Open access peer-reviewed chapter

Trajectory-Based, Probabilistic Risk Model for UAS Operations

Written By

Hector Usach, Juan A. Vila and Áurea Gallego

Submitted: October 15th, 2019 Reviewed: November 28th, 2019 Published: March 18th, 2020

DOI: 10.5772/intechopen.90688

Chapter metrics overview

678 Chapter Downloads

View Full Metrics


To enable the safe integration of Unmanned Aircraft System (UAS) into the civil airspace, the European Aviation Safety Agency (EASA) has elaborated a new regulatory framework that is operation-centric and risk-based. Based on this principle, gaining authorization to conduct certain types of operations depends on a safety risk assessment. To harmonize this process, the Joint Authorities for Rulemaking on Unmanned Systems (JARUS) released a qualitative methodology called Specific Operation Risk Assessment (SORA). However, SORA is not a complete safety assessment tool since, in some cases, a quantitative risk analysis is still required. This work develops a probabilistic risk model that extends SORA to evaluate the ground risk and the air risk components along a specified UAS trajectory quantitatively. The proposed model is supplied with illustrative data and is validated in a representative UAS mission. In the future, the risk model will be exploited to develop a decision tool for determining the minimum-risk trajectory when multiple, alternative routes are available.


  • risk assessment
  • UAS
  • SORA
  • Bayesian networks
  • contingency management

1. Introduction

In order to harmonize the regulation of Unmanned Aircraft System (UAS) across the European Union and to foster the development of the UAS market, the European Aviation Safety Agency (EASA) is elaborating a new regulatory framework that relies on the Concept of Operation (ConOps) for drones [1]. According to this concept, UAS operations can be classified into three categories, named “open,” “specific,” and “certified,” as summarized in Table 1. Each of these categories has an associated regulatory regime that is proportionate to the risk of the operation. Operations within the open category do not require prior authorization by the competent authority. Operations within the specific category require authorization by the competent authority based on an operational risk assessment performed by the operator. Finally, operations within the certified category are subject to a full certification process based on the safety objectives in [2].

Open categorySpecific categoryCertified category
MTOWa < 25 kg; and height<120m; and in VLOSb; and Outside reserved areasMTOWa < 25; or height120m; or BVLOScRisks like manned aviation (size, complexity, kinetic energy)
No certificationSORAFull certification

Table 1.

EASA’s concept of operation for drones.

Maximum take-off weight.

Visual line of sight.

Beyond visual line of sight.

The task of performing an operational risk assessment to obtain authorization for operating a UAS is sensitive and complex. To facilitate and harmonize this process, the Working Group 6 of the Joint Authorities for Rulemaking on Unmanned Systems (JARUS) initiative developed the Specific Operation Risk Assessment (SORA) methodology [3]. The SORA is a qualitative process that basically particularizes the risk assessment steps in [4] to evaluate the risks involved with the operation of UASs of any class and size and for any type of operation; and ultimately to determine the corresponding mitigation measures. Although it is specially intended for UASs operating within the specific category, it may be used as an acceptable means of compliance with safety objectives for the certified category as well [3].

It is to be noted, however, that although the SORA analysis is qualitative in nature, a quantitative risk analysis is still required in some circumstances. For instance, Annex C to the SORA document encourages the use of quantitative data to support the qualitative assumptions and decisions regarding the strategic mitigations for the air risk. Even so, SORA does not prescribe any quantitative model from which these data should be obtained. There exist other shortcomings regarding the qualitative approach of the SORA process. As an example, the work in [5] identifies a number of inconsistencies that ought to be resolved.

Given all the above, this work proposes to complement the SORA process with a probabilistic risk model that evaluates the ground risk and the air risk components along a specified UAS trajectory quantitatively. The quantitative data provided by the model can be used to validate whether a particular operation (either specific or certified) reaches the Target Level of Safety (TLS) required by regulation. Moreover, the quantitative model can be exploited not only for risk assessment purposes, but also as a decision tool for determining the optimal trajectory in case of mission replanning.

Several works have already proposed quantitative models to assess the risk of UAS operations. A review of some of these models can be found in [6]. Other examples include the work in [7]. It provides both a qualitative and a quantitative risk analysis of UAS operations in integrated airspace: the qualitative analysis is actually a Failure Mode and Effect Analysis (FMEA), while the quantitative analysis is based on a Fault Tree Analysis (FTA). However, none of the previous approaches is consistent with the SORA framework. Conversely, the aforementioned work in [5] follows a similar approach than the one in this work: it identifies the inconsistencies of SORA and proposes to close these gaps through a complementary, mathematically based approach to risk assessment. In particular, it provides a simple, probabilistic formulation of a barrier-based safety model. The difference between [5] and the work in this chapter is that we exploit the Bayesian formulation to model how a threat can develop into a hazard (rather than a bow-tie representation); and, especially, that we are focused on estimating the risk along a specified flight trajectory (rather than on evaluating the effectiveness of the safety barriers). Other risk models in the literature will also be referenced along this work conveniently.

