Drone Operations Surviving Disconnection

Regulatory Framework

The legal scaffolding around uncrewed aircraft is unusually dense for an emerging domain because regulators inherited a manned-aviation safety culture and grafted it onto remotely piloted systems before autonomy became the dominant mode of operation. FAA Part 107 codifies the small UAS regime in the United States, requiring a remote pilot in command, visual line of sight by default, daylight or civil-twilight operation absent waiver, and explicit waiver pathways for operations that exceed those defaults. The Part 108 Notice of Proposed Rulemaking extends this framework to routine beyond-visual-line-of-sight operations, introducing operational categories that depend on the aircraft's automated detect-and-avoid capability and on the operator's safety case. Part 89 imposes a Remote ID broadcast requirement so that any compliant aircraft can be located and attributed in real time by law enforcement and air traffic stakeholders. The pattern across these instruments is identical: the rule does not regulate the airframe in isolation but rather the relationship between the operator's authority, the aircraft's behavior, and the airspace stakeholders entitled to know what is overhead and why.

Internationally, ICAO Annex 2 establishes the rules of the air for remotely piloted aircraft, and the JARUS Specific Operations Risk Assessment provides a graduated methodology for evaluating ground risk, air risk, and the operational safety objectives that flow from each. SORA's grammar, intrinsic ground risk class, final ground risk class, residual air risk, and the corresponding operational safety objectives, has become the de facto international vocabulary for risk-proportionate UAS authorization. National authorities from the United Kingdom CAA to Transport Canada to CASA in Australia have adopted SORA either directly or through close adaptation, which means that an operator with a SORA-aligned safety case enjoys a roughly portable evidentiary posture across jurisdictions. EASA Regulation 2019/947 implements an analogous risk-based regime in Europe with Open, Specific, and Certified categories, and the U-space Regulation 2021/664 layers a UAS traffic management service architecture on top, requiring network identification, geo-awareness, traffic information services, and conformance monitoring for any aircraft operating in designated U-space airspace. For defense applications, DoD Directive 3000.09 governs autonomy in weapon systems, demanding appropriate levels of human judgment over the use of force, traceability of autonomous decisions, and rigorous verification and validation of the autonomous behaviors before fielding.

The convergence across these instruments deserves explicit naming. Whether the regulator is the FAA contemplating a Part 108 BVLOS operation, EASA evaluating a Specific Category authorization, a U-space service supplier ingesting telemetry from heterogeneous fleets, or a combatant command operating under the 3000.09 review process, the demand is the same: per-flight, per-aircraft, per-decision evidence that the operator's authority bounded the aircraft's behavior in real time. The frameworks differ in vocabulary but converge in their evidentiary expectations, and the convergence is what makes a single architectural answer feasible across them.

Across all of these instruments the regulator's working assumption is the same. The pilot in command, whether a human at a ground control station, a U-space service supplier, or a remote authority issuing a JADC2-aligned task order, retains continuous oversight of the aircraft and can intervene at any moment. The aircraft is treated as an extension of the operator's intent, and the legitimacy of any maneuver flows from the operator's contemporaneous awareness of and consent to that maneuver. The framework does not, however, specify the substrate on which that awareness must rest. Industry practice has filled the gap with the radio link, treating link availability as a proxy for authority. The proxy holds in fair weather and dense spectrum but fractures the moment either degrades, and the regulatory consequences of the fracture have been largely deferred by waiver narratives rather than addressed structurally. The drift from substantive authority to proxy authority has been quiet, incremental, and almost invisible in routine operations, which is precisely why it has gone uncorrected.

Architectural Requirement

The architectural consequence of this regulatory posture is severe. The aircraft must be able to demonstrate, after the fact, that every action it took during a flight, including actions taken while the link was degraded or absent, was within the operator's authority and the safety case approved by the regulator. It must also be able to demonstrate, in real time, that it is currently within its approved envelope. Both demonstrations require state, not just behavior. A drone that simply executes a control loop cannot answer the regulator's questions about why a particular waypoint was deviated from, which constraints were evaluated when the deviation occurred, and how the resulting trajectory remained within the SORA ground-risk envelope. The control loop produces motion; it does not produce evidence of governed motion.

The architectural requirement is therefore that the aircraft carry, on board, a structured representation of its mission authority, its operational limits, its accumulated observations, and the reasoning that connects them. That representation must be persistent across power cycles, immutable with respect to past entries, and accessible to ground review when the link returns. It must also be able to govern the aircraft's behavior in real time, refusing actions that would breach the envelope and recording the refusal as faithfully as it records permitted actions. Without such an on-board execution context the aircraft is, in regulatory terms, a black box whose flights are legitimate only insofar as the link held.

