INTEGRITY AND ASSURANCE LEVELS FOR THE MITIGATIONS USED TO REDUCE THE INTRINSIC GROUND RISK CLASS (GRC)
The following Table B-1 provides the basic principles to consider when using SORA Annex B.
|
|
Principle description |
Additional information |
|
#1 |
Annex B provides assessment criteria for the integrity (i.e. safety gain) and assurance (i.e. method of proof) of the applicantโs proposed mitigations. The proposed mitigations are intended to reduce the intrinsic ground risk class (GRC) associated with a given operation. |
The identification of mitigations is the responsibility of the applicant. |
|
#2 |
Annex B does not cover the LoI of the competent authority. The Lol is based on the competent authorityโs assessment of the applicantโs ability to perform the given operation. |
|
|
#3 |
A proposed mitigation may or may not have a positive effect in reducing the ground risk associated with a given operation. In the case where a mitigation is available but does not reduce the risk on the ground, its level of integrity should be considered equivalent to โNoneโ. |
|
|
#4 |
To achieve a given level of integrity/assurance, when more than one criterion exists for that level of integrity/assurance, all the applicable criteria need to be met. |
|
|
#5 |
Annex B intentionally uses non-prescriptive terms (e.g. suitable, reasonably practicable) to provide flexibility to both the applicant and the competent authorities. This does not constrain the applicant in proposing mitigations, nor the competent authority in evaluating what is needed on a case-by-case basis. |
|
|
#6 |
This annex in its entirety also applies to single-person organisations. |
|
Table B.1 โ Basic principles
B.2ย ย ย M1 โ Strategic
mitigations for ground risk
M1 mitigations are โstrategic mitigationsโ intended to reduce the number of people at risk on the ground. To assess the integrity levels of M1 mitigations, the following need to be considered:
(a)ย ย ย ย ย the definition of the ground risk buffer and the resulting ground footprint; and
(b)ย ย ย ย the evaluation of the people at risk.
With the exception of the specific case of a โtetherโ provided in the following paragraph (2), the generic criteria to assess the level of integrity (Table B.2) and level of assurance (Table B.3) of the M1 type ground risk mitigations are provided in following paragraph (1).
|
Level of integrity |
||||
|
Low |
Medium |
High |
||
|
M1 โ Strategic mitigations for ground risk |
Criterion #1 (Definition of the ground risk buffer) |
A ground risk buffer with at least a 1:1 rule1 or for rotary wing UA defined using a ballistic methodology approach acceptable to the competent authority. |
The ground risk buffer takes into consideration: (a) improbable2 single malfunctions or failures (including the projection of high energy parts such as rotors and propellers) which would lead to an operation outside the operational volume; (b) meteorological conditions (e.g. wind); (c) UAS latencies (e.g. latencies that affect the timely manoeuvrability of the UA); (d) UA behaviour when activating a technical containment measure; and (e) UA performance. |
Same as medium3 |
|
Comments |
1 If the UA is planned to
operate at an altitude of 150ย m, the ground risk buffer should be a
minimum of 150ย m. |
2 For the purpose of this
assessment, the term โimprobableโ should be interpreted in a qualitative way
as โUnlikely to occur in each UAS during its total life, but which may occur
several times when considering the total operational life of a number of UAS
of this typeโ. 3 The distinction between a
medium and a high level of robustness for this criterion is achieved through
the level of assurance (Table 3 below). |
||
|
Criterion #2 (Evaluation of people at risk) |
The applicant evaluates the area of operations by means of on-site inspections or appropriate appraisals to justify lowering the density of the people at risk (e.g. a residential area during daytime when some people may not be present or an industrial area at night time for the same reason). |
The applicant evaluates the area of operations by use of authoritative density data (e.g. data from the Uโspace data service provider) relevant for the proposed area and time of operation to substantiate a lower density of people at risk. If the applicant claims a reduction, due to a sheltered operational environment, the applicant: (a) uses a UA of less than 25ย kg and not flying above 174 knots4, and (b) demonstrates that although the operation is conducted in a populated environment, it is reasonable to consider that most of the non-involved persons will be located within a building5. |
Same as medium. |
|
|
Comments |
N/A |
4 as per MITRE presentation
given during the UAS Technical Analysis and Applications Center (TAAC)
conference in 2016 titled โUAS EXCOM Science and Research Panel (SARP) 2016
TAAC Updateโ - PRย 16โ3979 5 The consideration of this
mitigation may vary based on the local conditions. |
N/A |
|
Table B.2 โ Level of integrity
assessment criteria for ground risk of non-tethered M1 mitigations
|
Level of assurance |
||||
|
Low |
Medium |
High |
||
|
M1 โ Strategic mitigations for ground risk |
Criterion #1 (Definition of the ground risk buffer) |
The applicant declares that the required level of integrity is achieved1. |
The applicant has supporting evidence to claim that the required level of integrity has been achieved. This is typically done by means of testing, analysis, simulation2, inspection, design review or through operational experience. |
