AI STRESS-TESTCAA BVLOS UAS Swarm — Operational Authorisation

Add REQ007.1: 'DAA assurance case must include: (a) training dataset sheet (source, size, encounter types, sensor platforms, label accuracy metrics); (b) test-set composition and reservation for independent T&E; (c) bias analysis (coverage of cooperative/non-cooperative, rare encounter types, multi-aircraft scenarios); (d) failure modes analysis (what happens when sensors disagree, or encounter is outside training distribution); (e) drift-monitoring plan for model performance over trial lifetime.'

Add REQ008.1: 'Swarm decision-making assurance must include: (a) training data composition (simulation platform, real-world data sources, synthetic data generation method); (b) label provenance and accuracy (how emergent behaviours were classified, inter-rater agreement, dispute resolution); (c) class balance analysis and over/under-sampling rationale; (d) adversarial scenario testing (what if one aircraft sends false coordination data); (e) failure-mode analysis (what happens when swarm data is ambiguous or incomplete).'

Expand REQ012: '(a) MOR must record: all sensor feeds, AI model decisions/confidence, crew inputs, system state snapshots. Each recording must carry timestamp, data-quality flags, and classification (OUO/IP/GDPR-sensitive). (b) Bias audit: capture any crew re-labelling of AI outputs in-field, with rationale. (c) Post-incident: preserve recording for forensics; define access control (CAA only, or third-party T&E?). (d) DPIA must address: sensor/telemetry privacy risk, crew/civilian PII leakage, model-update frequency and its impact on model explainability and auditability. (e) Data retention and releasability: define what can be shared for independent T&E reproducibility (e.g., synthetic training data, anonymised incidents).'

AMLAS case must be supplemented with: (1) Explainability module mapping each model component (swarm consensus, DAA, geofence, etc.) to consumer + explanation style, (2) Model cards per model (accuracy, failure modes, uncertainty estimates), (3) Decision-log schema for MOR: timestamp, model inputs, inferred label, confidence, actual outcome, (4) Operator display mockups showing confidence thresholds and override options.

Human-oversight case must include: (1) Decision-responsibility matrix: which decisions are AI-sole, human-supervised, or human-sole? (2) Measurable override latency targets per decision type (e.g., 'formation change <2s, TDA breach <1s'), (3) Workload assessment: NASATASK or equivalent showing operator cognitive load remains <70% nominal, (4) Operator interface mockups showing AI confidence state and override buttons, (5) Take-over trial evidence from crew under high workload (simulated distractions).

Public engagement case (to be created) must include: (1) CAP 1616 consultation report showing community engagement and response handling, (2) Prior-notification protocol: SMS/email to registered property owners 24h before flight, (3) Media/press strategy: plain-language swarm brief, FAQ on safety/autonomy, contact for incident reporting, (4) Transparency report post-trial: incident summary, lessons learned, public website.

Dual-independent geofence: (1) Airborne L2: swarm-coordinator software (as-is), (2) Airborne L3: separate safety-critical module (hardened against corruption, GPS-spoofing resistant via multi-GNSS voting), (3) Ground-commanded L4: CAA/ATSU ground operator can remotely trigger geofence override, forcing all aircraft to level-flight descent at <2 m/s. Proof-of-concept: redundant geofence module on one aircraft, flight-test with GPS jitter/spoofing. Post-incident requirement: if any aircraft exits geofence, mandatory forensic unpack (why did L2 and L3 both fail?) before resumption. This is gate-keeper; absence forces NOT_SUITABLE.

Mandatory: (1) Calibration study: measure true-positive, false-negative rate at 10 confidence thresholds, plot empirical ROC, ensure selected threshold matches acceptable false-negative rate (e.g. <1e-5), (2) distributional-shift monitor: onboard sensor novelty detector (e.g. Mahalanobis distance to training distribution), alert crew if anomaly score exceeds threshold (e.g. 3-sigma), (3) adversarial robustness testing: introduce GPS, radar, IFF spoofing in simulation, measure DAA failure rate, (4) forensic audit trail: log all inputs (radar plots, IFF, ADS-B, GPS), all intermediate confidences, final decision, timestamped, cryptographically sealed post-flight, (5) high-confidence-wrong escalation: if DAA outputs high confidence but crew observes contradiction (e.g radar plots show intruder but DAA says clear), mandatory post-flight forensic review and model retraining gate before next flight. Absence of any element = NOT_SUITABLE.

ML assurance case must include forensic audit trail design: (1) Onboard logging: every input to DAA, swarm-decision, geofence module; every intermediate confidence/feature; every output and timestamp; recorded with redundancy (dual SD card, cloud upload post-flight), (2) Model manifest per-flight: serial number of DAA model, swarm model, training-data hash, commit ID if version-controlled, (3) Explainability-on-demand protocol: post-incident, investigator can request 'explain decision at 15:34:27 UTC,' system returns input, feature activation maps (saliency heatmaps), decision path, confidence scores, (4) Retraining gate: post-incident, frozen retrain period (e.g 1 week forensic analysis + crew re-certification), retraining does not resume until root-cause identified (e.g 'sensor saturation at high altitude' → retrain with synthetic high-altitude data), (5) Industry disclosure: critical incident with ML root-cause must be disclosed (anonymized) to CAA AI/ML working group for community learning. Absence of forensic audit trail = NOT_SUITABLE.

