TSO-C153 IMA Hardware Element

AEROSPACE ARP94910
RECOMMENDED
Issued 2012-12
PRACTICE
Aerospace - Vehicle Management Systems - Flight Control Design, Installation and Test of,
Military Unmanned Aircraft, Specification Guide For
RATIONALE
This document is published for the following reasons:
a. Address the need for standards and guide documents for Unmanned Aircraft onboard systems.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
b. Provide recommended practices for the specification of the flight control related functions of military Unmanned
Aircraft Vehicle Management Systems.
c. Recommend a method for the specification of the appropriate level of flight control capability for an Unmanned
Aircraft.
d. Address the integration of the flight control functions with all other elements of the vehicle.
TABLE OF CONTENTS
1. SCOPE .......................................................................................................................................................... 4
1.1 Vehicle Management Systems ..................................................................................................................... 4
1.2 Document Coverage ..................................................................................................................................... 4
1.3 Document Exclusions ................................................................................................................................... 4
1.4 Related Document ........................................................................................................................................ 4
1.5 Best Practices and Procuring Activity Approval ............................................................................................ 5
2. REFERENCES.............................................................................................................................................. 5
2.1 Applicable Documents .................................................................................................................................. 5
2.1.1 SAE Publications........................................................................................................................................... 5
2.1.2 ASME Publications........................................................................................................................................ 6
2.1.3 ASTM Publications ........................................................................................................................................ 6
2.1.4 FAA Publications ........................................................................................................................................... 6
2.1.5 IEEE Publications.......................................................................................................................................... 6
2.1.6 International Standards Organization (ISO) Publications ............................................................................. 6
2.1.7 ICAO Publications ......................................................................................................................................... 6
2.1.8 National Aerospace Standards (NAS) Publications...................................................................................... 6
2.1.9 RTCA Publications ........................................................................................................................................ 7
2.1.10 U.S. Government Publications ...................................................................................................................... 7
2.2 Abbreviations, Acronyms, Symbols and Their Definitions .......................................................................... 10
2.3 Definitions ................................................................................................................................................... 12
2.3.1 UA Design and Operational Categorization Schemes................................................................................ 12
2.3.2 Flight Control Functional Classifications ..................................................................................................... 19
2.3.3 VMS Operational State Classifications ....................................................................................................... 20
2.3.4 VMS Criticality Classifications..................................................................................................................... 21
2.3.5 VMS Component Structural Classifications ................................................................................................ 21
__________________________________________________________________________________________________________________________________________
SAE Technical Standards Board Rules provide that: “This report is published by SAE to advance the state of technical and engineering sciences. The use of this report is
entirely voluntary, and its applicability and suitability for any particular use, including any patent infringement arising therefrom, is the sole responsibility of the user.”
SAE reviews each technical report at least every five years at which time it may be revised, reaffirmed, stabilized, or cancelled. SAE invites your written comments and
suggestions.
Copyright © 2012 SAE International
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the prior written permission of SAE.
TO PLACE A DOCUMENT ORDER: Tel: 877-606-7323 (inside USA and Canada) SAE values your input. To provide feedback
Tel: +1 724-776-4970 (outside USA) on this Technical Report, please visit
Fax: 724-776-0790 http://www.sae.org/technical/standards/ARP94910
Provided by IHS Email: CustomerService@sae.org Licensee=Bogazici University/5964815002, User=albert, sam
SAEorWEB
No reproduction ADDRESS:
networking permitted without license from IHS http://www.sae.org Not for Resale, 11/04/2014 05:37:25 MST
SAE ARP94910 Page 2 of 113
2.3.6 Document Definitions .................................................................................................................................. 21

2.3.7 Definitions of Terminology for Precision Ship Board Landing .................................................................... 21
2.3.8 Safety and Operability Terminology Definitions .......................................................................................... 22
2.3.9 Definitions of Modal and Other Auxiliaries .................................................................................................. 22
3. RECOMMENDATIONS ............................................................................................................................... 23
3.1 General System Recommendations ........................................................................................................... 23
3.1.1 Safety and Operability Considerations ....................................................................................................... 23
3.1.2 Reliability Considerations ............................................................................................................................ 28
3.1.3 Redundancy Considerations ....................................................................................................................... 29
3.1.4 Maintainability Considerations .................................................................................................................... 31
3.1.5 Survivability Requirements ......................................................................................................................... 32
3.1.6 Electromagnetic Interference (EMI) Limits.................................................................................................. 35
3.2 System Performance Recommended Requirements ................................................................................. 35
3.2.1 General VMS Flight Control Performance Recommendations ................................................................... 35
3.2.2 Primary Flight Control Recommended Requirements ................................................................................ 42
3.2.3 Secondary Flight Controls ........................................................................................................................... 43
3.2.4 Ground Control Modes ................................................................................................................................ 44
3.2.5 Manual, Assisted and Autonomous Control Mode Performance Recommended Requirements .............. 46
3.3 System Testability Recommendations ........................................................................................................ 60
3.3.1 System Test and Monitoring Provisions ..................................................................................................... 60
3.3.2 Built-In-Test Equipment .............................................................................................................................. 60
3.3.3 Maintenance BIT ......................................................................................................................................... 61
3.3.4 Preflight or Pre-engage BIT ........................................................................................................................ 61
3.3.5 Preflight BIT Status Annunciation Support for CS ...................................................................................... 61
3.3.6 Portable Test Equipment ............................................................................................................................ 61
3.3.7 Ground Power Requirements for System Test ........................................................................................... 61
3.3.8 Protection Against Dormant Failures .......................................................................................................... 61
3.4 System Design Recommended Requirements ........................................................................................... 62
3.4.1 System General Design Recommended Requirements ............................................................................. 62
3.4.2 Mechanical VMS Design ............................................................................................................................. 62
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.4.3 Fixed Wing V/STOL Aircraft Requirements ................................................................................................ 63

3.4.4 Rotorcraft Requirements ............................................................................................................................. 63
3.4.5 Electrical VMS Design ................................................................................................................................ 64
3.4.6 Computational Methods and Software ........................................................................................................ 66
3.5 Subsystem Design Recommendations ....................................................................................................... 69
3.5.1 Subsystem General Design Recommended Requirements ....................................................................... 69
3.5.2 Electrical Power Subsystems...................................................................................................................... 69
3.5.3 Hydraulic Power Subsystems ..................................................................................................................... 70
3.5.4 Pneumatic Power Subsystems ................................................................................................................... 70
3.5.5 Actuation Subsystems ................................................................................................................................ 70
3.5.6 Display and Annunciation ........................................................................................................................... 84
3.5.7 Sensors ....................................................................................................................................................... 84
3.6 Component Design and Fabrication Recommendations ............................................................................ 85
3.6.1 General Component Recommended Requirements .................................................................................. 85
3.6.2 Mechanical Components ............................................................................................................................ 86
3.6.3 Electrical and Electronic Components ........................................................................................................ 87
3.6.4 Assembly Design ........................................................................................................................................ 90
3.6.5 Component Installation ............................................................................................................................... 92
3.6.6 Component Fabrication............................................................................................................................... 93
4. VERIFICATION AND VALIDATION ............................................................................................................ 94

4.1 General Recommendations ........................................................................................................................ 94
4.1.1 Methods for Demonstration of Compliance ................................................................................................ 94
4.2 Analysis Recommendations........................................................................................................................ 95

4.2.1 Simulations .................................................................................................................................................. 96
4.2.2 Reliability and Failure Mode, Effects and Criticality Analysis ..................................................................... 96
4.2.3 Vulnerability Analysis .................................................................................................................................. 96
Provided by IHS Licensee=Bogazici University/5964815002, User=albert, sam

No reproduction or networking permitted without license from IHS Not for Resale, 11/04/2014 05:37:25 MST
4.2.4 Maintainability Analysis ............................................................................................................................... 96

4.2.5 System Safety Analysis............................................................................................................................... 96
4.2.6 Operation in Turbulence Analysis ............................................................................................................... 97
4.2.7 Stability Analysis ......................................................................................................................................... 97
4.2.8 Nuclear Survivability Analysis ..................................................................................................................... 97
4.3 Software and Firmware Verification ............................................................................................................ 97
4.4 Test Recommendations .............................................................................................................................. 98
4.4.1 General Test Recommended Requirements .............................................................................................. 98
4.4.2 Laboratory Tests ......................................................................................................................................... 99
4.4.3 Aircraft Ground Tests ................................................................................................................................ 100
4.4.4 Aircraft Flight Tests ................................................................................................................................... 101
4.5 Qualification (Preproduction) Tests .......................................................................................................... 101
4.5.1 Reliability Development Tests................................................................................................................... 101
4.5.2 Maintainability Demonstration ................................................................................................................... 101
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
4.5.3 Human Factors Engineering Verification Tests ........................................................................................ 101
4.5.4 Production/Acceptance Testing ................................................................................................................ 102
4.6 Documentation .......................................................................................................................................... 102
4.6.1 VMS Development Plan ............................................................................................................................ 102
4.6.2 VMS Specification ..................................................................................................................................... 103
4.6.3 Design and Test Data Recommendations ................................................................................................ 103
4.6.4 Software Documentation........................................................................................................................... 105
5. NOTES ...................................................................................................................................................... 105
APPENDIX A RECOMMENDATION APPLICABILITY BY VMS TYPE........................................................................... 106
FIGURE 1 UA SYSTEM FUNCTIONAL ARCHITECTURE .......................................................................................... 18

FIGURE 2 TYPICAL SYSTEMS INTERFACES WITH VMS FLIGHT CONTROLS ..................................................... 19
FIGURE 3 SELECTION OF BASELINE VMS TYPE .................................................................................................... 27
TABLE 1 UNMANNED AIRCRAFT CATEGORIES ................................................................................................... 13

TABLE 2 VMS QUANTITATIVE FLIGHT SAFETY REQUIREMENTS ...................................................................... 24
TABLE 3 VMS TYPES ................................................................................................................................................ 26
TABLE 4 UA OPERATING AREA .............................................................................................................................. 27
TABLE 5 SUGGESTED VMS TYPE BASED UPON UA CATEGORY AND OPERATING AREA ............................ 27
TABLE 6 REDUNDANCY EXAMPLES ...................................................................................................................... 30
TABLE 7 GAIN AND PHASE MARGIN REQUIREMENTS ........................................................................................ 37
TABLE 8 TURBULENCE INTENSITY EXCEEDANCE PROBABILITY ..................................................................... 39
TABLE 9 ROOT-MEAN-SQUARE GUST INTENSITIES FOR SELECTED CUMULATIVE EXCEEDANCE
PROBABILITIES (FEET PER SECOND TRUE AIRSPEED) ..................................................................... 40
TABLE 10 FAILURE TRANSIENT CASES .................................................................................................................. 42

1. SCOPE
This document establishes recommended practices for the specification of general performance, design, test,
development, and quality assurance requirements for the flight control related functions of the Vehicle Management
Systems (VMS) of military Unmanned Aircraft (UA), the airborne element of Unmanned Aircraft Systems (UAS), as
defined by ASTM F 2395-07. The document is written for military unmanned aircraft intended for use primarily in military
operational areas. The document also provides a foundation for considerations applicable to safe flight in all classes of
airspace.
1.1 Vehicle Management Systems
UA VMS include all components and functions used to sense vehicle position, velocity, speed, inertial attitudes, rates and
accelerations, heading and altitude, to generate flight path commands and to control aircraft force and moment producers
to satisfy these commands. Guidance and navigation elements and functions of the VMS normally control aircraft altitude,
airspeed, heading, attitude, aerodynamic or geometric configuration, and structural modes, including commands received
from a remote operator.
1.2 Document Coverage
The document recommends requirements for the general performance, design, test, development and quality assurance
measures for the flight control of remotely controlled, augmented and autonomous UA. At the system performance level
the document employs a functional emphasis. It recommends a practice for specifying the levels of flight control
capability, particularly fault accommodation after failures, required for UA of differing size, function and operational
strategy. It defines the boundaries of UA flight control to include hardware and functionality not typically considered core
flight control elements in a manned aircraft, such as navigation sensors and flight path and engine power command
generation. It also guides the specification of the flight control Interfaces with all other systems and subsystems of the
vehicle.
At the subsystem and component levels the document addresses those aspects of hardware design that impact system
performance. Among components included are the inertial sensors, global positioning sensors, air data sensors, test
devices, actuators, electrical power sources, hydraulic power sources, and signal transmission lines within the vehicle
and dedicated to flight control.
1.3 Document Exclusions
Because of the wide range of UA size and capability UA VMS hardware design architectures differ widely. At the system
level the document avoids any hardware emphasis and does not recommend particular hardware design approaches.
The document provides guidance for the specification of elements of the UA vehicle only and not the other elements of
the UAS such as the Control Station (CS). For example, it addresses the integration with the up-link and down-link of the
command loop but not the specification of these links. Also excluded are aerodynamic surfaces, engines and engine
control systems, rotorcraft rotors and fire control devices. The requirements for UAS operation in non-segregated
airspace include factors such as See and Avoid and other functions, beyond those considered for manned military
aircraft. These requirements are still evolving and are beyond the scope of this document.
1.4 Related Document
This Aerospace Recommended Practice (ARP) is closely related to the Aerospace Standard AS94900, for the flight
control systems of manned aircraft and follows a similar format.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

1.5 Best Practices and Procuring Activity Approval
This ARP is intended as a guide to standard practice and is subject to change to keep pace with experience and technical
advances. Most of the technical concepts and approaches covered by the document represent industry "best practice".
They are based on sound and proven engineering practices and have demonstrated successful production experience.
Others require specific approval from the procuring activity before use. This recommendation for approval is not intended
to inhibit their use; but rather to ensure that the prime contractor has fully investigated their capability to perform reliably
and to be sufficiently durable under the required conditions and that the prime contractor can present substantiating
evidence for approval before the design is committed to.
2. REFERENCES
2.1 Applicable Documents
The following publications form a part of this document to the extent specified herein. The latest issue of SAE publications
shall apply. The applicable issue of other publications shall be the issue in effect on the date of the purchase order. In the
event of conflict between the text of this document and references cited herein, the text of this document takes
precedence. Nothing in this document, however, supersedes applicable laws and regulations unless a specific exemption
has been obtained.
2.1.1 SAE Publications
Available from SAE International, 400 Commonwealth Drive, Warrendale, PA 15096-0001, Tel: 877-606-7323 (inside
USA and Canada) or 724-776-4970 (outside USA), www.sae.org.
ARP490 Electrohydraulic Servovalves
ARP988 Electrohydraulic Mechanical Feedback Servoactuators
AIR1083 Airborne Hydraulic and Control System Survivability for Military Aircraft
ARP1281 Actuators: Aircraft Flight Controls, Power Operated, Hydraulic, General Specification For
ARP4058 Actuators: Mechanical, Geared Rotary, General Specification For
ARP4386 Terminology and Definitions for Aerospace Fluid Power, Actuation and Control Technologies
ARP4493 Aerospace - Direct Drive Servovalves
ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and
Equipment
AS5440 Hydraulic Systems, Military Aircraft, Design and Installation, Requirements For
AS7997 Motor, Aircraft Hydraulic, Constant Displacement, General Specification For
AS8775 Hydraulic System Components, Aircraft and Missiles, General Specification For
AS15002 Fitting, Lubrication, Hydraulic, Surface Check, Straight Threads, Steel, Type II
AS35411 Fittings, Lubrication
AS50881 Wiring Aerospace Vehicle
AS94900 Aerospace - Flight Control Systems - Design, Installation and Test of Piloted Military Aircraft, General
Specification For
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

2.1.2 ASME Publications
Available from American Society of Mechanical Engineers, 22 Law Drive, P.O. Box 2900, Fairfield, NJ 07007-2900, Tel:
973-882-1170, www.asme.org.
2.1.3 ASTM Publications
Available from ASTM International, 100 Barr Harbor Drive, P.O. Box C700, West Conshohocken, PA 19428-2959, Tel:
610-832-9585, www.astm.org.
ASTM F 2395 - 07 Standard Terminology for Unmanned Aircraft Systems
ASTM F 2501- 06 Standard Practices for Unmanned Aircraft System Airworthiness
2.1.4 FAA Publications
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
Available from Federal Aviation Administration, 800 Independence Avenue, SW, Washington, DC 20591, Tel: 866-835-
5322, www.faa.gov.
Advisory Circular 120-29 Criteria for Approving Category I and Category II Weather Minima for Approach
2.1.5 IEEE Publications
Available from Institute of Electrical and Electronics Engineers, 445 Hoes Lane, Piscataway, NJ 08854-1331, Tel: 732-
981-0060, www.ieee.org or http://www.ieee.org/web/publications/home/index.html.
IEEE 1394.3-2003 IEEE Standard for a High Performance Serial Bus Peer-to-Peer Data Transport Protocol (PPDT)
2.1.6 ISO Publications
Available from American National Standards Institute, 25 West 43rd Street, New York, NY 10036-8002, Tel: 212-642-
4900, www.ansi.org or http://webstore.ansi.org/ansidocstore/.
ISO/IEC 12207 Systems and software engineering - Software life cycle processes
ISO 22072 Aerospace - Electrohydrostatic actuator (EHA) - Characteristics to be defined in procurement

specifications
2.1.7 ICAO Publications
Available from the International Civil Aviation Organization, Document Sales Unit, 999 University Street, Montreal,
Quebec H3C 5H7 Canada, Tel: +1-514-954-8022, http://icaodsu.openface.ca/mainpage.ch2.
Annex 11 to the Convention on International Civil Aviation, ‘Air Traffic Services’
2.1.8 NAS Publications
Available from Aerospace Industries Association, 1000 Wilson Boulevard, Suite 1700, Arlington, VA 22209-3928, Tel:
703-358-1000, www.aia-aerospace.org.
NAS 516 Fitting, Lubrication - 1/8 Inch Drive, Flush Type
NASM15981 Fasteners, Externally Threaded, Self-Locking Design And Usage Limitations For
NASM24665 Pin, Cotter (Split)

NASM33540 Safety Wiring And Cotter Pinning
NASM33588 Nut, Self-Locking, Aircraft, Reliability and Maintainability Usage Requirements For
NASM33602 Bolts, Self-Retaining, Aircraft Reliability and Maintainability, Design and Usage Requirement for
2.1.9 RTCA Publications
Available from RTCA, Inc., 1150 18th Street, NW, Suite 910, Washington, DC 20036, Tel: 202-833-9339, www.rtca.org.
DO-178 Software Considerations in Airborne Syatems and Equipment Certification
DO-254 Design Assurance Guidance for Airborne Electronic Hardware
DO-304 Guidance Material & Considerations for Unmanned Aircraft Systems
2.1.10 U.S. Government Publications
Available from the Document Automation and Production Service (DAPS), Building 4/D, 700 Robbins Avenue,
Philadelphia, PA 19111-5094, Tel: 215-697-6257, https://assist.daps.dla.mil/quicksearch/.
Specifications
MIL-A-8860 Airplane Strength and Rigidity, General Specification
MIL-A-8861 Airplane Strength and Rigidity, Flight Loads
MIL-A-8865 Airplane Strength and Rigidity, Miscellaneous Loads
MIL-A-8867 Airplane Strength and Rigidity, Ground Tests
MIL-A-8870 Airplane Strength and Rigidity, Divergence, and Other Aeroelastic Instabilities
MIL-A-87229 Auxiliary Power Systems, Airborne
MIL-C-18244 Control and Stabilization Systems: Automatic, Piloted Aircraft, General Specification for
MIL-DTL-781 Terminal, Wire Rope Swaging, General Specification for
MIL-DTL-6193 Joints, Universal, Plain, Light and Heavy Duty, General Specification for
MIL-I-8500 Interchangeability and Replacementability of Component Parts
MIL-PRF-5503 Actuators: Aeronautical Linear Utility, Hydraulic, General Specification for
MIL-PRF-7958 Push-Pull Controls, Flexible and Rigid

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
MIL-S-8512 Support Equipment, Aeronautical, Special, General Specification for the Design of

Standards
MIL-STD-130 Identification Marking of US Military Property
MIL-STD-202 Test Method Standard, Electronic and Electrical Component Parts
MIL-STD-461 Electromagnetic Interference Characteristics
MIL-STD-464 Electromagnetic Environmental Effects Requirements for Systems
MIL-STD-704 Aircraft Electric Power Characteristics
MIL-STD-810 Environmental Engineering Considerations and Laboratory Tests
MIL-STD-882 Standard Practice for System Safety
MIL-STD-1472 Human Engineering Design Criteria for Military Systems, Equipment and Facilities
MIL-STD-1553 Digital Time Division Command/Response Multiplex Data Bus
MIL-STD-1773 Fiber Optics Mechanization of an Aircraft Internal Time Division Command/Response Multiplex Data
Bus
MIL-STD-1797 Flying Qualities of Piloted Aircraft
MIL-STD-7080 Selection and Installation of Aircraft Electric Equipment
Military Handbooks
MIL-HDBK-336 Survivability, Aircraft, Nonnuclear
MIL-HDBK-454 General Guidelines for Electronic Equipment
MIL-HDBK-470 Designing and Developing Maintainable Products and Systems, Volume I and Volume II
MIL-HDBK-516 Airworthiness Certification Criteria
MIL-HDBK-781 Reliability Test Methods, Plans and Environments for Engineering Development, Qualification and
Production
MIL-HDBK-838 Lubrication of Military Equipment
Publications of the Office of the Secretary of Defense (OSD)
FY 2009 - 2034 Unmanned Systems Integrated Roadmap
FY 2011-2036 Unmanned Systems Integrated Roadmap

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

2.1.10.1 Inactive Specifications and Standards
The requirements of these specifications apply to re-procurements of in-service equipment or of legacy systems,
subsystems or components being used in new systems or later model aircraft.
MIL-E-5400 Electronic Equipment, Airborne, General Specification for
MIL-M-7969 Motor, AC, 400 Cycle 115/200 Volt System, Aircraft, General Specification for
MIL-M-8609 Motor, DC, 28 Volt System, Aircraft, General Specification for
MIL-H-8890 Hydraulic Components, Type III (-65 Deg to Plus 450 Deg F) General Specification for (ASG)
MIL-H-8891 Hydraulic Systems, Manned Flight Vehicles, Type III Design, Installation and Data Requirements For,
General Specification For
MIL-M-38510 Microcircuits, General Specification For
2.1.10.2 Military Guide Specifications
Available from ASC/ENSI, Building 560, 2530 Loop Rd West, Wright-Patterson AFB OH 45433-7101, Tel: 937-255-6296.
JSSG-2001 DOD Joint Service Specification Guide, Air Vehicle
JSSG-2006 Aircraft Structures
JSSG-2008 DOD Joint Service Specification Guide, Vehicle Control and Management System
AFSC DH 1-2 General Design Factors
AFSC DH 1-4 Electromagnetic Compatibility
AFSC DH 1-5 Environmental Engineering
AFSC DH 1-6 System Safety
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
AFSC DH 2-1 Airframe
2.1.10.3 Rotorcraft Design Standards
Available from U.S. Army Aeroflightdynamics Directorate (AFDD) Mail Stop 243-11, Moffet Field, CA 94035.
ADS-33E-PRF Aeronautical Design Standard Performance Specification Handling Qualities Requirements for Military
Rotorcraft
2.1.10.4 Related U.S. Government Publications
The following related document is listed for informational purposes only.
MIL-HDBK-2069 Aircraft Survivability

2.2 Abbreviations, Acronyms, Symbols and Their Definitions
A/D Analog-to-Digital
AC Alternating Current
ADS-B Automatic Dependent Surveillance - Broadcast
AEI All-Engines Inoperative
AFDD Army Aeroflight Dynamics Directorate
AGL Above Ground Level
ALS Automatic Landing System
ANSI American National Science Institute
AOA Angle of Attack
ARINC Aeronautical Radio Inc
ARP Aerospace Recommended Practice
ASA American Standards Association
ASG Aerospace, Specification, General
ATF Auto Throttle Function
BIT Built-In-Test
c Fault Coverage Factor
CBIT Continuous Built-In-Test
COTS Commercial Off-The-Shelf
CPCI Computer Program Configuration Item
CS Control Station
CSCI Computer Software Configuration Item
CV/CVN Aircraft Carrier/Aircraft Carrier Nuclear Propulsion
DAPS Document Automation and Production Service
DC Direct Current or District of Columbia
DDV Direct Drive Valve
DGPS Differential Global Positioning System
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
DLC Direct Lift Control

DMC Deck Motion Compensation
DSP Digital Signal Processor
DTED Digital Terrain Elevation Data
EEPROM Electronically Erasable Programmable Read Only Memory
EGI Embedded GPS/INS Unit
EHA Electrohydrostatic Actuators
EHSV Electrohydraulic Servovalves
ELT Emergency Locator Transmitter
EMA Electromechanical Actuator
EMI Electromagnetic Interference
EMP Electromagnetic Pulse
EO/IR Electro-Optical/Infra-Red
ESS Environmental Stress Screening
FAA Federal Aviation Administration
FAR Federal Agency Regulation
FBW Fly-By-Wire
FCT Fracture Critical Traceable
fM Open Loop Crossover Frequency
FMEA Failure Modes and Effects Analysis
FMECA Failure Mode Effects and Criticality Analysis
FPGA Field Programmable Gate Array
FTA Fault Tree Analysis
FTE Flight Technical Error
FY Fiscal Year
GCAS Automatic Ground Collision Avoidance System
GM Gain Margin
GPS Global Positioning System
GPWS Ground Proximity Warning System

h/hc Ratio of Altitude to Altitude Command

Hc/Ze Ratio Altitude Command to Altitude Error
H-DOT Vertical Rate
HSTA Horizontal Stabilizer Trim Actuator
IAP Integrated Actuation Package
IBIT Initiated Built-in Test
ICAO International Civil Aviation Organization
ICD Interface Control Document
IEC International Electrotechnical Commission
IEEE Institute of Electrical and Electronic Engineers
IFF Identification, Friend or Foe
IFPC Integrated Flight and Propulsion Control
ILS Instrument Landing System
IMU Inertial Measurement Unit
INS Inertial Navigation System
IR Infra-Red
ISO International Organization for Standardization
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
JPALS Joint Precision Approach and Landing System

JSSG Joint Service Specification Guide
JUAS COE Joint Unmanned Aircraft System Center of Excellence
KCAS Knots Calibrated Airspeed
KIAS Knots Indicated Airspeed
LAL Lateral Alert Limit
LOA Levels of Autonomy
LOC Loss of Command and Control Data, identifying an event or a VMS state
LRU Line Replaceable Unit
LSO Landing Signal Officer
LVDT Linear Variable Differential Transformer
MBIT Maintenance Built-In-Test
MMS Mission Management System
MSL Mean Sea Level
MTBF Mean Time Between Failure
MTTR Mean Time To Repair
N/A Not Applicable
NA Not Available
NAVAIDS Navigational Aids
NDT Non-Destructive Testing
nm Nautical Mile
NSE Navigation System Error
NWS Nose Wheel Steering
OEI One-Engine Inoperative
OFP Operational Flight Program
OSD Office of the Secretary of Defense
PBIT Periodic Built-In-Test
PBW Power-By-Wire
PCS Propulsion Control System
PDE Power Drive Electronics
PIO Pilot Induced Oscillation
PLOA Probability of Loss Of Aircraft
PLOC Probability of Loss of Control
PM Phase Margin
POST Power-On Self-Test
PROM Programmable Read-Only Memory
QM(VMS) Mission Failure Rate due to VMS Failures (per flight hour)
QS(VMS) Quantitative Flight Safety, Loss of Control Rate, due to VMS Failures (per flight hour)
R Reliability of a Component
RA Resolution Advisory
Rs Reliability of a Subsystem

RBD Reliability Block Diagram

ROM Read Only Memory
RTCA Radio Technical Commission for Aeronautics
RVDT Rotary Variable Differential Transformer
RVSM Reduced Vertical Separation Minimum
SAA Sense and Avoid
SAP Safety Assessment Plan
SAS Stability Augmentation System
SDP Software Development Plan
SMS Ship Motion Sensor
SOF Safety-of-Flight
SRA Shop Replaceable Assembly
STOL Short Take-Off and Landing
TA Traffic Advisory
TACAN Tactical Air Navigation
TCAS Traffic Collision Avoidance System
TOW Take-Off Weight
TSE Total System Error
UA Unmanned Aircraft
UAS Unmanned Aircraft System
UCS Utility Control System
V/STOL Vertical and/or Short Take-off and Landing
VAL Vertical Alert Limit
VG Turbulence Penetration Airspeed
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
VHF Very High Frequency

VL Maximum Limit Speed
VMC Vehicle Management Computer
VMS Vehicle Management System
VoMAX Maximum Operational Airspeed
VoMIN Minimum Operational Airspeed
VOR VHF Omni-directional Range
VSTOL Vertical and Short Takeoff and Landing
VTOL Vertical Takeoff and Landing
WAAS Wide Area Augmentation System
WOW Weight-On-Wheels
WRA Weapon Replaceable Assembly
2.3 Definitions
2.3.1 UA Design and Operational Categorization Schemes
2.3.1.1 Types of VMS, Categories of UA and UA Operating Area
VMS TYPE: The performance capability of a UA VMS, related to its behavior following VMS failures of differing
probability. The level of this capability will be specified by the procuring activity and identified as VMS Types T0 through
T4. The minimum acceptable behavior for each of these Types is specified in 3.1.1.4.1, in terms of their Operational
State, defined in 2.3.3, following failure. A method for the determination of the Type applicable to each UA procurement is
also suggested in 3.1.1.4.2.
UA CATEGORY: The UA Category is typically defined by its weight and performance capability and assigned by the
procuring activity. VMS Types are mapped to the appropriate UA Category in 3.1.1.4.2. At the time of writing, competing
categorizing schemes exist and no single standard has been generally adopted. For the purpose of this document the
schemes of Table 1, as defined by the Joint Unmanned Aircraft System Center of Excellence (JUAS COE) and recorded
in Figure A.4. of the OSD FY 2009-2034 Unmanned Systems Integrated Roadmap and, in more graphic form, in Figure 1
of the Unmanned Systems Integrated Roadmap FY2011-2036, has been assumed.
NOTE: The Roadmap figures define categories for complete Unmanned Aircraft Systems, though distinguished by the
characteristics of the UA, the airborne element of the UAS. This ARP applies the same Category names to the
UA element alone.

TABLE 1 - UNMANNED AIRCRAFT CATEGORIES
UA Attributes
UAS Maximum Gross Takeoff Normal Operating Speed
Category Weight (lb) Altitude (ft) (KIAS) Current/Future Representative UAS
WASP III, TACMAV RQ-14A/B, BUSTER,
BATCAM,
Group 1 0 - 20 < 1 200 AGL 100 knots
RQ-11B/C (Raven), FPASS, RQ-16A, Pointer,
Aqua/Terra Puma
Vehicle Craft Unmanned Aircraft System,
Group 2 21 - 55 < 3 500 AGL
ScanEagle, Silver Fox, Aerosonde
< 250 knots
RQ-7B (Shadow), RQ-15, RQ-21A, XPV-1,
Group 3 55 - 1320
< 18 000 MSL XPV-2
Group 4 MQ-5B, MQ-8B*, MQ-1A/B/C, A-160*
Any
> 1320 MQ-9A, RQ-4, RQ-4N, MQ-4C, Global
Group 5 > 18 000 MSL Airspeed
Observer, X-47B
Footnotes:
1. 1 lb = 0.453 kg
2. 1 ft = 0.304 9 m
3. 1 knot = 1 852 km/h
NOTE: The two UA identified in this DoD chart with an asterisk (*) are rotary wing aircraft. All others listed in-service
vehicles are fixed-wing aircraft.
Operating altitude measured Above Ground Level (AGL) or above Mean Sea Level (MSL)
UA OPERATING AREA: The area in which the UA is designed to operate. The UA Operating Area is related to its
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
potential for injury or death to non-combatant personnel, damage to property or environment and is a primary
consideration affecting the choice of VMS Type. Operating Area levels A1 through A4 are defined in 3.1.1.4.2.
AIRSPACE: The portion of the atmosphere controlled by a country above its territory, including its territorial waters. More
generally, any specific three-dimensional portion of the atmosphere. For the purposes of this document the terms non-
segregated and segregated airspace refer to airspace in which simultaneous operation of UA and manned aircraft is
allowed or prohibited, respectively.
CLASSES OF AIRSPACE: The ICAO subdivisions of airspace into seven classes from Class A through Class G, see
Annex 11, “Air Traffic Services”, to the Convention on International Civil Aviation. Generally, increasing degrees of ATC
control are required with increasing alphabet position. Mostly adopted world-wide though many countries use only a
subset and apply some modifications.
RESTRICTED AREA: An area into which entry is prohibited without special clearance. Typically used for military sensitive
zones such as test firing ranges.
WARNING AREA: An area similar to a Restricted area, requiring special clearance for entry, but over international waters.
EXCLUSION ZONE: A predefined geographical area or demarcation that the UAS should never penetrate or cross
regardless of any on-board or GCS generated commands. To the best of its abilities, the UAS should also attempt to
steer clear of exclusion zones while in degraded Operational States.

2.3.1.2 Flight Phase Categories
For the purpose of this document, the flight profile of the aircraft is separated into categories A, B, and C as follows. When
no flight phase is stated in a recommended requirement, that requirement is recommended for all three Phase
Categories.
Category A: Non-terminal Flight Phases that require rapid maneuvering, precision tracking, or precise flight-path control.
Category B: Non-terminal Flight Phases that are normally accomplished using gradual maneuvers without precise
tracking, although accurate flight-path control may be required.
Category C: Terminal Flight Phases that are normally accomplished using gradual maneuvers and usually require
accurate flight-path control. This may include ground handling as required, for example precision taxi on a
ship flight deck.
2.3.1.3 Modes of Operation, Human Operator and Flight Characteristics
MANUAL: Those modes of operation wherein the operator provides, in at least one phase of flight, direct and continuous
control of the UA, acting as an element of the UA control inner loop by directly manipulating control force effectors and
engine power setting and employing visual cues, video feedback or other sensory feedback, in combination or
individually. The onboard UA control system may still be augmenting stability but the trajectory of the vehicle is completely
dependent upon continuous control inputs from the operator.
ASSISTED: Those modes of operation wherein the operator periodically adjusts UA outer loop controlled states such as
airspeed, altitude, heading, climb/descent rate, etc., and determines or adjusts the waypoints the vehicle should fly to. In
the absence of new inputs, the UA control system maintains the last controlled states.
AUTONOMOUS: Those modes of operation wherein the UA executes a pre-planned mission and the operator plays no
part in the UA control outer loop but may provide decision-making, supervisory or initiation and termination inputs. In this
mode of operation, the UA may also generate waypoints independently of the mission plan or otherwise alter trajectory
autonomously based on decisions made aboard the vehicle.
NOTE: At the time of writing, competing schemes exist defining Levels of Autonomy (LOA) and no single standard has
been generally adopted. The higher levels of mission autonomy, when defined and employed are not expected to
require levels of VMS capability beyond those presently defined by this recommended practice.
OPERATOR: The human being responsible for controlling, directing or supervising the operation of the UA from a remote
CS. The operator is responsible for the safe, orderly flight of one or more UA, as related to this physical control capability.
The operator is often trained and identified by a government agency as a pilot. In the civil field the term is often used for
the organization responsible for the UA but it is never used in this manner in this document. The term Operator is
analogous to the term Pilot in Command, for a manned aircraft.
UA FLIGHT CHARACTERISTICS: Those flying characteristics necessary for a vehicle in Autonomous or Assisted modes
of operation to complete its required mission tasks safely. Flight characteristics requirements would be defined by the
procuring activity and derived from the vehicle:
Category, see 2.3.1.1
Operational mission requirements
Flight envelope and intended airspace operating environment
Relevant performance requirements of this document
Relevant sections of JSSG-2001 and MIL-STD-1797 for fixed wing aircraft or ADS-33E-PRF for rotorcraft
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

The applicable atmospheric disturbances defined in JSSG-2001, MIL-STD-1797 and ADS-33
Three levels of UA flight characteristics are defined. The levels are as follows:
Level l: Flight characteristics clearly adequate for the mission flight phase.
Level 2: Flight characteristics adequate to accomplish the mission flight phase, but some degradation in mission
effectiveness exists.
Level 3: Flight characteristics such that the aircraft can be controlled safely, but mission effectiveness is inadequate.
Category A flight phases can be terminated safely, and Category B and C flight phases can be completed.
2.3.1.3.1 Out-of-Scope Flight Characteristics
UAS HANDLING CHARACTERISTICS: Defined, for the purposes of this document, to be those flight characteristics
necessary for the mission effectiveness of a UAS configuration by an operator located at a CS. The inputs may be
augmented, for stability or control enhancement, and they can directly alter the vehicle flight path in real time or near-real
time. These requirements would also be specified by the procuring activity and derived by the “tailoring” of the
requirements of JSSG-2001, MIL-STD-1797 and ADS-33.
NOTE: The ability of the UAS to perform its mission, including the UA stability required for acceptable payload sensor
performance, is determined by the complex interaction of the UA flight characteristics, the CS software, hardware
and flight displays and the communication time delays and latencies. UAS Handling characteristics are beyond
the scope of this document.
2.3.1.4 Flight Envelopes
For the purpose of this specification, the flight envelopes are defined as follows:
Operational Flight Envelopes: The Operational Flight Envelopes define the boundaries in terms of speed, altitude, and
normal acceleration within which the aircraft must be capable of operating in order to
accomplish the required missions. Envelopes for each applicable Flight Phase are
defined by the prime contractor in the UAS Detail Specification.
Service Flight Envelopes: For each Aircraft Normal State, the prime contractor defines, in the Aircraft Detail
Specification, Service Flight Envelopes showing the combinations of speed, altitude, and
normal acceleration derived from aircraft limits, as distinguished from the mission
requirements. For each applicable Flight Phase and Aircraft Normal State, the
boundaries of the Service Flight Envelopes can be coincident with or lie outside the
corresponding Operational Flight Envelopes, but in no case do they fall inside those
Operational Boundaries.
Permissible Flight Envelope: The prime contractor defines Permissible Flight Envelopes, which encompass all regions
in which operation of the aircraft is both allowed and possible. These envelopes define
boundaries in terms of speed, altitude, and normal acceleration. From all points in the
permissible flight envelope, it should be possible to return to the service flight envelope
without exceptional control system capability.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

2.3.1.5 UA Control Systems and Functions
The functional architecture for the control systems of the typical UA assumed for the purposes of this document is shown
in Tabular form in Figure 1. The hierarchical form of this structure is explained through the following definitions:
a. MISSION MANAGEMENT SYSTEM (MMS): The top level system that controls the mission related subsystems such
as; data link communication, mission payload control, weapon control, Sense and Avoid systems, and the mission
task manager, to provide waypoint sequencing or generation per the specified level of autonomy. The MMS may
reside in separate computer hardware or may be a software partition within the VMS.
1. Functionally the MMS accepts guidance and navigation information from the VMS and provides commands to the
lower level control systems defined in this section.
2. The interface with the VMS will require comprehensive MMS failure detection and isolation to ensure flight safety,
particularly if the MMS is not as redundant as the VMC or if the MMS is using non-redundant sensor inputs for
decision making.
3. The MMS requirements will be defined by the procuring activity based on the UA Group, size, missions, payload,
and intended airspace.
4. There may not be a clear distinction between MMS and VMS functionality, particularly in failure conditions where
the VMS may assume waypoint and path generation responsibility to steer the vehicle away from population
centers or exclusion zones.
b. VEHICLE MANAGEMENT SYSTEM (VMS): An integrated combination of functions many of which are critical to
safety of flight and which permit an air vehicle to be controlled in a manner that allows its specified missions to be
accomplished satisfactorily. For the purposes of this document, the functions included are limited to primary and
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
secondary flight control, though, because of the nature of UA control, these are defined to include the historically
separate Guidance and Navigation functions and may include waypath generation and tracking, control of an
electrical Environmental Control System (ECS) and hydraulic subsystem management functions required for safe
flight operations.
The VMS capability may vary significantly to address unique requirements based on the specific vehicle categories,
missions, intended Operating Areas and the overall weapon system specification of the procuring activity. Potential
VMS Functional Architectures encompass all of the UA Categories listed in Table 1. Required VMS functions may
range from a simple control law hosted in non-redundant hardware for a Group 1 Category 20 lb UA with a T0 VMS,
to a complex redundant VMS for an Group 5 Category 15 000+ lb (679+ kg) vehicle with a T4 VMS which may be
similar to, or exceed, the complexity of a VMS designed for a high performance manned aircraft.
The VMS design will not be a function of UA Category only; the intended operational use, Operating Area and
economics may dictate a higher or lower level of VMS capability. For example, a Group 1 or 2 Category UA intended
to provide surveillance capability over densely populated areas will require more fault tolerance and hence
redundancy than a T0 VMS will provide, whereas a large UA intended to provide meteorological data over remote
oceanic areas, and based away from populated areas and non-segregated airspace may not require the capability of
a T4 VMS.
The VMS may implement flight control and actuator control with either “centralized” or “distributed” architectures.
Some current Tactical UA employ a centralized, simplex, Commercial Off-The-Shelf (COTS), autopilot system
including conventional autopilot functions, Autonomous modes of operation, and Global Positioning System/Inertial
Navigation System (GPS/INS) with aided Attitude and Heading Reference System backup for graceful degradation in
GPS denied environments.

