applicable to a Certified UAS design.
2.36 Several of the standards in Section 3 Chapter 4 inherently assume the pilot will be on-board the aircraft. In demonstrating compliance to those standards, the unique UAS context where the pilot is separated from the aircraft must be fully accounted for.
2.37 STANAG 4671 Edition 3 does not include design requirements for surveillance and avoidance systems required for airspace integration and aircraft safe separation. While Defence UAS without surveillance and avoidance systems may not necessarily be precluded from operations in civil airspace, without the fitment of such systems sub-optimal routes and additional risk controls may be imposed. In extreme cases, Due Regard operations may end up being the only avenue for Defence to access certain airspace. Therefore, fitment of surveillance and avoidance systems in Defence UAS is, ultimately, a capability decision for the capability manager. The Authority’s guidance and supplementary design requirements for surveillance and avoidance systems have been collated in Section 3 Chapter 5 and are equally applicable to a Certified UAS design.
2.38 The lack of on-board crew presents a number of unique challenges for UAS operating in uncontrolled airspace where the ability to ‘see and avoid’ (also commonly termed ‘detect and avoid’ when used in the UAS context) other aircraft is a key airspace entry requirement. Several technological solutions are in development worldwide that aim to provide UAS with the ability to detect and avoid other aircraft. STANAG 4671 Edition 3 does not cover ‘detect and avoid’ designs and the Authority is yet to prescribe associated design requirements. Additionally, care must be taken when considering existing crewed aircraft collision avoidance systems, such as TCAS II, as the underlying algorithms may be based on a defined set of aircraft dynamics that may or may not be applicable to either the UAS or the encounter traffic. It is also worth noting that a ‘detect and avoid’ system installed onto a UAS would be an item of installed equipment and would need to comply with all relevant STANAG 4671 Edition 3 requirements.
2.39 Design Requirement (Essential). Where a detect and avoid capability is required for airspace access, design requirements for detect and avoid systems must be identified and proposed for Authority approval.
2.40 STANAG 4671 Edition 3 lighting system design requirements may not account for certain military operations, such as external lighting to support air-air refuelling or formation flight. The Authority’s guidance and supplementary design requirements for lighting systems in Section 3 Chapter 7 are equally applicable to a Certified UAS design.
2.41 Defence experience with electrical systems has shown that simple application of Airworthiness Codes may still pose hazards to safe aircraft operations in Defence’s unique CRE, and this is equally relevant to STANAG 4671 Edition 3. All essential design requirements in Section 3 Chapter 8 therefore apply to a Certified UAS, but tailored as follows:
Essential requirement 8.11 (Wiring with PVC) is only a recommended requirement for UAS based on STANAG 4671 Edition 3. Polyvinyl chloride (PVC) releases hydrogen chloride gas when burnt or subject to high temperatures, which transforms into hydrochloric acid on contact with moisture causing sight and breathing impairment. While there are no crew or passengers on-board a STANAG 4671 Edition 3 based UA, designers should confirm the presence of hydrochloric acid generated from electrical system faults will not cause secondary failure modes or longer-term UA degradation.
2.42 Defence experience with Environmental Control Systems (ECS) has shown that simple application of Airworthiness Codes may not adequately account for the Australian operating environment, particularly where ground operations in harsh environmental conditions are expected, and for some military loads and mission systems. This is equally relevant to STANAG 4671 Edition 3. The Authority’s guidance and supplementary design requirements for ECS in Section 3 Chapter 9 are therefore equally applicable to a Certified UAS design.
2.43 STANAG 4671 Edition 3 does not prescribe an Aircraft Structural Integrity Program be developed for UA. Defence experience is that effective and efficient management of structural integrity is required to ensure ongoing airworthiness, and to preserve the asset to its Planned Withdrawal Date (PWD). The Authority’s guidance and supplementary design requirements for aircraft structural integrity in Section 3 Chapter 12 are equally applicable to a Certified UAS design.
2.44 STANAG 4671 Edition 3 does not cover engine and propeller design, so bespoke design requirements need to be included in the TCB for the UAS. While an Authority recognised Airworthiness Code for engines and propellers provides a sound basis for these design requirements, from a safety perspective some elements may be excessive and/or insufficient. For example, given the STANAG assumes flight profiles similar to those of General Aviation, UAS designed to perform certain military flight profiles, such as aerobatics or carriage and release of stores, may necessitate additional supplementation to or tailoring of the recognised Airworthiness Code. Additionally, due to the absence of on-board crew and/or passengers, a UA engine failure may not constitute a catastrophic hazard, potentially allowing some relaxation of engine design goals. Conversely, engine design requirements for crewed aircraft may implicitly expect certain observations and actions by on-board crew, and these need to be accounted for in the UAS system safety program.
