How rail operators manage drone contractor compliance

Rail operators do not, for the most part, run their own drone inspection programs end to end. The flying is outsourced. Specialist contractors with the right equipment, the right Part 107 currency, the right insurance, and the right experience working near track handle most of the work. The asset owner sets the scope, the schedule, and the standards. The contractors fly.

This model works until something happens. A near-miss with a passing train. A contractor pilot whose certification quietly lapsed three months ago. An inspection report that goes missing when a subcontractor's accountant changes platforms. The rail program then has to demonstrate, to internal safety, to insurers, sometimes to a regulator, that the work was being done under proper compliance discipline. The answer to that demonstration is the contractor compliance program. Below is what the discipline actually looks like.

What "contractor compliance" covers in a rail drone program

Contractor compliance for drone work touches five layers, and a serious program covers all five rather than treating any one of them as the whole picture.

Corporate credentials. Is the contractor company in good standing, insured at the levels the asset owner requires, indemnifying the rail operator the way the contract requires, and current on whatever third-party safety qualification systems (ISNetworld, Avetta, others) the operator uses for its broader contractor base?

Pilot credentials. Are the specific pilots flying for the contractor on rail property current Part 107 holders with recurrent training within the last 24 months? Do they have the medical clearances, the rail-specific safety training, the right-of-way orientation, and any operator-specific qualifications the rail program requires?

Equipment credentials. Are the drones in use registered, properly identified, and within the airframe-hour windows the program permits? Are the controllers running approved firmware? Is the contractor maintaining the equipment registry that an asset owner can ask to see?

Operational authorization. For each specific flight, is there a documented authorization tying the flight to a permit or roadway worker protection arrangement, a specific asset to be inspected, and a defined scope of work? Or is the contractor flying on an open-ended scope that no one is actively bounding?

Records discipline. Is the contractor producing dated, attributed, and complete records of each flight, each finding, and each incident? Are those records reaching the asset owner's operational record, or are they staying in the contractor's system?

A program that handles three of these well and ignores two has a gap that will surface in a safety review.

The certification stack and what to actually verify

Rail-specific contractor compliance usually layers on top of the operator's broader contractor management system. The drone-specific pieces include current Part 107 certification, recurrent training within the FAA's 24-month window, the company's commercial drone registration status, and any operator-imposed requirements (background checks, drug testing, rail safety training certificates).

Verification is the part programs get wrong. Asking the contractor "are your pilots current?" once per year is not verification. The pilot has to provide evidence (certificate copy, training completion record, medical statement) into the operational platform, with a defined renewal date that triggers a re-verification. When a certification lapses, the system should know before the next flight is assigned.

This sounds bureaucratic, and it is. The alternative is the lapsed-certificate scenario, where the contractor pilot has been flying for three months on an expired credential, the asset owner did not know, and the audit catches it after a near-miss. The bureaucratic version is the cheaper version.

Scoping contractor access to actual work

The other discipline that separates rail contractor compliance programs that work from ones that do not is access scoping. A contractor working on the bridge program does not need to see the inspection schedule for the tunnel program, the incident reports from the yard, or the contractor list for the rest of the operator's vendor base.

We have written about why pilots should only see the jobs they are assigned to. The same principle holds at the contractor company level. Each contractor sees the jobs assigned to them, the assets in scope for those jobs, the pilots they have assigned, and the records they have produced. The asset owner sees everything.

Scoped access protects the asset owner against confidentiality leakage between competing contractors, against accidental data exposure when a contractor's account is compromised, and against the kind of scope-creep where a contractor starts logging flights against assets that were never in their contract.

Insurance, indemnification, and the records they require

Most rail drone contracts require contractors to carry specific levels of aviation liability insurance, with the operator named as additional insured, and to indemnify the operator for certain categories of liability. The contract terms are real and enforceable. What programs miss is that enforcement depends on records.

If a contractor's drone strikes a track signal and a train is delayed, the operator's insurer is going to ask: was the contractor in compliance with the contract terms at the time of the incident? That question lands on the records. Was the pilot certified and current? Was the equipment registered? Was the flight within the authorized scope? Was the inspection logged before the incident, or written up after the fact?

Programs that maintain the operational record in real time can answer those questions. Programs that reconstruct the record after the incident usually cannot answer all of them, and the gap shifts liability back onto the operator.

Common mistakes

Letting contractor compliance live in procurement. Procurement teams handle contractor onboarding and contract terms. They are not set up to maintain the ongoing operational currency of pilot certifications and equipment registrations across active contracts. Drone-specific compliance needs to live in operations, with procurement integrated rather than owning the file.

Trusting annual self-attestation. Asking the contractor to confirm once a year that everyone is current is not a compliance program. The system should hold the actual evidence (certificate copies, training records, insurance certificates), with renewal dates that trigger re-verification before the next flight.

Treating the contractor's records as the program's records. A contractor's inspection report is one input into the operational record. The asset owner needs the underlying flight context, pilot identity, equipment, and finding to live in a system the operator controls.

FAQ

What pilot credentials should rail operators verify for contractor flights?

Current Part 107 remote pilot certificate with recurrent training completed within the last 24 months, individual drone registration where Part 107 requires it, and any operator-specific qualifications (rail safety training, right-of-way orientation, background check). Evidence should sit in the operational platform, not in a procurement folder updated annually.

Who is responsible if a contractor drone causes a rail incident?

That depends on the contract, the insurance arrangement, and what the records show about compliance at the time. Standard rail drone contracts require contractor aviation liability insurance with the operator as additional insured, plus indemnification for certain categories. Records of pilot currency, equipment registration, and flight authorization determine how clean the indemnification claim actually is.

How often should rail operators audit drone contractor compliance?

Continuously through the operational record (currency expirations should trigger automatically), with a formal compliance review at contract renewal and after any significant incident. Annual reviews on their own miss lapses that happen during the year, and lapses during the year are when most compliance gaps actually occur.

Should contractor flight records live in the operator's platform or the contractor's?

The operator's. Contractors produce inspection deliverables (reports, image sets, findings), but the operational record of which assets were flown, when, by whom, with what authorization, and what was found belongs to the asset owner. If the contract ends or the contractor relationship dissolves, the asset owner still has the records.

What is the minimum acceptable insurance level for rail drone contractors?

Operator policy varies, and the answer is whatever the operator's risk management group has set as the floor for the specific scope of work. Higher-risk work near active track and over electrified rail typically requires higher limits. The point is that the level should be defined in the contract, evidence of the policy should be in the operational platform, and the policy should be checked for currency on the same cadence as pilot certifications.

Compliance is the program

Rail drone contractor compliance is not a procurement exercise. It is an operational discipline that runs continuously across every contractor, every pilot, every piece of equipment, and every flight. Programs that treat it that way produce records that hold up to safety review. Programs that treat it as a once-a-year procurement form do not.

If you are running a rail drone program with multiple contractors, FlybyOps was built for the operational record problem at the center of contractor compliance. Project and job-scoped access for contractors, an equipment and pilot registry with currency tracking, document vault for certifications and insurance evidence, and an append-only audit log are all part of how the platform supports the governance side of a contractor-heavy program.