1. The functional rather than implementation emphasis of this recommended practice is illustrated by the generic
functional architecture for the onboard control subsystems of a UA shown in Figure 1. The VMS functions listed in
this figure are typical of those required for a T4 VMS. Less capable VMS Types would employ only the functions
needed to meet the requirements for the specific UA Category and Operating Area. The VMS commands result in
control of aircraft altitude, airspeed, flight path, attitude, aerodynamic or geometric configuration, and take into
consideration structural modes. The VMS includes all components used to translate trajectory commands from
the MMS or other sources to appropriate flight control force and moment producers. These include the data bus
to the MMS, the logic switching, system inertial, GPS and air data sensors, signal computation, test devices,
mechanical transmission devices, actuators, power sources, and signal transmission lines dedicated to flight
control.
2. The VMS interfaces with the MMS, which controls mission related subsystems and waypoint sequencing, but the
VMS may assume some control of MMS functions in the event of a MMS failure. Such functions may include flight
termination or enforcement of pre-defined exclusion zones.
3. The VMS includes redundancy management, analytical redundancy, mode switching and control system
reconfiguration following failures.
4. The VMS control laws provide the required vehicle stability augmentation, primary and secondary flight control,
and automatic or semiautomatic flight path control capabilities such as; Select and or Hold Attitude, Altitude,
Airspeed, and Heading including integration with propulsion controllers when necessary. The outer loop control
may use inertial and radio navigation sensors (GPS, JPALS, etc.) which are considered components of the VMS
for the purposes of this document.
5. The VMS interfaces with the Utility Control System and Propulsion Control System for both normal control and
degraded modes where some flight critical functionality may be assumed by the VMS.
c. UTILITY CONTROL SYSTEM (UCS): This is defined to include all those functions required for ancillary controls such
as nosewheel steering, braking, fuel and environmental control, many of which are often included within the VMS. A
list of typical Utility and other functions which will interface with the flight control elements and functions of the VMS is
provided in Figure 2.
d. PROPULSION CONTROL SYSTEM (PCS): Defined to include all of the functions required for primary, degraded and
fail safe control of the engine. These functions are sometimes considered to be part of the VMS and sometimes of the
UCS.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

Subsystems and Functions Requirements Defined By:
Mission Management System (MMS)

Data Link Receiver Prime Contractor and Approved by
Modes of Operation the Procuring Activity
− Manual, Assisted, Autonomous
Mission Task Execution
Payload Management
− Weapons Control, Video, Reconnaissance Sensors
Flight Termination (for operating MMS case)*
Interfaces with VMS, UCS, PCS
Health and Status Reporting to the CS
Vehicle Management System (VMS)

Interfaces with MMS VMS Functions and Requirements
− Normal, Degraded, Fail-Safe Defined in this ARP
− Flight Termination Functions if MMS failed*
Redundancy Management and Reconfiguration
Flight Control System Functions
− Control Laws
− Sensors
− Stability and Control Augmentation
− Integrated Flight and Propulsion Control (IFPC)
− Primary and Secondary Control Actuation
Outer Loop Control
− Sensors incl. IMU/INS, Radar Altimeter and Air Data
− NAVAIDS, incl. ILS, JPALS, GPS, and DGPS
− Control Laws
− Autoflight Guidance and Navigation
− Altitude, Attitude, Airspeed, Heading
− Autonomous Modes
Interfaces with UCS, incl. Mode Control
Interface with PCS, incl. Emergency Power and Mode Control
Utility Control System (UCS)

Interface with VMS, incl. Mode Control Prime Contractor and Approved by
− Normal, Degraded, Fail-Safe the Procuring Activity
Utility Function Sensors
Utility Actuation Control
Propulsion Control System (PCS)

Interface with MMS &VMS, incl. Mode Control Prime Contractor and Approved by
− Normal, Degraded, Fail-Safe the Procuring Activity
Engine Control System
Primary Power Systems
Secondary Power Systems
FIGURE 1 - UA SYSTEM FUNCTIONAL ARCHITECTURE
*NOTE: This document does not address requirements for, or implementation of, flight termination systems that may be
required for test range safety during development flight testing, or for destruction of classified equipment during
vehicle losses in operational service.
DGPS is the abbreviation for “Differential Global Positioning System”, ILS for “Instrument Landing System”, “IMU
for Inertial Measurement Unit”, JPALS for “Joint Precision Approach and Landing System”, NAVAIDS for
“Navigational Aids”
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

Category Function
Power Electrical Power
Distribution Hydraulic Power
MMS Radar
Radio
Aircraft Communications (TCAS,
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
Transponder, IFF, ELT)
Weapon Systems
Payloads
Test & Health Monitoring
ECM/ECCM
UCS Environmental Control
Fire Detection and Suppression
OBIGGS/OBOGGS
Landing Gear
Test and Health Monitoring
PCS Engine
Fuel
Propeller/Rotor
Test and Health Monitoring
Overhead Networks, Routers
Structures
FIGURE 2 - TYPICAL SYSTEMS INTERFACES WITH VMS FLIGHT CONTROLS
NOTE: ELT is the abbreviation for “Emergency Locator Transmitter”, IFF for “Identification, Friend or Foe”, TCAS for
“Traffic Collision Avoidance System”
2.3.2 Flight Control Functional Classifications
The flight contol functions provide the means for aircraft control and maneuvering and may include stability augmentation,
load limiting and envelope protection and limiting. Flight control may employ, singly or in combination, mechanical,
electrical or optical transmission of commands to the actuators that drive effectors that produce force or moments. The
actuation power source may be hydraulic, electric, or pneumatic. While the detail hardware, firmware and software design
requirements for these different configurations differ widely, the recommended performance requirements for all
configurations will be defined in terms of the Category of aircraft and its Operating Area according to 2.3.1.1, Flight Phase
per 2.3.1.2, Flying Characteristics per 2.3.1.3, Flight Envelopes according to 2.3.1.4 and for each Operational State
per 2.3.3.
2.3.2.1 Primary Flight Control
Primary flight control functions provide control of aircraft trim state (airspeed, altitude, heading, etc.) as well as
maneuvering in autonomous flight or in flight remotely controlled by the CS operator. These functions include stability
augmentation provided through closed loop feedback of aircraft states as well as command of aircraft response
necessary to meet task-oriented maneuvering requirements. Primary flight control may include provisions for load limiting
or envelope protection and limiting. Single or multi-axes thrust vectoring for maneuver or trim control may be included in
this classification. Continuous primary flight control is essential to aircraft flight safety and acceptable flying qualities.
Basic primary flight control would achieve longitudinal, lateral, and directional control by moving elevators, ailerons,
spoilers, rudders, and sometimes propulsion/reaction control devices.

2.3.2.2 Secondary Flight Control
Secondary flight control functions provide control of aerodynamic or propulsive configuration changes as necessary for
particular flight phases such as takeoff or landing. Control of flaps, slats, trimmable horizontal stabilizer, speedbrakes or
airbrakes, wing sweep, spoilers, ground-steering, braking and propulsion-reversing devices may be included. Secondary
flight control is essential to satisfactory performance and may be required for flight safety.
2.3.2.3 Outer Loop Control.
In most cases navigation waypoints are predefined in the mission plan, entered/modified by the CS in real-time, or
generated internally (Autonomous operation). Generation of suitable trajectories to execute the control between
waypoints may be a shared responsibility between the MMS and the VMS. The VMS, however, may need to include pre-
programmed strategies for waypoint and trajectory generation, in the event of an MMS functional or hardware failure, in
order to meet the minimum Operational State as defined in Table 3.
2.3.3 VMS Operational State Classifications
NOTE: These definitions differ from those used in manned aircraft specifications, particularly Operational State IV, which
for a manned aircraft requires sufficient control for descent and immediate emergency landing, but for a UA only
requires sufficient control for some amount of influence on the impact location of the vehicle, not a safe
emergency landing.
2.3.3.1 Operational State I (Normal Operation)
Operational State I is the normal state of VMS operation providing sufficient performance, safety and reliability to allow the
mission tasks and system requirements of the particular UA to be met within the required flight envelope and safe
operation in the intended airspace.
2.3.3.2 Operational State II (Restricted Operation)
Operational State II is the state of less than normal VMS operational performance, safety or reliability with no loss of flight
critical functions. Any degradation in mission effectiveness and restrictions of flight envelope will not prevent the vehicle
from completing a modified mission or from making a degraded landing at the destination of original intent.
2.3.3.3 Operational State III (Minimum Safe Operation)
Operational State III is the state of degraded VMS performance, safety or reliability which permits the vehicle safe
termination of the current mission task, maneuver capability limited to cruise, navigation, transition to appropriate
Operating Areas and an emergency landing.
2.3.3.4 Operational State IV (Controllable to a Safe Termination or Predetermined Heading)
Operational State IV is the state of degraded VMS operation in which neither continued safe flight nor safe landing of the
vehicle is possible; but sufficient control remains to safely terminate flight, see 3.1.1.1, or, as a minimum, acquire and hold
a pre-defined heading which minimizes hazards to others on the ground or in the airspace.
2.3.3.5 Operational State V (Loss of Control)
Operational State V is the immediate loss of control VMS state which allows no control of the vehicle impact site or of
heading prior to impact.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

2.3.4 VMS Criticality Classifications
2.3.4.1 Essential VMS Functions
A function is Essential if loss of the function results in an unsafe condition or inability to maintain VMS Operational
State III.
2.3.4.2 Flight Essential VMS Functions
A function is Flight Essential if loss of the function results in an unsafe condition or inability to maintain VMS Operational
State IV.
2.3.4.3 Flight Phase Essential VMS Functions
A function is Flight Phase Essential if loss of the function results in an unsafe condition or inability to maintain VMS
Operational State III only during specific flight phases.
2.3.4.4 Noncritical VMS Functions
A function is noncritical if loss of the function does not affect flight safety or result in control capability below that required
for VMS Operational State III.
2.3.5 VMS Component Structural Classifications
2.3.5.1 Fracture Critical Part
A primary structural or subsystem component that is predominantly designed and limited by fatigue crack initiation and
crack growth requirements rather than static requirements, the single failure of which could lead to the loss of the aircraft.
These parts generally call for special fracture toughness controls, quality control procedures, Non-Destructive Testing
(NDT) practices, and analytic requirements.
2.3.5.2 Fracture Critical Traceable (FCT) Part
A single load path part, the single failure of which would cause the immediate loss of the aircraft. In addition to the
requirements for a Fracture Critical part, an FCT part requires serialization and traceability from starting stock to tail
number or major subassembly number and reverse.
2.3.6 Document Definitions
2.3.6.1 Aircraft Detail Specification
The detailed specification for the aircraft provided by the procuring activity.
2.3.7 Definitions of Terminology for Precision Ship Board Landing

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
AIR BOSS: A Naval term used on the flight deck of an aircraft carrier. The Air Boss is in charge of all aircraft operations
on the hangar deck, the flight deck and airborne out to 5 nm (9.3 km).
LANDING SIGNAL OFFICER (LSO): A Naval aviator trained to facilitate the safe and expeditious recovery of naval
aircraft aboard an aircraft carrier.
NAVIGATION SENSOR ERROR (NSE): The difference between the actual aircraft path and the desired path caused by
all sensor errors and computation errors due to things such as granularity and time tag accuracies.

FLIGHT TECHNICAL ERROR (FTE): The difference between the actual aircraft path and the desired path caused by air
turbulence and ship motion including the effect of the gain and phase inaccuracies of the ship motion compensation
filters. FTE represents the ability of the aircraft to follow the commanded path.
PATH DEFINITION ERROR: Includes any other error sources besides the NSE and FTE errors defined above, such as
errors in the surveyed locations of the GPS Antennas, Airborne INS, Ship Motion Sensor and Touchdown Point. It also
includes the effects of structural flexure in either the ship or UA.
TOTAL SYSTEM ERROR (TSE): The sum of the NSE, the FTE and the Path Definition Error, all as defined in this
paragraph.
2.3.8 Safety and Operability Terminology Definitions
LOSS OF CONTROL: A failure effect, the result of a single failure or multiple failures, which prevents continued flight and
also prevents safe flight termination.
SAFE FLIGHT TERMINATION: Termination without harm to others on the ground or in the airspace. The form it takes is
therefore dependent on the hazard potential of the vehicle, as determined by its size, category and design mission. For
high hazard vehicles safe termination would demand a controlled crash at a predetermined location or outside
predetermined unsafe or undesirable exclusion zones. Safe termination for lower hazard vehicles could be an
uncontrolled crash along a predetermined heading. For the lightest and slowest vehicles it could be an immediate
uncontrolled crash.
PROBABILITY OF LOSS OF CONTROL (PLOC): The probability of all of those single and combined failures that would
cause loss of control, that is, the inability to achieve safe flight termination. Conventionally specified by the procuring
activity for the entire aircraft, including all of its systems, the allocation to the VMS is made by the procuring activity or the
prime contractor.
VMS PLOC: The allocated probability of the sum of all of those VMS failure conditions, for all of the elements defined in
3.1.1.2 that would cause loss of control.
VMS CRITICAL FAILURE: A failure which causes loss of VMS function and thereby contributes to the VMS PLOC.
2.3.9 Definitions of Modal and Other Auxiliaries
The following definitions apply to the usages in this ARP only.
SHALL: Denotes requirements that must be met. From SAE 2008 Style Manual - "”Shall" is to be used wherever the
criterion for conformance with the specific recommendation requires that there be no deviation.”
SHOULD: Denotes requirements that are desired to be met. From SAE 2008 Style Manual - "”Should" is to be used
wherever noncompliance with the specific recommendation is permissible.” The ARP provides many guidance statements
employing this word.
WILL: Employed by this ARP in the descriptions of typical actions to be performed by the procuring activity, or the prime
contractor, in the future.
MAY: Used by this ARP in the description of the possible or allowable, for example, recommended courses of action or
VMS characteristics.
OR: Used by this ARP for recommendations which may be followed by satisfying any one of a set of listed options.
AND: Used for recommendations which can only be met if all of a set of listed options are satisfied. If they must all be
satisfied at the same time the word “simultaneously” is added.
N/A: Used for data or recommendations that are not applicable.

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3. RECOMMENDATIONS
If the recommendations of this document are invoked as contractual requirements for a UA program the following rules of
precedence apply. The detail requirements for a particular system should be specified in the VMS Specification (see
4.6.2), the Aircraft Detail Specification, the contract, or the purchase order for that system and these take precedence
over the recommendations of this document. See 2.1 for the precedence between this document and other documents
referenced in 2.1.
The recommended flight controls requirements in this document are applicable to the Autonomous, Assisted and Manual
operational modes of operation of the UA. The UA Systems requirements are defined by the procuring activity in the Air
Vehicle Systems Specification.
The recommendations of this section, and of section 4, will not all be applicable to all UA. Most of the recommendations
would be expected to be applicable to the UA with the highest level of VMS flight control capability, T4, and fewer of the
recommendations would be applicable to UA with less VMS flight control capability. These expectations are illustrated by
the recommendation applicability guide table in Appendix A. but, in practice, the UA procuring activity would specify the
precise requirement applicability.
NOTE: Within this Aerospace Recommended Practice there are many actions recommended by the use of the modal
auxiliary “should”. There are also many statements about the customary and appropriate contractual division of
responsibility between the “procuring activity” and the “prime contractor” and these are described with present
tense verbs.
3.1 General System Recommendations
The VMS should comply with the recommended requirements contained in this document to the degree specified by the
procuring activity. The compliance should be in a manner such that the aircraft missions defined by the procuring activity
can be performed satisfactorily. The VMS should meet all of the environmental requirements of the Aircraft Detail
Specification and those recommended by this document.
3.1.1 Safety and Operability Considerations
3.1.1.1 Definitions
The quantitative flight safety recommended requirements in this standard employ terminology that requires the definitions
in 2.3.8.
3.1.1.2 Flight Safety Assessment
The assessment of the quantitative flight safety of an VMS should include calculation of the PLOC and also an
assessment of the consequence of a single failure or multiple failures across the Operational Flight Envelope.
The prime contractor should develop a Safety Assessment Plan (SAP) for approval by the procuring activity to address
the Hazard, VMS PLOC and failure immunity requirements recommended in 3.1.1.3 and 3.1.1.4. The Fault Tree Analysis
(FTA), and Failure Modes and Effects Analysis (FMEA) methods in ARP4761 should be used as a guide. A Reliability
Block Diagram (RBD) representation of the end-to-end flight critical VMS functionality should be developed and provided
to support the PLOC analysis.
The quantitative flight safety assessment of the VMS should include all flight critical functions, components and
subsystems. These should include items such as: mechanical controls, VMS electronic set, including all control Guidance
and Navigation sensors and functions, air data and aircraft motion sensors, control effectors, hydraulic system
components, electrical power system components, including constant speed drives for generators and hydraulic system
pump drive gear boxes. All moment producers integrally controlled by the engine control system, and the engine itself
should not be included. For a Short Take-Off and Landing (STOL) or Vertical and/or Short Take-off and Landing (V/STOL)
aircraft the approach to be adopted for all of the functions controlled by the engine control system should be agreed
between the procuring activity and the prime contractor.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

A representative mission to which this requirement applies, including mission duration, is defined by the procuring activity
and described in more detail by the prime contractor, to allow the component failure rate calculations. The prime
contractor, subject to approval of the procuring activity, should define whether the FTAs and RBDs will be developed for
one hour of flight or be developed for the duration of one flight and the end result divided by the flight length in hours.
These two approaches will give differing results when combined failures or dormant failures with long exposure times are
significant to the end result. If the planned usage of the UAS provides, after a failure, for a time to return to base which is
significantly shorter than the mission time, the maximum-return-to-base time should be specified by the procuring activity.
3.1.1.3 Quantitative Flight Safety
The VMS PLOC should not exceed the value specified by the procuring activity, or if otherwise specified, a value
numerically equal to, the maximum acceptable aircraft Loss of Control rate due to relevant VMS failures (QS(VMS)). The
procuring activity defines the VMS PLOC and the VMS Type requirements (see 3.1.1.4.2), based on mission
requirements, Operating Area, and payload considerations. The prime contractor develops the mission system and VMS
architectures, fault detection/isolation capability, fault accommodation and reconfiguration concepts to minimize the
effects of component failures.
The VMS PLOC requirement should include consideration of the mission time and the time to return to base after a failure
before normalizing requirements on a per-hour basis.
If the VMS PLOC is not specified by the procuring activity, the numerical requirements of Table 2 apply. They are
recommended for use by the procuring activity as minimum requirements.
If the VMS PLOC requirement is an allocation from a vehicle requirement, and, in the absence of a rational analysis to
support allocation from vehicle PLOA to individual subsystems, it is recommended that a value, due to relevant failures of
systems and subsystems onboard the aircraft, of between 0.25 and 0.375 of the contractually defined vehicle Probability
of Loss of Aircraft (PLOA) be used.
NOTES: 1. The range of allocation recommended in this ARP is a judgment based on traditional allocations and historical
data from manned aircraft, modified for the broader definition of UA VMS flight control content employed
through this document.
2. For UA with flight safety requirements that dictate VMS Types T3 or T4, the failure probabilities in Table 2 are
consistent with the manned aircraft PLOC definition and requirements in AS94900. The PLOC requirements
in Table 2 are decremented for UAs with mission requirements or Operating Areas which allow the use of
VMS Types T0 through T2.
TABLE 2 - VMS QUANTITATIVE FLIGHT SAFETY REQUIREMENTS
Maximum Aircraft Loss of Control Rate

From VMS Failures Per Flight Hour,
after accounting for mission length,
VMS Type QS(VMS)
T0 1.0 x 10-3
T1 1.0 x 10-4
T2 1.0 x 10-5
T3 1.0 x 10-6
T4 1.0 x 10-8
NOTE: Loss of Control in Table 2 means not only loss of the vehicle but also a total loss of the ability to influence the
impact location.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.1.1.3.1 Effects of Imperfect Fault Detection
PLOC calculations for VMS with multiple redundant channels, typically quadruplex, triplex or dual, should account for
imperfect fault detection. The inability to correctly select and isolate the failed channel can strongly diminish the increased
VMS reliability provided by the redundancy. The significance of this effect increases with diminished redundancy.
The PLOC calculation for a dual VMS with no independent tie-breaker source; can only consider in-line fault coverage of
the dual redundant elements. These dual elements should be considered to have a net reliability equal to
Rs = R2 + 2R(1-R)c
-λ*t
where R is the reliability of a single element (typically e , where λ is the critical failure rate in failures per flight hour), Rs
is the reliability of a subsystem and c is the coverage factor ranging from zero to one. The prime contractor should
substantiate any coverage factors above 90% (c ≥ 0.9).
3.1.1.4 Failure Immunity and Safety
UA differ widely in their size, speed, payload and mode of operation and consequently in their potential for harm to other
aircraft and to people on the ground. Those with a potential for harm of the same order as manned aircraft must comply
with the requirements of this paragraph. UA with a lower potential for harm may employ a lower level of VMS capability.
For these, a lower level of failure immunity and safety may be defined by the procuring activity. See 3.1.1.4.1 for further
discussion of levels of VMS capability.
A failure immunity and safety assessment should be made to determine if the fault accommodation features of the system
provide a safe reaction to, and recovery from, a single failure or a combination of failures.
The VMS should strive to provide sufficient on-board fault detection capability to determine loss of any flight critical
function and report the VMS status to the operator, regardless of the level of redundancy. Typically fault monitors are
more effective and less prone to false detections if they are targeted at the VMS component level. For example, it is more
effective to determine the health of an actuator with a monitor designed to assess actuator response (position versus
command, motor currents, etc.) than to deduce a failure by the departure of the UA from the commanded flight path. This
guidance, however, is not meant to exclude system-wide integrity monitors that may employ on-board aerodynamic and
propulsion models that assist in fault detection and possibly with control reconfiguration to mitigate the loss of a control
effector. Even in non-redundant implementations, such approaches may be appropriate to provide “get home” capability
or at least a level of control sufficient to steer clear of population centers or other exclusion zones.
Within the Permissible Flight Envelope, no single failure or combination of failures in the VMS or related subsystems,
which is not at least a factor of ten less probable than the VMS PLOC, should result in any of the following effects before
the VMS takes effective corrective action:
a. Flutter, divergence, or other aeroelastic instabilities of the aircraft, or a structural damping coefficient for any critical
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
flutter mode below the fail-safe stability limit of MIL-A-8870.
b. Uncontrollable motions of the aircraft or uncommanded maneuvers, which exceed limit airframe loads.
c. Any asymmetric, unsynchronized, unusual operation or lack of operation of flight controls that results in worse than
VMS Operational State IV.
d. Exceedance of the Permissible Flight Envelope or inability to return to the Service Flight Envelope.
e. VMS failures that could cause total loss of thrust.
f. Erroneous, false, misleading, or missing aircraft information such as altitude/attitude/angle-of-attack/etc., that could
result in either incorrect or no flight control commands to the UA or erroneous situational awareness to operators at
the CS.

Generally, the procuring authority will also wish to specify certain failure states to be excluded from or accommodated by
the above requirement, regardless of failure probability. For example, failures of turbomachinery are generally excluded
from the above requirement although failures of the turbomachinery controls are not. The particular exclusions and
inclusions specified will directly impact the hardware architecture adopted.
To accommodate certain failures states, regardless of their probability, the procurement authority should include wording
in the Aircraft Detail Specification that requires the aircraft to maintain control for failure cases that might include, for
example, complete loss of engine thrust, loss of a primary electrical power system, a single actuator jammed, or loss of
GPS signals. In addition, to exclude from accommodation certain other specific failure states, the Aircraft Detail
Specification should allow aircraft control to be lost for cases that might include, for example, failures of the hot sections
of turbomachinery, tire bursts, birdstrikes, actuator jamming failures, or structural component fractures.
3.1.1.4.1 VMS Type Capability
The behavior of the UA following single or combinational VMS failures of different probabilities is a critical measure of
VMS capability. Table 3 defines five levels of capability identified as T0 (see 2.3.1.1), the lowest, through T4, the highest,
in terms of the degradation of the Operating State for failure states of different probability. At the higher levels of capability
only failure states of very low probability will degrade the Operational State and, conversely, relatively probable failure
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
states will degrade the Operational State of the lower levels of capability.
The level required, or VMS Type should be defined by the procuring activity. It will be dependent on a combination of the
UA characteristics, its mission and its operational environment. A method for selecting the appropriate VMS Type is
contained in 3.1.1.4.2.
NOTE: Table 3 helps to define the contribution of a VMS to the probability of a mission failure, see 3.1.2.1. It is
determined by the total probability of all of the failure conditions, of those VMS elements defined in 3.1.1.2, that
would prevent mission completion by causing a degradation to Operational State III or worse.
TABLE 3 - VMS TYPES
VMS Type T0 T1 T2 T3 T4
For All Failure Conditions
of Probability Greater
Than or Equal to
(for one flight hour) Minimum Resulting Operational State
-3
1.0 x 10 V I I I I
-4
1.0 x 10 N/A II II I I
-5
1.0 x 10 N/A IV III II II
-6
1.0 x 10 N/A V IV III II
-7
1.0 x 10 N/A N/A V IV III
-8
1.0 x 10 N/A N/A N/A V IV
3.1.1.4.2 Determination of Required VMS Type
The baseline required VMS Type should follow the general guidance of Table 5, based upon the combination of the UA
Category, from Table 1 and its Operating Area, as defined in Table 4.
UA that are required to takeoff or land in a more stringent (higher number) Operating Area must have a VMS Type
appropriate for that area or be prepared to accept flight restrictions (launch and recovery headings, speeds and fly-away
altitudes) to minimize risks until a less stringent Operating Area is reached.

TABLE 4 - UA OPERATING AREA
Operating
Definition of UA Area of Operation
Area
A1 Restricted Areas and Warning Areas under controlled and supervised
conditions, or combat zones.
A2 Sparsely populated areas that are within Class G airspace, and/or in
Restricted areas or Warning Areas, and/or in a maritime environment,
and/or in combat zones.
A3 Densely populated areas, or areas of high aviation traffic density, or
areas within Class B, C, D or E airspace.
A4 All classes of airspace including those outside of Restricted/Warning
Areas and combat zones.
TABLE 5 - SUGGESTED VMS TYPE BASED UPON UA CATEGORY AND OPERATING AREA
Group Group Group Group Group

UA Category 1 2 3 4 5
Operating Area VMS Type
A1 T0 T1 T2 T3 T4
A2 T0 T1 T2 T3 T4
A3 T1 T3 T4 T4 T4
A4 T3 T3 T4 T4 T4
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
FIGURE 3 - SELECTION OF BASELINE VMS TYPE

In addition, the VMS Baseline Type may be adjusted upward for the following operational factors:
a. Shipboard operations
b. Aerial refueling capability
c. Weapons carriage
d. Payload security classification
e. Active structural load control
f. “Swarming” operations (Multiple UA in the same airspace)
NOTE: All of these factors would tend to increase the required capability, and hence the Type number specified, from the
baseline number obtained from Table 5.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.1.1.5 Transient Electrical Power Effects
VMC, or embedded subsystem computers such as microprocessors, Digital Signal Processors (DSP) or Field
Programmable Gate Arrays (FPGA), should tolerate electrical power source variations, within the limits specified for the
applicable power system in the Aircraft Detail Specification, without suffering adverse effects which result in operation at
below the specified VMS Operational State, or, if not specified, below Operational State III. In the event of primary power
source interruption, no adverse effects should result which limit operation or performance of flight control computers upon
resumption of normal quality power. The use of independent, uninterruptable backup power for the VMC is strongly
encouraged to prevent VMS dropout during momentary primary power interruptions. The hold-up time should be long
enough to ensure uninterrupted VMC operation through the worst case transient electrical power system drop-out.
3.1.1.6 Priority
Essential and Flight Phase Essential flight controls should be given priority over noncritical controls and other actuated
functions during simultaneous demand operation. However, no specific priority provisions, such as hydraulic priority
valves, are required unless there is a likelihood of simultaneous demands which could prevent one or more Essential or
Flight Phase Essential actuation systems from meeting their performance requirements. Where provided, priority controls
should be highly resistant to deterioration, binding or failure while dormant under normal aircraft operations so that they
will function as required when conditions dictate. If flight safety can be endangered by failure of such controls, ground
checkout means for ready determination of their operability should be provided and procedures specified.
3.1.2 Reliability Considerations
VMS reliability should be consistent with overall system requirements.
3.1.2.1 Mission Accomplishment Reliability
The probability of mission failure per flight hour, QM(VMS), due to relevant material failures in the VMS, should be an
allocation by the prime contractor from the vehicle requirement provided by the the Aircraft Detail Specification. The
allocation should be supported by failure analysis from the Safety Plan, see Note following 3.1.1.4.1.
NOTES: 1. The probability of failure-induced degradation from Operational State II to Operational State III, which would
compel mission termination, see 2.3.3, is determined by the selection of VMS Type, see 3.1.1.4.2 and the
total number of failure conditions that can cause degradation to Op State III.
2. Failures in hydraulic or electrical power sources and power distribution, or other subsystems that do not
otherwise cause mission failure should be considered where pertinent.
3. Each mission to which this requirement applies should be established and defined by the contractor, subject
to approval of the procuring activity.

3.1.2.2 Availability
The VMS availability requirement should be an allocation by the prime contractor from the vehicle requirement provided
by the Aircraft Detail Specification. The allocation should be compatible with the Mean Time Between Failure (MTBF) see
3.1.2.3 and Mean Time To Repair (MTTR) specified for the VMS, the VMS mission accomplishment reliability, see
3.1.2.1, and hence the specified VMS Type, see 3.1.1.4.2.
3.1.2.3 MTBF
The VMS reliability, as measured by its MTBF, should meet the requirements of the VMS detail specification and, in
combination with the VMS Type fault tolerance, allow the vehicle to achieve the mission reliability and availability specified
in 3.1.2.1 and 3.1.2.2, respectively.
3.1.3 Redundancy Considerations
The prime contractor should determine the redundancy approaches to be employed by the VMS and should use the
minimum levels required to satisfy the recommendations of this standard.
3.1.3.1 Redundancy
In the design of a redundant VMS, the term redundancy refers to a mechanization which will retain functional integrity
after failures, and provide the same or similar flying characteristics and performance capability. In practice, it can take the
form of providing duplicate or alternate components, channels, or subsystems, each capable of performing the given
function. It can also take the form of analytical redundancy methods used to synthesize sensor data from remaining
functional sensors, or control the vehicle through reconfiguration of commands to the remaining functional control
effectors. In most cases, elements of both approaches are used, but the analytical redundancy approach requires higher
integrity for the computational resources and associated electrical power. The redundancy approach determined by the
prime contractor should be:
a. Based on meeting the flight safety and mission reliability recommendations of this specification.
b. Consistent with the use of the system test and monitoring provisions recommendations of 3.3.1 and associated
subparagraphs.
c. Based on fault accommodation features that are demonstrated by analysis and simulation to provide a safe reaction
to, and recovery from, single failures, including those that are at least a factor of ten less probable than the VMS
PLOC.
d. Addressed in the firmware and software requirements definition when applicable.
3.1.3.1.1 Examples of Redundancy Levels
The differing levels of capability defined in Table 3 for the various VMS Types would be achieved with differing levels of
redundancy. Examples of potential configurations with redundancy levels compatible with the Type capabilities are
provided in Table 6.
NOTES: 1. This ARP does not recommend specific architectural approaches. The possible solutions in Table 6 are
examples, for illustrative purposes only.
2. These examples are considered to be similar to the architectures conventionally employed to achieve
equivalent safety from control functions for manned aircraft. For UA, the different operating environment may
allow the exploration of less well established approaches.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

TABLE 6 - REDUNDANCY EXAMPLES
VMS
Type Possible Configuration Solution
T0 Single thread system with no analytical redundancy or control
reconfiguration features.
T1 Type 0 system but special efforts made to keep processors and
power sources alive for some, limited, analytical redundancy. If
data link available control station provides vector.
T2 Duplex or very high integrity simplex digital processors and
processor power supplies. Actuation simplex but designed for
minimal hardover probability. Analytical redundancy and control
reconfiguration to aid safe recovery or flight termination.
T3 Triplex or higher control & guidance processing and power
sources. Analytical redundancy, control reconfiguration or
sensor/actuator physical redundancy used to mitigate failure
effects.
T4 Triplex or higher control and guidance processing, sensors and
actuator control paths. Redundant actuation and/or split control
surfaces with separate actuation. Analytical redundancy and
control reconfiguration may be used to further mitigate failure
effects.
3.1.3.2 Isolation and Protection of Redundant Subsystems
Redundant subsystems should employ isolation of the redundant elements to preclude failure of one portion of the system
from affecting any other part of the system. Recommended requirements for isolation of electrical signal channels are
defined in 3.4.5, hydraulic subsystem recommended requirements are in 3.5.3, and mechanical component
recommended requirements are defined in 3.6.2.
3.1.3.3 Redundancy Management
The VMS should perform the redundancy management of the components and subsystems within the VMS itself and,
where necessary, of those external to the VMS, that are essential to its flight critical functions. Redundancy management
should provide failure detection and accommodation sufficient to satisfy the specified mission reliability and safety.
Redundancy management should be employed at various levels within the system or channel to perform such tasks as:
signal selection, fault isolation, accommodation, and actuator management. Redundancy management should accomplish
all of the following, as applicable to the configuration required to achieve the capability requirements of the VMS Type
(see Table 3) specified for the air vehicle:
a. Provide failure detection, isolation, and accommodation to meet the recommendations of 3.1.1.4 and the transient
limits in 3.2.1.10 within the time before divergence to double amplitude.
b. Prevent propagation of failures among aircraft control redundant elements.
c. Prevent propagation of failures from other systems or subsystems to and from aircraft control redundant elements.
d. Provide physical and electrical isolation between redundant elements.
e. Provide use of voting and comparison on redundant elements to the maximum extent possible.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

f. Permit re-admittance of previously failed elements back into the voting plane only when operation within tolerance is
evident. The system should be able to determine that the transient motions resulting from the reset will fall within the
failure transient guidelines in 3.2.1.10 prior to allowing the reset. Operator action is preferred over automatic reset
logic (see NOTE).
g. Provide for an automatic in-flight restart of the VMS to maintain aircraft control, in the event of an all-channel “generic
software design or specification error”.
h. Provide protection against shut down of the last channel remaining (sometimes known as “last man standing” logic).
i. Voters and signal selectors for logic devices, such as switches or dials, which provide discrete inputs, should default
to a fail-safe state when the truth state cannot be positively determined.
j. Similarly, a set of fail-safe values should be defined for all proportional inputs where feasible, for default use when
they cannot be positively identified as valid or are outside the expected input range. Analytical redundancy may be
used to provide for continued safe operation in the case of those inputs which do not have a fixed fail-safe value.
NOTE: Permitting re-admittance of a previously failed element can result in undesired consequences when the good
signals return to values near the failed signal. For example, in a triplex system a signal, such as pitch rate, which
fails to a near zero value may be declared failed when the other, good, pitch rate signals deviate from zero while
maneuvering. After the maneuvering has ended the good signals may return to zero while the aircraft is trimmed.
If the failed signal is re-admitted after this occurs, it is possible a subsequent identical failure of another pitch rate
signal may cause the remaining good signal to be declared failed, by majority vote while maneuvering, as the two
failed signals may agree. This is especially problematic in triplex systems, where a 2 (failed) on 1 (good) condition
can occur or quad systems, where a 2 (failed) on 2 (good) conditions can occur, both situations which are
extremely difficult to isolate. Any re-admittance scheme should err on the conservative side and not allow a reset
if the resulting effect cannot be determined.
3.1.4 Maintainability Considerations
VMS design and installation should permit normally assigned maintenance personnel to perform required maintenance
safely and easily under all anticipated environmental conditions. Means should be provided to permit the accomplishment
within the allocated maintenance budget and personnel skill level of all required organizational and intermediate level
maintenance functions including: operational checkouts, system malfunction detection, fault isolation to the Line
Replaceable Unit/Weapon Replaceable Assembly (LRU/WRA) level, LRU/WRA removal and replacement, inspection,
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
repair, servicing, and testing. In addition the design should employ provisions to facilitate efficient overhaul and
performance testing and evaluation at the depot level.
3.1.4.1 Operational Checkout Provisions
The VMS should be designed with provisions for operation on the ground, without operating the propulsion system, to
verify system operation and freedom from failure, including verifying system redundancy and the absence of dormant
system failures that would not normally be detected without intrusive operation of the system, to the maximum extent
possible. Electric and electronic components should be designed to operate with the electric power generators supplied
by standard ground carts. Hydraulic components should be designed to operate with the standard hydraulic ground carts.
If it is not feasible or economic for a UA to interface with standard equipment, because of size or other characteristics,
non-standard ground equipment may be employed.
3.1.4.2 Malfunction Detection and Fault Isolation Provisions
The VMS should have a malfunction detection probability sufficiently high to support the specified safety and mission
reliability requirements. The VMS should also monitor critical performance parameters as required to isolate faults with a
probability sufficient to allow the MTTR specified by the procuring activity to be met. These means may include CS
displays and built-in-test functions.

