Filters
Annex A to AMC1 to Article 11
ED Decision 2019/021/R
CONOPS: GUIDELINES ON COLLECTING AND PRESENTING SYSTEM AND OPERATIONAL INFORMATION FOR SPECIFIC UAS OPERATIONS
A.0General guidelines
This document must be original work completed and understood by the applicant (operator). Applicants must take responsibility for their own safety cases, whether the material originates from this template or otherwise.
A.0.1Document control
Applicants should include an amendment record at the beginning of the document to record changes and show how that the document is controlled.
Amendment/ Revision/ Issue Number | Date | Amended by | Signed |
a, b, c or 1, 2, 3 etc. | DDMMYYYY | Name of the person carrying out the amendment/ revision/ issue number | Signature of person carrying out the amendment/ revision/ issue number |
This section is critical to ensure appropriate document control.
Any significant changes to the ConOps may require further assessment and approval by the competent authority prior to further operations being conducted.
A.0.2References
(a)List all references (documents, URL, manuals, appendices) mentioned in the ConOps:
# | Title | Description | Amendment/ Revision/ Issue Number |
[1] | |||
[2] |
A.1Guidance for the collection and presentation of operationally relevant information
The template below provides section headings detailing the subject areas that should be addressed when producing the ConOps, for the purposes of demonstrating that a UAS operation can be conducted safely. The template layouts as presented are not prescriptive, but the subject areas detailed should be included in the ConOps documentation as required for the particular operation(s), in order to provide the minimum required information and evidence to perform the SORA.
A.1.1 Reserved
A.1.2 Organisation overview
(a)This section describes how the organisation is defined, to support safe operations. It should include:
(1)the structure of the organisation and its management, and
(2)the responsibilities and duties of the UAS operator.
A.1.2.1 Safety
(a)The ‘specific’ category covers operations where the operational risks are higher and therefore the management of safety is particularly important. The applicant should describe how safety is integrated in the organisation, and the safety management system that is in place, if applicable.
(b)Any additional safety-related information should be provided.
A.1.2.2 Design and production
(a)If the organisation is responsible for the design and/or production of the UAS, this section should describe the design and/or the production organisation.
(b)It should provide information on the manufacturer of the UAS to be used if the UAS is not manufactured or produced by the operator, i.e. by a third-party manufacturer.
(c)If required, information on the production organisation of the thirdparty organisation should be provided as evidence.
A.1.2.3 Training of staff involved in operations
This section should describe the training organisation or entity that qualifies all the staff involved in operations with respect to the ConOps.
A.1.2.4 Maintenance
This section should describe:
(a)the general maintenance philosophy of the UAS;
(b)the maintenance procedures for the UAS; and
(c)the maintenance organisation, if required.
A.1.2.5 Crew
This section should describe:
(a)the responsibilities and duties of personnel, including all the positions and people involved, for functions such as:
(1)the remote pilot (including the composition of the flight team according to the nature of the operation, its complexity, the type of UAS, etc.); and
(2)support personnel (e.g. visual observers (VOs), launch crew, and recovery crew);
(b)the procedure for multi-crew coordination if more than one person is directly involved in the flight operations;
(c)the operation of different types of UAS, including details of any limitations to the types of UAS that a remote pilot may operate, if appropriate; and
(d)details of the operator’s policy on crew health requirements, including any procedures, guidance or references to ensure that the flight team are appropriately fit, capable and able to conduct the planned operations.
A.1.2.6 UAS configuration management
This section should describe how the operator manages changes to the UAS configuration.
A.1.2.7 Other position(s) and other information
Any other position defined in the organisation, or any other relevant information, should be provided.
A.1.3Operations
A.1.3.1 Type of operations
(a)Detailed description of the ConOps: the applicant should describe what types of operations the UAS operator intends to carry out. The detailed description should contain all the information needed to obtain a detailed understanding of how, where and under which limitations or conditions the operations shall be performed. The operational volume, including the ground and air risk buffers, needs to be clearly defined. Relevant charts/diagrams, and any other information helpful to visualise and understand the intended operation(s) should be included in this section.
(b)The applicant should provide specific details on the type of operations (e.g. VLOS, BVLOS), the population density to be overflown (e.g. away from people, sparsely populated, assemblies of people) and the type of airspace to be used (e.g. a segregated area, fully integrated).
(c)The applicant should describe the level of involvement (LoI) of the crew and any automated or autonomous systems during each phase of the flight.
A.1.3.2 Normal operation strategy
(a)The normal operation strategy should contain all the safety measures, such as technical or procedural measures, crew training, etc. that are put in place to ensure that the UAS can fulfil the operation within the approved limitations, and so that the operation remains in control.
