14 CFR Part 135 Commercial Aviation Operations

Regulatory Context: Part 135 and the Air Carrier Certification Framework

14 CFR Part 135 codifies the operating requirements for commuter and on-demand operations, distinguishing scheduled commuter service from on-demand charter, air taxi, and air ambulance work. Each Part 135 certificate holder must complete the FAA's five-phase Air Carrier Certification process and obtain Operations Specifications (Op Specs), which authorize specific aircraft, routes, training programs, and equipment configurations under 14 CFR Part 119. Op Specs are not boilerplate: they encode authorizations such as ETOPS for extended over-water operations, RVSM for flight in the FL290-FL410 vertical-separation band, ADS-B Out compliance under 14 CFR 91.225, EFB Class 1/2 authorizations under AC 120-76D, and Part 135 single-pilot or two-pilot crew configurations. Together, these authorizations form a per-operator envelope that is far narrower than the regulatory text alone implies.

Part 135 also imposes parallel programmatic obligations that cut across daily operations. Operators must maintain an FAA-approved maintenance program under Subpart J, a training program under Subpart H, and a Drug and Alcohol Testing program under 14 CFR Part 120 covering safety-sensitive crew, dispatch, and maintenance personnel. Recordkeeping under 135.63, fatigue and flight-time limits under Subpart F, and Operational Control responsibilities under 135.77 create a continuous compliance surface, not a one-time certification event. For emerging eVTOL operators pursuing Part 135 certification under the FAA's Powered-Lift Special Federal Aviation Regulation (SFAR), the same envelope applies, with additional considerations for transition-flight regimes, vertiport operations, and remote pilot supervision models that the existing rule text only partially anticipates.

Architectural Requirement

Part 135 operations demand a control architecture in which every actuation, whether a takeoff release, an in-flight diversion, or a maintenance deferral, is bounded by the operator's specific authorizations and current airworthiness state. The architecture must enforce phase-decomposed flight: taxi, takeoff, climb, cruise, approach, and landing each carry distinct rule sets, equipment requirements, and abort criteria. It must compose authority across the pilot-in-command, the operational control function, dispatch (where applicable), and the maintenance release, so that a flight cannot depart under conditions that any single authority has refused. And it must produce reconstructible records that satisfy both routine FAA surveillance and post-incident NTSB review.

For eVTOL and UAM, the architectural bar rises further. High-tempo vertiport operations, battery-state-dependent range envelopes, and contingency-landing-zone planning compress decision cycles below what human-only operational control can sustain. The control system must be able to refuse, defer, or partially execute a commanded action when authorization conditions degrade in flight, and to do so in a way that is auditable against the certificate holder's Op Specs.

Why Procedural Compliance Fails

Most Part 135 compliance today lives in paper systems: General Operations Manuals, Maintenance Manuals, training records, and dispatch checklists. These artifacts are reviewed by FAA Principal Operations Inspectors and Principal Maintenance Inspectors during surveillance, but they are not connected to the actual control loop of the aircraft. A pilot can in principle launch a flight that violates RVSM equipment requirements, exceeds duty-time limits, or departs from a runway not authorized in Op Specs, and the violation is detected only after the fact, through self-disclosure under the FAA's Aviation Safety Action Program (ASAP) or through ramp inspections.

The fragmentation extends to equipment authorizations. An RVSM-authorized aircraft that loses an air-data computer mid-flight transitions out of the RVSM envelope at the moment of failure, but the operator's procedural response, contact ATC, request a non-RVSM altitude, log the deviation, depends on the pilot recognizing the equipment loss and remembering the procedural chain. Similarly, an EFB authorization that depends on a current chart database under AC 120-76D is procedurally enforced through the pilot's pre-flight check, with no system-level guarantee that an out-of-cycle database is detected before departure. Each of these gaps is a known surveillance finding, and each is a place where procedural compliance has been asked to do work that only structural enforcement can sustainably perform.

Procedural compliance also fragments under multi-authority operations. When operational control, maintenance release, and pilot-in-command authority are held by different individuals, sometimes at different organizations under wet-lease or code-share arrangements, the "current authorization state" of a flight becomes a question of document reconciliation rather than system state. Incident reconstruction inherits this fragmentation: NTSB investigators routinely spend months assembling a timeline from disparate logs, voice recordings, and interviewees, because the operating system of the operation does not itself produce a coherent record.

