NATO STANDARD

AEP-83

LIGHT UNMANNED AIRCRAFT

SYSTEMS AIRWORTHINESS
REQUIREMENTS
Edition C, Version 1

OCTOBER 2023

NORTH ATLANTIC TREATY ORGANIZATION

ALLIED ENGINEERING PUBLICATION

Published by the
NATO STANDARDIZATION OFFICE (NSO)
© NATO/OTAN
INTENTIONALLY BLANK
INTENTIONALLY BLANK
 AEP-83

RESERVED FOR NATIONAL LETTER OF PROMULGATION

I
Edition C Version 1

\r
 AEP-83

INTENTIONALLY BLANK

II
Edition C Version 1

\r
 AEP-83

RECORD OF RESERVATIONS

CHAPTER RECORD OF RESERVATION BY NATIONS

Note: The reservations listed on this page include only those that were recorded at
time of promulgation and may not be complete. Refer to the NATO Standardization
Documents Database for the complete list of existing reservations.

III
Edition C Version 1

\r
 AEP-83

INTENTIONALLY BLANK

IV
Edition C Version 1

\r
 AEP-83

RECORD OF SPECIFIC RESERVATIONS

[nation] [detail of reservation]

BEL BEL reserves the right to categorize its UAS (OPEN, SPECIFIC,
CERTIFIED) taking into account use and scenarios and not only
intrinsic characteristics of the UAS (e.g. MTOW, impact energy) and to
apply subsequent airworthiness requirements befitting the category.
NLD For acquisitions of UAS that fall under the scope of STANAG 4703,
Military Aviation Authority of The Netherlands (MAA-NLD) will require
the implementation of AEP-83 Edition C Version 1 for UAS that are
required to be certified. The Military Type Certificate requirements in
the AEP-83 will not be followed. Instead, the MAA-NLD issues
separate regulations related to the conditions and requirements for a
Military Type Certificate.

Note: The reservations listed on this page include only those that were recorded at
time of promulgation and may not be complete. Refer to the NATO Standardization
Documents Database for the complete list of existing reservations.

V
Edition C Version 1

\r
 AEP-83

INTENTIONALLY BLANK

VI
Edition C Version 1

\r
 AEP-83
TABLE OF CONTENTS

1. Scope .......................................................................................................................... 1
2. Introduction.................................................................................................................. 1
3. Type design airworthiness evidence............................................................................ 3
4. Source documents....................................................................................................... 3
5. Restricted Certification ................................................................................................ 4
6. Requirements .............................................................................................................. 4
ER.1 System integrity ................................................................................................ 5
ER.1.1 Structures and materials .................................................................... 6
ER.1.2 Propulsion and Electrical Power......................................................... 15
ER.1.3 Systems and equipment ..................................................................... 20
ER.1.4 Continued airworthiness of the UAS .................................................. 34
ER.2 Airworthiness aspects of system operation ....................................................... 36
ER.3 Organisations .................................................................................................... 48
ANNEX A Terms and Definitions ....................................................................................... A-1
ANNEX B Landing conditions for conventional landing gear configurations
(where applicable)............................................................................................. B-1
ANNEX C Spark and compression ignition reciprocating engines ..................................... C-1
ANNEX D Electric engines................................................................................................. D-1
ANNEX E Turbine engines ................................................................................................ E-1
ANNEX F Propellers .......................................................................................................... F-1
ANNEX G Hazard Reference System ................................................................................ G-1
ANNEX H Stability and Response assessment guidance .................................................. H-1
ANNEX I The Safety Management Plan .......................................................................... I-1
ANNEX J Guidelines for airworthiness requirements applicable to UA below
the 66J impact energy ....................................................................................... J-1

VII
Edition C Version 1

\r
 AEP-83

INTENTIONALLY BLANK

VIII
Edition C Version 1

\r
 AEP-83

1. Scope

This document contains the minimum set of technical airworthiness requirements intended for
the airworthiness certification of fixed-wing Light UAS with a maximum take-off weight not
greater than 150 kg and an impact energy1 greater than 66 J (49 ft-lb) that intend to regularly
operate in non-segregated airspace.

The lower limit is established according to available blunt trauma studies showing that below
this level it is reasonably expected that a fatal injury should not occur if the UA strikes an
unprotected person. It is recognized that 66 J is a conservative value based on current research
that will be reviewed after further investigation.

For UA below the 66J impact energy threshold, it is reasonable that a number of requirements
can be relaxed. Specific airworthiness requirements must be approved by the Certifying
Authority on a case-by-case basis. Annex J of this document provides applicable guidelines,
that are not limited to fixed wing aspects.

2. Introduction

Due to the large variety of possible configurations and technology in this category of UAS and
the fact that many of these systems are architecturally simple, this STANAG has been
developed with the following objectives.
- require no more than the minimum amount of certification evidence that is needed to
substantiate an acceptable level of airworthiness;
- address all design attributes which may endanger safety;
- be flexible by being non-prescriptive, in order not to limit the design solutions (i.e.,
address issues instead of prescribing solutions).
It has been considered that a pure complete traditional prescriptive set of airworthiness codes
(e.g. CSs, FARs) could not fulfil this objective, and it could not be derived from existing civil or
military regulations applicable to manned aircraft. Therefore, a hybrid approach has been
established, which combines a set of conventional airworthiness codes requirements with other
types of qualitative criteria aimed to achieve a high level of confidence that the type design is
airworthy (e.g. through process evidence or design criteria).

The standard referred in this document will have a normal evolution with the publication of later
editions. This document will not be updated every time a new standard will be available. The
applicant should therefore refer to the latest published standard unless expressly specified.

The following areas are not covered by this airworthiness code:

a. Control station security;
b. Security of the command and control data link from wilful interference;
c. Airspace integration and segregation of aircraft (including “sense and avoid”);
d. The competence, training and licensing of UAS crew, maintenance and other staff;

1
The impact energy must be calculated using the worst case terminal velocity based on the foreseeable failure
conditions, as agreed with the Certifying Authority.
1
Edition C Version 1

\r
 AEP-83
e. Approval of operating, maintenance and design organizations;
f. Frequency spectrum allocation;
g. Noise, emission, and other environmental certification;
h. Launch/landing equipment that is not safety critical and which does not form part of the Type
Certification Basis;
i. Operation of the payload (other than its potential hazard to the aircraft);
j. Carriage or release of weapons, pyrotechnics and other functioning or non-functioning stores
designed for release during normal operations;
k. Sea-basing.

It is expected that these areas will be subject to other forms of approval by Certifying Authority
in order to ensure a total aviation safety approach. Where such approval requires technical
assessment, the Certifying Authority may supplement these requirements with suitable
additional conditions as appropriate.

Creating this hybrid approach, the top-level starting point is the set of the Military Essential
Requirements for Airworthiness, which have been transferred into the STANAG to the greatest
extent possible in their original wording and have been modified where necessary to
accomplish the specific characteristics of this type of UAS. This STANAG also establishes
detailed arguments to comply with each of these mandatory minimum essential requirements
in order to obtain a Type Certificate (or equivalent document) for UAS with Maximum Take-Off
Weight of 150 kg, or less, for flight in non-segregated airspace.

The Certifying Authority will issue a Military Type Certificate or equivalent national document
containing as a minimum:
a. System Identification;
b. System configuration description;
c. Requested operating frequencies;
d. Statement of compliance (including, if applicable, additional conditions, exemptions
and deviation);
e. List of approved publications (operating and maintenance instructions);
f. Issuing Agency;
g. Date of Issue.
Throughout this document, the term ‘Type Certificate’ refers to any document issued by a
National Certifying Authority that, within the regulatory framework of that Nation, certifies
compliance as determined by the National Certifying Authority with this STANAG.

It is recognized that 'sense and avoid' is a key enabling issue for UA operations. The derivation
and definition of 'sense and avoid' requirements is primarily an operational issue and hence
outside the scope of this STANAG. However, once these requirements are clarified, any
system designed and installed to achieve these objectives shall be considered as an item of
installed equipment within a UAS.

2
Edition C Version 1

\r
 AEP-83
3. Type design airworthiness evidence

The Applicant must provide to the Certifying Authority any type of verifiable evidence that the
system is designed to be airworthy for its intended purpose through its lifetime.

The Applicant should create comprehensive arguments, supported by a body of evidence, to

demonstrate how the mandatory Essential Requirements for Airworthiness have been met and
to provide confidence in the airworthiness of the UA type design. The evidence could consist
of one or more forms of the following types as agreed with the Certifying Authority.
• direct evidence from analysis;
• direct evidence from demonstration (rig testing, representative prototype ground and flight
operation, operational experience);
• direct quantitative safety evidence;
• direct qualitative safety evidence;
• direct evidence from hazard risk management;
• direct evidence extracted from the design review process;
• direct technical description of design features and system functions;
• direct qualitative evidence of good design (e.g. design criteria and practices);
• process evidence (e.g. Design Assurance Levels allocation as per ARP-4754; Safety
Management System processes) showing good UA life-cycle safety issues management;
• any other quantitative and/or qualitative compelling argument provided to the Certifying
Authority in order to demonstrate compliance with mandatory Essential Requirements for
Airworthiness.
Consideration of design criteria and airworthiness management processes is as important as
compliance with detailed codes, where applicable, and may constitute a certification credit
giving the Certifying Authority the necessary confidence and level of trust that the result of the
design activity is an airworthy UA. In other words, behind this STANAG is the firm belief that
the verification of design criteria, safety management plans, and technical qualitative
arguments constitute an additional means in order to demonstrate compliance with high-level
Essential Requirements for Airworthiness, which are general and qualitative in nature.
Therefore, consideration of additional evidence, other than conventional quantitative
arguments, is an effective strategy that may be used by the Authority to certify the airworthiness
of a Light UA for which the variety of possible configurations and technical design solutions
may sometimes compromise compliance with a detailed set of airworthiness codes.

4. Source documents

The following rules and standards have been used as source material to derive this STANAG:
• STANAG 4671 (UAV Systems Airworthiness Requirements for North Atlantic Treaty
Organization Military UAV Systems),
• CS-VLA (Certification Specifications for Very Light Aeroplanes),
• CS-22 Amendment 1 (Certification Specifications for Sailplanes And Powered Sailplanes),
• ASTM F2245-06 (Standard Specification for Design and Performance of a Light Sport
Airplane),
• DEF STAN 00-56 (Safety Management Requirements for Defence Systems).

3
Edition C Version 1

\r
 AEP-83
5. Restricted Certification

Non-segregated airspace contains regions of densely populated areas and sparsely populated
areas. It is therefore possible that UAS not meeting all the objectives in this STANAG will be
airworthy to fly in sparsely populated areas of non-segregated airspace as determined by the
Certifying Authority.

Non-compliance with some requirements of this STANAG may be negotiated on a case-by-

case basis depending on particular UA design and envisaged operating restrictions in the
framework of a Restricted Type Certification.

Any non-compliance or operating restriction must be approved by the Certifying Authority,

tracked and identified in the Certificate Data Sheet (or equivalent).

6. Requirements

The following section provides the Certification Basis requirements for Light UAS in the form
of a three column table in which:

I. the first column expresses the mandatory Minimum Essential Requirements for
Airworthiness;

II. the second column presents a detailed argument to elaborate the Essential Requirements
in the first column into an Airworthiness Basis for a specific type of UA;

III. the third column presents an acceptable set of evidence that may be provided to the
Certifying Authority in order to demonstrate compliance with the detailed arguments in the
second column.

Compliance with the Airworthiness Essential Requirements (first column) is mandatory and
must be demonstrated through a comprehensive set of arguments (of the type mentioned in
§3).

Unless stated as a requirement (i.e. "must" statements), the detailed arguments may be
interpreted as Applicable Means of Compliance with the Airworthiness Essential
Requirements. The Applicant should follow these requested arguments. Nevertheless, if it is
difficult for a particular application to comply with the detailed request, the Applicant may
propose to the Certifying Authority compelling alternative arguments with a rational
demonstration that a comparable level of safety is assured.

Where within the detailed argument there is a requirement to have an agreement with the
Certifying Authority, the airworthiness implication of such agreement shall be documented by
the applicant and provided to the Certifying Authority.

4
Edition C Version 1

\r
 AEP-83

NOTE
DETAILED ARGUMENTS: Compliance with the Essential Requirements may be shown by the Applicant through these detailed arguments or by any other
argument which meets the intent behind them with a comparable level of safety, to be agreed with the Certifying Authority, wherever a “should” statement
appears.

AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE

ESSENTIAL
REQUIREMENTS

ER.1 System integrity UL.0 The Applicant must identify the design usage spectrum as the set of all the foreseen operational ME0 Description of the
conditions of the UAS: design usage spectrum
System integrity must be - typical design missions;
assured for all anticipated - in-flight operation conditions;
flight conditions and ground - on-ground operation conditions;
operations for the operational - operational modes (automatic, speed-hold, altitude hold, direct manual, etc.);
life of the UAS. Compliance - take-off / launch / ramp conditions;
with all requirements must be - landing / recovery conditions;
shown by assessment or - locations and platforms (e.g. land vehicle, water vessel, aircraft, building, etc.) from which launch,
analysis, supported, where command and control, and recovery operations will be performed (e.g., land, littoral/maritime, air);
necessary, by tests. - number of air vehicles to be operated simultaneously;
- transport conditions (define the transportation and storage environment of the UAS - e.g. bag,
package, truck or whatever is required);
- operating environmental conditions:
- natural climate (altitude, temperature, pressure, humidity, wind, rainfall rate, lightning, ice, salt
fog, fungus, hail, bird strike, sand and dust, etc.);
- electromagnetic environmental effects (electromagnetic environment among all sub-systems
and equipment, electromagnetic effects caused by external environment, electromagnetic
interference among more than one UAS operated in proximity);
- lighting conditions (e.g., day, night, dawn, dusk, mixed, etc.);
- identify all the possible mass configurations (minimum and maximum flying weight, empty CG, most
forward CG, most rearward CG must be identified).
In all the identified conditions the Applicant must verify to the satisfaction of the Certifying Authority the
requirements of the following paragraphs.

5
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

UL.1 The Applicant must identify design criteria, standards and practices used to design UA structure, engine, ME1 A description of the
propeller, and UAS and equipment. design criteria to be used
must be submitted to the
UL1.1 Where practicable, the UA should be designed without sharp edges that may constitute a danger
Certifying Authority, in order
to third parties on the ground. Propellers should be designed in a way to limit any injury that may be
to gather a sufficient level of
inflicted by the blades.
trust

ER.1.1 Structures and UL.2 The Applicant must define and justify with a rationale a positive margin beyond the maximum operating ME2 A description of the
materials envelope, in order to establish the design loads. This margin must take into account all the possible rationale for the design loads
uncertainties related to: operator usage (e.g. loads may be exceeded due to operator demands in manual margins to be included in
The integrity of the structure
direct piloting conditions), material properties variation, and design method approximation. Design Criteria in ME1
must be ensured throughout,
and by a defined margin Strength Requirements are specified in terms of limit loads (the maximum loads to be expected in service)
beyond, the operational and ultimate loads (limit loads multiplied by prescribed factors of safety). Unless otherwise provided,
envelope for the UA, prescribed loads are limit loads.
including its propulsion
system, and maintained for
The following margins should be taken into account, unless more rational means are agreed with the
the operational life of the UA.
Certifying Authority.
UL2.1 a positive margin between the maximum design speed [VD] and the maximum operating speed
[VCmax] (the maximum operating speed should be no more than 0.9 the maximum design speed);
UL2.2 a factor ≥1.25 to determine limit loads on the control system components and its supporting
structure from the computed hinge moments of the movable control surface;
UL2.3 an ultimate load factor of safety ≥1.5 (for structure whose failure would lead to a Hazardous or
more serious failure condition) or ≥1.25 (for other structure);
UL2.4 the factor of safety of UL2.3 should be multiplied by a further special factor in the following cases:
- ≥2.0 on castings,
- ≥1.15 on fittings,
- ≥2.0 on bearings at bolted or pinned joints subject to rotation,
- ≥4.45 on control surface hinge-bearing loads except ball and roller bearing hinges,
- ≥2.2 on push-pull control system joints,
- in composite structures, if A or B allowables for hot and wet conditions are not statistically
justified (as per UL9.2 and UL9.3), the following special factors should be used: ≥1.2 for
moisture conditioned specimen tested at maximum service temperature, providing that a

6
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
well-established manufacturing and quality control procedure is used; or ≥1.5 for specimen
tested with no specific allowance for moisture and temperature;
- ≥1.5 for attachments in frequently assembled and disassembled structural parts, to cover
potential deterioration in service; alternatively, this factor is not needed if a test reproducing
the required number of assemble/disassemble operations demonstrates no degradation of
structural integrity;
- in certain circumstances the Certifying Authority may choose to use a further justified
special factor >1 to cover any uncertainty not previously mentioned.

ER.1.1.1 All parts of the UL.3 The Applicant must identify Primary Structural Elements (PSEs) for which failure would lead to hazardous ME3 Description of the
UA, the failure of which could or more serious effects (e.g. primary UA structure bearing aerodynamic, inertial and propulsion forces; PSEs
reduce the structural control surface and control system structural elements, control surface hinges; structural elements of
integrity, must comply with systems used in launching and recovery phases).
the following conditions
without detrimental UL.4 For each PSE identified in UL.3 and for all on-board equipment, the structure must be proven according ME4 Static strength should
deformation or failure. This to the following criteria: be demonstrated through
includes all items of - no detrimental deformation against the Limit Loads; ultimate load tests in the
significant mass and their - no rupture against the Ultimate Loads obtained by multiplying the loads identified under UL.5 to UL.6 appropriate environment, or
means of restraint. by the ultimate load factors of safety in UL.2; by using the appropriate
- the control system is free from interference, jamming, excessive friction and excessive deflection knockdown factors.
when the control system loads are applied to the controls and the surfaces; additionally the control Alternatively, proof by analysis
system stops must withstand those loads. may be accepted provided it is
supported by the appropriate
For non-PSEs, the structure must be proven according to the following criterion:
extent of lower level testing to
- no rupture against the Ultimate Loads obtained by multiplying the loads identified under UL.5 to UL.6
validate the method used.
by the ultimate load factors of safety in UL.2.
ER.1.1.1.1 All combinations UL.5 Flight loads ME5 Assumptions and
of load reasonably expected analysis of the design loads
The Applicant must identify all of the loads that PSEs must withstand in flight, at each critical combination
to occur within, and by a in-flight
of altitude, speed and UA configurations (including weight, centre of gravity, landing gear configurations,
defined margin beyond, the
weights, centre of gravity fuel distribution, aerodynamic configurations, etc.).
range, operational envelope UL5.1. The manoeuvres which need to be considered in the load establishment are those resulting from
and life of the UA must be all reasonable combinations of possible control surface deflections and power or thrust settings,
considered. This includes taking into account the UAS design peculiarities.
loads due to gusts,

7
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
manoeuvres, pressurisation,
If convenient, conservative manoeuvre conditions may be used, providing there is compelling
movable surfaces, control
rationale to justify the degree of conservatism.
and propulsion systems both
in flight and on the ground. The resulting load conditions (with all forces acting on the UA placed in equilibrium with inertial
forces) must be established in a rational or conservative manner and must consider:
- the UAS nominal modes of control,
- the UAS failure modes where probability of occurrence is higher than extremely remote,
- Non-symmetrical loads due to engine failure (for multi-engine configurations).
UL5.2. A symmetric manoeuvring load factor ≥3.8 should be established. A symmetric negative
manoeuvring load factor ≤-1.5 should be established.
UL5.2.1 Manoeuvring load factors lower than the above (but not less than a minimum load
envelope 0 - 2.5 g) may be used if the UA has design features that make it impossible
to intentionally exceed these values in flight.
UL5.2.2 There should be means to avoid maximum load factor exceedances in all operational
modes, including manual direct mode where applicable (e.g. warning systems to the
UA operator or load envelope protections as per UL.57 and UL.58). If such design
features are not provided, an adequate proof factor of safety >1.0 should be agreed
with the Certifying Authority, and applied to all PSEs to prove that detrimental
deformation will not occur.
UL5.3. The UA is assumed to be subjected to symmetrical vertical and lateral gusts in level flight.
The load factors resulting from gusts should correspond to the conditions determined as follows.
Positive (up) and negative (down) gust values at VCmax and VD should be determined by rational
analysis of the intended use of the UAS, considering the design operational altitude level and
the cruise speed (consistent with the design usage spectrum defined in UL.0). In absence of an
alternative compelling rationale, the following should be used.
- positive (up) and negative (down) gusts of 15.2 m/s (50 fps) at VCmax should be considered
at altitudes between sea level and 6096 m (20,000 ft). Where applicable, the gust velocity
may be reduced linearly from 15.2 m/s (50 fps) at 6096 m (20,000 ft) to 7.6 m/s (25 fps) at
15,240 m (50,000 ft).
- Positive and negative gusts of 7.6 m/s (25 fps) at VD should be considered at altitudes
between sea level and 6096 m (20,000 ft). Where applicable, the gust velocity may be
reduced linearly from 7.6 m/s (25 fps) at 6096 m (20,000) ft to 3.8 m/s (12.5 fps) at 15,240
m (50,000 ft).
The same values should be used for lateral gust.
8
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

Potential limitations may be established, where applicable, and documented in operating

manuals, taking due account of the design usage spectrum as per UL.0.
NOTE 1 - For UAs with configuration, size and speeds for which the simplified gust
characterization of CS-VLA may apply, in the absence of a more rational analysis, the gust load
factors may be computed as follows:

NOTE 2 - For UAS light and slow the CS-VLA simplified formula may produce unrealistic gust
responses. More accurate and realistic results for gust loads may be established considering (1-
9
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
cos) gust profiles at VCmax (50 fps gust) and VD (25 fps gust). The gust length of the (1-cos)
profiles should be established based on the typical scales of turbulence at the typical operating
altitude (as per UL0) in accordance with CS-25, MIL-F-8785C, MIL-DTL-9490E, SAE-AS94900,
JSSG-2001B or any other recognized database for turbulent air characterization, as agreed with
the Certifying Authority. Including the Flight Control System Control Laws in a 5 or 6 degrees of
freedom time simulation of the UA entering the (1-cos) gust profiles allows a realistic
determination of the Nz for gust loads.
UL5.4. Recovery with parachute (for applications with normal parachute landing operations) - The loads
during recovery phase due to deployment of the parachute and consequent aerodynamic and
inertial loads from the worst operational condition of weight and flight envelope must be
determined.
UL5.5. Recovery with parachute (for applications in which parachute recovery is an emergency condition
only) –The loads due to deployment of the parachute and consequent aerodynamic and inertial
loads from the worst operational condition of weight and flight envelope must be determined as
an ultimate condition only.
UL5.6. Any other specific load condition in-flight not included in the previous paragraphs.