The requirement decomposes into four properties. First, durability: the execution context must survive power loss, software faults, and radio outages without degrading. Second, governability: the context must encode the operator's authority and the regulator's approved envelope as predicates that gate every state transition, not as advisory hints applied after the fact. Third, lineage: every cycle of evaluation must produce a record that chains to its predecessor with cryptographic integrity, so a tampered or fabricated history is structurally evident on review. Fourth, separability: the governance object must be inspectable, testable, and certifiable independently of the airframe firmware, so the regulator's review surface is a structured artifact rather than a behavioral demonstration. These four properties together describe what aviation regulation has always implicitly demanded of the pilot in command and what the radio link has, until now, only intermittently provided.

It is worth observing that these properties also describe what manned aviation has, for decades, distributed across the cockpit, the flight data recorder, the operations manual, and the pilot's certificate. In manned operations, the pilot's training and currency embody the governance envelope; the aircraft's certification embodies its capability declaration; the FDR captures lineage; and the operations manual provides separability. The remotely piloted regime fragmented these substrates, placing the governance envelope in a procedure document at the operations center, the lineage in a ground server, and the in-flight authority in a radio link. The architectural requirement, viewed in this light, is to reintegrate on the airframe what manned aviation has always reintegrated in the cockpit. The integration is not a novelty; it is a restoration.

Why Procedural Compliance Fails

The dominant industry response to these requirements has been procedural. Operators publish concept-of-operations documents, file SORA evaluations, train remote pilots, log flights in operations management systems, and rely on link availability as the practical substrate for compliance. When the link is up, the ground control station's logs, the remote pilot's attestations, and the operations manual together construct a defensible narrative. When the link drops, the procedural apparatus reverts to a small set of pre-programmed contingencies, return to launch, hold position, terminate flight, that were defined before the mission encountered its actual conditions. The narrative becomes a fiction at the moment the link breaks and is reconstructed retrospectively from whatever telemetry survived.

This procedural posture fails in three structurally distinct ways. First, it conflates the link's availability with the operator's authority. A jammed link does not extinguish the operator's authorization for the mission, but the drone, having no on-board representation of that authorization, behaves as if it does. The aircraft's caution is not a virtue here; it is an admission that authority and connectivity were never properly separated. Second, the procedural model cannot adapt the contingency to the situation. A survey aircraft mapping a wildfire perimeter that loses its link does not gain regulatory legitimacy by holding position over the fire; it gains it only by continuing to execute within the approved envelope, which a static contingency cannot evaluate. The static contingency was authored against a generic disconnection, not against the specific operational state in which disconnection occurred. Third, the procedural record is incomplete. The ground logs end where the link ends, and the post-flight reconstruction depends on whatever telemetry the aircraft happened to cache. The regulator who asks "show me the decision sequence between 14:32 and 14:47" receives a gap, and the operator's narrative reconstruction is an artifact of what was retrievable rather than what actually happened.

Pre-programmed decision trees and onboard machine-learning models do not close the gap. A decision tree that enumerates ten anticipated scenarios cannot govern the eleventh; expanding the tree increases combinatorial complexity without changing the structural limitation. A learned policy may produce reasonable behavior in distribution but cannot articulate, in regulator-legible terms, why it produced that behavior, which constraints it weighed, or whether the resulting action remained within the SORA-approved envelope. Both approaches treat governance as something layered on top of execution rather than something integral to it, and both leave the regulator with a behavioral artifact rather than a decision lineage. They also create a procurement and certification problem: a learned policy whose behavior depends on training data composition resists the kind of independent verification that DoD Directive 3000.09 requires, and a decision tree whose coverage depends on the imagination of its authors resists the kind of risk-proportionate review that SORA contemplates.

A fourth structural failure deserves explicit naming. The procedural model places the burden of compliance evidence on the operator's narrative skill rather than on the artifact's intrinsic structure. When two operators with comparable safety records produce comparably exculpatory narratives after comparable incidents, the regulator's review becomes a literary exercise rather than an engineering one. This is not how aviation regulation was designed to work, and it is not what the safety culture inherited from manned aviation contemplates. The framework has been quietly drifting toward narrative compliance because the substrate that would support engineering compliance, an on-board, governed, lineage-producing execution context, has not been available at industrial scale.