An important consideration is that risk models for UASs are in general highly dependent on the ConOps under consideration, and especially on the type of airspace where the operation takes places (e.g., airspace type and class, operating altitude, encounter rate, conflict management layers available, etc.). Due to the wide variety of ConOps that can be envisaged, it is difficult develop a model that captures the characteristics of all the possible operating environments. So considering the research interests of the authors, this work is focused on UASs operating in the Air Traffic Management (ATM) environment. This implies that the UAS must comply with existing rules and procedures for manned aviation (e.g., rules of the air or airspace structure). UASs operating in the UAS Traffic Management (UTM) environment (e.g., ConOps proposed by the CORUS project [8]) are therefore out of the scope of this work.

The rest of the chapter is organized as follows. Section 2 details the ConOps considered in this work, as well as the demonstration mission that will be used to validate the proposed risk model. Section 3 develops the probabilistic risk model for the proposed ConOps. Section 4 provides the validation results. Finally, Section 5 concludes the chapter and outlines future lines of research.


2. Proposed concept of operation

In order to provide a broad vision of the problem under study, this work is not focused on a particular type of operation. Rather, the proposed ConOps describes a wide range of flight profiles with the following general common features:

  • The UAS operation is to be performed Beyond Visual Line of Sight (BVLOS) of the operator.

  • The UAS operation is to be performed under Instrument Flight Rules (IFR). When airspace requirements impose compliance with Visual Flight Rules (VFR), airspace segregation will be necessary.

  • The UAS operation may enter in controlled airspace. The operation may also take-off or land at a controlled airport. Therefore, coordination with the corresponding Air Traffic Control (ATC) authority is compulsory. Additionally, the UAS can fly under non-conventional ATC services not included in controlled areas; for example, an ATC unit that acts specifically at the operations area, similar to the one used to coordinate the operations in a firefighting.

  • The UAS operation is to take place out of urban areas.

Due to the inherent complexity of the proposed ConOps, it is assumed that Unmanned Aircraft (UA) models capable of flying these missions will be comparable to manned aircraft in terms of size and complexity. A representative UA that will be used for demonstration purposes is the IAI Super Heron model. Furthermore, the UAS will be remotely piloted by an operator (called remote pilot); and the communication between the remote pilot and the UA will be conducted using a Command and Control (C2) data link. So, the UAS will actually be a Remotely Piloted Aircraft System (RPAS), which includes the Remotely Piloted Aircraft (RPA), the remote pilot station(s), and the C2 link.

2.1 Demonstration mission description

One among all the possible missions described by this, ConOps will be used to validate the probabilistic risk model discussed below. The proposed mission consists of a route from a departure airport to an operations area; a series of maneuvers within this area; and finally a route toward the destination airport. In particular, in the proposed demonstration mission, represented in Figure 1, the UAS must depart from the uncontrolled airport of Teruel (International Civil Aviation Organization (ICAO) code LETL) to perform some direct observations over the Albufera’s natural park in Spain; and then land at the controlled airport of Castellón (LECH). The operations area has well-specified limits (defined by perimeter F15B in Figure 1) which must be enforced using a geo-awareness system. In addition, given that this area is located within the Controlled Traffic Region (CTR) of the València Airport (ICAO code LEVC), the mission will require special permission from Air Traffic Service (ATS) authorities. To perform this mission, a route connecting the departure site, the operations area, and the arrival site must be specified. The proposed route is composed of 14 flight legs, which are structured into seven flight segments (described in Table 2), and which have been constructed in compliance with the Spanish Aeronautical Information Service (AIS) [9]. The risk assessment results of this mission will be presented in Section 4.

Figure 1.

Demonstration mission.

Segment #Segment typeWaypoint sequenceRemark
1DepartureLETL VWP1 MANDYUncontrolled airspace
2En-routeMANDY CLS RETBA MOPIR LASPOControlled airways R29 and M871
3IngressLASPO F15B2Uncontrolled airspace
4OperationsF15B2 VWP2 F15B2Uncontrolled airspace
5EgressF15B2 VLCVFR corridor
6En-routeVLC SOPETControlled airway B26
7ArrivalSOPET TATOS NIBEN LECHStandard arrival SOPET1S

Table 2.

Route specification for the demonstration mission.


3. Probabilistic risk model compliant with the SORA framework

In order to develop a probabilistic risk model that is consistent with the SORA framework, it is necessary to account with the Holistic Risk Model (HRM) behind the SORA methodology. In short, the HRM is focused on the occurrence of a single, generic hazard, named “UAS operation out of control,”1 an emergency condition with the potential to provoke three possible harms: fatal injuries to third parties on the ground, fatal injuries to third parties in the air or damage to critical infrastructures. At the same time, the out of control condition can originate from different threats, like a technical error, a human error, etc. Further details can be found on Version 1 of the SORA document [3].