UL.6 Ground loads ME6 Assumptions and

analysis of the design loads
The Applicant must identify all loads that the PSEs must withstand on the ground, considering external
on-ground
forces in equilibrium with inertial forces.
UL.6.1 Launch / Catapult (where applicable)
- For both the launch system and the UA PSEs, determine a longitudinal load corresponding
to the maximum continuous load factor applied by the launch system / operator at the
maximum and minimum take-off weight.
- Demonstrate that either the assumptions for launching loads determination are sufficiently
conservative or that the acceleration and the rate of change of acceleration (jerk) imposed
by the launcher are controlled such that the UAS does not sustain damage during launch.
UL.6.2 Landing impact at the maximum design weight
Taking into account the specific design usage spectrum as per UL.0, the worst combination of
loads corresponding to all the reasonably possible scenarios of impact in the landing phase must
be determined. For conventional landing gear configurations see Annex B as a reference.
UL.6.3 Any other specific load condition on-ground not included in the previous paragraphs.

10
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

ER.1.1.1.2 Where N/A

applicable to the system,
consideration must be given
to the loads and likely failures
induced by emergency
landings either on land or
water.

ER.1.1.1.3 Dynamic effects UL.7 Structural dynamic load response – The airframe should be monitored in flight tests and ground tests in ME7 A combination of tests
must be covered in the order to assess whether the dynamic response to flight and ground loads is relevant, or not, as agreed and analyses
structural response to these with the Certifying Authority. If the dynamic contribution in flight or ground operations is shown to be
loads. relevant, a dynamic response analysis should be performed using the most significant dynamic loading
conditions.

ER.1.1.2 The UA must be UL.8 Aeroservoelastic effects – A rational compelling set of arguments must be provided to the satisfaction of ME8 A combination of
free from any aero–servo- the Certifying Authority, in order to show that the UA is free from flutter, control reversal, and divergence assumptions, tests and
elastic instability and in all configurations. A margin ≥1.22 VD must be applied. analyses
excessive vibration.
Simplified analytical or computational conservative methods may be used.
Though specific flutter flight tests with appropriate excitation are not mandatory, as agreed with the
Certifying Authority, flight tests survey should not reveal excessive airframe vibrations, flutter, or control
divergence at any speed within the design usage spectrum as per UL.0.

ER.1.1.3 The UL.9 The Applicant must identify the material allowables used in structure design, so that no structural part is ME9 Description of the
manufacturing processes under strength as a result of material variations or load concentration. used materials and their
and materials used in the allowables. Evidence of
UL9.1 The sources for material allowables determination must be declared and agreed with the
construction of the UA must compliance could be given in
Certifying Authority.
result in known and the Design Criteria of ME1.
reproducible structural UL9.2 The following criteria in choosing material allowables should be used.
properties. Any changes in
- Where applied loads are eventually distributed through a single member within an
material performance related
to the operational assembly, the failure of which would result in the loss of the structural integrity of the
component involved, the guaranteed minimum design mechanical properties (‘A’ values -

2
Flutter flight tests with appropriate excitation could allow reduction of this margin up to 1.15.
11
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
environment must be value above which at least 99% of the population of values is expected to fall with a
accounted for. confidence of 95%) should be met.
- Redundant structures, in which the failure of the individual elements would result in applied
loads being safely distributed to other load carrying members, may be designed on the
basis of the 90% probability values (‘B’ basis).
- When the Applicant is unable to provide satisfactory statistical justification for A and B
values, especially in the case of manufacturing of composite materials, an additional safety
super factor should be applied to ensure that A/ B values are met.
Material properties handbooks (e.g. MMPDS-03, CMH-17) could be used.
UL9.3 Where temperature and moisture have significant effects on the material strength capabilities
(e.g. composites), the allowable design values must be considered in the worst operational
conditions (see also UL2.4).

UL.10 The Applicant must identify the materials and manufacturing processes used in the construction of the UA ME10 AS/EN-9100
and the criteria implemented to control materials performance variability among specimens. Certification or equivalent.
Manufactured parts, assemblies, and the complete UAS must be produced in accordance with the
manufacturer’s Quality Management System, approved as per AS/EN-9100 certification or equivalent.

ER.1.1.4 The effects of UL.11 Fatigue ME11 Structural design

cyclic loading, environmental criteria (refer to ME1) and
UL11.1. The structure must be designed, as far as practicable, to avoid points of stress concentration
degradation, accidental and stress analysis.
where variable stresses above the fatigue limit are likely to occur in normal service.
discrete source damage
must not reduce the UL11.2. There must be sufficient evidence that PSEs have strength capabilities to achieve an adequate
structural integrity below an safe-life.
acceptable residual strength
UL11.2.1. For Aluminium and Steel Alloys, the use of stress levels less than half of the rupture
level. All necessary
tensile strength may be taken as sufficient evidence, in conjunction with good design
instructions for ensuring
practices to eliminate stress concentrations, that structural items have adequate
continued airworthiness in
this regard must be safe-lives.
promulgated. UL11.2.2. For wood, ANC-18 should be used as a reference.
UL11.2.3. For Composite materials, the use of strain levels compatible with the no-growth
criterion for the Damage Tolerance (as per UL13.1.1 or UL13.1.2) may be taken as
sufficient evidence, in conjunction with good design precautions to avoid the local

12
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
development of out-of-plane stresses3, that structural items have adequate safe-
lives.

UL.12 Protection of the structure against weathering, corrosion and wear, as well as suitable ventilation and ME12 Description of
drainage, must be provided as required. protection criteria against
environmental degradation
and corresponding inspection
and test where applicable.

UL.13 The Applicant must identify all reasonable accidental and discrete sources of damage relevant for the ME13 Description of
operational conditions and determine protection design features for each of them. protection criteria against
accidental discrete damage
UL13.1 Impact damage on composite PSEs
sources and corresponding
For composite PSEs, it must be shown that delamination or barely visible flaws related to impact analyses and tests where
damages realistically expected from manufacturing and service will not reduce the structural applicable.
strength below ultimate load capability and will not grow.
The following alternative arguments are acceptable means to comply with this requirement.
UL13.1.1 For composite PSEs, a special factor ≥ 6.0 multiplying the factor of safety of UL2.3
could be used.
To demonstrate strength and damage tolerance for damaged critical design
features the Certifying Authority may require tests at detail, sub-component or
component levels.
UL13.1.2 Composite PSE parts could be designed not to exceed the following Damage
Tolerance Strains:
Loading Damage Tolerance Strain(με)
Sandwich skin Full Laminates with
Full Laminates with thickness > 2 mm
thickness ≤2 mm
Tension 5000 5000
Compression 2600 3000
Shear 5200 6000

3
Corners, ply drop-off, stringer run-outs are of primary importance.
13
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

To demonstrate strength and damage tolerance for damaged critical design

features, the Certifying Authority may require tests at detail, sub-component or
component levels.
This allowable strain must be used in absence of a compelling argument in the
choice of allowables in composite material, taking into account reduction of
strength capabilities down to barely visible impact damage strength after impact.
Note - The damage tolerance strain values in the above table should only be used
if the degradation of Hot Wet (HW) properties is less than 50% of the Room
Temperature Dry (RTD) properties. Otherwise, a safety factor of 6.0 should be
used.
Note - The above strain values may be increased if the Applicant shows by other
evidence (e.g. analytical evidence; analysis with a representative composite
material; specimen tests; repeated landing demonstration test in conjunction with
composite inspections) that the typical damages within the design usage
spectrum have no negative influence on the composite structure, including the
consideration of material properties, possible impact zones, and protection layers,
etc.
UL13.2 Bird strike
Bird strike protection for the UA must be agreed with the Certifying Authority, according to the
intended UA size, use and technological constraints.
The UA should be designed so that the impact with a 0.2kg bird does not result in a catastrophic
event at any speed within the design usage spectrum.

UL.14 The designed configuration must provide accessibility for PSEs and control system inspection, ME14 Description of
adjustment, maintenance and repair, where necessary. accessibility provisions

UL.15 The Applicant must promulgate all necessary instructions for ensuring continued airworthiness. ME15 Set of instructions for
continued airworthiness to be
provided in the operational
manuals.

14
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

ER.1.2 Propulsion and UL.16 Engine ME16 Declaration of

Electrical Power compliance by the Engine
UL16.1 For spark and compression ignition engines, the installed engine must comply with the requirements
Manufacturer, together with
The integrity of the of Annex C, as agreed with the Certifying Authority.
the complete set of
propulsion system (i.e.
For electric engines, the installed engine must comply with the requirements of Annex D, as agreed compliance evidence.
engine and, where
with the Certifying Authority.
appropriate, propeller) and Safety Assessment Report
electrical power system must For turbine engines, the installed engine must comply with the requirements of Annex E, as agreed
Where necessary, description
be demonstrated throughout, with the Certifying Authority.
of fire detection and warning
and by a defined margin
UL16.2 The installation must provide accessibility for servicing, inspection and maintenance. system and description of the
beyond, the operational
procedure to take in case fire,
envelope of the propulsion UL16.3 The fire hazard must be assessed as per UL30.3.
together with fire expansion
and electrical power system
If the fire hazard risk is not compliant with the hazard reference system: analysis or test
and must be maintained for
the operational life of the - detection means should be installed on–board and warnings provided in the UCS / UCB,
propulsion and electrical so that the UA operator can take appropriate actions;
system. - a fire expansion assessment should be conducted in order to evaluate time for fire
propagation to catastrophic event;
- the operating manuals must contain procedures following a fire detection.

UL.17 Propeller - The installed propeller must comply with the requirements of Annex F. ME17 Declaration of
compliance by the Propeller
Manufacturer, together with
the complete set of
compliance evidence

ER.1.2.1 The propulsion UL.18 Propulsion system compatibility ME18 Description of

system must produce, within requirements compatibility,
UL18.1 Compatibility between engine and propeller requirements and limits must be assured:
its stated limits, the thrust or analyses, ground and flight
power demanded of it at all - engine power and propeller shaft rotational speed must not exceed the propeller limits; test evidence as agreed with
required flight conditions, - for fixed pitch propeller, maximum engine RPM must not be exceeded with full throttle setting the Certifying Authority.
taking into account during take-off, climb or flight at VCmax; 110% maximum continuous RPM must not be exceeded
environmental effects and during a glide at VCmax with throttle closed;
conditions. - for propeller that can be controlled in flight but does not have constant speed controls:

15
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
• maximum engine RPM must not be exceeded with the lowest possible pitch selected
and full throttle setting during take-off, climb or flight at VCmax;
• 110% maximum continuous RPM must not be exceeded during a glide at VCmax with
the highest possible pitch selected and throttle closed;
- for controllable pitch propeller with constant speed controls:
• with the governor in operation, there must be a means to limit the maximum engine
rotational speed to the maximum allowable take-off speed;
• with the governor inoperative, there must be a means to limit the maximum engine
rotational speed to 103 % of the maximum allowable take-off speed with the
propeller blades at the lowest possible pitch and the UA stationary with no wind at
full throttle position;
- each propeller with metal blades or highly stressed metal components must have vibration
stresses in normal operating conditions, not exceeding values demonstrated by the propeller
manufacturer, to be safe for continuous operation (see UL.P.8).
UL18.2 The installation must comply with the instructions provided by the engine and propeller
manufacturers (see UL.RE.1, UL.EE.1, UL.TE.1, UL.P.1).
UL18.3 Performance compatibility between UA design usage spectrum requirements identified in UL.0
and the engine and propeller limits verified under UL.16 and UL.17 must be assured. Flight
demonstration should be performed at the more severe and demanding operating conditions.
UL18.4 Environmental compatibility between UA design usage spectrum requirements identified in UL.0
and the engine and propeller limits verified under UL.16 and UL.17 must be assured. In particular,
UA power-plant cooling provisions must maintain the temperatures of propulsion system
components and engine fluids within the temperature limits established by the engine
manufacturer during all likely operating conditions. Flight demonstrations should be performed at
the more severe and demanding operating conditions.
UL18.5 Air inlet
18.5.1. Air induction (for reciprocating engine applications)
- The air induction system must supply the air required by the engine under the operating
conditions defined in UL.0.
- If operating conditions defined in UL.0 specify operations in icing conditions, then the
air-induction system must have means to prevent and eliminate icing.
18.5.2. Air inlet (for turbine engine applications)

16
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
- The installation of turbine engine must be compatible with maximum distortion limits
allowed by the engine.
- There must be means to prevent hazardous quantities of fuel leakage or overflow from
drains, vents or other components of flammable fluid systems from entering the engine
intake system.
- The air intake duct should be located or protected so as to minimize foreign objects
ingestion in hazardous quantity during take-off, landing and taxiing.
UL18.6 The exhaust system (where applicable) must ensure safe disposal of exhaust gases without
posing a fire hazard to the UA.
UL18.7 Reserved.

ER.1.2.2 The fabrication This Essential Requirement is met by compliance with UL.16 and UL.17.
process and materials used
in the construction of the
propulsion system must
result in known and
reproducible structural
behaviour. Any changes in
material performance related
to the operational
environment must be
accounted for.

ER.1.2.3 The effects of This Essential Requirement is met by compliance with UL.16 and UL.17.
cyclic loading, environmental
and operational degradation
and likely subsequent part
failures must not reduce the
integrity of the propulsion
system below acceptable
levels. All necessary
instructions for ensuring
continued airworthiness in

17
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
this regard must be
promulgated.

ER.1.2.4 All necessary This Essential Requirement is met by compliance with UL.16 and UL.17.
instructions, information and
requirements for the safe and
correct interface between the
propulsion system and the
UAS must be promulgated.

ER.1.2.5 Fuel and UL.19 Fuel system ME19 Description and tests
electrical power system of the fuel system.
UL19.1 The fuel system must be able to provide the necessary fuel flow at the necessary conditions
The engine must be safely required by the engine throughout the operational envelope, under the most critical conditions.
fed by the quantity of fuel
UL19.2 The unusable fuel quantity for each tank must be established by test and must not be less than
required to perform the UA
the quantity at which the first evidence of engine fuel starvation occurs under each intended flight
missions it is certified for.
operation and manoeuvre.
The electrical power system
UL19.3 Tanks must be protected against wear from vibrations, and their installation must be able to
must safely provide the
withstand the applicable inertial loads.
electrical power required to
perform the UA missions it is UL19.4 Fuel tanks and associated supporting structure should be designed to withstand the pressure
certified for. developed during maximum ultimate acceleration with a full tank.
UL19.5 Fire hazard related to fuel vapour accumulation in the tank zone must be minimized (e.g. each
tank should be vented).
UL19.6 There must be means to ensure the engine is fed with fuel meeting the engine manufacturer
specification with respect to the maximum acceptable level of contaminants and water (e.g. safe
drainage to remove water and contaminants; a fuel strainer or filter accessible for cleaning and
replacement).
UL19.7 The fuel lines must be properly supported and protected from vibrations and wear.
UL19.8 Fuel lines located in an area subject to high heat (engine compartments) must be fire-resistant
or protected with a fire-resistant covering.

18
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
UL19.9 Depending on the safety analysis results, the possibility of introducing a fuel shutoff valve which
can be activated by the remote operator should be considered (e.g. taking into account engine
fire risk, shutoff valve failure effects, temperature sensor failure effects, etc.).
UL19.10 The maximum exposed surface temperature of any component in the fuel tank must be less, by
a safe margin, than the lowest expected auto-ignition temperature of the fuel or fuel vapour in
the tank. Compliance with this requirement must be shown under all operating and all failure or
malfunction conditions of all components inside the tank.
UL19.11 The fuel system design must take into account the following:
a. Possible sources of ignition including electrical faults, over-heating of equipment and the
malfunction of protective devices
b. Possible sources and paths of fluid leakage and means of detecting leakage.
c. Flammability characteristics of fluids, including effects of any combustible or absorbing
materials.

UL.20 Electric power ME20 Description and tests

of the battery.
UL20.1. Electrical System
20.1.1. The electrical power subsystem must be able to provide the necessary voltage and current
required by the engine and electrical equipment throughout the operational envelope. An
electrical Load Analysis should be provided.
20.1.2. The electrical system should include overload protection devices (fuses or circuit breakers),
a failure warning system and enough power to meet peak load.
20.1.3. Electrical bonding should be guaranteed be installed in accordance with standard aerospace
practices, (e.g. STANAG 3659 or equivalent can be used as a guideline).
20.1.4. The electrical wiring should be installed in accordance with standard aerospace practices,
SAE AS50881 or equivalent can be used as a guideline.
20.1.5. The electrical system should be installed such that the risk from mechanical damage and/or
damage caused by fluids, vapours, or sources of heat, is minimized.
20.1.6. The power subsystem must include a voltage sensor.
20.1.7. There must be a master switch or switches arranged to allow ready disconnection of all
electric power sources. The point of disconnection must be adjacent to the sources controlled
by the switch.

19
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
20.1.8. The electrical System must be designed that the risk of electrical shock is reduced to a
minimum.
UL20.2. Battery System
20.2.1. The battery installation must be able to withstand the applicable inertial loads.
20.2.2. The installation provisions, the environment and the intended usage of all batteries must meet
all performance, operating and safety requirements established by the battery manufacturer.
20.2.3. There must be means to minimize the risk of battery overheating/explosion (e.g. cooling,
temperature sensor, active battery management system).
20.2.4. A minimum voltage threshold that indicates low remaining capacity must be determined in
the worst environmental conditions. A low battery warning must be provided in the UCS/UCB
in order to alert the UA operator that the battery has discharged to a level which requires
immediate UA recovery actions. The procedure to be followed in case of low battery warning
must be established and provided in the Flight Manual.
20.2.5. The battery pack charger must be considered part of the UAS. The charger must have
indicators for fault and charging status.
20.2.6. Information concerning battery storage, operation, handling, maintenance, safety limitations
and battery health conditions must be provided in the applicable manuals.
20.2.7. Saltwater compatibility must be considered (where applicable) as per UL.0.
20.2.8. For rechargeable Lithium batteries, installed separately or in avionics equipment aboard
aircraft, RTCA-DO-311 (or equivalent, as agreed with the Certifying Authority) must be used
as standard applicable to the chemical composition, cell size, cell construction, cell
interconnection methods within batteries, venting provisions, operational and storage
environments, packaging, handling, test, storage and disposal.

ER.1.3 Systems and

equipment

ER.1.3.1 The UAS must UL.21 The Applicant should substantiate that the design criteria are either derived from standard aerospace ME21 Design criteria (see
not have design features or practices or that novel design criteria are based on sound engineering principles. ME1)
details that experience has
As examples:
shown to be hazardous in
their intended application. - positive drainage of moisture should be provided wherever necessary (e.g. static pressure
measuring devices);
- drainage and venting should be provided where flammable fluid vapour may accumulate.