Flight termination is last line of defence; must be independent and assured: (1) Redundant termination channels: (a) RC receiver + software relay (pilot manual), (b) onboard hardware watchdog (timer-based, terminates if no valid heartbeat from swarm-coordinator in 5s), (c) ground-command backdoor (independent transceiver + hardened receiver logic, dedicated button at ATSU), (d) parachute/ballistic recovery (if time/altitude permits), (2) Testing: ground tests (verify each channel independently halts all motors within 1s), flight tests (test termination at 5 points in mission profile: hover, cruise, climb, descent, coordinated maneuver), measure variance, gate if 99.5% success rate not met, (3) Contingency matrix: documented 15-20 off-nominal scenarios (fire, structural failure, mid-air collision detected, geofence breach, swarm-consensus deadlock, C2 link loss >30s), for each: decision-maker (crew or ground AI?), termination trigger, expected aircraft survival, post-incident investigation priority. (4) ATSU protocol: signed MOU, authority limits (can ATSU terminate without crew consent?), voice procedure, logging. Absence of independent L3/L4 termination = NOT_SUITABLE.

Produce swarm-specific SORA evidence artefacts: (a) per-aircraft operational risks (as conventional SORA), (b) inter-aircraft coordinated-manoeuvre risks, (c) swarm-loss-of-cohesion recovery, (d) communication-loss formation holding, (e) quantified SAIL per aircraft and swarm separation minimum. Evidence must cite DO-178C + swarm-ops papers (e.g., ACAS Xu, airborne collision avoidance for multiple agents).

DAA/swarm de-confliction assurance: (a) DO-365 mapping matrix (each DO-365 obj → test case ID, test report section), (b) acceptance criteria table (detection range >X m, false-alarm rate <Y%, swarm collision avoidance success ≥Z%), (c) test design per cooperative (ADS-B/V2X) and non-cooperative (radar) targets, (d) swarm encounter scenarios (intruder at edge of formation, within formation, head-on 3-ship, cross-pattern), (e) simulation + live-trial test reports, both signed by independent T&E authority, (f) forensic data from trials to validate post-hoc.

AMLAS assurance case covering: (a) model inventory (each ML component, training dataset provenance, validation metrics AUROC/Precision/Recall), (b) data governance (train/test split ratios, class imbalance handling, ODD coverage in training data), (c) AMLAS technical sections (Safety Argument, Testing, Assurance Monitoring), (d) frozen-model manifest with hash/metadata, (e) re-evidence triggers (e.g., model retraining triggered after ≥100 flight hours or ≥5% performance drift), (f) drift-detection + monitoring dashboard post-deployment, (g) explainability report (e.g., SHAP for adversarial robustness, confusion matrices for ODD corner cases), (h) independent audit by CAA-approved ML assurance specialist.

Stakeholder engagement plan: (a) community impact assessment (identify nearby residents, businesses, schools, hospitals affected by trial), (b) consultation strategy (public notice, open house, feedback channels, complaint procedure), (c) media statement and FAQs (evidence-based risk communication), (d) landowner consent or compensation protocol (if flying over land), (e) evidence archive (notices issued, responses received, CAA/applicant sign-off on adequacy). This plan must be approved by CAA before trial start.

Security classification protocol: (a) joint CAA/MOD/Applicant classification review (which evidence is classified? at what level?), (b) redaction procedure (does CAA need full algorithms or only performance summary?), (c) independent verification channel (e.g., GCHQ security-cleared auditor provides abstracted findings to CAA), (d) signed agreement defining what CAA can/cannot publish post-trial, (e) precedent review (how have prior MOD-CAA regulatory programmes handled this?). Protocol must be approved before trial evidence submission.

CRITICAL: Add: '(a) Supplier is accountable for swarm architecture design and emergent-behaviour modelling limits; (b) Operator is accountable for real-time swarm override authority—explicitly named person must hold manual control to break swarm if emergent behaviour is detected off-nominal; (c) CAA is accountable for pre-trial audit of override timing and operator workload; (d) On incident, CAA investigator must reconstruct the swarm state and explain emergence post-hoc.' Add explicit role: Real-Time Swarm Safety Officer (operator crew) with exclusive authority to override all swarm decisions.

CRITICAL: Rewrite REQ015 as mandatory gate: 'GATE: Signed CAA/MAA Apportionment Agreement must be executed before trial authorisation, specifying: (a) Regulatory veto authority (e.g., MAA has veto over military-airspace or classified-data decisions); (b) Incident investigation authority (e.g., CAA leads unless MOD assets damaged); (c) Data classification handling (who is custodian of OFFICIAL-SENSITIVE evidence); (d) Post-trial knowledge dissemination (can CAA publish lessons learned or does MAA restrict?). Agreement must be signed by named CAA/MAA representatives with authority to commit their organisations.' Pre-trial, governance sign-off includes apportionment proof.

CRITICAL: Add REQ018 enforcement: 'Named role: Security Classification Custodian (MOD and CAA jointly). Pre-trial mandatory: (a) Classification guide produced specifying OFFICIAL/OFFICIAL-SENSITIVE/SECRET domains; (b) Sanitisation strategy: unclassified safety case extracted so CAA civil staff can review generic risk; (c) MOD Security Liaison (RAISO-equivalent) sits on CAA Safety Committee for classified-domain decisions (override veto on MOD airspace/data items); (d) Incident investigation protocol: if classified data involved, MOD and CAA jointly designate investigator (MOD if MOD assets/data, CAA if civil airspace/safety); (e) Post-trial publication: CAA can publish unclassified lessons learned; MOD classifies remaining findings. Apportionment must be signed by CAA and MOD pre-trial.'

Geofence architecture must specify: (1) hardware/firmware geofence layer independent of AI, (2) operator override latency (<1s target), (3) test evidence showing geofence holds under swarm-AI maximum velocity and acceleration, (4) post-incident geofence log forensics in MOR (REQ012).