3.1.4.3 Accessibility and Serviceability
The VMS components should be designed, located, and provided with easy access so that inspection, rigging, removal,
repair, and replacement can be readily accomplished. Suitable provisions for rigging pins, or the equivalent, should be
made to facilitate correct rigging of the VMS. In addition, all VMS components should be designed so their removal and
replacement can be accomplished without disturbing the rigging insofar as practicable. Special tools required for
installation and rigging should be avoided to the maximum extent possible. Any automated rigging features should allow
periodic checking of the rigging accuracy achieved. If rig or other system setup information is stored in non-volatile
memory within a LRU/WRA, provisions should be made for electronic transfer of this data from redundant LRU/WRAs into
an LRU/WRA which has been installed to replace one removed for maintenance.
3.1.4.4 Maintenance Personnel and Safety Provisions
Systems and components should be designed to preclude injury of personnel during the course of all maintenance
operations including testing. All devices which contain any type of stored energy (such as mechanical, electrical,
hydraulic, or pneumatic), or which can produce energy capable of causing injury to maintenance personnel, should be
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
provided with a positive means of disconnecting the energy source, allowing controlled release of the energy, or
preventing its inadvertent release. Where positive protection cannot be provided, precautionary warnings or information
should be affixed in the aircraft and to the equipment to indicate the hazard; and appropriate warnings should be included
in the application maintenance instructions. Safety pins, jacks, locks, or other devices intended to prevent actuation
should be readily accessible and should be highly visible from the ground, or include highly visible streamers. All such
streamers should be of a type which cannot be blown out of sight such as up into a cavity in the aircraft. Streamers should
be in accordance with MIL-S-8512.
3.1.5 Survivability Requirements
The VMS should withstand and operate in any unnatural, induced, hostile environment specified in the Aircraft Detail
Specification. The VMS should provide at least Operational State III performance in all situations where damage
sustained by the airframe and other systems would not cause total loss of control. Design options and techniques to
enhance the survivability of redundant systems are provided in AIR1083.
3.1.5.1 All-Engines-Out Control
If engine generated power is normally required for VMS operation, supplementary sources of power may be needed to
allow continued control for the all-engine-out case, as defined by the procuring activity. Different considerations apply
during the Flight Test phase from those applicable to the operational aircraft and the ability or inability to restart the engine
in flight is of prime importance.
3.1.5.1.1 Operational Vehicle
Independent supplementary sources of electrical power and, if needed, hydraulic power should be provided as necessary
for VMS Types T2 through T4. The prime contractor, with the concurrence of the procuring activity, should establish the
minimum time requirement for fill-in VMS electrical power after an engine loss. The design of the VMS, including its power
sources, should be such that unintentional loss of any or all engine thrust and engine-generated power does not result in
less than VMS Operational State III, including any necessary transition to emergency sources of power, for the duration of
this specified time requirement. Provision should be made for in-flight return to normal power wherein the transition
should not result in a worse VMS Operational State.
3.1.5.1.2 Flight Test Aircraft
Supplemental power should be provided for flight test vehicles with VMS Types T2 through T4. This requirement should
apply at least during the envelope expansion phase, when engines are as yet unproven, airframe aerodynamics and
airframe/inlet flow field interactions are not yet adequately verified in flight, or if wind milling power is insufficient to
maintain at least Operational State III control capability anywhere in the aircraft Permissible Flight Envelope. This
supplementary power should be provided for a minimum run time specified by the procuring activity.

3.1.5.2 Power Capacity
Sufficient electrical, hydraulic, and pneumatic power capacity should be provided in all flight phases and with all
corresponding engine speed settings such that the probability of losing the capability to maintain at least VMS Operational
State III aircraft performance should be at least a factor of ten less probable than the VMS PLOC, when considering the
combined probability of system and component failure and the cumulative exceedance probability of turbulence. Analysis
and integration studies of ground and in-flight VMS power requirements should be performed to ensure that the power
demands can be met with appropriate margin and, if multiple power systems are used, are appropriately balanced
between those systems.
3.1.5.3 Invulnerability Considerations for VMS Design
Degradation in VMS operation due to variations in natural environments, adverse events of nature, induced environments,
onboard failure of other systems, maintenance error, operator error or enemy actions should be within the limits specified
in the following subparagraphs.
3.1.5.3.1 Invulnerability to Natural Environments
VMS should be designed to withstand the full range of natural environmental extremes established for the particular
aircraft or system without permanent degradation of performance below VMS Operational State I, or temporary
degradation below VMS Operational State II. Reduction below State I should be experienced only at adverse
environmental extremes not normally encountered and should be transient in nature only; and, the function should be
recovered as soon as the aircraft has passed through the adverse environment. System component clearances with
structure and other components should be adequate to preclude binding or jamming, instability, or out-of-specification
operation of any portion of the system due to possible combinations of temperature effects, ice formations, if flight in icing
conditions is specified by the Aircraft Detail Specification, loads, deflections, including structural deflections, and buildup
of manufacturing tolerances. The environmental requirements are defined in the Aircraft Detail Specification and the
recommended test methods and procedures are defined in 4.4.2.1.
3.1.5.3.2 Invulnerability to Lightning Strike and Static Atmospheric Electricity
Types T2 through T4 VMS should maintain Operational State II capability or better when subjected to electric field and
lightning discharge except that a temporary, recoverable, more extensive loss of performance to State III is allowable in
the event of a direct lightning strike to the aircraft. Structural and VMS bonding should meet the requirements of MIL-STD-
464 and follow the guidance of its referenced documents.
3.1.5.3.3 Invulnerability to Induced Environments
VMS should withstand the full range of worst-case induced temperatures and temperature shock, acceleration, vibration,
noise, and shock, induced pressures, explosive and corrosive atmospheres, electromagnetic Interferences (EMI) and
nuclear environment, projected in missions for the particular aircraft, without permanent degradation or loss of the ability
to maintain VMS Operational State II capability. Specific induced environmental conditions should be in accordance with
the Aircraft Detail Specification. These induced environments, within structural limits, should not result in temporary
degradation below VMS Operational State II capability during the exposure to the environment. Requirements for directed
energy and high power microwave weapons, and nuclear radiation including Electromagnetic Pulse (EMP) should be
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
defined by the procuring activity. The VMS should meet the applicable requirements of MIL-STD-464 and MIL-STD-461.
3.1.5.3.4 Invulnerability to Enemy Action
The specific enemy threats, and operational capability after encountering the threats, should be defined by the procuring
activity. If the threats are not defined, the Essential and Flight Phase Essential VMS functions for VMS Types T3 and T4
only, including associated structure and power supplies, should withstand at least one direct encounter from the implied
threat inherent to the mission defined in the Aircraft Detail Specification, without degradation below Operational State III.
The prime contractor should identify the vulnerable areas (see MIL-HDBK-336) associated with the implied threat. MIL-
HDBK-2069 and AIR1083 are recommended reference documents for Aircraft Survivability design.

3.1.5.3.5 System Operation and Interface
Whenever a non-critical control or other aircraft system is interfaced with Essential or Flight Phase Essential flight control
channels, sufficient separation and isolation should be provided to make the probability of propagated or common mode
failures to be at least a factor of ten less probable than the VMS PLOC.
3.1.5.3.6 Signal Path Protection
Where redundant signal or computing paths are provided they should be isolated or separated to meet the invulnerability
requirements of 3.1.5.3 and 3.4.5.2.
3.1.5.3.7 Invulnerability to Onboard Failures of Other Systems and Equipment
The VMS should meet its failure state/reliability budget, as allocated within the weapon system, for self-generated failure
(within the VMS) and for those VMS failures induced by failures of other interfacing systems within the aircraft (3.1.2.1,
3.1.1). In addition, the VMS design should comply with the following:
a. For VMS Types T3 and T4 only, Essential and Flight Phase Essential VMS functions should retain capability at
Operational State III (minimum safe) or better, after sustaining the following failures:
1. Failure of the critical engine in a two-engine aircraft.
2. Failure of the two most critical engines in aircraft having three or more propulsive engines.
3. Failure of any single equipment item or structural member which, in itself, does not cause degradation below
State III. This includes any plausible single failure of any onboard electrical or electronic equipment in any
subsystem of the aircraft.
b. For VMS Types T3 and T4 only, the associated structure and power supplies should be designed so that the
probability of failing to maintain VMS Operational State IV, as a result of an engine or other rotor burst, should be at
least a factor of ten less probable than the VMS PLOC.
c. In the event of a detected failure that has no immediate effect, such as loss of required cooling for electrical signal
computation, or a series of such failures not shown to be at least a factor of ten less probable than the VMS PLOC,
which will unavoidably lead to degraded VMS operation, undegraded operation should be provided for a period of
time determined by the prime contractor and approved by the procuring activity.
3.1.5.3.8 Invulnerability to Command Loss
VMS Types T3 and T4 should be designed to ensure that loss of command from the MMS results in a capability no worse
than Operational State III, Type T2 should meet State IV and Types T1 and T0 may fail to State V.
3.1.5.3.9 Invulnerability to Maintenance Error
The VMS should be designed so that it is physically impossible to install or connect any component item improperly
without one or more overt modifications of the equipment or the aircraft. Provisions for adjusting the VMS on the aircraft,
except during initial buildup, major overhaul, software or firmware modification, or rigging during major maintenance
activities, should be minimized. LRU/WRAs should be designed to permit making internal adjustments only on the bench.
The system should require only a minimum of re-rigging following replacement of LRU/WRAs. In addition, all control
linkages and other flight control mechanisms should be designed to minimize the probability of jamming from inadvertent
entry of maintenance tools or other material.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.1.5.3.10 Invulnerability to Software Maintenance Error
The following provisions should be implemented to prevent propagation of software errors from any source:
a. Means for identification of the Operational Flight Program (OFP) should be provided, and procedures should be
established to prohibit the implementation of unintended versions of software in the VMS.
b. For systems designed for on-aircraft software loading, the system should have provisions to prevent loading the same
version of software already in the VMC and associated VMS processors to discourage software reload claimed as a
legitimate maintenance action for intermittent hardware failures that cannot be duplicated after flight.
c. Software configuration control and OFP installation requirements should be documented in the Software
Development plan, 4.6.1 (h).
d. Safety requirements should include the establishment of safety design processes to design safety into the subsystem,
as defined in 3.4.6.1.
e. For VMS having redundant channels or software functions distributed over multiple LRUs/WRAs, provision should be
made for the system to automatically detect any software version incompatibilities and alert the ground crew and CS
at power-up.
3.1.6 Electromagnetic Interference (EMI) Limits
The VMS should operate safely within the EMI environment and should meet the requirements of this specification and
any additional requirements dictated by the Aircraft Detail Specification. Special consideration should be given to
protecting the electronic subsystems of the VMS from lightning effects. The VMS should operate within the limits of MIL-
STD-464 and MIL-STD-461 environments, including both the VMS susceptibility to, and generation of, electromagnetic
interference. Electromagnetic Interference created by the systems and components during normal operation should be
within the limits of MIL-STD-464 and MIL-STD-461, respectively. The applicable detail requirements should be specified
by the procuring activity. Failure modes of all onboard systems and equipment, including flight controls, where these limits
may be exceeded should be identified in addition to sources of conducted EMI that may be detrimental to VMS operation.
Additionally, the estimated magnitude of EMI created by these failure modes should be provided for the assessment of
the safety of the VMS.
3.2 System Performance Recommended Requirements
3.2.1 General VMS Flight Control Performance Recommendations
The VMS should comply with the applicable general requirements of AS94900 unless superseded by the
recommendations herein, many of which are derived from AS94900.
3.2.1.1 Warm-up
The cold weather warm-up time is defined as that time elapsed between the application of power and the availability of
VMS full take off performance. The procuring activity should specify the maximum warm-up time required to meet the
system concept of operations. The VMS should provide a positive indication when this warm-up time is complete. This is
in addition to the normal air vehicle initialization time. Operational performance should be met by the VMS not more than
90 s after power is applied during initial startup on the ground, except for cold weather startup at temperatures not greater
than -40 °F (-40 °C), where the allowable startup time should be set by the prime contractor or procuring activity. If the
VMS controls and commands fluid powered actuation, such as flight control, the procuring activity should define a
different cold weather start up temperature, time or both.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.2.1.2 Disengagement
Provisions should be made for positive in-flight disengagement of Flight Phase Essential and noncritical controls under all
load conditions. The operator should be informed of automatic disengagement. Automatic disengagement circuitry should
be designed such that a failure of the circuitry itself does not prevent manual disengagement.
3.2.1.3 Status of Modes
A means should be provided so that the operator can visually determine the operational status and mode of the VMS
flight controls.
3.2.1.3.1 Mode Compatibility
Mode compatibility logic should provide flexibility to the VMS flight controls operation and ease of mode selection. The
mode selection logic should include the following additional requirements:
• Prevent the engagement of incompatible modes.
• Disconnect, as appropriate, previously engaged modes upon selection of higher priority modes.
• Provide arming of appropriate modes while certain modes are engaged.
• Provide for the emergency disengagement of a higher priority mode, in the event of its failure, and reversion to the
basic flight controls mode.
• Provide for mode engagement after mode engagement criteria have been met and provide positive notification of
mode engagement.
• Provide appropriate operator notification of modes as selections and de-selections are made. Mode status, warnings
and cautions should be clear, concise and not ambiguous.
• Minimize engage and disengage transients as dictated by mission requirements.
• Automatically disconnect automatic modes when in conflict with operator inputs. Levels should be dictated by the
procuring activity.
3.2.1.4 Stability
All flight control modes should be able to rapidly decrease any transient oscillation, and changes in parameters within the
3 sigma tolerance limits for all of the VMS components should not result in instability.
3.2.1.4.1 Aerodynamic-Closed Loop Stability Margins
An aerodynamic loop is one which relies on aerodynamics and/or thrust vectoring for loop closure such as stability
augmentation. The procuring activity should define gain and phase margins to meet operational requirements. In the
absence of guidance, the margins of Table 7 should be used. For the automatic modes, the stability requirement applies
only to the airspeed range of operation of these modes. In multiple loop systems, variations should be made with all
feedback paths held at their nominal values except for the path under investigation. A path is defined to include those
elements connecting feedback sensors to a force or moment effector. The loop breaks for analysis should be made at the
actuator commands. Where it is appropriate to do so based on symmetry, the loop break can be made at the point where
the command feeds a pair of actuators (symmetric stabilator command, for example).
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

The margins specified by Table 7 should be maintained under flight conditions of most adverse center-of-gravity, mass
distribution, and external store configuration throughout the Operational Flight Envelope and during ground operations. If
the control laws or associated gains change significantly with an angle-of-attack or aircraft geometric configuration, the
stability analysis should be made at representative values within the Operational Flight Envelope and not just 1 g flight.
Where analysis is used to demonstrate compliance with these stability requirements, the effects of major system
nonlinearities should be included when possible. The probability of loss of gain margin or phase margin, which results in
an unrecoverable condition, should be comparable with the required probability for loss of the aircraft due to VMS failure.
Analysis of the flexible aircraft models should be verified by ground vibration testing and airframe/VMS “structural
coupling” ground testing. “Phase stabilization” should not be used for achieving the stability margins for flexible aircraft
modes.
TABLE 7 - GAIN AND PHASE MARGIN REQUIREMENTS
Mode Airspeed
Frequency VOMIN At At
(Hz) To VOMAX Limit Airspeed (VL) 1.15 VL
fM < 0.06 GM = ±4.5 dB GM = ±3.0 dB GM = 0 dB
PM = ±30 degrees PM = ±20 degrees PM = 0 degrees (Stable

at Nominal Phase and
Gain)
0.06 ≤ fM GM = ±6.0 dB GM = ±4.5 dB GM = 0 dB
First Aeroelastic
Mode PM = ±45 degrees PM = ±30 degrees PM = 0 degrees (Stable
Gain)
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
fM > First GM = ±8.0 dB GM = ±6.0 dB GM = 0 dB
Aeroelastic
Mode PM = ±60 degrees PM = ±45 degrees PM = 0 degrees (Stable
Gain)
where:
VL = Limit Airspeed (MIL-A-8860)
VOMIN = Minimum Operational Airspeed (MIL-STD-1797)
VOMAX = Maximum Operational Airspeed (MIL-STD-1797)
Aeroelastic Mode = A characteristic aeroelastic response of the aircraft as described by an

aeroelastic characteristic root of the coupled aircraft/VMS dynamic
equation of motion.
GM = Gain Margin = The change in open loop gain required to reach unity
(0 dB) at the frequency where open loop phase is at 180 degrees.
PM = Phase Margin = The change in open loop phase required to reach

-180 degrees at the frequency where the open loop gain crosses unity
(0 dB).
fM = Frequency in Hz where the loop gain crosses 0 dB (phase margin

crossover) or phase crosses -180 degrees (gain margin crossover).
NOTE: In more complex systems, there may be multiple frequencies where the open loop system
crosses -180 degrees or where open loop gain crosses unity. All crossovers shall be
analyzed.

3.2.1.4.2 Non-Aerodynamic-Closed Loop Stability Margins
A non-aerodynamic closed loop is one which does not rely on aerodynamics for loop closure, such as a servoactuator.
3.2.1.4.2.1 Stability Margins
All non-aerodynamic-closed loops should be stable on-ground or in-air, inertially loaded and installed within the aircraft
load loop structure. The stability margins for all VMS Types should meet or exceed the following, unless otherwise
specified by the procuring activity.
a. In the nominal gain tolerance and operating condition, 8 dB and 60 degrees gain and phase, respectively should
apply to the flexible aircraft modes. Analysis of the servoactuators and flexible aircraft models must be verified by
ground vibration testing and airframe/VMS “structural coupling” ground testing.
b. The loops should be stable with the loop in the worst-case operating condition at a tolerance condition established by
a Monte Carlo or equivalent analysis that varies component values up to their 3 sigma level. The prime contractor
should provide the rationale for the worst-case conditions in the VMS Analysis Report, 4.6.3.1.
3.2.1.4.3 Sensitivity Analysis
The sensitivity analysis should be performed as described in AS94900.
3.2.1.5 Operation in Atmospheric Disturbances and Atmospheric Models
The VMS must be capable of operating while flying in the following applicable random and discrete turbulence
environments for all design centers of gravity, mass distributions, and external stores configurations. The dynamic
analysis or other means used to satisfy these requirements should include the effects of rigid body motion, significant
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
flexible degrees of freedom, and the VMS. The effect of the turbulence on any feedback sensor system utilized by the
VMS must be considered. Mission sensor stabilization requirements may also lead to adjustments of VMS capabilities to
suppress the effects of turbulence.
a. In normal operation (Operational State I) and in the turbulence environments of 3.2.1.5.1 and 3.2.1.5.2 the VMS
should provide a safe level of operation and maintain mission accomplishment capability.
b. While operating in the turbulence levels of 3.2.1.5.1 with only the Essential controls engaged and active, the VMS
should provide at least Operational State I performance.
c. The VMS should provide at least Operational State III for gust intensities corresponding to exceedance probabilities
specified in Table 8 with the Essential controls engaged and active.
d. Noncritical controls should provide at least Operational State II in atmospheric disturbances at the intensities
corresponding to 10 -2 probability of exceedance.
e. Noncritical controls operating in disturbances with gust intensities above those specified should not degrade flight
safety or mission effectiveness below the level that would exist with the control inactive. Automatic or manual means
to inactivate the noncritical control for flight in heavy disturbances should be used when required.

TABLE 8 - TURBULENCE INTENSITY EXCEEDANCE PROBABILITY
Probability of Probability of
UA Max Gross Normal Speed Exceedance Exceedance
Category TOW (lb) Op. Alt (ft) (KIAS) (Essential) (Non-critical)
< 1200 100
Group 1 0 - 20 10-3 10-2
AGL knots
< 3500
Group 2 21 - 55 < 250 10-3 10-2
AGL
knots
Group 3 55 - 1 320 < 18 000 10-4 10-2
Group 4 MSL 10-5 10-2
Any
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
> 1 320 > 18 000
Group 5 Airspeed 10-6 10-2
MSL
NOTE: TOW is the abbreviation for “Take-off weight”
Procuring activities may adjust these requirements (more or less stringent) based upon the mission and performance
requirements of the UA. These adjustments may be related to VMS Types where the probability of exposure to turbulence
could also be related to the probability of failure of the entire VMS during a mission (the driving requirement for VMS
Type). Mission length may increase the exposure to larger (less common gust intensities) which might cause the loss of
the vehicle as well as increase the exposure to system failures which might also cause the loss of the vehicle. Example:
To require a simplex UA VMS which has a probably of loss of control of 10-2 to be able to tolerate a gust intensity which
has a probability of exceedance of 10-4 (11.8 ft/s) (3.6 m/s) gust may be excessive if the mission completion requirements
are still met.
3.2.1.5.1 Random Turbulence
The root-mean-square turbulence intensity to be used for normal flight and for terrain following should have a cumulative
probability of exceedance as listed in Table 8. The relationship among vertical, lateral, and longitudinal root-mean-square
intensities and scales should be investigated and the results used to establish intensities for lateral and longitudinal gusts.
The listed turbulence intensity levels apply at the Turbulence Penetration Airspeed (VG). The mathematical forms of
continuous random turbulence to be used in conjunction with the specified intensity levels should meet the applicable
requirements of MIL-STD-1797, MIL-F-83300, or ADS-33E-PRF requirements as applicable. Table 9 defines root-mean-
square vertical gust amplitudes versus altitude for selected exceedance probabilities.

TABLE 9 - ROOT-MEAN-SQUARE GUST INTENSITIES FOR SELECTED CUMULATIVE EXCEEDANCE

PROBABILITIES (FEET PER SECOND TRUE AIRSPEED)
Flight Altitude Probability of Exceedance

Segment (ft-AGL) -1 -1 -2 -3 -4 -5 -6
2 x 10 10 10 10 10 10 10
Up to 1000
4.0 5.1 8.0 10.2 12.1 14.0 23.1
Terrain (Lateral)
Following Up to 1000
3.5 4.4 7.0 8.9 10.5 12.1 17.5
(Vertical)
500 3.2 4.2 6.6 8.6 11.8 15.6 18.7
1750 2.2 3.6 6.9 9.6 13.0 17.6 21.5
3750 1.5 3.3 7.4 10.6 16.0 23.0 28.4
7500 0 1.6 6.7 10.1 15.1 23.6 30.2
Normal 15 000 0 0 4.6 8.0 11.6 22.1 30.7
Flight 25 000 0 0 2.7 6.6 9.7 20.0 31.0
Climb
Cruise 35 000 0 0 0.4 5.0 8.1 16.0 25.2
and 45 000 0 0 0 4.2 8.2 15.1 23.1
Descent 55 000 0 0 0 2.7 7.9 12.1 17.5
65 000 0 0 0 0 4.9 7.9 10.7
75 000 0 0 0 0 3.2 6.2 8.4
Over
0 0 0 0 2.1 5.1 7.2
85 000
Footnote:
1. 1 ft = 0.304 8 m
3.2.1.5.2 Discrete Gusts
Discrete gust amplitudes to be used should be established using the relationship between random and discrete gust
amplitudes in accordance with the applicable requirements of MIL-STD-1797, MIL-F-83300, or ADS-33E-PRF
requirements, and the root-mean-square amplitudes specified in 3.2.1.5.1. The maximum discrete gust to be used should
be defined as a single full wave of a (1-cos) function with a peak amplitude of 60 ft/s which may be encountered
anywhere within the Operational Flight Envelope. The wavelength of the discrete gust should be tuned to provide
maximum excitation.
3.2.1.5.3 Low-Altitude Disturbance Model
MIL-STD-1797 specifies the model of atmospheric disturbances to be used for all Category C operations. The effects of
wind shear, turbulence and gusts may be analyzed separately. Some analysis and piloted simulation is required
considering a complete environmental representation, demonstrating compliance with the requirements with the
cumulative effects of wind shear, turbulence and gusts. A non-Gaussian turbulence representation together with a wind
model may also be used to represent the patchy, intermittent nature of actual measured turbulence.
3.2.1.5.4 Carrier Landing Disturbance Model
MIL-STD-1797 specifies the model of atmospheric disturbances to be used for carrier landing operations. The model
should be used in analysis and simulations to determine aircraft control response and path control accuracy during carrier
landing. This model supplements but does not replace the low-altitude model of 3.2.1.5.3.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.2.1.6 Internal Noise
There should be no noticeable high frequency motion of the control surfaces due to noise signals generated by the VMS.
3.2.1.7 Residual Oscillations:
Residual oscillations should not interfere with the UA performance of its required tasks. For normal operation during
steady flight in calm air, the VMS induced aircraft residual oscillations in pitch, roll and yaw attitude angles should satisfy
the mission requirements in conjunction with the pointing, accuracy and stabilization capabilities of the mission payload
and mission maneuvering. Residual oscillations in pitch, roll and yaw attitude at any sensor location where pointing
accuracy is required should not exceed 0.6 degree peak to peak for any flight phase requiring use of the payload.
Residual oscillations in pitch, roll and yaw attitude of the vehicle should not exceed 0.6 degree peak to peak for any flight
phase requiring precision control of attitude. These flight phases include, but are not limited to, aerial refueling, formation
flight with manned or unmanned aircraft, payload pointing or presentation, weapon delivery, or any terminal operation
including landing and takeoff. These limits do not apply to States below Operational State I. Residual oscillations that
result in measurable actuator motion or cylinder chamber pressure variation or motor current variation should be
considered in defining actuator service life. Residual oscillations of any control surface should not exceed 0.5 degree
peak to peak consistent with the wear and expected life characteristics of the actuation system.
The procuring activity may find that more stringent requirements are necessary to obtain desired performance.
3.2.1.8 Acceleration Effects
Acceleration forces acting upon the VMS components should not cause un-commanded control inputs, cause
components to malfunction or become inoperative within the Operational Flight Envelope and during launches.
3.2.1.9 Structural Protection
In all operational modes and within the Operational Flight Envelope, means should be provided to prevent the VMS from
applying commands that will cause the aircraft to exceed the limit load factor. Structural protection requirements shall be
defined in the Aircraft Detail Specification. In Manual and Assisted operational modes, means should be provided to
allow the operator to override these limiting provisions, to achieve maximum obtainable load factor.
3.2.1.9.1 Flight Load and Fatigue Alleviation
Provisions for flight load and fatigue alleviation should be defined in the Aircraft Detail Specification. These provisions
should be developed using best system engineering practice to determine the tradeoff with flying qualities and flight
control actuator requirements.
3.2.1.9.2 Gust and Maneuver Load Alleviation
Provisions for flight maneuver load and gust alleviation should be determined by the prime contractor and documented in
the VMS Specification, 4.6.2. These provisions should be developed using best system engineering practice to determine
the tradeoff with flying qualities and flight control sensor and actuator requirements.
3.2.1.10 Failure Transients

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
The failure transient requirements apply only to VMS Types with redundancy management and/or reconfiguration
capability. Aircraft motions following VMS or VMS component failures should be such that dangerous conditions can be
avoided by automatic VMS corrective action. During operation at a trimmed flight condition the transients immediately
after the failure and during the period of automatic VMS corrective action should not exceed the Case levels, C1 through
C3 defined in Table 10. During maneuvering flight no single failure within the VMS, of Types T2 through T4, should result
in: flight characteristics that prevent mission operations, intolerable flying characteristics, a dangerous change in flight
path, departure from controlled flight, flutter or aeroelastic divergence, or exceeding the aircraft structural limits.

TABLE 10 - FAILURE TRANSIENT CASES
VMS Type
Operational State Definition T0 T1 T2 T3 T4
Normal Operation Most
Demanding Mission NA NA C2 C1 C1
I segment or task
Normal Operation all
NA NA C2 C2 C2
other Missions
II Restricted Operation NA NA C3 C2 C2
Minimum Safe
III NA NA C3 C3 C3
Operation
Controllable to
IV NA NA NA NA NA
Predetermined Heading
V Loss of Control NA NA NA NA NA
NOTES: 1. Case C1 - Not more than ±0.5 g max incremental normal acceleration, and
not more than ±0.5 g lateral acceleration at the aircraft center of gravity, and
not more than ±10 degrees/s roll rate, except that neither stall angle of attack
nor structural limits should be exceeded.
For Category A and C flight phases,
not more than ±5 ft (±1.5 m) vertical or lateral excursions, and
not more than ±2 degrees pitch and bank angle.
2. Case C2 - Not more than ±2.0 g max incremental normal acceleration, or
that which would cause the structural limit of the vehicle to be exceeded,
not more than ±20 degrees/s roll rate, and
the lesser of 5 degrees sideslip and the structural limit.
3. Case C3 - No dangerous attitude reached or structural limit exceeded and no dangerous alteration of the
flight path from which recovery is impossible.
For Manual and Assisted control vehicles requiring human operator intervention to mitigate VMS failures, a specified
value of time delay between the failure and initiation of operator corrective action should be included in the analysis when
determining compliance. The value of time delay should be determined by the prime contractor and approved by the
procuring activity. This time delay includes an interval between the occurrence of the failure and the occurrence of a cue
such as acceleration, rate, displacement, or sound that will definitively indicate to the operator that a failure has occurred,
plus an additional interval which represents the time required for the operator to diagnose the situation and initiate
corrective action. A time delay of at least 2 s between the failure recognition and initiation of operator corrective action
should be included in the analysis when determining compliance.
3.2.2 Primary Flight Control Recommended Requirements
The following recommendations apply. References to mechanical or electrical flight controls apply only when that
mechanization is used.
3.2.2.1 Primary Functional Modes of the VMS
The primary functional modes control the basic longitudinal, lateral, and directional axes of the aircraft through such
control effectors as elevators, ailerons, rudders and canards for fixed wing aircraft and swashplates and tail rotors for
rotorcraft. The Aircraft Detail Specification should determine the applicable modes. The modes may be separated and
divided by axis and selectable by the operator or there may be one primary mode of operation, nonselectable.
--`,`,,``````,

3.2.2.2 Operability Following Failures
The performance and capability of any of the Primary Functional Modes after a failure or failures should be determined by
the prime contractor and documented in the VMS Specification, 4.6.2.
3.2.2.3 Augmentation
When used, augmentation should be designed such that incompatible control modes should be inhibited. Single failures
in a gain scheduling function, which are not at least a factor of ten less probable than the VMS PLOC, should not degrade
augmentation performance below Operational State III. Positive electrical, or software/firmware limits should be provided
in gain schedulers to preclude exceeding limiting gain values.
3.2.2.4 Surface Rate Capability
The VMS control surface rate capability should be adequate to satisfy the flying characteristics and control margin,
requirements defined in the VMS Specification 4.6.2.
3.2.2.5 Data Latency
The VMS data latency and computational delay should be minimized to assist the UAS to satisfy the Flying
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
Characteristics, Control Margin, and Pilot Induced Oscillation (PIO) requirements specified in MIL-STD-1797 and ADS-
33E-PRF.
NOTE: For the design of UAS employing vehicles with Manual control capability, industry experience indicates that the
total system delay between control stick input and an observed change of vehicle state on CS displays should not
exceed 135 ms when the system is in Operational State I or II.
3.2.2.6 Command and Control Link Redundancy
Loss of one path of a redundant command and control link between the UA and CS should result in an indication to the
operator that the link is degraded. The required UA response to a loss or degradation of command and control data, (see
3.2.5.1.5), should be defined by the procuring activity. It is recommended that this response be configurable by the
operator. Particular care should be exercised regarding holding last command in a lost command and control link
condition; example: command to descend (seek and maintain a vertical velocity).
3.2.3 Secondary Flight Controls
The Aircraft Detail Specification should specify which modes are applicable. Typical secondary modes include but should
not be limited to the following:
a. High Lift Control
b. Speed Brakes
c. Direct Lift Control
d. Variable Wing Sweep Control
e. Maneuver Flaps
f. Stability Altering Systems
g. Wheel Brake Control Anti-Skid
Outputs from the Secondary Functional Mode controllers should not cause objectionable aircraft response characteristics.

3.2.3.1 High Lift Control
A control system should be provided for actuating high lift devices. Unless specified in the Aircraft Detail Specification, the
time to operate the landing flaps under normal operating conditions should in the range of 15 to 20 s, at the maximum
aircraft speed for which they should be operated. For Type T2, T3 and T4 VMS the following safety features should be
incorporated. High lift devices should contain provisions for synchronous operation, unless it can be demonstrated that no
hazardous flight attitude will result from unsynchronized operation. The demonstration may be conducted using operator
simulation provided the aerodynamic data base has been explicitly developed to include asymmetric flap forces and
moments. In the event of a failure in the high lift control system, the high lift device should maintain synchronization, or
remain synchronized without motion. The degree of asymmetry and the flight conditions for demonstration should
generally be the most critical for inducing hazardous flight attitudes. This demonstration should be approved by the
procuring activity and included in the VMS Development Plan, 4.6.1. An emergency means for operating the high lift
devices should be provided on aircraft where safe operational landings cannot be accomplished without use of the high lift
devices. The emergency system should be completely independent of the basic high lift system up to, but not necessarily
including, the actuators.
3.2.3.2 Speed Brakes
If the VMS employs a dedicated speed brake surface or surfaces, the actuation control system should prevent structural
damage if opened at VL. Blowback may be used to prevent structural damage. The time to extend the speed brakes over
the operating range should be as specified in the Aircraft Detail Specification. For Type T2, T3 and T4 VMS the following
safety features should be incorporated. Emergency retraction is required on speedbrakes that will not automatically
retract, as a result of airloads, when the control is moved to the retract position. Where asymmetric operation of speed
brakes would cause uncontrollable aerodynamic moments on the aircraft, provisions should be made to prevent this
condition. Where these devices perform functions requiring asymmetric operation, provisions should be made to prevent
unintentional operation. If the speed brake function of increased drag is obtained with an unconventional deployment of
the primary control effectors the VMS should provide aircraft protection equivalent to the requirements above.
3.2.3.3 Direct Lift Control (DLC)
If the VMS includes the use of a DLC function to enhance mission performance, as defined in the Aircraft Detail
Specification, its use and operation should be consistent with the level of flight path control necessary and the
implications of any failures which might compromise the safety of the operation of the vehicle, consistent with the VMS
Type.
3.2.3.4 Wing Sweep Control
The Variable Wing Sweep Control System should be able to vary the rate of change of wing sweep angle over the entire
flight envelope consistent with mission performance and flight safety requirements. The servomechanism controlling wing
sweep angle should be stable and free of limit cycle oscillations for all flight conditions. For Type T3 and T4 VMS the
following safety features should be incorporated. Variable wing sweep control systems should be designed as a minimum
to the single-failure, fail-safe criterion. The control system should contain a failure detection system. The provisions
should be made for an emergency back-up system to actuate the wings to the landing position in case of failure of the
main control system if such is necessary to permit a safe landing of the aircraft.
3.2.4 Ground Control Modes
The required ground control functions, such as combinations of Nose Wheel Steering (NWS), differential braking, and
deflected aerodynamic effectors, should be determined by the prime contractor and documented in the VMS
Specification, 4.6.2.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

For VMS Types T2, T3 and T4 the VMS should provide mode switching logic and failure detection and isolation for the
primary steering control, as specified in 3.1.3.3. The primary controls should have at least fail-safe capability, for example:
a. For NWS, to a shimmy damper function
b. For differential braking, to symmetric braking
c. For aerodynamic steering, to use other aerodynamic control surfaces, NWS, or differential braking
NWS and differential braking may also provide variable gain or control authority, selected by the VMS as a function of
variables such as speed and flight phase, to provide lower gains or control authority for takeoff and landing and higher for
ground maneuvering at low speeds.
3.2.4.1 Ground Control Loop Stability Margins
A ground control loop is one which relies on nose wheel steering (NWS), differential/symmetrical braking, and/or
aerodynamics for loop closure such as stability augmentation and outer loop navigational control. The stability
requirement applies only to the groundspeed and/or airspeed range of operation of these modes. In multiple loop
systems, variations should be made with all feedback paths held at their nominal values except for the path under
investigation. A path is defined to include those elements connecting feedback sensors to a force or moment effector. The
loop breaks for analysis should be made at the actuator commands. Where it is appropriate to do so based on symmetry,
the loop break can be made at the point where the command feeds a pair of actuators (symmetric braking command, for
example).
All ground control closed loops should be stable, inertially loaded and installed within the aircraft load loop structure. The
stability margins for all VMS Types should meet or exceed the following, unless otherwise specified by the procuring
activity:
a. In the nominal gain tolerance and operating condition, 8 dB and 60 degrees gain and phase, respectively should
apply to the flexible aircraft modes. Analysis of the servoactuators and flexible aircraft models must be verified by
ground vibration testing and airframe/VMS “structural coupling” ground testing.
b. The loops should be stable with the loop in the worst-case operating condition at a tolerance condition established by
a Monte Carlo or equivalent analysis that varies component values up to their 3 sigma level. The prime contractor
should provide the rationale for the worst conditions in the VMS Analysis Report 4.6.3.1.
These margins should be maintained for the ground operating conditions of most adverse center-of-gravity, mass
distribution, and external store configuration throughout the ground operating envelope. If the control laws or associated
gains change significantly with an aircraft state such as ground speed, or with an aircraft geometric configuration, such as
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
nose wheel steering engaged or castered, or aircraft loading, the stability analysis should be made at representative
values within the ground operating envelope and not just one condition. Where analysis is used to demonstrate
compliance with these stability requirements, the effects of major system nonlinearities should be included when possible.
The probability of loss of gain margin or phase margin, which results in an unrecoverable condition, should be
comparable with the required probability for loss of the aircraft due to VMS failure.
3.2.4.2 Ground Control Issues
The following issues should be considered when designing the UAS steering functions:
a. Effective braking variations between left and right wheels, for example:
1. Carbon-carbon brake systems lot-to-lot variability in friction performance
2. Tire to ground friction variability, including dry and wet runway
3. Tire radius differences from, for example, different tire pressures or a blown tire

4. Controllability in high crosswinds (>20 knots).
5. Robust interlocks to prevent brake application during a catapult launch
b. Blending of low speed steering functions (NWS, differential braking) and high speed steering functions (aerodynamics
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
surfaces)
c. Ground operation specific failure modes:
1. Braking system: Asymmetric loss of braking or locked brake
2. NWS: failed to caster, fixed/hard-over deflection, NWS actuator stall
3. Blown tire
The prime contractor should obtain detailed design details for the brake control unit (if using a sub-contracted system) to
ensure the VMS is robust to “black box” design issues (destabilizing feedback loops that require additional VMS control to
stabilize, for example). Sufficient effort and attention should be given to the modeling of these system features for design
and analysis purposes.
3.2.5 Manual, Assisted and Autonomous Control Mode Performance Recommended Requirements
3.2.5.1 Manual Mode and General Recommended Requirements
Engage and disengage, selection logic, and functional safety criteria and limits for the Manual control mode and each
automated function, as applicable, should be established and specified in the Aircraft Detail Specification. When the
following functions are used, the specified performance should be as specified herein. Unless otherwise specified, these
requirements apply in smooth air and include sensor error. Manual, Assisted and Autonomous mode requirements for
rotorcraft should be the applicable sections of ADS-33E-PRF.
3.2.5.1.1 Damping
Except where otherwise specified, a damping ratio of at least 0.3 critical should be provided for nonstructural Manual,
Assisted and Autonomous operational mode responses. Specified damping requirements apply only to the response
characteristics for perturbations an order of magnitude greater than the allowable residual oscillation.
3.2.5.1.2 Assisted Flight Control for Remotely Piloted Aircraft
The operator in Assisted mode should retain full capability to rapidly maneuver the aircraft. Automatic disengagement of
Assisted control and reversion to Manual control upon operator input is permitted. Specific requirements for reversion
logic should be developed by the prime contractor and documented in the VMS Specification, 4.6.2.
3.2.5.1.3 Lateral Acceleration and Sideslip Limits
The following performance should be provided when any lateral-directional function is engaged. Lateral acceleration
refers to apparent (measured, sensed) body axis acceleration at the aircraft center of gravity.
3.2.5.1.3.1 Coordination in Steady Banked Turns
The procuring activity should determine the applicability of AS94900, as dictated by the mission requirements. In the
absence of such direction the following should apply:
The incremental sideslip angle should not exceed 2 degrees from the trimmed value, and lateral acceleration should not
exceed 0.03 g, while at steady bank angles up to the maneuver bank angle limit reached in normal maneuvers. For
Vertical Takeoff and Landing (VTOL) and Vertical and Short Takeoff and Landing (VSTOL) vehicles, only the lateral
acceleration limit applies. It should be noted that these recommended performance requirements are the historical values
from manned aircraft practice (see AS94900).