20
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

UL.22 See UL.65. ME22 Reserved

UL.23 Flight test experience must be accumulated before Type Certification, exploring the complete design ME23 Evidence of
usage spectrum as per UL.0, in order to provide a sufficient level of confidence to the Certifying Authority. accumulated flight test activity
and problem report tracking.
The flight test campaign plan must be provided to the Certifying Authority.
Any technical events that occur during this flight test experience must be reported, analyzed and
corrected when necessary.
Both the occurrences and their corrective actions must be made available to the Certifying Authority.

ER.1.3.2 The UAS, with UL.24 Equipment ME24 Evidence of the

those systems, equipment detailed requirement
UL24.1 All equipment required for type-certification or by operating rules must function properly within
and appliances required for deployment from high level
the design usage spectrum (UL.0), including icing conditions, if required.
type-certification, or by requirements to sub-systems
operating rules (e.g. under UL24.2 Equipment Specification and Declaration of Design and Performance (DDP) and to equipment
operational air traffic (OAT) - For all installed equipment the UAS manufacturer should approve its technical specifications.
and general air traffic (GAT)), specification, in order to assess compatibility with UAS higher-level requirements.
+ Collection of the DDPs.
must function as intended - All equipment should have a Declaration of Design and Performance (DDP)), or
under any foreseeable equivalent, released by its manufacturer and accepted by the UAS manufacturer showing
operating conditions, compliance with applicable specifications.
throughout and by a defined
margin beyond the UL24.3 The installation provisions, environment and the intended usage of all equipment must meet
all performance, operating and safety limitations to which the equipment is qualified (i.e. it
operational envelope of the
meets its specifications).
UAS, taking due account of
the system, equipment or UL24.4 The minimum necessary accuracy of each measuring device used to control UA trajectory and
appliance operating to acquire navigation data must be established by the UAS manufacturer and be compatible
environment. Other systems, with UA high-level requirements.
equipment and appliance not
required for type-certification, UL24.5 Each measuring device must be calibrated as necessary (e.g. airspeed sensors).
or by operating rules, UL24.6 Any equipment whose failure could lead to loss of functions or misleading data with hazardous
whether functioning properly or catastrophic effects on safety must have fault detection / fault isolation capabilities as agreed
or improperly, must not with the Certifying Authority.

21
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
reduce safety and must not A minimum essential set of Built-In-Test (BIT) performance should be included in the design.
adversely affect the proper For example:
functioning of any system,
equipment or appliance Air Vehicle
required for type-certification Computers Checksum
or by operating rules. Data Link Health
Systems, equipment and GPS Receiver Receiver failure indication from power-
appliances must be operable up, self-test or background BIT
without needing exceptional Motherboards Under-voltage
skill or strength. Temperature
UA faults and status information must be transmitted to the UCS/UCB for display to
the operator, when the link is available

UCS/UCB
Computers Checksum
Data Link Health
Motherboards Under-voltage
Temperature
UL.25 Each sub-system of the UA, UCS/UCB, Data-Link, Launch/Recovery equipment (where applicable) and ME25 Functional and
of any other system required for type-certification or by operating rules must function as intended within environmental tests.
the design usage spectrum in UL.0.
- Identify all functions of each sub-system.
- Characterize the operational environment of each sub-system.
- Perform all necessary functional tests at sub-system level.
- Perform all necessary environmental tests (e.g. vibration, humidity, EMC/HIRF, etc.).
- Show that the operation of any sub-system or item of installed equipment not required for type-
certification or by operating rules does not reduce safety and it is installed in a way that does not
adversely affect the proper functioning of those sub-systems or items of installed equipment
required for type-certification or by operating rules.
The test plans must be provided to the Certifying Authority. Test plans must include, but not limited to:
test objectives, applicable standards/specifications, test article description, test description, test
instrumentation, test condition, test acceptance criteria.

22
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

UL.26 Command and control data link subsystem ME26 Functional tests +
EMI/EMC test.
A UAS must include a command and control data link (such as a radio-frequency link) for control of the
UA with the following functions.
- transmittal of UA crew commands from the UCS/UCB to the UA (uplink), and
- transmittal of UA status data from the UA to the UCS/UCB (downlink). The UA status data must
include, to the appropriate extent, navigational information, response to UA crew commands, and
equipment operating parameters in accordance with UL.32.
UL26.1 The command and control data link must be electromagnetically compatible (EMC) with other
UCS/UCB and UA equipment, protected against electromagnetic interference (EMI).
UL26.2 Data link performance:
- the effective maximum range for the full range of operating altitudes must be determined
and provided to the operator in the operating manual;
- latencies must be determined and provided to the operator in the operating manuals as a
function of all relevant conditions; these latencies must not lead to an unsafe condition in
any FCS operating mode (including manual direct piloting conditions, where applicable);
- performing a transfer of the UA command and control from one data link channel to
another channel within the same UCS/UCB must not lead to an unsafe condition;
- minimum information to be provided to the UCS/UCB display is in UL.32;
- warning cues should be provided to alert the operator of detrimental degradation in data
link capabilities (e.g. approaching antenna masking attitudes where applicable,
approaching external interfering antennas, approaching maximum data link range, etc.)
in order to prevent potential total loss of the data link.
- The capacity of the data link must be determined to provide an acceptable safety margin
under the highest usage condition expected as determined by UL.30.

UL26.3 In case of data link loss, an automatic reacquisition process must try to re-establish the
command and control data link in a time period and with a flight behaviour agreed with the
Certifying Authority.
In case the reacquisition fails:
- a warning must alert the operator, and the Applicant must specify whether the alert will be
audible, visual, or both,
- the alert should sound/be displayed continuously until acknowledged and extinguished,

23
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
- a loss strategy must be established and agreed with the Certifying Authority. The data link
loss strategy must be provided to the operator in the operating manual.

UL.27 UCS/UCB ME27 Technical description

+ Functional tests + Human
UL27.1 The UCS/UCB must guarantee correct functioning of all functions necessary to safely
Machine Interface
accomplish all design missions under all conditions of the design usage spectrum in UL.0,
evaluations.
including the performance of emergency and recovery procedures.
UL27.2 The UCS/UCB must be able to display the minimum information required by UL.32.
UL27.3 UCS/UCB Human-Machine Interface aspects must be designed to facilitate the safe
accomplishment of the design missions under all the conditions of the design usage spectrum in
UL.0. Particular consideration must be given to the information layout, to the information
readability in all external lighting conditions, to aural signals (if applicable) and announcements.
The risks of controls interference and misuse of controls must be minimized.
UL27.4 A communication system should be provided, as agreed with the Certifying Authority, in order to
allow a two-way communication with the ATC.
UL27.5 The Data Recorder in the UCS/UCB and/or on the UA, if required, should comply with the
following:
a) all the data transmitted via the command and control data link is continuously recorded;
b) the same data as per UL.32 is recorded;
c) the storage capacity of the data recorder is compatible with recording the maximum duration
of flight for which the certification is requested;
d) there is an aural or visual means for pre-flight checking of the recorder for proper recording
of data in the storage medium;
e) a universal time reference signal is recorded. For instance, the GPS time signal can be used
for this purpose.
f) The data recorder is designed to prevent unauthorised or unintentional editing;

24
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
g) for UCS/UCB data recorders, the UCS/UCB provides a function that is able to read the data
recorder for post-flight operation;
h) if required, the recorder container mounted to the UA is:
(1) either bright orange or bright yellow;
(2) to have reflective tape affixed to its external surface to facilitate its location under
water; and
(3) to have an underwater locating device, when required by the operating rules, on or
adjacent to the container which is secured in such a manner that they are not likely
to be separated during crash impact; and
i) on board flight recorder has a means to automatically stop recording immediately after a
crash of the UA in order to avoid overwriting of data;
j) on board flight recorders comply with EUROCAE ED-112 or ETSO-C124a or any equivalent
standard, as approved by the Certifying Authority.
UL27.6 UCS/UCB electrical systems (when installed) must be:
- free from both internal and external hazards;
- designed to prevent electrical shock;
- designed to be protected against electrostatic, lightning and EME hazards.
UL27.7 The UCS/UCB power supply must be designed such that the operations in normal and failure
conditions shall not lead to an unsafe condition; the corresponding minimum UCS/UCB power
required must be stated in the UAS operating manual.

UL.28 Payload ME28 Evaluation of the

effects of payload normal
UL28.1 The payload equipment, whether functioning properly or improperly, must not adversely affect
functioning and failures on the
the safe flight and control of the UA.
other UA sub-systems.
UL28.2 The payload equipment must be electromagnetically compatible with other UAS components.
UL28.3 All potential hazards caused by the payload (including lasers) to crew, ground staff or third
parties must be assessed and minimized.

25
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

UL.29 Integration at UAS level ME29 The evidence given in

ME23 may be sufficient,
The UA, the UCB / UCS, the Data-Link, Launch/Recovery equipment (where applicable) and any other
except that the Certifying
system required for type-certification or by operating rules must function as intended when operated all
Authority may ask for
together.
additional evidence (e.g.
integration rig test report).

ER.1.3.3 The UAS, UL.30 A System Safety Assessment must be performed for the UAS (including all contributions coming from the ME30 Safety Assessment
equipment and associated UA, UCS/UCB, Data Link and any other equipment necessary to operate the UAS) and submitted to the Report
appliances, including the Certifying Authority, which includes but is not limited to:
control station, its data links
- the definition of a Hazard Reference System to be agreed with the Certifying Authority (see Annex G).
etc., considered separately
and in relation to each other, - A Functional Hazard Assessment (FHA) (see SAE ARP 4761 – “Guidelines and methods for
must be designed such that conducting the safety assessment process on civil airborne systems and Equipment” or similar civil or
any catastrophic failure military aviation standard).
condition does not result
- Based on failure conditions identified in FHA, Preliminary System Safety Assessment (PSSA) and
from a single failure not
System Safety Assessment (SSA) should be conducted to show that the implemented systems meet
shown to be extremely
their safety requirements (see SAE ARP 4761 – “Guidelines and methods for conducting the safety
improbable. An inverse
assessment process on civil airborne systems and Equipment” or similar civil or military aviation
relationship must exist
between the probability of a standard to be agreed with the Certifying Authority). The PSSA and SSA must take into account the
failure condition and the complexity of the UAS systems and be agreed with the Certifying Authority.
severity of its effect on the - A Failure Mode Effect and Criticality Analysis (see SAE ARP 4761 or similar civil or military aviation
UA, crew, ground-crew or standard).
other third parties. Due
allowance must be made for - A Fault Tree Analysis (see SAE ARP 4761 or similar civil or military aviation standard) for failure
the size and broad conditions of Catastrophic or Hazardous severity.
configuration of the UAS - Common Cause Analysis (CCA) (see SAE ARP 4761 or similar civil or military aviation standard). The
(including specific military CCA must take into account the complexity of the UAS systems and be agreed with the Certifying
systems and operations). Authority.
This may prevent this single
failure criterion from being The Safety Assessment must demonstrate compliance with the following.
met for some parts and some UL30.1 All credible hazards must be identified and their consequences determined. The associated
systems on helicopters, failure conditions must be determined and classified in accordance with UL.HRS.1.

26
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
small or single engine UL30.2 Each failure condition must meet the Hazard Reference System criteria in Annex G, as agreed
aeroplanes and uninhabited with the Certifying Authority. Failure conditions that do not comply with these criteria due to state
aerial vehicles (with no of the art technology and technological constraints shall be submitted to the Certifying Authority
persons onboard the aircraft, and may be accepted on a case by case basis, showing well proven methods for the design and
the airworthiness objective is construction and on the basis of appropriate justification (for instance through operational
primarily targeted at the restrictions, through a rationale considering UA weight and/or kinetic energy at impact, based
protection of people on the upon the risk to UAS crew, ground staff and third parties) and provided their number is reduced
ground). to the strict minimum.
UL30.3 The cumulative probability per flight hour of all catastrophic failure conditions (with all the
contribution of all UAS systems and sub-systems, including propulsion, navigation, data-link,
CS/UCB, etc.) must not be greater than the Hazard Reference System cumulative safety
requirement (UL.HRS.2) as agreed with the Certifying Authority.

UL.31 Software Development Assurance Levels ME31 The minimum

software life-cycle data to be
The software integrated in the UAS should perform intended functions with a level of confidence in safety
submitted to the Certifying
that complies with the following requirements.
Authority are:
UL31.1 A software safety program should provide software development assurance evidence of safe
- Software / Hardware
software engineering (e.g, RTCA/DO-178 for software and RTCA/DO-254 for firmware), and
architecture and DAL
analyze safe use within the context of hardware design (e.g, using guidelines in the US DoD
allocation
Joint Software System Safety Committee Software System Safety Handbook, MIL-STD-882,
and/or STANAG 4404). - Plan for Software Aspects
of Certification
UL31.2 The software life cycle assurance process agreed with the Certifying Authority should be
demonstrated with the approach defined in RTCA DO-178 / ED-12 “Software considerations in - Software Configuration
airborne systems and equipment certification”, for the process objectives and outputs by Index
software level. If equivalent standards are provided, a Plan for Software Airworthiness should be
- Software Accomplishment
provided and agreed with the Certifying Authority in order to present how the quoted standards
Summary
will be applied.
UL31.3 The Functional Development Assurance Level (FDAL) and Item Development Assurance Level
(IDAL) should be based upon contribution to potential failure conditions as determined in the
Safety Assessment Process described in UL.30. The FDAL allocation should follow the FDAL
Assignment with System Architecture Consideration process described in ARP4754:

27
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

DEVELOPMENT ASSURANCE LEVEL (NOTE 2)

TOP-LEVEL
FAILURE FUNCTIONAL FAILURE SETS WITH MULTIPLE
FUNCTIONAL
CONDITION MEMBERS
FAILURE SETS
CLASSIFICATION WITH A SINGLE Option 1
MEMBER Option 2
(NOTE 3)
FDAL B for one Member, FDAL C for two of the
additional Member(s) Members leading to top-
contributing to the top- level Failure Condition.
level Failure Condition at The other Members at
the level associated with the level associated with
FDAL B the most severe the most severe
Catastrophic individual effects of an individual effects of an
(Note 1) error in their error in their
development process for development process for
all applicable top-level all applicable top-level
Failure Conditions (but Failure Conditions (but
no lower than level D for no lower than level D for
the additional Members). the additional Members).
FDAL C for one Member,
additional Member(s)
contributing to the top-
level Failure Condition at
the level associated with
the most severe
Hazardous FDAL C individual effects of an See Note 4
error in their
development process for
all applicable top-level
Failure Conditions (but
no lower than level D for
the additional Members)

28
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
FDAL C for one Member, FDAL D for two of the
additional Member(s) Members leading to top-
contributing to the top- level Failure Condition.
level Failure Condition at The other Members at
the level associated with the level associated with
Major FDAL C the most severe the most severe
individual effects of an individual effects of an
error in their error in their
development process for development process for
all applicable top-level all applicable top-level
Failure Conditions. Failure Conditions
FDAL D for one Member, additional Member(s)
contributing to the top-level Failure Condition at the
Minor FDAL D level associated with the most severe individual
effects of an error in their development process for all
applicable top-level Failure Conditions.

No Safety Effect FDAL E FDAL E

NOTE 1: When a FFS has a single Member and the mitigation strategy for systematic errors is to
be FDAL B alone, then the applicant may be required to substantiate that the development process
for that Member has sufficient independent validation/verification activities, techniques and
completion criteria as agreed with the Certifying Authority to ensure that potential development
error(s) having a catastrophic effect have been removed or mitigated.
NOTE 2: It is necessary to stay in the same row no matter the number of functional decompositions
performed (e.g. for a Catastrophic Failure Condition any degree of decomposition from a top FDAL
B FFS should include at least one FDAL B or two FDAL C Members).
NOTE 3: If there is a large disparity on the numerical availability of the Members in the Functional
Failure Set, the higher level FDAL should generally be assigned to the higher availability Member.
NOTE 4: Exceptionally, FDAL D for two members leading to the top level failure conditions may be
accepted on a case by case basis, as agreed with the certifying authority. The applicant is

29
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
responsible for providing sufficient evidence to the certifying authority to demonstrate an equivalent
level of safety.

UL31.4 In case of new hardware development with use of a PLD (programmable logic device), the
development assurance level process should be agreed with the Certifying Authority by use of
a specific Special Condition.
UL31.5 The use of legacy software must be agreed with the Certifying Authority. The Applicant must
provide a cross reference comparison between the followed process objectives and the
objectives defined by RTCA DO-178, as agreed with the Certifying Authority. The Applicant must
provide an equivalent level of confidence of the legacy software used and the corresponding
level required as per UL31.3.

ER.1.3.4 Information UL.32 Depending on the UAS design features complexity, the Applicant must define and agree with the ME32 Description of the
needed for the safe conduct Certifying Authority the minimum information on the UA (e.g. dangerous areas warnings, basic minimum information
of the flight and information assembling indications), in the UCS/UCB (e.g. warnings, announcements, flight data, navigation displayed to the operator
concerning unsafe data, power-plant data, other sub-system data) and on any other equipment necessary to
conditions must be provided operate the UA (e.g. warnings on the antenna apparatus or on the battery charger) to be provided
to the crew, or maintenance to the UA operator and ground staff in order to allow the safe conduct of operations under the
personnel, as appropriate, in design usage spectrum in UL.0, including the management of the failure conditions which may
a clear, consistent and occur.
unambiguous manner.
UL32.1 The minimum flight and navigation data that should be displayed in the UCS/UCB at an update
Systems, equipment and
rate consistent with safe operation are:
controls, including signs and
announcements must be - indicated airspeed,
designed and located to - ground speed,
minimise errors which could - pressure altitude and related altimeter setting,
contribute to the creation of - heading,
hazards. - track,
- UA position on a map at a scale selectable by the operator, together with the deviation
between the planned ground track and the actual UA flight path (see also UL44.3),
- UA position relative to the LOS data link transmitter/receiver displayed in terms of range,
bearing and altitude,

30
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
- where semi-automatic flight control modes (e.g. altitude hold, heading hold, airspeed hold)
are activated, the commanded flight or navigation parameters sent to the UA must be
displayed,
- airspeed minimum and maximum limitations (see UL2.1) and corresponding speed warnings,
- UA attitude,
- vertical speed,
- navigation system status,
- g-meter (in order to avoid structural limit exceedances in manual direct piloting conditions,
where there are no other alternative means to avoid g exceedances).
UL32.2 The minimum propulsion system data that should be displayed in the UCS/UCB at an update
rate consistent with safe operation are:
- for reciprocating and turbine engines, information concerning the remaining usable fuel
quantity in each tank and the rate of fuel consumption should be provided to the operator,
- for electrical engines, the information concerning the remaining level of battery charge should
be provided to the operator,
- a means to indicate engine health status such as engine RPM, oil pressure and engine
cylinder head (for internal combustion engines) or exhaust gas (for turbine engines) or case
(for electrical engines) temperature, along with corresponding caution and warning alerts
when specified minimum and maximum limitations are being approached, reached, and/or
exceeded.
UL32.3 As a minimum, information concerning the Data Link system, the strength and integrity (i.e.
frame/bit error rate) of the uplink and downlink should be provided and continuously monitored
at a refresh rate consistent with safe operation.
UL32.4 The UCS/UCB should include an automatic diagnostic and monitoring capability for the status
of the UAS and all monitored subsystems and provide to the UA crew appropriate warning
indication, with the following colour codes.
- red, for warning information (information indicating a hazard which may require immediate
corrective action);
- amber, for caution information (information indicating the possible need for future corrective
action);
- green, for safe operation information.

31
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

UL.33 The necessary information must be displayed in UCS/UCB in a clear, consistent, unambiguous manner, ME33 Demonstration of
in such a way that a trained crew of average skill allowed to remotely control the UA is capable of effectiveness of the
managing any situation (both in normal functioning conditions and in failure conditions) which may occur information provided to a
under UL.0. This should be demonstrated with a representative trained crew of average skill by inspection, “minimum operator”
simulation and/or flight test.
The necessary information displayed in UCS/UCB must be visible under all lighting conditions.

UL.34 Depending on the complexity of the UAS, the Applicant must define, getting agreement by the Certifying ME34 Description of the
Authority, the minimum information to be provided on the UA, on the UCS/UCB and on any other minimum information to be
equipment necessary to operate the UAS to be given to the maintenance personnel in order to allow the provided to maintenance
safe conduct of servicing and maintenance operations. This minimum information has to be in accordance personnel
with the instructions for continued airworthiness for the UAS of paragraph UL 37.