DAA submission must include: (1) per-aircraft DO-365 evidence (single-vehicle), (2) multi-agent coordination model card (swarm consensus confidence, latency), (3) uncertainty bounds on swarm trajectory prediction for external de-confliction (e.g., '+/- 50m 3-sigma'), (4) MOR protocol for recording all DAA alerts, maneuvers, and inter-swarm messaging.

Swarm architecture case must include: (1) Deterministic consensus protocol with mathematical proof or >99.9% simulation confidence on stable formations, (2) Per-agent decision model cards + inter-agent messaging log, (3) Operator display showing current swarm confidence state and formation alternatives, (4) Forensic replay capability in MOR data (REQ012).

MOR case must include: (1) Extended data schema: per-agent model inputs/outputs, confidence scores, consensus messages, (2) Decision-replay capability: frozen model weights + MOR logs must reconstruct incident sequence, (3) DPIA supplement addressing on-board decision logging (is this surveillance? consent model?), (4) Forensic playback tool specification (who has access, under what conditions?).

Expand ODD with: (1) ML training-data bounds (distribution of aircraft density, speed, altitude, lighting, sensor noise), (2) DAA performance envelope (sensor latency, accuracy, false-alarm rate per scenario), (3) swarm consensus bounds (N-aircraft failure tolerance, minimum consensus threshold), (4) explicit scope-creep gates (crew must re-certify any mission deviating from original ODD; deviation triggers manual supervision). Operator manual: hard-rule examples of out-of-ODD signs (e.g 'if intruder closing speed >150 kts, revert to RC').

Mandatory swarm-assurance gates: (1) Simulator multi-agent stress test: run swarm decision algo against adversarial scenarios (one aircraft sensor failure, cascading conflict, GPS outlier, integrator wind-up), log decision divergence metric (e.g. variance of intended headings), gate if divergence exceeds 15 degrees, (2) Progressive trial build (REQ016): fly 2-aircraft shadowed by RC, log swarm-decision outputs every 100ms, flag anomalies (rapid consensus flip, persistent disagreement >5s), (3) Runtime swarm-health monitor onboard: compute real-time decision diversity (divergence of aircraft intents), alert crew if diversity spikes unexpectedly (sign of instability), (4) Post-flight swarm-decision forensics: replay recorded consensus votes, identify decision points where swarm diverged from nominal, classify as nominal/edge-case/failure, feed back to simulator, (5) Emergent-behaviour gate between N and N+2 aircraft: do not scale until decision diversity and robustness re-validated. Absence = NOT_SUITABLE for multi-aircraft release.

Swarm architecture assurance: (a) formal specification of decision-making (e.g., consensus algorithm, comms topology, loss-of-quorum rules), (b) FMEA of swarm failure modes (leader loss, link partition, member dropout), (c) acceptance criteria (state convergence time, formation recovery latency, deadlock-freedom proof or test evidence), (d) Monte Carlo or deterministic test design covering ODD + edge-of-envelope + multi-failure scenarios, (e) simulation report covering ≥10,000 virtual encounters, (f) live-trial data from phased gates validating sim correlation.

Phased gates protocol: (a) define phases: Phase 0 (sim only, ML validation), Phase 1 (supervised GNSS flight, manual override available), Phase 2 (shadow BVLOS, crew monitoring, no comms jamming), Phase 3 (autonomous BVLOS, full ODD), (b) per-phase success criteria tied to each REQ (e.g., Phase 1 exit: REQ007 DAA ≥95% success in 1000 encounters, REQ010 crew workload ≤6 NASA-TLX, REQ012 data integrity 100%), (c) go/no-go gate review (date, named CAA/MAA reviewers, decision criteria, documented), (d) trial evidence repository (locked after each gate for audit trail), (e) hold/pause trigger (if performance degrades, how is restart decided?).

CRITICAL: Add named human accountability: '(a) Supplier is accountable for geofence design and firmware assurance; (b) Operator is accountable for geofence deployment and test validation pre-trial; (c) CAA inspector is accountable for pre-trial audit of geofence test evidence; (d) If containment fails, CAA investigator will determine fault. All roles must be pre-assigned and understood.'

CRITICAL: Explicitly state: '(a) Human termination authority is exclusive—no AI shall auto-terminate the trial without explicit crew command; (b) Any AI recommendation to terminate must be logged and immediately escalated to crew for veto/override within 5 seconds; (c) Termination command is pilot-exclusive via hardwired circuit or secure C2 link; (d) Named role: Trial Safety Officer (crew) holds exclusive termination authority; (e) Contingency matrix must include: AI fails to execute pilot termination command—escalation to ATSU. Post-incident, Safety Officer is accountable for all termination decisions made or deferred.'

Require REQ009 to include: 'ML assurance case must document: (a) complete data provenance (sources, timestamps, versions, chain-of-custody for training/test splits); (b) label accuracy (metrics, inter-rater agreement, re-labelling procedures); (c) bias analysis across all identified vectors (sensor, platform, environmental, demographic if applicable); (d) performance acceptance criteria by safety-criticality level; (e) continuous drift monitoring plan (metrics, frequency, re-training triggers, fallback policy); (f) data retention and reproducibility plan for T&E forensics.'

Add REQ017 enforcement: 'Named role: Stakeholder Engagement Officer (CAA or operator delegate). Pre-trial mandatory: (a) CAP 1616 consultation document published; (b) Landowner notification sent with trial details and safety briefing; (c) Media relations plan approved by CAA (incident communication protocol); (d) GDPR data controller designated (operator or CAA) and privacy notice published; (e) Post-trial, lessons-learned summary sent to stakeholders. Operator is accountable for timely execution; CAA is accountable for approval.'

Add acceptance checklist to REQ001: 'Intake pack must include: (a) training data provenance sheet (source, size, sensors/labels used); (b) model manifest (architecture, hyperparameters, freezing timestamp); (c) independent test dataset statement; (d) bias/fairness analysis scope.'