3.2.5.1.3.2 Lateral Acceleration Limits, Rolling
The procuring activity should determine the applicability of AS94900, as dictated by the mission requirements.
3.2.5.1.3.3 Coordination in Straight and Level Flight
The procuring activity should determine the applicability of AS94900, as dictated by the mission requirements. In the
absence of such direction the following should apply:
The accuracy while the aircraft is in straight and level flight should be maintained with an incremental sideslip angle of
±1 degree from the trimmed value or a lateral acceleration of ±0.02 g at the c.g., whichever is lower. For VTOL and
VSTOL vehicles, only the lateral acceleration limit applies. It should be noted that these recommended performance
requirements are the historical values from manned aircraft practice (see AS94900).
3.2.5.1.3.4 Sideslip Limits
The procuring activity should determine the applicability of AS94900, as dictated by mission requirements.
3.2.5.1.4 Emergency Disengagement
Emergency disengagement of all modes should be provided. A method for continued operation of the vehicle after mode
disengagement should be provided.
3.2.5.1.5 Control Mode Response to Loss of Command and Control Data Link
Loss or degradation of the command and control data should cause the VMS to enter a Loss of Command and Control
(LOC) state. The thresholds and conditions for entering a LOC state, as well as the required behavior of the UA in that
state, must be established in detail with the procuring activity. Consideration should be given to mode of operation
(Manual, Assisted or Autonomous) to be employed, mission phase and risk to the vehicle or third parties. Threshold
values for entering an LOC state should be established based on the acceptability of a degraded link condition if
applicable.
3.2.5.1.6 Switching
Switching between guidance sources or between normal control modes should not cause transients greater than ±0.5 g
and 10 degrees bank angle. These values are not applicable for precision maneuver tasks such as formation flight, in-
flight refueling and landing, for which transient requirements of ±0.05 g and ±1 degree bank should be considered.
3.2.5.1.7 Ground Collision Avoidance System
If required and implemented, the VMS should be capable of providing the functionality of an automatic Ground Collision
Avoidance System (GCAS) or of responding to terrain avoidance flight path commands generated by a separate GCAS.
For the purpose of this document the term “GCAS” refers to a fully automatic function which requires no operator input, at
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
least while fully operational. A non-automatic function, in which the operator intervenes upon warnings provided by a
Ground Proximity Warning System (GPWS), a GPWS-type function might be viable for a UA but would require generous
thresholds to allow for data latency and human operator reaction time.
3.2.5.1.7.1 GCAS Functional Requirements
The GCAS function should continuously compute a ground avoidance trajectory using a digital terrain data base,
determine when a recovery is required, take control from the operator, command the recovery, provide nuisance-free
performance, and return control when the flight path clears the terrain of concern. If the VMS also includes an Automatic
Terrain Following function, see 3.2.5.3.7, or an Automatic Terrain Avoidance function, see 3.2.5.3.9, that function should
take precedence over GCAS.

The operator should be able to set or vary the height above terrain while the GCAS is in use. The minimal settable altitude
above terrain should not be less than maximum error of the sensors plus the maximum error of the GCAS performance
model. Sensing failures of the GCAS function during normal flight should be annunciated and result in automatic
disengagement of GCAS and an automatic recovery by means of a maneuver such as an automatic fly-up, if necessary.
The maneuver should provide clearance from local terrain, consistent with the UAS mission and vehicle requirements and
the terrain. Failures of the GCAS function occurring during a recovery maneuver should not prevent its completion.
The VMS should be responsible for automatically rolling the air vehicle to wings level and producing a fly-up with enough
positive gs to avoid the terrain. Once the flight path is clear of the threatening terrain feature the maneuver is terminated.
The VMS should ensure the maneuver does not cause the structural limits of the vehicle to be exceeded.
3.2.5.1.7.2 GCAS Performance Requirement Recommendations
Performance requirements should be as specified by the procuring activity. The digital terrain system should provide
digital terrain elevation data (DTED) in front of and around the air vehicle. The DTED should be Level 1 resolution (3 arc
second) or higher. The INS/GPS should provide position data to place the air vehicle on the DTED map. The system
should not allow a set distance less than twice the accuracy of the sensors.
3.2.5.1.7.3 GCAS Integrity
The VMS should monitor the integrity of all elements providing the functionality.
The required recovery maneuver is commanded by the VMS only when VMS integrity management has ensured that all
the elements are operational.
The VMS Integrity Management should include:
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
a. Receiving Built In Test (BIT) data from all GCAS elements
b. Ensuring the integrity of the communication between all GCAS elements and receiving answers to ensure the function
is safe to perform an automatic maneuver
c. Completion of an automatic maneuver in the event that a failure occurs during the maneuver
3.2.5.2 Assisted Modes
The operator relief category should include those Assisted control functions which simplify or ease the control of the flight
path of the aircraft. The performance requirements for Assised Modes are dependent upon: the aircraft configuration,
mission, and VMS Type. When the following functions are used the specified performance requirements should be
provided. These requirements apply in smooth air and include sensor errors. The performance requirements below are
typical for VMS Types T3 and T4. The performance requirements may be relaxed for specific vehicles and VMS Types.
The performance requirements may be more stringent to accommodate sensor packages associated with some missions.
If the performance requirements differ from those listed below the requirements should be defined in the VMS
Specification, Section 4.6.2.
3.2.5.2.1 Attitude Hold (Pitch and Roll)
Attitudes should be maintained in smooth air with a static accuracy of ±0.5 degree pitch attitude with wings level and
±1.0 degree in roll attitude with respect to the reference attitude. The root-mean-square attitude deviations should not
exceed 5 degrees in pitch and 10 degrees in roll attitude in turbulence at the intensities specified in 3.2.1.5. Accuracy
requirements should be achieved and maintained within 3 to 5 s of mode engagement for a 5 degree attitude disturbance.
Upon completion of an operator-controlled maneuver, the aircraft attitude maintained by the VMS should be the aircraft
attitude at the time the commanded forces were removed, if this attitude is within the limits of the Attitude Hold mode.

3.2.5.2.2 Heading Hold
In smooth air, heading should be maintained within a static accuracy of ±0.5 degree with respect to the reference
heading. In turbulence, the heading deviation should not exceed 5.0 degrees, root-mean-square, and at least Operational
-2
State II should be provided at the gust intensities corresponding to a cumulative exceedance probability of 10 , as
defined in 3.2.1.5, Table 8. When Heading Hold is engaged, and the aircraft is rolled to wings level, the aircraft should
capture and hold the heading that exists at the time the aircraft is within approximately 3 degrees of wings level.
3.2.5.2.3 Heading Select
The aircraft should automatically turn through the smallest angle to any heading selected or preselected by the operator
and maintain that heading to the tolerances specified for Heading Hold. The procuring activity should specify a minimum
required turn rate. The prime contractor should determine a bank angle limit consistent with the speed and altitude limit,
which allows the specified minimum turn rate and precludes impending stall or exceedance of a vehicle load limit. The
heading selector should have 360 degrees control. The aircraft should not overshoot the selected heading by more than
1.5 degrees with flaps up or 2.5 degrees with flaps down. Entry into and exit from the turn should be smooth and rapid.
The procuring activity should establish limits for the maximum roll rate and roll acceleration based upon the vehicle size,
mission, maneuvering and sensor performance requirements. The historical limits from manned aircraft operation are
10 degrees/s and 5 degrees/s/s, respectively (see AS94900).
3.2.5.2.4 Altitude Hold and Altitude Select
Altitude Hold may be referenced to barometric, radar altimeter or GPS altitude measurements, each with its own
performance capability.
3.2.5.2.4.1 Barometric Altitude Hold and Altitude Select
Engagement of the Barometric Altitude Hold or Altitude Select function at rates of climb or descent less than 2000 ft/min
(610 m/min) should select the existing indicated barometric altitude or selected altitude, respectively, and control the
aircraft to this indicated barometric altitude as reference. For engagement at rates of climb above 2000 ft/min (610 m/min)
the VMS should not cause any unsafe maneuvers. The procuring activity should define the required control accuracy. In
the absence of such specification, within the aircraft thrust/drag capability and at steady bank angles, the control
accuracies specified in MIL-C-18244 should be required. Alternatively, where the mission requirements, Operating Area
and payload considerations allow it, the control accuracy specified may be allowed to degrade to the numbers that follow:
±100 ft (±30.5 m) (3-sigma) from 0 to 18 000 ft (0 to 5490 m) altitude
±245 ft (±75 m) (3-sigma) from 18 000 to 80 000 ft (5490 to 24 400 m) altitude
NOTE: These accuracies are with respect to the altitude reference signal and are not the total system errors, which also
include altitude sensor source errors and position errors induced by the local airframe flow field. The procuring
activity may impose more stringent control accuracies if the vehicle must meet Reduced Vertical Separation
Minimum (RVSM) requirements. Those requirements are not within the scope of this document.
Following a perturbation which disturbs the vehicle while the altitude hold or altitude select mode is engaged, the
specified accuracy should be achieved within 30 s. Following engagement of altitude hold mode at an altitude rate of
2000 ft/min (610 m/min) or less, the specified accuracy should be achieved in 30 s. Following engagement of altitude
select mode, the specified accuracy should be maintained within 30 s of attaining the selected altitude, within the desired
accuracy band. Any periodic residual oscillation within these limits should have a period of at least 20 s. Altitude Select
allows for the attainment of an altitude preselected by the operator, or automatically selected by a guidance or navigation
program.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.2.5.2.4.2 Radar Altitude Hold
For Radar Altitude Hold, radar altitude at engagement should be used as the reference altitude. The procuring activity
should define the Radar Altitude Hold control accuracy required. In the absence of that definition, the Radar Hold control
accuracy defined for rotary wing aircraft in MIL-C-18244 should be specified. Alternatively, for the close-to-the-ground
operations typical for rotorcraft, the control accuracy specified may be increased to ±4 ft (1.22 m) with respect to the radar
altitude reference. Aircraft climb/descent responses to abrupt radar altitude changes (flying over a building, etc.) should
be limited to 200 ft/min (61 m/min). When a radar altimeter failure occurs, the Barometric Altitude Hold function should
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
automatically engage at the existing altitude and a warning should be sent to the operator that VMS is using barometric
altitude inputs for the Altitude Hold function. For rotary wing vehicles, particular care should be taken regarding the
location of radar altimeter antennas to preclude locking on to external sling loads, both in forward flight and in hover.
3.2.5.2.4.3 GPS Altitude Hold
GPS Altitude Hold should not be used below a nominal 300 ft. AGL. This limit should be supported by, or adjusted to
conform with, an analysis by the prime contractor of the GPS system capability, the mission requirements, the potential
consequences of other system faults and the ability of the VMS to accommodate them.
3.2.5.2.5 Mach Select and Mach Hold
The requirements of this paragraph should be met in straight, steady flight, and also in climb or descent. After selection of
a Mach number or, if a Mach Hold function is implemented, the engagement of and stabilization in Mach Hold, the VMS
should maintain the Mach number and the error should not exceed ±0.01 Mach or ±2.0% of indicated Mach, whichever is
larger, with respect to the reference. When Mach Hold is engaged, the Mach number existing at the moment of
engagement should be the reference. Any periodic oscillation within these limits should have a period of at least 20 s. The
prime contractor should establish a mode response or maximum-time-to-capture requirement which is suitable for the
mission phases where this mode is used. The resolution of the selected Mach number or the value used to adjust the
Mach number in Mach Hold (by the operator or mission plan) should be no greater than ±0.01 Mach. The Mach Select or
Mach Hold function should not cause the vehicle to decelerate below the minimum airspeed or accelerate above the
maximum Mach number or airspeed of the vehicle.
3.2.5.2.6 Airspeed Select and Airspeed Hold
The requirements of this paragraph should be met in straight, steady flight, and also in climb or descent. After selection of
an airspeed or, if an Airspeed Hold function is implemented, the engagement of and stabilization in Airspeed Hold, the
VMS should maintain the Indicated airspeed and the error should not exceed ±10 knots or ±2% of the reference airspeed,
whichever is greater. When Airspeed Hold is engaged, the airspeed existing at the engagement should be the reference.
Any periodic oscillation within this limit should have a period of at least 20 s. The prime contractor should establish a
mode response or maximum time to capture requirement which is suitable for the mission phase where this mode is used.
The resolution of the selected airspeed or value used to adjust the airspeed in Airspeed Hold (by the operator or mission
plan) should be no greater than ±1 knot. The Airspeed Select or Airspeed Hold function should not cause the vehicle to
decelerate below the minimum airspeed or accelerate above the maximum Mach number or airspeed of the vehicle.
3.2.5.2.7 VMS Control of Engine Thrust

Throttle and engine thrust control by the VMS should be compatible with Manual, Assisted and Autonomous operational
modes, as necessary. Control performance should be compatible with closed loop control of the speed/Mach hold and
Altitude Hold, and with the general maneuvering requirements of the UA. The throttle control should not create adverse
engine stability margin issues nor degrade engine stall margins. The VMS should have the authority to control the throttle
from OFF to the MAXIMUM thrust allowed by the flight conditions and provide acceptable operation. The VMS should
support operator override if necessary. Operation of the throttle for closed loop control should compensate for the effects
of temperature. The procuring activity, and the prime contractor, should define the success criteria for each of the above
requirements.
Any powerplant controls that are used for direct flight path control or to provide aircraft damping should be considered an
integral part of the VMS, and should be designed to conform to the philosophical and hardware requirements for that
system.

3.2.5.2.8 Payload Environment
The “Ride smoothing” and “Discomfort Index” considerations appropriate for a manned aircraft have no relevance for a
UA. The control of the environment for a payload sensor should be considered.
3.2.5.2.9 Sense and Avoid Maneuver Assist
A Sense and Avoid (SAA) mode may be required for all aircraft operating in non-segregated airspace to provide a means
for collision avoidance and self-separation. The VMS should provide a means for changing the flight path of the aircraft
autonomously, or through operator inputs, while maintaining positive aircraft control and avoiding departure from
controlled flight. This requirement applies to both cooperative and non-cooperative aircraft intruders. Cooperative
intruders may broadcast their position through a Mode S transponder for Traffic Collision Avoidance System II (TCAS II)
Resolution Advisory (RA) operation, a Mode A or C transponder for TCAS I Traffic Advisory (TA) only operation or
Automatic Dependent Surveillance-Broadcast (ADS-B) or other cooperative sensors. Non-cooperative intruders may be
detected using on-board Electro-Optical/Infra-Red (EO/IR) sensors, radar or other non-cooperative sensors. For systems
with multiple sensors a means will be provided for track association and sensor fusion to provide one track for each
intruder. For TCAS II the VMS will respond to RA messages but will use TA messages only for situational awareness.
TCAS II SAA implementation will comply with DO-185B requirements. A collision threshold that may be considered is
defined by TCAS II and is ±100 ft (±30 m) vertically and ±500 ft (±150 m) horizontally or it may be re-defined by the
procuring activity. The self-separation threshold will be defined by the procuring activity. In implementing SAA the
contractor should consider requirements for both autonomous and operator initiated maneuvers. For operator initiated
maneuvers, means should be provided for such maneuvers to be commanded rapidly and with a minimum of operator
inputs. The SAA design should consider communication and control station latencies and should provide for safe system
operation during LOC. The design should allow the operator to approve or override autonomous maneuvers during
normal link operation. Autonomous operation during LOC will be defined by the procuring activity. FAA right-of-way rules,
as defined by Federal Agency Regulation (FAR) 91.111, 91.113, and 91.115 will be adhered to in designing the SAA
function.
NOTES: 1. For TCAS, during LOC the operator has essentially had a display failure and for TCAS operation display
failures result in the TCAS being set to TA only mode.
2. Definitions from FAA SAA Workshop 1:
Collision avoidance - An SAA function where the UA takes appropriate action to prevent an intruder from
penetrating the collision volume. Action is expected to be mitigated within a relatively short time horizon
before closest point of approach. The collision avoidance function engages when all other modes of
separation fail.
Self-separation - An SAA function where the UA maneuvers within a sufficient timeframe to prevent activation
of a collision avoidance maneuver while conforming to accepted air traffic separation standards. Any UA
maneuvers will be in accordance with regulations and procedures.
Self-Separation Threshold - The boundary around the UA at which the self-separation function declares that
action is needed to preclude a threat aircraft from penetrating the collision avoidance threshold, thereby
maintaining self-separation and keeping the aircraft "well clear" of each other.
Well Clear - The state of being able to maintain a safe distance from other aircraft so as not to cause the
initiation of a collision avoidance maneuver. The Well Clear boundary is a variable region in space dependent
on UA performance characteristics, intruder approach geometry, closure rates, and relative accelerations.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.2.5.3 Autonomous Modes
The guidance category should include those control functions which provide automatic flight path control in accordance
with steering signals generated by guidance and control functions internal to the VMS or with steering signals generated
by systems, some of which may not be redundant, external to the VMS. During the automatic guidance functions, the
VMS - aircraft combination is an element within the overall guidance loop. The requirements of the guidance loop, the
guidance method and the particular guidance computer should be determined by the prime contractor and documented in
the VMS Specification, 4.6.2. Unless specific performance data are established in the applicable system specification, the
following requirements should be met. Refer to 3.2.5.2 and subparagraphs for control accuracies applicable to barometric,
radar altimeter and GPS altitude control.
3.2.5.3.1 General Tie-In Requirements
Provisions should be made for the acceptance of external guidance signals from various computers generating the
necessary commands in attitude, speed, altitude, flight path rate, acceleration, etc., to control the flight path of the aircraft.
The VMS hardware and software design should not assume 100% data integrity of externally generated guidance signals,
including any externally generated validity flags. The VMS should incorporate independent reasonability checks and other
measures as required to protect against erroneous guidance signals.
3.2.5.3.1.1 Operator Override Capability
If the operator control station provides Manual control of the UA, it should be possible to take control of the UA when in
Autonomous mode. Operator override of the Autonomous mode should not result in a UA instability.
3.2.5.3.2 Command Signal Limiting
The VMS should comply with 3.2.1.9 with respect to any structural protection it provides through command limiting. In
Autonomous modes it should not generate command signals such that the aircraft exceeds maneuver limits that are
consistent with the mission and the flight conditions.
3.2.5.3.3 Noise Compatibility
The VMS should be so designed that the noise content in the external guidance signal, as specified in the applicable
system specification, should not saturate any component of the VMS or limiters in VMS software, should not impair the
response of the aircraft to the proper guidance signals, and should not cause objectionable control surface motion or
attitude variation. If the specified noise content is too great to achieve this goal, additional noise filtering should be
employed. Since additional noise filters may impair the stability and guidance performance, a compromise between
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
performance and noise filtering should be determined by the procuring activity and prime contractor, consistent with the
UA mission and its effects on the payload performance.
3.2.5.3.4 Data Link
For the steering information transmitted to the VMS via a digital data Iink, the sampling frequency and number of bits per
signal should be compatible with the accuracy and dynamic performance requirements of the guidance loop. If the
steering information is transmitted to the VMS via an analog data link, the gain variation and the zero shift of the data link
should be compatible with the performance and accuracy requirements of the guidance loop.

3.2.5.3.5 Automatic Approach and Landing (Land Based)
If required, a mission-planned automatic approach and landing function will be integrated into the VMS. This will be
designed to automatically steer the aircraft all the way to touchdown in all applicable conditions. The VMS will employ
sufficiently accurate measurements of position (e.g., INS/GPS coupled, ILS, JPALS, microwave or optical reference
position) to drive the lateral, longitudinal and vertical guidance signals. Guidance commands should be computed to
maintain tracking to an appropriate glideslope from capture to an intended touchdown point. Precision requirements
should be dictated by the intended operational runway or landing area requirements for the UAS. Precision beyond
standard GPS (e.g., augmented with other sources such as Wide Area Augmentation System (WAAS), DGPS or JPALS
information) may be required in order to land on runways of less than 150 ft (46 m) in width. The function should provide a
signal to execute a go-around following any single failure not shown to be at least a factor of ten less probable than the
VMS PLOC. The function should comply with the tracking requirements of 3.2.5.3.5.1 and 3.2.5.3.5.2 for probable
combinations of headwind, tailwind, and crosswind, to be defined by the procuring activity, with the probability of
occurrence of such winds and associated turbulence and wind shears as defined in 3.2.1.5.3 in a no-wind condition.
3.2.5.3.5.1 Glideslope Mode
When preconditions for capturing the glideslope are satisfied, the first overshoot should not exceed 0.16 degree of radial
error from glideslope center when capturing in a no-wind condition from above or below under normal approach
configurations. The mode should exhibit a damping ratio of 0.20 or greater subsequent to the first overshoot and the
transient errors encountered during the tracking mode should not exceed 0.16 degree of radial error or 12 ft (3.7 m) of
deviation from glideslope, whichever is greater.
3.2.5.3.5.2 Waveoff/Go-Around Mode
In the event that a Waveoff/Go-Around Mode is implemented, the Automatic Go-Around initiation or operator initiated Go-
Around should be locked out at altitudes below which a safe Waveoff/Goaround cannot be completed. The VMS should
be designed such that no single failure which is not at least a factor of ten less probable than the VMS PLOC, will cause
the aircraft to maneuver to increase the rate of descent upon engaging the Go-Around mode.
3.2.5.3.5.3 Pitch Performance for Go-Around
The VMS pitch command should cause the aircraft to smoothly rotate sufficiently to establish a positive rate of climb such
that the aircraft will not intersect the obstacle clearance planes defined in FAA Advisory Circular 120-29 more often than
6
1 in 10 events for the wind conditions defined in 3.2.5.3.5, and including high altitude, hot day conditions as defined by
the procuring activity. In the event of inadvertent loss of an engine just prior to or during automatic go-around, the system
should not cause the aircraft to approach stall within 30 s of mode engagement, based on design approach speed. If
operating procedures require the mode to be disengaged upon inadvertent loss of an engine, a timely warning should be
provided for the operator to initiate the disengage procedure. Disengagement under this condition should be
accomplished manually.
3.2.5.3.5.4 Lateral-Heading Go-Around Performance Standards
The Lateral-Heading command should maintain the aircraft 4-sigma position within the lateral-boundaries of the obstacle
clearance planes defined in FAA Advisory Circular 120-29 during wind conditions as specified in 3.2.5.3.5. This capability
should be maintained in the event of the most critical engine failure just prior to or during automatic Go-Around. If normal
procedure is to disengage the Go-Around mode after inadvertent loss of one engine, under the wind conditions cited, an
operator of normal skill should be able to recover aircraft heading such that intersection with the obstacle clearance
planes will occur no more than 1 in 106 events during recovery.
3.2.5.3.5.5 Minimum Go-Around Altitude
A minimum altitude for engaging automatic Go-Around should be established such that the probability of incurring
structural damage to the landing gear, wing tips, or control surface is at least a factor of ten less probable than the VMS
PLOC. The analysis to support this minimum altitude should assume normal performance under the wind conditions
specified in 3.2.5.3.5 and, for multi-engine vehicles, the probability of inadvertent loss of an engine at any time within 12 s
preceding mode engagement.
--`,`,,``````,

3.2.5.3.6 Automatic Landing System (ALS)
The sample performance specification guidance provided in the following paragraphs would be appropriate for a large,
conventional, fixed wing UA.
3.2.5.3.6.1 Typical System Performance Requirements
The following automatic land system requirements pertain to the latter stages of the approach; i.e., that portion of the
approach below the decision height or the alert height. The ALS should be designed to comply with the following landing
accuracies and operational requirements:
a. Longitudinal dispersion should be controlled to ensure a successful landing on the available runway. The probability
of leaving the runway should be at least a factor of ten less probable than the VMS PLOC. The aircraft sink rate at
touchdown should not cause the structural limit of the landing gear and any other part of the aircraft to be exceeded
unless the probability of occurrence is shown to be at least a factor of ten less probable than the VMS PLOC.
b. At touchdown, the two-sigma value for the lateral error of the aircraft centerline from its desired location should not
exceed ±20% of the runway width. The roll out guidance system should cause the aircraft to track parallel to or
convergent with the centerline of the runway.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
c. The systems should meet these requirements considering reasonable combinations of head winds, as defined in
3.2.5.3.5 according to the probability of encountering these winds and their associated turbulence, as specified in
3.2.1.5.3, along with expected variations in ground facility performance as specified in 3.2.5.3.6.3.
d. Means should be provided to inform the operator continuously of the mode of operation of the ALS. Indication of
system malfunction should be conspicuous and unmistakable. Positive indication should be provided that the flare
has been initiated at the minimum normal flare engage heights.
e. ALS malfunction should not cause significant displacement of the aircraft from its approach path, including altitude
loss, or cause any action of the VMS that is not readily apparent to the operator, either by control movement or
advisory display. Upon system disconnection, the automatic landing system should not cause any out-of-trim
condition not easily controlled by the operator.
3.2.5.3.6.2 ALS Performance Standards - Variations of Aircraft and Airborne Equipment Configurations
Automatic landing performance requirements should be met while including the effects on performance of the following
aircraft and airborne equipment variations expected to occur in normal service:
a. Landing weight and center of gravity variations.
b. High lift or lift augmentation variations.
c. Aircraft approach speed variations.
d. Glideslope and localizer airborne receiver centering errors.
e. Automatic landing system sensor, computer and servoactuator tolerances.
f. Performance tolerances of automatic control systems operating concurrently with the UAS automatic landing system
(e.g., stability augmentation systems, load alleviation systems).
g. Other sources of position or terminal guidance information, including GPS, non-GPS or ground based or ground
augmented (i.e., DGPS) systems.

3.2.5.3.6.3 ALS Performance Standards - Ground Based Equipment Variations
Proof of compliance with performance requirements for automatic systems should include the effects of expected
variation in type and quality of any ground based equipment used.
3.2.5.3.7 Automatic Terrain Following
If required and implemented, the VMS should be capable of responding to terrain following flight path commands and
maintain altitude clearance requirements. Flight parameters that are critical to terrain following should be coordinated
between the mission system and VMS. Failures in the sensing system should be annunciated to the VMS and operator
and result in an automatic disengagement of the terrain following and an automatic recovery to a condition which provides
clearance from local terrain (e.g., automatic fly-up) consistent with the UAS mission and requirements and local terrain.
Failures of the sensing system occurring during a recovery maneuver should not prevent the completion of the recovery
maneuver. Performance requirements should be as specified by the procuring activity.
3.2.5.3.8 Waypoint Navigation
The VMS requirements for waypont navigation should be determined by the prime contractor and documented in the VMS
specification 4.6.2. This includes: waypoint steering, criteria for waypoint capture, waypoint event response, lost
command and control data link or failure mode effects on waypoint selection or modification and the ability to continue
with waypoint navigation. The system should have the capability to modify waypoints (and any attribute of that waypoint)
while in route. Waypoint Navigation should be designed and implemented such that:
a. The computed path to the next waypoint is achievable. Path generation algorithms must take into account limits on
the performance of the vehicle and provide special logic to handle difficult geometries.
b. The UA will not turn through greater than 360 degrees to capture a new course. Path generation should provide a
solution that avoids unnecessary maneuvering.
c. The UA will not capture waypoints in rapid succession. Past waypoint capture algorithms have proven susceptible to
capture of waypoint while turning to acquire the course to the waypoint. This can potentially lead to repeated waypoint
capture as the aircraft makes a new turn to acquire the course to the new next waypoint.
d. The UA VMS Guidance, Navigation and Control function will prevent the air vehicle from entering pre-defined
Exclusion Zones or over-flying pre-defined restricted geographical regions except when commanded by the operator.
3.2.5.3.9 Automatic Terrain Avoidance
If required and implemented, the VMS shall be capable of responding to terrain avoidance flight path commands and
operate simultaneously with the feature which also maintains altitude clearance requirements (e.g., Automatic Terrain
Following). The operator shall be able to set or vary the height above terrain while the Automatic Terrain Avoidance is in
use. The minimal settable altitude above terrain shall not be able to be set to less than maximum error of the sensors plus
the maximum error of the terrain avoidance performance model. Failures in the sensing system during normal flight shall
be annunciated and result in automatic disengagement of the terrain avoidance and an automatic recovery to a condition
which provides clearance from local terrain (e.g., automatic fly-up) consistent with the UAS mission and requirements and
local terrain. Failures of the sensing system occurring during a recovery maneuver shall not prevent the completion of the
recovery maneuver. Performance requirements shall be as specified by the procuring activity.
3.2.5.4 Special VMS Performance Requirements for Fixed Wing V/STOL
The following requirements are unique for Fixed Wing V/STOL aircraft.
3.2.5.4.1 Attitude Hold
Precise changes to pitch or roll attitude may be made manually by the operator without requiring any VMS mode change.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.2.5.4.2 Heading Hold
Heading Hold during unaccelerated level flight should be maintained within ±1.0 degree of the desired heading, for
airspeeds below 50 Knots Calibrated Airspeed (KCAS), and within ±0.5 degree above 50 KCAS. Transient excursions
should be limited to ±5 degrees with one overshoot which should not exceed 20% of the initial deviation. Unless otherwise
dictated by the procuring activity, Heading Hold should be provided in the yaw axis for airspeeds below 50 KCAS and in
the roll axis for airspeeds above 50 KCAS. Operator repositioning of the aircraft to a new heading may be accomplished
by directional control inputs at airspeeds below 50 KCAS, through use of the coordinated turn capability for airspeeds
above 50 KCAS or by a Heading Select control at all airspeeds. The aircraft must be within ±3 degrees of wings level for
Heading Hold to engage. The VMS should not induce transients when switching from Heading Hold to turning mode.
V/STOL aircraft heading behavior under 200 ft (61 m) AGL, or as defined by the contracting activity, should be predictable
with respect to the relative wind. The vehicle should not exhibit yaw hunting in light and variable winds, making automatic
heading adjustments only to maintain sufficient yaw control power.
3.2.5.4.3 Airspeed Hold
The Airspeed Hold function should hold any desired airspeed to within 3 knots under steady state conditions. Transient
airspeed excursions should be limited to less than 5 knots. After transient response, the aircraft should return to the
reference airspeed with one overshoot that should not exceed the initial deviation by more than 20%.
3.2.5.4.4 Altitude Hold
Refer to 3.2.5.2.4 and subparagraphs for accuracies applicable to barometric, radar altimeter and GPS altitude
measurements.
3.2.5.4.5 Coordinated Turn Capability
Unless otherwise dictated by the procuring activity, an automatic, coordinated turn capability should be provided at
airspeeds above 50 KCAS.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.2.5.4.6 Automatic Approach Capability
An automatic approach to a operator selected ground speed and radar altitude should be provided. During the transition
from forward flight to hover, the aircraft should not enter rearward flight (negative ground speed).
3.2.5.4.7 Hover Hold and Hover Trim Control
The hover stability mode should engage at airspeeds less than 50 KCAS, or as defined by the procuring activity, either by
operator command or automatically at the end of an automatic approach. The Hover Stability mode should provide
ground speed hold within ±2 knots and should maintain pitch and roll attitudes within ±0.5 degree and heading within
±1 degree. A gust alleviation feature can be provided to damp longitudinal and lateral excursions if necessary. The
Altitude Hold must automatically engage when the altitude is less than or equal to the operator’s preselected altitude. If
the aircraft is at an altitude other than that commanded upon hover mode engagement, the VMS should provide control
inputs necessary for convergence upon the commanded altitude at a safe rate. The radar altitude or ground-referenced
hold should then engage.
3.2.5.4.8 Automatic Departure
During transition from hover to forward flight, the aircraft should not enter into rearward flight or decrease airspeed or
altitude, and heading should be maintained within a tolerance of ±2 degrees.
3.2.5.4.9 Automatic Hovering
Position should be maintained relative to the point of reference to an accuracy of ±10 ft (3 m) or as defined by the
procuring activity for the mission requirements of the aircraft. Unless otherwise dictated by the procuring activity, this
accuracy requirement applies to UA category Groups 3 through 5, while subject to gust and wind intensities from specific
directions. Required hovering wind envelope to be defined by the procuring activity.

3.2.5.5 Special VMS Performance Requirements for Rotorcraft
The following requirements are unique for rotorcraft.
3.2.5.5.1 Attitude Hold (Pitch, Rolls and Yaw)
During the Attitude Hold mode, the attitude, in calm air, should be maintained within ±1 degree of the reference attitude,
under conditions of fixed collective pitch control only. Allowable magnitudes and settling times of perturbations induced by
variations in collective pitch control should be as specified by the procuring activity. The dynamic requirements of
3.2.5.2.1 should be met.
3.2.5.5.2 Heading Hold and Heading Select
The VMS should maintain heading within 1 degree of commanded heading in forward flight at speeds above 40 knots
indicated. The aircraft should not overshoot the selected value by more than 2.5 degrees at speeds above 60 knots. The
roll rate should not exceed 5.0 degrees/s and roll acceleration should not exceed 3.0 degrees/s/s for ADS-33E-PRF Class
I and IV aircraft. The Heading Hold accuracies apply under conditions of fixed collective pitch control only. Allowable
magnitudes and settling times of perturbations induced by variations in collective pitch control should be determined by
the prime contractor and documented in the VMS Specification, 4.6.2. Rotorcraft heading behavior under 200 ft (61 m)
AGL, or as defined by the procuring activity, should be predictable with respect to the relative wind. The vehicle should
not exhibit yaw hunting in light and variable winds, making automatic heading adjustments only to maintain sufficient yaw
control power.
3.2.5.5.3 Altitude Hold
Refer to 3.2.5.2.4 and subparagraphs for accuracies applicable to barometric, radar altimeter and GPS Altitude Hold.
3.2.5.5.3.1 Barometric Altitude Stabilization
The requirements of 3.2.5.2.4.1 should be met when the rotorcraft is outside the ground effect as defined for the specified
rotorcraft.
3.2.5.5.3.2 Stabilization of Altitude Above the Terrain
The operational range of the absolute altitude control mode should be as specified in the applicable system specification.
The system should maintain altitude, in calm air, within ±7 ft (±2.1 m) of the altitude indicated by the altitude sensor.
3.2.5.5.4 Hover Hold
Position should be maintained with a drift of less than 20 ft (6.1 m) plus sensor error over a 2 min period. Altitude should
be maintained in ground effect within 5 ft (1.5 m) over a 5 min period. Where special mission requirements dictate, the
prime contractor should establish further requirements, subject to procuring activity approval.
3.2.5.5.5 Vernier Control for Hovering
For UAS which provide remote operator interaction, the VMS should support vernier control for accurate positioning of the
aircraft during hovering, unless control commensurate with minimum accuracy requirements can be obtained with the
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
regular controls.
3.2.5.5.6 Ground Speed Hold
Where Ground Speed Hold is a system requirement, provisions should be made to insert ground speed signals to the
pitch and roll controls. After engagement of the Ground Speed Hold mode, the ground speed existing at the time of
engagement should be held in steady flight in calm air within ±3 knots.

3.2.5.6 Interfaces with UAS Functionality
3.2.5.6.1 Precision Ship Board Landing Function
If required by the procuring activity for operations aboard an Aircraft Carrier or an Aircraft Carrier, Nuclear Propulsion,
(CV/CVN) class ship or similar, a precision ship board landing function should be integrated into the system. The
requirements of this section may be applicable to recovery activities aboard other classes and configuration of ships with
modifications as determined by the procuring activity and the prime contractor. See 2.3.7 for definitions of terminology
specific to this subsection.
Specific detailed system specifications will dictate required performance parameters and should take precedence over
any guidance provided here. The following guidance is appropriate for a large, conventional, fixed wing UA recovering
aboard an aircraft carrier. The performance guidance provided is considered typical for a complete system and
appropriate allocations to the UA VMS performance requirements should be made by the UAS prime contractor or, if the
UA is contracted for separately, the procuring activity.
3.2.5.6.1.1 System Configuration
The automatic system for shipboard landing may incorporate elements both external to and internal to the vehicle in order
to precisely determine the relative location and translation of the intended touchdown point. Typical system configurations
include a shipboard precision position/attitude/rate measurement component, data link between ship and air, air vehicle
precision position measurement, and relative solution algorithm including stabilization of glidepath. The assumed method
of precision relative position measurement for new designs is Precision Differential GPS provided from an Embedded
GPS/INS (EGI) unit incorporating advanced Kalman filtering. Relative position and glidepath solution may be incorporated
into the core VMS or remain external. Standard requirements as in 3.2.5.3.1 for integrity of data from external sources
should be applied to all signals received by the core. Core VMS guidance algorithms should have modes specific to
shipboard recovery and incorporate pre-defined Approach, Trap, and Bolter modes and flight paths. Pre-defined flight
paths relative to the available ship operations (approach 1, approach 2, waveoff) take the place of mission plan waypoint
derived flight paths for the carrier pattern. Flight path predictability and consistency near the ship is essential.
3.2.5.6.1.2 Typical System Performance Requirements
3.2.5.6.1.2.1 Boarding Rate
The landing system should provide an auto-landing successful “Boarding Rate” for Sea States of 4 or less, of at least
95%. The "non-boarding" rate can be allocated to TSE (failure to land within the wires), Air Boss or LSO waveoff because
of excessive lateral or longitudinal TSE, and other factors, such as hook-skip or excessive ship motion. Hook skips do not
count against the Boarding Rate if the aircraft first touches down in the desired landing area. Foul deck waveoffs and
other factors that cannot be attributed to the landing system do not count against the boarding rate.
3.2.5.6.1.2.2 Service Volume
Automatic Landing Approach, Waveoff, and Bolter should be provided for an azimuth of 360° to a range of 10 nm (18.5
km) from the ship and an elevation from line-of-sight to 10 000 ft (3 050 m) MSL.
3.2.5.6.1.2.3 Deck Motion Compensation
The landing system should provide a stable precision glide path to support autoland. The glide path data should include
the ability to transition from a stabilized path to tracking touchdown point motion as required for Deck Motion
Compensation (DMC).
3.2.5.6.1.2.4 Ship Motion Sensor (SMS)/Data Link Latency
The SMS and landing system data link should have an end-to-end latency no greater than 200 ms, from ship motion IMU
measurement until ship state parameters are received by the UAS, when transmitting ship motion for use in airborne
DMC calculations.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.2.5.6.1.2.5 Accuracy
The accuracy of the final phase of the automatic approach, during which DMC is active, measured as the sum of the NSE
and the Path Definition Error should be:
a. Vertical error - Not greater than 0.656 ft (20 cm), to a probability not less than 70%, and not greater than 1.640 ft
(50 cm), to a probability not less than 99%. Vertical accuracy during approach may be gradually relaxed as a function
of distance from touchdown beginning at the point of DMC actuation until the transition point between area navigation
and precision approach navigation is reached.
b. Lateral error - Not greater than 0.656 ft (20 cm), to a 70% probability, and not greater than 1.640 ft (50 cm), to a 99%
probability. Lateral accuracy during approach may be gradually relaxed as a function of distance from touchdown
beginning at the point of DMC actuation until the transition point between area navigation and precision approach
navigation is reached.
3.2.5.6.1.2.6 Touchdown Performance
The accuracy of the touchdown point, measured as the sum of the NSE, the FTE and the Path Definition Error, should be:
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
a. Longitudinal mean - The mean longitudinal touchdown point should be within 10 ft (3 m) of the targeted touchdown
point.
b. Longitudinal standard deviation - The longitudinal touchdown point standard deviation should be 17 ft (5.2 m) or less.
c. Lateral mean - The mean lateral touchdown point should be 2 ft (0.6 m) or less from the centerline.
d. Lateral standard deviation - The lateral touchdown point standard deviation should be 2.5 ft (0.8 m) or less.
3.2.5.6.1.2.7 Integrity
a. Vertical Alert Limits (VAL) - The landing system VAL during the final phase of the automatic approach during which
DMC is active should be 14.44 ft (4.4 m).
b. Lateral Alert Limit (LAL) - The landing system LAL during the final phase of the automatic approach during which
DMC is active should be 14.44 ft (4.4 m).
c. Integrity risk - The probability that the sum of the NSE and the Path Definition error for the landing system exceeds
the VAL or LAL without an alert should not exceed 1 x 10-6 per approach.
d. Time to alert - The time to alert a landing system integrity breach should not exceed 1 s. The time to alert may be
gradually relaxed as a function of distance from touchdown beginning at the point of DMC actuation until the transition
point between area navigation and precision approach navigation is reached.
3.2.5.6.1.2.8 Continuity
The landing system probability of unscheduled interruption of navigation function or navigation performance meeting the
integrity requirements of 3.2.5.6.1.2.7, assuming fault-free airborne system performance, should not exceed 1 x 10-8 in
any 15 s during the final phase of the automatic approach during which DMC is active. The probability of unscheduled
interruption of navigation function or navigation performance meeting the integrity requirements of section 3.2.5.6.1.2.7
may be gradually relaxed as a function of distance from touchdown beginning at the point of DMC actuation until the
transition point between area navigation and precision approach navigation is reached.