ER.1.3.5 Design UL.35 External Threats ME35 Description of the

precautions must be taken to reasonably probable external
UL35.1 The behaviour of the UAS must be determined and demonstrated in all weather conditions as
minimise the hazards to the threats, the derived hazards,
defined in the design usage spectrum per UL.0 (including where applicable rain, hail, lightning,
UAS, crew or other third the design mitigations, the
cold weather, hot weather, sand and dust, HIRF, etc.) Design precautions and/or operating
parties from reasonably eventual operating limitations
limitations must be established in order to minimise hazards to the UAS, the operator or other
probable threats, both inside mitigations.
third parties.
and external to the UAS,
Verification of protection
including protecting against UL35.2 Any UAS equipment (including redundant equipment) performing functions whose failure could
measures used to minimize
the possibility of a significant lead to loss of functions or misleading data with hazardous or catastrophic effects on safety must
the hazards to the UAS, crew,
failure in, or disruption of, pass appropriate environmental tests (see UL.25). RTCA-DO-160D or MIL-STD-810F should be
ground staff or third parties
any UAS appliance. used as reference material for UAS equipment environmental tests.
from reasonably probable
UL35.3 Identify the hazards which may be created by simultaneous operation of more than one UA by threats, both inside and
the same UCS/UCB, or by handover of a UA between two UCS/UCB, and develop design external to the UAS
precautions and/or operating limitations in order to prevent occurrence(see UL.66 and UL.67).
UL35.4 Identify the hazards which may be created by simultaneous operation of more than one UA in
close proximity and develop design precautions and/or operating limitations in order to prevent
occurrence.
UL35.5 External lighting system requirements must be approved by the Certifying Authority and must be
consistent with the intended airspace and system usage.
UL35.6 Frangibility (for UA<=8lb)
32
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
If the UA is intended to be operated in operational scenario that pose at risk other
aircrafts/helicopters in flight, the UA and its components should be configured and constructed
such that, in the event of a mid-air collision with another aircraft/helicopter, the energy impacted
by the UA and its components is dissipated in a manner that minimizes damage to the other
aircraft. Particular attention should be given to the effect of traditionally dense and solid UA
components such as, but not necessarily limited to, batteries, payloads and motors and their
associated propeller assemblies during a collision.
UA frangibility design features may include one or more of the following:
(a) fracture points within UA airframe to aid dissipation of UA kinetic energy;
(b) incorporation of energy absorbing structure into the UA;
(c) distribution of high mass and high density components around the UA in a configuration
that will reduce the likelihood of a ‘train’ of high mass and high density components
impacting the same point during a collision;
(d) external shape that encourages deflection during a collision.

UL.36 Internal threats ME36 Description of the

reasonably probable internal
UL36.1 There must be design features adequate to prevent incorrect installation of equipment (e.g.
threats, the derived hazards,
installation in the wrong place or with the wrong orientation).
the design mitigations, the
UL36.2 It must be demonstrated that any risk of incorrect in-field structural assembling by the operator eventual operating limitations
(where applicable) has been reduced to the minimum by adequate mitigating solutions (e.g. mitigations.
appropriate joints design features, warnings labelled on the UA, pre-flight checks, etc.).
Human errors analysis.
UL36.3 The UAS should have (where applicable) design features which limit and segregate the
Zonal Hazard Analysis may
consequences of an equipment disruption or failure in order to reduce, to the maximum extent,
be required by the Certifying
its effects on UAS function and structural integrity.
Authority.
UL36.4 If not covered by other evidence, the Certifying Authority may deem necessary to require, in
EMRADHAZ test and/or
addition to the safety analysis per UL.30, a Hazard Zonal Analysis to cover hazards derived from
analysis report.
installation aspects.
UL36.5 Considering the UA operator as an element internal to the system, all foreseeable hazards which
may arise from human errors when operating the UA in all FCS operating modes, under all

33
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
operational environmental conditions (as per UL.0), with normal functioning performances, must
be identified and mitigated to a level acceptable to the Certifying Authority.
UL36.6 Foreseeable hazards which may arise from operating the UAS with degraded performance in
condition of failure, including the risks associated to human errors, must be identified and
mitigated to a level acceptable to the Certifying Authority.
UL36.7 Electromagnetic radiation hazards (EMRADHAZ): the system design must protect personnel,
fuels (where applicable), and ordnance (where applicable) from hazardous effects of
electromagnetic radiation. MIL-STD-464A may be used as a reference.
UL36.7.1 Hazards of electromagnetic radiation to personnel (HERP): personnel must not be
exposed to an electromagnetic field whose energy exceeds the permissible exposure
limits specified in approved current standards (e.g. US-DoD policy 6055.11, EU-
ICNIRP).
UL36.7.2 A minimum safe distance from the data link antenna must be established and the
value provided to the UA operator (mandatory information must be given in the flight
manual; safe distance should be labelled on the antenna apparatus, where possible).

ER.1.4 Continued
airworthiness of the UAS

ER.1.4.1 Instructions for UL.37 Identify and provide the instructions for continued airworthiness for the UAS which must include the ME37 Instructions for
continued airworthiness information essential to the continued airworthiness of the UAS. continued airworthiness are
must be established to given in the form of a manual
In particular, provide instructions for continued airworthiness of the UA structure, engine, propeller and
ensure that the UAS type or manuals, as appropriate for
any subsystem for which inspection, substitution (e.g. life limited parts), adjustment, lubrication are
certification airworthiness the quantity of data to be
required. Information must be given to cover for:
standard is maintained provided.
throughout the operational UL37.1 UAS maintenance schedules and instructions, as well as instructions for unscheduled
The format of the manual or
life of the UAS. maintenance (to include system and subsystem overhaul and refurbishment schedules),
manuals must be agreed with
UL37.2 UAS repair and replace instructions, the Certifying Authority and
may differ according to
UL37.3 UAS troubleshooting information, National Regulations.
UL37.4 UA structural inspection intervals and procedures, Appropriate labelling on the
UL37.5 UAS servicing information, UA may be necessary.

34
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
UL37.6 UA assembling and disassembling instructions (where applicable as for Micro UA).
UL37.7 For UAS which are required to be assembled before being operated, pre-flight and/or post-flight
structural integrity checks (and any mandated tool requirements) must be prescribed.

ER.1.4.2 Means must be UL.38 Means must be provided to allow inspection, adjustment, lubrication, removal or replacement of parts and ME38 Description of the
provided to allow inspection, appliances as necessary for continued airworthiness. means provided to allow
adjustment, lubrication, continued airworthiness
removal or replacement of implementation.
parts and appliances as
necessary for continued
airworthiness.

ER.1.4.3 The instructions See UL.37 and ME37.

for continued airworthiness
must be in a format
appropriate for the quantity of
data to be provided (e.g.
paper or electronic). The
instructions must cover
maintenance and repair
instructions, servicing
information, trouble-shooting
and inspection procedures.

ER.1.4.4 The instructions UL.39 A specific section called “Airworthiness Limitations“ should be clearly distinguishable in the applicable ME39 Section called
for continued airworthiness manuals, containing prescriptions for each mandatory replacement time, inspection interval and related “Airworthiness Limitations“ in
must contain airworthiness inspection procedure. the manual or manuals as per
limitations that set forth each ME37.
mandatory replacement time,
inspection interval and
related inspection procedure.

35
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

ER.2 Airworthiness
aspects of system
operation

ER.2.1 The following See the following.

must be shown to have been
addressed to ensure a
satisfactory level of safety for
those on the ground during
the operation of the system:

ER.2.1.1 The kinds of Structure, engine, propeller, and general UA sub-system integrity within the limitations identified in design usage
operation for which the UAS spectrum of UL.0 has been previously demonstrated. Only the aspects deriving from the UA flight characteristics
is approved must be are hereby addressed.
established and limitations NOTE
and information necessary
The performances in the following paragraphs should be determined as “minimum
for safe operation, including
values” at the most severe conditions according to the design usage spectrum in
environmental limitations
UL.0, considering mass and balance, environmental conditions, wind, etc.
and performance, must be
established.
UL.40 Kinds of operation: ME40 Justification of the
airspace classes in which the
UL40.1. Identify the airspace classes for which the UA may be authorized, taking into account the UAS
UA may be authorized to fly
design features.
and platforms other than land
UL40.2. All platforms, both stationary and moving, from which UA operations will be conducted, to include from which operations may be
launch, command and control and recovery, must be considered and incorporated in the UAS conducted.
design to ensure required levels of safety and airworthiness are maintained.

UL.41 Stalling speeds ME41 Flight test and

analysis report.
UL41.1 Wing level stalling speeds at all relevant aerodynamic configurations must be determined for the
most appropriate combination of weight and CG either by analysis (as agreed with the Certifying
Authority) or by flight test (at a rate of speed decrease of 1knot/s or less and closed throttle).

36
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
UL41.2 If the stalling speeds are not demonstrated by flight test, a “minimum demonstration speed”
[VminDEMO] must be demonstrated in flight, sufficiently below the minimum operational speed [VC-
min].

UL41.3 If stall is used as a means to recover or land the UA, the stall speeds must be demonstrated by
flight test.
UL41.4 Stalling speeds must be provided to the operator, when necessary to avoid undesirable
conditions as agreed with the Certifying Authority.

UL.42 Take-off / launch ME42 Flight Test and

analysis report.
UL42.1 It must be shown that the take-off / launch sequence is a reliable, repeatable and predictable
safe operation, for each weight, altitude, temperature, and wind conditions, within the operational
limits in UL.0.
UL42.2 A take-off safety trace must be determined as the area (associated with a UA conventional take-
off or launch by catapult or by hand) in which there may be a hazard which could result in an
unacceptable risk to UAS crew, ground staff or third parties. Winds, navigational accuracies,
communication latencies, etc. must be considered in the establishment of the take-off safety
trace.
UL42.3 For conventional take-off procedures, with the UA at MTOW and full throttle, the following must
be measured:
- ground roll distance to take-off on a runaway with minimal grade,
- distance to clear a 15m (50 ft) obstacle,
- speed at 15m (50 ft) height greater than the stalling speed by a defined margin to be agreed
with the Certifying Authority (e.g. 1.2 VS),
- rotation speed (speed at which the UA crew or the flight control system makes a control
input with the intention of lifting the UA out of contact with the runway) such that the required
50 ft obstacle climb speed is obtained.
UL42.4 For catapult assist or hand launch the UA must remain in a stable and controllable condition
throughout the launch phase and during the transition to normal flight conditions.
UL42.5 For catapult assisted UAS, with the UA at MTOW, safe take-off procedures and UA/catapult
settings must be determined and the following must be measured:
- distance to clear a 15 m (50 ft) obstacle,

37
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
- speed at 15m (50 ft) height greater than the stalling speed by a defined margin to be agreed
with the Certifying Authority (e.g. 1.2 VS),
- end of catapult airspeed such that the required 50 ft obstacle climb speed is obtained.
UL42.6 For hand launch UAS, with the UA at MTOW, safe take-off procedures and settings must be
determined and the following must be measured:
- distance to clear a 15 m (50 ft) obstacle,
- speed at 15m (50 ft) height greater than the stalling speed by a defined margin to be agreed
with the Certifying Authority (e.g. 1.2 VS).
Due account should be taken of the variability of force and launch angle in hand launches.

UL42.7 When an automatic take-off system is provided,

- it must not cause unsafe sustained oscillations or undue attitude changes or control activity
as a result of configuration or power changes or any other disturbance to be expected in
normal operation;
- where a UAS is designed for conventional take-off on a runway, it should incorporate a
manual abort function, easily accessible to the UA operator in order to stop the UA on the
runway during the take-off run at every speed up a pre-determined maximum abort speed.
UL42.8 Take-off/launch procedures and performance must be provided to the UA operator in the flight
manual.

UL.43 Climb and descent ME43 Flight Test and

analysis report.
UL43.1 The ISA sea level rate of climb at Vy (speed for best rate of climb) should be at least 1.5 m/s with
no more than take-off power, at MTOW, retracted landing gear (where applicable), wing flaps in
take-off position (where applicable).
UL43.2 The ISA sea level gradient of climb at Vx (speed for best angle of climb) must be determined with
no more than take-off power, at MTOW, retracted landing gear (where applicable), wing flaps in
take-off position (where applicable).
UL43.3 The climb performances at Vx and Vy must be provided to the operator in the flight manual.
UL43.4 The climb performances for flaps retracted (if applicable) at maximum continuous power for the
UL.0 usage envelope airspeeds and altitudes must be provided to the operator in the flight
manual.

38
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

UL.44 Navigation accuracy ME44 Flight Test report.

UL44.1 Navigation accuracy must be agreed with the Certifying Authority and verified by flight test in all
the UA operational modes, in terms of maximum error from an established waypoint on ground,
altitude and speed.
UL44.2 The information about the worst possible navigation accuracy must be provided to the UA
operator in the flight manual.
UL44.3 Where automatic or semi-automatic FCS modes are activated, a flight-path deviation warning
must be displayed and the appropriate procedure established (see ER.2.1.5) when excessive
deviation (as agreed with the Certifying Authority) from the pre-programmed flight-path occurs.

UL.45 Glide ME45 Flight Test and

analysis report.
UL45.1 The maximum horizontal distance travelled in still air, in nautical miles per 1,000 ft of altitude lost
in a glide, the speed necessary to achieve this and the glide time must be determined with the
engine inoperative and its propeller in the minimum drag position, landing gear and wing flaps in
the most favourable available position
UL45.2 The glide performances and instructions to achieve the best glide range must be provided to the
UA operator in the flight manual.

UL.46 Landing ME46 Flight Test and

analysis report.
UL46.1 It must be shown that the landing sequence is a reliable, repeatable and predictable safe
operation.
UL46.2 A landing safety trace must be determined as the area (associated with a UA conventional,
arrested, parachute or stalling landing), in which there may be a hazard which could result in a
risk to personnel, third parties, equipment and/or property. Winds, navigational accuracies,
communication latencies, etc. must be considered in the establishment of the landing safety
trace.
UL46.3 Conventional landing:
- a safe landing speed and a safe gradient of descent must be determined with sufficient
margin above stalling speed in landing configuration;

39
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
- the horizontal distance necessary to land and come to a complete stop from a point 15 m
(50 ft) above the landing surface must be determined;
- minimum safe balked landing height must be determined together with the corresponding
gradient of climb.
UL46.4 Recovery with parachute:
- a minimum parachute safety height must be determined and provided to the operator;
- the normal landing under parachute must be made without excessive vertical acceleration
or tendency to bounce, nose over, ground loop or porpoise,
- the landing accuracy must be determined.
UL46.5 Recovery by arrestment
- a safe landing speed and a safe gradient of descent must be determined with sufficient
margin above stalling speed in landing configuration;
- the landing accuracy must be determined
- for automatic recoveries, a predefined go-around feature should be incorporated into the
UAS design such that, when conditions established to promote safe and successful
recovery cannot be achieved, the UAS commands the UA to go-around.
- the recovery rate performance (defined as the statistical percentage of successful
recoveries of the UA to its recovery device while operating under all established operational
and environmental envelopes) must be determined and provided.
UL46.6 When normal recovery is done by stalling the UA, the landing accuracy must be determined.
UL46.7 When an automatic landing system is provided,
- it must not cause unsafe sustained oscillations or undue attitude changes or control activity
as a result of configuration or power changes or any other disturbance to be expected in
normal operation;
- where a UAS is designed for conventional landing on a runway, it should incorporate a
manual abort function, easily accessible to the UA operator in order to initiate a go-around
procedure during the landing phase at every height down to a pre-determined decision
point. Specific go-around procedures must be provided in the UAS flight manual (where
applicable).
UL46.8 Landing procedures and performances must be provided to the operator in the flight manual.

UL.47 Controllability and Manoeuvrability ME47 Flight Test Report.

40
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
UL47.1 The Flight Control System (including sensors, actuators, computers and all those elements
ER.2.1.2 The UA must be
necessary to control the attitude, speed and trajectory of the UA) should be designed to provide
safely controllable and
UA control in the following operational modes:
manoeuvrable under all
anticipated operating - Automatic: the UA attitude, speed and flight path are fully controlled by the flight control
conditions and, where system. No input from the UCS/UCB is needed other than to load or modify the required
applicable, up to the flight plan.
activation of the recovery - Semi-automatic: the UA operator commands outer loop parameters such as altitude,
system. Due account must heading and air speed. The flight control system operates the UA controls to achieve the
be taken of UCS/UCB commanded outer loop parameter value.
environment, UA Operator - Manual direct piloting mode: the UA operator directly commands UA controls. This control
workload and other human- mode may be limited to some flight phases (e.g. take-off and landing) or emergency
factor considerations and of conditions, as agreed with the Certifying Authority.
the phase of flight and its
UL47.2 There must be a clear unambiguous means in the UCS/UCB to indicate to the UA operator the
duration.
active mode of control of the FCS.
UL47.3 The UA must be safely controllable and manoeuvrable in all FCS operating modes and in manual
direct piloting mode (where applicable), in the most severe operating conditions as per UL.0,
during all flight phases including
- take-off;
- climb;
- level flight, including mission relevant special manoeuvres;
- descent;
- go-around (except where UA is designed to be recovered by parachute);
- landing (power on and power off) with the wing flaps extended and retracted (except where
UA is designed to be recovered by parachute);
- ground taxi and arresting (with maximum allowable crosswind component).
UL47.4 The UA flight mechanics behaviour when it encounters the gust as per UL5.3 must be
characterized and potential limitations (taking due account of the design usage spectrum as per
UL.0) established where applicable and documented in operating manuals. Potential stalling
condition due to gust and FCS recovery capabilities must be taken into account when applicable.

UL.48 Trim ME48 Flight Test Report.

41
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
The Flight Control System (FCS) must trim the UA in such a manner that a maximum of control remains
and that dynamic characteristics and safety margins are not compromised.

UL.49 Minimum Control Speed (for multi engine configurations that are capable of safe flight with one engine ME49 Flight Test Report.
inoperative) Model based analysis may be
deemed sufficient by the
- The Minimum Control Speed must be determined as the airspeed at which, when the critical engine
Certifying Authority.
is suddenly made inoperative, it is possible to maintain control of the UA, with that engine still
inoperative, and thereafter maintain straight flight at the same speed with an appropriate angle of
bank. The method used to simulate critical engine failure must represent the most critical mode of
power plant failure and most critical configuration with respect to controllability expected in service.
- The Minimum Control Speed must be provided to the operator.
- The Minimum Control Speed for take-off must not exceed a fixed margin above the stalling speed
agreed with the Certifying Authority.

UL.50 Stability (see Annex H for additional guidance) ME50 Model analysis and
flight test.
UL50.1 The UA in all its operating modes, both augmented by the FCS and in manual direct piloting
conditions (where applicable), including the effects of sensor and computational errors and
delays, must be longitudinally, directionally and laterally stable in any condition normally
encountered in service, at any combination of weight and centre of gravity for which certification
is requested.
UL50.2 Transient response in all axes during transition between different flight conditions and FCS flight
modes must be smooth, convergent, and exhibit damping characteristics with minimal overshoot
of the intended flight path.
UL50.3 In addition to data obtained by computation or modelling, stability analysis must be supported by
the results of relevant flight tests.
UL50.4 Stability also must be assessed in manual direct piloting conditions (where applicable), taking
due account of data-link latencies.
UL50.5 Pilot (UA Operator) induced oscillation (PIO) tendencies must be safe, with particular
consideration to manual direct piloting conditions flight characteristics (where applicable).

42
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

UL.51 A qualitative evaluation of the UA Operator workload and degree of difficulty in all FCS operating modes ME51 Flight Test Report
including manual direct piloting (where applicable) and in all flight phases (e.g. launching strength) should including workload
be done in order to demonstrate that the probability of piloting errors is reduced to the minimum. assessment.
Workloads in emergency conditions and in case of possible de-conflicting manoeuvres should also be
evaluated.
Note - Depending on the UAS design features complexity, the Certifying Authority may issue
recommendations concerning UA Operator training syllabus as necessary.

ER.2.1.3 It must be UL.52 It must be possible to make a smooth transition from one flight phase and/or condition to another ME52 Flight Test Report.
possible to make smooth (including turns and slips) without danger of exceeding the limit load factor, under any probable operating
transition(s) from one flight condition, (including, for multi-engine UA, those conditions normally encountered in the sudden failure of
phase to another without any engine).
requiring exceptional piloting
Where applicable, consideration must be given to the transition from launch phase and normal flight
skill, alertness or workload
condition, as well as the transition from normal flight condition to recovery phase.
under any probable operating
condition.
N/A
ER.2.1.4 The UA must
have handling qualities that [It concentrates on handling qualities effects on UA Operator controls; it is assumed that there is no
ensures the demands made artificial feedback on the controls in direct mode piloting condition.
on the UA Operator are not
In ER 2.1.2 due account has already been taken of UCSUCB environment, UA Operator workload and
excessive taking into account
other human-factor considerations].
the phase of flight and its
duration.

ER.2.1.5 Procedures for UL.53 Emergency recovery capability ME53 Technical description
normal operations, failure
UL53.1 The UAS must integrate an emergency recovery capability that consists of:
and emergency conditions
must be established. - a flight termination system, procedure or function that aims to immediately end normal flight,
or,
- an emergency recovery procedure that is implemented through UA crew command or
through the execution of a predefined course of events in order to mitigate the effects of
critical failures with the intent of minimising the risk to third parties, or,

43
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
- any combination of the previous two options.
UL53.2 The emergency recovery capability must function as desired over the whole flight envelope
under the most adverse combination of environmental conditions.
UL53.3 The emergency recovery capability must be safeguarded from interference leading to
inadvertent operation.