Contingency case must include: (1) Per-contingency responsibility assignment (AI vs. operator), (2) Confidence thresholds: e.g., 'RTB only if consensus confidence >90%, else emergency termination', (3) Independent hard-kill mechanism (firmware/hardware) verified independently of flight control, (4) ATSU pre-coordination script and swarm position replay for post-incident analysis.

Apportionment agreement must specify: (1) AI assurance responsibility: CAA or MOD? (2) Trust-transfer basis: which regulatory accreditations (AMLAS, SACE, DO-365) does CAA accept from MOD without independent re-review? (3) Classified-evidence protocol: redaction/summary rules for CAA review, (4) Incident-investigation responsibility: if swarm fails mid-trial, who owns the forensics?

Security-handling protocol must specify: (1) Classification level of each evidence component (e.g., model architecture: SECRET, training data: UNCLASSIFIED), (2) Sanitisation rules: what can be redacted for CAA review without losing assurance value? (3) Trust bridge: independent auditor (e.g., QinetiQ) assures MOD evidence and vouches to CAA? (4) Incident-investigation protocol: if classified model is involved in incident, how does MOR data stay classified while allowing CAA investigation?

Define an intake checklist with evidence artefacts required for each requirement (REQ002–REQ020). Each artefact must name the owner, sign-off role, and acceptance standard (e.g., 'AMLAS case by applicant', 'signed by CAA/MAA SQEP').

Environmental assurance: (a) baseline noise/species survey at trial location, (b) modelling of trial noise impact (e.g., ISO 3744 for aircraft noise, cumulative 4–8 hours/day during sensitive hours), (c) protected-species consultation (if near SPA/SAC, or migration routes, ecological report required), (d) hazardous-material risk (battery fire on ground, fuel spill, debris fall into water/vegetation), (e) mitigation measures (flight hour restrictions, season restrictions, emergency response plan), (f) post-trial monitoring (noise complaints log, species observation if applicable), (g) CAA + Natural England / Scottish Natural Heritage sign-off before trial start.

Post-trial assurance plan: (a) mandatory lessons-learned review (CAA + applicant + MAA + crew, within 4 weeks of trial end), (b) final safety case update incorporating trial outcomes, (c) evidence preservation and archival (trial data, incident reports, root-cause analyses, third-party audit findings stored in CAA-accessible repository for ≥7 years), (d) authorisation close-out checklist (all REQ001–020 satisfied? residual risks closed? regulatory obligations discharged?), (e) publication of non-confidential trial report (for regulatory precedent and industry learning), (f) formal CAA/MAA sign-off authorising end of trial and removal of airspace/operational restrictions.

Extend REQ009: '(a) Supplier must maintain version-controlled model registry with explainability artifacts (e.g., SHAP, attention maps) and commit hashes for all deployed versions; (b) Operator must log which model version was active during trial; (c) CAA must retain model snapshots for incident investigation; (d) Post-incident, a named ML Forensics Officer (CAA or delegated) is accountable for model-state reconstruction and explanation.' Add mandatory: 'Model explainability logs must be recorded at runtime and cross-referenced with incident timeline.'

Operationalise REQ010: '(a) Define meaningful human control as 'pre-decision veto authority'—human approval required before AI-informed swarm actions execute, except link-loss autonomy (which is pre-approved); (b) CAA human-factors inspector must test crew take-over timing under high-workload scenarios; (c) Automation-bias test mandate: simulate AI failure modes and measure crew detection/override rate; (d) Crew fitness assessment must include swarm-specific decision load (e.g., coordinating multi-aircraft de-confliction judgements).'

Add REQ019 enforcement: 'Named role: Environmental Compliance Officer (operator or CAA designate). Pre-trial mandatory: (a) Environmental Scoping Report produced (noise, species impact, waste hazards); (b) If dusk/night ops proposed, Ecological Impact Assessment required; (c) Battery hazard plan: storage, spill containment, disposal custodian named; (d) Noise Impact Assessment for ground crew and local residents; (e) Post-trial, environmental monitoring data (sound levels, wildlife observations) collected and reported to CAA. Operator is accountable for environmental compliance; CAA inspector audits evidence pre-trial.'

Add REQ020 enforcement: 'Named role: Post-Trial Assurance Officer (CAA). Pre-trial, trial closure protocol must be agreed: (a) Data stewardship: operator retains all trial data for 7 years; CAA retains safety findings indefinitely; (b) Lessons-learned synthesis: within 6 months post-trial, CAA publishes sanitised findings (excluding classified material); (c) Supplier notification: if trial identified model inadequacy or safety issue, supplier must issue advisory to all fleet operators; (d) Authorisation closure: CAA formally closes authorisation and notifies stakeholders; (e) Persistent risk: if post-trial analysis uncovers unresolved risk, CAA has authority to re-open investigation. Authorisation close-out cannot occur until lessons-learned are documented.'

Extend REQ002: 'SORA evidence must include: statement that each ML component's training data covers the claimed ODD (weather, airspace, encounter types, swarm sizes), with gaps and fallbacks documented.'

Require: 'Geofence enforcement must verify GPS freshness and consistency across swarm before containment decisions. Acceptance criteria: (a) detect GPS spoofing/anomalies within X seconds; (b) fall back to dead-reckoning if GPS becomes unavailable; (c) test performance in low-signal conditions (urban canyon, RF interference).'

Add REQ017: 'Public and stakeholder engagement must include: (a) DPIA supplement for engagement data (what PII, legal basis, retention, deletion); (b) consent/contact mechanism (opt-in preferred); (c) transparent communication about trial (risk, data use, privacy); (d) process for landowner objections; (e) data log of all external data collection and disposition.'

