Onboarding Operators and Pilots
1. Operator Registration
An operator is a legal entity responsible for flight operations under regulations such as FAA Part 91, Part 135, or Part 137. Registration produces an Operator Org Certificate — annual, revocable, chained under the Operator Credentialing CA.
| Step | What It Establishes |
|---|---|
| Corporate identity verification | Legal entity exists and is in good standing |
| Regulatory standing | Operator holds the certificates and authorizations relevant to its operating profile (Part 135 air carrier certificate, etc.) |
| Insurance | Operator carries the liability coverage required by its regulatory category and customer contracts |
| Org cert issuance | Operator Credentialing CA issues the Operator Org Certificate |
2. Pilot Enrollment
A pilot is an individual human who carries direct regulatory responsibility for a flight. In the ATOMx organization model, a pilot is the sole member of a single-person org of type Pilot and is affiliated with one or more operators.
sequenceDiagram
autonumber
participant Op as Operator Org
participant ATOMx
participant Pilot as Pilot User
Op->>ATOMx: Invite pilot user
Pilot->>ATOMx: Identity proofing (login.gov / PIV / passport-grade KYC)
ATOMx->>ATOMx: Verify training, medical, FTN against IACRA
ATOMx-->>Pilot: Pilot Certificate
Pilot->>Op: Accept affiliation
Op->>ATOMx: Confirm pilot-to-operator affiliation
ATOMx->>ATOMx: Record signed affiliation in audit ledger
Identity proofing channels
Pilot identity is proven through one of the channels documented in Pilot Identity §5. The trust ladder cell the pilot ultimately occupies depends on the channel — login.gov / PIV / CAC reach Strongly Verified; FTN-only is Weakly Verified and must be paired with a stronger channel for any flight that targets L4 or L5.
What the pilot certificate proves
The Pilot Certificate is annual, revocable, and bound to the individual — not to the operator the pilot is currently affiliated with. The pilot’s regulatory responsibility travels with the pilot.
3. Pilot-to-Operator Affiliation
A pilot is always affiliated with one or more operators. The pilot org is the unit of personal responsibility; the operator org is the unit of organizational responsibility. ATOMx will not issue an authorization for a pilot who is not currently affiliated with an active operator unless the pilot’s regulatory category permits self-operation (e.g., Part 107).
The affiliation event is signed by both parties (the operator and the pilot) and recorded in the ATOMx audit ledger. Revoking the affiliation is also a signed event.
4. Aircraft Binding
Once an operator is registered and pilots are enrolled, the operator binds airframe serials to its org and grants pilots operating rights to specific airframes. This is the bridge into the aircraft lifecycle — see Onboarding Aircraft §4 and §5.
5. Operating-Category Distinctions
The operating category an operator is registered under shapes onboarding and ongoing requirements. ATOMx does not invent these distinctions — they reflect existing FAA structure — but the operator profile carries them so authorization workflows can apply the right rules.
| Category | What It Covers | ATOMx Onboarding Implications |
|---|---|---|
| Part 107 (Recreational + Commercial sUAS) | Small UAS under 55 lb, operated under standardized rules | Pilot may self-operate without an operator org; single-person Pilot org is sufficient; FAA Remote Pilot Certificate required |
| Part 91 (General Operations) | General aviation operations including some UAS work | Full operator org required; standard insurance and regulatory standing |
| Part 135 (Commercial Air Carrier) | For-hire passenger / cargo carriage | Operator must hold an active Part 135 certificate; OpSpecs document attached to operator profile; LODA and waivers may apply |
| Part 137 (Agricultural) | Agricultural aircraft operations | Part 137 operator certificate required; treatment-area patterns commonly registered as blanket-authorization profiles |
| Part 108 (BVLOS, expected) | Beyond Visual Line of Sight, when rule finalizes | Operator profile will admit Part 108 certification; ATOMx is designed to admit it without rework |
| Public Aircraft Operations (PAO) | Federal, state, local, tribal government operations under their own rules | Operator profile carries the operating authority’s documentation; trust ladder may use government-issued credentials directly |
| Foreign / ICAO | Operators based outside US airspace | Bilateral / ICAO frameworks tracked as roadmap; today, foreign operators flying in US airspace typically operate under sponsorship from a US-credentialed operator |
5.1 Sole-Proprietor and Single-Person Operations
When the same individual is the legal entity and the only pilot, the Pilot org and Operator org collapse into a single single-person operator profile. ATOMx records both org-types under one user, with internal references that preserve the distinction (the audit ledger still treats org-level decisions as operator events and individual flight responsibility as pilot events).