The claimed level of integrity is validated by the competent authority of the MS or by an entity that is designated by the competent authority. |
|
Comments |
1 Supporting evidence may or
may not be available. |
2 When simulation is used, the
validity of the targeted environment used in the simulation needs to be
justified. |
N/A |
|
|
Criterion #2 (Evaluation of people at risk) |
The applicant declares that the required level of integrity has been achieved3. |
The density data used for the claim of risk reduction is an average density map for the date/time of the operation from a static sourcing (e.g. census data for night time ops). In addition, for localised operations (e.g. intra-city delivery or infrastructure inspection), the applicant submits the proposed route/area of operation to the applicable authority (e.g. city police, office of civil protection, infrastructure owner etc.) to verify the claim of a reduced number of people at risk. |
Same as medium; however, the density data used for the claim of risk reduction is a near-real time density map from a dynamic sourcing (e.g. cellular user data) and applicable for the date/time of the operation. |
|
|
Comments |
3 Supporting evidence may or
may not be available |
N/A |
N/A |
|
Table B.3 โ Level of assurance
assessment criteria for ground risk of non-tethered M1 mitigations
(2)ย ย ย ย Specific criteria in case of use of a tether to reduce people at risk
When an applicant wants to take credit for a tether to justify a reduction in the number of people at risk:
(a)ย ย ย ย the tether needs to be considered part of the UAS and assessed based on the criteria below, and
(b)ย ย ย ย potential hazards created by the tether itself should be addressed through the OSOs defined in Annex E.
The level of integrity criteria for a tethered mitigation is found in Table B.4. The level of assurance for a tethered mitigation is found in Table B.5.
|
Level of integrity |
||||
|
Low |
Medium |
High |
||
|
M1 โ Tethered operation |
Criterion #1 (Technical design) |
Does not meet the โmediumโ level criteria |
(a) The length of the line is adequate to contain the UA in the operational volume and reduce the number of people at risk. (b) The strength of the line is compatible with the ultimate loads1 expected during the operation. (c) The strength of the attachment points is compatible with the ultimate loads1 expected during the operation. (d) The tether cannot be cut by the rotating propellers. |
Same as medium2 |
|
Comments |
N/A |
1 Ultimate
loads are identified as the maximum loads to be expected in service,
including all the possible nominal and failure scenarios multiplied by a 1.5
safety factor. 2 The
distinction between a medium and a high level of robustness for this
criterion is achieved through the level of assurance (Table B.5 below). |
||
|
Criterion #2 (Procedures) |
Does not meet the โmediumโ level criteria |
The applicant has procedures to install and periodically inspect the condition of the tether. |
Same as medium3 |
|
|
Comments |
N/A |
3
The distinction between a medium and a high level of robustness for this
criterion is achieved through the level of assurance (Table B.5 below). |
||
Table B.4 โ Level of integrity
assessment criteria for ground risk tethered M1 mitigations
|
|
Level of assurance |
|||
|
Low |
Medium |
High |
||
|
M1 โ Tethered operation |
Criterion #1 (Technical design) |
Does not meet the โmediumโ level criteria |
The applicant has supporting evidence (including the specifications of the tether material) to claim that the required level of integrity is achieved. (a) This is typically achieved through testing or operational experience. (b) Tests can be based on simulations; however, the validity of the target environment used in the simulation needs to be justified. |
The claimed level of integrity is validated by the competent authority of the MS or by an entity that is designated by the competent authority. |
|
Comments |
N/A |
N/A |
N/A |
|
|
Criterion #2 (Procedures) |
(a) Procedures do not require validation against either a standard or a means of compliance considered adequate by the competent authority of the MS. (b) The adequacy of the procedures and checklists is declared. |
(a) Procedures are validated against standards considered adequate by the competent authority of the MS and/or in accordance with the means of compliance acceptable to that authority1. (b) The adequacy of the procedures is proven through: (1) dedicated flight tests; or (2) simulation, provided that the representativeness of the simulation means is proven to be valid for the intended purpose with positive results; or (3) any other means acceptable to the competent authority of the MS. |
Same as medium. In addition: (a) Flight tests performed to validate the procedures cover the complete flight envelope or are proven to be conservative. (b) The procedures, flight tests and simulations are validated by the competent authority of the MS or by an entity that is designated by the competent authority. |
|
|
Comments |
N/A |
1 AMC2 UAS.SPEC.030(3)(e)
(Operational procedures for medium and high levels of robustness) is
considered an acceptable means of compliance. |
N/A |
|
Table B.5 โ Level of assurance
assessment criteria for ground risk tethered M1 mitigations
B.3ย ย ย M2 โ Effects of ground impact are reduced
M2 mitigations are intended to reduce the effect of ground impact once the control of the operation is lost. This is done by reducing the effect of the UA impact dynamics (i.e. the area, energy, impulse, transfer energy, etc.). One example would be the use of a parachute.