Augment SORA submission with: (a) swarm-coordination confidence intervals (e.g., 'consensus achieved >99% in n=10k Monte Carlo trials'), (b) sensitivity analysis on ODD boundary violations, (c) explicit statement of OSO assumptions (e.g., 'assumes <10 concurrent non-cooperative encounters').

ConOps must include: (1) AI decision confidence thresholds for each swarm maneuver, (2) graceful degradation logic when confidence falls below threshold (e.g., 'return-to-base if consensus <85%'), (3) operator visibility into current AI confidence state.

TDA submission must include: (1) AI-driven boundary-crossing risk model (e.g., 'swarm position error 3-sigma bound <100m'), (2) coordination protocol with Airspace Change Proposal (ACP) trigger points, (3) operator workload to monitor and correct boundary incursions.

C2 assurance case must address: (1) maximum tolerable C2 loss duration before swarm enters safe-hold mode, (2) operator visibility into C2 link status and swarm autonomy mode, (3) inter-vehicle mesh protocol confidence bounds (e.g., 'mesh coordinates with >98% accuracy for <30s blackout').

Insurance submission must address: (1) AI failure carve-outs: list which AI-failure modes are covered vs. excluded, (2) Per-engagement risk tier linked to real-time ground monitoring (e.g., 'if new structures detected, mission suspended pending re-survey'), (3) Third-party notification protocol (pre-flight SMS to registered buildings).

Training syllabus must include: (1) Swarm consensus mechanics and failure modes (scenario-based), (2) AI confidence-state interpretation (what does 'confidence 63%' mean?), (3) Manual recovery from consensus failure (return-to-base override tests), (4) Model rollback procedures and expected behaviour changes.

Phased trial plan must include: (1) AI-specific gates: per-phase ML model validation (e.g., 'phase 2 gate: consensus confidence >95% in 100h of sim + 10h of 2-vehicle flight'), (2) Reversal triggers: objective metrics (e.g., 'if consensus drops <80% for >3 consecutive maneuvers, revert to phase N-1 + re-validate model'), (3) Model freeze points: at what phase is the ML model frozen for flight ops (no more online learning)?

Environmental assessment case must include: (1) Baseline noise survey (dB profile by location/time), (2) Pre-flight wildlife survey (nesting, migration), (3) Swarm noise model (projected dB vs. single aircraft), (4) Mitigation: flight-altitude limits, time-window restrictions, observer on-site, (5) Post-flight environmental monitoring plan and incident reporting.

Close-out case must include: (1) MOR data archival plan: who holds the data, for how long, under what access controls? (2) Lessons-learned report: per-phase summary of evidence gaps, model failures, crew feedback, (3) Regulatory precedent: formal CAA-MOD debrief documenting which assurance artifacts (AMLAS case, model cards, MOR schema) were most valuable for future trials, (4) Trust-transfer statement: explicit clearance for future trials to reference this precedent.

Add AI-specific intake checklist: (1) frozen ML model manifest with training data hash, (2) DAA test coverage map (ODD scenarios), (3) ML failure-mode register (false +/-ve thresholds, mitigation), (4) swarm simulator scenario library, (5) forensic audit-trail design (inputs, confidences, decisions logged per flight). Reject intake if any missing.

Extend SORA to include AI-failure row: map each DAA/swarm-decision failure mode to SAIL/OSO impact (e.g. false-neg DAA = mid-air collision = SAIL reduce airspace, OSO require continuous radar overlay). Assign pilot/sensor/AI-assurance mitigation credit only if forensic explainability and runtime detection are contractual.

TDA approval contingent on independent low-level geofence enforcement (REQ005 critical). TDA document must include: (1) swarm failure-response procedure (if any aircraft exits TDA boundary, force entire swarm descent to 50ft AGL and hover), (2) radar plot verification during trial setup (confirm GPS-derived position matches ground radar), (3) ATSU alert protocol if swarm detected approaching boundary (ATSU triggers ground-command geofence override).

C2 assurance must include: (1) link-loss scenario matrix (loss during ascent, cruise, descent, coordinated maneuver), (2) onboard fallback FSM (state machine for each scenario, including timeout to auto-descent if link not restored in 60s), (3) field test: deliberately drop C2 link at 10 points in mission profile, verify swarm behaviour matches fallback FSM, (4) pilot training on manual recovery from link loss, (5) post-flight log analysis to detect confidence-degradation signs during link-loss.

Human-oversight assurance must include: (1) Takeover protocol: explicit decision tree (if crew commands descent, does AI obey or second-guess?), onboard control authority matrix (crew can always assert: emergency descent, link-loss fallback, single-aircraft isolation), (2) Override testing: field validation (crew commands 10 emergency maneuvers under representative workload, measure response time, verify AI releases control within <500ms), (3) Contradiction detection training: scenario-based sim before trial (crew practices detecting/resolving AI-sensor contradictions, e.g DAA clear but visual intruder, radar plot shows conflict), (4) Workload cap: empirical measurement during trial build-up (log crew inputs, response latencies, missed alarms), gate expansion if workload metric exceeds threshold, (5) Crew briefing on AI limitations: documented examples of DAA false scenarios (sensor glint, cooperative aircraft without IFF, weather radar clutter), so crew expects and recognizes anomalies.