UL.54 Conflict Avoidance Manoeuvres ME54 Flight Test Report

Possible conflict avoidance manoeuvres should be investigated according to the UA manoeuvrability and
identified in order to minimize the risk of in-flight collision.

UL.55 Engine shut down procedure ME55 Technical description

In the event of an engine failure that causes loss of thrust, an appropriate procedure must be defined and
provided in the flight manual; the following apply.
UL55.1 The UA must be designed to retain sufficient control and manoeuvrability until it has reached a
forced landing area.
UL55.2 The emergency electrical power must be designed in such a way that its reliability and duration
are compatible with UL55.1. The time period needed to perform a glide from maximum
certificated altitude to sea level (ISA conditions) and reach a forced landing area includes the
time needed for the UA crew to recognise the failure and to take appropriate action, if required.
UL55.3 The engine shut down procedure must be analysed considering the existence of the emergency
recovery capability specified in UL.53.

UL.56 The Flight Manual provided to the UA operator must clearly and unambiguously define all the ME56 Flight Manual
- operating procedures, and
- operating limitations, and
- performance information,
for
- normal operations, and

44
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
- failure conditions and emergency conditions. Where the emergency recovery capability includes a
pre-programmed course of action to reach a predefined site where it can be reasonably expected
that fatality will not occur, the dimensions of such areas must be stated in the UAS Flight Manual,
- possible conflict avoidance manoeuvres.

ER.2.1.6 Warnings, or UL.57 The UAS should be designed so that: ME57 Technical description
other deterrents intended to of UA flight envelope
UL57.1 in automatic or semi-automatic operating modes, the UA should be automatically protected from
prevent exceeding the protection design features
stalling (except in auto-landing modes in which stall is the design means to land the UA);
normal flight envelope, must
be provided, as appropriate UL57.2 in manual direct piloting mode (where applicable) a stall warning should alert the operator when
to type. approaching stalling conditions and should include a sufficient safety margin;
UL57.3 in automatic or semi-automatic operating modes, the UA should be inherently incapable of
spinning, due to FCS flight envelope protection or any other means;
UL57.4 in manual direct piloting mode (where applicable), if the UA is capable of spinning, sufficient
information should be given to the operator in order to prevent unintentionally entering into this
condition;
UL57.5 in automatic or semi-automatic operating modes, the UA should remain within a flight envelope
sufficiently protected by the FCS in order to avoid any unsafe condition (see UL.58);
UL57.6 in manual direct piloting mode (where applicable), the operator should be alerted with sufficient
margin when approaching any unsafe condition.

UL.58 Flight Envelope Protection (where applicable) ME58 Technical description

of UA flight envelope
UL58.1 Flight envelope protection must be implemented in the flight control system as follows.
protection design features +
- Characteristics of each envelope protection feature must be smooth, appropriate to the model simulation analysis +
phase of flight and type of manoeuvre. flight test report
- Limit values of protected flight parameters must be compatible with:
- UA structural limits,
- required safe and controllable manoeuvring of the UA,
- margin to catastrophic failure conditions.
- The minimum speed allowed by the flight control system must be compatible with the
margin specified in UL41.2.
- The UA must respond to intentional dynamic manoeuvring within a suitable range of
parameter limit.
45
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
- Dynamic characteristics such as damping and overshoot must also be appropriate for the
manoeuvre and limit parameter concerned.
- Characteristics of the flight control system must not result in residual oscillations in
commanded output due to combinations of flight envelope protection limits and any other
flight control internal limit.
UL58.2 When simultaneous envelope protection limits are engaged, adverse coupling or adverse priority
must not result.
UL58.3 The Applicant must define clearly the borders and prioritization within the control system of the
flight envelope protection maintained by the flight control system.

ER.2.1.7 The UL.59 A safe return from the extremes of the flight envelope that may be encountered in all operating modes ME59 Flight Test Report.
characteristics of the UA and must be demonstrated by simulation and it should be demonstrated in flight.
its systems must allow a safe
return from extremes of the
flight envelope that may be
encountered.

ER.2.2 The operating The information needed for the safe conduct of the flight and information concerning unsafe conditions are
limitations and other displayed in the UCS/UCB as per UL.32 and UL.33.
information necessary for
UL.60 The Flight Manual provided to the UA operator must clearly and unambiguously define all the operating ME60 Flight Manual
safe operation must be made
limitations and other information necessary for safe operation (see also UL.56).
available to the crew
members.

ER.2.3 System See UL.35 and UL.36.

operations must be protected
from hazards resulting from
adverse external and internal In particular, environmental tests are required by UL35.2.
conditions, including
Consideration to bird-strike is given in UL.13.
environmental conditions.

ER.2.3.1 In particular,
account must be taken of the
exposure to phenomena
such as, but not limited to,
46
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
adverse weather, lightning,
bird strike, high frequency
radiated fields, ozone, etc.,
expected to occur during
system operation.

ER.2.3.2 Where N/A

applicable, cabin
For the UCS/UCB see also UL.27 and UL.30.
compartments must provide
passengers with suitable
transport conditions and
adequate protection from any
expected hazard arising in
flight operations or resulting
in emergency situations,
including fire, smoke, toxic
gases and rapid
decompression hazards.
Provisions must be made to
give occupants every
reasonable chance of
avoiding serious injury and
quickly evacuating the
aircraft and to protect them
from the effect of the
deceleration forces in the
event of an emergency
landing on land or water.
Clear and unambiguous
signs or announcements
must be provided, as
necessary, to instruct
occupants in appropriate
safe behaviour and the
location and correct use of
safety equipment. Required

47
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
safety equipment must be
readily accessible.

ER.2.3.3 Crew For UCS/UCB, see UL.27, UL.32, UL.33.

compartments must be
In particular human-machine interface aspects are covered by UL27.3.
arranged in order to facilitate
flight operations, including
means providing situational
awareness, and
management of any
expected situation and
emergencies. The
environment of crew
compartments must not
jeopardise the crew's ability
to perform their tasks and its
design must be such as to
avoid interference during
operation and misuse of the
controls.

ER.3 Organisations
(It includes natural persons
undertaking design,
manufacture or
maintenance)

ER.3.1 Organisations
involved in design (including
flight test), production
(manufacture) or
maintenance activities must
satisfy the following
conditions:

48
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

ER.3.1.1 The UL.61 The Applicant should ensure certification as per AS/EN 9100 for undertaking Light UAS design and ME61 Approved AS/EN
organisation must have all production activities and the documented statement of the quality policy should explicitly include system 9100 Certificate or equivalent.
the means necessary for the safety as one of the main objectives: this should give a minimum confidence that safety management is
scope of work. These means implemented and that safety-related work is undertaken by competent individuals, in adequate facilities,
comprise, but are not limited with adequate tools, material, procedures and data.
to the following: facilities,
personnel, equipment, tools
and material, documentation
of tasks, responsibilities and
procedures, access to
relevant data and record-
keeping.

ER.3.1.2 The UL.62 The Applicant must ensure implementation, documentation, operation and maintenance of an auditable ME62 The minimum
organisation must implement Safety Management System. evidence to comply with this
and maintain a management requirement is a Safety
Safety must be considered from the earliest stage in a programme and used to influence all activities
system to ensure compliance Management Plan, which is a
from the concept of requirements definition, the development phase, production, operation, etc., until
with these essential significant document that
disposal.
requirements for provides a basis on which to
airworthiness, and aim for Safety management should be integrated into a Systems Engineering approach that gives due achieve trust in the
continuous improvement of consideration to safety alongside related issues. effectiveness of the Safety
this system. Management System.
The Applicant must submit to the Certifying Authority a Safety Management Plan which details the
specific actions and arrangements required to operate the Safety Management System and define safety Guidelines on information to
milestones for the project. It must provide the link between safety requirements and general be included in the Safety
management processes for the project, to ensure that safety is achieved and maintained for the complete Management Plan are
UAS life cycle. provided in Annex I.
The Certifying Authority may audit the Safety Management System at its discretion.

UL.63 The aim for continuous improvement must be verified when assessing the Company management ME63 Approved AS/EN
system. Normally it is covered under AS/EN 9100. Additional confidence may be obtained by complying 9100 certificate + ISO 9004 or
with ISO 9004 [“Quality Management – Quality of an organization – Guidance to achieve sustainable equivalent
success”].

49
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS

ER.3.1.3 The UL.64 The organisation must establish an interface with other relevant organisations, as necessary, to ensure ME64 The Safety
organisation must establish continuing compliance with these essential requirements for airworthiness. Management Plan (see
arrangements with other Annex I).
relevant organisations, as
necessary, to ensure
continuing compliance with
these essential requirements
for airworthiness.

ER.3.1.4 The UL.65 The organisation must establish an occurrence reporting and/or handling system, which must be used ME65 The Safety
organisation must establish by the management system under point ER.3.1.2 and the arrangements under point ER.3.1.3, in order Management Plan (see
an occurrence reporting to contribute to the aim of continuous improvement of the safety of systems (“continued airworthiness of Annex I)
and/or handling system, the type design”). The reporting system should include interaction with other relevant organisations to
which must be used by the ensure the continued airworthiness of the type design including for example Airworthiness Directives,
management system under post incident recommendations, service bulletins and technical instructions.
point ER.3.1.2 and the
arrangements under point
ER.3.1.3, in order to
contribute to the aim of
continuous improvement of
the safety of systems
(“continued airworthiness of
the type design”).

ER.3.2 In the case of N/A

maintenance training
organisations, the conditions
under points 3.1.3 and 3.1.4
do not apply.

ER.3.3 UA UL.66 Where the UAS is designed for UA handover between two UCS/UCB: ME66 Technical description
HANDOVER + Flight test report
UL66.1 The in-control UCS/UCB must be clearly identified to all UA operators.
(where applicable)
UL66.2 Positive control must be maintained during handover.

50
Edition C Version 1

\r
 AEP-83
AIRWORTHINESS DETAILED ARGUMENTS MEANS OF EVIDENCE
ESSENTIAL
REQUIREMENTS
UL66.3 The command and control functions that are transferred during handover must be approved by
the Certifying Authority and defined in the UAS Flight Manual.
UL66.4 Handover between two UCS/UCB must not lead to unsafe conditions.
UL66.5 The in-control UCS/UCB must have the required functionality to accommodate emergency
situations

UL.67 Where a UCS/UCB is designed to command and control multiple UA: ME67 Technical description
+ Flight test report
UL67.1 The minimum UAS crew must be established so that it is sufficient for safe operation of each UA
and emergency condition.
UL67.2 The UA data must be displayed in the UCS/UCB in a manner that prevents confusion and
inadvertent operation.
UL67.3 The UA controls must be available to the UA crew for each UA of which it has command and
control, in a manner that prevents confusion and inadvertent operation.
UL67.4 All indicators and warnings must be available to the UA crew for each UA, in a manner that
prevents confusion and inadvertent operation

UL.68 Where the UCS has more than one workstation designed for controlling the UA: ME68 Technical description
+ Flight test report
UL68.1 The in-control workstation must be clearly identified to all UA crew members.
UL68.2 Positive control must be maintained during handover.
UL68.3 The command and control functions that are transferred during handover must be approved
by the Certifying Authority and defined in the UAS Flight Manual.
UL68.4 Handover within the same UA UCS must not lead to unsafe conditions.
UL68.5 The in-control workstation must have the required functionality to accommodate emergency
situations.

UL.69 Where the UCS/UCB is designed to monitor multiple UA, there must be a means to clearly indicate to ME69 Technical description
the UAS crew the UA over which it has command and control. + Flight test report

51
Edition C Version 1

\r
 AEP-83

INTENTIONALLY BLANK

52
Edition C Version 1

\r
 Annex A to
AEP-83

TERMS AND DEFINITIONS

A1 Acronyms and abbreviations

A.2. Terms and definitions

A.1. Acronyms and Abbreviations.

The following acronyms are used for the purpose of this agreement.
ARP Aerospace Recommended Practices
ATC Air Traffic Control
BIT Built in Test
CCA Common Cause Analysis
CG Centre of Gravity
DAL Development Assurance Level
DDP Declaration of Design and Performance
EMC Electromagnetic Compatibility
EME Electromagnetic Emission
EMI Electromagnetic Interference
EMRADHAZ Hazards of Electromagnetic Radiation to Personnel
EMV Electromagnetic Vulnerability
FCS Flight Control System

FCS Flight Control System

FDAL Functional Development Assurance Level
GAT General Air Traffic
GPS Global Positioning System
h Hour
HIRF High Intensity Radio Frequency
HW Hot Wet
IDAL Item Development Assurance Level
LOS Line of Sight
MTOW Maximum Take-Off Weight
NATO North Atlantic Treaty Organization
OAT Operational Air Traffic
PIO Pilot Induced Oscillation
PLD Programmable Logic Device
PSE Primary Structural Elements
PSSA Preliminary System Safety Assessment
RPM Revolutions per Minute
A-1
Edition C Version 1

\r
 Annex A to
AEP-83
RTD Room Temperature Dry
SSA System Safety Analysis
STANAG (NATO) Standard Agreement
UA Unmanned Aircraft
UAS Unmanned Aircraft System.
UCS / UCB UA Control Station / UA Control Box
VC Design cruise speed – it is the design operational speed
VC-max Maximum cruise speed – it is the maximum operational speed

VC-min Minimum cruise speed – it is the minimum operational speed

VD Dive speed – it is the maximum design speed
VminDEMO Minimum demonstration speed
VS Stalling speed
Vx Speed for best angle of climb
Vy Speed for best rate of climb

A.2. Terms and Definitions

The following terms and definitions are used for the purpose of this agreement.
Applicant The entity applying for the Type Certificate
Automatic The execution of a predefined process or event that requires UAS
crew initiation
Continued Airworthiness All tasks to be carried-out to verify that the conditions under which a
type-certificate or a supplemental type-certificate has been granted
continue to be fulfilled at any time during its period of validity.
Continuing Airworthiness All of the processes ensuring that, at any time in its operating life, the
UAS complies with the airworthiness requirements in force and is in a
condition for safe operation
Data link Wireless communication channel between one or more UCS/UCB and
one or more UA, or between multiple UAS. Its utility may include but
is not limited to exchange of command & control or payload data. A
data link may consist of:
• Uplink - Transmittal of UAS crew commands from the UCS/UCB to
the UA.
• Downlink - Transmittal of UA status data from the UA to the
UCS/UCB.
Effective maximum Measure of data link coverage over a horizontal distance that is a
range function of frequency, availability, bit error rate, climate area and
altitude.
Electromagnetic Ability of equipment or a system to function in its electromagnetic
Compatibility EMC environment without causing intolerable electromagnetic disturbances
to anything in that environment.

A-2
Edition C Version 1

\r
 Annex A to
AEP-83
Electromagnetic The totality of electromagnetic phenomena existing at a given location.
Environment EME
Electromagnetic Any electromagnetic disturbance, whether intentional or not, which
Interference EMI interrupts, obstructs, or otherwise degrades or limits the effective
performance of electronic or electrical equipment.
Emergency recovery Procedure that is implemented by UAS crew command or by means
capability of autonomous design in order to mitigate the effects of critical failures
with the intent of minimizing the risk to third parties. This may include
automatic pre-programmed course of action to reach a predefined and
unpopulated forced landing or recovery area.
Emergency landing Exceptional landing condition that could lead to a severe level
constraint on the structure.
Failure conditions A condition having an effect on the UAS, UAS crew, ground staff
and/or third parties, either direct or consequential, which is caused or
contributed to by one or more failures or errors considering flight
phase and relevant adverse operational or environmental conditions
or external events.
Fire-resistant With respect to materials, components and equipment, means the
capability to withstand the application of heat by a flame, as defined
for ‘Fireproof’, for a period of 5 minutes without any failure that would
create a hazard to the UAS. For materials this may be considered to
be equivalent to the capability to withstand a fire at least as well as
aluminium alloy in dimensions appropriate for the purposes for which
they are used.
Flight control system The flight control system comprises sensors, actuators, computers
FCS and all those elements of the UAS System, necessary to control the
attitude, speed and flight path of the UA. The flight control system can
be divided into 2 parts:
Flight control computer - A programmable electronic system that
operates the flight controls in order to carry out the intended inputs.
Flight controls - Sensors, actuators and all those elements of the UAS
(except the flight control computer), necessary to control the attitude,
speed and flight path of the UA.
Flight load factor Ratio of the aerodynamic force component (acting normal to the
assumed longitudinal axis of the UA) to the weight of the UA. A
positive flight load factor is one in which the aerodynamic force acts
upward, with respect to the UA.
Flight Envelope System that prevents the UA from exceeding its designed operating
Protection limits.
Flight termination System to immediately terminate flight.
system:
Forced landing Condition resulting from one or a combination of failure conditions.
Ground staff Qualified personnel necessary for ground operations (such as
supplying the UAS with fuel and maintenance) as stated in the UAS
Flight Manual or in the UAS Maintenance Manual.

A-3
Edition C Version 1

\r
 Annex A to
AEP-83
Handover Operation that consists in performing a UA command and control
transfer from one UCS to another one or from one workstation to
another one in the same UCS.
Landing The process in which an aircraft is brought from a safe flight condition
to a standstill on the intended landing surface (ground, sea surface,
etc.).
Line of Sight Visually unobstructed straight line through space between the
transmitter and receiver.
Masking Blockage of data link due to fuselage blockage or unfavourable UA
attitude.
Multi-Engine Inoperative When more than one engine fails to supply adequate power during
any phase of flight.
Must Indicates a mandatory requirement (see also “shall”).
Payload Device or equipment carried by the UA which performs the mission
assigned. The payload comprises all elements of the air vehicle that
are not necessary for flight but are carried for the purpose of fulfilling
specific mission objectives.
Pcumcat The cumulative probability resulting from the probabilities per flight
hour of all Individual Catastrophic Failure Conditions caused by all
systems
Safety trace Area associated with the take-off/launch and landing/recovery phases
of a UA in which an otherwise unacceptable risk is mitigated by
clearing that area.
Shall Indicates a mandatory requirement (see also “must”).
Should Indicates a preferred, but not mandatory, method of accomplishment.
Take-off Process by which an aircraft leaves the surface and attains controlled
flight (includes launch via catapult or rocket assistance).
Third Parties Members of the public and any non-participating personnel
UAS Crew One or more qualified people responsible for monitoring and
controlling the flight-path, flight status and function of one or more UA.
Includes the UA Operator and also all support crew members
responsible for operating on-board systems (e.g. payload).
UA Operator The UAS crew member in the UA Control Station tasked with overall
responsibility for operation and safety of the UAS. See STANAG 4670
for UA Operator training guidance.
UAS Control Station / A facility or device from which the UA is controlled and/or monitored
UAS Control Box / for all phases of flight.
Unmanned Aircraft A UAS comprises individual UAS elements consisting of the UA, the
System UA control station and any other UAS elements necessary to enable
flight, such as a command and control data link, communication
system, and take-off and landing element. There may be multiple UA,
UCS, or take-off and landing elements within a UAS. Includes the UA,
modular mission payloads, data links, launch and recovery equipment,
mission planning and control stations, data exploitation stations and
logistic support.

A-4
Edition C Version 1

\r
 Annex A to
AEP-83
Unmanned Aircraft Aircraft which is designed to operate with no human pilot on board and
which does not carry personnel. Moreover a UA is:
• capable of sustained flight by aerodynamic means,
• remotely piloted or automatically flies a pre-programmed flight
profile,
• reusable,
• not classified as a guided weapon or similar one shot device
designed for the delivery of munitions.
UCS flight control Flight controls used by the UAS crew in the UCS to operate the UAS
in the semi-automatic mode of control.
Unsafe Condition or situation that is likely to cause a Hazardous or more
serious event.
Workload Amount of work assigned to or expected from a person in a specified
time.
Workstation Computer interface between an individual UAS crew member and the
UAS to perform the functions of mission planning, flight control and
monitoring and for display and evaluation of the downloaded image
and data (where applicable).

A-5
Edition C Version 1

\r
 Annex A to
AEP-83

INTENTIONALLY BLANK

A-6
Edition C Version 1

\r
 Annex B to
AEP-83

LANDING CONDITIONS FOR CONVENTIONAL LANDING GEAR CONFIGURATIONS

(WHERE APPLICABLE)

This guidance is based on traditional manned aircraft configurations. Alternative design

solutions may require a case by case tailoring.