What Governed Actuation Provides

Governed actuation reframes flight operations as a sequence of bounded, evaluated commitments rather than an open-loop chain of human decisions. Each proposed actuation, takeoff release, climb clearance acceptance, route amendment, approach commitment, is evaluated against the live authorization envelope and resolved into one of four graduated modes: continue, defer, refuse, or partial. A continue mode permits full execution; defer holds the action pending a missing precondition (a maintenance signoff, a weather update, a duty-time reset); refuse blocks the action with a structured reason; partial executes a reduced-scope variant, such as a non-RVSM altitude assignment when RVSM equipment is degraded.

Three further properties make the primitive load-bearing for Part 135. Harm minimization evaluates each candidate mode against the operational consequences of refusal as well as continuation, recognizing that refusing to land is rarely safer than landing. Post-actuation verification confirms that the executed action matched the authorized envelope, producing the signed record that surveillance and incident reconstruction depend on. Reversibility evaluation distinguishes commitments that can be unwound, such as a taxi clearance, from those that cannot, such as a committed approach past the missed-approach point, and tightens the evaluation threshold accordingly.

Compliance Mapping

The primitive maps directly onto Part 135's structural obligations. Operational Control under 135.77 becomes a continuously evaluated authorization envelope rather than a pre-flight checklist, with Op Spec authorizations (ETOPS, RVSM, ADS-B Out, EFB usage) encoded as live constraints on the actuation evaluator. Maintenance program compliance under Subpart J binds to refuse and defer modes through the airworthiness release: a deferred Minimum Equipment List (MEL) item that has aged past its category interval generates a refuse on the affected flight phase rather than a paper discrepancy.

Crew duty and rest limits under Subpart F, training currency under Subpart H, and Drug and Alcohol program status under Part 120 each become inputs to the composite authorization, so that a crew member whose currency lapses mid-trip cannot be assigned to the next leg without an explicit, recorded override. Post-actuation verification produces the signed lineage that satisfies recordkeeping under 135.63 and provides FAA inspectors and NTSB investigators with a single authoritative timeline rather than a reconstructed one. For SFAR-governed powered-lift operations, the same mapping accommodates vertiport-specific authorizations and battery-state envelopes without requiring a parallel compliance system.

Adoption Pathway

Operators do not adopt governed actuation by replacing their flight-control or dispatch systems. The realistic pathway begins with the operational control surface: encoding Op Specs and MEL state as a live authorization envelope, then routing dispatch release and maintenance release decisions through the evaluator. This produces immediate value in surveillance preparation and ASAP submissions, without touching certified avionics. From there, EFB-mediated decisions, route amendments, weather diversions, fuel reserve commitments, can be brought under the same evaluator, again without changing certified equipment.

Deeper integration follows at the eVTOL and UAM layer, where the actuation evaluator can be embedded in the vehicle management computer's command-arbitration path and certified under the applicable means-of-compliance for the powered-lift category. Certificate holders pursuing initial Part 135 authorization for eVTOL operations have the strongest incentive to adopt the architecture early, because it gives the FAA a structural answer to operational-control questions that the rule text was not written to address. The adoption pathway is incremental, auditable, and compatible with the existing certification basis, which is the practical precondition for any change to a Part 135 operation.

The architectural primitives described above are disclosed in U.S. Provisional Application No. 64/049,409, which sets out the four-mode actuation evaluator (continue, defer, refuse, partial), harm-minimization weighting across refusal and continuation outcomes, post-actuation verification producing signed lineage, and reversibility-tightened evaluation thresholds. The provisional treats Part 135 operational control as an instance of the broader governed-actuation framework, so an operator's adoption of the primitive against Op Specs, MEL state, and crew currency inherits the evaluator's general properties without being scoped only to aviation.

A practical first-year deployment for a mid-size on-demand operator typically scopes to dispatch release, MEL state binding, and crew-currency enforcement, leaving certified avionics untouched and producing measurable surveillance benefit within a single FAA Continuous Analysis and Surveillance System (CASS) cycle. Operators with helicopter air ambulance (HAA) authorizations under Subpart L gain additional value, because Subpart L's risk-assessment requirements under 135.617 map naturally onto the harm-minimization weighting that the evaluator already performs. Code-share and wet-lease arrangements, which historically expose seams in operational control, are reconciled by routing both certificate holders' authorization envelopes through a single evaluator instance, with the lineage record showing which authority approved which actuation. The cumulative effect, after a full surveillance cycle, is that the operator's General Operations Manual stops being a static document reviewed annually and starts being an executable specification reviewed every flight.