(b)Within this section, it should be assumed that all systems are working normally and as intended.
(c)The intent of this chapter is to provide a clear understanding of how the operation takes place within the approved technical, environmental, and procedural limitations.
A.1.3.3 Standard operating procedures
This section should describe the standard operating procedures (SOP) applicable to all operations for which an approval is requested. A reference to the applicable operations manual (OM) is acceptable. Note: Checklists and SOP templates may be provided by the local competent authority or a qualified entity.
A.1.3.3.1 Normal operating procedures
This section should describe the normal operating procedures in place for the intended operations.
A.1.3.3.2 Contingency and emergency procedures
This section should describe the contingency procedures in place for any malfunction or abnormal operation, as well as an emergency.
A.1.3.3.3 Occurrence reporting procedures
UAS, like all aircraft, are subject to accident investigations and occurrence reporting schemes. Mandatory or voluntary reporting should be carried out using the reporting processes provided by the competent authorities. As a minimum, the SOP should contain:
(a)reporting procedures in case of:
(1)damage to property;
(2)a collision with another aircraft; or
(3)a serious or fatal injury (third parties and own personnel); and
(b)documentation and data logging procedures: describe how records and information are stored and made available, if required, to the accident investigation body, competent authority, and other government entities (e.g. police) as applicable.
A.1.3.4 Operational limits
This section should detail the specific operating limitations and conditions appropriate to the proposed operation(s); for example, operating heights, horizontal distances, weather conditions, the applicable flight performance envelope, times of operations (day and/or night) and any limitations for operating within the applicable class(es) of airspace, etc.
A.1.3.5 Emergency response plan (ERP)
The applicant should:
(a)define a response plan for use in the event of a loss of control of the operation;
(b)describe the procedures to limit the escalating effects of a crash; and
(c)describe the procedures for use in the event of a loss of containment.
A.1.4 Remote crew training
A.1.4.1 General information
This section describes the processes and procedures that the UAS operator uses to develop and maintain the necessary competence for the remote crew (i.e. any person involved in the UAS operation).
A.1.4.2 Initial training and qualification
This section describes the processes and procedures that the UAS operator uses to ensure that the remote crew is suitably competent, and how the qualification of the remote crew is carried out.
A.1.4.3 Procedures for maintenance of currency
This section describes the processes and procedures that the UAS operator uses to ensure that the remote crew acquire and maintain the required currency to execute the various types of duties.
A.1.4.4 Flight simulation training devices (FSTDs)
This section:
(a)describes the use of FSTDs for acquiring and maintaining the practical skills of the remote pilots (if applicable); and
(b)describes the conditions and restrictions in connection with such training (if applicable).
A.1.4.5 Training programme
This section provides a reference to the applicable training programme(s) for the remote crew.
A2Guidance for the collection and presentation of technical relevant information
The aim of this section is to collect all the necessary technical information about the UAS and its supporting systems. This information needs to be sufficient to address the required robustness levels of the mitigations and the OSOs of the SORA.
The list below is suggested guidance for items which may be relevant for this assessment, but the items may differ, depending on the specific UAS utilised in this ConOps.
A.2.1Reserved
A.2.2UAS description
A.2.2.1 Unmanned aircraft (UA) segment
A.2.2.1.1 Airframe
This section should include the following:
(a)A detailed description of the physical characteristics of the UA (mass, centreof-mass, dimensions, etc.), including photos, diagrams and schematics, if appropriate to support the description of the UA.
(1)Dimensions: for fixed-wing UA, the wingspan, fuselage length, body diameter etc.; for a rotorcraft, the length, width and height, propeller diameter, etc.;
(2)Mass: all the relevant masses such as the empty mass, MTOM, etc.; and
(3)Centre of gravity: the centre of gravity and limits if necessary.
(b)Materials: the main materials used and where they are used in the UA, highlighting in particular any new materials (new metal alloys or composites) or combinations of materials (composites ‘tailored’ to designs).
(c)Load limits: the capability of the airframe structure to withstand expected flight load limits.
(d)Sub-systems: any sub-systems such as a hydraulic system, environmental control system, parachute, brakes, etc.
A.2.2.1.2 UA performance characteristics
This section should include the following:
(a)the performance of the UA within the proposed flight envelope, specifically addressing at least the following items:
(1)Performance: the
(i)maximum altitude;
(ii)maximum endurance;
(iii)maximum range;
(iv)maximum rate of climb;
(v)maximum rate of descent;
(vi)maximum bank angle; and
(vii)turn rate limits.