UL.GL.1 Basic Landing Condiitons

The loads for the basic landing conditions are given in the following table and figure

Table – Basic landing condition

Figure – Basic landing condition

B-1
Edition C Version 1

\r
 Annex B to
AEP-83

1.1 The load factor on the wheels, nj, may be calculated as follows:
h+d
nj = 3
ef  d
,
where
h = drop height [in] = 3.6  W / S with W/S in [lb/ft2], but h larger than 9 in.,
d = total shock absorber travel [in] = dtire + dshock,
ef = shock efficiency, and
ef x d = 0.5 x d for tire and rubber or spring shocs, or
= 0.5 x dtire + 0.65 x dshock for hydraulic shock absorbers.
1.2 If nj is larger than the maximum load factor in UL5.2 minus 0.67 (nmax - 0.67), all
concentrated masses (engine, fuel tanks, ballast, payload, etc.) must be substantiated for
a limit landing load factor of n = nj + 0.67 which is greater than nmax.
1.3 The usual ultimate factor of safety of 1.5 applies to this conditions, unless a drop test from
the reserve energy height, hr=1.44h, shows that a lower factor may be used. If the shock
absorber is of a fast energy absorbing type, the ultimate loads are the limit loads multiplied
by the conservative reserve energy factor of 1.2.

UL.GL.2 One-wheel landing condition

For the one-wheel landing condition, the UA is assumed to be in the level attitude and to contact
the ground on one side of the main landing gear. In this attitude, the ground reactions must be
the same as those obtained on that side under Level Landing conditions of §UL.GL.1.

B-2
Edition C Version 1

\r
 Annex B to
AEP-83
UL.GL.3 Side Load Conditions
The loads for the side load conditions on the main wheels in a level attitude are given in the
following figure (the shock absorbers and tires are assumed to be in their static position).
Figure – Side Load Conditions

UL.GL.4 Braked Roll Condiitons

The loads for the braked roll conditions on the main wheels in a level attitude are given in the
following figure (the shock absorbers and tires are assumed to be in their static position).
Figure – Braked Roll Conditions

B-3
Edition C Version 1

\r
 Annex B to
AEP-83
UL.GL.5 Supplementary Conditions for Tail Wheel
The loads for the tail wheel conditions in a tail down attitude are given in the following figure (the
shock absorbers and tires are assumed to be in their static position).
Figure – Supplementary Conditions for Tail Wheel Conditions

UL.GL.6 Supplementary Conditions for Nose Wheel

The loads for supplementary conditions for nose wheels are given in the following figure (the
static load is at the combination of weight and CG that gives the maximum loads; the shock
absorbers and tires are assumed to be in their static position).
Figure – Supplementary Conditions for Nose Wheel

B-4
Edition C Version 1

\r
 Annex C to
AEP-83

SPARK AND COMPRESSION IGNITION RECIPROCATING ENGINES

GENERAL

UL.RE.1 Instruction manual

An instruction manual containing the necessary information essential for installing,
operating, servicing and maintaining the engine must be provided.

UL.RE.2 Engine ratings and operating limitations

Engine ratings, including transients, and operating limitations are to be established
and based on the operating conditions demonstrated during the bench tests
prescribed in this Annex. They include power ratings and operational limitations
relating to speeds, temperatures, pressures, fuels and oils which are necessary for
the safe operation of the engine.

UL.RE.3 Selection of engine power ratings

Each selected rating, including transients, must be for the lowest power that all
engines of the same type may be expected to produce under the conditions to
determine that rating.

ENGINE CONTROL SYSTEM

UL.RE.4 It must be substantiated by tests, analysis or a combination thereof that the Engine
Control System performs the intended functions in all its control modes and in
accordance with the design usage spectrum as per UL.0:
- without exceeding operating limits within the flight envelope,
- allowing adequate modulation of power/thrust,
- without creating excessive power/thrust oscillations,
- with safe transition between different control modes,
- without surge and stall of the engine.

DESIGN AND CONSTRUCTION

UL.RE.5 Materials
The suitability and durability of materials used in the engine must
(a) be established on the basis of experience or tests;
(b) conform to approved specifications that ensure their having the strength and
other properties assumed in the design data;
(c) demonstrate that measures are taken to ensure protection from corrosion and
deterioration.

UL.RE.6 Strength
The maximum stresses developed in the Engine must not exceed values
conforming to those established by satisfactory practice for the material involved,
due account being taken of the particular form of construction and the most severe
operating conditions.

C-1
Edition C Version 1
 Annex C to
AEP-83
UL.RE.7 Fire prevention
(a) The design and construction of the engine and the materials used must
minimise the probability of the occurrence and spread of fire because of
structural failure, overheating or other causes.
(b) Each tank, external line or fitting that conveys flammable fluids must be at least
fire-resistant. Components must be shielded or located to safeguard against the
ignition of leaking flammable fluid.

UL.RE.8 Electrical bonding.

Any components, modules, equipment and accessories that are susceptible to or
are potential sources of static discharges or currents from electrical faults, must
be designed and constructed so as to be grounded to the main Engine earth, as
necessary to minimise the accumulation of electro-static or electrical charge that
would cause:
- Injury from electrical shock,
- Unintentional ignition in areas where flammable fluids or vapours could be
present,
- Unacceptable interference with electrical or electronic equipment.

UL.RE.9 Durability
Engine design and construction must minimise the probability of occurrence of an
unsafe condition of the engine between overhauls
(a) The effects of cyclic loading, environmental and operational degradation must
not reduce the integrity of the engine below acceptable levels.
(b) The effects of likely subsequent part failures must not reduce the integrity of
the engine below acceptable levels.

UL.RE.10 Engine cooling

Engine design and construction must provide the necessary cooling under
conditions in which the UA is expected to operate.

UL.RE.11 Engine mounting attachments and structure

(a) The maximum allowable loads for engine mounting attachments and related
structure must be specified, taking account of the flight and ground loads
calculated from the UA design usage spectrum (UL.0.).
(b) The engine mounting attachments and related structure must be able to
withstand the specified loads without failure, malfunction or permanent
deformation.

UL.RE.12 Accessory attachment

Each accessory drive and mounting attachment must be designed and constructed
so that the engine will operate properly with the accessories attached. The design
of the engine must allow the examination, adjustment or removal of each essential
engine accessory.

UL.RE.13 Vibration
The engine must be designed and constructed to function throughout its normal
operating range of crankshaft rotational speeds and engine powers without
inducing excessive stress in any of the engine parts because of vibration and
without imparting excessive vibration forces to the structure of the UA.

C-2
Edition C Version 1
 Annex C to
AEP-83

UL.RE.14 Fuel and induction system

(a) The fuel system of the engine must be designed and constructed to supply the
appropriate mixture of fuel to the combustion chambers throughout the complete
operating range of the engine under all starting, flight and atmospheric
conditions.
(b) The intake passages of the engine through which air, or fuel in combination
with air, passes must be designed and constructed to minimise ice accretion
and vapour condensation in those passages. The engine must be designed and
constructed to permit the use of a means for ice prevention.
(c)Filters, strainers or other equivalent means must be provided to protect the fuel
system from malfunction due to contaminants. These devices must have the
capacity to accommodate any likely quantity of contaminants, including water,
in relation to recommended servicing intervals and, if provided, the blockage or
by-pass indication system.
The Applicant must show (e.g. within the endurance test prescribed in
UL.RE.22(a)) that foreign particles passing through the prescribed filtering
means will not critically impair engine fuel system functioning.
Any main fuel filter or strainer having a significant function for the control of the
power must have a means to permit indication to the UA Operator of impending
blockage of the filter or strainer and all necessary instructions must be provided.
If a by-pass means is provided on any filter or strainer, it must be demonstrated
that open by-pass operation is safe.
(d) Each passage in the induction system that conducts a mixture of fuel and air,
and in which fuel may accumulate, must be self-draining to prevent a liquid lock
in the combustion chambers. This applies to all attitudes that the Applicant
establishes as those the engine can have when the UA in which it is installed is
in the static ground attitude.

UL.RE.15 Oil system (four-stroke engines only)

(a) The oil system of the engine must be designed and constructed so that it will
function properly in all attitudes and atmospheric conditions in which the UA is
expected to operate. In wet-sump engines this requirement must be met when
the engine contains only the minimum oil quantity, the minimum quantity being
not more than half the maximum quantity.
In particular the oil breather (vent) must be resistant to blockage caused by icing.
(b) The oil system of the engine must be designed and constructed to allow
installing a means of cooling the lubricant.
(c) The crankcase must be vented to preclude leakage of oil from excessive
pressure in the crankcase.
(d) All parts of the oil system that are not inherently capable of accepting
contaminants likely to be present in the oil or otherwise introduced into the oil
system must be protected by suitable filter(s) or strainer(s). These must provide
a degree of filtration sufficient to preclude damage to the engine and engine
equipment and have adequate capacity to accommodate contaminants in
relation to the specified servicing intervals.
If the most critical main oil filter does not incorporate a by-pass, then it must
have provision for appropriate indication to the UA Operator of impending
blockage and all necessary instructions must be provided.

C-3
Edition C Version 1
 Annex C to
AEP-83
If a by-pass means is provided on any filter or strainer, it must be demonstrated
that open by-pass operation is safe. Indication of by-pass operation must be
provided to permit appropriate maintenance action to be initiated.
(e) Each oil tank must:
- have, or have provision for, an oil quantity indicator;
- have an expansion space of an adequate size which must be impossible
to inadvertently fill.
(f) Each brand and type of oil to be approved, and the associated limitations, must
be declared and substantiated.

UL.RE.16 Electromagnetic Compatibility

The reciprocating engine spark ignition system and the other UAS components
(e.g. data links, communication) must be electromagnetically compatible.

UL.RE.17 All engine components must be resistant to humidity (applicable standards that
should be used as a reference to tailor a humidity test are RTCA-DO-160D or MIL-
STD-810).

UL.RE.18 A failure analysis of the engine and its installation, including the control system,
must be made to establish that the engine does not introduce unacceptable
hazards as per the UAS Hazard Reference System.

BENCH TESTS

UL.RE.19 Vibration test

The engine must undergo a vibration survey to establish crankshaft torsional and
bending characteristics over a range of rotational speeds from idling to 110% of
the maximum continuous speed or 103% of the maximum desired take-off speed,
whichever is the greater. The survey must be conducted with a representative
propeller (the propeller should be so chosen that the prescribed maximum
rotational speed is obtained at full throttle or at the desired maximum permissible
manifold pressure, whichever is appropriate). No hazardous condition may be
present.

UL.RE.20 Calibration test

Each engine must be subjected to the calibration tests necessary to establish its
power characteristics and the conditions for the endurance test specified in
UL.RE.22(a) to (c). The results of the power characteristics calibration tests form
the basis for establishing the characteristics of the engine over its entire operating
range of crankshaft rotational speeds, manifold pressures, and fuel/air mixture
settings. Power ratings are based on standard atmospheric conditions at sea-level.

UL.RE.21 Detonation test (spark ignition only)

The engine must be tested to establish that it can function without detonation
throughout the range of intended conditions of operation.

UL.RE.22 Endurance test

(a) The engine must be subjected to an endurance test (with a representative
propeller) that includes a total of 50 hours of operation and consists of the cycles
specified in UL.RE.22(c).

C-4
Edition C Version 1
 Annex C to
AEP-83
(b) Additional endurance testing at particular rotational speed(s) may be required
depending on the results of the tests prescribed in UL.RE.19, to establish the
ability of the engine to operate without fatigue failure.
(c) Each cycle must be conducted as follows:

(d) During or following the endurance test the fuel and oil consumption must be
determined.

UL.RE.23 Operation test

The operation test must include the demonstration of backfire characteristics,
starting, idling, acceleration, over-speeding and any other operational
characteristics of the engine.

UL.RE.24 Engine component test

(a) For engine components that cannot be adequately substantiated by endurance
testing in accordance with UL.RE.22(a) to (c), the Applicant must ensure that
additional tests are conducted to establish that components are able to function
reliably in all normally anticipated flight and atmospheric conditions.
(b) Temperature limits must be established for each component that requires
temperature controlling provisions to ensure satisfactory functioning, reliability
and durability.

UL.RE.25 Teardown inspection

After the endurance test has been completed the engine must be completely
disassembled. No essential component may show rupture, cracks or excessive
wear.

C-5
Edition C Version 1
 Annex C to
AEP-83
UL.RE.26 Engine adjustment and parts replacement
Service and minor repairs to the engine may be made during the bench tests. If
major repairs or replacements of parts is necessary during the tests or after the
teardown inspection, or if essential parts have to be replaced, the engine must be
subjected to any additional tests the Certifying Authority may require.

RESTARTING CAPABILITY (where applicable)

UL.RE.27 According to the specific application, the Certifying Authority may require a
restarting capability as follows:
an altitude and airspeed envelope must be established for the UA
for in-flight engine restarting and the installed engine must have a
restart capability within that envelope.

C-6
Edition C Version 1
 Annex D to
AEP-83

ELECTRIC ENGINES

GENERAL

UL.EE.1 Instruction manual

An instruction manual containing the necessary information essential for installing,
operating, servicing and maintaining the engine must be provided.

UL.EE.2 Engine ratings and operating limitations

Engine ratings, including transients, and operating limitations are to be established
and based on the operating conditions demonstrated during the bench tests
prescribed in this Annex. They include power ratings and operational limitations
relating to voltage, current, speeds and temperatures which are necessary for the
safe operation of the engine.

UL.EE.3 Selection of engine power ratings

Each selected rating, including transients, must be for the lowest power that all
engines of the same type may be expected to produce under the conditions to
determine that rating.

ENGINE CONTROL SYSTEM

UL.EE.4 It must be substantiated by tests, analysis or a combination thereof that the Engine
Control System performs the intended functions in all its control modes and in
accordance with the design usage spectrum as per UL.0:
- without exceeding operating limits within the flight envelope,
- allowing adequate modulation of power/thrust,
- without creating excessive power/thrust oscillations,
- with safe transition between different control modes,
- without surge and stall of the engine.

DESIGN AND CONSTRUCTION

UL.EE.5 Materials
The suitability and durability of materials used in the engine must
(a) be established on the basis of experience or tests;
(b) conform to approved specifications that ensure their having the strength and
other properties assumed in the design data;
(c) demonstrate that measures are taken to ensure protection from corrosion and
deterioration.

UL.EE.6 Strength
The maximum stresses developed in the Engine must not exceed values
conforming to those established by satisfactory practice for the material involved,
due account being taken of the particular form of construction and the most severe
operating conditions.

UL.EE.7 Fire prevention - N/A

D-1
Edition C Version 1
 Annex D to
AEP-83
UL.EE.8 Electrical bonding.
Any components, modules, equipment and accessories that are susceptible to or
are potential sources of static discharges or currents from electrical faults, must
be designed and constructed so as to be grounded to the main Engine earth, as
necessary to minimise the accumulation of electro-static or electrical charge that
would cause:
- Injury from electrical shock,
- Unintentional ignition in areas where flammable fluids or vapours could be
present,
- Unacceptable interference with electrical or electronic equipment.

UL.EE.9 Durability
Engine design and construction must minimise the probability of occurrence of an
unsafe condition of the engine between overhauls.
(a) The effects of cyclic loading, environmental and operational degradation must
not reduce the integrity of the engine below acceptable levels.
(b) The effects of likely subsequent part failures must not reduce the integrity of
the engine below acceptable levels.

UL.EE.10 Engine cooling

Engine design and construction must provide the necessary cooling under
conditions in which the UA is expected to operate.

UL.EE.11 Engine mounting attachments and structure

(a) The maximum allowable loads for engine mounting attachments and related
structure must be specified, taking account of the flight and ground loads
calculated from the UA design usage spectrum (UL.0).
(b) The engine mounting attachments and related structure must be able to
withstand the specified loads without failure, malfunction or permanent
deformation.

UL.EE.12 Accessory attachment

Each accessory drive and mounting attachment must be designed and constructed
so that the engine will operate properly with the accessories attached. The design
of the engine must allow the examination, adjustment or removal of each essential
engine accessory.

UL.EE.13 Vibration
The engine must be designed and constructed to function throughout its normal
operating range of speeds and engine powers without inducing excessive stress
in any of the engine parts because of vibration and without imparting excessive
vibration forces to the structure of the UA.

UL.EE.14 Fuel and induction system - N/A

UL.EE.15 Lubrication system - N/A

UL.EE.16 Electromagnetic Compatibility

The electrical engine must be electromagnetically compatible with the
electromagnetic environment of the installation.

D-2
Edition C Version 1
 Annex D to
AEP-83

UL.EE.17 Humidity
The electrical engine must function properly in a humid environment (see 0.

UL.EE.18 A failure analysis of the engine and its installation, including the control system,
must be made to establish that the engine does not introduce unacceptable
hazards as per the UAS Hazard Reference System.

BENCH TESTS

UL.EE.19 Vibration test - N/A

UL.EE.20 Calibration test

Each engine must be subjected to the calibration tests necessary to establish its
power characteristics and the conditions for the endurance test specified in
UL.EE.22. The results of the power characteristics calibration tests form the basis
for establishing the characteristics of the engine over its entire operating range of
rotational speeds.

UL.EE.21 Detonation test - N/A

UL.EE.22 Endurance test

(a) The electric engine assembly, as installed in the UA, must be subjected to an
endurance test (with a representative propeller) that includes a total of 50 hours
of operation and consists of the cycles specified in UL.EE.22(c).
(b) N/A
(c) The endurance test procedure must be agreed with the Certifying Authority and
shall be more severe than the engine design duty cycle. If the UA is designed
to stress engine above maximum continuous power, this must be addressed in
the endurance test procedure.
As an example, each cycle could be conducted as follows:

Sequence Environmental Duration Power setting

Temperature [min]
1.1 Cold 2 Maximum continuous
power
1.2 Cold 43 Nominal power
1.3 Cold 2 Maximum continuous
power
1.4 Cold 43 Nominal power
TOTAL DURATION CYCLE 1: 90 [min]
2.1 Ambient 2 Maximum continuous
power
2.2 Ambient 43 Nominal power
2.3 Ambient 2 Maximum continuous
power

D-3
Edition C Version 1
 Annex D to
AEP-83
Sequence Environmental Duration Power setting
Temperature [min]
2.4 Ambient 43 Nominal power
TOTAL DURATION CYCLE 2: 90 [min]
3.1 Hot 2 Maximum continuous
power
3.2 Hot 43 Nominal power
3.3 Hot 2 Maximum continuous
power
3.4 Hot 43 Nominal power
TOTAL DURATION CYCLE 3: 90 [min]
4.1 Ambient 3 Maximum continuous
power
4.2 Ambient 102 Nominal power
TOTAL DURATION CYCLE 4: 105 [min]

TOTAL SEQUENCE DURATION (1 to 4): 375 [min]

Iterate the previous 4-cycle sequence 8 times.

Cold temperature setting = minimum temperature according to the

design usage spectrum as per UL.0
Ambient temperature setting = ISA sea level temperature (15°C)
Hot temperature setting = maximum temperature according to the
design usage spectrum as per UL.0
(d) N/A

UL.EE.23 Operation test

The operation test must include the demonstration starting, loiter and cruise related
power settings, acceleration, over-speeding and any other operational
characteristics of the engine.

UL.EE.24 Engine component test

(a) For engine components that cannot be adequately substantiated by endurance
testing in accordance with UL.EE.22(a) to (c), the Applicant must ensure that
additional tests are conducted to establish that components are able to function
reliably in all normally anticipated flight and atmospheric conditions.
(b) Temperature limits must be established for each component that requires
temperature controlling provisions to ensure satisfactory functioning, reliability
and durability.

D-4
Edition C Version 1
 Annex D to
AEP-83
UL.EE.25 Humidity test
The electric engine assembly should be subjected to combined temperature and
humidity test according to a procedure to be agreed with the Certifying Authority
(RTCA-DO-160D should be used as a reference to tailor a humidity test).
The procedure should include a series of functional tests after performing each
block of Environmental Cycling Conditioning at Cold, Ambient and Hot temperature
combined with 95 ± 5 % Relative Humidity.
The influence of humidity aspects in the design of the engines could also be
assessed using the Endurance Test (UL.EE.22) if, in addition to the Temperature,
the Relative Humidity is also controlled during endurance cycling as agreed with
the Certifying Authority.

UL.EE.26 Teardown inspection

After the endurance test has been completed the engine must be completely
disassembled. No essential component may show rupture, cracks or excessive
wear.

UL.EE.27 Engine adjustment and parts replacement

Service and minor repairs to the engine may be made during the bench tests. If
major repairs or replacements of parts is necessary during the tests or after the
teardown inspection, or if essential parts have to be replaced, the engine must be
subjected to any additional tests the Certifying Authority may require.

D-5
Edition C Version 1
 Annex D to
AEP-83

INTENTIONALLY BLANK

D-6
Edition C Version 1
 Annex E to
AEP-83

TURBINE ENGINES

UL.TE.1 Instruction manual

An instruction manual containing the necessary information essential for installing,
operating, servicing and maintaining the engine must be provided.
The instruction manual must also contain all appropriate safety procedures that
the UA operator and ground staff must respect during maintenance, pre-flight
checks, taxiing, take-off and landing, as identified in UL.TE.6.

