EASA’s concept of operation for drones.
To enable the safe integration of Unmanned Aircraft System (UAS) into the civil airspace, the European Aviation Safety Agency (EASA) has elaborated a new regulatory framework that is operation-centric and risk-based. Based on this principle, gaining authorization to conduct certain types of operations depends on a safety risk assessment. To harmonize this process, the Joint Authorities for Rulemaking on Unmanned Systems (JARUS) released a qualitative methodology called Specific Operation Risk Assessment (SORA). However, SORA is not a complete safety assessment tool since, in some cases, a quantitative risk analysis is still required. This work develops a probabilistic risk model that extends SORA to evaluate the ground risk and the air risk components along a specified UAS trajectory quantitatively. The proposed model is supplied with illustrative data and is validated in a representative UAS mission. In the future, the risk model will be exploited to develop a decision tool for determining the minimum-risk trajectory when multiple, alternative routes are available.
- risk assessment
- Bayesian networks
- contingency management
In order to harmonize the regulation of Unmanned Aircraft System (UAS) across the European Union and to foster the development of the UAS market, the European Aviation Safety Agency (EASA) is elaborating a new regulatory framework that relies on the Concept of Operation (ConOps) for drones . According to this concept, UAS operations can be classified into three categories, named “open,” “specific,” and “certified,” as summarized in Table 1. Each of these categories has an associated regulatory regime that is proportionate to the risk of the operation. Operations within the open category do not require prior authorization by the competent authority. Operations within the specific category require authorization by the competent authority based on an operational risk assessment performed by the operator. Finally, operations within the certified category are subject to a full certification process based on the safety objectives in .
The task of performing an operational risk assessment to obtain authorization for operating a UAS is sensitive and complex. To facilitate and harmonize this process, the Working Group 6 of the Joint Authorities for Rulemaking on Unmanned Systems (JARUS) initiative developed the Specific Operation Risk Assessment (SORA) methodology . The SORA is a qualitative process that basically particularizes the risk assessment steps in  to evaluate the risks involved with the operation of UASs of any class and size and for any type of operation; and ultimately to determine the corresponding mitigation measures. Although it is specially intended for UASs operating within the specific category, it may be used as an acceptable means of compliance with safety objectives for the certified category as well .
It is to be noted, however, that although the SORA analysis is qualitative in nature, a quantitative risk analysis is still required in some circumstances. For instance, Annex C to the SORA document encourages the use of quantitative data to support the qualitative assumptions and decisions regarding the strategic mitigations for the air risk. Even so, SORA does not prescribe any quantitative model from which these data should be obtained. There exist other shortcomings regarding the qualitative approach of the SORA process. As an example, the work in  identifies a number of inconsistencies that ought to be resolved.
Given all the above, this work proposes to complement the SORA process with a probabilistic risk model that evaluates the ground risk and the air risk components along a specified UAS trajectory quantitatively. The quantitative data provided by the model can be used to validate whether a particular operation (either specific or certified) reaches the Target Level of Safety (TLS) required by regulation. Moreover, the quantitative model can be exploited not only for risk assessment purposes, but also as a decision tool for determining the optimal trajectory in case of mission replanning.
Several works have already proposed quantitative models to assess the risk of UAS operations. A review of some of these models can be found in . Other examples include the work in . It provides both a qualitative and a quantitative risk analysis of UAS operations in integrated airspace: the qualitative analysis is actually a Failure Mode and Effect Analysis (FMEA), while the quantitative analysis is based on a Fault Tree Analysis (FTA). However, none of the previous approaches is consistent with the SORA framework. Conversely, the aforementioned work in  follows an approach similar to the one in this work: it identifies the inconsistencies of SORA and proposes to close these gaps through a complementary, mathematically based approach to risk assessment. In particular, it provides a simple, probabilistic formulation of a barrier-based safety model. The difference between  and the work in this chapter is that we exploit the Bayesian formulation to model how a threat can develop into a hazard (rather than a bow-tie representation); and, especially, that we are focused on estimating the risk along a specified flight trajectory (rather than on evaluating the effectiveness of the safety barriers). Other risk models in the literature will also be referenced throughout this work where relevant.
An important consideration is that risk models for UASs are in general highly dependent on the ConOps under consideration, and especially on the type of airspace where the operation takes place (e.g., airspace type and class, operating altitude, encounter rate, conflict management layers available, etc.). Due to the wide variety of ConOps that can be envisaged, it is difficult to develop a model that captures the characteristics of all the possible operating environments. Therefore, considering the research interests of the authors, this work is focused on UASs operating in the Air Traffic Management (ATM) environment. This implies that the UAS must comply with existing rules and procedures for manned aviation (e.g., rules of the air or airspace structure). UASs operating in the UAS Traffic Management (UTM) environment (e.g., ConOps proposed by the CORUS project) are therefore out of the scope of this work.
The rest of the chapter is organized as follows. Section 2 details the ConOps considered in this work, as well as the demonstration mission that will be used to validate the proposed risk model. Section 3 develops the probabilistic risk model for the proposed ConOps. Section 4 provides the validation results. Finally, Section 5 concludes the chapter and outlines future lines of research.
2. Proposed concept of operation
In order to provide a broad vision of the problem under study, this work is not focused on a particular type of operation. Rather, the proposed ConOps describes a wide range of flight profiles with the following general common features:
- The UAS operation is to be performed Beyond Visual Line of Sight (BVLOS) of the operator.
- The UAS operation is to be performed under Instrument Flight Rules (IFR). When airspace requirements impose compliance with Visual Flight Rules (VFR), airspace segregation will be necessary.
- The UAS operation may enter controlled airspace. The operation may also take off from or land at a controlled airport. Therefore, coordination with the corresponding Air Traffic Control (ATC) authority is compulsory. Additionally, the UAS can fly under non-conventional ATC services not included in controlled areas; for example, an ATC unit that acts specifically at the operations area, similar to the one used to coordinate firefighting operations.
- The UAS operation is to take place out of urban areas.
Due to the inherent complexity of the proposed ConOps, it is assumed that Unmanned Aircraft (UA) models capable of flying these missions will be comparable to manned aircraft in terms of size and complexity. A representative UA that will be used for demonstration purposes is the IAI Super Heron model. Furthermore, the UAS will be remotely piloted by an operator (called remote pilot); and the communication between the remote pilot and the UA will be conducted using a Command and Control (C2) data link. So, the UAS will actually be a Remotely Piloted Aircraft System (RPAS), which includes the Remotely Piloted Aircraft (RPA), the remote pilot station(s), and the C2 link.
2.1 Demonstration mission description
One among all the possible missions described by this ConOps will be used to validate the probabilistic risk model discussed below. The proposed mission consists of a route from a departure airport to an operations area; a series of maneuvers within this area; and finally a route toward the destination airport. In particular, in the proposed demonstration mission, represented in Figure 1, the UAS must depart from the uncontrolled airport of Teruel (International Civil Aviation Organization (ICAO) code LETL) to perform some direct observations over the Albufera’s natural park in Spain; and then land at the controlled airport of Castellón (LECH). The operations area has well-specified limits (defined by perimeter F15B in Figure 1) which must be enforced using a geo-awareness system. In addition, given that this area is located within the Controlled Traffic Region (CTR) of the València Airport (ICAO code LEVC), the mission will require special permission from Air Traffic Service (ATS) authorities. To perform this mission, a route connecting the departure site, the operations area, and the arrival site must be specified. The proposed route is composed of 14 flight legs, which are structured into seven flight segments (described in Table 2), and which have been constructed in compliance with the Spanish Aeronautical Information Service (AIS). The risk assessment results of this mission will be presented in Section 4.
| Segment # | Segment type | Waypoint sequence | Remark |
|---|---|---|---|
| 1 | Departure | LETL VWP1 MANDY | Uncontrolled airspace |
| 2 | En-route | MANDY CLS RETBA MOPIR LASPO | Controlled airways R29 and M871 |
| 3 | Ingress | LASPO F15B2 | Uncontrolled airspace |
| 4 | Operations | F15B2 VWP2 F15B2 | Uncontrolled airspace |
| 5 | Egress | F15B2 VLC | VFR corridor |
| 6 | En-route | VLC SOPET | Controlled airway B26 |
| 7 | Arrival | SOPET TATOS NIBEN LECH | Standard arrival SOPET1S |
3. Probabilistic risk model compliant with the SORA framework
In order to develop a probabilistic risk model that is consistent with the SORA framework, it is necessary to take into account the Holistic Risk Model (HRM) behind the SORA methodology. In short, the HRM is focused on the occurrence of a single, generic hazard, named “UAS operation out of control,” an emergency condition with the potential to provoke three possible harms: fatal injuries to third parties on the ground, fatal injuries to third parties in the air, or damage to critical infrastructures. At the same time, the out of control condition can originate from different threats, like a technical error, a human error, etc. Further details can be found in Version 1 of the SORA document.
To estimate the likelihood of occurrence of each of the previous harm categories (here expressed as ), the Version 1 of the SORA document mentions a mathematical model that depends on three factors: the probability of being out of control (), the conditional probability of striking the entity of value (i.e., third parties on the ground or in the air, or critical infrastructures) once the operation is out of control (), and the conditional probability of causing the given harm if the strike has actually occurred ():
However, SORA does not further detail this model since SORA is a risk assessment methodology of a qualitative nature. This work will use Eq. (1) as the basis to develop a quantitative, probabilistic risk model for UAS operations. To do so, Eq. (1) will first be rearranged for convenience so that it is expressed as a function of the probability of impact () rather than the probability of being out of control. In the sequence of events of a UAS mishap, the “impact” event is an intermediate condition between the out of control event and the event of striking a third party, see Figure 2. Having this in mind, can be expressed as:
where is the conditional probability of having an impact given the out of control condition. Eq. (1) can thus be rewritten as follows with minor effort:
Note, however, that the likelihood of occurrence of an aircraft accident is usually expressed as the number of occurrences per flight hour, not as a probability. Therefore, Eq. (3) can be rewritten in terms of rate of occurrence as follows:
where is the rate at which the harm under analysis occurs (per flight hour), and is the rate at which the impact event is expected to occur (also per flight hour). In general, Eq. (4) expresses an instant risk as the different terms involved in this equation can vary along space and time. For example, the probability of striking a third party on the ground depends on the population density in the vicinity of the impact area. The aim of this work is to assess the risk posed by a UAS flying a given trajectory , where is a curve between two points and . Therefore, in order to compute the overall risk along a defined flight path, it is necessary to perform the line integral of Eq. (4) along the curve between and :
where is an elementary arc length. Note that Eq. (5) is expressed in terms of occurrences per hour of operation along a specified distance (using the International System of Units). Then, the average risk along this trajectory in terms of occurrences per flight hour is given by:
where is the length of the curve between and (i.e., the length of the planned trajectory). Next, Eq. (5) will be particularized to assess the risk of causing fatal injuries to third parties on the ground (hereinafter ground risk), and to third parties in the air (hereinafter air risk). Due to lack of data and time constraints, the risk of causing damage to critical infrastructures will not be assessed in this work.
3.1 Ground risk model
In order to derive the ground risk component (denoted as ) from Eq. (5), it is necessary to develop an impact model (term in Eq. (4)), a strike model (term ), and a harm model (). The proposed models for these terms are discussed next.
3.1.1 Impact model
The ground impact model provides the rate at which a ground impact occurs (). In the literature, this term is often assumed to be constant and is either estimated based on historical accident data, component failure data, and expert judgment [10, 11], or deduced from the TLS required by regulation [12, 13, 14]. By contrast, this work suggests modeling using Bayesian Belief Networks (BBNs), which provides two major advantages:
- The model can be supplied with both qualitative and quantitative data simultaneously. This is especially useful in models with a high degree of uncertainty, as in the problem under study.
- Probabilistic inference can be used to replace an initial assumption regarding one model variable with perceived evidence regarding this variable; the model then automatically updates the remaining probabilities based on the presence of such evidence. In practice, this capability can be used to update the probability of a ground impact given the real-time state of the system (for instance, depending on whether the C2 link is lost or alive).
The proposed BBN describing the ground impact model is represented in Figure 3. As it can be observed, the model is described by a directed, acyclic graph where nodes represent variables and edges represent the conditional dependencies between these variables. Each node variable is associated with a Bayesian probability that is expressed with a Conditional Probability Table (CPT). In this case, the sink node represents the probability of a ground impact (), and the remaining nodes describe the sequence of events between the initiating factors and the expected outcome. Therefore, the probability of a “ground impact” depends on the combined likelihood of experiencing a “loss of control in-flight” and a “boundary violation” condition (i.e., exceeding the operational limits approved for the operation), see Figure 3. At the same time, these abnormal flight conditions can be caused by an “inappropriate guidance,” i.e., a guidance command that is not suitable for the current state of the aircraft (because it exceeds the flight envelope limits, because it is not consistent with the approved Mission Plan, etc.). In addition, the “boundary violation” can also result from a “navigation error” like the loss of the Global Navigation Satellite System (GNSS) signal. The “inappropriate guidance” is based on the combined effect of an “autopilot malfunction” (including loss of function and malfunction) and “pilot ineffectiveness.” The human pilot is considered to be “ineffective” when she or he takes a wrong guidance decision, or when a correct decision is badly executed (e.g., selection of an inappropriate control mode, poor piloting skills, etc.). The source of an “autopilot malfunction” or a “pilot ineffectiveness” condition may be the use of incorrect navigation information caused by a “navigation error.” Finally, the pilot may also be “ineffective” when she or he is not in the control loop due to the “C2 link loss.”
In order to obtain the output probability , it is necessary to define the CPTs of each of the events of the previous BBN. As it can be observed, these events basically include technical errors (e.g., “navigation error,” “autopilot malfunction,” etc.) and human errors (e.g., “pilot ineffective”). The CPT of an event cataloged as a technical error can be obtained from the technical specifications or can be deduced from system tests. By contrast, the CPT of an event cataloged as a human error depends on human factors like type of activity being carried out, workload, etc. Some authors have already attempted to develop human performance models for specific activities (e.g., ATC controllers  or pilots of manned aircraft ). However, the development of a detailed human performance model is a vast task that exceeds the scope of this work. For this reason, we will calibrate the proposed model using technical data when possible, and illustrative data from experts’ judgment otherwise, see the Appendix. The output data will be assumed to be representative of the case study, although it should be validated in a future stage using some of the approaches proposed in the literature (e.g., see [19, 20]).
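The network structure and the evidence update described above can be reproduced with exact inference by enumeration. The following is an added example, not the authors' Matlab implementation: the node names are this example's own and every CPT value is constructed for illustration, since the chapter's tables are not reproduced here.

```python
from itertools import product

# Parents of each binary node, following the structure described for Figure 3.
# Insertion order is a valid topological order.
PARENTS = {
    "nav_error": (),
    "c2_loss": (),
    "autopilot_malfunction": ("nav_error",),
    "pilot_ineffective": ("nav_error", "c2_loss"),
    "inappropriate_guidance": ("autopilot_malfunction", "pilot_ineffective"),
    "loss_of_control": ("inappropriate_guidance",),
    "boundary_violation": ("inappropriate_guidance", "nav_error"),
    "ground_impact": ("loss_of_control", "boundary_violation"),
}

F, T = False, True

# CONSTRUCTED CPTs (illustrative only): P(node = True | parent states),
# keyed by the tuple of parent states in the order listed in PARENTS.
CPT = {
    "nav_error": {(): 1e-3},
    "c2_loss": {(): 1e-3},
    "autopilot_malfunction": {(F,): 1e-4, (T,): 1e-2},
    # A pilot who is out of the control loop (C2 link lost) is always ineffective.
    "pilot_ineffective": {(F, F): 1e-3, (T, F): 5e-2, (F, T): 1.0, (T, T): 1.0},
    "inappropriate_guidance": {(F, F): 0.0, (T, F): 0.05, (F, T): 0.01, (T, T): 1.0},
    "loss_of_control": {(F,): 1e-6, (T,): 0.1},
    "boundary_violation": {(F, F): 0.0, (T, F): 0.2, (F, T): 0.05, (T, T): 0.5},
    "ground_impact": {(F, F): 0.0, (T, F): 0.9, (F, T): 0.01, (T, T): 1.0},
}

NODES = list(PARENTS)


def joint(assign):
    """Joint probability of one full True/False assignment (chain rule over the DAG)."""
    p = 1.0
    for node in NODES:
        key = tuple(assign[parent] for parent in PARENTS[node])
        p_true = CPT[node][key]
        p *= p_true if assign[node] else 1.0 - p_true
    return p


def query(target, evidence=None):
    """P(target = True | evidence), computed by summing the joint over all free nodes."""
    evidence = dict(evidence or {})
    free = [n for n in NODES if n not in evidence]
    num = den = 0.0
    for values in product((F, T), repeat=len(free)):
        assign = dict(zip(free, values))
        assign.update(evidence)
        p = joint(assign)
        den += p
        if assign[target]:
            num += p
    if den == 0.0:
        raise ValueError("evidence has zero probability under the model")
    return num / den


if __name__ == "__main__":
    print("prior            :", query("ground_impact"))
    print("C2 link lost     :", query("ground_impact", {"c2_loss": True}))
    print("GNSS signal lost :", query("ground_impact", {"nav_error": True}))
```

With eight binary nodes the enumeration visits at most 256 assignments, so no approximate inference is needed for a network of this size.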
Another important remark regarding the previous model is that it provides the probability of the occurrence of the ground impact event (), not the failure rate (). In order to derive from , it is necessary to assume a given probability distribution function. As in similar approaches in the literature (e.g., see [15, 21]), this work assumes that follows a Poisson distribution, so is given by:
3.1.2 Strike model
The strike model represents the conditional probability that an impact at a specific location strikes a person. To model this term, this work will use a widely accepted model in the literature [10, 11, 12, 13, 16, 22]:
where is the population density at the impact point, and is the lethal area of the airborne platform. Census data are often used to estimate [10, 14, 16, 23]. With respect to the lethal area, two crash modes are often considered in the literature: vertical free fall [10, 22, 23] and unpremeditated, gliding descent [10, 11, 13, 16]. For simplicity, this work assumes that the ground impact occurs following a vertical free fall so that the impact location is close to the point where the initiating failure has occurred. Therefore:
where is the UA wingspan, is the UA length, and is the radius of an average person. Note that is thus a constant parameter because none of these terms vary with the aircraft trajectory.
3.1.3 Harm model
The harm caused to a person after a strike depends on multiple factors, including type of UA (e.g., size, fragility, etc.), conditions at the point of impact (e.g., speed, position), or secondary effects like explosions, etc. . However, in compliance with the SORA approach, this work assumes the worst-case condition where: (1) there are no sheltering structures that mitigate the effect of a ground impact, and (2) any direct impact of a UA causes the instant death of the people involved in the accident. Therefore:
So, in summary, the proposed ground risk model is given by:
3.2 Air risk model
As in the case of the ground risk, deriving the air risk component (denoted as ) from Eq. (5) requires developing an impact model (term in Eq. (4)), a strike model (term ), and a harm model (). The proposed approach to develop these terms is discussed next.
3.2.1 Impact model
The air impact model provides the rate at which a Mid-Air Collision (MAC) between two aircraft occurs (). In the literature, this term is often modeled using the Maxwell molecule formulation [21, 23, 25], which assumes that the air traffic behaves randomly in airspace, and thus that the rate at which a MAC occurs is proportional to the traffic density in the operational volume. However, this theory does not contemplate the conflict management layers available in the airspace, schematized in Figure 4; and, for this reason, it does not adequately represent traffic operating in the ATM framework. To overcome this, this work proposes to develop the air impact model following the same approach as for the ground impact: using BBNs. In particular, two BBNs will be developed: one for segments performed in controlled airspace and another for uncontrolled airspace.
3.2.1.1 Mid-air collision model for segments performed in controlled airspace
The proposed mid-air collision BBN model for flight segments performed in controlled airspace is represented in Figure 5. The output node of this model is the “MAC” node which has an associated probability . The sequence of events leading to this flight condition depends on two major events: the “separation error” and the “collision avoidance error.” As shown in Figure 4, the “separation error” occurs when both “strategic separation” and “tactical separation” fail. “Strategic separation error” basically refers to the failure of the procedural separation mechanism, while “tactical separation error” involves the ATC surveillance capability. The “tactical separation error” node probability depends on the combined likelihood of the corresponding ATC unit being “ineffective” and the remote pilot performing an “inappropriate guidance.” ATC is ineffective when a possible conflict is not detected, or when ATC provides an incorrect clearance. This node probability certainly depends on the “traffic density” in the area. “Inappropriate guidance” refers to conditions where the ATC clearance is not correctly executed by the remote pilot. Note that the probability of experiencing an “inappropriate guidance” depends on the same sequence of events as in the ground impact BBN model described in Section 3.1.1.
Once the “separation error” occurs, collision avoidance layers can still prevent the MAC from occurring. In controlled airspace, it is assumed that aircraft will be equipped with a transponder. Therefore, collision avoidance can be performed at two levels with a different time horizon. At a first level, Traffic alert and Collision Avoidance System (TCAS) can trigger a traffic alert/resolution advisory. The effectiveness of this layer depends on the remote pilot because it is assumed that she or he must still approve or reject the resolution advisory. If the TCAS alert turns out to be “ineffective,” then the Near Mid-Air Collision (NMAC) condition will occur. After this happens, a second collision avoidance mechanism can still reduce the probability of a MAC impact by performing an evasion maneuver seconds after the point of closest approach. This maneuver may be either a See and Avoid (SAA)-based maneuver performed by the remote pilot, or a Detect and Avoid (DAA)-based maneuver performed by the automatic system (if a DAA system is equipped onboard the UAS). A “DAA error” may occur if the onboard sensors are unable to detect the conflicting traffic. SAA may be “ineffective” when the remote pilot has a reduced situational awareness, or when the pilot is not in the control loop due to the “C2 link loss.” Finally, as in the ground impact model, this work assumes that the MAC event follows a Poisson distribution so can be deduced from using Eq. (7).
3.2.1.2 Mid-air collision model for segments performed in uncontrolled airspace
The proposed mid-air collision BBN model for flight segments performed in uncontrolled airspace is represented in Figure 6. As in the BBN model for controlled airspace, the output node is the “MAC” node which has an associated probability . However, as it can be observed in the figure, the sequence of events leading to this flight condition differs when flying in uncontrolled airspace. To start with, separation provision is independent of the ATC service. In this case, the main separation mechanism is the definition of the mission boundaries and the use of geofencing to enforce these boundaries. However, a “boundary violation” may occur due to “inappropriate guidance” or because of a “navigation error.” Once the “boundary violation” occurs, the likelihood of experiencing a “separation error” increases with the “traffic density” in the area.
Even if the UAS flies within the specified boundaries, other traffics may also be encountered in the same operational volume. For this reason, the remote pilot is required to “remain well clear” of other aircraft at all times. However, the remote pilot may fail at remaining well clear because she or he performs an “inappropriate guidance.” The proposed model assumes that the likelihood of the remote pilot failing at remaining well clear increases with the “traffic density” because of the increased pilot workload.
The other key difference when operating in uncontrolled airspace is that aircraft are not required to be equipped with a transponder. Therefore, one cannot assume that an intruder aircraft will be cooperative traffic, which makes the TCAS layer inoperative. As a result, after a “separation error” occurs, the “NMAC” condition is assumed to happen, and the only feasible collision avoidance mechanism is the SAA or DAA maneuver. This is one of the factors that certainly increases the operational risk when flying in uncontrolled airspace.
3.2.2 Strike model
The strike model represents the conditional probability that an impact between two aircraft strikes a person in the air. In the case of a UAS operation, an impact is expected to cause a strike only if the transient aircraft is a manned aircraft. Therefore, the strike model should account for the ratio between manned and unmanned aircraft in the vicinity of the operating area. For simplicity, this work assumes that all mid-air collisions involve a manned aircraft as long as the UAS is not performing a formation flight with other UAs. This way, all impacts are supposed to result in a strike:
where is the number of people onboard the collided aircraft. In order to estimate this term, it is necessary to characterize the aircraft flying in the airspace volume where the operation takes place. For example, it is possible to assume that most aircraft flying a controlled airway will be airliners, while most aircraft flying in uncontrolled airspace will be general aviation aircraft.
3.2.3 Harm model
The harm model determines the likelihood of causing fatal injuries to people onboard the collided aircraft once the strike between the UAS and the manned aircraft has occurred. As in the case of the ground risk model, this work assumes the worst-case condition where all strikes result in a casualty:
So, in summary, the proposed air risk model is given by:
4. Validation results
The probabilistic risk model in Section 3 has been implemented in Matlab and has been supplied with the illustrative data in the Appendix. To validate this model, a risk assessment will be performed for the demonstration mission in Section 2.1. In particular, the risk assessment will be performed considering six different operational conditions of the UAS (named as OC1 to OC6), described in Table 3. The results obtained are shown in Figure 7, where each subfigure shows the ground risk component and the air risk component along each flight leg of the demonstration mission, considering a specific operational condition.
| ID | Operational condition | DAA equipped |
|---|---|---|
| OC2 | Autonomous condition (C2 link loss) | None |
| OC3 | Degraded navigation condition (GNSS signal loss) | None |
| OC4 | Nominal condition | RTCA SC-228 compliant |
| OC5 | Autonomous condition (C2 link loss) | RTCA SC-228 compliant |
| OC6 | Degraded navigation condition (GNSS signal loss) | RTCA SC-228 compliant |
As can be observed, the air risk component is the main contribution to the total risk whenever a DAA system is not equipped onboard the UAS (Figure 7a–c). However, this risk component can be almost entirely removed if a DAA system is equipped and it complies with the Minimum Operational Performance Standards (MOPS) of RTCA SC-228 (the most stringent requirements set by SORA, almost an ideal DAA). When it comes to the ground risk component, it becomes a determining factor especially when overflying high population density areas like the metropolitan area of València (corresponding to flight legs 8 to 11, see Figure 1).
Another interesting result that can be deduced from Figure 7 is that the loss of the C2 link has a greater impact on the air risk than on the ground risk (which is in line with the results in ). This is due to the fact that, during this abnormal flight condition, the remote pilot is unable to intervene in the operation; and consequently tactical separation, TCAS and SAA conflict management layers are not effective. Conversely, the results obtained indicate that the loss of the GNSS signal is slightly more critical when it comes to the ground risk than to the air risk.
Finally, Table 4 shows the cumulative risk when considering the entire demonstration mission. Note that the cumulative risk is computed by adding the ground risk component and the air risk component along all the flight legs of the planned trajectory; while the average risk is computed from using Eq. (6). As an example, the cumulative risk when the UAS operates in OC1 is ; although it can be reduced down to by means of the DAA capability (OC4). Considering that the estimated path length for this route is , the average risk in these conditions is and , respectively.
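The cumulative and average ground risk along a route, as described in Sections 3 and 3.1, can be computed as in the following added example, which is not the authors' Matlab implementation. It assumes straight legs in a local metric frame, a midpoint-rule integration and a clamp of the strike probability to 1 (choices of this example); the waypoints, population density, lethal area and impact probabilities are constructed values.

```python
import math


def impact_rate_from_probability(p_impact, exposure_h=1.0):
    """Rate (per flight hour) of a Poisson process whose probability of at least
    one event during exposure_h hours is p_impact: P = 1 - exp(-rate * T).
    The one-hour exposure is an assumption of this example."""
    if not 0.0 <= p_impact < 1.0:
        raise ValueError("p_impact must be in [0, 1)")
    return -math.log1p(-p_impact) / exposure_h


def strike_probability(density_per_m2, lethal_area_m2):
    """Population density times lethal area, clamped to a valid probability."""
    return min(1.0, density_per_m2 * lethal_area_m2)


def leg_ground_risk(p0, p1, impact_rate, density_fn, lethal_area_m2,
                    p_harm=1.0, step_m=250.0):
    """Midpoint-rule line integral of rate * P(strike) * P(harm) along one leg.
    Returns (integral in occurrences/h times metres, leg length in metres)."""
    length = math.dist(p0, p1)
    n = max(1, math.ceil(length / step_m))
    ds = length / n
    total = 0.0
    for i in range(n):
        t = (i + 0.5) / n
        x = p0[0] + t * (p1[0] - p0[0])
        y = p0[1] + t * (p1[1] - p0[1])
        total += impact_rate * strike_probability(density_fn(x, y), lethal_area_m2) * p_harm * ds
    return total, length


def route_ground_risk(waypoints, impact_rates, density_fn, lethal_area_m2):
    """Per-leg integrals, cumulative risk and average risk (per flight hour)."""
    if len(impact_rates) != len(waypoints) - 1:
        raise ValueError("one impact rate per flight leg is required")
    per_leg = [
        leg_ground_risk(p0, p1, rate, density_fn, lethal_area_m2)
        for p0, p1, rate in zip(waypoints, waypoints[1:], impact_rates)
    ]
    cumulative = sum(risk for risk, _ in per_leg)
    path_length = sum(length for _, length in per_leg)
    return per_leg, cumulative, cumulative / path_length


# CONSTRUCTED inputs: a three-leg route that enters a populated area at x = 10 km.
WAYPOINTS = [(0.0, 0.0), (10_000.0, 0.0), (10_000.0, 5_000.0), (20_000.0, 5_000.0)]
LETHAL_AREA_M2 = 50.0                      # constructed, not the Super Heron value
P_IMPACT_NOMINAL = 4e-6                    # constructed probability per flight hour


def density(x, y):
    """Constructed population density in people per square metre."""
    return 1e-3 if x >= 10_000.0 else 1e-5


if __name__ == "__main__":
    rate = impact_rate_from_probability(P_IMPACT_NOMINAL)
    legs, cumulative, average = route_ground_risk(
        WAYPOINTS, [rate] * 3, density, LETHAL_AREA_M2)
    for i, (risk, length) in enumerate(legs, start=1):
        print(f"leg {i}: {length / 1000:.1f} km, integral {risk:.3e}")
    print(f"cumulative {cumulative:.3e}, average {average:.3e} per flight hour")
```

Passing a different impact rate for a single leg models a condition such as a C2 link loss that only affects part of the route.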
The current regulatory framework for the operation of UAS in Europe is operation-centric and risk-based. Based on this framework, the authorization for conducting a specific mission is given on the basis of an operational risk assessment performed by the operator. In order to facilitate and harmonize this process, EASA established a qualitative risk assessment methodology called SORA. However, SORA is not a complete safety assessment tool because quantitative results are still required to demonstrate that a specific operation can be conducted safely.
In this chapter, a probabilistic risk model for UAS operations is proposed. The proposed model estimates the likelihood of occurrence of a catastrophic accident when a UAS flies a specified trajectory. One of the main novelties of the proposed model is that it is consistent with the HRM of SORA. Therefore, the probabilistic model can be used to support the qualitative assumptions and decisions taken by the SORA applicant.
The risk model must be supplied with a number of input parameters such as aircraft model, population density or traffic density, among others. The degree of uncertainty about these parameters will determine the trustworthiness of the results obtained. In this work, illustrative data is used to validate the model in a demonstration mission for different operational conditions. Results show that the C2 link loss event is more critical to the air risk than to the ground risk. Conversely, the loss of the GNSS signal has a greater impact on the probability of experiencing a ground impact than a MAC, according to the results.
Future work is to make use of Bayesian inference to update the state of knowledge about the system parameters and provide confidence in the approach. Another line of research is to adapt or extend the risk model to account for future Very Low Level (VLL), high density airspace like the UTM/U-space, where an encounter between two UA is more likely to occur than one with a manned aircraft. Finally, the risk model will be used to determine the minimum-risk trajectory when multiple, alternative routes are available (e.g., after an in-flight contingency occurs).
Conflict of interest
The authors declare no conflict of interest.
A.1. Ground risk model data
The model parameters of Eq. (11) are , , and . To estimate the lethal area , it is necessary to specify the UA dimensions and the average person model. In this case, it is assumed that the intended mission will be performed using the IAI Super Heron model, which has a wingspan and length of and , respectively . An average person is usually modeled as a cylinder of height and radius . To estimate the ground impact event rate from the BBN model, it is necessary to specify the CPT for all the nodes in Figure 3. As an example, the CPT used for the “C2 link loss” node is shown in Table 5 (which assumes that the corresponding Mean Time Between Failure (MTBF) is ); while the CPT for the “Inappropriate guidance” node is shown in Table 6. The remaining tables can be found in , but are here omitted for brevity. Finally, to compute the population distribution , we have accessed the Spanish census data provided by Instituto Nacional de Estadística (Spanish Statistics Institute) (INE) in , and we have processed it using the ArcGis software. The resulting data has been converted to a raster image with a cell size of (represented in Figure 8) and has been exported to Matlab.
| C2 link loss |

| Autopilot malfunc. | Pilot ineffective | Inappropriate guidance |
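The following added example (not code or data from the chapter) shows how CPTs of the kind described in A.1 feed a node probability: a root-node CPT derived from an MTBF, and the marginal probability of “Inappropriate guidance” obtained by enumerating its parent states. It assumes an exponential failure model, independent binary parents, that “Autopilot malfunc.” and “Pilot ineffective” are the parents of “Inappropriate guidance”, and constructed numeric values throughout.

```python
import math
from itertools import product

def failure_prob_from_mtbf(mtbf_hours, exposure_hours=1.0):
    """P(at least one failure within the exposure time), assuming a
    constant failure rate 1/MTBF (exponential model; an assumption here)."""
    if mtbf_hours <= 0 or exposure_hours < 0:
        raise ValueError("MTBF must be positive and exposure non-negative")
    return 1.0 - math.exp(-exposure_hours / mtbf_hours)

def root_cpt(p_true):
    """CPT of a binary root node (a node without parents)."""
    if not 0.0 <= p_true <= 1.0:
        raise ValueError("probability out of range")
    return {True: p_true, False: 1.0 - p_true}

def marginal_child(child_cpt, parent_cpts):
    """P(child = True), enumerating all states of independent binary parents."""
    rows = list(product([True, False], repeat=len(parent_cpts)))
    missing = [r for r in rows if r not in child_cpt]
    if missing:
        raise ValueError(f"CPT rows missing for parent states: {missing}")
    total = 0.0
    for states in rows:
        weight = math.prod(cpt[s] for cpt, s in zip(parent_cpts, states))
        total += weight * child_cpt[states]
    return total

# Constructed values (NOT the chapter's Table 5 / Table 6 entries).
MTBF_C2_LINK_H = 1000.0                      # hypothetical MTBF, in hours
C2_LINK_LOSS = root_cpt(failure_prob_from_mtbf(MTBF_C2_LINK_H))
AUTOPILOT_MALFUNC = root_cpt(0.01)
PILOT_INEFFECTIVE = root_cpt(0.10)
# P(inappropriate guidance = True | autopilot malfunc., pilot ineffective)
INAPPROPRIATE_GUIDANCE = {
    (True, True): 1.0,    # nobody corrects the faulty guidance
    (True, False): 0.05,  # pilot usually recovers
    (False, True): 0.0,
    (False, False): 0.0,
}

def demo():
    """Return (P(C2 link loss in one hour), P(inappropriate guidance))."""
    p_guidance = marginal_child(
        INAPPROPRIATE_GUIDANCE, [AUTOPILOT_MALFUNC, PILOT_INEFFECTIVE])
    return C2_LINK_LOSS[True], p_guidance

if __name__ == "__main__":
    p_c2, p_guidance = demo()
    print(f"P(C2 link loss in 1 h)    = {p_c2:.6f}")
    print(f"P(inappropriate guidance) = {p_guidance:.6f}")
```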
A.2. Air risk model data
The model parameters of Eq. (14) are and . In this proposal, varies along the aircraft trajectory as a function of the airspace class where the operation takes place (basically on whether it is controlled or not) and the aircraft density in each operational volume. The airspace class is evidence for this model, since it is implicit in the route specification (see Table 2). To obtain the traffic density, this work has exploited the Network Strategic Modeling Tool (NEST) software by European Organization for the Safety of Air Navigation (Eurocontrol), which provides a dataset comprising 31.626 real cooperative flights operated in Europe during AIRAC cycle 1307 (see Figure 9). Then, the CPTs for all the event nodes in Figures 5 and 6 are specified considering the possible traffic densities in the mission; see  for further details. Finally, to estimate the number of people onboard the manned aircraft involved in the MAC (), this work assumes that the most probable intruder aircraft when flying in controlled airspace is a short-to-medium-range airliner like a Boeing 737 or an Airbus A320 (two of the world’s most successful commercial airliners), with an estimated capacity of passengers. When flying in uncontrolled airspace, the intruder aircraft is assumed to be a general aviation aircraft like a Cessna 172 or a Piper PA-28 Cherokee, with an estimated capacity of passengers.
- In Version 2 of the SORA document, the SORA hazard was renamed as “loss of control.” However, this work retains the original name of the hazard to better differentiate it from the “loss of control in-flight” condition, which refers to the aircraft stall.
- Note that, in Figure 5, the “traffic density” node has a rectangular shape instead of an ellipse. This notation emphasizes that this node is not a probabilistic node, but a decision node, i.e., a node representing an input variable of the model. In other words, the traffic density is considered to be known at a given airspace volume.