3.2.5.6.1.2.9 Waveoff Performance
a. The landing system should incorporate an interface to the Operator, LSO and Air Boss Waveoff command. The
landing system should transmit the Waveoff command to the UA with a latency not to exceed 100 ms. The total
Waveoff latency, including ship system processing, data link transmission, and UA processing until the time of UA
control actuation for Waveoff execution should not exceed 400 msec.
b. A Waveoff Inhibit Window may be established to prevent in-flight engagement of the hook. Autonomous Waveoff
should be inhibited during the final phase of approach, starting from the calculated time to touchdown, that, allowing
for all latencies and UA performance, should prevent the UA hookpoint descending below 10 ft (3 m) above the
touchdown point, throughout the Waveoff maneuver. The LSO and Air Boss Waveoff command should not be
inhibited during the Waveoff Inhibit Window.
3.2.5.6.1.2.10 Bolter Performance
During a Bolter, the lateral TSE should not cause the wingtip to cross the landing area foul line for a worst case,
off-center, three sigma touchdown as stated in 3.2.5.6.1.2.6.
3.3 System Testability Recommendations
3.3.1 System Test and Monitoring Provisions
Test and monitoring means should be incorporated into the Essential and Flight Phase Essential VMS as required to
meet the following requirements of this specification:
a. Mission Accomplishment Reliability (see 3.1.2.1)
b. Flight Safety and Failure Immunity (see 3.1.1.3 to 3.1.1.4.1)
c. Fault Isolation (see 3.1.3.2 to 3.1.3.3, 3.1.5 to 3.1.5.1)
d. Invulnerability (see 3.1.5.3 to 3.1.5.3.10)
e. Structural Integrity (see 3.4.2.1)
The effect of detected and undetected VMS failures taken with the probability of occurrence of such failures should
comply with the system reliability and safety requirements. This requirement should address all failures, including
mechanical, electrical, hydraulic components and power sources.
Typical industry terms for the various types of Built-In-Test (BIT) are “Power On Self Test” (POST) for the startup or
initialized BIT, “Periodic” (PBIT) or “Continuous” (CBIT) for real-time monitoring, “Maintenance” (MBIT) for operator
initiated, often interactive BIT and “Initiated” (IBIT), also initiated but for pre-flight check out instead of maintenance.
3.3.2 Built-In-Test Equipment
The total maintenance and testing, including BIT, and in-flight monitoring where used, should provide an integrated
means of fault isolation to the LRU/WRA level with a confidence factor of 90% or greater. BIT functions which prevent
normal operation should have multiple provisions to ensure they cannot be engaged in flight. The test equipment should
not have the capability of imposing signals which exceed operating limits on any part of the VMS or which reduce the
VMS endurance capability or fatigue life. Ground test signals should not be of sufficient magnitude to drive actuators into
hard-stop limits.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.3.3 Maintenance BIT
Where required, BIT should also be provided as a post flight maintenance aid for the VMS. BIT should be designed to
avoid duplicating test features included as part of the preflight test or monitoring functions. Maintenance BIT should
operate in various aircraft ground configurations such as with wings folded, swept back, etc., with hydraulic pressure on
and off, with the High Lift or lift augmentation system deployed, and should give meaningful test results. The BIT
operation should not stroke those actuators where proper clearance cannot be maintained. The BIT operation should not
exceed a time limit defined in the Aircraft Detail Specification.
3.3.4 Preflight or Pre-engage BIT
Preflight or pre-engage BIT may be automatic or operator-initiated, and includes any test sequence conducted prior to
takeoff or prior to engagement of a control to provide assurance of subsequent system safety and operability. It should be
demonstrated that redundant electronic channels and hydro-mechanical components are operating normally without any
safety-critical latent failures prior to takeoff. This includes all backup or normally disengaged channels, and the ability of
normally engaged channels to isolate or disengage elements upon detected failures. The design is required to have
Operational State I capability in the absence of failures and, except for Type 1 and Type 2 VMS, should have sufficient
pre-flight built-in test capability to detect any latent faults that would result in less than Operational State III after a first
failure. The preflight tests should not rely on special ground test equipment for their successful completion. Any test
sequence which could disturb the normal activity of the aircraft in a given mode should be inhibited when that mode is
engaged and the operator alerted of the skipped test. Preflight BIT that requires moving control surfaces should be
initiated only by the operator or maintenance personnel, to avoid the personnel danger inherent in automatic initiation.
The preflight BIT should take less than 90 s to complete. Operation of Preflight BIT should be prevented in flight by
methods determined by the prime contractor and documented in the VMS Specification, 4.6.2.
3.3.5 Preflight BIT Status Annunciation Support for CS
The VMS should support the following CS display functions:
a. Indicate the progress of the preflight test.
b. Instruct the operator to provide any required manual input.
c. Indicate lack of system readiness when failure conditions are detected.
3.3.6 Portable Test Equipment
Where the use of BIT equipment would cause excessive penalties and where the use of portable test equipment is
compatible with the maintenance support concept, provisions should be made to permit the use of generally available and
commonly used portable test equipment. Components which require peculiar, special, or new items of test equipment
should be avoided unless dictated by aircraft design, mission requirements, or state-of-the-art improvements.
3.3.7 Ground Power Requirements for System Test
Electric and electronic components should be designed to operate with the electric power generators supplied by
standard ground carts. Hydraulic components should be designed to operate with the standard hydraulic ground carts.
3.3.8 Protection Against Dormant Failures
The use of critical components that cannot be readily tested as installed, and therefore could be subject to dormant failure
leading to a catastrophic event following a second failure, should be minimized. Those that remain should be subject to
analysis of failure probability, and the required off-aircraft testing-interval exposure time, to ensure that the recommended
safety requirements of 3.1.1.3 are met.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.4 System Design Recommended Requirements
3.4.1 System General Design Recommended Requirements
3.4.2 Mechanical VMS Design
In the design of mechanical components, the reliability, strength and simplicity of the system should be paramount
considerations. The signal transmission between the servoactuators and the control surfaces should be redundant to the
extent required to meet reliability, failure immunity, invulnerability and other requirements of this specification.
Where the connection between the servoactuators and the control surfaces cannot be made redundant, the probability of
failure of the mechanical connection between any VMS component (e.g., rod end) and control surface should be of
sufficient reliability (<10-9 or consistent with the vehicle prime structure requirement) to meet the reliability and failure
immunity requirements identified elsewhere in this document.
3.4.2.1 Structural Integrity
3.4.2.1.1 Single-Point-Failure Points
All flight-critical, single-load-path mechanical components should be identified as Single-Point-Failure Points and
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
designated Fracture Critical.
3.4.2.1.2 Strength
Safety (Fracture) critical structural components should be designed to 4 lifetimes and tested to 2 lifetimes.
3.4.2.1.3 Damage Tolerance
Those structural elements of the VMS that are essential to safety of flight, to control Essential and Flight Phase Essential
functions, should meet the damage tolerance requirements of Joint Service Specification Guide, JSSG-2006.
3.4.2.1.4 Load Capability of Dual-Load-Path Elements
The load path remaining after a single failure in dual-load-path elements should meet the following requirements.
a. Where the failure is not evident by visual inspection or by obvious changes in control characteristics, the remaining
path should be capable of sustaining a fatigue spectrum loading based on one overhaul period. The time interval
corresponding to an overhaul period should be established by the prime contractor. The remaining path should also
withstand, as ultimate load, loading equal to 1.5 times the limit loads specified in MIL-A-8865, or 1.5 times the load
from an alternate source, such as a powered actuation system or loads resulting from aerodynamic or other forces, if
such load is greater.
b. Where the single failure is obvious, the remaining load path should be capable of withstanding, as ultimate load,
loading equal to 1.15 times limit loads specified in MIL-A-8865, or 1.15 times the load from an alternate source, such
as a powered actuation system or loads resulting from aerodynamic or other forces, if such load is greater.
3.4.2.1.5 Stiffness
The stiffness of the VMS should be sufficient to provide satisfactory operation and to enable the aircraft to meet the
stability, control, and flutter requirements. Normal structural deflections should not cause undesirable control system
inputs or outputs. The applicable design requirements specified in MIL-A-8870 should be met.

3.4.2.1.6 Durability
Durability of the VMS should be equal to that of the airframe primary structure considering the total number of ground and
flight load cycles expected during the specified design service life and design usage of the aircraft from all commands,
including primary and secondary flight control, Manual, Assisted and Autonomous commands, servo feedback and from
load inputs. Vibrations and sonic fatigue requirements should also be considered in the design of the VMS.
3.4.2.1.7 Wear Life
Mechanical elements of the VMS should be designed to have wear life equal to the wear life specified for the overall
aircraft. Parts subject to wear, such as hydraulic seals, bearings, control cables, sensors and hydraulic actuator barrels,
may be replaced or their wearing surfaces renewed after they exceed their useful life. The design, analysis and
verification of those parts intended to have their wearing surfaces renewed should take into account any reduction of
fatigue life caused by the renewal process. However, all replacements should be within the VMS wear out-replacement
budget established for the overall weapon system. Electronic and other non-mechanical LRUs/WRAs should remain
economically repairable and should meet reliability requirements throughout the specified airframe lifetime. The effects of
wear on actuator and control surface attachments should be considered to minimize the possibility of inducing limit cycle
oscillations, buzz or flutter.
3.4.3 Fixed Wing V/STOL Aircraft Requirements
3.4.3.1 Conversion Mechanisms
Conversion mechanisms, if required, should be powered in such a way that conversion can be accomplished at any time,
regardless of any system failure or conversion will halt in a safe landable state. If halted, conversion should be reversible
unless the failure prevents conversion.
3.4.3.2 Transition
The transition from one set of controls to another set should be smooth and should not cause undesirable transients.
3.4.3.3 Interface of Powerplant and VMS
Refer to 3.2.5.2.7.
3.4.4 Rotorcraft Requirements
3.4.4.1 Jamming of Swashplate Power Actuators
The swashplate power actuators in aircraft subject to combat damage should be jam proof when so directed by the
procuring activity. The threat should be specified by the procuring activity.
3.4.4.2 Actuation Stiffness
The stiffness of the swashplate support, in conjunction with rotor blade torsional stiffness should be adequate to minimize
control loads and shaking forces generated by the rotor.
3.4.4.3 Frequency Response
The swashplate power actuator frequency response should be adequate to meet the ADS-33E-PRF and other applicable
rotorcraft flying qualities requirements when operated in series with the direct linkage and rotating controls.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.4.4.4 Blade Flapping
Suitable provisions should be made to control the blade flapping when starting or stopping the rotor. The procuring activity
should specify the minimum wind velocity, with the wind from the most critical direction, at which starting and stopping
should be possible without physical contact of the rotor blades with any part of the airframe, excluding the rotor stops, and
without causing damage to the rotor system.
3.4.4.5 Fatigue Life Design
The procuring activity should approve any life limited parts. Fatigue lives should be substantiated by component bench
testing and flight strain survey. Fatigue lives should be determined using actual bench test strengths and measured flight
loads.
3.4.4.6 Engine-Out Requirement
One Engine Out (OEI) and All Engine Out (AEI) requirements for rotorcraft should be in accordance with the applicable
sections of ADS-33E-PRF.
3.4.5 Electrical VMS Design
3.4.5.1 Electrical Signal Transmission
The following requirements apply to all Essential and Flight Phase Essential signal paths. Except for power sources, such
systems should be independent of failure modes associated with any other electrical system. Cross connections between
redundant electrical signal paths should be eliminated, or minimized and electrically isolated. Wire runs and components
in redundant control paths should be physically separated and electrical shielding should be installed, as necessary, to
meet failure immunity and invulnerability requirements. All interconnecting wiring should be prefabricated, jacketed cable
assemblies. The outer jackets should be identifiable by a unique color or other means. Wiring installation should be in
accordance with AS50881.
3.4.5.2 Isolation and Protection of Redundant Electrical Circuits
VMS wiring in individual channels should be routed, isolated and protected to minimize the applicable threats to
redundancy. Channel loss due to any foreseeable hazard, which is not at least a factor of ten less probable than the VMS
PLOC, should be limited to a maximum of a single channel. The adequacy of the separation, isolation and protection
attainable in any given location for any given hazard should be evaluated for each aircraft design.
a. Redundant channels for the same control axis and electronic comparison model signals should not utilize the same
connectors or adjacent pins within connectors, cables or cable runways, or circuit cards unless the design can be
shown by demonstration or analysis to meet the appropriate isolation/separation requirements. If space constraints
require redundant signals to run through the same connector, the connector should have a cable continuity signal
(short pin) and be safety wired.
b. Cross connections between redundant electrical signal channels should be minimized, and failure detection/isolation
provisions should be mechanized in such a way that no single electrical failure can disable more than one channel.
Isolation should prevent any failure in one signal channel from initiating a failure or a cascade of failures in any other
signal channels.
c. Each redundant electrical signal channel should be associated with an electrical power source that is not connected
to any other signal channel. The loss of a single electrical power source should not result in the loss of more than one
signal channel in a redundant system.
d. The wiring of the redundant electrical channels for a given control effector should be separated to the maximum
extent possible. If adequate separation is not possible, physical and thermal barriers should be provided between the
channels.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

e. VMS wiring should be separated from the wiring of other systems to the maximum extent possible so that a failure in
other systems cannot introduce failures in the VMS.
f. Wiring should be supported to minimize chafing, stress, vibration, and shock.
g. Wiring in areas subject to maintenance action and possible abuse by maintenance personnel should be protected to
the maximum extent possible with over-braiding or conduits.
Additional protection should be provided for the wiring where analysis shows that any single hazardous event, which is
not at least a factor of ten less probable than the VMS PLOC, could cause the loss of more than one VMS channel.
Primary structural components should be used to afford this protection where possible. Where it is necessary to route the
wiring through wheel wells or other areas subjected, during flight, to the slipstream or impingement of runway fluids,
gravel, etc., the wiring should be protected by enclosures and routed directly through without unnecessary termination or
junctions. Where terminations or junctions to equipment in these areas are required, they should be protected from such
impingements. This should also be done in areas where a high level of maintenance is likely to be required on other
systems and equipment.
3.4.5.3 Cable Assembly Design and Construction
During design of the cable assemblies, particular attention should be paid to the requirements of the circuits within the
cable
a. The outer jacketing for VMS wiring should not create stresses on the wire and connector terminations and should not
stress the wires in a manner which opens the connector grommet seals.
b. Cable construction near LRU/WRA terminals should be ruggedized to prevent damage due to repeated replacement
of the LRU/WRA.
c. Cable construction near LRU/WRA terminals should provide provisions for repairs of damaged connectors/pins over
the life of the aircraft.
d. Wire gages should be selected based on peak current and wire length. For Fly-by-Wire (FBW) signal applications
within aircraft wiring harnesses interconnecting LRU/WRAs wires smaller than 24 gauge should not be used without
approval of the procuring activity.
e. Adequate EMI and EMP control methods (e.g., shielding, twisting, etc.) should be incorporated into the design.
f. Where shielded wires are used, provisions should be made for carrying the shields through the connectors where
single point grounding is necessary.
g. A signal return wire should be provided for each signal level circuit in the cables.
h. Terminal boards should not be used in VMS wiring. Splices should be qualified, permanent-type splices.
i. For wire harnesses which are considered part of an LRU/WRA, including actuators, the design should not allow
potting material to escape into the wire crimp areas during fabrication.
3.4.5.3.1 Cable Assembly Construction
All cable assemblies should be constructed in an area with temperature and humidity controls and positive pressure
ventilation and should be cleaned (all wire cuttings, etc., removed) and inspected after layup and prior to jacketing to
assure that no potentially damaging particles have been included, particularly at the entrance to the grommet seal. All
cable assemblies should be constructed, tested and inspected by specially trained and certified personnel.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.4.5.4 Wire Terminations
Crimp type wire terminations (spade, lug, or connector) should be used on all VMS cables. Soldered and potted
connections should not be used. With the terminal installed on the wire, the wire should be visible for inspection at both
ends of the crimp barrel. The length of wire visible between the insulation and barrel should not exceed 0.060 in
(1.55 mm).
3.4.5.5 Inspection and Replacement of VMS Electrical Wiring
The VMS electrical wiring, or the conduit containing the wiring, should be installed so as to satisfy the requirements of
3.1.3.2 and so that it can be inspected for damage and replaced as necessary. The installation should provide for visual
inspection in critical areas such as hazardous environment areas or areas where a high level of maintenance is required
on systems or equipment in close proximity.
3.4.5.6 Water Intrusion
LRUs/WRAs of the VMS that are installed in the aircraft with electrical connectors located on the top or on the side,
should be designed so that moisture traveling along the cables should have no deleterious effect. Electrical connectors
pertaining to the VMS should not be installed in a position to trap moisture. For all designs, discrete inputs that utilize
open/ground logic should be designed to prevent false triggering due to moisture intrusion into connectors or external
wiring.
3.4.5.7 Electrical Power
The electrical power sources of the VMS should be designed consistent with the VMS reliability, operation, and safety
requirements. Each redundant electrical signal channel should be associated with an electrical power source that is not
connected to any other signal channel. The loss of a single electrical power source should not result in the loss of more
than one signal channel in a redundant system.
3.4.5.7.1 Transient Power Effects
VMC, or embedded subsystem computers such as microprocessors or DSPs, should not suffer adverse effects due to
power source variations within the limits specified for the applicable power system. The performance during these
variations should meet the requirements of 3.1.1.5. In the event of power source interruption, no adverse effects should
result which limit operation or performance of flight control functions upon resumption of normal quality power.
3.4.6 Computational Methods and Software
The requirements for the computational systems should be consistent with the VMS electronics architecture: primarily
analog, hybrid analog/digital, or primarily digital. The VMS architecture should be determined by the prime contractor and
documented in the VMS Development Plan, 4.6.1. The computational systems should provide the following capability:
a. Redundancy and fault tolerance provisions should include failure detection and accommodation features consistent
with 3.1.3 and the performance and safety requirements established for the VMS.
b. Separation of functional elements should preclude the propagation of failures across boundaries of redundancy or
propagation of failures across functional boundaries.
c. The scaling of signals and calculations should provide satisfactory resolution and sensitivity under all possible
combinations of demands and disturbances imposed on the system.
d. Sufficient dynamic response capability should be provided throughout all aspects of the analog and digital elements to
satisfy the overall control system bandwidth requirements.
e. Invulnerability to external influences defined in 3.1.5.3.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.4.6.1 Analog Computation
The requirements for analog systems and circuits are dependent on VMS architecture. The specific VMS architecture
should be determined by the prime contractor and documented in the VMS Development Plan, 4.6.1. The analog
computational systems should provide the following capability:
a. Redundant electrical signal paths within a computer should be isolated as required by failure immunity, safety, and
invulnerability requirements specified in 3.1.1.4.
b. The circuits and signal path designs should be consistent with the electromagnetic interference requirements of 3.1.6,
and the system testability requirements of 3.3.1.
c. For failures which may cause a hazardous deviation in the aircraft path, the computer should have provisions for
rapidly disabling its command outputs or servos unless other fail-safe provisions exist.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
d. Analog signals should be scaled to provide satisfactory resolution and sensitivity to ensure continuous safe operation
for all possible combinations of maneuvering demand and gust or other plausible disturbances, and to prevent
unacceptable levels of nonlinear characteristics or instabilities.
e. The analog computation growth capability should be consistent with the VMS architecture. The growth capability of
analog circuits, programmable logic devices, input/output circuits and connectors/pins, and spare card slots should be
determined by the prime contractor and documented in the VMS Development Plan, 4.6.1.
f. Analog command paths and monitors to verify the response of those command paths should not reside in the same
analog microcircuit package (e.g., quad operational amplifier or similar).
3.4.6.2 Digital Computation
Redundant signal computation should be implemented as required by the flight safety and failure immunity and
invulnerability requirements specified herein and to meet the closed loop flying qualities requirements. At the time of full
rate production aircraft acceptance by the procuring activity, the total computation time and workspace storage used in
the VMS should not exceed the following for worst-case conditions:
a. For central flight control or aircraft management computers the worst case real-time-critical computation time should
not exceed 60% of the total computation time allocated for flight control use.
b. For embedded subsystem microprocessors or digital signal processors that specialize in hardware-intensive
applications which have low functional volatility over their product life, the real-time-critical computation time should
not exceed 80% of the total computation time of the processor.
c. For designs which use multiple processors, the estimate of available remaining throughput should account for inter-
processor timing and not take credit for processor idle time waiting for required co-processor task completion.
d. For central flight control or aircraft management computers the program and workspace storage should be sized such
that at least 40% of the total storage for each VMS Type is available for growth.
e. For subsystem computers that specialize in hardware-intensive applications the program and workspace storage
should be sized such that at least 25% of the total storage for each VMS Type is available for growth.
f. Computation and sample rate should be established at a level which ensures that the digital computation process will
not introduce unacceptable phase shift, round-off error, nonlinear characteristics, and frequency fold over or aliasing
into the system response.
g. Anti-aliasing filters should be incorporated to the extent required to meet the VMS performance requirements.

3.4.6.3 Computational Input/Output Growth Capability
In the implementation of an analog or digital computer for electrical signal computation, the input/output growth capability
should be consistent with the growth capability of the computer and the computer connector reserve capacity.
3.4.6.4 Software Development and Support
For programmable computers, system software should be developed and controlled in accordance with a Software
Development Plan, 4.6.1(h), using the applicable sections of ISO/IEC 12207 as a guide A Software System Safety Plan
should be prepared by the prime contractor, in accordance with MIL-STD-882. Additionally, the procuring activity may
impose DO-178 software best practices for some UA.
3.4.6.5 Program Scaling
Parameter scaling, word size, input limiting, and overflow protection should ensure correct processing and continuous
safe operation for all possible combinations of maneuvering demand and gust or other plausible disturbance within the
Service Flight Envelope of the system. Any condition capable of producing an overflow in an Essential or Flight Phase
Essential function should be precluded by hardware overflow detection and software or firmware that provides for data
recovery and continuous safe operation following an overflow. Scaling should provide satisfactory resolution to prevent
the granularity due to digitizing processes from introducing, into the system response, unacceptable levels of nonlinear
characteristics or instabilities.
3.4.6.6 Memory Protection
Memory protection features should be provided to avoid inadvertent alteration of memory contents. Memory protection
should be such that neither EMI, as specified in 3.1.6, nor electrical power source transients should cause loss of
program memory, memory scramble, erroneous commands, or loss of ability for continued operation. The electrical power
source transients should be as specified in MIL-STD-704 for Category C utilization equipment. For applications where
system failures could be hazardous to safety of flight, the levels for normal, abnormal, and emergency electric system
operation should apply. For applications which are not critical to safety of flight, the levels for normal operation should
apply. These transient requirements should apply to cases when all or only one of the redundant power sources is
operating. For systems which load program instructions from volatile memory or use programmable gates (e.g., FPGA)
after startup, the design should incorporate features to automatically recover from single event upsets without inducing
transients which can exceed those defined in 3.2.1.10 or cause loss of control of the vehicle.
3.4.6.7 Software Maintenance and Verifiability
Any modification to system software should be evaluated prior to implementation on an aircraft in accordance with the
appropriate procedures of analysis, inspection, and test defined in the quality assurance section of this specification. To
aid in software maintenance, safety, and reliability, each loadable VMS Computer Software Configuration Item (CSCI)
should reserve at least one word to serve in identification of the software version and Operational Flight Program (OFP)
portion contained within the non-volatile memory (e.g., Flash, Read Only Memory (ROM), Electronically Erasable
Programmable Read Only Memory (EEPROM)).
3.4.6.8 Multiplexing Data Transmission
The multiplexing signal transmission circuits should be of a digital time-division-multiplexing type utilizing a twisted
shielded pair cable, or fiber optic cable as the transmission media for the multiplex bus, as specified in MIL-STD-1553,
MIL-STD-1773, IEEE 1394, or ARINC standards. Other standards may be applicable, as approved by the procuring
activity.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5 Subsystem Design Recommendations
3.5.1 Subsystem General Design Recommended Requirements
3.5.1.1 Power Subsystem Capacity
Sufficient electrical, hydraulic, and pneumatic power capacity should be provided to meet the requirements of 3.1.5.2.
3.5.1.2 Power Subsystem Redundancy
Multiple electrical and hydraulic power systems should be provided as necessary to meet the safety requirements of
3.1.1, the mission accomplishment reliability requirements of 3.1.2.1 and the survivability requirements of 3.1.5.
3.5.1.3 Priority
Essential and Flight Phase Essential flight controls should be given priority over noncritical controls and other actuated
functions to the degree specified in 3.1.1.6.
3.5.2 Electrical Power Subsystems
All electrical power generation and distribution subsystems used for flight control should provide electrical power in
accordance with MIL-STD-704. The VMS should operate in accordance with this specification when supplied with power
in accordance with MIL-STD-704. The prime contractor should specify the applicable revision of MIL-STD-704 for each
electrical power requirement, if the revisions differ.
3.5.2.1 Power Availability Protection
Electric systems which provide power to Essential or Flight Phase Essential controls should, in conjunction with the VMS
itself, ensure uninterruptible power to the VMS, of adequate quality to meet VMS requirements, after any malfunction not
considered to be at least a factor of ten less probable than the VMS PLOC. Uninterruptible power is defined as power that
at no time exhibits voltage or current disruptions of a magnitude or duration that would cause upset to, or disruption of,
Essential or Flight Phase Essential flight control functions. Redundant sources employed to achieve uninterruptibility
should be isolated and therefore, except for their basic power sources, should be independent of failure modes
associated with any other electrical system. At least one primary source of electrical power should be a VMS direct
source with no other equipment/functions tied to it. An alternate source of power should be provided for all Essential or
Flight Phase Essential control signal transmission paths, sufficient to continuously maintain at least VMS Operational
State III performance, in the event of loss of all electrical power supplied from engine-driven generators. For highly
augmented aircraft the transfer to this alternate source should be uninterruptible. The minimum flight time and
maneuvering requirements while operating on the alternate source of power should be defined by the prime contractor
and approved by the procuring activity.
3.5.2.1.1 Power Supply Interlocks
Control systems employing both alternating current (ac) and direct current (dc) power inputs should incorporate interlocks
to disconnect both power inputs should either type of power be lost. Alternatively, the control system may be designed to
accommodate a single loss of ac or dc power, either by maintaining VMS Operational State III or better with either power
source or, by ensuring that loss of either, safely disables the control channel.
3.5.2.2 Overload Protection
Overload protection of the primary power wiring to the system or component should be provided by the aircraft prime
contractor. Installation requirements of system or component specification should specify the value of starting current
versus time, surge currents if applicable, normal operating current, regenerative effects and recommended protective
provisions. Additional protection as necessary should be provided within the system or component. Such circuit protection
should be provided in signal circuits or other circuits to ensure that overload conditions from secondary units receiving
power from the VMS should not result in unsafe motion of the aircraft.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5.2.3 Phase Separation and Polarity Reversal Protection
In systems affecting flight safety, practical methods to prevent phase reversal and polarity reversal should be
implemented.
3.5.3 Hydraulic Power Subsystems
All hydraulic power generation and distribution systems normally used for flight control should be designed in accordance
with AS5440.
3.5.4 Pneumatic Power Subsystems
The use of pneumatic power systems for VMS applications should be determined by the prime contractor and
documented in the VMS Specification, 4.6.2. Pneumatic systems used for VMS functions should be designed in
accordance with MIL-A-87229.
3.5.5 Actuation Subsystems
3.5.5.1 Actuation Subsystems General Requirements
3.5.5.1.1 Control Surface Flutter and Buzz Protection
All flight control surface actuation systems controlling surfaces which are not dynamically balanced should provide
sufficient dynamic stiffness or damping to prevent flutter, buzz, and all other related dynamic instabilities for all operating
modes and meet the requirements of MIL-A-8870, including the over-life requirements for control surface freeplay.
Techniques or mechanizations designed to artificially increase effective stiffness, damping, or natural frequency should
not be used without prior approval of the procuring activity. The prime contractor should determine the stiffness and
freeplay requirements to prevent flutter and buzz for each control surface installation. The prime contractor should
allocate these requirements to:
a. Structural stiffness of aircraft control surface installation and actuator backup structure, freeplay in installation
hardware, and damping.
b. Actuation subsystem freeplay and, for each mode of operation, its complex impedance in the form of dynamic
stiffness or damping or some combination of the two, over the frequency range of interest.
c. Control surface damper characteristics and freeplay.
3.5.5.1.1.1 Actuation Impedance in Failed Modes of Operation
The prime contractor should specify the impedance required from an actuation subsystem driving a flutter-critical surface
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
following loss of normal operation. The type of fail-safe operation required, such as fail-to-a-fixed position or damped-trail
should also be specified. For actuators employing hydraulic fluid, means should be incorporated within the actuator to
supply make-up fluid for a flight time and for a range of actuator temperature to be agreed upon with the procuring activity.
If the actuator is unbalanced this means should also accommodate the area imbalance. For electromechanical actuators,
the design should include fail-safe damping provisions to preclude control surface flutter after a complete loss of actuator
control functionality or electrical power to the actuator.
3.5.5.1.2 Control Surface Dampers
Damping requirements for surface dampers should be based upon the anticipated flutter frequency, but the endurance
requirements should be based upon the same criteria established for the surface control actuators. Detail design of
hydraulic dampers should conform to the applicable requirements of MIL-PRF-5503.

3.5.5.1.3 Synchronization of Redundant Actuation
3.5.5.1.3.1 Force Synchronization of Multiple Connected Servoactuators
In Essential and Flight Phase Essential flight control actuator installations employing multiple connected servoactuators,
the actuators should be synchronized as necessary to ensure the specified actuation subsystem performance and the
durability specified in 3.4.2.1.6 for the servoactuators and the structure between them.
3.5.5.1.3.2 Synchronization of Multiple Commands Within an Actuation Subsystem
When multiple, redundant commands to an actuation subsystem are used simultaneously, means should be adopted to
ensure that the commands work in unison in normal operation and during the shutdown and engagement of individual
channels to provide the specified performance and durability.
3.5.5.1.4 Load Capability
3.5.5.1.4.1 Load Capability of Elements Driven by Power Actuators
Elements subjected to loads generated by a powered actuation system, including all parts of the actuator, should be
capable of withstanding the worst-case combination possible of the maximum output of the actuation system, loads due to
bottoming including static and impact ground gust loading to the requirements of MIL-A-8865, jamming, other parallel
actuators and the maximum aerodynamic load, as controlled by load limiting provisions, as the limit load. Ultimate load
capability should be 1.5 times limit load or as specified by the prime contractor. In dual load path design, each path
should be capable of sustaining load as specified in 3.4.2.1.4 without failure. Surface position sensor mechanisms should
not be placed in the load path between the actuator and the surface. The stressing cases for the sensor mechanisms
should be specified by the prime contractor.
3.5.5.1.5 Actuation Subsystem Dynamic Performance
The prime contractor should perform analysis and simulation studies to establish the large amplitude and small amplitude
dynamic response requirement for the primary flight control servoactuators, together with the amplitudes to be used for
specification, analysis and test. The studies should include considerations such as the aircraft dynamic performance, the
flying qualities requirements, and the extent to which excessive phase lag can degrade flying qualities and increase the
potential for operator induced oscillations. The requirements that result from the studies should be specified at defined
tolerance and operating conditions and may include nominal and extreme cases. These requirements should apply to
both hydraulic and electrical actuation subsystems.
The large amplitude studies should include the effects of actuator rate limiting and/or acceleration limiting. The prime
contractor should define the amplitude to be used, surface by surface, and the dynamic performance to be achieved at
that amplitude, including the maximum acceptable total phase lag and time delay between the command and the actuator
output. This requirement should include the effects of all significant non-linearities such as servoactuator rate limiting
caused by design characteristics such as servovalve position saturation, servomotor velocity limits or hydraulic supply
flow limitations, or servoactuator acceleration limiting caused by control valve spool rate saturation or servomotor
acceleration limits. Common practice for these studies is to use an amplitude of at least 10% of full stroke, peak-to-peak.
The small amplitude studies should include nonlinearities such as control valve and servomotor threshold that can
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
produce distorted waveforms and result in excessive phase lag. The prime contractor should define the amplitude to be
used and the dynamic performance requirements at that amplitude. The allowable phase lags should be consistent with
the aircraft residual oscillations requirements of 3.2.1.7. Common practice for these studies is to use an amplitude of 1%
of full stroke, peak-to-peak.

3.5.5.1.5.1 Actuation Subsystem Stability Margins
The actuation subsystem stability should comply with the VMS requirements of 3.2.1.4. In the absence of any other
stability margin requirements imposed by the aircraft control concepts, the minimum stability margins for any actuator loop
closure, at the worst-case tolerance condition and operating condition, at the end of life, should be:
Gain margin: 6.0 dB and Phase margin: 45 degrees
For actuators installed in the aircraft and driving an aerodynamic control surface, the minimum stability margin for actuator
and the associated flexible aircraft modes should be:
Gain margin 8.0 dB and Phase margin 60 degrees.
NOTE: In this context, the associated flexible aircraft modes are typically bending or torsional modes of the control
surface and stiffness of the actuator attachment backup structure. Stability requirements for the overall closed
loop VMS including aircraft structural modes are defined in 3.2.1.4.1.
3.5.5.1.6 Operational Temperature Range
The prime contractor should specify the operational temperature range for the actuation subsystem. If preflight warming is
used to raise the minimum operational temperature, for functionality or performance reasons, the procuring activity should
approve any consequent operational impact.
3.5.5.1.7 Power Control Actuation Failure and Fail-Safe Provisions
FBW systems should include provisions to reduce the failure effects and ensure that Operational State IV is met after
failure of a control surface actuation system, such as the following:
a. Reconfiguration of the control law to use aerodynamic control power from the remaining operative surfaces to
override control moments generated by the failed surface.
b. Detection and isolation of the failures in accordance with the requirements of 3.2.1.10 and reversion to a fail-safe
mode such as damped bypass, powered to a neutral position or locked in the failed position.
3.5.5.2 Hydraulic Actuation Subsystems
3.5.5.2.1 Hydraulic Actuation Components
Hydraulic actuation components should be designed in accordance with AS8775 and program specific component
specifications and other documents as applicable.
3.5.5.2.1.1 Wiring Within Hydraulic Components
Electrical wiring within actuation components should be designed to provide robust protection so as to preclude damage
and/or degradation due to the ingress of water, cleaning and other fluids and to the specified environmental requirements
including but not limited to, temperature extremes, vibration and EMI. The prime contractor VMS Specification, 4.6.2,
should provide technical justification for wire gauges and installation, which may include prior successful use in
applications applying similar environments and similar wiring protection.
3.5.5.2.2 Actuating Cylinders

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
Actuating cylinders without control valves and feedback provisions in the same LRU/WRA should be designed in
accordance with MIL-PRF-5503, except that the life cycling requirements should be modified to reflect the specific usage
(see 3.4.2.1.7).