To estimate the likelihood of occurrence of each of the previous harm categories (here expressed as Pharm), the Version 1 of the SORA document mentions a mathematical model that depends on three factors: the probability of being out of control (Pooc), the conditional probability of striking the entity of value (i.e., third parties on the ground or in the air, or critical infrastructures) once the operation is out of control (Pstrike/ooc), and the conditional probability of causing the given harm if the strike has actually occurred (Pharm/strike):


However, SORA does not further detail this model since SORA is a risk assessment methodology of a qualitative nature. This work will use Eq. (1) as the basis to develop a quantitative, probabilistic risk model for UAS operations. To do so, Eq. (1) will first be rearranged for convenience so that it is expressed as a function of the probability of impact (Pimpact) rather than the probability of being out of control. In the sequence of events of a UAS mishap, the “impact” event is an intermediate condition between the out of control event and the event of striking a third party, see Figure 2. Having this in mind, Pimpactcan be expressed as:

Figure 2.

Sequence of events of a UAS mishap.


where Pimpact/oocis the conditional probability of having an impact given the out of control condition. Eq. (1) can thus be rewritten as follows with minor effort:


Note, however, that the likelihood of occurrence of an aircraft accident is usually expressed as the number of occurrences per flight hour, not as a probability. Therefore, Eq. (3) can be rewritten in terms of rate of occurrence as follows:


where λharmis the rate at which the harm under analysis occurs (per flight hour), and λimpactis the rate at which the impact event is expected to occur (also per flight hour). In general, Eq. (4) expresses an instant risk as the different terms involved in this equation can vary along space and time. For example, the probability of striking a third party on the ground depends on the population density in the vicinity of the impact area. The aim of this work is to assess the risk posed by a UAS flying a given trajectory r=rt,tab,a<b, where rtis a curve Cbetween two points raand rb. Therefore, in order to compute the overall risk along a defined flight path, it is necessary to perform the line integral of Eq. (4) along the curve Cbetween raand rb:


where dsis an elementary arc length. Note that Eq. (5) is expressed in terms of occurrences per hour of operation along a specified distance (s1musing the International System of Units). Then, the average risk along this trajectory in terms of occurrences per flight hour is given by:


where LC=Cdsis the length of the curve Cbetween raand rb(i.e., the length of the planned trajectory). Next, Eq. (5) will be particularized to assess the risk of causing fatal injuries to third parties on the ground (hereinafter ground risk), and to third parties in the air (hereinafter air risk). Due to lack of data and time constraints, the risk of causing damage to critical infrastructures will not be assessed in this work.

3.1 Ground risk model

In order to derive the ground risk component (denoted as ΛG) from Eq. (5), it is necessary to develop an impact model (term λimpactin Eq. (4)), a strike model (term Pstrike/impact), and a harm model (Pharm/strike). The proposed models for these terms are discussed next.

3.1.1 Impact model

The ground impact model provides the rate at which a ground impact occurs (λimpact). In the literature, this term is often assumed to be constant and is either estimated based on historical accident data, component failure data, and expert judgment [10, 11], or deduced from the TLS required by regulation [12, 13, 14]. By contrast, this work suggests modeling λimpactusing Bayesian Belief Networks (BBNs), which provides two major advantages:

  1. The model can be supplied with both qualitative and quantitative data simultaneously [15]. This is specially useful in models with high degree of uncertainty, like in the problem under study.

  2. Probabilistic inference can be used to replace an initial assumption regarding one model variable by a perceived evidenceregarding this variable and then, the model automatically updates the remaining probabilities based on the presence of such evidence [16]. In practice, this capability can be used to update the probability of a ground impact given the real-time state of the system (for instance, depending on whether the C2 link is loss or alive).

The proposed BBN describing the ground impact model is represented in Figure 3. As it can be observed, the model is described by a directed, acyclic graph where nodes represent variables and edges represent the conditional dependencies between these variables. Each node variable is associated with a Bayesian probability that is expressed with a Conditional Probability Table (CPT). In this case, the sink node represents the probability of a ground impact (Pimpact), and the remaining nodes describe the sequence of events between the initiating factors and the expected outcome. Therefore, the probability of a “ground impact” depends on the combined likelihood of experiencing a “loss of control in-flight” and a “boundary violation” condition (i.e., exceeding the operational limits approved for the operation), see Figure 3. At the same time, these abnormal flight conditions can be caused by an “inappropriate guidance,” i.e., a guidance command that is not suitable for the current state of the aircraft (because it exceeds the flight envelope limits, because it is not consistent with the approved Mission Plan, etc.). In addition, the “boundary violation” can also result from a “navigation error” like the loss of the Global Navigation Satellite System (GNSS) signal. The “inappropriate guidance” is based on the combined effect of an “autopilot malfunction” (including loss of function and malfunction) and “pilot ineffectiveness.” The human pilot is considered to be “ineffective” when she or he takes a wrong guidance decision, or when a correct decision is badly executed (e.g., selection of an inappropriate control mode, poor piloting skills, etc.). The source of an “autopilot malfunction” or a “pilot ineffectiveness” condition may be the use of incorrect navigation information caused by a “navigation error.” Finally, the pilot may also be “ineffective” when she or he is not in the control loop due to the “C2 link loss.”