Crew training curriculum expansion: (1) AI-failure scenario module: 5-10 scripted scenarios (DAA false-negative, swarm consensus deadlock, geofence malfunction, C2 link loss + DAA distrust), crew response measured (detection time, decision quality, manual recovery time), gate if all scenarios not successfully completed, (2) Override protocol drills: crew trains on forcing manual control in each flight phase (hover, cruise, coordinated maneuver), verifies AI release <500ms, practices recovery from AI-resisting-override scenario, (3) Contradiction detection: crew briefed on scenarios where AI output contradicts sensor (radar conflict, IFF dropout, GPS outlier), trained to recognize and escalate, (4) Competency re-certification post-incident: if crew makes misjudgment during trial (e.g trusts false DAA output), mandatory retraining + sim check before resumption. Certification doc must detail AI failure scenarios covered.

ConOps must include: (a) ODD boundary table (all continuous and discrete operating parameters), (b) off-nominal tier (degraded sensors, partial link loss, single-aircraft failure), (c) failure-mode FMEA linked to V&V test cases, (d) swarm reconfiguration strategy (e.g., can 3-ship formation continue as 2-ship?), (e) evidence artefacts (FMEA, test design, simulation report).

TDA coordination package must include: (a) residual air-traffic risk assessment (known VFR, glider, commercial paths in TDA), (b) separation enforcement architecture (geofence tolerances, ADS-B publishing, TDA radar/ATSU monitoring), (c) swarm boundary validation test (e.g., 'aircraft constrained to ±X m lateral, ±Y ft altitude in GPS-denied scenario'), (d) contingency link-loss egress plan, (e) ATSU escalation thresholds.

Geofence assurance case must include: (a) architectural description and failsafe design, (b) acceptance criteria (breach tolerance ≤X m, recovery time ≤T s), (c) unit + integration test report (signed), (d) swarm-specific test: all N aircraft breach-tested concurrently; no cascading failure, (e) failure-mode matrix (GPS loss → hardcoded safe altitude egress; GCS comms loss → pre-loaded fence holds), (f) SQEP independent review.

C2 assurance case: (a) link specification document (latency, PER, bandwidth per aircraft), (b) loss-of-link holding test (N aircraft, T-second GNSS-only flight, zero separation violation), (c) spectrum clearance and interference survey (OFCOM certification + applicant test report), (d) swarm-link interdependencies (e.g., can one aircraft's link loss trigger cascading failure? test evidence required), (e) independent RF and systems validation.

Human factors assurance: (a) operational concept for crew role (supervisory, monitoring frequency, veto authority), (b) HMI design with usability testing (≥X subjects, task success rate ≥Y%), (c) workload study (NASA-TLX or equivalent during all phases), (d) takeover test matrix (nominal, one-member loss, link degradation, intruder alert; takeover latency ≤T s for each), (e) crew training plan with competency sign-off by CAA HF specialist, (f) continuous workload monitoring during trial with red-line thresholds for pausing operations.

Contingency assurance: (a) detailed contingency decision tree (trigger → action → outcome for each ODD scenario), (b) flight termination design per aircraft + swarm behaviour (do all terminate simultaneously? coordinated sequence?), (c) acceptance criteria (descent rate <X ft/s, landing dispersal ≤Y m, zero secondary hazards), (d) test report: simulation covering contingency in ≥50 ODD scenarios, (e) live trials in phased gates (virtual-only first, shadow BVLOS later), (f) ATSU coordination protocol with worked example, (g) independent review by CAA flight ops specialist.

Data assurance case: (a) detailed data dictionary (telemetry, ML inputs/outputs, decision logs, comms records, resolution, frequency), (b) recording architecture diagram with redundancy (on-board + ground + cloud backup), (c) failure-mode → data-requirement matrix (e.g., 'if collision risk suspected, require image buffer ± 30 s + ML confidence traces'), (d) data retention and governance policy (post-trial archive duration, deletion criteria), (e) DPIA compliance report signed by DPO, (f) incident investigation protocol with test evidence (e.g., mock incident investigation on trial data sample), (g) independent audit by CAA data specialist.

Crew assurance: (a) training syllabus covering swarm ops, HMI, contingencies, loss-of-link, emergency takeover (simulator + theory), (b) assessment plan with practical and knowledge tests, (c) signing-off process by CAA-approved examiner or operator PIC with CAA oversight, (d) competency records (dates, assessor, scores) retained post-trial, (e) continuous monitoring during phased gates (pass/fail per phase), (f) supplementary training triggered by performance issues or trial phase advancement.

Add: 'For each autonomous link-loss behaviour, name the human accountable: (a) Supplier designs autonomy; (b) Operator approves autonomy limits pre-trial; (c) CAA certifies autonomy is safe. Post-incident, operator is accountable for decision to deploy that autonomy.'

Refactor REQ007 to separate: (a) Detection performance (sensor evidence); (b) AI de-confliction logic (frozen model registry, explainability); (c) Avoidance action authority (human override or AI-autonomous?). Name accountable role for each.

Extend REQ016: 'Each gate decision shall be made by a named CAA Safety Committee (programme manager + lead inspector + legal/risk officer). Gate criteria must be objective and measurable. If AI assists gate assessment, it must be explainable; final gate decision is human-exclusive. Gate reversion policy must be pre-trial defined and signed. Failure to meet gate criteria triggers review; if review is inconclusive, trial is paused pending additional evidence.'

Add to REQ006: 'C2/inter-vehicle links must carry: message timestamps, sequence numbers, checksums/CRC. Acceptance criteria: bit-error rate <1e-6, latency jitter <50ms, lost-message rate detectable and logged. Swarm coordination must include data-freshness checks.'

Add REQ018: 'Security classification protocol must define: (a) classified evidence assessment (what cannot be disclosed, why); (b) open-equivalent substitute (can unclassified proxy data be provided); (c) CAA-only access protocols for classified evidence; (d) third-party T&E on open-equivalent data, with CAA verification on classified subset; (e) MOD/CAA/Industry data-sharing agreement (who, what, when, how).'