3.5.5.2.3 Hydraulic Actuation Mode Control
If hydraulic bypass of hydromechanical actuators is necessary to prevent fluid lock or excessive friction load or damping,
bypassing and resetting should occur automatically when system pressure drops below or returns to the minimum
acceptable value for actuation. Actuators employing solenoid-operated pilot valves driving spool valves to achieve mode
control, the change of mode required at loss of system pressure should occur automatically. The logic applied to control
the pilot valve state and govern reset should be specified by the prime contractor. If mode control is provided by spool
valves directly driven by electrical force motors, the logic governing both mode change and reset should be specified by
the prime contractor.
3.5.5.2.4 Hydraulic Motors
Hydraulic motors may be used to actuate relatively low-duty-cycle, noncritical flight control surfaces, such as wing flaps,
but specific approval from the procuring activity must be obtained before use in high duty cycle noncritical applications or
in any Essential or Flight Phase Essential application. They should be designed in accordance with AS7997.
3.5.5.2.5 Hydraulic Servoactuators
Hydraulic servoactuators should be designed in accordance with ARP1281. FBW servoactuators may be controlled by
Electrohydraulic Servovalves (EHSVs) designed in accordance with ARP490 or Direct Drive Valves (DDVs), designed in
accordance with ARP4493. If electrical-input hydraulic servoactuators having mechanical feedback of actuator position
are used, they should be designed in accordance with ARP988.
3.5.5.2.5.1 Hydraulic Servoactuator Electrical Loop Closure Circuitry
The design of the electrical loop closures for FBW servoactuators, whether centrally, locally or servoactuator located,
should meet the requirements of 3.4.5, 3.6.3, 3.6.5, and 3.6.6. Specific approval of the procuring activity must be obtained
for servoactuator mounting of electronics in Essential and Flight Phase Essential applications. For this location the
electrical loop closures should also be designed to meet the thermal, vibration and structural loading environment, the
thermal derating and any explicit thermal operating capabilities specified for the servoactuators by the prime contractor.
These may include continuous operation over a specified environmental and fluid temperature spectrum and range, cold
soak and startup, short term temperature overheat, fluid temperature shock and unpowered storage temperature
extremes.
3.5.5.2.5.2 Force to Clear Jammed Control Valves in FBW Servoactuators
All servoactuator control valve components should be designed for a load capability of 150% of the maximum force
capability of the EHSV or DDV. The minimum value for this chipshear capability should be specified by the prime
contractor after the consideration of factors that should include the required functional reliability, the functional criticality,
the redundancy within the servoactuator, the detail design of the servoactuator control valve, the surface redundancy and
the prior history of similar applications. The chip shear force can be minimized if:
a. The servoactuator controls include jammed valve failure detection, failure isolation and transition to a fail-safe
position.
b. Remaining control effectors can provide Operational State IV capability.
c. The maximum aircraft transients during jammed valve detection and isolation meet the requirements of 3.2.1.10 in the
Operational Flight Envelope, and do not cause the design structural loads to be exceeded anywhere in the Service
Flight Envelope.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`

3.5.5.2.5.3 Force to Clear Jammed Logic Valves in Servoactuators
All servoactuator bypass valves and other logic valves should be designed for an adequate chipshear force capability to
ensure that the potential for dormant failures that could cause hazard in the event of second failures is minimized. The
minimum value for this force should be specified by the prime contractor after the consideration of factors that should
include the required functional reliability, the functional criticality, the redundancy within the servoactuator, the detail
design of the logic valves, the surface redundancy and the prior history of similar applications.
3.5.5.2.5.4 Endurance Requirement for Hydraulic Servoactuators for Rotary Wing UA
The prime contractor, with the approval of the procuring activity, should establish detailed actuator load-stroke duty cycle
endurance requirements. For rotorcraft, the mean and oscillating loads imposed by the rotor system should also be
considered.
3.5.5.3 Electrical Actuation Subsystems
Electrical actuation is defined as any form of actuation that employs power generated and distributed by an electrical
rather than hydraulic or pneumatic power subsystem. These actuation subsystems are often referred to as Power-By-
Wire (PBW) subsystems, as defined by ARP4386. Essential or Flight Phase Essential applications require specific
approval from the procuring activity.
3.5.5.3.1 Electrohydrostatic Actuators (EHAs)
An EHA is an actuator configuration which uses a variable-speed-reversible electric motor to drive a fixed displacement
hydraulic pump coupled to a linear or rotary hydraulic actuator, together with the associated Power Drive Electronics
(PDE), as defined by ARP4386. EHAs should be specified in accordance with the applicable requirements of ISO 22072.
3.5.5.3.1.1 EHA Components
EHA components should be designed to the requirements of 3.5.5.2.1.
3.5.5.3.1.2 Wiring Within and to EHA Subsystems
Electrical power and signal wiring within actuation components should be designed to provide robust protection so as to
preclude damage and/or degradation due to the ingress of water, cleaning and other fluids and to the specified
environmental requirements including but not limited to, temperature extremes, vibration and EMI. The prime-contractor
VMS Specification, 4.6.2, should provide technical justification for wire gages and installation, which may include prior
successful use in applications applying similar environments and similar wiring protection. For high power electrical
actuation subsystems this justification must also be applied to the power wires to the subsystem.
3.5.5.3.1.3 EHA Actuating Cylinders
EHA actuating cylinders should be designed in accordance with MIL-PRF-5503, except that the life cycling requirements
should be modified to reflect the specific usage (see 3.4.2.1.7).
3.5.5.3.1.4 EHA Closed Hydraulic System
The EHA closed hydraulic system should include all of the elements required to prevent cavitation and overpressurization
under all operating conditions and storage temperatures, whether the actuator cylinder is balanced or unbalanced,
prevent thermal degradation of the fluid, prevent ferromagnetic particle contamination of the motor air gaps, permit mode
control to provide fail-safe functionality, enable fluid refilling and allow the specified life between refills. The accumulator
fluid level should be monitored and the status displayed for maintainer and/or operator actions.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5.5.3.1.5 EHA Servoactuators
EHA flight control servoactuators require a PDE to control and drive the electric motor, and control electronics to provide
output position control. The EHA plus the two types of control electronics comprise an EHA subsystem however they are
packaged. The electronics may be packaged separately or integrated together and may also be integrated with the EHA
WRA/LRU. The packaging arrangement should be specified by the prime contractor.
3.5.5.3.1.5.1 EHA PDE
The electrical interconnections between the EHA PDE and the EHA electric motor should allow the servoactuator to meet
the EMI requirements of 3.1.6 and should not negatively impact the servoactuator performance. The PDE enclosure
should comply with any Explosion Proof requirements applicable to the location of the PDE in the UA, as determined by
the prime contractor, under normal operating and failed conditions.
3.5.5.3.1.5.2 EHA Loop Closure Circuitry

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
The EHA loop closure circuitry should be designed to the requirements of 3.5.5.2.5.1.
3.5.5.3.1.6 EHA Endurance
The EHA should be designed to meet the wear and thermal conditions induced by the duty cycle for the application and
the installation environment. The prime contractor, with the approval of the procuring activity, should establish detailed
actuator load-stroke duty cycle requirements for design, thermal sizing and life (endurance) testing. The combination of
simultaneous load and stroke should be based on the best available data for the actual planned usage, preferably from
relevant flight test data but at least simulation data with estimated loads. The design conditions should include operating
requirements for ground checkout and maintenance. In addition to the load-stroke requirements, the vibration
environment of the installed actuator should be carefully understood and defined. For rotorcraft, the mean and oscillating
loads imposed by the rotor system should also be considered.
3.5.5.3.1.6.1 EHA Thermal Design Considerations
The applicable thermal design philosophy and all of its conditions and requirements should be specified by the prime
contractor and approved by the procuring activity. All thermal-critical areas of the EHA subsystem, including the PDE, its
switching devices, the signal-level electronics, the motor windings and fluid, and of the surrounding structure, should be
considered. The low-temperature exposure and startup effects should be included and, for high-duty-cycle applications,
including primary flight control applications, particular attention should be paid to the high temperature cases. The worst-
case conditions should be evaluated for continued EHA operation and survival and the long-term operational duty cycle
should be evaluated for EHA endurance and reliability. In addition, for protection against ignition of flammable gases, the
worst-case-condition surface temperature of EHA subsystems should not exceed the maximum temperature requirement
of 3.6.5.3. The prime contractor should provide a complete definition of the installation thermal environment and should
specify whether directed cooling is acceptable, the capacity of the cooling and the acceptable consequences of its
temporary absence.
3.5.5.3.1.6.2 EHA Thermal Analysis
The worst-case conditions including ground checkout and maintenance and operational duty cycles for the EHA
application should be specified by the prime contractor and employed for the derivation of the local heat generation
throughout the EHA and, in conjunction with the specified thermal environment, which should include all conduction,
convection and radiation paths, used to predict the temperature distribution throughout the EHA.
3.5.5.3.2 Integrated Actuation Package (IAP)
An IAP is an actuator configuration which uses a non-reversible electric motor, operating continuously at high speed to
drive a hydraulic pump that is coupled to a linear or rotary hydraulic actuator. There may also be associated Power Drive
Electronics (PDE), see 3.5.5.3.2.4 and 3.5.5.3.2.5 for variant designs.

3.5.5.3.2.1 IAP Components
IAP components should be designed to the requirements of 3.5.5.2.1.
3.5.5.3.2.2 Wiring Within and to IAP Subsystems
Wiring within IAP components and to IAP subsystems should be designed to the requirements of 3.5.5.3.1.2.
3.5.5.3.2.3 IAP Actuating Cylinders
IAP actuating cylinders should be designed in accordance with MIL-PRF-5503, except that the life cycling requirements
should be modified to reflect the specific usage (see 3.4.2.1.7).
3.5.5.3.2.4 IAP Closed Hydraulic System
Variant designs may employ either a variable displacement pump with its displacement controlled with an EHSV, DDV or
directly with an electric motor, or a pressure-compensated pump with its flow output controlled with an EHSV or DDV. The
IAP closed hydraulic system should include all of the elements required to prevent cavitation and overpressurization
under all operating conditions and storage temperatures, whether the actuator cylinder is balanced or unbalanced,
prevent thermal degradation of the fluid, prevent ferromagnetic contamination of the motor air gaps, permit mode control
to provide fail-safe functionality, enable fluid refilling and allow the specified life between refills.
3.5.5.3.2.5 IAP Servoactuators
Flight control IAP servoactuators typically employ a fixed-speed electric motor driven by aircraft a.c. bus voltage through
motor contactors and therefore do not require motor control PDEs but might require PDEs for power conditioning to be
part of the actuation subsystem. Loop closure circuitry provides control valve and output position control. The PDE
enclosure should comply with any Explosion Proof requirements applicable to the location of the PDE in the UA, as
determined by the prime contractor, under normal operating and failed conditions.
3.5.5.3.2.5.1 IAP Loop Closure Circuitry
The IAP loop closure circuitry should be designed to the requirements of 3.5.5.2.5.1.
3.5.5.3.2.6 IAP Endurance
The IAP should be designed to meet the wear and thermal conditions induced by the duty cycle for the application and
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.5.5.3.2.6.1 IAP Thermal Design Considerations
contractor and approved by the procuring activity. All thermal-critical areas of the IAP subsystem, including any power
electronics and signal-level electronics, the motor windings and fluid, and of the surrounding structure, should be
considered. The low temperature exposure and startup effects should be included and, for high-duty-cycle applications,
case conditions should be evaluated for continued IAP operation and survival and the long-term operational duty cycle
should be evaluated for IAP endurance and reliability. In addition, for protection against ignition of flammable gases, the
worst-case-condition surface temperature of IAP subsystems should not exceed the maximum temperature requirement

temporary absence.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5.5.3.2.6.2 IAP Thermal Analysis
The worst-case conditions including ground checkout and maintenance and operational duty cycles for the IAP
throughout the IAP and, in conjunction with the specified thermal environment, which should include all conduction,
convection and radiation paths, used to predict the temperature distribution throughout the IAP.
3.5.5.3.3 Electromechanical Actuators (EMAs)
The EMA is defined as an electrical actuator comprising an electric motor that is coupled to the load positioning element
either directly or through a mechanical power train, together, with an associated PDE, as defined by ARP4386. EMAs are
frequently used for UA primary and secondary flight control actuation.
3.5.5.3.3.1 EMA Components
EMA Components should be designed in accordance with MIL-STD-7080, the applicable requirements of 3.5.5.4 and
program specific component specifications and other documents as applicable.
3.5.5.3.3.2 Wiring Within and to EMA Subsystems
Wiring within EMA components and to EMA subsystems should be designed to the requirements of 3.5.5.3.1.2.
3.5.5.3.3.3 EMA Servoactuators
Flight control EMA servoactuators require a PDE to control and drive the variable speed electric motor and EMA loop
closure circuitry to provide motor velocity and output position control. The EMA plus the two types of control electronics
comprise an EMA subsystem however they are packaged. The electronics may be packaged separately or integrated
together and may also be integrated with the EMA WRA/LRU. The packaging arrangement should be specified by the
prime contractor.
3.5.5.3.3.3.1 EMA PDE

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
The electrical interconnections between the EMA PDE and the EMA electric motor should allow the servoactuator to meet
the EMI requirements of 3.1.6 and should not negatively impact servoactuator performance. The PDE enclosure should
comply with any Explosion Proof requirements applicable to the location of the PDE in the UA, as determined by the
prime contractor, under normal operating and failed conditions.
3.5.5.3.3.3.2 EMA Loop Closure Circuitry
The EMA loop closure circuitry should be designed to the requirements of.
3.5.5.3.3.3.3 EMA Bottoming Loads
The EMA should be designed such that mechanical components should provide the control surface stop function. The
control laws requirements in 3.5.5.6.1 include command position limiters that prevent mechanical bottoming during normal
operation. The actuation system should be capable of withstanding the worst-case end of stroke impact loads. In the
event that the kinetic energy of the actuation system installed in the aircraft is too great to be adequately absorbed by the
surface stops, electronic velocity limiting and/or kinetic energy absorbers or snubbers may be used to reduce the velocity
of the actuator gradually at the end of the stroke. The EMA powerscrew should be compliant with the criteria defined in
3.5.5.4.1.1.

3.5.5.3.3.4 EMA Endurance
The EMA should be designed to meet the wear and thermal conditions induced by the duty cycle for the application and
3.5.5.3.3.4.1 EMA Thermal Design Considerations
contractor and approved by the procuring activity. All thermal-critical areas of the EMA subsystem, including the PDE, its
switching devices, the signal-level electronics and the motor windings, and of the surrounding structure, should be
considered. The low temperature exposure and startup effects should be included and, for high-duty-cycle applications,
case conditions should be evaluated for continued EMA operation and survival and the long-term operational duty cycle
should be evaluated for EMA endurance and reliability. In addition, for protection against ignition of flammable gases, the
worst-case-condition surface temperature of EMA subsystems should not exceed the maximum temperature requirement
temporary absence.
3.5.5.3.3.4.2 EMA Thermal Analysis
The worst-case conditions including ground checkout and maintenance and operational duty cycles for the EMA
throughout the EMA and, in conjunction with the specified thermal environment, which should include all conduction,
convection and radiation paths, used to predict the temperature distribution throughout the EMA.
3.5.5.3.3.5 EMA Failure Modes
The mechanical power train of an EMA requires special consideration with respect to failure modes, including open and
jam type failures.
3.5.5.3.3.5.1 EMA Flutter Considerations
EMA controlling flutter prone control surfaces should have fault accommodation features to prevent flutter after a total loss
of actuator control functionality or a total loss of electrical power to the actuator. These accommodations may include
features such as brakes to hold the surface at a pre-determined position or damping provided by shorting motor windings
on permanent magnet-type motors.
3.5.5.3.3.5.2 EMA Jam Failures
The prime contractor should evaluate the criticality of jamming of an EMA with respect to the integrity of the VMS and
probability of loss of mission or control and should consider either a tolerant control surface configuration such as split
surfaces, or the acceptability of the probability of jamming with respect to the UA mission and safety requirements.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5.5.4 Mechanical Actuation Subsystems
Mechanical actuation subsystems are defined as any form of actuation that employs mechanical components to distribute
power from a power source to a surface or set of surfaces. The sub-system may also include safety and sensing devices.
Power sources may be electrical, hydraulic or pneumatic. The actuation components may be rotary actuators, linear
actuators, rods, bellcranks and links. The mechanical power distribution may employ push-pull rods, torque tubes, flexible
shafts, angle and other gearboxes. Safety devices may include various forms of brakes, clutches, overspeed protection,
symmetry protection, and overload protection, feel devices, gain or ratio changers, and other devices. Sensing devices
may include surface position, drivetrain position, speed, temperature, and others. For push-pull rod power distribution and
actuation, the requirements specified in 3.6.2 and subparagraphs apply. For primary flight control applications the prime
contractor should perform an analysis to develop requirement for mechanical actuation for inclusion in the VMS
Specification, 4.6.2. This analysis should include reliability, an FMEA including jams and opens, and a safety assessment.
Specific approval from the procuring activity must be obtained before use of such subsystems in Essential and Flight
Phase Essential applications.
3.5.5.4.1 Mechanical Force Transmitting Actuation
Mechanical force transmitting actuators are actuators that convert their input power to linearly acting mechanical force at
the surface. These actuators include sliding and rolling contact powerscrews. For subsystems that distribute power
mechanically to these linear actuators the requirements contained in the subparagraphs of 3.5.5.4.2 apply.
3.5.5.4.1.1 Force Transmitting Powerscrews
Powerscrews with rotary input and linear output motion may be used to actuate relatively low-duty-cycle flight control
surfaces, such as wing flaps and trimmable stabilizers but the prime contractor should provide specific justification to the
procuring activity before use in primary-flight-control-type duty cycle applications. Powerscrews should include non-
jamming mechanical stops to prevent disengagement of the nut at each end of its travel. These stops should be designed
to meet the load requirements of 3.5.5.6.1.1. Provisions should be incorporated into the nut to minimize entry of sand,
dust, and other contaminants; to retain its lubricant; and to preclude the entry or retention of water. The nut should also
include provisions for ice breaking. However, positive sealing and ice breakers are not required if the screw is installed
such that it is protected from such contamination, or ice, or is inherently resistant to wear and jamming by contamination,
or ice.
3.5.5.4.1.1.1 Sliding Contact Powerscrews
Any deviation from the use of standard Acme thread forms should be approved by the prime contractor. The thread roots
should be rounded as necessary to preclude stress cracking. Lubrication provisions should be adequate for controlling
efficiency, wear, and heating to acceptable values. Where in-service lubrication is necessary, lube fittings in accordance
with 3.6.2.4 should be provided. If the design is dependent on inherent friction to maintain irreversibility, this characteristic
must be adequate under all expected operating conditions, including the full range of loads, both steady loads and
reversing or variable-magnitude loads which may be encountered due to control surface buffeting or buzz, temperatures,
and environmental vibration over the full service life of the unit.
3.5.5.4.1.1.2 Rolling Contact Powerscrews
Rolling contact screws include all screws where the contact between the nut and the screw employs rolling elements to
transmit power. Rolling contact powerscrews include roller screws and ballscrews. The use of any rolling contact screw
other than ballscrews for any flight control application should be approved by the procuring activity. Ballscrews should
employ an adequate number of balls and ball circuits to keep individual ball loading within allowable non-brinelling limits.
On units used in Essential and Flight Phase Essential applications, at least two separate independent ball circuits should
be incorporated.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5.5.4.1.1.3 Horizontal Stabilizer Trim Actuators (HSTA)
Aircraft with horizontal stabilizers adjustable in their angle of incidence for pitch trim, may use sliding or rolling contact
powerscrews for this function. The requirements of 3.5.5.4.1.1 should therefore apply to HSTA design. The HSTAs should
employ dual load paths when dictated by the requirements of 3.4.2 and the following additional requirements should then
apply:
a. If a ballscrew is used in the HSTA primary load path, the ballscrew should have more than a single thread start.
b. If a ballscrew is used in the HSTA primary load path, each thread start and its associated circuits should be capable
of withstanding static limit load after at least one-half an aircraft life of flight cycles.
c. HSTA dual load path structure that is subject to wear should have a discernible first load-path-open-type failure. A
discernible failure is a failure noted within a single flight through obvious changes in aircraft flight characteristics, an
actuator fault indication or during pre- or post-flight checks.
d. The HSTA secondary load path should be capable of supporting continued safe flight and landing after failure of the
primary load path until the primary load path failure is detected and corrected.
e. The secondary load path should be unloaded during normal operation.
f. Degradation of the HSTA secondary load path should be detected before its load-carrying capacity falls below limit
load.
g. No failure conditions, including common mode and adverse wear, should be allowed to disable all load paths without
detection.
HSTAs should provide the following failure performance:
1. No single failure within an HSTA system, regardless of probability, should result in loss of irreversibility.
2. No single failure within an HSTA system, regardless of probability, should cause stabilizer motion and also inhibit
shutdown functions.
3. The probability of the following uncommanded motion and position integrity-type failures should comply with the flight
safety requirements of 3.1.1.3:
a. The probability of uncommanded stabilizer motion greater than 1.0 degree as a result of loss of irreversibility.
b. The probability of loss of all HSTA position data.
c. The probability of erroneous HSTA position data.
4. The probability that HSTA system failures result in total loss of stabilizer trim capability should comply with the
Mission Accomplishment Reliability requirements of 3.1.2.1.
3.5.5.4.2 Mechanical Torque Transmitting Actuators
Mechanical torque transmitting actuators are actuators that convert their input power to mechanical torque at the surface.
These actuators include, torque tube systems, geared actuators, and self-contained screw-and-arm type actuators.
Backlash accumulation should not prevent the system from performing its required function throughout the service life of
the aircraft.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5.5.4.2.1 Torque Tube Subsystems
All torque tubes should be coupled through jackshafts mounted to structure on antifriction bearings spaced at close
enough intervals and with sufficient misalignment capability to prevent undesirable bending or whipping of the tubes. In
addition, the prevention of spark generation in fuel system areas should be given careful consideration in the detail
design. Torque tubes which are exposed to possible misuse, such as support for maintenance personnel, should be
shielded from such misuse or should be of adequate stiffness to prevent damage to the installation. Each torque tube in a
linked run of tubes should be removable and reinstallable in the aircraft without disturbing the support, component, or
other interfacing system element at either end of the torque tube. Guards which are capable of containing a broken torque
tube against thrashing should be installed in appropriate locations to prevent damage to wiring, tubing, and other
equipment. The rated operating speed of a torque tube system should be not greater than 75% of the critical speed.
3.5.5.4.2.1.1 Torque Tubes
Torque tubes should have a minimum wall thickness of 0.035 in (0.9 mm) and should be seamless, except that steel
tubes, seam welded by the electrical resistance method, may be used.
3.5.5.4.2.1.2 Torque Tube End Fitting Attachment Methods
End fittings may be attached by riveting, bolting, swaging, welding or electromagnetic forming.
3.5.5.4.2.1.3 Torque Tube Slip Joints
Adequate engagement should be provided to insure that disengagement will not occur under all expected operating
conditions, or due to buildup of adverse manufacturing and installation tolerances.
3.5.5.4.2.1.4 Universal Joints
Universal joints should be in accordance with MIL-DTL-6193, as specified in AFSC Design Handbook DH 1-2, General
Design Factors, Section 4C, Universal Joints, and should not be used for angularities greater than specified therein or
recommended for the specific component by the manufacturer.
3.5.5.4.2.1.5 Bearing and Gearbox Loading
The antifriction bearing mountings and the gearbox brackets should have sufficient side load capability to accommodate
the worst-case shaft spline sliding force, to prevent secondary damage in the event of a jam elsewhere in the system.
3.5.5.4.2.2 Gearing
All gearboxes used in actuating systems should be designed in accordance with ARP4058.
3.5.5.4.2.3 Flexible Shafting
Flexible shafting may be used providing that minimum bend radii, rated rotational speed, and rated torque are not
exceeded, and that extreme temperatures and other operational variations and environments do not cause binding. It
should be designed to withstand the inertial loads produced by the mechanical system during its maximum acceleration
reversals. It should be sealed to protect against the ingress of water, cleaning and other fluids and against all anticipated
environments for the application, should be installed with the fewest possible bends and should be securely fastened to
supporting structure at close intervals.
3.5.5.4.2.4 Helical Splines
Involute helical splines should use only the American Standards Association (ASA) standard tooth forms Numbers 1
through 5. Ballsplines should meet the requirements specified in 3.5.5.4.2 for ballscrews.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5.5.4.2.5 Rotary Mechanical Actuators
Rotary mechanical actuators used with a through-shaft which attaches to torque tubes at both ends, thus serving as a
portion of the torque distribution system, should be capable of reacting full system torque in both the forward direction
(due to a jam anywhere in the system) or in the backdriving direction (due to overrunning load), unless provided with a
torque limiter and no-back brake or other devices which would preclude such loading. All geared rotary mechanical
actuators should be designed in accordance with ARP4058.
3.5.5.4.2.6 Torque Limiters
Where used, torque limiters designed to slip or lock to adjacent structure should be properly located in the transmission
system to prevent drive loads in excess of control surface limit load from being transmitted past the limiter in the event of
overload or jamming. The rate of application of the limiter(s) and the spring rate of the transmission system should be
matched so that the stress in any member due to sudden application does not exceed its yield strength.
3.5.5.4.2.7 No-Back Brakes
No-back brakes should prevent back driving (or feedback) forces imposed on the output of an actuating mechanism from
being converted to torques which can cause the input shaft to rotate. In no-back brakes of the heat dissipative type,
provisions should be included to distribute heat generated by the brake so that temperature limitations are not exceeded.
No-backs should be designed to be non-jamming over the full temperature range required by the detailed specification,
including the effects of any such local heat generation.
3.5.5.5 Pneumatic Actuation
The use of pneumatic actuation systems for VMS applications should be recommended by the prime contractor and
approved by the procuring activity.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.5.5.6 Interfaces Between Actuation Subsystems, Support Structure, and Control Surfaces
3.5.5.6.1 Control Surface Stops
Surface stops should be provided at each flight control surface by the associated actuation subsystem to positively limit
its range of motion. The stops should prevent damage to the control surface and the associated structure and provide
personnel safety when the aircraft is on the ground. Stops should be located so that miss-rigging, wear, or adjustments
will not adversely affect the control characteristics of the aircraft because of a change in the range of surface travel. Each
stop should be able to withstand any loads corresponding to the design conditions for the control system. For FBW
actuation subsystems, the control laws should include command position limiters that prevent mechanical bottoming
during normal operation. The design of these limiters should consider the stackup of mechanical and electronics
tolerances, as well as the overtravel required to allow electronic rigging.
3.5.5.6.1.1 Stops for Linear Actuation
Where linear actuators, hydraulic, electrical, pneumatic or mechanical, are attached directly to the control surface, stops
should be provided within the actuator. Such actuators should not only be designed for maximum torsional and axial
impact loads, but also for the cumulative fatigue damage due to load cycling predicted during flight and due to bottoming
during ground checkout and taxiing.
3.5.5.6.1.2 Stops for Rotary Actuation
For mechanical actuation systems employing rotary actuators, a system stop at the drivetrain level should be provided.
Such actuators and system stops should not only be designed for maximum impact loads, but also for the cumulative
fatigue damage due to load cycling predicted during flight and due to bottoming during ground checkout and taxiing.

3.5.5.6.1.3 Adjustable Stops
All adjustable stops should be positively locked or safety wired in the adjusted position. Jam nuts (plain or self-locking
type) are not considered adequate as locking devices for this application.
3.5.5.6.2 Control Surface Ground Gust Protection
All flight control surfaces should have provisions to prevent damage from the ground wind loads specified in MIL-A-8865.
3.5.5.6.2.1 Control Surface Locks
Where control surface locks are used, the lock system should be internal within the aircraft. External locks may be used
for rotorcraft rotors. The locks should either engage the surfaces directly or lock the controls as near to each surface as
practicable and should be spring-loaded to the unlocked position. Control surface locks should be designed to preclude
attempting takeoff with controls locked. The system design should prevent any control modes from selecting or de-
selecting in-flight engagement of any surface locks.
3.5.5.6.2.2 Protection Against In-flight Engagement of Control Surface Locks
Control surface ground gust locks and their controls should be designed to preclude their becoming engaged during flight.
3.5.6 Display and Annunciation
The UA VMS should support the CS displays and annunciation.
3.5.6.1 In-flight Monitoring
Continuous in-flight monitoring of equipment performance and critical flight conditions should be active during all modes
of operation and should meet the requirements of 3.1.1.4. All detectable flight critical failures should be monitored for
annunciation by the CS. False monitoring warnings, including the automatic or normal operator response thereto, should
not constitute a specific hazard in excess of the system reliability requirements.
3.5.6.2 VMS Warning and Status Information
The VMS should support annunciation at the CS, designed to clearly indicate the severity and associated degree of
urgency:
a. WARNING - Immediate action required. Used for operating procedures, practices, conditions, etc., which may result
in loss of aircraft, injury or death, if not carefully observed or followed.
b. CAUTION - Action may be required. Used for operating procedures, practices, conditions, etc., which may result in
damage to equipment if not carefully observed or followed.
c. ADVISORY - Informational, no immediate action required.
3.5.6.3 Failure Status
The VMS should support CS failure annunciation sufficient to allow the operator to assess the operable status of the
VMS, including which modes are engaged and which been automatically disengaged, what degree of control is retained
and what operator action is required.
3.5.7 Sensors
Sensors should be installed at locations which minimize exposure to conditions which could produce failures or undesired
output signals. Careful attention should be given to the location and installation details of all sensors to ensure that they
provide signals of the quality necessary for the VMS without distortion due to undesirable structural modes, cross axis
coupling, or environmental effects.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

3.5.7.1 Motion Sensor Subsystems
The sensor system should be designed to be compatible with all applicable paragraphs of 3.1. The use of any
unconventional sensor configurations should be recommended by the prime contractor and approved by the procuring
activity. Data transmission from the sensors should minimize time delays in order to insure compliance with 3.2.
3.6 Component Design and Fabrication Recommendations
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.6.1 General Component Recommended Requirements
3.6.1.1 Choice of Components
Where practicable, systems, subsystems, or components that are in operational use today should be used in lieu of
design and developing new hardware. This existing hardware must meet the requirements of this specification and the
detail equipment specification. The order of preference should be:
a. In operational use by a branch of the United States military services.
b. Certified by a government agency for commercial aircraft.
3.6.1.2 Standardization
Where practical, prime-contractor designed equipment which has been approved for use in some models of aircraft
should also be used in later model aircraft if the installation and requirements are similar. Tolerances should be such that
interchange of any LRU/WRA with any other part bearing the same part number should not require resetting of
parameters or readjustment of other components in order to maintain overall tolerances and performance, with the
exception of mechanical system rigging.
3.6.1.3 Interchangeability
Regardless of the manufacturer or supplier, like assemblies, subassemblies, and replaceable parts should meet the
requirements of MIL-I-8500. Items which are not functionally interchangeable should not be physically interchangeable.
Tolerances should be such that interchange of any computer component, module, or LRU/WRA with any other part
bearing the same part number should require only minimum resetting of parameters or readjustment of other components
in order to maintain overall tolerances.
3.6.1.4 Selection of Specifications and Standards
Specifications and standards for necessary commodities and services not specified herein should be in accordance with
the Aircraft Detail Specification.
3.6.1.5 Identification of Product
Equipment components, assemblies, and parts of VMS should be identified in accordance with MIL-STD-130.
3.6.1.5.1 Inspection Seals
Corrosion resistant metallic seals should be provided at all strategic locations to indicate assembly inspection and any
unauthorized disassembly.
3.6.1.6 Workmanship
Workmanship of the VMS should be of sufficiently high grade to insure proper operation and service life of the system and
components. The quality of the items being produced should be uniformly high and should not depreciate from the
qualification test items.

3.6.1.7 Foolproof Protection
All components of the VMS should be designed so that incorrect assembly and reversed operation is impossible.
Direction of operation and other essential information should be conspicuously labeled.
3.6.1.8 Ground Operation
Components which, when operated during ground testing, are expected to be subject to high or low temperatures, should
be designed that such temperatures will not damage or impair the components. This should include the temperatures that
can be generated by operating states encountered during extended maintenance activities. Using externally operated
forced cooling or other similar cooling aids should be considered in the design only upon approval of the procuring
activity.
3.6.2 Mechanical Components
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
Mechanical components not covered by design requirements specified elsewhere within this specification should be
designed in accordance with applicable requirements in: Government and Industry specifications, in the order of
precedence specified in; in AFSC Design Handbooks DH 2-1, DN 3B1, Mechanical Flight Controls; and DH 1-2, General
Design Factors.
3.6.2.1 Structural Fittings
All structural fittings used in VMS should comply with the design requirements specified in AFSC Design Handbook DH
1-2, Design Note DN 4B1, Design Requirements, and where applicable the design considerations specified in Design
Note DN 4B2, Forgings and Castings.
3.6.2.1.1 Fail-Safe
Components subject to fatigue loads should not only be designed to the safe-life requirements specified in the Aircraft
Detail Specification, but also should be designed fail-safe. Fail-safe design should be achieved through either a redundant
load path, a failure warning system, or a damage tolerant/free design.
3.6.2.2 Moisture Pockets
All components should avoid designs which result in pockets, wells, traps, and the like into which water, condensed
moisture, or other liquids can drain or collect. If such designs are unavoidable, provisions for draining should be
incorporated.
3.6.2.3 Temperature Range of Mechanical Components
Mechanical components not covered by design requirements specified elsewhere should be designed to withstand
ambient temperatures in the range of - 65 °F (- 54 °C) to 203 °F (+ 95 °C) and operate in a range of - 65 °F (- 54 °C) to
160 °F (+ 71 °C).
3.6.2.4 Lubrication
Where applicable, lubrication fittings, in accordance with AS35411, and AS15002, or NAS 516 should be installed in
accordance with MIL-HDBK-838. NAS 516 fittings should be restricted to non-stressed areas only. Where lubrication
fittings are used venting of the lubricated cavity, or other appropriate means, should be employed to avoid excessive
build-up of internal pressure and possible damage to the unit. The prime contractor should specify the need for periodic
lubrication, when appropriate, and the servicing interval.
3.6.2.5 Wear Life
Mechanical elements of the VMS should be designed to the wear life and the replacement or renewal requirements of
3.4.2.1.7. Also, electronic and other non-mechanical LRUs/WRAs should also comply with the life requirements of
3.4.2.1.7.

3.6.3 Electrical and Electronic Components
VMS electrical and electronic components, assemblies, LRUs and WRAs not covered by design requirements
recommended elsewhere within this document should be designed in accordance with the guidance provided in MIL-
HDBK-454, MIL-STD-461, MIK-HDBK-5400, the requirements of DO-254, and the subparagraphs below:
3.6.3.1 General
The VMS electronics should be designed and built to withstand all induced and natural environments such as lightning,
EMI, electrostatic discharge, shock, vibration, temperature, pressure, humidity, etc. Redundancy should be employed
when necessary to achieve the PLOC and survivability requirements of the air vehicle. Reliability, maintainability,
supportability, simplicity, and survivability should be major design parameters. Additional consideration of any required
nuclear, chemical, biological, and TEMPEST criteria should influence the design as necessary and should be included in
the requirements. The complexity of the circuitry will depend on the mission and aircraft configuration. For complex
designs, an independent design review, such as sneak and first failure sneak analyses, is highly recommended. Isolation
of redundant channels, both physical and electrical, should be considered to provide a survivable system. Digital
electronic equipment is subject to the same guidance as above with extra consideration given to sampling times and
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
increased lags, plus processes for development and certification of programmable logic devices in accordance with DO-
254. For both analog and digital hardware, elimination of single-point failures is of primary concern.
3.6.3.2 Component Ratings
In cases where safety-critical VMS electronic components are required to operate in thermal conditions beyond the
component manufacturer’s published specifications, including emergency loss of cooling scenarios, the components in
question should be 100% up-screened at the expected worst case temperature condition, or the entire SRA, WRA or LRU
tested to this worst case condition as part of the normal production ESS testing.
3.6.3.3 Avoiding Premature Obsolescence
Components, firmware generation and support programs, and other technologies going into the VMS electronic hardware,
should be easily available on the open market. No parts should be predicted to become obsolete for at least ten years
after initial VMS production. Specialized hybrid/low production run components should be avoided. The contractor should
provide an analysis of system parts obsolescence, giving the parts which will become obsolete first, and the logistics plan
to keep the system maintained and producible after that happens.
3.6.3.4 Growth
A 25% growth capability is recommended for spare SRA slots in LRUs/WRAs, power supply capability and cooling
capability to support growth over the weapons system life cycle.
3.6.3.5 Solderless Wrap Wiring
Solderless wrap wiring, for internal wiring, should be used only to the extent approved by the Aircraft Detail Specification.
3.6.3.6 Insulation System Design
The VMS component electrical insulation system should be designed to the following Dielectric Strength and Insulation
Resistance requirements.

3.6.3.6.1 Dielectric Strength
The dielectric strength requirements should provide assurance that the VMS component parts will operate safely at their
rated voltages and withstand over-potential due to the higher voltages typically caused by switching, surges and similar
events. The dielectric stress voltage, voltage tolerance, test time and maximum leakage current applicable to each
specific VMS subsystem, LRU/WRA, and component should be defined by the prime contractor and documented in the
VMS Specification, 4.6.2. These requirements should be based on MIL-HDBK-454 and MIL-STD-202 and their applicable
referenced documents. No breakdown of insulation or air gap should occur when tested to these requirements. Dielectric
failure is evidenced through arcing, flashover, or other evidence of insulation breakdown. Failure is also indicated by
fluctuations in leakage current, steady increase in leakage current, or leakage current of more than the specified value at
the rated test voltage. When multiple applications of dielectric stress voltage are required by testing performed at the
component, subassembly and deliverable assembly level, followed by repair and rework, the initial application should be
at the rated test voltage and subsequent applications at a reduced potential not less than one-half of rated. Testing should
be performed between all mutually insulated circuits and between all circuits and case.
For systems employing 270 V DC power, conductor separation within connectors and WRA/LRU circuitry including
printed wiring boards, insulation and component mounting should be sufficient to preclude arcing or dieletric breakdown,
including the effects of altitude on air breakdown voltage levels (Paschen's Law).
3.6.3.6.2 Insulation Resistance
When 500 V DC ± 25 V DC is applied between all mutually insulated circuits and between all circuits and the case or
connector shell for a period of 2 min for qualification or 10 s for production acceptance testing, the resistance should be at
least 100 MΩ. The testing should be performed per the applicable requirements of MIL-STD-202.
3.6.3.7 Burn-In
All electronic LRUs/WRAs should be subjected to burn-in testing after the original acceptance testing and prior to
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
installation. The minimum number of hours of burn-in should be determined by the reliability requirements. The
performance after burn-in should meet the normal Acceptance Test Procedure requirements.
3.6.3.8 Position Sensors
3.6.3.8.1 Potentiometers
Wire wound potentiometers should not be used for VMS applications. The use of other types of potentiometers, such as
multi-wiper conductive polymer potentiometers, for such flight critical applications as position loop closures in lieu of
Linear Variable Differential Transformer (LVDTs), should be subject to the approval of the procuring activity. The prime
contractor should establish detailed potentiometer requirements for each VMS subsystem application to ensure the most
effective installation and integration and the required VMS performance. Particular attention should be paid to the
definition of:
a. The installation into the VMS subsystem; including the selection of single or multiple channel potentiometers and their
assembly, construction, mechanical design and envelope.
b. Electrical characteristics such as; excitation voltage, input power, input and output impedance, load, and impedance
of aircraft wiring between the VMS electronics and the sensor.
c. Output voltages, sensitivity and noise immunity including the following considerations:
1. Use of a 5-wire interface to include two sense signals; defined as the excitation and return voltage measured at
the input to the servoactuator and provided back to the VMS electronics to provide an absolute reference for
compensation for line losses and temperature effects.
2. Use of digital noise filters including a high resolution Analog-to-Digital (A/D) converter with oversampling
capability to minimize noise effects.

3. Use of an isolated stable excitation reference voltage.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

d. The required potentiometer performance, including the accuracy and linearity, inclusive of mechanical backlash of the
potentiometer, and, for multiple channel units, cross channel tracking over the entire stroke, as installed in the
servoactuator.
3.6.3.8.2 Linear Variable Differential Transformers (LVDT) and Rotary Variable Differential Transformers (RVDT)
The prime contractor should establish detailed LVDT or RVDT requirements for each VMS subsystem application to
ensure the most effective installation and integration and the required VMS performance. Particular attention should be
paid to the definition of:
a. The installation into the VMS subsystem; including the selection of single or multiple channel sensors and their
assembly, construction, mechanical design and envelope.
b. Electrical characteristics such as excitation voltage and frequency, excitation wave form, input power, residual null
and quadrature voltage and, because of the potential impact on gain and hence tracking for multiple channel
applications, input and output impedance. This should include the definition of the load and impedance of aircraft
wiring between the VMS electronics and the sensor, including the nominal capacitance and tolerance values for any
EMI filters or filter pin connectors employed.
c. The type of demodulation and monitoring to be used and therefore the number of sensor leads and the type of
winding, together with the significance of the input and output phase relationships.
d. The control of the intermodulation products for multiple channel applications by the use of adequate shielding or
excitation frequency separation.
e. The required sensor performance, including the accuracy, linearity and tracking over the operational temperature
range.
3.6.3.8.3 Alternative Transducer Types
Hall Effect devices are customarily used for commutation of the motors used in PBW subsystems.
The use of alternative types of transducer should be subject to justification, including the consideration of effects such as
failure detection and accommodation, contamination and life.
3.6.3.9 Electrical Tape
No pressure sensitive (adhesive or friction) fabric or textile tape should be used.
3.6.3.10 Switches
The design of special electric/mechanical switches, other than toggle switches, should be subject to the approval of the
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
procuring activity.
3.6.3.11 Thermal Design of Electrical and Electronic Equipment
Wherever feasible, components should be designed with heat-dissipating efficiency adequate to allow simple conductive,
radiation, and free convection cooling utilizing the ambient heat sink to maintain the components within their permissible
operating temperature limits. Operation under specified conditions should not result in damage or impairment of
component performance.
3.6.4 Assembly Design
3.6.4.1 Mechanical Joining
Individual parts may be mechanically joined with removable fasteners, or by riveted or threaded connections, or by
qualified methods for permanent joining.