A fifth failure becomes visible when the operation involves contested or denied electromagnetic environments. GNSS spoofing, command-link jamming, and Remote ID interference are no longer hypothetical adversary capabilities; they are routine features of contested airspace and increasingly common in commercial environments near critical infrastructure or major events. A procedural posture that treats the link as the substrate for authority places the operator's compliance, and the aircraft's safety, at the mercy of any actor capable of degrading that link. The regulatory framework did not contemplate that an adversary's spectrum action could de-legitimize a mission that the operator was otherwise authorized to fly, and the procedural drift has produced exactly that consequence. Restoring authority to the aircraft is, in this sense, a hardening posture against an adversarial environment that the framework's authors anticipated only obliquely.

What AQ Primitive Provides

The Adaptive Query memory-resident execution primitive replaces the link-dependent compliance posture with a structural one. The drone carries its mission as a persistent semantic object that holds, in canonical form, the mission parameters, the current plan, the governance envelope derived from the operator's Part 107 waiver or SORA approval, the cumulative sensor observations, and the lineage of every prior execution cycle. This object is not a script and not a model. It is an execution context that evaluates itself against its governance on every cycle and advances only through transitions that the governance permits. The cycle is deterministic with respect to its inputs and its predicates, which makes it inspectable, testable, and reproducible in the way the regulatory framework has always implicitly assumed of a pilot's reasoning.

When the link degrades, the execution context continues its cycle without behavioral change. It assesses current sensor inputs against the mission parameters, proposes mutations to its plan when conditions warrant, and validates each mutation against the embedded governance before executing it. A proposed deviation that would carry the aircraft outside its SORA ground-risk envelope is refused at the governance evaluation step, and the refusal is recorded with the same fidelity as a permitted action. A proposed continuation that remains within the envelope is executed and recorded. The aircraft does not need to ask the ground for permission because the permission, in the form of the approved envelope, is already on board. The link's role is reduced to its proper one: a channel for supervisory oversight, advisory updates, and the eventual reconciliation of lineage with operator records, rather than a real-time control bus on which authority depends.

When the link restores, the lineage provides the complete decision sequence. Every cycle's inputs, every proposed mutation, every governance evaluation, and every resulting action are present in cryptographically chained form. The remote pilot in command can review the autonomous interval, attest to it, and incorporate it into the operations log. The U-space service supplier can ingest the position and intent history and reconcile it against its traffic information record. The regulator, in an audit or incident investigation, receives a continuous decision lineage rather than a link-bounded gap. Crucially, the lineage's chaining means that any post-hoc tampering is structurally evident: a cycle whose hash does not match its successor's predecessor field is visibly inconsistent, so the operator's evidentiary credibility rests on an artifact rather than on attestation.

The on-board governance also enables capabilities that the procedural model cannot offer. A drone whose envelope encodes a wildfire perimeter and a smoke-density gradient can adapt its survey pattern in flight, refusing transitions into untenable density while continuing within the approved volume. A drone whose envelope encodes a contested electromagnetic environment can downgrade its dependency on GNSS while continuing to satisfy its geo-awareness obligations through inertial and visual-odometry predicates. A drone whose envelope encodes a U-space dynamic geofence update can ingest the update through any available path and refuse incursions into the newly restricted volume from that cycle forward. None of these are scripted contingencies; each is the routine output of a context evaluating its situation against its embedded authority.

The primitive also reframes the human-machine teaming relationship. A remote pilot supervising an aircraft that carries its own governance is no longer a tele-operator at the end of a control loop; the pilot is a supervisor of an envelope, intervening when conditions arise that the envelope was not authored to cover and using each intervention as an input to envelope refinement. This is closer to how an instructor pilot relates to a student pilot than to how a tele-operator relates to a remotely controlled vehicle, and it is the relationship that scaling beyond-visual-line-of-sight commercial operations actually requires. A pilot who supervises one aircraft per shift cannot economically support widespread BVLOS commerce; a pilot who supervises an envelope class across a fleet can.

Compliance Mapping

Each regulatory instrument maps onto a specific structural feature of the primitive. FAA Part 107 and the Part 108 NPRM require that the operator demonstrate command authority and that the aircraft remain within its operational limitations; the on-board governance envelope encodes those limitations and refuses transitions that breach them, and the lineage substantiates the operator's command authority across the entire flight rather than only across the link-up intervals. Part 89 Remote ID requires continuous broadcast of identity and position; the execution context can drive the Remote ID transmitter from its own state without depending on the ground link, since both identity and position are intrinsic to the on-board object.