Data recording and MOR expansion: (1) AI-forensic data mandate: all AI subsystem logs (DAA, swarm, geofence, ML confidence scores) recorded at 10 Hz minimum, dual-redundant storage, (2) Retention policy: all logs retained for 2 years post-incident (or 5 years if no incident), encrypted, access controlled via MOU between operator, CAA, insurance, (3) DPIA: explicitly scope crew performance data (reaction time, override rate) as potentially sensitive, anonymize before sharing with third parties, (4) Post-incident analysis protocol: incident investigator has SLA access to forensic extract within 12 hours, forensic report due within 1 week, includes root-cause (was it AI failure, operator error, sensor glitch, systematic issue?), learning (how to retrain/redesign to prevent recurrence?), (5) MOR closure loop: post-incident finding feeds back to REQ009 ML retraining gate; cannot resume until closure confirmed.

Insurance assurance: (1) Obtain Errors & Omissions or Cyber policy explicitly covering autonomous flight-control and swarm-coordination failures; exclude 'loss of control' general exclusion, (2) Insurance underwriter to review ML assurance case (REQ009), AI failure mode register, geofence/termination design (REQ005, REQ011); underwriter approval required before trial, (3) Claims protocol: insurer to cooperate with CAA MOR (REQ012) without delay; claim settlement contingent on root-cause disclosure, (4) Ground survey extended: include GPS spoofing risk zones, RF interference sources, secondary impact zones if swarm exits primary TDA by design-failure distance (e.g 200m).

Phased trial gates with AI-specific evidence requirements: (1) Gate 0 (RC + ground sim): DAA simulator performance validated (ROC curve, false-alarm <1%, false-miss <1e-5), swarm-decision consensus tested on 20+ scenarios, geofence boundary tested (GPS jitter ±10m, altitude ±5m, confirm containment), (2) Gate 1 (1-aircraft autonomous DAA): 10 flight hours, log all DAA decisions, zero false-negatives acceptable (if any close encounter not detected, investigate and retrain), confidence calibration validated (high-confidence output matches true-positive rate), (3) Gate 2 (2-aircraft swarm consensus shadowed by RC): 10 flight hours, log consensus votes, measure decision diversity, analyze edge cases (GPS dropout, one-aircraft sensor loss), (4) Gate 3 (4-aircraft swarm autonomous, DAA + consensus live): 20 flight hours, forensic analysis of all decisions (post-flight, classify each decision as nominal/edge-case/anomaly), anomaly count <5%, (5) Gate 4 (8-aircraft swarm autonomous): post-Gate 3 forensic analysis accepted, CAA/MAA sign-off. Each gate failure triggers investigative freeze + redesign/retrain cycle. This prevents scope creep into autonomous release.

Post-trial assurance and close-out: (1) Forensic close-out report (within 6 weeks of trial end): all AI subsystem logs analyzed, anomalies classified (nominal / edge-case / unexplained), false-positive/negative rates computed, swarm-decision diversity trends examined, geofence boundary-condition robustness summary, (2) Lessons-learned package: critical findings (e.g 'DAA false-alarm rate 1.2% under GPS-challenged conditions') published anonymized to CAA AI/ML working group, (3) Model retraining decision gate: if trial revealed distributional shift or model weakness, retraining mandatory + re-qualification before commercialization, if no significant findings, model can be released, (4) Regulatory authorization close-out: CAA issues formal trial completion certificate, specifies: findings accepted, no further investigation needed, trial data preserved for 2 years, future BVLOS swarm trials can reference this trial evidence + lessons.

Insurance & environmental assurance: (a) detailed ground survey (critical infrastructure, dwelling density, vehicle traffic, water, wildlife sensitivity, at trial location + 1 km buffer), (b) residual risk assessment per ConOps (probability of uncontrolled impact × impact consequence = residual risk), (c) insurance policy review with broker confirmation of swarm-ops coverage and limits, (d) third-party risk analysis per CAP 722H (shadow model or QRA) linking residual hazards to insurance adequacy, (e) survey report signed by competent surveyor, (f) CAA validation that risk is acceptable or mitigations sufficient.

Apportionment document must include: (a) functional apportionment table (each requirement → CAA owner, MOD owner, or shared), (b) evidence ownership per requirement (who produces? who signs? who validates?), (c) interface control (e.g., 'MOD provides sworn classified test report; CAA reviews redacted summary'), (d) escalation path (named CAA/MAA technical contacts for disputes), (e) joint signature by CAA and MAA technical authorities.

Add: 'The CAA case officer remains accountable for case validity; AI completeness assistance must be auditable and override-able without penalty.'

Add: 'The SORA assessor must demonstrate independent review of all AI-synthesised evidence before SAIL/OSO approval; syntheses must be explainable and challengeable.'

Add: 'CAA reviewer must certify that ODD was independently validated; AI-generated scenarios must be segregated and explicitly accepted by human sign-off.'

Add: 'If AI assists ground-environment survey or risk assessment, the CAA authorisation officer remains accountable for survey accuracy and must independently validate all AI recommendations. AI-assisted risk models must be explainable and challengeable.'

Add to REQ003 ConOps narrative: 'Worst-credible cases must include sensor data failures (GPS loss, camera blind spots, swarm comms delay >X ms). For each, describe AI fallback (e.g. reduced swarm autonomy, return-to-home)'.

Add: 'Contingency procedures must define: (a) minimum-data termination mode (what if GPS/comms lost); (b) termination decision logic with explicit data inputs and validity checks; (c) acceptance criteria (latency, success rate in simulation/field test); (d) training data for crew on contingency scenarios.'