Figure 3.

Ground impact BBN model.

In order to obtain the output probability Pimpact, it is necessary to define the CPTs of each of the events of the previous BBN. As it can be observed, these events basically include technical errors (e.g., “navigation error,” “autopilot malfunction,” etc.) and human errors (e.g., “pilot ineffective”). The CPT of an event cataloged as a technical error can be obtained from the technical specifications or can be deduced from system tests. By contrast, the CPT of an event cataloged as a human error depends on human factors like type of activity being carried out, workload, etc. Some authors have already attempted to develop human performance models for specific activities (e.g., ATC controllers [17] or pilots of manned aircraft [18]). However, the development of a detailed human performance model is a vast task that exceeds the scope of this work. For this reason, we will calibrate the proposed model using technical data when possible, and illustrative data from experts’ judgment otherwise, see the Appendix. The output data will be assumed to be representative of the case study, although it should be validated in a future stage using some of the approaches proposed in the literature (e.g., see [19, 20]).

Another important remark regarding the previous model is that it provides the probability of the occurrence of the ground impact event (Pimpact), not the failure rate (λimpact). In order to derive λimpactfrom Pimpact, it is necessary to assume a given probability distribution function. As in similar approaches in the literature (e.g., see [15, 21]), this work assumes that Pimpactfollows a Poisson distribution, so λimpactis given by:


3.1.2 Strike model

The strike model represents the conditional probability that an impact at a specific location strikes a person. To model this term, this work will use a widely accepted model in the literature [10, 11, 12, 13, 16, 22]:


where ρGris the population density at the impact point, and LAis the lethal area of the airborne platform. Census data are often used to estimate ρGr[10, 14, 16, 23]. With respect to the lethal area, two crash modes are often considered in the literature: vertical free fall [10, 22, 23] and unpremeditated, gliding descent [10, 11, 13, 16]. For simplicity, this work assumes that the ground impact occurs following a vertical free fall so that the impact location is close to the point where the initiating failure has occurred. Therefore:


where wuais the UA wingspan, Luais the UA length, and Rpis the radius of an average person. Note that LAis thus a constant parameter because none of these terms vary with the aircraft trajectory.

3.1.3 Harm model

The harm caused to a person after a strike depends on multiple factors, including type of UA (e.g., size, fragility, etc.), conditions at the point of impact (e.g., speed, position), or secondary effects like explosions, etc. [24]. However, in compliance with the SORA approach, this work assumes the worst-case condition where: (1) there are no sheltering structures that mitigate the effect of a ground impact, and (2) any direct impact of a UA causes the instant death of the people involved in the accident. Therefore:


So, in summary, the proposed ground risk model is given by:


3.2 Air risk model

As in the case of the ground risk, deriving the air risk component (denoted as ΛA) from Eq. (5) requires to develop an impact model (term λimpactin Eq. (4)), a strike model (term Pstrike/impact), and a harm model (Pharm/strike). The proposed approach to develop these terms is discussed next.

3.2.1 Impact model

The air impact model provides the rate at which a Mid-Air Collision (MAC) between two aircraft occurs (λimpact). In the literature, this term is often modeled using the Maxwell molecule formulation [21, 23, 25], which assumes that the air traffic behaves randomly in airspace, and thus that the rate at which a MAC occurs is proportional to the traffic density in the operational volume. However, this theory does not contemplate the conflict management layers available in the airspace [26], schematized in Figure 4; and, for this reason, it does not adequately represent traffics operating in the ATM framework. To overcome this, this work proposes to develop the air impact model following the same approach than in the ground impact: using BBNs. In particular, two BBNs will be developed: one for segments performed in controlled airspace and other for uncontrolled airspace.

Figure 4.

Conflict management layers in UAS. Credit: Drone icon by Anthony Lui from the Noun Project. Mid-air collision model for segments performed in controlled airspace

The proposed mid-air collision BBN model for flight segments performed in controlled airspace is represented in Figure 5. The output node of this model is the “MAC” node which has an associated probability Pimpact. The sequence of events leading to this flight condition depends on two major events: the “separation error” and the “collision avoidance error.” As it is shown in Figure 4, the “separation error” occurs when both “strategic separation” and “tactical separation” fail. “Strategic separation error” basically refers to the failure of the procedural separation mechanism, while “tactical separation error” involves the ATC surveillance capability. The “tactical separation error” node probability depends on the combined likelihood of the corresponding ATC unit being “ineffective” and the remote pilot performing an “inappropriate guidance.” ATC is ineffective when a possible conflict is not detected, or when ATC provides an incorrect clearance. This node probability certainly depends on the “traffic density”2 in the area. “Inappropriate guidance” refers to conditions where the ATC clearance is not correctly executed by the remote pilot. Note that the probability of experiencing an “inappropriate guidance” depends on the same sequence of events than in the ground impact BBN model described in Section 3.1.1.

