EASA’s concept of operation for drones.

## Abstract

To enable the safe integration of Unmanned Aircraft System (UAS) into the civil airspace, the European Aviation Safety Agency (EASA) has elaborated a new regulatory framework that is operation-centric and risk-based. Based on this principle, gaining authorization to conduct certain types of operations depends on a safety risk assessment. To harmonize this process, the Joint Authorities for Rulemaking on Unmanned Systems (JARUS) released a qualitative methodology called Specific Operation Risk Assessment (SORA). However, SORA is not a complete safety assessment tool since, in some cases, a quantitative risk analysis is still required. This work develops a probabilistic risk model that extends SORA to evaluate the ground risk and the air risk components along a specified UAS trajectory quantitatively. The proposed model is supplied with illustrative data and is validated in a representative UAS mission. In the future, the risk model will be exploited to develop a decision tool for determining the minimum-risk trajectory when multiple, alternative routes are available.

### Keywords

- risk assessment
- UAS
- SORA
- Bayesian networks
- contingency management

## 1. Introduction

In order to harmonize the regulation of Unmanned Aircraft System (UAS) across the European Union and to foster the development of the UAS market, the European Aviation Safety Agency (EASA) is elaborating a new regulatory framework that relies on the Concept of Operation (ConOps) for drones [1]. According to this concept, UAS operations can be classified into three categories, named “open,” “specific,” and “certified,” as summarized in Table 1. Each of these categories has an associated regulatory regime that is proportionate to the risk of the operation. Operations within the open category do not require prior authorization by the competent authority. Operations within the specific category require authorization by the competent authority based on an operational risk assessment performed by the operator. Finally, operations within the certified category are subject to a full certification process based on the safety objectives in [2].

The task of performing an operational risk assessment to obtain authorization for operating a UAS is sensitive and complex. To facilitate and harmonize this process, Working Group 6 of the Joint Authorities for Rulemaking on Unmanned Systems (JARUS) initiative developed the Specific Operation Risk Assessment (SORA) methodology [3]. SORA is a qualitative process that essentially specializes the risk assessment steps in [4] to evaluate the risks involved in operating UASs of any class and size, in any type of operation, and ultimately to determine the corresponding mitigation measures. Although it is specifically intended for UASs operating within the specific category, it may also be used as an acceptable means of compliance with the safety objectives for the certified category [3].

It is to be noted, however, that although the SORA analysis is qualitative in nature, a quantitative risk analysis is still required in some circumstances. For instance, Annex C to the SORA document encourages the use of quantitative data to support the qualitative assumptions and decisions regarding the strategic mitigations for the air risk. Even so, SORA does not prescribe any quantitative model from which these data should be obtained. The qualitative approach of the SORA process has other shortcomings as well; for example, the work in [5] identifies a number of inconsistencies that ought to be resolved.

Given all the above, this work proposes to complement the SORA process with a probabilistic risk model that evaluates the ground risk and the air risk components along a specified UAS trajectory quantitatively. The quantitative data provided by the model can be used to validate whether a particular operation (either specific or certified) reaches the Target Level of Safety (TLS) required by regulation. Moreover, the quantitative model can be exploited not only for risk assessment purposes, but also as a decision tool for determining the optimal trajectory in case of mission replanning.

Several works have already proposed quantitative models to assess the risk of UAS operations. A review of some of these models can be found in [6]. Another example is the work in [7], which provides both a qualitative and a quantitative risk analysis of UAS operations in integrated airspace: the qualitative analysis is a Failure Mode and Effect Analysis (FMEA), while the quantitative analysis is based on a Fault Tree Analysis (FTA). However, none of these approaches is consistent with the SORA framework. Conversely, the aforementioned work in [5] follows an approach similar to the one in this work: it identifies the inconsistencies of SORA and proposes to close these gaps through a complementary, mathematically based approach to risk assessment. In particular, it provides a simple, probabilistic formulation of a barrier-based safety model. The difference between [5] and the work in this chapter is that we exploit the Bayesian formulation to model how a threat can develop into a hazard (rather than a bow-tie representation); and, especially, that we focus on estimating the risk along a specified flight trajectory (rather than on evaluating the effectiveness of the safety barriers). Other risk models in the literature are referenced throughout this work where relevant.

An important consideration is that risk models for UASs are in general highly dependent on the ConOps under consideration, and especially on the type of airspace where the operation takes place (e.g., airspace type and class, operating altitude, encounter rate, conflict management layers available, etc.). Given the wide variety of ConOps that can be envisaged, it is difficult to develop a model that captures the characteristics of all possible operating environments. Considering the research interests of the authors, this work is focused on UASs operating in the Air Traffic Management (ATM) environment. This implies that the UAS must comply with the existing rules and procedures for manned aviation (e.g., rules of the air or airspace structure). UASs operating in the UAS Traffic Management (UTM) environment (e.g., the ConOps proposed by the CORUS project [8]) are therefore out of the scope of this work.

The rest of the chapter is organized as follows. Section 2 details the ConOps considered in this work, as well as the demonstration mission that will be used to validate the proposed risk model. Section 3 develops the probabilistic risk model for the proposed ConOps. Section 4 provides the validation results. Finally, Section 5 concludes the chapter and outlines future lines of research.

## 2. Proposed concept of operation

In order to provide a broad vision of the problem under study, this work is not focused on a particular type of operation. Rather, the proposed ConOps describes a wide range of flight profiles with the following general common features:

- The UAS operation is to be performed Beyond Visual Line of Sight (BVLOS) of the operator.
- The UAS operation is to be performed under Instrument Flight Rules (IFR). When airspace requirements impose compliance with Visual Flight Rules (VFR), airspace segregation will be necessary.
- The UAS operation may enter controlled airspace. The operation may also take off or land at a controlled airport. Therefore, coordination with the corresponding Air Traffic Control (ATC) authority is compulsory. Additionally, the UAS may fly under non-conventional ATC services outside controlled areas; for example, an ATC unit that acts specifically in the operations area, similar to the one used to coordinate firefighting operations.
- The UAS operation is to take place outside urban areas.

Due to the inherent complexity of the proposed ConOps, it is assumed that Unmanned Aircraft (UA) models capable of flying these missions will be comparable to manned aircraft in terms of size and complexity. A representative UA that will be used for demonstration purposes is the IAI Super Heron model. Furthermore, the UAS will be remotely piloted by an operator (called remote pilot); and the communication between the remote pilot and the UA will be conducted using a Command and Control (C2) data link. So, the UAS will actually be a Remotely Piloted Aircraft System (RPAS), which includes the Remotely Piloted Aircraft (RPA), the remote pilot station(s), and the C2 link.

### 2.1 Demonstration mission description

One of the many possible missions described by this ConOps will be used to validate the probabilistic risk model discussed below. The proposed mission consists of a route from a departure airport to an operations area; a series of maneuvers within this area; and finally a route toward the destination airport. In particular, in the proposed demonstration mission, represented in Figure 1, the UAS must depart from the uncontrolled airport of Teruel (International Civil Aviation Organization (ICAO) code LETL) to perform some direct observations over the Albufera natural park in Spain, and then land at the controlled airport of Castellón (LECH). The operations area has well-specified limits (defined by perimeter F15B in Figure 1), which must be enforced using a geo-awareness system. In addition, given that this area is located within the Controlled Traffic Region (CTR) of València Airport (ICAO code LEVC), the mission will require special permission from the Air Traffic Service (ATS) authorities. To perform this mission, a route connecting the departure site, the operations area, and the arrival site must be specified. The proposed route is composed of 14 flight legs, which are structured into seven flight segments (described in Table 2), and which have been constructed in compliance with the Spanish Aeronautical Information Service (AIS) [9]. The risk assessment results for this mission are presented in Section 4.

Segment # | Segment type | Waypoint sequence | Remark |
---|---|---|---|
1 | Departure | LETL | Uncontrolled airspace |
2 | En-route | MANDY | Controlled airways R29 and M871 |
3 | Ingress | LASPO | Uncontrolled airspace |
4 | Operations | F15B2 | Uncontrolled airspace |
5 | Egress | F15B2 | VFR corridor |
6 | En-route | VLC | Controlled airway B26 |
7 | Arrival | SOPET | Standard arrival SOPET1S |

## 3. Probabilistic risk model compliant with the SORA framework

In order to develop a probabilistic risk model that is consistent with the SORA framework, it is necessary to account for the Holistic Risk Model (HRM) behind the SORA methodology. In short, the HRM is focused on the occurrence of a single, generic *hazard*, named “UAS operation out of control,”^{1} an emergency condition with the potential to provoke three possible *harms*: fatal injuries to third parties on the ground, fatal injuries to third parties in the air, or damage to critical infrastructure. At the same time, the out-of-control condition can originate from different *threats*, such as a technical error, a human error, etc. Further details can be found in Version 1 of the SORA document [3].

To estimate the likelihood of occurrence of each of the previous harm categories (here expressed as

However, SORA does not further detail this model since SORA is a risk assessment methodology of a qualitative nature. This work will use Eq. (1) as the basis to develop a quantitative, probabilistic risk model for UAS operations. To do so, Eq. (1) will first be rearranged for convenience so that it is expressed as a function of the probability of impact (

where

Note, however, that the likelihood of occurrence of an aircraft accident is usually expressed as the number of occurrences per flight hour, not as a probability. Therefore, Eq. (3) can be rewritten in terms of rate of occurrence as follows:

where

where

where *ground risk*), and to third parties in the air (hereinafter *air risk*). Due to lack of data and time constraints, the risk of causing damage to critical infrastructures will not be assessed in this work.
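Added illustration (not an equation from the page, whose own symbols did not survive extraction; the notation below is assumed) of the probability-to-rate rewriting described above and of how the three factors accumulate along a trajectory. If impacts occur as a Poisson process with rate $\lambda$ per flight hour, then over an exposure time $t$

$$P(\text{at least one impact in } t) = 1 - e^{-\lambda t} \approx \lambda t \quad (\lambda t \ll 1), \qquad \lambda = -\frac{\ln(1 - P)}{t},$$

and over a trajectory of $N$ legs with exposure time $t_k$ on leg $k$ the expected number of fatalities is

$$R = \sum_{k=1}^{N} \lambda_{\mathrm{impact},k}\; P(\mathrm{strike} \mid \mathrm{impact})_k\; P(\mathrm{harm} \mid \mathrm{strike})_k\; t_k ,$$

with the ground and air contributions summed separately. The approximation $1 - e^{-\lambda t} \approx \lambda t$ is what makes a per-flight-hour rate and a small per-hour probability interchangeable; it no longer holds when $\lambda t$ is of order one.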

### 3.1 Ground risk model

In order to derive the ground risk component (denoted as

#### 3.1.1 Impact model

The ground impact model provides the rate at which a ground impact occurs (

The model can be supplied with both qualitative and quantitative data simultaneously [15]. This is especially useful in models with a high degree of uncertainty, like the problem under study.

Probabilistic inference can be used to replace an initial assumption regarding one model variable by perceived *evidence* regarding this variable; the model then automatically updates the remaining probabilities based on the presence of such evidence [16]. In practice, this capability can be used to update the probability of a ground impact given the real-time state of the system (for instance, depending on whether the C2 link is lost or alive).

The proposed BBN describing the ground impact model is represented in Figure 3. As can be observed, the model is described by a directed, acyclic graph where nodes represent variables and edges represent the conditional dependencies between these variables. Each node variable is associated with a Bayesian probability that is expressed with a Conditional Probability Table (CPT). In this case, the sink node represents the probability of a ground impact (

In order to obtain the output probability

Another important remark regarding the previous model is that it provides the probability of the occurrence of the ground impact event (
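The inference-with-evidence capability described in Section 3.1.1 can be shown on a cut-down stand-in for the Figure 3 network. The example below is added here and is not the authors' Matlab implementation: only the two tables marked "Appendix A.1" (the C2 link loss prior and the OR-gate CPT of "inappropriate guidance") are taken from the page, while the node set, the autopilot prior, the "pilot ineffective" CPT, the "ground impact" CPT and the Poisson link between probability and rate are illustrative assumptions. Exact inference is done by enumerating every assignment, which is adequate for a handful of Boolean nodes.

```python
"""Inference by enumeration on a small Bayesian belief network (added example;
toy stand-in for the ground impact BBN of Figure 3, not the authors' model)."""
import math
from itertools import product

# Each node: (parents, cpt). cpt maps a tuple of parent values (in `parents`
# order) to P(node = True). Nodes are listed in topological order.
GROUND_IMPACT_BBN = {
    # Appendix A.1: P(C2 link loss = T) = 6.3212e-01
    "c2_link_loss": ((), {(): 0.63212}),
    # ASSUMED prior for an autopilot malfunction during the exposure period
    "autopilot_malfunction": ((), {(): 1e-3}),
    # ASSUMED: the remote pilot is out of the loop whenever the C2 link is
    # lost, and occasionally ineffective even when the link is up
    "pilot_ineffective": (("c2_link_loss",), {(False,): 0.02, (True,): 1.0}),
    # Appendix A.1: inappropriate guidance whenever the autopilot malfunctions
    # or the pilot is ineffective (an OR gate)
    "inappropriate_guidance": (
        ("autopilot_malfunction", "pilot_ineffective"),
        {(False, False): 0.0, (False, True): 1.0,
         (True, False): 1.0, (True, True): 1.0},
    ),
    # ASSUMED: geo-containment and contingency procedures still stop most
    # inappropriate guidance before it becomes a ground impact
    "ground_impact": (("inappropriate_guidance",), {(False,): 1e-5, (True,): 5e-4}),
}


def node_probability(bbn, node, value, assignment):
    """P(node = value | parents), looked up in the node's CPT."""
    parents, cpt = bbn[node]
    p_true = cpt[tuple(assignment[p] for p in parents)]
    return p_true if value else 1.0 - p_true


def joint_probability(bbn, assignment):
    """Chain rule: product of every node's conditional probability."""
    prob = 1.0
    for node in bbn:
        prob *= node_probability(bbn, node, assignment[node], assignment)
    return prob


def query(bbn, target, evidence=None):
    """P(target = True | evidence): sum the joint over every full assignment
    consistent with the evidence (exact, exponential in the node count)."""
    evidence = evidence or {}
    nodes = list(bbn)
    numerator = denominator = 0.0
    for values in product((False, True), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        prob = joint_probability(bbn, assignment)
        denominator += prob
        if assignment[target]:
            numerator += prob
    return numerator / denominator


def probability_to_rate(p, exposure_hours):
    """Rate (events per flight hour) such that a Poisson process gives
    P(at least one event in exposure_hours) = p. Poisson link ASSUMED."""
    return -math.log1p(-p) / exposure_hours


def rate_to_probability(rate, exposure_hours):
    """Inverse of probability_to_rate: 1 - exp(-rate * t)."""
    return -math.expm1(-rate * exposure_hours)


if __name__ == "__main__":
    for evidence in ({}, {"c2_link_loss": True}, {"c2_link_loss": False}):
        p = query(GROUND_IMPACT_BBN, "ground_impact", evidence)
        print(f"evidence={evidence or 'none'}: P(ground impact)={p:.3e}, "
              f"rate={probability_to_rate(p, 1.0):.3e} per flight hour")
```

Passing `{"c2_link_loss": True}` as evidence reproduces the real-time update the text describes: the pilot-dependent branch collapses and the ground impact probability jumps to its conditional value, whereas `{"c2_link_loss": False}` drops it by more than an order of magnitude under the assumed CPTs. Note also that the Appendix A.1 value 6.3212e-01 equals 1 - e^{-1} to the precision shown, which is exactly what the Poisson relation returns for a rate of one event per exposure period.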

#### 3.1.2 Strike model

The strike model represents the conditional probability that an impact at a specific location strikes a person. To model this term, this work will use a widely accepted model in the literature [10, 11, 12, 13, 16, 22]:

where

where

#### 3.1.3 Harm model

The harm caused to a person after a strike depends on multiple factors, including type of UA (e.g., size, fragility, etc.), conditions at the point of impact (e.g., speed, position), or secondary effects like explosions, etc. [24]. However, in compliance with the SORA approach, this work assumes the worst-case condition where: (1) there are no sheltering structures that mitigate the effect of a ground impact, and (2) any direct impact of a UA causes the instant death of the people involved in the accident. Therefore:

So, in summary, the proposed ground risk model is given by:

### 3.2 Air risk model

As in the case of the ground risk, deriving the air risk component (denoted as

#### 3.2.1 Impact model

The air impact model provides the rate at which a Mid-Air Collision (MAC) between two aircraft occurs (

#### 3.2.1.1 Mid-air collision model for segments performed in controlled airspace

The proposed mid-air collision BBN model for flight segments performed in controlled airspace is represented in Figure 5. The output node of this model is the “MAC” node which has an associated probability ^{2} in the area. “Inappropriate guidance” refers to conditions where the ATC clearance is not correctly executed by the remote pilot. Note that the probability of experiencing an “inappropriate guidance” depends on the same sequence of events as in the ground impact BBN model described in Section 3.1.1.

Once the “separation error” occurs, collision avoidance layers can still prevent the MAC from occurring. In controlled airspace, it is assumed that aircraft will be equipped with a transponder. Therefore, collision avoidance can be performed at two levels with different time horizons. At the first level, the Traffic alert and Collision Avoidance System (TCAS) can trigger a traffic alert/resolution advisory. The effectiveness of this layer depends on the remote pilot because it is assumed that she or he must still approve or reject the resolution advisory. If the TCAS alert proves “ineffective,” then the Near Mid-Air Collision (NMAC) condition will occur. After this happens, a second collision avoidance mechanism can still reduce the probability of a MAC impact by performing an evasion maneuver seconds after the point of closest approach. This maneuver may be either a See and Avoid (SAA)-based maneuver performed by the remote pilot, or a Detect and Avoid (DAA)-based maneuver performed by the automatic system (if a DAA system is equipped onboard the UAS). A “DAA error” may occur if the onboard sensors are unable to detect the conflicting traffic. SAA may be “ineffective” when the remote pilot has reduced situational awareness, or when the pilot is not in the control loop due to the “C2 link loss.” Finally, as in the ground impact model, this work assumes that the MAC event follows a Poisson distribution so

#### 3.2.1.2 Mid-air collision model for segments performed in uncontrolled airspace

The proposed mid-air collision BBN model for flight segments performed in uncontrolled airspace is represented in Figure 6. As in the BBN model for controlled airspace, the output node is the “MAC” node which has an associated probability

Even if the UAS flies within the specified boundaries, other traffic may also be encountered in the same operational volume. For this reason, the remote pilot is required to “remain well clear” of other aircraft at all times. However, the remote pilot may fail to remain well clear because she or he performs an “inappropriate guidance.” The proposed model assumes that the likelihood of the remote pilot failing to remain well clear increases with the “traffic density” because of the increased pilot workload.

The other key difference when operating in uncontrolled airspace is that aircraft are not required to be equipped with a transponder. Therefore, one cannot assume that an intruder aircraft will be cooperative traffic, which makes the TCAS layer inoperative. As a result, after a “separation error” occurs, the “NMAC” condition is assumed to happen, and the only feasible collision avoidance mechanism is the SAA or DAA maneuver. This is one of the factors that certainly increases the operational risk when flying in uncontrolled airspace.

#### 3.2.2 Strike model

The strike model represents the conditional probability that an impact between two aircraft strikes a person in the air. In the case of a UAS operation, an impact is expected to cause a strike only if the other aircraft involved is a manned aircraft. Therefore, the strike model should account for the ratio between manned and unmanned aircraft in the vicinity of the operating area. For simplicity, this work assumes that all mid-air collisions involve a manned aircraft as long as the UAS is not performing a formation flight with other UAs. This way, all impacts are assumed to result in a strike:

where

#### 3.2.3 Harm model

The harm model determines the likelihood of causing fatal injuries to people onboard the collided aircraft once the strike between the UAS and the manned aircraft has occurred. As in the case of the ground risk model, this work assumes the worst-case condition where all strikes result in a casualty:

So, in summary, the proposed air risk model is given by:

## 4. Validation results

The probabilistic risk model in Section 3 has been implemented in Matlab and supplied with the illustrative data in the Appendix. To validate this model, a risk assessment is performed for the demonstration mission in Section 2.1. In particular, the risk assessment is performed considering six different operational conditions of the UAS (named **OC1** to **OC6**), described in Table 3. The results obtained are shown in Figure 7, where each subfigure shows the ground risk component and the air risk component along each flight leg of the demonstration mission for a specific operational condition.

ID | Operational condition | DAA equipped |
---|---|---|
OC1 | Nominal condition | None |
OC2 | Autonomous condition (C2 link loss) | None |
OC3 | Degraded navigation condition (GNSS signal loss) | None |
OC4 | Nominal condition | RTCA SC-228 compliant |
OC5 | Autonomous condition (C2 link loss) | RTCA SC-228 compliant |
OC6 | Degraded navigation condition (GNSS signal loss) | RTCA SC-228 compliant |

As can be observed, the air risk component is the main contribution to the total risk whenever a DAA system is not equipped onboard the UAS (Figure 7a–c). However, this risk component can be almost entirely removed if a DAA system is equipped and complies with the Minimum Operational Performance Standards (MOPS) of RTCA SC-228 [27] (the most stringent requirement in SORA, close to an ideal DAA). The ground risk component, in turn, becomes a determining factor especially when overflying high population density areas such as the metropolitan area of València (corresponding to flight legs 8 to 11, see Figure 1).

Another interesting result that can be deduced from Figure 7 is that the loss of the C2 link has a greater impact on the air risk than on the ground risk (which is in line with the results in [7]). This is because, during this abnormal flight condition, the remote pilot is unable to intervene in the operation; consequently, the tactical separation, TCAS and SAA conflict management layers are not effective. Conversely, the results indicate that the loss of the GNSS signal is slightly more critical for the ground risk than for the air risk.

Finally, Table 4 shows the cumulative risk when considering the entire demonstration mission. Note that the cumulative risk **OC1** is **OC4**). Considering that the estimated path length for this route is

Operational condition | | |
---|---|---|
OC1 | 9.29e-02 | 4.67e-04 |
OC2 | 1.47e-01 | 7.39e-04 |
OC3 | 1.09e-01 | 5.48e-04 |
OC4 | 1.04e-02 | 5.23e-05 |
OC5 | 1.64e-02 | 8.24e-05 |
OC6 | 1.82e-02 | 9.15e-05 |
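The leg-by-leg accumulation behind Figure 7 and Table 4 can be reproduced in outline with the barrier sequence of Section 3.2.1 (tactical separation, TCAS only in controlled airspace and only with the pilot in the loop, then SAA or DAA), the air strike and harm assumptions of Sections 3.2.2 and 3.2.3, and a ground strike model of the usual `1 - exp(-rho * A)` form for Section 3.1.2. The code below is an added example, not the authors' Matlab implementation: the layer structure and the six operational conditions of Table 3 follow the text, but every rate, layer effectiveness, leg duration, traffic density and population density is an illustrative assumption, and the legs only loosely mirror the seven segments of Table 2.

```python
"""Air and ground risk accumulated leg by leg along a UAS trajectory (added
example; every numeric value is an illustrative ASSUMPTION, not the page's data)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Leg:
    name: str
    controlled: bool           # controlled airspace: cooperative traffic, TCAS available
    hours: float               # exposure time on the leg
    traffic_density: float     # intruders per flight hour in the volume
    population_density: float  # people per km^2 under the leg


@dataclass(frozen=True)
class OperationalCondition:
    c2_link_loss: bool = False  # remote pilot out of the loop
    gnss_loss: bool = False     # degraded navigation
    daa_equipped: bool = False  # RTCA SC-228 class DAA on board


# ASSUMED parameters (per flight hour where a rate is meant)
SEPARATION_ERRORS_PER_INTRUDER = 1e-3  # separation errors per hour per unit traffic density
GNSS_LOSS_SEPARATION_FACTOR = 2.0      # poorer track keeping
C2_LOSS_SEPARATION_FACTOR = 1.5        # ATC tactical separation needs the pilot to execute it
P_TCAS_INEFFECTIVE = 0.1               # pilot does not act on the resolution advisory
P_SAA_INEFFECTIVE = 0.3                # pilot misses the last-second see-and-avoid manoeuvre
P_DAA_ERROR = 0.01                     # sensors miss the intruder (near-ideal DAA)
GROUND_IMPACT_RATE = 1e-5              # ground impacts per hour, nominal
GNSS_LOSS_GROUND_FACTOR, C2_LOSS_GROUND_FACTOR = 3.0, 1.5
LETHAL_AREA_KM2 = 5e-4                 # 500 m^2 exposed area for a Super Heron-class UA
P_STRIKE_AIR = 1.0                     # Section 3.2.2: every MAC involves a manned aircraft
P_HARM = 1.0                           # Sections 3.1.3 and 3.2.3: every strike is fatal


def mac_rate(leg, oc):
    """Mid-air collisions per flight hour: separation error -> NMAC -> MAC."""
    sep_rate = SEPARATION_ERRORS_PER_INTRUDER * leg.traffic_density
    if oc.gnss_loss:
        sep_rate *= GNSS_LOSS_SEPARATION_FACTOR
    if oc.c2_link_loss:
        sep_rate *= C2_LOSS_SEPARATION_FACTOR
    # TCAS only works against cooperative traffic (controlled airspace) and
    # only with the pilot in the loop; otherwise a separation error is an NMAC.
    p_nmac = P_TCAS_INEFFECTIVE if (leg.controlled and not oc.c2_link_loss) else 1.0
    # Last barrier: automatic DAA if equipped, else the pilot's SAA manoeuvre,
    # which is unavailable without the C2 link.
    if oc.daa_equipped:
        p_mac = P_DAA_ERROR
    else:
        p_mac = 1.0 if oc.c2_link_loss else P_SAA_INEFFECTIVE
    return sep_rate * p_nmac * p_mac


def ground_strike_probability(population_density, lethal_area_km2):
    """P(strike | ground impact) = 1 - exp(-rho * A), the Poisson-population
    form common in the literature (ASSUMED; the page's expression is not reproduced)."""
    return -math.expm1(-population_density * lethal_area_km2)


def leg_risk(leg, oc):
    """(ground, air) fatality rates per flight hour: impact x strike x harm."""
    impact_rate = GROUND_IMPACT_RATE
    if oc.gnss_loss:
        impact_rate *= GNSS_LOSS_GROUND_FACTOR
    if oc.c2_link_loss:
        impact_rate *= C2_LOSS_GROUND_FACTOR
    ground = impact_rate * ground_strike_probability(leg.population_density, LETHAL_AREA_KM2) * P_HARM
    air = mac_rate(leg, oc) * P_STRIKE_AIR * P_HARM
    return ground, air


def mission_risk(legs, oc):
    """Cumulative expected fatalities over the route: sum of rate x exposure per leg."""
    ground = sum(leg_risk(leg, oc)[0] * leg.hours for leg in legs)
    air = sum(leg_risk(leg, oc)[1] * leg.hours for leg in legs)
    return {"ground": ground, "air": air, "total": ground + air}


# Constructed legs loosely following the seven segments of Table 2 (controlled
# flag from the Remark column; the VFR corridor is treated as uncontrolled).
DEMO_LEGS = (
    Leg("1 departure LETL", False, 0.2, 2.0, 20.0),
    Leg("2 en-route R29/M871", True, 0.8, 15.0, 60.0),
    Leg("3 ingress LASPO", False, 0.3, 4.0, 150.0),
    Leg("4 operations F15B", False, 1.0, 3.0, 100.0),
    Leg("5 egress VFR corridor", False, 0.3, 6.0, 2500.0),
    Leg("6 en-route B26", True, 0.5, 20.0, 800.0),
    Leg("7 arrival SOPET1S LECH", True, 0.3, 25.0, 300.0),
)

OPERATIONAL_CONDITIONS = {  # Table 3
    "OC1": OperationalCondition(),
    "OC2": OperationalCondition(c2_link_loss=True),
    "OC3": OperationalCondition(gnss_loss=True),
    "OC4": OperationalCondition(daa_equipped=True),
    "OC5": OperationalCondition(c2_link_loss=True, daa_equipped=True),
    "OC6": OperationalCondition(gnss_loss=True, daa_equipped=True),
}

if __name__ == "__main__":
    for name, oc in OPERATIONAL_CONDITIONS.items():
        r = mission_risk(DEMO_LEGS, oc)
        print(f"{name}: ground={r['ground']:.2e} air={r['air']:.2e} total={r['total']:.2e}")
```

Because the C2 link loss removes the two pilot-dependent barriers (TCAS approval and SAA) while only scaling the ground impact rate, the assumed parameters reproduce the qualitative ordering reported above: OC2 raises the air component far more than the ground one, OC3 raises the ground one more, and any DAA-equipped condition cuts the air component by the ratio of the DAA error to the SAA failure probability. The leg with the highest population density dominates the ground term regardless of condition, which is the role the València metropolitan legs play in Figure 7.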

## 5. Conclusions

The current regulatory framework for the operation of UAS in Europe is operation-centric and risk-based. Under this framework, the authorization for conducting a specific mission is given on the basis of an operational risk assessment performed by the operator. In order to facilitate and harmonize this process, JARUS developed a qualitative risk assessment methodology called SORA. However, SORA is not a complete safety assessment tool because quantitative results are still required to demonstrate that a specific operation can be conducted safely.

In this chapter, a probabilistic risk model for UAS operations is proposed. The proposed model estimates the likelihood of occurrence of a catastrophic accident when a UAS flies a specified trajectory. One of the main novelties of the proposed model is that it is consistent with the HRM of SORA. Therefore, the probabilistic model can be used to support the qualitative assumptions and decisions taken by the SORA applicant.

The risk model must be supplied with a number of input parameters such as the aircraft model, population density or traffic density, among others. The degree of uncertainty about these parameters will determine the trustworthiness of the results obtained. In this work, illustrative data are used to validate the model in a demonstration mission under different operational conditions. Results show that the C2 link loss event is more critical to the air risk than to the ground risk. Conversely, according to the results, the loss of the GNSS signal has a greater impact on the probability of experiencing a ground impact than on that of a MAC.

Future work will make use of Bayesian inference to update the state of knowledge about the system parameters and provide confidence in the approach. Another line of research is to adapt or extend the risk model to account for future Very Low Level (VLL), high-density airspace such as UTM/U-space, where an encounter between two UA is more likely to occur than one with a manned aircraft. Finally, the risk model will be used to determine the minimum-risk trajectory when multiple, alternative routes are available (e.g., after an in-flight contingency occurs).

## Conflict of interest

The authors declare no conflict of interest.

## Appendix

This appendix provides the illustrative data used to estimate the ground risk and the air risk from Eqs. (11) and (14), respectively.

## A.1. Ground risk model data

The model parameters of Eq. (11) are

P(C2 link loss = F) | P(C2 link loss = T) |
---|---|
3.6788e-01 | 6.3212e-01 |

Autopilot malfunc. | Pilot ineffective | P(Inappropriate guidance = F) | P(Inappropriate guidance = T) |
---|---|---|---|
F | F | 1 | 0 |
F | T | 0 | 1 |
T | F | 0 | 1 |
T | T | 0 | 1 |

## A.2. Air risk model data

The model parameters of Eq. (14) are

## Notes

- In Version 2 of the SORA document, the SORA hazard was renamed as “loss of control.” However, this work retains the original name of the hazard to better differentiate it from the “loss of control in-flight” condition, which refers to the aircraft stall.
- Note that, in Figure 5, the “traffic density” node has a rectangular shape instead of an ellipse. This notation emphasizes that this node is not a probabilistic node, but a decision node, i.e., a node representing an input variable of the model. In other words, the traffic density is considered to be known at a given airspace volume.