3.6.4.1.1 Joining with Removable Fasteners
All removable fasteners should be selected and used in accordance with the applicable requirements specified in AFSC
Design Handbook DH 1-2, Design Notes 4A1, General Requirements, 4A3, Bolts, Nuts, and Washers; 4A4, Screws; 4A5.
Pins; and 4A6, Other Fasteners except as follows:
a. Bolts smaller than 0.25 in (6.3 mm) in diameter should not be used to make single bolt connections or connections
essential to proper functioning of the component.
b. Locknuts using pressure fingers in a bolt groove as a retention method should not be used.
c. Each removable bolt, screw, nut, pin, or other removable fastener, the loss of which would degrade operation below
VMS Operational State III, should incorporate two separate locking or retention devices either of which must be
capable of preventing loss of the fastener by itself and retain it in its proper installation with the other locking or
retention device missing, failed, or malfunctioning. Where self-retaining bolts are used, their selection and installation
should be within the limitations of NASM33602, and only one type I should be used in any given system.
d. No self-locking nut may be used on any bolt subject to rotation in operation unless a non-friction-locking device is
used in addition to the self-locking device.
e. Lockbolts listed in AFSC Handbook DH 1-2, Design Note 4A5, Swaged-Collar- Headed Straight Pins and Collars,
may be used for fastening applications not requiring removal on the aircraft.
f Bolts should be installed head up, nut down, where possible.
3.6.4.1.2 Joining with Rivets
Rivets for all riveted joints should be selected and used in accordance with the requirements specified in AFSC Design
Handbook DH 1-2, Design Note 4A2, Rivets.
3.6.4.1.3 Threaded Joints
All threaded joints should be provided with adequate wrenching and holding provisions for assembly and disassembly of
the joint before and after service use. Internal screw threads and external rolled threads should be in accordance with the
thread form requirements of AS8879. Pipe threads should not be used.
3.6.4.1.4 Joint Retention
All adjoining parts should be secured in a manner that will preclude loosening when subjected to internal or external loads
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
or vibration.
3.6.4.1.5 Retention of Threaded Joints
All threaded joints which carry critical loads should be positively locked in the assembled position so that load reversal at
the threads is prevented. The use of jam locknuts alone is not a positive locking means unless lockwired or otherwise
restrained.
3.6.4.1.6 Retention of Removable Fasteners
Unless restrained from moving by the attachment of adjoining parts, all removable fasteners should be positively locked in
place. Self-locking externally threaded fasteners should not be used except within the limitations specified in
NASM15981, and self-locking nuts should not be used except within the limitations specified in NASM33588. All other
types should incorporate positive locking means or be safetied with cotter pins in accordance with NASM24665, where
temperature and strength permit, or be safety wired. Cotter pins and safety wiring should be installed in accordance with
NASM33540.

3.6.4.1.7 Use of Retainer Rings
Retainer rings should not be used to retain loaded parts unless the rings are positively confined by a means other than
depending on internal pressure or external loads. They should not allow free-play which could result in structurally
destructive action or fatigue failure of the retained parts or failure of gaskets or packings.
3.6.4.2 Assembly of Electronic Components
3.6.4.2.1 Electrical and Electronic Parts Mounting
Electronic parts should be mounted so that ease of producibility and maintainability is assured. Whenever feasible, parts
such as resistors, capacitors, etc., should be mounted in an even, regular, row-type arrangement. These parts should be
mounted on a base so that the leads do not cross other leads or connections. Heavy electronic parts and assemblies
should be solidly mounted so that adverse effects when subjected to vibration and shock are minimized.
For surface mounted components, including ball grid arrays and "gull-leaded" parts, the coefficient of thermal expansion
of the printed circuit board materials should have a close match to that of the microcircuits to preclude solder fatigue.
Solder ball stress due to package dimensional change or warping over temperature should be considered for all ball grid
array applications. Mounting adhesives should not induce mechanical stress over the operating and storage temperature
range of the equipment. Metal package surface mount parts should not be mounted over printed circuit board "vias"
without using suitable insulation. All conductive mounting hardware should not overlap any circuit board traces under
worst-case manufacturing tolerances.
3.6.4.2.2 Shielding and Bonding on Finished Surfaces
Nonconductive oxides or other nonconductive finishes should be removed from the actual contact area of all surfaces
required to act as a path for electric current and from local areas to provide continuity of electrical shielding or bonding. All
mating surfaces should be clean and should be carefully fitted, as necessary, to minimize radio frequency impedance at
joints, seams and mating surfaces. The resultant exposed areas, after assembly at such joints or spots, should be kept to
a minimum.
3.6.4.2.3 Isolation of Redundant Circuits
Redundant circuits should be isolated from each other to preclude failure of one portion of the circuit from affecting any
other circuit.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.6.4.2.4 Electrical Connector Installation
The number of electrical connectors should be kept to a minimum within the required limitations for separation of
redundant circuits. Connectors should be mounted to preclude nuisance warning indications and intermittent operation
when subjected to applicable temperature differentials, vibration, and shock. They should be polarized so that it is
impossible to mismate them on a particular piece of equipment. Connectors should be installed in an orientation that
prevents water accumulation in any connector component. Vertically mounted connectors should be avoided whenever
possible.
3.6.4.2.5 Cleaning of Electrical Assemblies
All electrical assemblies should be thoroughly cleaned of loose, spattered, or excess solder, metal chips, or other foreign
material after assembly. Burrs, sharp edges and resin flash should be removed.
3.6.5 Component Installation
3.6.5.1 Basic Requirements
VMS components should be installed in compliance with the applicable requirements specified in AFSC Design
Handbook DH 1-6, Section 3J, Flight Control Systems, including Design Note 3JX, Safety Design Check List, and as
specified herein.

3.6.5.2 Locating Components
System components should be located to provide direct routing of the control system signal and power transmission
elements (cables, rods, lines, wires, etc.) in accordance with Design Note 3J1, Routing and Separation, only to the extent
that the components and transmission elements are not exposed to undue hazards.
3.6.5.3 Installation in Fuel System Areas
All component installations in fuel system areas should preclude the generation of sparks both during normal operations
and possible abnormal and failure conditions. In addition, for protection against the ignition of flammable gases, the worst-
case-condition component surface temperature should be determined by the prime contractor and documented in the
VMS Specification, 4.6.2.
3.6.5.4 Electrical and Electronic Component Installation
In addition to the requirements specified in AFSC Design Handbook DH 1-6, Section 3J, the applicable requirements in
Design Notes DN 3H1, Electrical/Electronic Safety Design Considerations and DN 3H2, Installation Safety Objectives,
should be met.
3.6.5.5 Electrical and Electronic Equipment Cooling
If cooling augmentation is required, the installation of flight control electrical and electronic equipment cooling should be
integrated with the cooling provisions for other electrical and electronic equipment. The requirements specified in AFSC
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
Design Handbook DH 1-6, DN 3H1; Temperature should be met. The prime contractor should assess the safety hazards
and operating limitations applicable over the Operating Flight Envelope that would result from failure of the primary
cooling system. The appropriate warnings should be implemented and emergency cooling such as ram air incorporated
as applicable.
3.6.6 Component Fabrication
High quality materials and workmanship and use of proven and controlled processes should be employed in the
fabrication of dependable VMS components. Special fabrication processes should be clearly specified on the detail
drawings and the fabrication instructions.
3.6.6.1 Materials
When Government specifications exist for the type material being used, the materials should conform to these
specifications. Non-specification materials may be used if it is shown that they are more suitable for the purpose than
specification materials. These materials should have no adverse effect upon the health of personnel when used for their
intended purposes. This requirement should be met for all probable failure modes and in the required environments.
3.6.6.1.1 Metals
Metals used in VMS components should be selected in accordance with the criteria and requirements specified in AFSC
Design Handbook DH 1-2, Design Note DN 7A1, Metals.
3.6.6.1.2 Nonmetallic Materials
Nonmetallic materials should conform to the requirements specified in AFSC Design Handbook DH 1-2, Design Note DN
7A2, Nonmetals.
3.6.6.1.3 Electric Wire and Cable
Electrical wire design and installation should be in accordance with AS50881. Airframe wire bundles may be constructed
in accordance with prime-contractor developed techniques provided such construction is approved by the procuring
activity.

3.6.6.2 Processes
3.6.6.2.1 Construction Processes
Heat treating, adhesive bondings, welding, brazing, soldering, plating, drilling, and grinding of high strength steels,
materials inspection, castings, forgings, sandwich assemblies, and stress corrosion factors used in the fabrication of VMS
components should comply with the requirements specified in AFSC Design Handbook DH 1-2, Design Note DN7B1,
Construction.
3.6.6.2.2 Corrosion Protection
All VMS component parts, except those inherently resistant to corrosion in the operational environments, should be
finished per AFSC Design Handbook DH 1-2, Design Note DN7B2, Corrosion.
3.6.6.2.3 Fabrication of Electrical and Electronic Components
The applicable requirements in AFSC Design Handbook DH 1-6, Design Note DN3H1, Electrical/Electronic Safety Design
Considerations, relating to the fabrication of electrical and electronic components should be met.
3.6.6.3 Identification
Equipment LRUs/WRAs subassemblies, components and parts of the VMS should be identified in accordance with MIL-
STD-130.
4. VERIFICATION AND VALIDATION

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
4.1 General Recommendations
4.1.1 Methods for Demonstration of Compliance
VMS compliance with each of the applicable requirements of the Aircraft Detail Specification or the VMS specification,
4.6.2, should be verified using one or more of the following methods. Except where a specific method is required,
selection of the method of proof should be made by the prime contractor subject to concurrence of the procuring activity.
The applicable sections and modifications to IEEE/EIA 12207 should be determined by the prime contractor and
documented in the Software and Firmware Development Plan, 4.6.1(h).
4.1.1.1 Analysis
Compliance with requirements in cases where testing or inspection would be hazardous or otherwise impractical may be
verified through analyses. These analyses may be linear or nonlinear, deterministic or probabilistic in nature, and may
include simulations, as best suited and adequate for the application. Where test verification is limited by test sample
considerations or is clearly inadequate, compliance should be verified by the appropriate analytical techniques. The
analytical methods to be employed should be defined in the VMS Development Plan in accordance with 4.6.1.
4.1.1.2 Inspection
Compliance with requirements associated with referenced component specifications, the physical arrangement of parts,
or the physical relationship of parts should be verified by inspection of documentation or inspection of the physical
installation. Documentation should include documents showing the qualification status of components which have been
qualified to the requirements specifications, or drawings showing clearances or other physical relationships. Where
applicable, VMS software and firmware specifications, documentation, and analyses should be inspected or reviewed by
the procuring activity as part of the verification process. The VMS Development Plan should define those requirements to
be verified through inspection. Unless otherwise specified the prime contractor may use his own or any other facilities
suitable for the performance of the inspection requirements specified herein.

4.1.1.3 Demonstration
Compliance with requirements where functional verification is predominantly determined by the observation of events
should be verified by Demonstration. Demonstration does not usually require measurements and data. When appropriate,
it includes the actual exercise of software together with appropriate drivers, simulators, or integrated hardware to verify
that the requirements have been satisfied. Demonstration requirements are defined within a test plan, operations plan or
test procedure.
4.1.1.4 Tests
To the largest extent possible, compliance with the quantitative requirements of the VMS Specification, 4.6.2, should be
demonstrated by tests. Tests should include hardware tests and, where applicable, software and firmware verification
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
tests, in the laboratory, with the aircraft on the ground and in flight, as defined in the VMS Development Plan, 4.6.1. In
conjunction with the Requirements Verification Plan of 4.6.2(c), the prime contractor should review the requirements,
determine the appropriate test facilities and methods for demonstrating specification compliance, and select compliance
methods and facilities to minimize test duplication.
4.1.1.5 Similarity
Components may be certified to be safe for flight because of prior documented qualification. The use of an existing
component from another aircraft may be allowed provided that the component design is identical to the previously
qualified part in all significant respects and that its ability to operate under all the conditions and to survive all the
potentially damaging test cases specified for its new application has been proven and documented.
4.2 Analysis Recommendations
Where compliance with specification requirements through analytical predictions is used, the prime contractor should
define the major assumptions and approximations used and verify that the modeling and analysis procedures used are
conservative. Verification should normally require prior use and validation through comparison with flight, wind tunnel or
ground testing data. In cases of digital flight control applications, validation should require comparison to simulation, or
emulation results obtained through the use of a general-purpose computer. Where digital mechanization is involved in the
VMS, pre-analysis of the simulation mechanization is required to assess its validity. The artifacts introduced by the
simulation mechanization used should be investigated to assess and minimize their effects on the simulation results. In all
cases, the prime contractor should establish tolerances on analytical predictions used to demonstrate compliance with
specification requirements. These tolerances should reflect anticipated variations in system or component characteristics,
such as:
a. Parameters that change with temperature, atmospheric pressure and other environmental factors
b. Parameters that change with failures or manufacturing tolerances
c. Parameters that critically affect system performance or stability
d. Parameters that are not accurately known (if they are significant)
e. Parameters that change as a result of aging or wear

4.2.1 Simulations
Simulations should be performed during VMS development to define and verify required functional characteristics and to
evaluate degraded mode effects. The simulation plan should be defined in the VMS Development Plan and should
include the number of operators and the conflict resolution methods to be used. As a minimum, the following simulations
should be accomplished:
a. Simulations using computer simulation of the VMS prior to hardware availability
b. Simulations using actual VMS hardware prior to first flight
c. Simulations of proposed software or firmware changes prior to their incorporation
4.2.2 Reliability and Failure Mode, Effects and Criticality Analysis
Reliability and Failure Mode, Effects and Criticality Analysis (FMECA) should be performed to demonstrate analytically
that the VMS satisfied the requirements of 3.1.1 and 3.1.2. When required by the procuring activity, the Reliability
Program Plan, following the guidelines of MIL-HDBK-781, should be used to define these analyses.
4.2.3 Vulnerability Analysis
An analysis should be performed to demonstrate analytically that the VMS meets the invulnerability requirements of
3.1.1.4 and 3.1.5.3. The prime contractor should establish and submit to the procuring activity a Vulnerability Analysis
Plan as part of the VMS Development Plan which defines analytical procedures to be used for the vulnerability analysis.
4.2.4 Maintainability Analysis
An VMS Maintainability Analysis should be accomplished as an integral part of the overall system analysis. This analysis
and the associated Maintainability Program Plan, prepared following the guidelines of MIL-HDBK-470, and included as
part of the VMS Development Plan, should be used to demonstrate analytically that the requirements of 3.1.4 are
satisfied.
4.2.5 System Safety Analysis
Hazards analyses should be accomplished as an integral part of the overall system analysis. These analyses and the
associated System Safety Program Plan, included as part of the VMS Development Plan, should demonstrate analytically
that the requirements of such paragraphs as 3.1.1.2, 3.1.5.3, and 3.1.3 are satisfied. MIL-STD-882 and ARP4761 should
be used for guidance.
4.2.5.1 Assessment of Average Risk of Hazard for Autonomous Landing
The average risk of a hazard due to use of autonomous landing should be established considering:
a. The effects of each failure and combination of failures on autonomous landing performance and the probability of their
occurrence
b. The effect of each relevant failure and combination of failures in systems operating concurrent with autonomous
landing on aircraft performance and the probability of the occurrence
c. The probability of the autonomous landing not performing within the required levels as specified in 3.2.5.3.5 taken in
conjunction with the probability that exceedance of those performance levels will result in a hazard
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

An assessment of autonomous landing safety should be compiled to correlate the reliability analyses. The assessment
should consist of the following:
1. An analysis of the average risk associated with autonomous landing
2. Analyses of specific risks incurred for unusual or limiting conditions
3. A description of assumptions and supporting rationale used to develop the preceding analyses
The average risks are defined as the risks incurred by autonomous landing under normal operational conditions. The
potential sources of these risks are comprehensive since many systems other than the VMS can cause conditions
contributive to a hazard during landing. The supportive analysis should include the possible contribution to hazard of such
systems.
4.2.5.2 Assessment of Specific Risk for Autonomous Landing
For each environmental limitation or operational restriction which limits the use of autonomous landing, the specific risk
should be established. The evaluation should comprise the average risk assessment, adjusted for a 1.0 probability of
occurrence of environmental limits associated with the operational restriction.
4.2.6 Operation in Turbulence Analysis
An analysis or simulation will normally be performed to analytically demonstrate that the turbulence penetration
requirements of 3.2.1.5 are satisfied.
4.2.7 Stability Analysis
A Stability Analysis should be required to predict gain and phase margins for all flight conditions.
4.2.8 Nuclear Survivability Analysis
A Nuclear Survivability Analysis may be required to determine the design requirements for Essential and Flight Phase
Essential VMS functions for operation in a survivable nuclear environment so that the requirements of 3.1.5.3.3 may be
satisfied.
4.3 Software and Firmware Verification

--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
The prime contractor should be responsible for providing all VMS digital computers and supporting computer firmware
and software to demonstrate that all performance requirements of the VMS digital computers and embedded software
have been met. The prime contractor should recommend for the approval of the procuring activity, the software and
firmware testing to be accomplished in accordance with the program testing requirements of ISO/IEC 12207. Firmware
devices such as Field Programmable Gate Arrays, Programmable Logic Devices, Application Specific Integrated Circuits
and Programmable Array Logic should adhere to the requirements of DO-254. The effects of failures of these devices on
VMS operation should be assessed to assign the appropriate DO-254 Level of Compliance to the firmware device.
Testing should be conducted during the progressive development of each Computer Program Configuration Item (CPCI)
through module, subprogram, and program development, integration and acceptance tests. The prime contractor should
demonstrate the successful performance of the firmware and software in the laboratory prior to final qualification testing in
the test aircraft. Acceptance or approval of testing during the course of software development should not be construed as
a guarantee of the acceptance of the finished item. Software testing should include unstructured stress testing in which
the simulated aircraft will be flown anywhere in the Permissible Flight Envelope with the flight control software executing
in the target flight control hardware. If self-adaptive algorithms such as adaptive neural networks, fuzzy logic or similar
techniques are used in the control design, the prime contractor should detail the methods and plans for verification and
validation in the VMS Development Plan, 4.6.1. For UA intended to regularly operate in non-segregated airspace, the
procuring activity may require software development, test and certification in accordance with DO-178B.

4.4 Test Recommendations
4.4.1 General Test Recommended Requirements
4.4.1.1 Test Witness
Before conducting a required test, the prime contractor should notify an authorized procurement activity representative.
An orientation briefing on specific test goals and procedures should be given procuring activity observers prior to any
required test sequence to be monitored by an observer.
4.4.1.2 Acceptance Tests
Appropriate VMS production item Acceptance Tests should be defined by the procurement detail specification. Where
interfacing components of the VMS are procured from various sources, sufficient acceptance testing should be performed
to ensure overall system performance repeatability.
4.4.1.3 Instrumentation
Accuracy of instruments and test equipment used to control or monitor test parameters should have been verified since its
last use prior to initiation of the sequence of design verification tests. All instruments and test equipment used in
conducting design verification tests should conform to laboratory standards whose calibration is traceable to the prime
standards at the U.S. Bureau of Standards. The contractor should establish a calibration plan for all sensors, signal
conditioning, and data acquisition equipment based on the best practices of the contractor to ensure the accuracy of the
instrumentation equipment over the period of the calibration. The calibration plan should be made available for review by
the procuring activity or any customer of equipment tested using contractor instrumentation.
4.4.1.4 Test Conditions
The prime contractor should establish operation test conditions which accurately represent system in-service usage
throughout the applicable flight phases and flight envelopes defined in accordance with MIL-STD-1797, MIL-F-83300, or
ADS-33E-PRF as applicable.
4.4.1.5 Test Tolerances
In conducting service condition tests, performance tolerances should be as specified in the system, or component
specifications.
4.4.1.6 Retesting Failed Components
Components failing a service condition test should not be resubmitted for test without furnishing complete information on
the corrective action taken subsequent to the failure. This information should be furnished to the procuring activity or in
the test report, depending upon location of testing. Depending upon the nature of the failure encountered and corrective
action required and at the option of the procuring activity, the rework or modifications accomplished should also be
incorporated into the other test samples. Where rework or modifications may be considered as sufficient to affect
performance under the other service condition tests already completed, at the option of the procuring activity, these tests
should be repeated in the specified order.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

4.4.2 Laboratory Tests
4.4.2.1 Component Tests
All components should be qualified to the applicable component specification by individual tests, by proof of similarity to
qualified components, by testing in system design verification tests, or suitable combinations of these methods. The prime
contractor should develop component qualification requirements for all VMS components. Component qualification
requirements should be based upon their use in a specific aircraft and its associated environment. Environmental test
methods and procedures should be selected from MIL-STD-461, or MIL-STD-810. The prime contractor should generate
additional methods and procedures where MIL-STD-461 or MIL-STD-810 is inadequate for the planned aircraft usage.
Wear life (see 3.4.2.1.7) should be demonstrated at the component level except where system wear life is more
meaningful due to component interaction. Component modifications to the original configuration should be requalified by
using appropriate verification methods from those listed in 4.1.
4.4.2.2 Component Interface Tests
Prior to initiation of system-level testing, components which interface functionally should be tested to verify proper
mechanical or electrical signal flow. Signal phasing and waveform should be verified. For digital interfaces, message
content and bus traffic control should be verified.
4.4.2.3 Functional Mockup and Simulator Tests
Extensive testing of the VMS prior to first flight and laboratory trouble-shooting throughout the program, should be
conducted with a functional mockup lab. This “Iron Bird” should duplicate the VMS and allow closed-loop, hardware-in-
the-loop testing. The functional mockup facility should be tailored for the specific aircraft, VMS configuration, and the
requirements that must be validated by system level testing. The VMS Development Plan should define the Functional
Mockup and Simulator facility. For Essential and Flight Phase Essential flight controls, an accurate electrical
representation should also be provided. Production configuration components should be used for all VMS parts, and the
hydraulic system should be compatible with AS5440 test requirements. Use of pre-production or production
representative VMS components should be approved by the procuring activity. Primary aircraft structure need not be
duplicated. Mechanical components of the VMS should be duplicated dimensionally. To aid in future testing and potential
VMS modifications the functional mockup should include a representative and, when ground and flight test data become
available, validated dynamics model of the air vehicle, including the propulsion system. The following minimum testing
should be conducted on the operational mockup, or other appropriate test facility, when approved by the procuring
activity:
a. Electrical and hydraulic power supply variation tests to demonstrate satisfactory operation over the range of allowable
variations specified in the applicable control power specifications referenced in 3.1.5.2
b. Stability margin tests to verify those requirements of 3.2.1.4 which can be verified by test using an aircraft simulation
or the operational mockup, but which cannot be economically or safely demonstrated in flight
c. Tests to determine the effects of single and multiple failures on performance, safety, and mission completion
reliability; and the development of emergency procedures to counteract the effects of failures
d. Miscellaneous tests to demonstrate VMS performance, and compatibility among VMS systems and with interfacing
systems
e. Tests to ensure that all software and firmware paths and functional elements are adequately exercised
4.4.2.4 Safety-of-Flight (SOF) Tests
Prior to first flight, sufficient performance, structural integrity and endurance testing should be accomplished to ensure
that the aircraft is safe for flight. These should be defined in the VMS Development Plan and should include, but not be
limited to satisfying the requirements of MIL-HDBK-516.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

4.4.2.4.1 Component SOF Tests
All system components should successfully demonstrate satisfactory performance and satisfactory operation under the
environmental extremes expected in the flight test program. The prime contractor should determine the percentage of
component qualification testing, including structural integrity and fatigue life that must be successfully completed prior to
the start of the flight test program. Certification should be provided to show that a component is safe for flight testing
before completion of qualification.
4.4.2.4.2 System SOF Tests
The complete system should successfully pass all of the operational mockup tests specified in 4.4.2.3 prior to first flight.
4.4.3 Aircraft Ground Tests
Ground tests should be performed as defined in the VMS Development Plan, to demonstrate compliance with
requirements. Prior to first flight the following minimum testing should be performed:
a. Functional, dynamic, and static tests to demonstrate that all VMS equipment items are properly installed and those
steady state responses meet VMS specification requirements. These tests should include integrated VMS and test
instrumentation as installed on the prototype aircraft. Compliance with the applicable residual oscillation requirements
of 3.2.1.7 should be demonstrated.
b. VMS BIT tests to demonstrate the requirements of 3.3.4 and 4.5.2.1.
c. Stability margin tests to demonstrate the zero airspeed stability margin requirements of 3.2.1.4. These test include
increasing control system gains until a limit-cycle oscillation is encountered that is greater than the residual oscillation
requirement in 3.2.1.7.
Primary and secondary structure should be excited, with special attention given to areas where feedback sensors are
located with loop gains increased to verify the zero airspeed requirement. For redundant and multiple-loop systems,
the stability requirement in degraded configurations should also be demonstrated.
d. Electromagnetic interference (EMI) tests to demonstrate compliance with the requirements of 3.1.6. Measurement of
interference limits should be made in accordance with MIL-STD-461 and MIL-STD-464.
e. An integrity test to insure soundness of components and connections, adequate clearances, and proper operation in
accordance with MIL-A-8867.
f. Ground vibration tests with controls active and air data conditions simulated using a soft suspension system to
simulate free-flight condition. Flight control sensor outputs and open loop frequency response data should be
recorded for correlation with analytical results used in predicting servoelastic and aero servoelastic stability.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
g. Structural mode interaction testing should be performed to demonstrate adequate structural filtering and compliance
with the gain margins of 3.2.1.4. These tests include the frequency response of each surface type to examine
structural mode coupling into the VMS.
h. Taxi tests with increasing speed and all feedback loops closed to examine servoelastic stability above zero airspeed.
Flight control sensor outputs and control surface deflections should be recorded. All safety-of-flight testing must be
completed and the aircraft cleared for flight before taxi tests.
4.4.3.1 Integrity of Test Instrumentation
The reliability and integrity of the flight test instrumentation should be established prior to first flight by its installation and
use for all of the ground testing of 4.4.3. This use should establish that the test installation will not degrade the reliability of
the VMS and interfacing subsystems. The effects of vibration, structural deflections, temperature differentials,
electromagnetic radiation and environmental effects should be investigated.

4.4.4 Aircraft Flight Tests
Flight tests should be conducted, as defined in the VMS Development Plan, to demonstrate compliance with requirements
where compliance cannot be demonstrated practicably by other tests or analyses. The design and test condition
guidelines tabulated in MIL-HDBK-516, MIL-STD-1797, MIL-F-83300, or ADS-33E-PRF as applicable should be
considered in establishing the Flight Test Plan. Flight test data should be used to verify the analytical trends predicted and
should be compared to the performance and design requirements of the VMS Specification, 4.6.2. Comparable data
trends should be required for verification where analytical data are used to extend or extrapolate flight test data to show
compliance. In addition, tests should be conducted to assure that the VMS, in all operational states, does not violate the
flutter requirements of MIL-A-8870.
The VMS should be evaluated for reliability and maintainability status and growth during the flight test program. A
continuing and cumulative assessment should be accomplished on all test aircraft and the specific VMS equipments and
interfacing subsystems installed therein. The progressive reliability and maintainability of the VMS should be monitored
and reported throughout the flight test program.
Aircraft flight tests should include evaluation of degraded flight control modes likely to be encountered during operational
service. These degraded modes may be simulated by using special flight test features within the Operational Flight
Program rather than by inducing actual component failures.
4.5 Qualification (Preproduction) Tests
VMS hardware furnished in accordance with this specification should be fully qualified. Qualification should prove that the
VMS satisfies the recommendations of Section 3 of this document and the requirements of the VMS Specification 4.6.2.
4.5.1 Reliability Development Tests
The reliability development test should be performed in accordance with the general requirements of MIL-HDBK-781.
4.5.2 Maintainability Demonstration
A maintainability demonstration should be made on a preproduction VMS in accordance with an approved maintainability
demonstration plan prepared in accordance with MIL-HDBK-470.
4.5.2.1 Maintainability Tests
Maintainability tests should include the following:
a. BIT Demonstration Tests. These tests should demonstrate the inherent BIT failure detection and isolation capability
incorporated in the VMS through a program of fault selection, insertion and BIT operation. The minimum number of
demonstrated faults should be in accordance with an approved maintainability demonstration plan.
b. Maintainability Design Assurance Demonstration Tests. These tests should be accomplished on representative VMS
hardware and should demonstrate the inherent accessibility, replaceability, reparability, interchangeability, and non-
reversibility aspects of the VMS design at both the LRU/WRA and Shop Replaceable Assembly (SRA) levels.
c. BIT Exercise and Verification Tests. These tests should be used to verify BIT capability through the exercise of the
BIT function whenever a fault detectable by BIT occurs during tests of the VMS. The results of all BIT tests should be
collected and analyzed in order to accumulate historical evidence of actual BIT performance levels achieved.
4.5.3 Human Factors Engineering Verification Tests
When contractually required, a human factors engineering verification test should be performed in an appropriately
dynamic environment, in accordance with the requirements of the Air Vehicle Specification, to demonstrate compliance
with the applicable human factors engineering standards and specifications. The effect of degraded inputs and degraded
equipment performance should be determined. Human factors engineering guidelines are identified in MIL-STD-1472.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

4.5.4 Production/Acceptance Testing
System level acceptance tests should be performed as defined in the VMS Development Plan. The acceptance tests for
subcontracted components and subsystems should be defined in the prime contractor procurement specifications and
related documents. For flight control electronics these tests should include an Environmental Stress Screening (ESS),
which includes both thermal and vibration stresses with the equipment powered and monitored for correct operation. If
commercial or industrial rated parts are used, additional testing (up-screening) may be required at the part level, and the
assembled equipment may require expanded ESS thermal levels.
4.6 Documentation
VMS data submittal and approval requirements for each specific model aircraft should be in accordance with contract
requirements. The data should be furnished in accordance with appropriate line items of the Contractor Data
Requirements List. Typical information and data items are listed in this section.
4.6.1 VMS Development Plan
A VMS Development Plan should be prepared by the prime contractor for approval by the procuring activity. This plan
should be revised and updated at intervals as specified by the procuring activity until it is mutually agreed that no further
revision is required. The plan should include a minimum of:
a. A detailed milestone chart showing the interrelationship between phases of development work to be accomplished.
Design reviews should be identified and scheduled and an outline of the progressive design verification process to be
used by the prime contractor should be included. Starting and completion dates for all work items and due dates for
all reports should be identified.
b. VMS synthesis and analysis plan describing the general approach and analytical procedures to be used. Analyses
planned to generate requirements for the VMS Specification, 4.6.2, should be described.
c. A verification plan defining the means selected by the prime contractor for verifying that the design meets each of the
requirements of the VMS specification. Verification means should be specifically correlated with each specification
requirement.
d. Flight Safety, Reliability, Maintainability, and Vulnerability analysis plans to include a description of the analytical or
other means selected by the prime contractor for design verification in these areas.
e. A Functional Mockup test plan, including the test procedures to be used and a listing of requirements to be satisfied
by each test.
f. A ground test plan and ground test procedures defining the ground tests and functional checks to be performed prior
to first flight.
g. A flight test plan and detailed flight test procedures. Each procedure should be correlated with one or more
requirements of the VMS specification.
h. A Software and Firmware Development Plan (SDP) to define how the flight software and firmware is to be developed,
documented, controlled, and verified, including specific documentation stages as they relate to computer hardware
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
design and overall VMS development and verification.

4.6.2 VMS Specification
An VMS Specification should be prepared by the prime contractor for approval by the procuring activity. It should
incorporate:
a. Applicable general system, implementation, and test requirements recommended by this document.
b. Special requirements of the procurement aircraft detail specification.
c. Special requirements determined by the prime contractor, as required by the general specification.
A preliminary VMS Specification should be prepared within 90 days of contract award and progressively updated, as
requirements are finalized.
4.6.3 Design and Test Data Recommendations
If applicable design data are available, the prime contractor should, in lieu of preparing new design data, use these
available data supplemented by sufficient information to substantiate their applicability.
4.6.3.1 VMS Design and Analysis Report
The prime contractor should prepare a report describing VMS design and analysis. This report should be initially prepared
immediately following the preliminary VMS design and analysis and periodically updated throughout the development
period. The final update should include as a minimum:
a. Design requirements and criteria used during the VMS design, analysis and synthesis.
b. Block diagrams of the VMS. These diagrams should include all linear and nonlinear control algorithms, gain
schedules, et cetera and indicate normal control paths, redundancy, emergency provisions, location and type of
sensors and control devices used.
c. A general description of the VMS. The various modes of operation should be described and the theory of operation
discussed.
d. Discussions of unusual design features.
e. A description of the stability and performance of the VMS and a correlation of system characteristics with the
requirements of the VMS Specification, 4.6.2. Data should be presented for both linear small perturbation analyses
and for nonlinear simulations or analyses which consider nonlinearities such as actuator rate limits, electronic
amplifier saturation, and actuator position and/or output force limits. Where analytical predictions are used to satisfy
specification requirements, the assumptions, analytical approximations and the tolerances placed on these analytical
predictions by the prime contractor should be documented and justified.
f. Results of the VMS flight safety, reliability, maintainability and vulnerability analyses. The reliability analysis results
should include a detailed listing of possible failure modes, their probability of occurrence, and their effects on aircraft
flying qualities. The approach and sources of data used should be discussed and the results compared to and
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
correlated with requirements of the VMS Specification, 4.6.2. Analytical methods used should be documented and
justified by the prime contractor.
g. A general control system layout or series of layouts showing all LRU/WRAs, control surfaces and actuation systems.
Means of providing redundancy and emergency provisions should be illustrated. Layouts should include wiring
schematics for all electrical and electronic portions of the VMS and attendant electrical, hydraulic, and pneumatic
power inputs to the VMS.
h. A description of simulations performed, as required by 4.2.1. Where simulation data are used to verify specification
requirements, the simulator and flight configurations simulated should be described and the data compared to and
correlated with the requirements of the VMS Specification, 4.6.2.

i. Mathematical models of the VMS, the unaugmented aircraft and other data required to allow the procuring activity to
independently simulate and analyze the VMS at any point during or following the aircraft development process.
Mathematical models, block diagrams, stability and performance data and layouts should be updated following flight
tests to incorporate modifications made during testing.
Validation of the vehicle dynamic and simulation models used to develop the VMS should occur during or after the
flight test. Methods for this validation are numerous and may include frequency-domain-based system identification
using control surface frequency sweeps as an excitation, or time-history-based system identification using
combinations of steps and doublets, or specific maneuvers. These methods provide estimates of the true
characteristics of the vehicle and can be used to update and validate the predicted models. Validation is a key part of
evaluation of compliance with many performance-related specifications. Prior to flight test, the modeling approach or
approaches should be exercised at the planned flight test point conditions. During flight test, these simulations or
analysis points should be repeated on the aircraft to update and validate the aircraft models.
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
j. Where applicable, a comprehensive system-oriented description of the flight software and firmware with regard to its
design, and analytical evaluation. Representations should be oriented toward understandability of various types,
aspects, or functions of the software and firmware.
k. A Failure Mode, Effects and Criticality Analysis (FMECA) of the VMS which should include assumed failure of each
critical component in the most adverse position and/or condition. For systems where the power source is hydraulic,
electrical, etc., the report should include a failure effects analysis of the power source system and components. For
each assumed failure, the consequences, compensating provisions, and probable reliability of critical components
should be evaluated and documented. For a fail-operative system, second failure effects should also be evaluated
and documented.
4.6.3.2 VMS Qualification and Inspection Report
The prime contractor should document results of inspections used to demonstrate compliance with requirements of the
VMS Specification, 4.6.2. Where inspection of component qualification status documentation is used to verify compliance
with the VMS specification, the component specification prepared by the prime contractor should be submitted as a part
of the VMS inspection report.
4.6.3.3 VMS Test Report
A report describing and correlating tests performed and data generated to verify requirements of the VMS Specification,
4.6.2, should be prepared by the prime contractor. This report may be prepared in volumes, and should include a
minimum of:
a. A detailed description of the operational mockup including part numbers and the test conditions under which data
were generated and a comparison with the VMS Specification. Inclusion or exclusion, of control surface aerodynamic
hinge moments, simulation, of aircraft structural compliance in lieu of airframe parts or use of other approximations in
operational mockup construction should be justified. All discrepancies or corrective action arising from operational
mockup testing should be reported.
b. A description of the aircraft ground tests performed and data generated and a discussion of any system adjustments
or modifications required to satisfy requirements of the VMS Specification.
c. A comparison of flight test data with requirements of the VMS Specification and a description of the aircraft
configurations and flight conditions tested. Modifications to the VMS made during the flight test phase to meet VMS
Specification requirements should be documented and justified.
d. Where applicable, a summary of flight software and firmware testing over the range of conditions addressed on a
system level.

