(a) A permittee must identify and characterize each of the hazards and assess the risk to public health and safety and the safety of property resulting from each permitted flight. This hazard analysis must—
(1) Identify and describe hazards, including but not limited to each of those that result from—
(i) Component, subsystem, or system failures or faults;
(ii) Software errors;
(iii) Environmental conditions;
(iv) Human errors;
(v) Design inadequacies; or
(vi) Procedural deficiencies.
(2) Determine the likelihood of occurrence and consequence for each hazard before risk elimination or mitigation.
(3) Ensure that the likelihood and consequence of each hazard meet the following criteria through risk elimination and mitigation measures:
(i) The likelihood of any hazardous condition that may cause death or serious injury to the public must be extremely remote.
(ii) The likelihood of any hazardous condition that may cause major property damage to the public, major safety-critical system damage or reduced capability, a significant reduction in safety margins, or a significant increase in crew workload must be remote.
(4) Identify and describe the risk elimination and mitigation measures required to satisfy paragraph (a)(3) of this section. The measures must include one or more of the following:
(i) Designing for minimum risk,
(ii) Incorporating safety devices,
(iii) Providing warning devices, or
(iv) Implementing procedures and training.
(5) Demonstrate that the risk elimination and mitigation measures achieve the risk levels of paragraph (a)(3)(i) of this section through validation and verification. Verification includes:
(i) Test data,
(ii) Inspection results, or
(b) A permittee must carry out the risk elimination and mitigation measures derived from its hazard analysis.
(c) A permittee must ensure the continued accuracy and validity of its hazard analysis throughout the term of its permit.