Figure 5.

Mid-air collision BBN model in controlled airspace.

Once the “separation error” occurs, collision avoidance layers can still prevent the MAC from occurring. In controlled airspace, it is assumed that aircraft will be equipped with a transponder. Therefore, collision avoidance can be performed at two levels with a different time horizon. At a first level, Traffic alert and Collision Avoidance System (TCAS) can trigger a traffic alert/resolution advisory. The effectiveness of this layer depends on the remote pilot because it is assumed that she or he must still approve or reject the resolution advisory. If the TCAS alert results “ineffective,” then the Near Mid-Air Collision (NMAC) condition will occur. After this happens, a second collision avoidance mechanism can still reduce the probability of a MAC impact by performing an evasion maneuver seconds after the point of closest approach. This maneuver may be either a See and Avoid (SAA)-based maneuver performed by the remote pilot, or a Detect and Avoid (DAA)-based maneuver performed by the automatic system (if a DAA system is equipped onboard the UAS). A “DAA error” may occur if the onboard sensors are unable to detect the conflicting traffic. SAA may be “ineffective” when the remote pilot has a reduced situational awareness, or when the pilot is not in the control loop due to the “C2 link loss.” Finally, as in the ground impact model, this work assumes that the MAC event follows a Poisson distribution so λimpactcan be deduced from Pimpactusing Eq. (7). Mid-air collision model for segments performed in uncontrolled airspace

The proposed mid-air collision BBN model for flight segments performed in uncontrolled airspace is represented in Figure 6. As in the BBN model for controlled airspace, the output node is the “MAC” node which has an associated probability Pimpact. However, as it can be observed in the figure, the sequence of events leading to this flight condition differs when flying in uncontrolled airspace. To start with, separation provision is independent of the ATC service. In this case, the main separation mechanism is the definition of the mission boundaries and the use of geofencing to enforce these boundaries. However, a “boundary violation” may occur due to “inappropriate guidance” or because of a “navigation error.” Once the “boundary violation” occurs, the likelihood of experiencing a “separation error” increases with the “traffic density” in the area.

Figure 6.

Mid-air collision BBN model for uncontrolled airspace.

Even if the UAS flies within the specified boundaries, other traffics may also be encountered in the same operational volume. For this reason, the remote pilot is required to “remain well clear” of other aircraft at all times. However, the remote pilot may fail at remaining well clear because she or he performs an “inappropriate guidance.” The proposed model assumes that the likelihood of the remote pilot failing at remaining well clear increases with the “traffic density” because of the increased pilot workload.

The other key difference when operating in uncontrolled airspace is that aircraft are not required to be equipped with a transponder. Therefore, one cannot assume that an intruder aircraft will be a cooperative traffic, what makes the TCAS layer inoperative. As a result, after a “separation error” occurs, the “NMAC” condition is assumed to happen, and the only feasible collision avoidance mechanism is the SAA or DAA maneuver. This is one of the factors that certainly increases the operational risk when flying in uncontrolled airspace.

3.2.2 Strike model

The strike model represents the conditional probability that an impact between two aircraft strikes a person in the air. In the case of a UAS operation, an impact is expected to cause a strike only if the transient aircraft is a manned aircraft. Therefore, the strike model should account for the ratio between manned and unmanned aircraft in the vicinity of the operating area. For simplicity, this work assumes that all mid-air collisions involve a manned aircraft as long as the UAS is not performing a formation flight with other UAs. This way, all impacts are supposed to result in a strike:


where ρAris the number of people onboard the collided aircraft. In order to estimate this term, it is necessary to characterize the aircraft flying in the airspace volume where the operation takes place. For example, it is possible to assume that most aircraft flying a controlled airway will be airliners, while most aircraft flying in uncontrolled airspace will be general aviation aircraft.

3.2.3 Harm model

The harm model determines the likelihood of causing fatal injuries to people onboard the collided aircraft once the strike between the UAS and the manned aircraft has occurred. As in the case of the ground risk model, this work assumes the worst-case condition where all strikes result in a casualty:


So, in summary, the proposed air risk model is given by:


4. Validation results

The probabilistic risk model in Section 3 has been implemented in Matlab and has been supplied with the illustrative data in the Appendix. To validate this model, a risk assessment will be performed for the demonstration mission in Section 2.1. In particular, the risk assessment will be performed considering six different operational conditions of the UAS (named as OC1to OC6), described in Table 3. The results obtained are shown in Figure 7, where each subfigure shows the ground risk component and the air risk component along each flight leg of the demonstration mission, considering a specific operational condition.