UL.TE.2 Engine ratings and operating limitations

Engine ratings, including transients, and operating limitations are to be established
and based on the operating conditions demonstrated during the bench tests
prescribed in this Annex. They include thrust/power ratings, specific fuel
consumptions, operational limitations relating to speeds, temperatures, pressures,
fuels and oils which are necessary for the safe operation of the engine.

UL.TE.3 Selection of engine power ratings

Each selected rating, including transients, must be for the lowest thrust/power that
all engines of the same type may be expected to produce under the conditions to
determine that rating.

ENGINE CONTROL SYSTEM

UL.TE.4 It must be substantiated by tests, analysis or a combination thereof that the Engine
Control System performs the intended functions in all its control modes and in
accordance with the design usage spectrum as per UL.0:
- without exceeding operating limits within the flight envelope,
- allowing adequate modulation of power/thrust,
- without creating excessive power/thrust oscillations,
- with safe transition between different control modes,
- without surge and stall of the engine.

UL.TE.5 Over-speed protection should be provided (either electronic, hydro-mechanical or

mechanical) with reasonable assurance that it functions correctly.
If over-speed protection is not provided, the applicant must show compliance with
additional test requirements, in order to show at least that:
- each rotor does not burst up to 120% of the maximum permissible rotor speed;
- no detrimental vibrations occur for the entire UA up to 120% of the maximum
permissible rotor speed.

SAFETY

UL.TE.6 A system safety assessment (including the engine control system, power supply,
starting system and any applicable interfaces with UAS) must be completed for the
Engine to ensure that the UAS safety requirements are met (as perUL.30).
Particular consideration must be given but not limited to the following hazards:
uncontrolled fire, burst, uncontained high-energy debris, non-restartable in-flight
shutdown and loss of shutdown capability, release of the propeller by the engine
(if applicable).
E-1
Edition C Version 1
 Annex E to
AEP-83
The safety assessment must also identify all appropriate precautions and/or
actions that the UA operator and ground staff must respect during maintenance,
pre-flight checks, taxiing, take-off and landing.

UL.TE.7 Software design assurance level must be compatible with UL.31.

DESIGN AND CONSTRUCTION

UL.TE.8 Materials
The suitability and durability of materials used in the engine must
(a) be established on the basis of experience or tests;
(b) conform to approved specifications that ensure their having the strength and
other properties assumed in the design data;
(c) demonstrate that measures are taken to ensure protection from corrosion and
deterioration.

UL.TE.9 Strength
(a) The maximum stresses developed in the engine must not exceed values
conforming to those established by satisfactory practice for the material
involved, due account being taken of the particular form of construction and
the most severe operating conditions.
(b) The strength verification must consider all applicable loading conditions
resulting from normal operation. Loads from abnormal speeds and
temperature must be considered if over-speed and over-temperature
protection are not implemented. Gyroscopic loads resulting from normal flight
manoeuvres must be considered.
(c) The following factors of safety should be used to design all engine components
(including tanks):
Load type Limit Ultimate Load = (Limit Load) x (Factor of
Load Safety)
Externally applied 1.0 1.5
loads
Thermal loads 1.0 1.5 (1.0 could be used in case of over-
temperature protection)
Thrust loads 1.0 1.2 (1.0 could be used in case a Full
Authority Digital Engine Control Unit
prevents maximum thrust exceedance)
Internal pressures 1.0 2.0
UA flow field loads 1.0 1.5
(d) Blade-out condition
Subsequent to blade failure at maximum allowable steady state speed, the
engine must not experience: uncontained high-energy debris, uncontrolled fire;
catastrophic rotor, bearing, support or mount failures; over-speed conditions;
leakage of flammable fluid lines; loss of ability to shut down the engine.
Unbalance loads transmitted to the UA structure in engine blade-out conditions
must be determined and considered in the UA strength assessment.
(e) Bird ingestion protection must be agreed with the Certifying Authority in
accordance with UL.13UL13.2.

E-2
Edition C Version 1
 Annex E to
AEP-83
UL.TE.10 Fracture critical parts
a. Fracture critical parts must be clearly identified in a summary, as those parts of
the engine (and of the starting system, where applicable) whose failure may result
in catastrophic outcome as a result of non-containment either due to direct part
failure or by causing other progressive part failures
Examples of fracture critical parts are disks (including blisks), radial compressors
and turbines.
b. An Engineering Plan, a Manufacturing Plan and a Service Management Plan
must be established by the Applicant to identify processes and tasks that
guarantee each critical part will be withdrawn from service at an approved life
before structural failure can occur.
c. For each fracture critical part, the containment should be established by test,
analysis, or a combination thereof in the most critical condition with respect to
part integrity, as agreed with the Certifying Authority.

For fracture critical parts not shown to be contained, appropriate damage tolerance
assessments should be performed to address the potential for failure from material,
manufacturing and service-induced anomalies within the approved life of the part. The
damage tolerance assessment should identify inspection intervals adequate to prevent initial
flaws to grow to critical length before they will be detected. The methodology for damage
tolerance assessment must be detailed in the previous Plans and agreed with the Certifying
Authority.

The Certifying Authority may exempt the Applicant from assessing damage tolerance. For
instance, the following cases may apply:
- engines intended to be used for a sufficiently short life (expressed in engine
total accumulated cycles) with adequate field or test experience, as agreed
with the Certifying Authority;
- sufficiently short life limitations for fracture critical parts.

UL.TE.11 Fire prevention

(a) The design and construction of the engine and the materials used must
minimise the probability of the occurrence and spread of fire because of
structural failure, overheating or other causes.
(b) Each tank, external line or fitting that conveys flammable fluids must be at least
fire-resistant. Components must be shielded or located to safeguard against the
ignition of leaking flammable fluid.
(c) Engine control system components which are located in a fire zone must be at
least fire-resistant.
(d) Unintentional accumulation of hazardous quantities of flammable fluid within
the engine must be prevented by draining and venting.
(e) Those features of the engine which form part of the mounting structure or
engine attachment points must be at least fire-resistant.

UL.TE.12 Electrical bonding.

Any components, modules, equipment and accessories that are susceptible to or
are potential sources of static discharges or currents from electrical faults, must
be designed and constructed so as to be grounded to the main Engine earth, as
necessary to minimise the accumulation of electro-static or electrical charge that
would cause:

E-3
Edition C Version 1
 Annex E to
AEP-83
- Injury from electrical shock,
- Unintentional ignition in areas where flammable fluids or vapours could be
present,
- Unacceptable interference with electrical or electronic equipment.

UL.TE.13 Durability
The engine service life must be demonstrated for the engine usage determined in
accordance with the UAS design usage spectrum as per UL.0.
(a) Low Cycle Fatigue (LCF) life for cold parts and hot parts must be demonstrated.
(b) Engine structural components operating under combined steady and vibratory
stress conditions must be designed to ensure resistance to High Cycle Fatigue
(HCF) cracking(4).
(c) All engine parts must not creep to the extent that a hazard may occur.

UL.TE.14 Engine cooling

Engine design and construction must provide the necessary cooling under
conditions in which the UA is expected to operate.

UL.TE.15 Engine mounting attachments and structure

(a) The maximum allowable loads for engine mounting attachments and related
structure must be specified, taking account of the flight and ground loads
calculated from the UA design usage spectrum (UL.0).
(b) The engine mounting attachments and related structure must be able to
withstand the specified loads without failure, malfunction or permanent
deformation.

UL.TE.16 Accessory attachment

Each accessory drive and mounting attachment must be designed and constructed
so that the engine will operate properly with the accessories attached. The design
of the engine must allow the examination, adjustment or removal of each essential
engine accessory.

4
An acceptable means of compliance to this requirement is to show that the natural frequencies of this components are outside of the
engine operating range with a minimum of 20% margin. All fracture critical parts should be designed according to this criterion. For
other components it should be shown that the vibratory (HCF) stress should be restricted to 40% of the material capability in a Haigh
diagram (in the absence of data at a number of values of mean stress, the diagram could be constructed by connecting a straight line
from the data point from fully reversed alternating stress around zero mean stress and the Yield Tensile Stress. A maximum allowable
vibratory stress limit should be established. Besides the high mean stress regime should be avoided.

All engine parts should have a minimum HCF life of 109 cycles. A reduction to lower values (e.g. 107 cycles for steel parts and 3*107
cycles for non-ferrous alloy parts) may be acceptable if it is demonstrated that this established number of HCF cycles will not occur
in a component during its lifetime (consider that a part subjected to a frequency of 5 kHz for 60 hours accumulates 10 9 cycles).
E-4
Edition C Version 1
 Annex E to
AEP-83
UL.TE.17 Vibration
The engine must be designed and constructed to function throughout the specified
UA flight envelope and its normal operating range of rotational speeds and engine
powers without inducing excessive stress in any of the engine parts because of
vibration and without imparting excessive vibration forces to the structure of the
UA.

UL.TE.18 Fuel system

(a) The fuel system of the engine must be designed and constructed to supply the
appropriate fuel flow at the appropriate temperature and pressure conditions to
the combustion chambers throughout the complete operating range of the
engine under all starting, flight and atmospheric conditions. The engine fuel
pump must have a margin of capacity over the maximum engine demand in the
flight envelope consistent with the assumed UA installation specifications.
(b) Each fuel specification to be approved, including any additive, and the
associated limitations in flow, temperature and pressure that ensure proper
engine functioning under all intended operating conditions must be declared and
substantiated.
(c)Filters, strainers or other equivalent means must be provided to protect the fuel
system from malfunction due to contaminants. These devices must have the
capacity to accommodate any likely quantity of contaminants, including water,
in relation to recommended servicing intervals and, if provided, the blockage or
by-pass indication system.
The Applicant must show (e.g. within the endurance test prescribed in
UL.TE.26(a)) that foreign particles passing through the prescribed filtering
means will not critically impair engine fuel system functioning.
Any main fuel filter or strainer having a significant function for the control of the
thrust or power must have a means to permit indication to the UA Operator of
impending blockage of the filter or strainer and all necessary instructions must
be provided.
If a by-pass means is provided on any filter or strainer, it must be demonstrated
that open by-pass operation is safe.

UL.TE.19 Oil system

(a) The design of the oil system must be such as to ensure its proper functioning
under all intended flight attitudes, installation, atmospheric and operating
conditions, including oil temperature and expansion factors.
(b) The oil system, including the oil tank expansion space, must be adequately
vented. All atmospheric vents in the oil system must be located, or protected, to
minimise ingress of foreign matter that could affect satisfactory Engine
functioning. Venting must be so arranged that condensed water vapour which
might freeze and obstruct the line cannot accumulate at any point.
(c) All parts of the oil system that are not inherently capable of accepting
contaminants likely to be present in the oil or otherwise introduced into the oil
system must be protected by suitable filter(s) or strainer(s). These must provide
a degree of filtration sufficient to preclude damage to the engine and engine
equipment and have adequate capacity to accommodate contaminants in
relation to the specified servicing intervals.

E-5
Edition C Version 1
 Annex E to
AEP-83
If the most critical main oil filter does not incorporate a by-pass, then it must
have provision for appropriate indication to the UA Operator of impending
blockage and all necessary instructions must be provided.
If a by-pass means is provided on any filter or strainer, it must be demonstrated
that open by-pass operation is safe. Indication of by-pass operation must be
provided to permit appropriate maintenance action to be initiated.
(d) Each oil tank must:
- have, or have provision for, an oil quantity indicator;
- have an expansion space of an adequate size which must be impossible
to inadvertently fill.
(e) Each brand and type of oil to be approved, and the associated limitations, must
be declared and substantiated.

UL.TE.20 Electromagnetic Compatibility

The engine ignition system and control unit and the other UAS components (e.g.
data links, communication) must be electromagnetically compatible.

ATMOSPHERIC CONDITIONS

UL.TE.21 All engine components must be resistant to humidity (applicable standards that
should be used as a reference to tailor a humidity test are RTCA-DO-160D or MIL-
STD-810).

UL.TE.22 It must be demonstrated that the engine can operate satisfactorily under the
meteorological conditions prescribed as per the UAS design usage spectrum
(UL.0), with particular consideration to:
- icing conditions (where applicable),
- sand and dust (where applicable),
- hail ingestion (where applicable),
- atmospheric liquid water ingestion capability (where applicable).

BENCH TESTS

UL.TE.23 All tests must be made with a representative test item configuration including
air intake, acceptable representative jet pipes, propelling nozzle and the
designated engine control system.

UL.TE.24 Vibration test

Each Engine must undergo vibration surveys to establish that the vibration
characteristics of those components that may be subject to mechanically or
aerodynamically induced vibratory excitations are acceptable throughout the
declared flight envelope.
The surveys must cover the ranges of power or thrust and both the physical and
corrected rotational speeds for each rotor system, corresponding to operations
throughout the range of ambient conditions in the declared flight envelope, from
the minimum rotational speed up to 103% of the maximum physical and corrected
rotational speed permitted for rating periods of two minutes or longer and up to
100% of all other permitted physical and corrected rotational speeds, including
those that are Over-speeds. If there is any indication of a stress peak arising at the
highest of those required physical or corrected rotational speeds, the surveys must

E-6
Edition C Version 1
 Annex E to
AEP-83
be extended sufficiently to reveal the maximum stress values present, except that
the extension need not cover more than a further 2 percentage points increase
beyond those speeds.
Consideration should be given to the effect on vibration characteristics of excitation
forces caused by typical fault conditions.

UL.TE.25 Calibration test

In order to identify the engine thrust/power changes that may occur during the
endurance test specified in UL.TE.26, each test engine must be subjected to the
calibration tests necessary to establish its thrust/power and specific fuel
consumption characteristics. The results of the thrust/power characteristics
calibration tests form the basis for establishing the characteristics of the engine
over its entire operating range of rotational speeds, pressures, temperatures and
altitudes. Thrust/power ratings are based on standard atmospheric conditions at
sea-level.

UL.TE.26 Endurance test

(a) The engine must be subjected to an accelerated endurance test to be agreed
with the Certifying Authority.
The duration and type of cycles of the test must be established in order to
demonstrate that the engine is durable for its entire design service life:
- an appropriate combination of different types of throttle cycles (Start-Max-
Shutdown, Idle-Max-Idle, Cruise-Max-Cruise) should test a low cycle
fatigue life at least equivalent to one design service life;
- rapid accelerations to max thrust/power should be included in the test;
- additional time at particular rotational speed(s) may be required depending
on the results of the tests prescribed in UL.TE.24, to establish the ability
of the engine to operate without high cycle fatigue failures for its entire
service life;
- during the endurance test the total time spent at the maximum turbine inlet
temperature should be as long as during the design service life;
- the ignition system should be operated during the test for periods
representative of the duration and frequency of operation of the system
during the design service life;
- a sufficient number of cold starts and hot starts (including consecutive hot
starts if allowed by the engine) should be performed during the test;
- part of the test should be performed with contaminated fuel as per
UL.TE.18;
- part of the test should be performed with the minimum allowed oil quantity.

An alternative acceptable endurance test for Turbine Engines is made by the

repetition of the following 6 hours stages in a number equivalent to the entire
engine design service life (but never more than 25):
Part 1 One hour of alternate 5-minute periods at Take-off Power or
Thrust and minimum ground idle
Part 2 30 minutes at
(A)Rated Maximum Continuous Power/Thrust during 3/5 of
the total number of the 6-hour endurance test stages
(B) Rated Take-off Power/Thrust during 2/5 of the total
number of the 6-hour endurance test stages.
E-7
Edition C Version 1
 Annex E to
AEP-83

Where Engine rotational speeds between Maximum

Continuous and Take-off may be used in service, and these
speeds would not be adequately covered by other Parts of
the endurance test, then the following Part 2 must be
substituted:
(C)Rated Maximum Continuous Power/Thrust during 2/5 of
the total number of the 6-hour endurance test stages.
(D) Rated Take-off Power/Thrust during 1/5 of the total
number of the 6-hour endurance test stages.
(E) 2/5 of the total number of the 6-hour endurance test
stages covering the range in 6 approximately equal speed
increments between Maximum Continuous and Take-off
Power/Thrust.

Part 3 One hour and 30 minutes at Maximum Continuous

Power/Thrust.

Part 4 2 hours and 30 minutes covering the range in 15

approximately equal speed increments from Ground Idling up
to but not including Maximum Continuous Power/Thrust
.
Part 5 30 minutes of accelerations and decelerations consisting of 6
cycles from Ground Idling to Take-off Power/Thrust,
maintaining Take-off Power/Thrust for a period of 30 seconds,
the remaining time being at Ground Idling.
NOTES
- During scheduled accelerations and decelerations in Parts 1 and
5 the power or thrust control lever must be moved from one
extreme position to the other in a time not greater than one
second.
- The oil pressure during the various stages must be varied in the
complete range from minimum to maximum.
- If a significant peak blade vibration is found to exist at any
condition within the operating range of the Engine, not less than
10 hours, but not exceeding 50%, of the incremental periods of
Part 4 of the endurance test must be run with the rotational speed
varied continuously over the range for which vibrations of the
largest amplitude were disclosed by the vibration survey; if there
are other ranges of rotational speed within the operational range
of the Engine where approximately the same amplitude exists, a
further 10 hours must be run in the same way for each such
range.
- An adequate part of the cycles should be performed with
contaminated fuel as per UL.TE.18.
- A sufficient number of cold starts and hot starts (including
consecutive hot starts if allowed by the engine) should be
performed during the test.

E-8
Edition C Version 1
 Annex E to
AEP-83
(b) Performance retention. The deteriorated engine after the endurance test must
retain adequate thrust/power and specific fuel consumption, as agreed with the
Certifying Authority.

UL.TE.27 Operation test

The operation test must include the demonstration of starting, idling, maximum
acceleration, over-speeding, shut-down, re-light (where applicable), engine
response characteristics (if required by the UA) and any other operational
characteristics of the engine required by the UA in the most severe conditions of
the operating envelope.
The engine should be run for sufficient time at the excess pressures and thrusts
which would result from operation at a defined margin (to be agreed with the
Certifying Authority) above the maximum operational speed (VC-max), under the
most critical ambient pressure and temperature conditions, with maximum
continuous thrust/power selected.

UL.TE.28 Engine component test

(a) For engine components (including gearbox, where applicable) that cannot be
adequately substantiated by endurance testing in accordance with UL.TE.26,
the Applicant must ensure that additional tests are conducted to establish that
components are able to function reliably in all normally anticipated flight and
atmospheric conditions.
(b) Temperature limits must be established for each component that requires
temperature controlling provisions to ensure satisfactory functioning, reliability
and durability.

UL.TE.29 Teardown inspection

After the endurance test has been completed the engine must be completely
disassembled. No essential component may show rupture, cracks or excessive
wear and deterioration.

UL.TE.30 Engine adjustment and parts replacement

Service and minor repairs to the engine may be made during the bench tests. If
major repairs or replacements of parts is necessary during the tests or after the
teardown inspection, or if essential parts have to be replaced, the engine must be
subjected to any additional tests the Certifying Authority may require.

FUNCTIONING

UL.TE.31 Surge and instability

The engine must be free from dangerous surge and instability throughout the
specified UA flight envelope and its operating range of ambient and running
conditions within air intake pressure and temperature conditions compatible with
the installation on the UA.

E-9
Edition C Version 1
 Annex E to
AEP-83
RESTARTING CAPABILITY (where applicable)

UL.TE.32 According to the specific application, the Certifying Authority may require a
restarting capability as follows:
an altitude and airspeed envelope must be established for the UA
for in-flight engine restarting and the installed engine must have a
restart capability within that envelope.

E-10
Edition C Version 1
 Annex F to
AEP-83

PROPELLERS

GENERAL

UL.P.1 Instruction manual

An instruction manual containing the information considered essential for installing,
servicing and maintaining the propeller must be provided.

UL.P.2 Propeller operating limitations

Propeller operating limitations must be established on the basis of the conditions
demonstrated during the tests specified in this Annex.

DESIGN AND CONSTRUCTION

UL.P.3 Materials
The suitability and durability of materials used in the propeller must
(a) Be established on the basis of experience or tests; and
(b) Conform to approved specifications that ensure their having the strength and
other properties assumed in the design data.

UL.P.4 Durability
Propeller design and construction must minimise the possibility of the occurrence
of an unsafe condition of the propeller between overhauls.
(a) The effects of cyclic loading, environmental and operational degradation must
not reduce the integrity of the propeller below acceptable levels.
(b) The effects of likely subsequent part failures must not reduce the integrity of
the propeller below acceptable levels.

UL.P.5 Pitch Control

(a) Failure of the propeller pitch control may not cause a hazardous overspeed
event under intended operating conditions.
(b) If the propeller can be feathered the control system must be designed to
minimize
(1) consequential hazards, such as a propeller runaway resulting from
malfunction or failure of the control system
(2) the possibility of an unintentional operation.

