Refuse to Fly

Designed to refuse unsafe conditions more than it allows flight.

Deterministic by Design

Explicit State Machines

Every vehicle state and every state transition is defined. There is no "else" branch. If the system encounters a condition it doesn't recognize, it refuses to fly.

No Undefined Behavior

Every sensor reading has a valid range. Every input has an expected format. Anything outside specification triggers a safe response, not a best guess.

Full Replay

Every flight is recorded at full fidelity. Every decision the system made can be replayed, inspected, and audited. If something goes wrong, we know exactly why.

Fail Safe, Not Fail Smart

When something fails, the system doesn't try to be clever. It executes pre-determined safe responses: land at the nearest pad, hold position, or refuse to launch.

Five Layers of Independent Safety

1

Physics Envelope

What it does

Defines the absolute limits of flight: weight, wind, temperature, battery.

How it fails safe

If any physical parameter is outside the envelope, flight is not permitted.

2

Hardware Safety MCU

What it does

A separate microcontroller, on a separate power supply, running separate firmware. It monitors the flight computer and has physical authority to cut motor power. Not connected to the flight computer. Not overridable by software.

How it fails safe

If the MCU detects an anomaly the flight computer hasn't addressed, it kills the motors and triggers controlled descent. No software command can override this. The hardware has the final vote.

3

Flight Control State Machine + Physical E-Stop

What it does

Manages all flight states with explicit transitions and guard conditions. A hardware E-stop switch cuts motor power with no software in the loop — physics-enforced.

How it fails safe

Unknown state or failed guard condition triggers immediate transition to SAFE_LAND or HOLD. E-stop is available to passengers but cannot override autonomous routing.

4

Chairlift OS Mission Manager

What it does

Manages the full mission lifecycle from pre-flight to post-landing.

How it fails safe

Aborts mission and returns to nearest pad if any mission parameter is violated.

5

Fleet-Level Weather Gating

What it does

Monitors weather across all corridors and gates fleet operations.

How it fails safe

Grounds all vehicles in affected corridors. No vehicle can override fleet-level weather holds.
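The explicit-transition, fail-safe behaviour described above for the flight control state machine (layer 3), sketched as an added example in C; it is not Chairlift's code. Only SAFE_LAND and HOLD are names from this page; the other states, the events, the guard functions and every numeric limit are assumptions made for illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* SAFE_LAND and HOLD are named on the page; every other state, event,
   guard and numeric limit here is an illustrative assumption. */
typedef enum { GROUNDED, TAKEOFF, CRUISE, HOLD, SAFE_LAND } state_t;
typedef enum { EV_LAUNCH, EV_AT_ALTITUDE, EV_PAUSE, EV_RESUME, EV_LAND, EV_TOUCHDOWN } event_t;
typedef struct { double wind_ms, battery_pct; } sensors_t;

/* Written as a positive test so that NaN fails it. */
static bool in_range(double v, double lo, double hi) { return v >= lo && v <= hi; }
static bool sensors_valid(const sensors_t *s) {
    return in_range(s->wind_ms, 0.0, 60.0) && in_range(s->battery_pct, 0.0, 100.0);
}
static bool guard_none(const sensors_t *s) { (void)s; return true; }
static bool guard_launch(const sensors_t *s) { return s->wind_ms <= 10.0 && s->battery_pct >= 80.0; }
static bool guard_cruise(const sensors_t *s) { return s->wind_ms <= 12.0 && s->battery_pct >= 30.0; }

typedef struct { state_t from; event_t ev; bool (*guard)(const sensors_t *); state_t to; } rule_t;
static const rule_t RULES[] = {   /* the complete list of permitted transitions */
    { GROUNDED,  EV_LAUNCH,      guard_launch, TAKEOFF   },
    { TAKEOFF,   EV_AT_ALTITUDE, guard_cruise, CRUISE    },
    { CRUISE,    EV_PAUSE,       guard_none,   HOLD      },
    { HOLD,      EV_RESUME,      guard_cruise, CRUISE    },
    { CRUISE,    EV_LAND,        guard_none,   SAFE_LAND },
    { HOLD,      EV_LAND,        guard_none,   SAFE_LAND },
    { SAFE_LAND, EV_TOUCHDOWN,   guard_none,   GROUNDED  },
};

/* Fixed response when nothing matches: stay on the ground, otherwise land. */
static state_t safe_response(int cur) { return cur == GROUNDED ? GROUNDED : SAFE_LAND; }

/* cur and ev are raw ints so corrupted or out-of-range values can be handled. */
state_t step(int cur, int ev, const sensors_t *s) {
    if (s == NULL || !sensors_valid(s)) return safe_response(cur);
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if ((int)RULES[i].from == cur && (int)RULES[i].ev == ev)
            return RULES[i].guard(s) ? RULES[i].to : safe_response(cur);
    return safe_response(cur);   /* unlisted state/event pair */
}

int main(void) {
    sensors_t calm = { 5.0, 90.0 }, bad = { NAN, 90.0 };   /* constructed readings */
    printf("launch, calm: %d\n", step(GROUNDED, EV_LAUNCH, &calm));
    printf("cruise, NaN wind: %d\n", step(CRUISE, EV_PAUSE, &bad));
    return 0;
}
```

The transition table is the only place a new state can be reached, so reviewing it is reviewing the whole behaviour; anything not listed, including a corrupted state value or an out-of-range sensor reading, resolves to the fixed safe response.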

5,000 Hours Before the First Passenger

Phase 1

Tethered Testing

Vehicle secured to ground. Full flight envelope exploration under controlled conditions.

Phase 2

Uncrewed Flight

Free flight along corridors with no passengers. Full autonomous operation. Thousands of hours.

Phase 3

Cargo Operations

Carrying cargo for real operators. Revenue-generating. Building operational history.

Phase 4

Passenger Operations

Only after 5,000+ autonomous hours with zero unresolved safety events.

We don't rush to carry people. We earn the right to carry people by proving the system works — thousands of times — without them on board.

Quiet. Electric. Minimal Impact.

Zero Direct Emissions

100% battery-electric propulsion. No fuel. No exhaust. No emissions at point of operation.

Low Noise

Electric motors at low altitude produce significantly less noise than helicopters. Operations designed to minimize acoustic impact on wildlife and wilderness areas.

Minimal Footprint

Pads are engineered to minimize ground disturbance. Corridors are aerial — no trail cutting, no road building, no permanent terrain modification.

We operate in some of the most beautiful landscapes on earth. We take that responsibility seriously.

Questions about our safety approach? We welcome the conversation.