IDOperational conditionDAA equipped
OC1Nominal conditionNone
OC2Autonomous condition (C2 link loss)None
OC3Degraded navigation condition (GNSS signal loss)None
OC4Nominal conditionRTCA SC-228 compliant
OC5Autonomous condition (C2 link loss)RTCA SC-228 compliant
OC6Degraded navigation condition (GNSS signal loss)RTCA SC-228 compliant

Table 3.

Operational conditions evaluated in the risk assessment.

Figure 7.

Risk assessment results: Ground risk and air risk components in each flight leg of the demonstration mission. (a) Operational condition OC1. (b) Operational condition OC2. (c) Operational condition OC3. (d) Operational condition OC4. (e) Operational condition OC5. (f) Operational condition OC6.

As it can be observed, the air risk component is the main contribution to the total risk whenever a DAA system is not equipped onboard the UAS (Figure 7ac). However, this risk component can be almost entirely removed if a DAA system is equipped and it complies with the Minimum Operational Performance Standards (MOPS) of RTCA SC-228 [27] (the most stringent requirements required by SORA, almost an ideal DAA). When it comes to the ground risk component, it becomes a determining factor specially when overflying high population density areas like the metropolitan area of València (corresponding to flight legs 8 to 11, see Figure 1).

Another interesting result that can be deduced from Figure 7 is that the loss of the C2 link has a greater impact on the air risk than on the ground risk (what is in line with the results in [7]). This is due to the fact that, during this abnormal flight condition, the remote pilot is unable to intervene in the operation; and consequently tactical separation, TCAS and SAA conflict management layers are not effective. Conversely, the results obtained indicate that the loss of the GNSS signal is slightly more critical when it comes to the ground risk than to the air risk.

Finally, Table 4 shows the cumulative risk when considering the entire demonstration mission. Note that the cumulative risk Λis computed by adding the ground risk component and the air risk component along all the flight legs of the planned trajectory; while the average risk λ¯is computed from Λusing Eq. (6). As an example, the cumulative risk when the UAS operates in OC1is Λ=9.29102h1NM; although it can be reduced down to Λ=1.04102h1NMby means of the DAA capability (OC4). Considering that the estimated path length for this route is L=199NM, the average risk in these conditions is λ¯=4.67104h1and λ¯=5.23105h1, respectively.

Operational conditionΛh1NMλ¯h1

Table 4.

Cumulative risk and average risk when the UAS flies the demonstration mission in different operational conditions.


5. Conclusions

Current regulatory framework for the operation of UAS in Europe is operation-centric and risk-based. Based on this framework, the authorization for conducting a specific mission is given on the basis of an operational risk assessment performed by the operator. In order to facilitate and harmonize this process, EASA established a qualitative risk assessment methodology called SORA. However, SORA is not a complete safety assessment tool because quantitative results are still required to demonstrate that a specific operation can be conducted safely.

In this chapter, a probabilistic risk model for UAS operations is proposed. The proposed model estimates the likelihood of occurrence of a catastrophic accident when a UAS flies a specified trajectory. One of the main novelties of the proposed model is that it is consistent with the HRM of SORA. Therefore, the probabilistic model can be used to support the qualitative assumptions and decisions taken by the SORA applicant.

The risk model must be supplied with a number of input parameters such as aircraft model, population density or traffic density, among others. The degree of uncertainty about these parameters will determine the trustworthiness of the results obtained. In this work, illustrative data is used to validate the model in a demonstration mission for different operational conditions. Results show that the C2 link loss event is more critical to the air risk that to the ground risk. Conversely, the loss of the GNSS signal has a greater impact on the probability of experiencing a ground impact than a MAC, according to the results.

Future work is to make use of Bayesian inference to update the state of knowledge about the system parameters and provide confidence in the approach. Another line of research is to adapt or extend the risk model to account for future Very Low Level (VLL), high density airspace like the UTM/U-space, where an encounter between two UA is more likely to occur than one with a manned aircraft. Finally, the risk model will be used to determine the minimum-risk trajectory when multiple, alternative routes are available (e.g., after an in-flight contingency occurs).


Conflict of interest

The authors declare no conflict of interest.


This appendix provides the illustrative data used to estimate the ground risk and the air risk from Eqs. (11) and (14), respectively.


A.1. Ground risk model data

The model parameters of Eq. (11) are LA, λimpact, and ρG. To estimate the lethal area LA, it is necessary to specify the UA dimensions and the average person model. In this case, it is assumed that the intended mission will be performed using the IAI Super Heron model, which has a wingspan and length of 16.6and 8.5m, respectively [28]. An average person is usually modeled as a cylinder of height Hp=1.75mand radius Rp=0.25m[23]. To estimate the ground impact event rate λimpactfrom the BBN model, it is necessary to specify the CPT for all the nodes in Figure 3. As an example, the CPT used for the “C2 link loss” node is shown in Table 5 (which assumes that the corresponding Mean Time Between Failure (MTBF) is 1h); while the CPT for the “Inappropriate guidance” node is shown in Table 6. The remaining tables can be found in [29], but are here omitted for brevity. Finally, to compute the population distribution ρG, we have accessed the Spanish census data provided by Instituto Nacional de Estadística (Spanish Statistics Institute) (INE) in [30], and we have processed it using the ArcGis software. The resulting data has been converted to a raster image with a cell size of 1×1km(represented in Figure 8) and has been exported to Matlab.