5.2 Autonomous Aircraft and the RPIC Question
Some operations are autonomous to the point that no human is at the controls during the flight — but FAA still requires a designated Remote Pilot in Command (RPIC) who is regulatorily responsible. ATOMx models this by allowing the pilot identity bound into an Authorization Package to be the RPIC, even if no human input is happening during flight. The pilot identity is the responsibility carrier, not necessarily the active operator.
For fully-autonomous future operations under Part 108, ATOMx may bind an operator-system identity (a software actor with its own credentials) instead of a human pilot, with a human RPIC named at the operator level. The substrate for this is in place; the regulatory path is not yet finalized.
5.3 Multi-Affiliation and Conflict Resolution
A pilot affiliated with multiple operators may submit flight plans under any of them. Conflicts (two operators trying to assign the same pilot to overlapping flights) are surfaced at submission; the pilot accepts one and rejects the other. ATOMx does not silently prefer one operator’s claim.
6. Renewal and Revocation
| Credential | Validity | Renewal Trigger | Revocation Triggers |
|---|---|---|---|
| Operator Org Certificate | Annual | Re-attestation of corporate identity, regulatory standing, insurance | Loss of certificate, regulatory action, security event |
| Pilot Certificate | Annual | Re-attestation of identity proofing, training, medical | Loss of medical, regulatory action, identity-proofing failure |
| Pilot-Operator Affiliation | Bound by both certs | n/a | Either party revokes; one party’s credential lapses |
7. Cross-References
- The non-repudiation properties of pilot identity: Pilot Identity §4
- How operator and pilot identities are bound into a flight: Authorization Package
- The org-type model this fits into: Disconnected Operations §2.1
Implementation Readiness — Open Questions
Each entry below identifies a decision not yet locked. Items marked (ADR) should be formalized as an Architecture Decision Record before implementation begins. Items marked (blocking) must be resolved before the relevant feature can be built.
| # | Question | Owner | ADR? | Blocking? |
|---|---|---|---|---|
| 1 | Which identity-proofing vendor(s) per channel (in-person notary, remote IAL2, knowledge-based)? Single vendor or pluggable adapter? | Product + Engineering | Yes — ADR: Identity-Proofing Vendor Selection and Adapter Pattern | Yes |
| 2 | FTN-to-IACRA integration mechanics: real-time API, batch attestation, or operator-mediated upload? Does FAA expose a machine-readable endpoint we can rely on? | Engineering + External (FAA) | Yes — ADR: FTN/IACRA Verification Channel | Yes |
| 3 | Part 135 OpSpecs ingestion: PDF parse, structured operator-supplied JSON, or third-party feed? Source-of-truth and re-verification cadence? | Product + Legal | Yes — ADR: Part 135 OpSpecs Ingestion and Trust Model | Yes |
| 4 | Part 137 blanket-authorization profile schema: how do we represent county-level / standing-authorization scope as a verifiable credential claim? | Engineering + Product | Yes — ADR: Part 137 Authorization Profile Schema | No |
| 5 | Autonomous-aircraft RPIC binding under Part 108: how do we model a non-human operator-system identity given the rule is not yet final? Stub now or defer? | Product + Legal | Yes — ADR: Autonomous RPIC Binding (Part 108 Provisional) | No |
| 6 | Foreign-pilot sponsorship workflow: who acts as sponsor, what evidence is required, and how is reciprocity handled across jurisdictions? | Legal + Product | Yes — ADR: Foreign-Pilot Sponsorship and Reciprocity | No |
| 7 | Sole-proprietor org-collapse data model: same entity, two cert chains, or a single dual-role cert? Affects revocation and audit semantics. | Engineering | Yes — ADR: Sole-Proprietor Identity Collapse | Yes |
| 8 | Multi-affiliation arbitration: are conflicts resolved purely at submission time, or do we need a priority/preference model per pilot? | Product | No — design note sufficient | No |
| 9 | Medical / BasicMed source-of-truth: pull live from FAA, or attest-and-cache with periodic re-verification? Privacy and ITAR implications. | Legal + Engineering | Yes — ADR: Medical Certificate Source-of-Truth and Caching | Yes |
| 10 | Training-currency tracking, minor-pilot age verification, proof-of-insurance attestation, and operator-admin RBAC matrix — single combined “operator policy pack” ADR, or split? | Product + Legal | Yes — ADR: Operator Policy Pack (Training, Age, Insurance, RBAC) | No |