Add: 'Crew competency evidence must include: (a) training scenario database (coverage of ODD, swarm sizes, off-nominal events); (b) pass/fail criteria linked to incident-free flight; (c) recurrent training schedule and performance tracking.'

Define gate criteria explicitly: 'Each phase gate must verify: (a) AI model performance on holdout test data meets acceptance criteria; (b) no data drift detected in prior phase (confidence scores, misclassification rates stable); (c) MOR data complete and correctly classified; (d) crew training up-to-date on observed off-nominal swarm behaviours.'

Add REQ020: 'Post-trial close-out must include: (a) data archive (MOR, models, test data) with metadata and classification; (b) access-control policy (CAA, operators, third-party T&E); (c) lessons-learned report (data quality issues, AI surprises, bias observations, crew feedback); (d) recommendations for future trials (data governance, model update frequency, monitoring baselines); (e) authorisation close-out sign-off.'

Public engagement with AI transparency: (1) Community leaflet explaining trial scope: 'This trial includes AI-based collision detection and autonomous swarm coordination. Safety measures include redundant geofence, flight termination, and crew oversight. If an incident occurs, it will be investigated and findings disclosed,' (2) Pre-trial landowner consultation: notify within 1km radius, offer open-day to observe setup and meet crew, Q&A on AI safety, (3) Incident communication plan: if incident occurs, operator to publish preliminary findings within 7 days, final report within 4 weeks, root-cause determination (was it AI, sensor, operator, environment?), lessons learned shared with industry, (4) Opt-in monitoring: offer residents who consent ability to view trial progress (number of flights, no incident count, etc) on public dashboard.

Add: 'CAA must name the coordination point and veto authority for TDA overlaps; inter-regulator apportionment for airspace breach accountability must be signed.'

Extend REQ014: 'CAA licensing inspector must validate swarm-specific competencies: (a) Crew can recognise and override AI-recommended de-confliction if unintended; (b) Crew understand emergent swarm behaviour limits and can detect off-nominal emergence; (c) Crew can execute trial termination under high workload. Swarm-specific competency test must include AI failure scenarios.' Add: 'Trainer is accountable for ensuring crew meets swarm-specific competency gates.'

Add to REQ004: 'TDA package must define: data sources for live airspace updates, latency SLAs, fallback behaviour if data feed is lost or stale, and validation checks on incoming airspace-use data.'

Add: 'Crew oversight must include: (a) real-time AI explanation fidelity acceptance criteria; (b) training scenario data covering nominal and off-nominal swarm states; (c) human-factors study of crew decision-making when AI confidence is low or contradictory; (d) procedure for crew to query AI reasoning (explainability SLA).'

Add: 'Ground survey must include: (a) recency stamp (survey date, planned refresh); (b) live-update mechanism for high-change areas (e.g., construction, temporary structures); (c) data-quality assurance (confidence bounds on obstacle positions, population density).'

Add data-governance annex: 'CAA/MAA data sharing must define: (a) what data flows in each direction (incident reports, sensor logs, model performance metrics); (b) classification handling (OUO, IP, national-security material); (c) SLA for data exchange; (d) secure data channels and audit logging.'

Add environmental-monitoring requirement: 'Trial must include: (a) baseline environmental survey (noise, species presence/activity, ground conditions); (b) monitoring protocol (noise loggers, wildlife observers, ground inspection) during trial; (c) incident-reporting SOP (fire, spill, wildlife harm); (d) remediation plan if thresholds exceeded.'

Apportionment agreement to explicitly include AI accountability: (1) DAA failure: MAA responsible for model qualification and retraining proposal, CAA approves retraining before resumption, (2) Swarm-decision failure: operator responsible for scenario build-up and operator training, MAA responsible for algorithm robustness, CAA approves edge-case resolution, (3) Geofence/termination failure: MAA responsible for independent assurance (L2/L3/L4 design), CAA approves before trial, (4) Post-incident: joint CAA/MAA forensic investigation, root-cause report due within 2 weeks, decision on resumption within 1 week post-closure, (5) Disclosure: critical AI-failure findings disclosed to industry via CAA AI/ML working group (anonymized).

Security protocol: (1) MOD and CAA to sign Security Protocol Agreement pre-trial, defining: review location (MOD secure facility or CAA cleared space?), assessor clearance requirement (SC or equivalent), permitted note-taking (sanitized findings only, no classification details in CAA file), (2) Alternative: MOD provides unclassified redacted summary of DAA assurance case; MOD retains classified AI logs, provides them to CAA investigator only post-incident under DPA/Official Secrets Act, (3) Post-incident access: MOU signed pre-trial governing investigator access to classified logs, investigation report (unclassified) published within 8 weeks.

Environmental assessment: (1) Noise survey: baseline measurements, trial noise profile during mission phases (ascent, cruise, descent), impact on adjacent residential/sensitive zones, mitigation (altitude/routing restrictions), (2) Species survey: ornithologist to assess dusk/night disturbance risk if trial extends to low-light ops, (3) Battery/fire risk: swarm landing procedure (automated safe landing or manual recovery?) if geofence enforces containment descent, confirm landing zone clear of high-fire-risk vegetation, post-landing battery inspection protocol, (4) Environmental incident protocol: if AI malfunction causes unplanned landing in sensitive area, operator must notify local authority + wildlife agency within 4 hours.

Minor: Add: 'Operator is data custodian and accountable for data integrity for 7 years post-trial; CAA-designated investigator has authority to seize data and forensic logs at any time. Data retention timeline and custodian roles must be pre-trial signed.'

Ensure the intake checklist explicitly references REQ009 (AMLAS case) and REQ012 (MOR data) completeness as mandatory gates. Do not proceed to SORA assessment (REQ002) until ML assurance evidence is certified complete.