C2 link loss

Table 5.

CPT for “C2 link loss” node.

Autopilot malfunc.Pilot ineffectiveInappropriate guidance

Table 6.

CPT for “inappropriate guidance” node.

Figure 8.

Population density in Spain (excluding the Canary Islands) based on census data from INE.


A.2. Air risk model data

The model parameters of Eq. (14) are λimpactand ρA. In this proposal, λimpactvaries along the aircraft trajectory rtas a function of the airspace class where the operation takes place (basically on whether it is controlled or not) and the aircraft density in each operational volume. The airspace class is an evidence for this model, since it is implicit in the route specification (see Table 2). To obtain the traffic density, this work has exploited the Network Strategic Modeling Tool (NEST) software by European Organization for the Safety of Air Navigation (Eurocontrol), which provides a dataset comprising 31.626 real cooperative flights operated in Europe during AIRAC cycle 1307, see Figure 9. Then, the CPTs for all the event nodes in Figures 5 and 6 are specified considering the possible traffic densities in the mission; see [29] for further details. Finally, to estimate the number of people onboard the manned aircraft involved in the MAC (ρA), this work assumes that the most probable intruder aircraft when flying in controlled airspace is a short-to-medium-range airliner like a Boeing 737 or an Airbus A320 (two of the world’s most successful commercial airliners), with an estimated capacity of ρA=180passengers. When flying in uncontrolled airspace, the intruder aircraft is assumed to be a general aviation aircraft like a Cessna 172 or a Piper PA-28 Cherokee, with an estimated capacity of ρA=4passengers.

Figure 9.

NEST screenshot showing traffics flying over waypoint SOPET on July 18, 2013.