|
Level of integrity |
||||
|
Low/None |
Medium |
High |
||
|
M2 โ Effects of UA impact dynamics are reduced (e.g. parachute) |
Criterion #1 (Technical design) |
Does not meet the โmediumโ level criterion |
(a) Effects of impact dynamics and post impact hazards1 are significantly reduced although it can be assumed that a fatality may still occur. (b) When applicable, in case of malfunctions, failures or any combinations thereof that may lead to a crash, the UAS contains all the elements required for the activation of the mitigation. (c) When applicable, any failure or malfunction of the proposed mitigation itself (e.g. inadvertent activation) does not adversely affect the safety of the operation. |
Same as medium. In addition: (a) When applicable, the activation of the mitigation is automated2. (b) The effects of impact dynamics and post impact hazards are reduced to a level where it can be reasonably assumed that a fatality will not occur3. |
|
Comments |
N/A |
1 Examples of post impact
hazards include fires and the release of high-energy parts. |
2 The applicant retains the
discretion to implement an additional manual activation function. 3 Emerging research and
upcoming industry standards will help applicants to substantiate compliance
with this integrity criterion. |
|
|
Criterion #2 (Procedures, if applicable) |
Any equipment used to reduce the effect of the UA impact dynamics is installed and maintained in accordance with the manufacturerโs instructions.4 |
|||
|
Comments / Notes |
4 The distinction between a
low, a medium and a high level of robustness for this criterion is achieved
through the level of assurance (Table B.7 below). |
|||
|
Criterion #3 (Training, if applicable) |
Personnel responsible for the installation and maintenance of the measures proposed to reduce the effect of the UA impact dynamics are identified and trained by the applicant.5 |
|||
|
Comments / Notes |
5 The distinction between a
low, a medium and a high level of robustness for this criterion is achieved
through the level of assurance (Table B.7 below). |
|||
Table B.6 โ Level of integrity
assessment criteria for M2 mitigations
|
M2 โ Effects of UA impact dynamics are reduced (e.g. parachute) |
|
Level of assurance |
||
|
Low/None |
Medium |
High |
||
|
Criterion #1 (Technical design) |
The applicant declares that the required level of integrity has been achieved1. |
The applicant has supporting evidence to claim that the required level of integrity is achieved. This is typically2 done by means of testing, analysis, simulation3, inspection, design review or through operational experience. The applicant may declare compliance with MoC to Light-UAS.25124 providing the supporting evidence defined in it. |
The competent authority should request the applicant to use a UAS for which EASA has verified the claimed integrity through a DVR. |
|
|
Comments |
1
Supporting evidence may or may not be available. |
2
The use of industry standards is encouraged when developing mitigations used
to reduce the effect of ground impact. 3
When simulation is used, the validity of the targeted environment used in
the simulation needs to be justified. |
|
|
|
Criterion #2 (Procedures, if applicable) |
(a) Procedures do not require validation against either a standard or a means of compliance considered adequate by the competent authority of the MS. (b) The adequacy of the procedures and checklists is declared. |
(a) Procedures are validated against standards considered adequate by the competent authority of the MS and/or in accordance with the means of compliance acceptable to that authority1. (b) The adequacy of the procedures is proven through: (1) dedicated flight tests; or (2) simulation, provided that the representativeness of the simulation means is proven to be valid for the intended purpose with positive results; or (3) any other means acceptable to the competent authority of the MS |
Same as medium. In addition: (a) Flight tests performed to validate the procedures cover the complete flight envelope or are proven to be conservative. (b) The procedures, flight tests and simulations are validated by the competent authority of the MS or by an entity that is designated by the competent authority. |
|
|
Comments |
N/A |
1 AMC2 UAS.SPEC.030(3)(e)
(Operational procedures for medium and high levels of robustness) is
considered an acceptable means of compliance. |
N/A |
|
|
Criterion #3 (Training, if applicable) |
Training is self-declared (with evidence available) |
(a) Training syllabus is available. (b) The UAS operator provides competencyโbased, theoretical and practical training. |
(a) Training syllabus is validated by the competent authority of the MS or by an entity that is designated by the competent authority. (b) Remote crew competencies are verified by the competent authority of the MS or by an entity that is designated by the competent authority. |
|
|
Comments |
N/A |
N/A |
N/A |
|
Table B.7 โ
Level of assurance assessment criteria for M2 mitigations
B.4ย ย ย M3 โ An ERP is in place, UAS operator validated and effective
An ERP should be defined by the applicant in the event of a loss of control of the operation (*). These are emergency situations where the operation is in an unrecoverable state and in which:
(a)ย ย ย ย ย the outcome of the situation relies highly on providence; or
(b)ย ย ย ย it could not be handled by a contingency procedure; or
(c)ย ย ย ย ย when there is a grave and imminent danger of fatalities.