JARUS SORA requires that the operational safety objectives be met under the specific conditions of the operation; the governance envelope is the executable form of those objectives, evaluated in real time against the actual conditions the aircraft encounters. The intrinsic and final ground risk classes that SORA assigns to the operation become predicates that the envelope evaluates on every cycle, so a drift in actual ground risk, a population that gathered along a route, a lateral excursion that approached a populated area, produces a governance refusal rather than a procedural deviation. EASA 2019/947 and the U-space regulation require network identification, geo-awareness, and conformance to authorized volumes; the execution context's geo-awareness is an integral predicate of every governance evaluation, so the aircraft cannot drift into an unauthorized volume without producing a recorded refusal. ICAO Annex 2's rules of the air, including right-of-way and separation, are similarly encoded as governance predicates that gate every proposed maneuver.

For DoD Directive 3000.09, the directive's requirement for appropriate human judgment over autonomous behavior is satisfied by the operator's authorship of the governance envelope and by the post-flight reviewability of the lineage. The aircraft does not act outside the human-authored envelope, and every action it takes within the envelope is reconstructible. The verification and validation regime that the directive requires is grounded in the canonical structure of the governance object, which can be tested and certified independently of the platform that executes it. Because the envelope is a structured artifact rather than a learned policy, it admits formal analysis and exhaustive predicate testing in a way that supports the directive's demand for rigorous V&V before fielding.

The compliance mapping extends to incident investigation, which is where regulatory frameworks meet their hardest test. NTSB-style investigations of unmanned incidents have repeatedly run aground on the absence of continuous decision lineage; investigators have been forced to reason from telemetry traces and operator interviews to a hypothesized decision sequence that may or may not reflect what the aircraft actually evaluated. A memory-resident lineage transforms this from forensic reconstruction into evidentiary extraction. The investigator asks for the cycle records covering the period of interest and receives them, with their predicate evaluations and governance dispositions intact, and the question of what the aircraft was reasoning about at the moment of the event becomes a matter of reading the record rather than inferring it.

Adoption Pathway

Adoption proceeds in stages that align with how operators already engage their regulators. The first stage is shadow deployment. The execution context runs alongside the existing flight management system, recording its lineage but not yet governing the aircraft. Operators compare the lineage against their ground logs, validate that the on-board governance evaluations match the dispositions their remote pilots would have made, and use the comparison as evidence in their next SORA submission or Part 108 waiver package. The shadow stage produces empirical justification for the structural claim, and it does so without disturbing the operator's existing certification posture.

The second stage is governed contingency. The execution context takes authority for the link-loss interval, replacing the static contingency behaviors with governed self-evaluation. The operator's SORA or waiver is amended to describe the on-board governance envelope and the lineage retention regime, and the regulator evaluates the amendment under the existing risk-based framework. Because the envelope is a structured object rather than a narrative, the regulator's review is grounded in artifacts that can be tested rather than only in operator attestations. This stage is where the procedural and structural models begin to diverge in practice: the operator's contingency posture stops being a list of behaviors and becomes a governed predicate set.

The third stage is primary authority. The execution context becomes the aircraft's primary decision substrate, with the ground link serving as a high-bandwidth supervisory channel rather than a real-time control bus. The remote pilot in command supervises a fleet of aircraft each carrying its own governance, intervenes when the lineage indicates a condition the envelope was not authored to cover, and uses the lineage as the basis for incremental envelope refinement. At this stage the aircraft's compliance posture is structural rather than procedural, and the regulator's audit surface is the canonical lineage rather than the operator's narrative reconstruction. The supervisory ratio shifts from one pilot per aircraft to one pilot per envelope class, which is the scaling regime that beyond-visual-line-of-sight commercial UAS economics require.

Across all three stages the operator retains the regulatory relationship and the command authority that the framework demands. What changes is the substrate on which that relationship rests. A link-dependent substrate places the operator's compliance at the mercy of the radio environment. A memory-resident substrate places it on the aircraft itself, where the regulatory framework, since its inception, has implicitly required it to live. The transition is not a relaxation of regulation; it is the alignment of practice with what the regulation has been waiting for industry to deliver. Operators who make the transition early acquire two strategic advantages that compound over time. The first is regulatory credibility: a firm whose safety case is grounded in structured artifacts rather than narrative attestation accumulates trust with regulators that translates directly into broader operational authorizations. The second is operational reach: a fleet that can fly through degraded electromagnetic environments without forfeiting its compliance posture can address mission profiles, infrastructure inspection in RF-cluttered urban canyons, post-disaster survey before terrestrial infrastructure is restored, maritime and offshore work beyond cellular coverage, that link-dependent fleets must decline. The combination of regulatory credibility and operational reach is what determines which operators scale and which remain pinned to line-of-sight envelopes.