TESTS AND INSPECTIONS

UL.P.6 General
It must be shown that the propeller and its main accessories complete the tests
and inspections prescribed in UL.P.7 through 0 without evidence of failure or
malfunction.

UL.P.7 Blade retention test

The hub and blade retention arrangement of propellers with detachable blades
must be subjected to a load equal to twice the centrifugal force occurring at the
maximum rotational speed (other than transient over-speed) for which approval is

F-1
Edition C Version 1
 Annex F to
AEP-83
sought, or the maximum governed rotational speed, as appropriate. This may be
done either by a whirl test or a static pull test.

UL.P.8 Vibration load limit test

The vibration load limits of each metal hub and blade, and of each primary load-
carrying metal component of non-metallic blades, must be determined for all
reasonably foreseeable vibration load patterns.

UL.P.9 Endurance test

(a) Fixed-pitch or ground-adjustable propellers. Fixed-pitch or ground-adjustable
propellers must be subjected to one of the following tests:
(1) A 50-hour flight test in level flight or in climb. At least five hours of this flight
test must be with the propeller at the rated rotational speed and the remainder
of the 50 hours must be with the propeller operated at not less than 90% of
the rated rotational speed. This test must be conducted on a propeller of the
greatest diameter for which certification is requested.
(2) A 50-hour endurance bench test on an engine at the power and propeller
rotational speed for which certification is sought. This test must be conducted
on a propeller of the greatest diameter for which certification is requested.
(b) Variable pitch propellers. Variable pitch propellers (propellers the pitch of which
can be changed by the UA Operator or by automatic means while the propeller
is rotating) must be subjected to one of the following tests:
(1) A 50-hour test on an engine with the same power and rotational speed
characteristics as the engine or engines with which the propeller is to be
used. Each test must be made at the maximum continuous rotational speed
and power rating of the propeller. If a take-off performance greater than the
maximum continuous rating is to be established, an additional 10-hour bench
test must be made at the maximum power and rotational speed for the take-
off rating.
(2) Operation of the propeller throughout the engine endurance tests prescribed
in UL.RE.22 (Annex C), UL.EE.22 (Annex D) or UL.TE.26 (Annex E) as
applicable.

UL.P.10 Functional tests

(a) Each variable pitch propeller must be subjected to all applicable functional tests
of this paragraph. The same propeller used in the endurance test must be used
in the functional test and must be driven by an engine on a test stand or on a
UA.
(b) Manually controllable propellers. 500 complete cycles of control throughout the
pitch and rotational speed ranges, excluding the feathering range.
(c) Automatically controllable propellers. 1500 complete cycles of control
throughout the pitch and rotational speed ranges, excluding the feathering
range.

UL.P.11 Teardown inspection

After the endurance test has been completed the propeller must be completely dis-
assembled. No essential component may show rupture, cracks or excessive wear.

F-2
Edition C Version 1
 Annex F to
AEP-83
UL.P.12 Propeller adjustments and parts replacement
During the tests, service and minor repairs may be made to the propeller. If major
repairs or replacement of parts is found necessary during the tests or in the
teardown inspection, any additional tests that the Certifying Authority finds
necessary must be conducted.

F-3
Edition C Version 1
 Annex F to
AEP-83

INTENTIONALLY BLANK

F-4
Edition C Version 1
 Annex G to
AEP-83

HAZARD REFERENCE SYSTEM

UL.HRS.1 Severity Reference System

Catastrophic Failure conditions that are expected to result in at least uncontrolled

flight (including flight outside of pre-planned or contingency flight
profiles/areas) and/or uncontrolled crash.
Or
Failure conditions which may result in a fatality to UAS crew or
ground staff or third parties.
Hazardous Failure conditions that either by themselves or in conjunction with
increased crew workload, are expected to result in a controlled-
trajectory termination or forced landing potentially leading to the
loss of the UA where it can be reasonably expected that a fatality
will not occur:
Or, Failure conditions for which it can be reasonably expected that
a fatality to UAS crew or ground staff or third parties will not occur.
Major Failure conditions that either by themselves or in conjunction with
increased crew workload, are expected to result in an emergency
landing of the UA on a predefined site where it can be reasonably
expected that a serious injury will not occur.
Or
Failure conditions which could potentially result in injury to UAS
crew, ground staff or third parties.
Minor Failure conditions that do not significantly reduce UAS safety and
involve UAS crew actions that are well within their capabilities.
These conditions may include a slight reduction in safety margins
or functional capabilities, and a slight increase in UAS crew
workload.

UL.HRS.2 Cumulative Safety Requirement

The cumulative probability for catastrophic event (i.e. resulting from the combination of
all catastrophic failure conditions) takes into account all the contributions of all UAS
systems and sub-systems, including propulsion, navigation, data-link, UCS/UCB etc..

The cumulative probability per flight hour should be established as follows:

for MTOW below 15kg PCUM-CAT = 10-4
for MTOW between 15kg and 150kg PCUM-CAT = 0.0015 / (MTOW)

The cumulative probability per flight hour is an upper limit; therefore the result of
quantitative safety assessment process should be demonstrated as less than or equal to
PCUM-CAT.

G-1
Edition C Version 1
 Annex G to
AEP-83

UL.HRS.3 Probability Level Reference System

The following individual failure probability per flight hour safety objectives must be used.
The probability reference system is based on 10 individual catastrophic failure
conditions. Exceptionally, the individual failure quantitative safety objective (PIND-CAT) for
each catastrophic failure condition given by the result of PCUM-CAT divided by NCATFC
(number of catastrophic failure conditions) may be used as agreed with the Certifying
Authority. The number of individual catastrophic failure conditions should be determined
from the FHA.
(E) Extremely Improbable PCUM − CAT
P(E) ≤
10
(D) Extremely Remote P(E) < P(D) ≤ 10 x P(E)
(C) Remote 10 x P(E) < P(C) ≤ 100 x P(E)
(B) Probable. 100 x P(E)< P(B) ≤ 1000 x P(E)
(A) Frequent P(A) > 1000 x P(E)

UL.HRS.4 Hazard Acceptability Criteria

(2)
Hazard Risk Index (1) (3) (4)
HAZARDOU
(HRI) CATASTROPHIC MAJOR MINOR
S
3A 4A
1A 2A
(A) FREQUENT Unacceptabl Unacceptabl
Unacceptable Unacceptable
e e
G-2
Edition C Version 1
 Annex G to
AEP-83
3B
1B 2B 4B
(B) PROBABLE Unacceptabl
Unacceptable Unacceptable Acceptable
e
1C 2C 3C 4C
(C) REMOTE
Unacceptable Unacceptable Acceptable Acceptable
(D) EXTREMELY 1D 2D 3D 4D
REMOTE Unacceptable Acceptable Acceptable Acceptable
(E) EXTREMELY 1E 2E 3E 4E
IMPROBABLE Acceptable Acceptable Acceptable Acceptable

G-3
Edition C Version 1
 Annex G to
AEP-83

INTENTIONALLY BLANK

G-4
Edition C Version 1
 Annex H to
AEP-83

STABILITY AND RESPONSE ASSESSMENT GUIDANCE

This Annex should be used by the Applicant and the Certifying Authority as guidance to
demonstrate compliance with UA stability requirements concerning longitudinal / lateral
stability and transient response.

The accuracy and stability quantitative requirements should be established according to the
design usage spectrum as per UL.0 (e.g. best cruise height compared to a minimum safe
clearance above patrolled area buildings).

UL.SR.1 Accuracy
The UAS must be capable of maintaining the desired flight parameters in smooth
air with a sufficiently small static error, to be agreed by the Applicant and the
Certifying Authority. This should be demonstrated by model-based analyses and
verified by flight tests, for the following parameters, throughout the normal flight
envelope:
- attitude: pitch and roll angles;
- airspeed, heading or track, turn rate, and altitude.

UL.SR.2 Transient response

It must be demonstrated for the entire flight envelope that:

UL.SR.2.1 Pitch and Roll response following an abrupt command input or gusts,
are suitably damped so as not to cause exceedance of the:
- limit load factor,
- maximum torque allowed by the control surface actuators.

UL.SR.2.2 Transition to a selected altitude, or engagement of an altitude hold

function should not cause a deviation (overshoot) of the commanded
value by a tolerance greater than 3 times the tolerance agreed with the
Certifying Authority under paragraph UL.SR.1.

UL.SR.2.3 Transition to a selected heading or engagement of a heading hold

function should not cause transient deviation (overshoot) of the
commanded value by a tolerance greater than 3 times the tolerance
agreed with the Certifying Authority under paragraph UL.SR.1.

UL.SR.2.4 Transition to a selected airspeed or selection of an airspeed hold

function, within the permissible flight envelope protection, should not
cause the air speed to:
- fall below the minimum allowed air speed,
- exceed a defined margin agreed with the Certifying Authority
slightly above VC-max and sufficiently below VD.

H-1
Edition C Version 1
 Annex H to
AEP-83
UL.SR.3 Pilot (UA Operator) Induced Oscillations
The absence of PIO tendencies which may lead to unsafe conditions should be
demonstrated in flight for each FCS operational mode, with particular attention to
manual direct piloting mode (where applicable). Model based simulations with the
UA Operator in the loop may be used to integrate flight test evidence in extreme
operational conditions.

H-2
Edition C Version 1
 Annex I to
AEP-83

THE SAFETY MANAGEMENT PLAN

SAFETY MANAGEMENT

UL.SMP.1 The Safety Management Plan sets out to:

- Describe how the Safety Management System works, including descriptions
of organisational structure, processes, procedures and methodologies used
to enable the direction and control of the activities necessary to meet safety
requirements and objectives.
- Describe the project’s safety related timescales, milestones, targets and
other relevant date related information.
UL.SMP.1.1 The Safety Management Plan should link directly to the project
management plan, but focus on specific safety activities. Key safety
milestones should be included in the overall project management
plan alongside other engineering and design activities.
UL.SMP.1.2 The Safety Management Plan would typically address the
following:
- A description of the system and its purpose sufficient to provide
an understanding of what the Plan is referring to.
- Initial definition of all key safety requirements.
- Details of the Safety Management System to be operated.
- A description of defined safety tasks, including:
- Ownership.
- Methodology
- Resource requirements.
- Definition of milestones.
- Tolerability Criteria.
- Risk management processes, including the definition of
methods.
- The identification of specific tools to be utilised (such as hazard
log software).
- The safety programme.
- The safety audit plan.
- The compliance matrix for this STANAG, indicating procedures
and methods to be used.
- A list of deliverables and their format.
The safety programme usually comprises a ‘Gantt’ chart depicting
timescales, safety milestones and deliverables. It should also
include a treatment of potential unprogrammed activities such as
analysis of incidents and accidents. The programme can be
developed as required e.g. it could include the safety audit plan.

I-1
Edition C Version 1
 Annex I to
AEP-83
UL.SMP.1.3 Some of these items may be included by summarising and
referencing other management and engineering documents but, as
a key deliverable, the Safety Management Plan should contain an
adequate level of information and detail to provide a comprehensive
understanding of the way safety management will be implemented
and maintained.
UL.SMP.2 There are a number of events that could lead to a revision of the Safety
Management Plan e.g. change in overall requirements, changes in organisation,
major operational changes or problems etc.
The Safety Management Plan must consider the full life of the system and the
Applicant will be required to review and update it through the system life-cycle
UL.SMP.3 The Safety Management Plan is a significant document and one that provides
a basis on which to assess the effectiveness of the safety management process.
It is therefore important that the contents of the Safety Management Plan are
agreed with the Certifying Authority at the earliest possible stage in the
Certification Process
UL.SMP.4 A Safety Management System provides the Applicant with the means of
managing safety and defining the processes to be followed to achieve his
objectives. The Safety Management System should be fully documented within
the Safety Management Plan, so that processes for the management of safety
for the specific project are clearly defined and the effectiveness of the
implementation of the Safety Management System can be assessed.
UL.SMP.4.1 An effective Safety Management System will ensure co-
ordination of the right mix of resources to plan, organise, implement,
monitor, review, audit and improve specified tasks. The Safety
Management System should address safety policy and/or strategy,
defined levels of authority, lines of communication and procedures.
The Safety Management System would typically at least address
the following:
- The strategy for managing safety.
- The definition of individual and organisational roles and
allocation of safety authority and responsibilities including
identification of the ‘sign-off’ authority.
- The interface arrangements, particularly with other Safety
Management Systems (e.g. Sub-Contractors, Production
Organization, Maintenance Organization, Armed Forces, etc.).
- The definition of competency requirements and mechanisms for
measuring and ensuring competence of individuals performing
tasks affecting safety.
- The identification and allocation of resources required for the
Safety Management System to be implemented effectively.
- The identification of applicable legislation, regulations and
standards to be met.
- The interface with Occupational Health (e.g. applicable to the
UCS/UCB) and Safety arrangements as appropriate, either
directly or by reference.
- The audit arrangements.
- The change management arrangements.
I-2
Edition C Version 1
 Annex I to
AEP-83
- The arrangements for monitoring defect/failure reports and
incident/accident/near miss reports, and identifying and
implementing remedial action.
- The arrangements for managing and acting on feedback in
respect of the impact of such actions on safety requirements and
safety achievements.
- The arrangements for measuring the effectiveness of safety
management activities.
- The definition of a hazard reference system (as mentioned in
Annex G).
UL.SMP.4.2 The Safety Management System should demonstrate positive
safety culture. Safety culture is the product of individual and group
values, attitudes, perceptions, competencies and patterns of
behaviour that determine the commitment to, and the style and
proficiency of, safety management.
UL.SMP.4.3 The effectiveness of the implementation of the Safety
Management System must be assessed measuring the degree of
achievement of the objectives. Measuring the performance of the
Safety Management System provides the necessary information to
implement a continuous improvement of the Safety Management
System performances in time.
UL.SMP.5 It is important that safety is considered with all other engineering disciplines and
not as a separate entity, particularly as experience has shown that poor safety
management can be a significant source of project risk. As part of implementing
a systems engineering approach, different processes, documents, etc. may be
merged. However, the need to be able to consider safety issues independently
should be recognised, particularly when involving specialist experts and
Certifying Authority organisations. As a result, it may be necessary for safety
material to be tagged as such, to enable it to be differentiated from non-safety
material.

I-3
Edition C Version 1
 Annex I to
AEP-83

INTENTIONALLY BLANK

I-4
Edition C Version 1
 Annex J to
AEP-83
GUIDELINES FOR AIRWORTHINESS REQUIREMENTS APPLICABLE TO
UA BELOW THE 66J IMPACT ENERGY

This Annex should be used by the Applicant and the Certifying Authority as guidance
material to establish minimum airworthiness requirements for UA with an impact energy
below 66 J (calculated using the worst case terminal velocity based on the foreseeable
failure conditions).

1. Design Usage Spectrum

The Applicant must identify the design usage spectrum as the set of all the
foreseen operational conditions of the UAS:
- typical design missions;
- in-flight operation conditions;
- on-ground operation conditions;
- operational modes (automatic, speed-hold, altitude hold, direct manual, etc.);
- take-off / launch / ramp conditions;
- landing / recovery conditions;
- locations and platforms (e.g. land vehicle, water vessel, aircraft, building, etc.)
from which launch, command and control, and recovery operations will be
performed (e.g., land, littoral/maritime, air, );
- number of air vehicles to be operated simultaneously;
- transport conditions (define the transportation and storage environment of the
UAS – e.g. bag, package, truck or whatever is required);
- operating environmental conditions:
- natural climate (altitude, temperature, pressure, humidity, wind, rainfall rate,
lightning, ice, salt fog, fungus, hail, bird strike, sand and dust, etc.);
- electromagnetic environmental effects (electromagnetic environment among
all sub-systems and equipment, electromagnetic effects caused by external
environment, electromagnetic interference among more than one UAS
operated in proximity);
- lighting conditions (e.g., day, night, dawn, dusk, mixed, etc.);
- identify all the possible mass configurations (minimum and maximum flying
weight, empty CG, most forward CG, most rearward CG must be identified).

2. General Requirements

The Applicant should ensure certification as per AS/EN 9001 for undertaking Light
UAS design and production activities and the documented statement of the quality
policy should explicitly include system safety as one of the main objectives: this
should give a minimum confidence that safety management is implemented and
that safety-related work is undertaken by competent individuals, in adequate
facilities, with adequate tools, material, procedures and data.

The Applicant must identify design criteria, standards and practices used to
design UA structure, engine, propeller and UAS equipment.

The UA must be stable and controllable in all sequences of flight and in all
operational modes.

J-1
Edition C Version 1
 Annex J to
AEP-83
Navigation accuracy must be agreed with the Certifying Authority.

There must be a means to monitor and indicate the flight path and UAS (including
Data Link) status to the UA Operator.

Human-Machine Interface aspects must be considered.

There should be a means for flight termination in emergency conditions.

Standard operating and emergency procedures must be established and

documented.

For certification, the Applicant must demonstrate the whole usage spectrum
by flight test. The test plan must be accepted by the Certifying Authority. The flight
test plan must include, but not limited to:
- test objectives,
- applicable standards/specifications,
- test article description,
- flight test instrumentation,
- test condition,
- acceptance criteria.

3. Structures and Materials

Structural integrity
The UA must withstand, without rupture, the limit loads multiplied by a factor of
safety, at each critical combination of parameters. The significance of loads induced
by transportation and handling must be considered.
The factor of safety must be agreed with the Certifying Authority, taking into account
all the uncertainty factors in the design criteria (e.g. load modelling, stress
modelling, material allowables, environmental effects, barely visible damage effects
on composites, etc.).

The structural integrity should be considered also in relation to fatigue and the
expected service life of the air vehicle.

Materials
The Applicant must identify the materials and manufacturing processes used in the
construction of the UA and the criteria implemented to control materials
performance variability among specimens. Materials must be compatible with the
usage spectrum. Manufactured parts, assemblies, and the complete UAS must be
produced in accordance with the manufacturer’s Quality Management System.

4. Propulsion system

The entire propulsion system must be subjected to an endurance test, followed by

tear down inspection, according to a duration and a cycle to be agreed with the
Certifying Authority, in accordance with the design usage spectrum.

J-2
Edition C Version 1
 Annex J to
AEP-83
For electrical engine applications, the battery must be able to provide the necessary
voltage and current required by the engine and electrical equipment throughout the
operational envelope.

There must be means to minimize the risk of battery overheating/explosion (e.g.

cooling, temperature sensor, active battery management system).

Provisions must be provided to alert the UA operator that the battery has discharged
to a level which requires immediate UA recovery actions.

Information concerning battery storage, operation, handling, maintenance, safety

limitations and battery health conditions must be provided in the applicable
manuals.

5. Systems and equipment

All equipment (including Commercial-Off-The-Shelf) and subsystems (including

Data Link) must function properly within the design usage spectrum, when
integrated in the UAS.

The installation provisions, environment and the intended usage of all equipment
must meet all performance, operating and safety limitations to which the equipment
is qualified (i.e. it meets its specifications).

Environmental Electromagnetic Effects (E3) must be considered as agreed with the

Certifying Authority.

A data recorder should be provided in order to store typical flight data as agreed
with the Certifying Authority.

Safety
A System Safety Assessment must be performed for the UAS (including all
contributions coming from the UA, UCS/UCB, Data Link and any other equipment
necessary to operate the UAS). This assessment should include a Functional
Hazard Analysis, a Failure Mode Effect and Criticality Analysis and a Fault Tree
Analysis.
It must be verified that the probability of failures expected to result in at least
uncontrolled flight (including flight outside of pre-planned or contingency flight
profiles/areas) and/or uncontrolled crash is extremely remote as agreed with the
Certifying Authority, in accordance with Annex G probability thresholds.

A minimum essential set of Built-In-Tests (BIT) should be agreed with the Certifying
Authority (e.g. power-up self-test).

The software life cycle assurance process for the UAS must be agreed with the
Certifying Authority. A Plan for Software Airworthiness should be provided and
agreed with the Certifying Authority. Each configuration software item whose failure
could lead to uncontrolled flight and/or crash should be equivalent to Design
Assurance Level (DAL) C as per RTCA DO-178B / ED-12B.

J-3
Edition C Version 1
 Annex J to
AEP-83
6. Continued Airworthiness

The Applicant must promulgate all necessary instructions for ensuring continued
airworthiness.

The Applicant must provide a method to track technical occurrences affecting safety
throughout the life of the program and implement preventive and corrective actions
as necessary.

A Flight Manual must be provided to the UA operator that clearly and

unambiguously defines all the operating procedures, limitations and performance
information for normal operations and emergency conditions.

UA assembling and disassembling instructions (where applicable).

J-4
Edition C Version 1
 Annex J to
AEP-83

INTENTIONALLY BLANK

J-5
Edition C Version 1
AEP-83(C)(1)