The ERP proposed by an applicant is different from the emergency procedures. The ERP is expected to cover:
(1)ย ย ย ย a plan to limit the escalating effect of a crash (e.g. to notify first responders), and
(2)ย ย ย ย the conditions to alert ATM.
(*) Refer to the SORA semantic model (Figure 1) in the main body.
|
|
Level of integrity |
|||
|
Low/None |
Medium |
High |
||
|
M3 โ An ERP is in place, UAS operator validated and effective |
Criteria |
No ERP is available, or the ERP does not cover the elements identified to meet a โmediumโ or โhighโ level of integrity |
The ERP: (a) is suitable for the situation; (b) limits the escalating effects; (c) defines criteria to identify an emergency situation; (d) is practical to use; (e) clearly delineates the duties of remote crew member(s). |
Same as medium. In addition, in case of a loss of control of the operation, the ERP is shown to significantly reduce the number of people at risk, although it can be assumed that a fatality may still occur. |
|
Comments |
N/A |
N/A |
N/A |
|
Table B.8 โ Level of integrity
assessment criteria for M3 mitigations
|
Level of assurance |
||||
|
Low/None |
Medium |
High |
||
|
M3 โ An ERP is in place, UAS operator validated and effective |
Criterion #1 (Procedures) |
(a) Procedures do not require validation against either a standard or a means of compliance considered adequate by the competent authority of the MS. (b) The adequacy of the procedures and checklists is declared. |
(a) The ERP is developed to standards considered adequate by the competent authority of the MS and/or in accordance with means of compliance acceptable to that authority1. (b) The ERP is validated through a representative tabletop exercise2 consistent with the ERP training syllabus. |
Same as medium. In addition: (a) The ERP and the effectiveness of the plan with respect to limiting the number of people at risk are validated by the competent authority of the MS or by an entity that is designated by the competent authority. (b) The applicant has coordinated and agreed the ERP with all third parties identified in the plan. (c) The representativeness of the tabletop exercise is validated by the competent authority of the MS or by an entity that is designated by the competent authority. |
|
Comments |
N/A |
1
AMC3 UAS.SPEC.030(3)(e) (ERP for medium and high level of robustness) is
considered an acceptable means of compliance. 2 The tabletop exercise may or
may not involve all third parties identified in the ERP. |
N/A |
|
|
Criterion #2 (Training) |
Does not meet the โmediumโ level criterion |
(a) An ERP training syllabus is available. (b) A record of the ERP training completed by the relevant staff is established and kept up to date. |
Same as medium. In addition, the competencies of the relevant staff are verified by the competent authority of the MS or by an entity that is designated by the competent authority. |
|
|
Comments |
N/A |
N/A |
N/A |
|
Table B.9 โ
Level of assurance assessment criteria for M3 mitigations
EASA regulations define integrity and assurance levels for drone ground risk mitigations. Strategic mitigations (M1) reduce people at risk using ground buffers and tethering. Impact reduction (M2) minimizes harm via technical design and procedures. Emergency Response Plans (M3) limit crash escalation, validated through exercises and training.
* Summary by Aviation.Bot - Always consult the original document for the most accurate information.
Loading collections...