  1. 1. European Aviation Safety Agency. Concept of Operations for Drones: A Risk Based Approach to Regulation of Unmanned Aircraft. Cologne, Germany: EASA; 2015
  2. 2. Joint Authorities for Rulemaking of Unmanned Systems Working Group 6. AMC RPAS.1309: Safety Assessment of Remotely Piloted Aircraft Systems. Brussels, Belgium: JARUS; 2015
  3. 3. Joint Authorities for Rulemaking of Unmanned Systems Working Group 6. JARUS Guidelines on Specific Operations Risk Assessment (SORA). Brussels, Belgium: JARUS; 2017
  4. 4. International Civil Aviation Organization. Doc. 9859, AN/474: Safety Management Manual (SMM). Montréal, Canada: ICAO; 2013
  5. 5. Denney E, Pai G, Johnson M. Towards a rigorous basis for specific operations risk assessment of UAS. In: 37th Digital Avionics Systems Conference (DASC). London, England: IEEE/AIAA; 2018. pp. 1-10. DOI: 10.1109/DASC.2018.8569475
  6. 6. Cour-Harbo Al. The value of step-by-step risk assessment for unmanned aircraft. In: International Conference on Unmanned Aircraft Systems (ICUAS). Dallas, Texas: IEEE; 2018. pp. 149-157. DOI: 10.1109/ICUAS.2018.8453411
  7. 7. Ferreira RB, Baum DM, Neto ECP, Martins MR, Almeida JR, Cugnasca PS, et al. A risk analysis of unmanned aircraft systems (UAS) integration into non-segregate airspace. In: International Conference on Unmanned Aircraft Systems (ICUAS). Dallas, Texas: IEEE; 2018. pp. 42-51. DOI: 10.1109/ICUAS.2018.8453455
  8. 8. CORUS Consortium. Intermediate Concept of Operations for U-Space. Brussels, Belgium: SESAR Joint Undertaking; 2019
  9. 9. Enaire. AIP España: Servicio de Información Aeronáutica [Online]; 2019. Available from: [Accessed: June 2019]
  10. 10. Clothier RA, Walker RA, Fulton N, Campbell DA. A casualty risk analysis for unmanned aerial system (UAS) operations over inhabited areas. In: 12th Australian International Aerospace Congress (AIAC12). Melbourne, Australia; 2007. pp. 1-15
  11. 11. Lum C, Gauksheim K, Deseure C, Vagners J, McGeer T. Assessing and estimating risk of operating unmanned aerial systems in populated areas. In: 11th AIAA Aviation Technology, Integration, and Operations (ATIO) Conference. Virginia Beach, Virginia: AIAA; 2011. p. 6918. DOI: 10.2514/6.2011-6918
  12. 12. Burke DA. System Level Airworthiness Tool: A Comprehensive Approach to Small Unmanned Aircraft System Airworthiness. Raleigh, North Carolina: North Carolina State University; 2010
  13. 13. Grimsley F. Equivalent safety analysis using casualty expectation approach. In: AIAA 3rd Unmanned Unlimited Technical Conference, Workshop and Exhibit. Chicago, Illinois: AIAA; 2004. p. 6428. DOI: 10.2514/6.2004-6428
  14. 14. Weibel RE. Safety considerations for operation of unmanned aerial vehicles in the National Airspace System [MSc thesis]. Cambridge, Massachusetts: Massachusetts Institute of Technology; 2005
  15. 15. Barr LC, Newman RL, Ancel E, Belcastro CM, Foster JV, Evans J, et al. Preliminary risk assessment for small unmanned aircraft systems. In: 17th AIAA Aviation Technology, Integration, and Operations (ATIO) Conference. Denver, Colorado: AIAA; 2017. p. 3272. DOI: 10.2514/6.2017-3272
  16. 16. Ancel E, Capristan FM, Foster JV, Condotta RC. Real-time risk assessment framework for unmanned aircraft system (UAS) traffic management (UTM). In: 17th AIAA Aviation Technology, Integration, and Operations (ATIO) Conference. Denver, Colorado: AIAA; 2017. p. 3273. DOI: 10.2514/6.2017-3273
  17. 17. Jha PD, Bisantz AM, Parasuraman R, Drury CG. Air traffic controllers’ performance in advance air traffic management system: Part I—Performance results. The International Journal of Aviation Psychology. 2011;21(3):283-305. DOI: 10.1080/10508414.2011.582456
  18. 18. Foyle DC, Hooey BL, Byrne MD, Corker KM, Deutsch S, Lebiere C, et al. Human performance models of pilot behavior. Proceedings of the Human Factors and Ergonomics Society Annual Meeting. 2005;49(12):1109-1113. DOI: 10.1177/154193120504901202
  19. 19. Arnaldo Valdés RM, Liang Cheng SZ, Gómez Comendador VF, Sáez Nieto FJ. Application of Bayesian networks and information theory to estimate the occurrence of mid-air collisions based on accident precursors. Entropy. 2018;20(12):969. DOI: 10.3390/e20120969
  20. 20. Pitchforth J, Mengersen K. A proposed validation framework for expert elicited Bayesian networks. Expert Systems with Applications. 2013;40(1):162-167. DOI: 10.1016/j.eswa.2012.07.026
  21. 21. McGeer T, Newcome LR, Vagners J. Quantitative risk management as a regulatory approach to civil UAVs. In: International Workshop on UAV Certification. Paris, France; 1999. pp. 1-11
  22. 22. Shelley AV. A model of human harm from a falling unmanned aircraft: Implications for UAS regulation. International Journal of Aviation, Aeronautics, and Aerospace. 2016;3(3):1. DOI: 10.15394/ijaaa.2016.1120
  23. 23. Lum C, Waggoner B. A risk based paradigm and model for unmanned aerial systems in the national airspace. In: AIAA Infotech @ Aerospace. St. Louis, Missouri: AIAA; 2011. p. 1424. DOI: 10.2514/6.2011-1424
  24. 24. Washington A, Clothier RA, Almeida da Silva J. A review of unmanned aircraft system ground risk models. Progress in Aerospace Science. 2017;95:24-44. DOI: 10.1016/j.paerosci.2017.10.001
  25. 25. Anno JN. Estimate of human control over mid-air collisions. Journal of Aircraft. 1982;19(1):86-88
  26. 26. International Civil Aviation Organization. Doc. 9859, AN/458: Global Air Traffic Management Operational Concept. Montréal, Canada: ICAO; 2005
  27. 27. Radio Technical Commission for Aeronautics. SC-228 Minimum Operational Performance Standards for Unmanned Aircraft Systems. Washington, D.C.: RTCA; 2011
  28. 28. Israel Aerospace Industries Ltd. Heron: Strategic & Tactical Missions MALE UAV System [Online]. 2019. Available from:[Accessed: November 2019]
  29. 29. Usach H. Automated contingency management in unmanned aircraft systems [PhD thesis]. València, Spain: Universitat Politècnica de València; 2019. DOI: 10.4995/Thesis/10251/130202
  30. 30. Instituto Nacional de Estadística. Censos de Población y Viviendas 2011 [Online]. 2018. Available from: [Accessed: October 2018]


  • In Version 2 of the SORA document, the SORA hazard was renamed as “loss of control.” However, this work retains the original name of the hazard to better differentiate it from the “loss of control in-flight” condition, which refers to the aircraft stall.
  • Note that, in Figure 5, the “traffic density” node has a rectangular shape instead of an ellipse. This notation emphasizes that this node is not a probabilistic node, but a decision node, i.e., a node representing an input variable of the model. In other words, the traffic density is considered to be known at a given airspace volume.

Written By

Hector Usach, Juan A. Vila and Áurea Gallego

Submitted: October 15th, 2019 Reviewed: November 28th, 2019 Published: March 18th, 2020