4.6.3.4 Interface Control Document (ICD)
The prime contractor should prepare an ICD for each pair of components which interface mechanically or electrically and
which are not manufactured under the same purchase order. The ICD should define the physical and/or functional
exchange of signals between two components, the characteristics of the signals, the tolerances allowed, and the
degraded operation allowed following loss or out-of-tolerance receipt of each signal. The ICD should also define the built-
in-test (BIT) and monitoring/fault accommodation concepts to be implemented. The ICD should include a test plan to
verify the interface, including a schedule of testing and a definition of equipment to be used for the tests.
4.6.4 Software Documentation
All digital VMS computer software should comply with the requirements of ISO/IEC 12207 and other requirements
documented in the Software and Firmware Development Plan, 4.6.1(h).
5. NOTES
5.1 A change bar (l) located in the left margin is for the convenience of the user in locating areas where technical
revisions, not editorial changes, have been made to the previous issue of this document. An (R) symbol to the left
of the document title indicates a complete revision of the document, including technical revisions. Change bars and
(R) are not used in original publications, nor in documents that contain editorial changes only.
PREPARED BY SAE PANEL A-6A3 FLIGHT CONTROL SYSTEMS OF SAE COMMITTEE A-6, AEROSPACE
ACTUATION, CONTROL AND FLUID POWER SYSTEMS
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---

APPENDIX A - RECOMMENDATION APPLICABILITY BY VMS TYPE
Key: ‘ref’ - no recommendation content, ‘nc’ - no content; ‘apply’ - recommended; ‘if req’d’ - if specified, ‘N/A?’ - probably
not applicable
ARP94910 VMS TYPE

Paragraph Title Zero T1 T2 T3 T4
3 RECOMMENDATIONS nc nc nc nc nc
3.1 General System Recommendations apply apply apply apply apply
3.1.1 Safety and Operability Considerations apply apply apply apply apply
3.1.1.1 Definitions apply apply apply apply apply
3.1.1.2 Flight Safety Assessment apply apply apply apply apply
3.1.1.3 Quantitative Flight Safety apply apply apply apply apply
3.1.1.3.1 Effects of Imperfect Fault Detection N/A If req’d apply apply apply
3.1.1.4 Failure Immunity and Safety apply apply apply apply apply
3.1.1.4.1 VMS Type Capability apply apply apply apply apply
3.1.1.4.2 Determination of Required VMS Type apply apply apply apply apply
3.1.1.5 Transient Electrical Power Effects apply apply apply apply apply
3.1.1.6 Priority apply apply apply apply apply
3.1.2 Reliability Considerations apply apply apply apply apply
3.1.2.1 Mission Accomplishment Reliability apply apply apply apply apply
3.1.2.2 Availability apply apply apply apply apply
3.1.2.3 MTBF apply apply apply apply apply
3.1.3 Redundancy Considerations apply apply apply apply apply
3.1.3.1 Redundancy N/A if req'd apply apply apply
3.1.3.1.1 Examples of Redundancy Levels ref ref ref ref ref
3.1.3.2 Isolation and Protection of Redundant Subsystems N/A if req'd apply apply apply
3.1.3.3 Redundancy Management N/A if req'd apply apply apply
3.1.4 Maintainability Considerations apply apply apply apply apply
3.1.4.1 Operational Checkout Provisions apply apply apply apply apply
3.1.4.2 Malfunction Detection and Fault Isolation Provisions apply apply apply apply apply
3.1.4.3 Accessibility and Serviceability apply apply apply apply apply
3.1.4.4 Maintenance Personnel and Safety Provisions apply apply apply apply apply
3.1.5 Survivability Requirements apply apply apply apply apply
3.1.5.1 All-Engines-Out Control N/A apply apply apply apply
3.1.5.1.1 Operational Vehicle N/A N/A apply apply apply
3.1.5.1.2 Flight Test Aircraft N/A N/A apply apply apply
3.1.5.2 Power Capacity apply apply apply apply apply
3.1.5.3 Invulnerability Considerations for VMS Design N/A apply apply apply apply
3.1.5.3.1 Invulnerability to Natural Environments N/A apply apply apply apply
3. 1.5.3.2 Invulnerability to Lightning Strike and Static Atmospheric N/A apply apply apply apply
Electricity
3.1.5.3.3 Invulnerability to Induced Environments N/A apply apply apply apply
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.1.5.3.4 Invulnerability to Enemy Action N/A N/A apply apply apply

3.1.5.3.5 System Operation and Interface apply apply apply apply apply
3.1.5.3.6 Signal Path Protection N/A N/A apply apply apply
3.1.5.3.7 Invulnerability to Onboard Failures of Other Systems and N/A N/A apply apply apply
Equipment
3.1.5.3.8 Invulnerability to Command Loss apply apply apply apply apply
3.1.5.3.9 Invulnerability to Maintenance Error apply apply apply apply apply
3.1.5.3.10 Invulnerability to Software Maintenance Error apply apply apply apply apply
3.1.6 Electromagnetic Interference (EMI) Limits apply apply apply apply apply
3.2 System Performance Recommended Requirements nc nc nc nc nc
3.2.1 General VMS Performance Recommendations apply apply apply apply apply
3.2.1.1 Warm-up apply apply apply apply apply
3.2.1.2 Disengagement N/A apply apply apply apply
3.2.1.3 Status of Modes apply apply apply apply apply
3.2.1.3.1 Mode Compatibility apply apply apply apply apply
3.2.1.4 Stability apply apply apply apply apply
3.2.1.4.1 Aerodynamic Closed Loop Stability Margins N/A if req'd apply apply apply

ARP94910 VMS TYPE

3.2.1.4.2 Non-Aerodynamic Closed Loop Stability Margins N/A if req'd apply apply apply
3.2.1.4.2.1 Stability Margins N/A if req'd apply apply apply
3.2.1.4.3 Sensitivity Analysis N/A if req'd apply apply apply
3.2.1.5 Operation In Atmospheric Disturbances and Atmospheric apply apply apply apply apply
Models
3.2.1.5.1 Random Turbulence apply apply apply apply apply
3.2.1.5.2 Discrete Gusts apply apply apply apply apply
3.2.1.5.3 Low-Altitude Disturbance Model apply apply apply apply apply
3.2.1.5.4 Carrier Landing Disturbance Model N/A N/A N/A if req'd if req'd
3.2.1.6 Internal Noise apply apply apply apply apply
3.2.1.7 Residual Oscillations apply apply apply apply apply
3.2.1.8 Acceleration Effects apply apply apply apply apply
3.2.1.9 Structural Protection N/A N/A N/A? apply apply
3.2.1.9.1 Flight Load and Fatigue Alleviation If req'd if req'd apply apply apply
3.2.1.9.2 Gust and Maneuver Load Alleviation If req'd if req'd apply apply apply
3.2.1.10 Failure Transients N/A N/A apply apply apply
3.2.2 Primary Flight Control Recommended Requirements If req'd if req'd apply apply apply
3.2.2.1 Primary Functional Modes of the VMS if req'd if req'd apply apply apply
3.2.2.2 Operability. Following Failures if req'd if req'd apply apply apply
3.2.2.3 Augmentation if req'd if req'd apply apply apply
3.2.2.4 Surface Rate Capability apply apply apply apply apply
3.2.2.5 Data Latency FQ ? FQ? apply apply apply
3.2.2.6 Communication Link Redundancy if req'd if req'd apply apply apply
3.2.3 Secondary Flight Controls N/A? N/A? if req'd apply apply
3.2.3.1 High Lift Control N/A N/A if req'd apply apply
3.2.3.2 Speed Brakes N/A N/A apply apply apply
3.2.3.3 Direct Lift Control (DLC) N/A N/A if req'd apply apply
3.2.3.4 Wing Sweep Control N/A N/A if req'd apply apply
3.2.4 Ground Handling Modes N/A? if req'd if req'd apply apply
3.2.4.1 Ground Control Loop Stability Margins N/A if req'd if req'd apply apply
3.2.4.2 Ground Control Issues N/A if req'd if req'd apply apply
3.2.5 Manual, Assisted and Autonomous Control Mode nc nc nc nc nc
Performance Recommended Requirements
3.2.5.1 Manual Mode and General Recommended Requirements N/A? N/A? N/A? apply apply
3.2.5.1.1 Damping N/A? N/A? N/A? apply apply
3.2.5.1.2 Assisted Flight Control for Remotely Piloted Aircraft N/A? N/A? N/A? apply apply
3.2.5.1.3 Lateral Acceleration and Sideslip Limits N/A? N/A? N/A? apply apply
3.2.5.1.3.1 Coordination in Steady Banked Turns N/A N/A N/A N/A N/A
3.2.5.1.3.2 Lateral Acceleration Limits, Rolling N/A? N/A? N/A? apply apply
3.2.5.1.3.3 Coordination in Straight and Level Flight N/A N/A N/A N/A N/A
3.2.5.1.3.4 Sideslip Limits N/A? if req'd if req'd apply apply
3.2.5.1.4 Emergency Disengagement N/A? if req'd if req'd apply apply
3.2.5.1.5 Control Mode Response to Loss of Communication apply apply apply apply apply
3.2.5.1.6 Switching apply apply apply apply apply
3.2.5.1.7 Ground Collision Avoidance System if req'd if req'd apply apply apply
3.2.5.1.7.1 GCAS Functional Requirements if req'd if req'd apply apply apply
3.2.5.1.7.2 GCAS Performance Requirements if req'd if req'd apply apply apply
3.2.5.1.7.3 GCAS Integrity if req'd if req'd apply apply apply
3.2.5.2 Assisted Modes N/A? if req'd if req'd apply apply
3.2.5.2.1 Attitude Hold (Pitch and Roll) N/A? if req'd if req'd apply apply
3.2.5.2.2 Heading Hold N/A? if req'd if req'd apply apply
3.2.5.2.3 Heading Select N/A? if req'd if req'd apply apply
3.2.5.2.4 Altitude Hold and Altitude Select nc nc nc nc nc
3.2.5.2.4.1 Barometric Altitude Hold and Altitude Select N/A? if req'd if req'd apply apply
3.2.5.2.4.2 Radar Altitude Hold N/A? if req'd if req'd apply apply
3.2.5.2.4.3 GPS Altitude Hold N/A? if req'd if req'd apply apply
3.2.5.2.5 Mach Select and Mach Hold N/A? if req'd if req'd apply apply
3.2.5.2.6 Airspeed Select and Airspeed Hold N/A? if req'd if req'd apply apply
--`,`,,``````,,

ARP94910 VMS TYPE

3.2.5.2.7 VMS Control of Engine Thrust apply apply apply apply apply
3.2.5.2.8 Payload Environment N/A N/A if req'd apply apply
3.2.5.2.9 Sense and Avoid Maneuver Assist N/A? N/A? N/A? apply apply
3.2.5.3 Autonomous Modes if req'd if req'd apply apply apply
3.2.5.3.1 General Tie-In Requirements if req'd if req'd apply apply apply
3.2.5.3.1.1 Operator Override Capability if req'd if req'd apply apply apply
3.2.5.3.2 Command Signal Limiting if req'd if req'd apply apply apply
3.2.5.3.3 Noise Compatibility if req'd if req'd apply apply apply
3.2.5.3.4 Data Link if req'd if req'd apply apply apply
3.2.5.3.5 Automatic Approach and Landing (Land Based) N/A N/A if req'd if req'd if req'd
3.2.5.3.5.1 Glideslope Mode N/A N/A if req'd if req'd if req'd
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.2.5.3.5.2 Waveoff/Go-Around Mode N/A N/A if req'd if req'd if req'd

3.2.5.3.5.3 Pitch Performance For Go-Around N/A N/A if req'd if req'd if req'd
3.2.5.3.5.4 Lateral-Heading Go-Around Performance Standards N/A N/A if req'd if req'd if req'd
3.2.5.3.5.3.5 Minimum Go-Around Altitude N/A N/A if req'd if req'd if req'd
3.2.5.3.6 Automatic Landing System (ALS) N/A N/A if req'd if req'd if req'd
3.2.5.3.6.1 Typical System Performance Requirements if req'd if req'd apply apply apply
3.2.5.3.6.2 ALS Performance Standards - Variations of Aircraft and N/A N/A N/A N/A N/A
Airborne Equipment
3.2.5.3.6.3 ALS Performance Standards-Ground Based Equipment N/A N/A N/A N/A N/A
Variations
3.2.5.3.7 Automatic Terrain Following N/A N/A if req'd if req'd if req'd
3.2.5.3.8 Waypoint Navigation if req'd if req'd if req'd if req'd if req'd
3.2.5.3.9 Automatic Terrain Avoidance if req'd if req'd apply apply apply
3.2.5.4 Special VMS Performance Requirements for Fixed Wing if req'd if req'd if req'd if req'd if req'd
V/STOL
3.2.5.4.1 Attitude Hold if req'd if req'd if req'd if req'd if req'd
3.2.5.4.2 Heading Hold if req'd if req'd if req'd if req'd if req'd
3.2.5.4.3 Airspeed Hold if req'd if req'd if req'd if req'd if req'd
3.2.5.4.4 Altitude Hold if req'd if req'd if req'd if req'd if req'd
3.2.5.4.5 Coordinated Turn Capability if req'd if req'd if req'd if req'd if req'd
3.2.5.4.6 Automatic Approach Capability if req'd if req'd if req'd if req'd if req'd
3.2.5.4.7 Hover Hold and Hover Trim Control if req'd if req'd if req'd if req'd if req'd
3.2.5.4.8 Automatic Departure if req'd if req'd if req'd if req'd if req'd
3.2.5.4.9 Automatic Hovering if req'd if req'd if req'd if req'd if req'd
3.2.5.5 Special VMS Performance Requirements for Rotorcraft if req'd if req'd if req'd if req'd if req'd
3.2.5.5.1 Attitude Hold (Pitch, Rolls and Yaw) if req'd if req'd if req'd if req'd if req'd
3.2.5.5.2 Heading Hold and Heading Select if req'd if req'd if req'd if req'd if req'd
3.2.5.5.3 Altitude Hold if req'd if req'd if req'd if req'd if req'd
3.2.5.5.3.1 Barometric Altitude Stabilization if req'd if req'd if req'd if req'd if req'd
3.2.5.5.3.2 Stabilization of Altitude Above the Terrain if req'd if req'd if req'd if req'd if req'd
3.2.5.5.4 Hover Hold if req'd if req'd if req'd if req'd if req'd
3.2.5.5.5 Vernier Control for Hovering if req'd if req'd if req'd if req'd if req'd
3.2.5.5.6 Ground Speed Hold if req'd if req'd if req'd if req'd if req'd
3.2.5.5 Interfaces With UAS Functionality
3.2.5.6.1 Precision Ship Board Landing Function N/A N/A N/A if req'd if req'd
3.2.5.6.1.1 System Configuration N/A N/A N/A if req'd if req'd
3.2.5.6.1.2 Typical System Performance Requirements N/A N/A N/A N/A N/A
3.2.5.6.1.2.1 Boarding Rate N/A N/A N/A N/A N/A
3.2.5.6.1.2.2 Service Volume N/A N/A N/A N/A N/A
3.2.5.6.1.2.3 Deck Motion Compensation N/A N/A N/A N/A N/A
3.2.5.6.1.2.4 Ship Motion Sensor (SMS)/Data Link Latency N/A N/A N/A N/A N/A
3.2.5.6.1.2.5 Accuracy N/A N/A N/A N/A N/A
3.2.5.6.1.2.6 Touchdown Performance N/A N/A N/A N/A N/A
3.2.5.6.1.2.7 Integrity N/A N/A N/A N/A N/A
3.2.5.6.1.2.8 Continuity N/A N/A N/A N/A N/A
3.2.5.6.1.2.9 Waveoff Performance N/A N/A N/A N/A N/A
3.2.5.6.1.2.10 Bolter Performance N/A N/A N/A N/A N/A

ARP94910 VMS TYPE

3.3 System Testability Recommendations ~nc nc nc nc nc
3.3.1 System Test and Monitoring Provisions N/A N/A apply apply apply
3.3.2 Built-In-Test Equipment N/A N/A apply apply apply
3.3.3 Maintenance BIT N/A N/A apply apply apply
3.3.4 Preflight or Pre-engage BIT N/A N/A apply apply apply
3.3.5 Preflight BIT Status Annunciation Support for CS N/A N/A apply apply apply
3.3.6 Portable Test Equipment N/A N/A apply apply apply
3.3.7 Ground Power Requirements for System Test N/A N/A apply apply apply
3.3.8 Protection Against Dormant Failures N/A N/A apply apply apply
3.4 System Design Recommended Requirements nc nc nc nc nc
3.4.1 System General Design Recommended Requirements nc nc nc nc nc
3.4.2 Mechanical VMS Design N/A N/A apply apply apply
3.4.2.1 Structural Integrity N/A N/A apply apply apply
3.4.2.1.1 Single-Point-Failure Points N/A N/A apply apply apply
3.4.2.1.2 Strength N/A N/A apply apply apply
3.4.2.1.3 Damage Tolerance N/A N/A apply apply apply
3.4.2.1.4 Load Capability of Dual-Load-Path Elements N/A N/A apply apply apply
3.4.2.1.5 Stiffness N/A N/A apply apply apply
3.4.2.1.6 Durability N/A N/A apply apply apply
3.4.2.1.7 Wear Life N/A N/A apply apply apply
3.4.3 Fixed Wing V/STOL Aircraft Requirements nc nc nc nc nc
3.4.3.1 Conversion Mechanisms if req'd if req'd if req'd if req'd if req'd
3.4.3.2 Transition if req'd if req'd if req'd if req'd if req'd
3.4.3.3 Interface of Powerplant and VMS if req'd if req'd if req'd if req'd if req'd
3.4.4 Rotorcraft Requirements nc nc nc nc nc
3.4.4.1 Jamming of Swashplate Power Actuators if req'd if req'd if req'd if req'd if req'd
3.4.4.2 Actuation Stiffness if req'd if req'd if req'd if req'd if req'd
3.4.4.3 Frequency Response if req'd if req'd if req'd if req'd if req'd
3.4.4.4 Blade Flapping if req'd if req'd if req'd if req'd if req'd
3.4.4.5 Fatigue Life Design if req'd if req'd if req'd if req'd if req'd
3.4.4.6 Engine-Out Requirement if req'd if req'd if req'd if req'd if req'd
3.4.5 Electrical VMS Design apply apply apply apply apply
3.4.5.1 Electrical Signal Transmission apply apply apply apply apply
3.4.5.2 Isolation and Protection of Redundant Electrical Circuits apply apply apply apply apply
3.4.5.3 Cable Assembly Design and Construction apply apply apply apply apply
3.4.5.3.1 Cable Assembly Construction apply apply apply apply apply
3.4.5.4 Wire Terminations apply apply apply apply apply
3.4.5.5 Inspection and Replacement of VMS Electrical Wiring apply apply apply apply apply
3.4.5.6 Water Intrusion apply apply apply apply apply
3.4.5.7 Electrical Power apply apply apply apply apply
3.4.5.7.1 Transient Power Effects apply apply apply apply apply
3.4.6 Computational Methods and Software apply apply apply apply apply
3.4.6.1 Analog Computation apply apply apply apply apply
3.4.6.2 Digital Computation apply apply apply apply apply
3.4.6.3 Computational Input/Output Growth Capability apply apply apply apply apply
3.4.6.4 Software Development and Support apply apply apply apply apply
3.4.6.5 Program Scaling apply apply apply apply apply
3.4.6.6 Memory Protection apply apply apply apply apply
3.4.6.7 Software Maintenance and Verifiability apply apply apply apply apply
3.4.6.8 Multiplexing Data Transmission apply apply apply apply apply
3.5 Subsystem Design Recommendations nc nc nc nc nc
3.5.1 Subsystem General Design Recommended Requirements nc nc nc nc nc
3.5.1.1 Power Subsystem Capacity apply apply apply apply apply
3.5.1.2 Power Subsystem Redundancy apply apply apply apply apply
3.5.1.3 Priority apply apply apply apply apply
3.5.2 Electrical Power Subsystems apply apply apply apply apply
3.5.2.1 Power Availability Protection
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
apply apply apply apply apply
3.5.2.1.1 Power Supply Interlocks apply apply apply apply apply

ARP94910 VMS TYPE

3.5.2.2 Overload Protection apply apply apply apply apply
3.5.2.3 Phase Separation and Polarity Reversal Protection apply apply apply apply apply
3.5.3 Hydraulic Power Subsystems N/A N/A apply apply apply
3.5.4 Pneumatic Power Subsystems N/A N/A apply apply apply
3.5.5 Actuation Subsystems nc nc nc nc nc
3.5.5.1 Actuation Subsystems General Requirements nc nc nc nc nc
3.5.5.1.1 Control Surface Flutter and Buzz Protection N/A N/A apply apply apply
3.5.5.1.1.1 Actuation Impedance in Failed Modes of Operation N/A N/A apply apply apply
3.5.5.1.2 Control Surface Dampers N/A N/A apply apply apply
3.5.5.1.3 Synchronization of Redundant Actuation nc nc nc nc nc
3.5.5.1.3.1 Force Synchronization of Multiple Connected N/A N/A apply apply apply
Servoactuators
3.5.5.1.3.2 Synchronization of Multiple Commands Within an N/A N/A apply apply apply
Actuation Subsystem
3.5.5.1.4 Load Capability nc nc nc nc nc
3.5.5.1.4.1 Load Capability of Elements Driven by Power Actuators if req'd if req'd if req'd apply apply
3.5.5.1.5 Actuation Subsystem Dynamic Performance N/A N/A if req'd apply apply
3.5.5.1.5.1 Actuator Subsystem Stability Margins N/A N/A if req'd apply apply
3.5.5.1.6 Operational Temperature Range if req'd if req'd if req'd apply apply
3.5.5.1.7 Power Control Actuation Failure and Fail-Safe Provisions N/A N/A if req'd apply apply
3.5.5.2 Hydraulic Actuation Subsystems nc nc nc nc nc
3.5.5.2.1 Hydraulic Actuation Components N/A N/A if req'd apply apply
3.5.5.2.1.1 Wiring Within Hydraulic Components N/A N/A if req'd apply apply
3.5.5.2.2 Actuating Cylinders N/A N/A if req'd apply apply
3.5.5.2.3 Hydraulic Actuation Mode Control N/A N/A if req'd apply apply
3.5.5.2.4 Hydraulic Motors N/A N/A if req'd apply apply
3.5.5.2.5 Hydraulic Servoactuators N/A N/A if req'd apply apply
3.5.5.2.5.1 Hydraulic Servoactuator Electrical Loop Closure Circuitry N/A N/A if req'd apply apply
3.5.5.2.5.2 Force to Clear Jammed Control Valves in FBW N/A N/A if req'd apply apply
Servoactuators
3.5.5.2.5.3 Force to Clear Jammed Logic Valves in Servoactuators N/A N/A if req'd apply apply
3.5.5.2.5.4 Endurance Requirement for Hydraulic Servoactuators for apply apply apply apply apply
Rotary Wing UA
3.5.5.3 Electrical Actuation Subsystems N/A N/A if req'd apply apply
3.5.5.3.1 Electrohydrostatic Actuators (EHAs) N/A N/A if req'd apply apply
3.5.5.3.1.1 EHA Components N/A N/A if req'd apply apply
3.5.5.3.1.2 Wiring Within and To EHA Subsystems N/A N/A if req'd apply apply
3.5.5.3.1.3 EHA Actuating Cylinders N/A N/A N/A if req'd if req'd
3.5.5.3.1.4 EHA Closed Hydraulic System N/A N/A N/A if req'd if req'd
3.5.5.3.1.5 EHA Servoactuators N/A N/A N/A if req'd if req'd
3.5.5.3.1.5.1 EHA PDE N/A N/A N/A if req'd if req'd
3.5.5.3.1.5.2 EHA Loop Closure Circuitry N/A N/A N/A if req'd if req'd
3.5.5.3.1.6 EHA Endurance N/A N/A N/A if req'd if req'd
3.5.5.3.1.6.1 EHA Thermal Design Considerations N/A N/A N/A if req'd if req'd
3.5.5.3.1.6.2 EHA Thermal Analysis N/A N/A N/A if req'd if req'd
3.5.5.3.2 Integrated Actuation Package (IAP) N/A N/A N/A if req'd if req'd
3.5.5.3.2.1 IAP Components N/A N/A N/A if req'd if req'd
3.5.5.3.2.2 Wiring Within and To IAP Subsystems N/A N/A N/A if req'd if req'd
3.5.5.3.2.3 IAP Actuating Cylinders N/A N/A N/A if req'd if req'd
3.5.5.3.2.4 IAP Closed Hydraulic System N/A N/A N/A if req'd if req'd
3.5.5.3.2.5 IAP Servoactuators N/A N/A N/A if req'd if req'd
3.5.5.3.2.5.1 IAP Loop Closure Circuitry N/A N/A N/A if req'd if req'd
3.5.5.3.2.6 IAP Endurance N/A N/A N/A if req'd if req'd
3.5.5.3.2.6.1 IAP Thermal Design Considerations N/A N/A N/A if req'd if req'd
3.5.5.3.2.6.2 IAP Thermal Analysis N/A N/A N/A if req'd if req'd
3.5.5.3.3 Electromechanical Actuators (EMAs) apply apply apply apply apply
3.5.5.3.3.1 EMA Components apply apply apply apply apply
3.5.5.3.3.2 Wiring Within and To EMA Subsystems apply apply apply
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`--- apply apply

ARP94910 VMS TYPE

3.5.5.3.3.3 EMA Servoactuators apply apply apply apply apply
3.5.5.3.3.3.1 EMA PDE apply apply apply apply apply
3.5.5.3.3.3.2 EMA Loop Closure Circuitry apply apply apply apply apply
3.5.5.3.3.3.3 EMA Bottoming Loads apply apply apply apply apply
3.5.5.3.3.4 EMA Endurance apply apply apply apply apply
3.5.5.3.3.4.1 EMA Thermal Design Considerations apply apply apply apply apply
3.5.5.3.3.4.2 EMA Thermal Analysis apply apply apply apply apply
3.5.5.3.3.5 EMA Failure Modes if req'd if req'd apply apply apply
3.5.5.3.3.5.1 EMA Flutter Considerations if req'd if req'd apply apply apply
3.5.5.3.3.5.2 EMA Jam Failures if req'd if req'd apply apply apply
3.5.5.4 Mechanical Actuation Subsystems apply apply apply apply apply
3.5.5.4.1 Mechanical Force Transmitting Actuation apply apply apply apply apply
3.5.5.4.1.1 Force Transmitting Powerscrews apply apply apply apply apply
3.5.5.4.1.1.1 Sliding Contact Powerscrews apply apply apply apply apply
3.5.5.4.1.1.2 Rolling Contact Powerscrews apply apply apply apply apply
3.5.5.4.1.1.3 Horizontal Stabilizer Trim Actuators (HSTA) N/A N/A if req'd if req'd if req'd
3.5.5.4.2 Mechanical Torque Transmitting Actuation N/A N/A if req'd if req'd if req'd
3.5.5.4.2.1 Torque Tube Subsystems N/A N/A if req'd if req'd if req'd
3.5.5.4.2.1.1 Torque Tubes N/A N/A if req'd if req'd if req'd
3.5.5.4.2.1.2 Torque Tube End Fitting Attachment Methods N/A N/A if req'd if req'd if req'd
3.5.5.4.2.1.3 Torque Tube Slip Joints N/A N/A if req'd if req'd if req'd
3.5.5.4.2.1.4 Universal Joints N/A N/A if req'd if req'd if req'd
3.5.5.4.2.1.5 Bearing and Gearbox Loading N/A N/A if req'd if req'd if req'd
3.5.5.4.2.2 Gearing N/A N/A if req'd if req'd if req'd
3.5.5.4.2.3 Flexible Shafting N/A N/A if req'd if req'd if req'd
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.5.5.4.2.4 Helical Splines N/A N/A if req'd if req'd if req'd

3.5.5.4.2.5 Rotary Mechanical Actuators N/A N/A if req'd if req'd if req'd
3.5.5.4.2.6 Torque Limiters N/A N/A if req'd if req'd if req'd
3.5.5.4.2.7 No-Back Brakes N/A N/A if req'd if req'd if req'd
3.5.5.5 Pneumatic Actuation N/A N/A if req'd if req'd if req'd
3.5.5.6 Interfaces Between Actuation Subsystems, Support nc nc nc nc nc
Structure and Control Surfaces
3.5.5.6.1 Control Surface Stops apply apply apply apply apply
3.5.5.6.1.1 Stops for Linear Actuation apply apply apply apply apply
3.5.5.6.1.2 Stops for Rotary Actuation apply apply apply apply apply
3.5.5.6.1.3 Adjustable Stops apply apply apply apply apply
3.5.5.6.2 Control Surface Ground Gust Protection apply apply apply apply apply
3.5.5.6.2.1 Control Surface Locks apply apply apply apply apply
3.5.5.6.2.2 Protection Against Inflight Engagement of Control Surface apply apply apply apply apply
Locks
3.5.6 Display and Annunciation apply apply apply apply apply
3.5.6.1 In-flight Monitoring apply apply apply apply apply
3.5.6.2 VMS Warning and Status Information apply apply apply apply apply
3.5.6.3 Failure Status apply apply apply apply apply
3.5.7 Sensors apply apply apply apply apply
3.5.7.1 Motion Sensor Subsystems apply apply apply apply apply
3.6 Component Design and Fabrication Recommendations nc nc nc nc nc
Requirements
3.6.1 General Component Recommended Requirements nc nc nc nc nc
3.6.1.1 Choice of Components N/A? if req'd apply apply apply
3.6.1.2 Standardization N/A? if req'd apply apply apply
3.6.1.3 Interchangeability N/A? if req'd apply apply apply
3.6.1.4 Selection of Specifications and Standards N/A? if req'd apply apply apply
3.6.1.5 Identification of Product N/A? if req'd apply apply apply
3.6.1.5.1 Inspection Seals N/A? if req'd apply apply apply
3.6.1.6 Workmanship N/A? if req'd apply apply apply
3.6.1.7 Foolproof Protection N/A? if req'd apply apply apply
3.6.1.8 Ground Operation N/A? if req'd apply apply apply

ARP94910 VMS TYPE

3.6.2 Mechanical Components N/A? if req'd apply apply apply
3.6.2.1 Structural Fittings N/A? if req'd apply apply apply
3.6.2.1.1 Fail-Safe N/A? if req'd apply apply apply
3.6.2.2 Moisture Pockets N/A? if req'd apply apply apply
3.6.2.3 Temperature Range of Mechanical Components N/A? if req'd apply apply apply
3.6.2.4 Lubrication N/A? if req'd apply apply apply
3.6.2.5 Wear Life N/A? if req'd apply apply apply
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---
3.6.3 Electrical and Electronic Components N/A? N/A? apply apply apply
3.6.3.1 General If req’d If req’d apply apply apply
3.6.3.2 Component Ratings If req’d If req’d apply apply apply
3.6.3.3 Avoiding Premature Obsolescence If req’d If req’d apply apply apply
3.6.3.4 Growth If req’d If req’d apply apply apply
3.6.3.5 Solderless Wrap Wiring N/A? N/A? apply apply apply
3.6.3.6 Insulation System Design N/A? N/A? apply apply apply
3.6.3.6.1 Dielectric Strength N/A? N/A? apply apply apply
3.6.3.6.2 Insulation Resistance N/A? N/A? apply apply apply
3.6.3.7 Burn-In N/A? N/A? apply apply apply
3.6.3.8 Position Sensors nc nc nc nc nc
3.6.3.8.1 Potentiometers N/A? N/A? apply apply apply
3.6.3.8.2 Linear Variable Differential Transformers (LVDT) and N/A? N/A? apply apply apply
Rotary Differential Transformers (RVDT)
3.6.3.8.3 Alternative Transducer Types If req’d If req’d If req’d If req’d If req’d
3.6.3.9 Electrical Tape N/A? N/A? apply apply apply
3.6.3.10 Switches N/A? N/A? apply apply apply
3.6.3.11 Thermal Design of Electrical and Electronic Components N/A? N/A? apply apply apply
3.6.4 Assembly Design nc nc nc nc nc
3.6.4.1 Mechanical Joining N/A? N/A? apply apply apply
3.6.4.1.1 Joining with Removable Fasteners N/A? N/A? apply apply apply
3.6.4.1.2 Joining with Rivets N/A? N/A? apply apply apply
3.6.4.1.3 Threaded Joints N/A? N/A? apply apply apply
3.6.4.1.4 Joint Retention N/A? N/A? apply apply apply
3.6.4.1.5 Retention of Threaded Joints N/A? N/A? apply apply apply
3.6.4.1.6 Retention of Removable Fasteners N/A? N/A? apply apply apply
3.6.4.1.7 Use of Retainer Rings N/A? N/A? apply apply apply
3.6.4.2 Assembly of Electronic Components nc nc nc nc nc
3.6.4.2.1 Electrical and Electronic Parts Mounting N/A? N/A? apply apply apply
3.6.4.2.2 Shielding and Bonding on Finished Surfaces N/A? N/A? apply apply apply
3.6.4.2.3 Isolation of Redundant Circuits N/A? N/A? apply apply apply
3.6.4.2.4 Electrical Connector Installation N/A? N/A? apply apply apply
3.6.4.2.5 Cleaning of Electrical Assemblies N/A? N/A? apply apply apply
3.6.5 Component Installation nc nc nc nc nc
3.6.5.1 Basic Requirements N/A? N/A? apply apply apply
3.6.5.2 Locating Components N/A? N/A? apply apply apply
3.6.5.3 Installation in Fuel System Areas N/A? N/A? apply apply apply
3.6.5.4 Electrical and Electronic Component Installation N/A? N/A? apply apply apply
3.6.5.5 Electrical and Electronic Equipment Cooling N/A? N/A? apply apply apply
3.6.6 Component Fabrication N/A? N/A? apply apply apply
3.6.6.1 Materials N/A? N/A? apply apply apply
3.6.6.1.1 Metals N/A? N/A? apply apply apply
3.6.6.1.2 Nonmetallic Materials N/A? N/A? apply apply apply
3.6.6.1.3 Electric Wire and Cable N/A? N/A? apply apply apply
3.6.6.2 Processes nc nc nc nc nc
3.6.6.2.1 Construction Processes N/A? N/A? apply apply apply
3.6.6.2.2 Corrosion Protection N/A? N/A? apply apply apply
3.6.6.2.3 Fabrication of Electrical and Electronic Components N/A? N/A? apply apply apply
3.6.6.3 Identification N/A? N/A? apply apply apply
4 VERIFICATION AND VALIDATION nc nc nc nc nc
4.1 General Recommendations nc nc nc nc nc

ARP94910 VMS TYPE

4.1.1 Methods for Demonstration of Compliance apply apply apply apply apply
4.1.1.1 Analysis apply apply apply apply apply
4.1.1.2 Inspection apply apply apply apply apply
4.1.1.3 Demonstration apply apply apply apply apply
4.1.1.4 Tests apply apply apply apply apply
4.1.1.5 Similarity apply apply apply apply apply
4.2 Analysis Recommendations apply apply apply apply apply
4.2.1 Simulations apply apply apply apply apply
4.2.2 Reliability and Failure Mode Effects and Criticality Analysis apply apply apply apply apply
4.2.3 Vulnerability Analysis N/A N/A if requ'd apply apply
4.2.4 Maintainability Analysis N/A N/A if requ'd apply apply
4.2.5 System Safety Analysis N/A N/A if requ'd apply apply
4.2.5.1 Assessment of Average Risk of Hazard for Autonomous N/A N/A if requ'd apply apply
Landing
4.2.5.2 Assessment of Specific Risk for Autonomous Landing N/A N/A if requ'd apply apply
4.2.6 Operation in Turbulence Analysis N/A N/A if requ'd apply apply
4.2.7 Stability Analysis apply apply apply apply apply
4.2.8 Nuclear Survivability Analysis N/A N/A apply apply apply
4.3 Software and Firmware Verification apply apply apply apply apply
4.4 Test Recommendations nc nc nc nc nc
4.4.1 General Test Recommended Requirements nc nc nc nc nc
4.4.1.1 Test Witness apply apply apply apply apply
4.4.1.2 Acceptance Tests apply apply apply apply apply
4.4.1.3 Instrumentation apply apply apply apply apply
4.4.1.4 Test Conditions apply apply apply apply apply
4.4.1.5 Test Tolerances apply apply apply apply apply
4.4.1.6 Retesting Failed Components apply apply apply apply apply
4.4.2 Laboratory Tests nc nc nc nc nc
4.4.2.1 Component Tests apply apply apply apply apply
4.4.2.2 Component Interface Tests apply apply apply apply apply
4.4.2.3 Functional Mockup and Simulator Tests N/A N/A apply apply apply
4.4.2.4 Safety-of-Flight (SOF) Tests N/A N/A apply apply apply
4.4.2.4.1 Component SOF Tests N/A N/A apply apply apply
4.4.2.4.2 System SOF Tests N/A N/A apply apply apply
4.4.3 Aircraft Ground Tests apply apply apply apply apply
4.4.3.1 Integrity of Test Instrumentation apply apply apply apply apply
4.4.4 Aircraft Flight Tests apply apply apply apply apply
4.5 Qualification (Preproduction) Tests apply apply apply apply apply
4.5.1 Reliability Development Tests N/A N/A if requ'd apply apply
4.5.2 Maintainability Demonstration N/A N/A if requ'd apply apply
4.5.2.1 Maintainability Tests N/A N/A if requ'd apply apply
4.5.3 Human Factors Engineering Verification Tests N/A N/A if requ'd apply apply
4.5.4 Production/Acceptance Testing apply apply apply apply apply
4.6 Documentation apply apply apply apply apply
4.6.1 VMS Development Plan apply apply apply apply apply
4.6.2 VMS Specification apply apply apply apply apply
4.6.3 Design and Test Data Requirements apply apply apply apply apply
4.6.3.1 VMS Design and Analysis Report apply apply apply apply apply
4.6.3.2 VMS Qualification and Inspection Report apply apply apply apply apply
4.6.3.3 VMS Test Report apply apply apply apply apply
4.6.3.4 Interface Control Document (ICD) apply apply apply apply apply
4.6.4 Software Documentation apply apply apply apply apply
--`,`,,``````,,`,`,```,,`,`,``,-`-`,,`,,`,`,,`---


TSO-C153 IMA Hardware Element

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

TSO-C153 IMA Hardware Element

Încărcat de

Drepturi de autor:

Formate disponibile

AEROSPACE ARP94910

This document is published for the following reasons:

2.3.6 Document Definitions .................................................................................................................................. 21

3.4.3 Fixed Wing V/STOL Aircraft Requirements ................................................................................................ 63

4. VERIFICATION AND VALIDATION ............................................................................................................ 94

4.2 Analysis Recommendations........................................................................................................................ 95

Provided by IHS Licensee=Bogazici University/5964815002, User=albert, sam

4.2.4 Maintainability Analysis ............................................................................................................................... 96

5. NOTES ...................................................................................................................................................... 105

APPENDIX A RECOMMENDATION APPLICABILITY BY VMS TYPE........................................................................... 106

FIGURE 1 UA SYSTEM FUNCTIONAL ARCHITECTURE .......................................................................................... 18

TABLE 1 UNMANNED AIRCRAFT CATEGORIES ................................................................................................... 13

Provided by IHS Licensee=Bogazici University/5964815002, User=albert, sam

1.1 Vehicle Management Systems

1.2 Document Coverage

1.3 Document Exclusions

1.4 Related Document

Provided by IHS Licensee=Bogazici University/5964815002, User=albert, sam

1.5 Best Practices and Procuring Activity Approval

2.1 Applicable Documents

2.1.1 SAE Publications

ARP490 Electrohydraulic Servovalves

ARP988 Electrohydraulic Mechanical Feedback Servoactuators

ARP4058 Actuators: Mechanical, Geared Rotary, General Specification For

ARP4493 Aerospace - Direct Drive Servovalves

AS7997 Motor, Aircraft Hydraulic, Constant Displacement, General Specification For

AS35411 Fittings, Lubrication

AS50881 Wiring Aerospace Vehicle

Provided by IHS Licensee=Bogazici University/5964815002, User=albert, sam

2.1.2 ASME Publications

2.1.3 ASTM Publications

ASTM F 2395 - 07 Standard Terminology for Unmanned Aircraft Systems

ASTM F 2501- 06 Standard Practices for Unmanned Aircraft System Airworthiness

2.1.4 FAA Publications

2.1.5 IEEE Publications

2.1.6 ISO Publications

ISO 22072 Aerospace - Electrohydrostatic actuator (EHA) - Characteristics to be defined in procurement

2.1.7 ICAO Publications

Annex 11 to the Convention on International Civil Aviation, ‘Air Traffic Services’

2.1.8 NAS Publications

NAS 516 Fitting, Lubrication - 1/8 Inch Drive, Flush Type

NASM24665 Pin, Cotter (Split)

Provided by IHS Licensee=Bogazici University/5964815002, User=albert, sam

NASM33540 Safety Wiring And Cotter Pinning

2.1.9 RTCA Publications

DO-178 Software Considerations in Airborne Syatems and Equipment Certification

DO-254 Design Assurance Guidance for Airborne Electronic Hardware

DO-304 Guidance Material & Considerations for Unmanned Aircraft Systems

2.1.10 U.S. Government Publications

MIL-A-8860 Airplane Strength and Rigidity, General Specification

MIL-A-8861 Airplane Strength and Rigidity, Flight Loads

MIL-A-8865 Airplane Strength and Rigidity, Miscellaneous Loads

MIL-A-8867 Airplane Strength and Rigidity, Ground Tests

MIL-A-87229 Auxiliary Power Systems, Airborne

MIL-DTL-781 Terminal, Wire Rope Swaging, General Specification for

MIL-I-8500 Interchangeability and Replacementability of Component Parts

MIL-PRF-5503 Actuators: Aeronautical Linear Utility, Hydraulic, General Specification for

MIL-PRF-7958 Push-Pull Controls, Flexible and Rigid

Provided by IHS Licensee=Bogazici University/5964815002, User=albert, sam

MIL-STD-130 Identification Marking of US Military Property

MIL-STD-202 Test Method Standard, Electronic and Electrical Component Parts

MIL-STD-461 Electromagnetic Interference Characteristics

MIL-STD-464 Electromagnetic Environmental Effects Requirements for Systems

MIL-STD-704 Aircraft Electric Power Characteristics