2.45 Accordingly, while the Authority’s guidance and supplementary design requirements in Section 3 Chapter 13 are applicable to a Certified UAS design, there may be room for judicious tailoring or a need for further supplementation.
2.46 Design Requirement (Essential). A relevant Authority-recognised engine Airworthiness Code is to be used for UA engine design, with tailoring and additional requirements identified as necessary, and proposed for Authority approval.
2.47 Design Requirement (Essential). A relevant Authority-recognised propeller Airworthiness Code is to be used for UA propeller design, with tailoring and additional requirements identified as necessary, and proposed for Authority approval.
2.48 As UAS designs are still evolving worldwide, novel forms of propulsion will inevitably emerge. Certified UAS employing novel forms of propulsion will require the development and inclusion of suitable design requirements.
2.49 Design Requirement (Essential). Where a novel form of propulsion is to be employed, design requirements must be identified and proposed for Authority approval.
2.50 STANAG 4671 Edition 3 does not include design requirements for airborne lasers that have the capacity to present a personnel exposure hazard, or pose a hazard to safe aircraft operations through laser beam contact with the aircraft or the generation of by-products. All essential design requirements in Section 3 Chapter 14 are equally applicable to a Certified UAS, but tailored as follows:
Essential requirement 14.4 (Aircraft occupant exposure) is not applicable to UAS as there will not be any UA occupants.
Essential requirement 14.8.B (chemical by-products/exhaust gasses) is not applicable to UAS. However, while not an airworthiness issue, designers still have a WHS duty to ensure lingering chemical by-products or exhaust gasses do not pose a hazard to maintenance personnel.
2.51 As UAS designs are still evolving worldwide, novel forms of indicating systems may emerge. The Authority’s guidance and supplementary design requirements for novel indicating systems in Section 3 Chapter 15 are equally applicable to a Certified UAS design.
2.52 STANAG 4671 assumes a particular context of UAS use. Over time, emerging technologies, threats and UAS missions may exceed that context of use. Several potential future issues have been identified in this section, along with Authority-prescribed design requirements. Where these issues are shown to have an effect on airworthiness, the Authority may approve the inclusion of the design requirements into the TCB for the UAS.
2.53 STANAG 4671 Edition 3 makes provision for automated contingency flight logic and criteria, as the behaviour has generally been pre-programmed for each mission and the resultant actions are predictable. However, STANAG 4671 Edition 3 does not cover ‘non-deterministic flight’, in the sense that the aircraft’s flight profiles are not pre-determined or its actions are not predictable to the Remote Pilot (RP) or Air Traffic Control. Supplementation will therefore be required for Certified UAS that can perform non-deterministic operations. This supplementation need only cover the non-deterministic aspects that have a direct and potentially negative impact on airworthiness.
2.54 Design Requirement (Essential). Where a UAS design will implement a capacity for non-deterministic operation, design requirements must be identified and proposed for Authority approval.
2.55 STANAG 4671 Edition 3 assumes that ‘conventional’ take-off and landing on paved runways will be utilised by the UA. Where unconventional means of UA launch and/or recovery are to be employed, supplementation to STANAG 4671 Edition 3 may be required. Any supplementation will be limited to those issues where a direct link to aviation safety can be established. For example, a Rocket Assisted Take-Off (RATO) may impose additional airframe stresses, and these must be accounted for in the airframe design. Novel recovery designs may need to account for incorrect operation of the capture mechanism, additional ICA may be required, and so on.
2.56 Design Requirement (Essential). Where unconventional launch and/or recovery is to be employed, design requirements must be identified and proposed for Authority approval.
2.57 STANAG 4671 Edition 3 does not cover supersonic flight profiles and related design considerations. Supersonic flight will require supplementation to STANAG 4671 Edition 3.
2.58 Design Requirement (Essential). Where supersonic flight is required, design requirements must be identified and proposed for Authority approval.
2.59 STANAG 4671 Edition 3 excludes UAS designs where an RP must manually control pitch, roll, yaw and/or thrust as part of normal flight operations, which it refers to as “piloting from an external or internal control box”. Supplementation to STANAG 4671 Edition 3 will be required if this method of UA control is to be employed, to account for issues such as the lack of visual cues and haptic feedback an on-board pilot would have received, control latency due to the dislocated state of the RPS and UA, and the potential for a lost or degraded C2 link.
2.60 Design Requirement (Essential). Where manual control of pitch, roll, yaw and/or thrust is required as part of normal operations, design requirements must be identified and proposed for Authority approval.