(2)Airspeeds: the
(i)slowest speed attainable;
(ii)stall speed (if applicable);
(iii)nominal cruise speed;
(iv)max cruise speed; and
(v)never-exceed airspeed.
(b)Any performance limitations due to environmental and meteorological conditions, specifically addressing the following items:
(1)wind speed limitations (headwind, crosswind, gusts);
(2)turbulence restrictions;
(3)rain, hail, snow, ash resistance or sensitivities;
(4)the minimum visibility conditions, if applicable;
(5)outside air temperature (OAT) limits; and
(6)in-flight icing:
(i)whether the proposed operating environment includes operations in icing conditions;
(ii)whether the system has an icing detection capability, and if so, what indications, if any, the system provides to the remote pilot, and/or how the system responds; and
(iii)any icing protection capability of the UA, including any test data that demonstrates the performance of the icing protection system.
A.2.2.1.3 Propulsion system
This section should include the following:
(a)Principle
A description of the propulsion system and its ability to provide reliable and sufficient power to take off, climb, and maintain flight at the expected mission altitudes.
(b)Fuel-powered propulsion systems
(1)The type (manufacturer organisation and model) of engine that is used;
(2)How many engines are installed;
(3)The type and the capacity of fuel that is used;
(4)How the engine performance is monitored;
(5)The status indicators, alerts (such as warning, caution and advisory), messages that are provided to the remote pilot;
(6)A description of the most critical propulsion-related failure modes/conditions and their impact on the operation of the system;
(7)How the UA responds, and the safeguards that are in place to mitigate the risk of a loss of engine power for each of the following:
(i)fuel starvation;
(ii)fuel contamination;
(iii)failed signal input from the remote pilot station (RPS); and
(iv)engine controller failure;
(8)The in-flight restart capabilities of the engine, if applicable, and if so, a description of the manual and/or automatic features of this capability;
(9)The fuel system and how it allows for adequate control of the fuel delivery to the engine, and provides for aircrew determination of the fuel remaining. This includes a system level diagram showing the location of the system in the UA and the fuel flow path; and
(10)How the fuel system is designed in terms of safety (fire detection and extinguishing, reduction of risk in case of impact, leak prevention, etc.).
(c)Electric-powered propulsion systems
(1)A high-level description of the electrical distribution architecture, including items such as regulators, switches, buses, and converters, as necessary;
(2)The type of motor that is used;
(3)The number of motors that are installed;
(4)The maximum continuous power output of the motor in watts;
(5)The maximum peak power output of the motor in watts;
(6)The current range of the motor in amps;
(7)Whether the propulsion system has a separate electrical source, and if not, how the power is managed with respect to the other systems of the UA;
(8)A description of the electrical system and how it distributes adequate power to meet the requirements of the receiving systems. This should include a system level diagram showing the electrical power distribution throughout the UA;
(9)How power is generated on board the UA (for example, generators, alternators, batteries).
(10)If a limited life power source such as batteries is used, the useful life of the power source during normal and emergency conditions, and how this was determined;
(11)How information on the battery status and the remaining battery capacity is provided to the remote pilot or the watchdog system;
(12)If available, a description of the source(s) of backup power for use in the event of a loss of the primary power source. This should include:
(i)the systems that are powered during backup power operation;
(ii)a description of any automatic or manual load shedding; and
(iii)how much operational time the backup power source provides, including the assumptions used to make this determination;
(13)How the performance of the propulsion system is monitored;
(14)The status indicators and alert (such as warning, caution and advisory) messages that are provided to the remote pilot;
(15)A description of the most critical propulsion-related failure modes/conditions and their impact on system operation;
(16)How the UA responds, and the safeguards that are in place to mitigate the risk of a propulsion system loss for each of the following:
(i)Low battery charge;
(ii)A failed signal input from the RPS; and
(iii)A motor controller failure;
(17)If the motor has in-flight reset capabilities, a description of the manual and/or automatic features of this capability.
(d)Other propulsion systems
A description of these systems to a level of detail equivalent to the fuel and electrical propulsions sections above.
A.2.2.1.4 Flight control surfaces and actuators
This section should include the following:
(a)A description of the design and operation of the flight control surfaces and servos/actuators, including a diagram showing the location of the control surfaces and the servos/actuators;
(b)A description of any potential failure modes and the corresponding mitigations;
(c)How the system responds to a servo/actuator failure; and
(d)How the remote-pilot or watchdog system is alerted of a servo/actuator malfunction.
A.2.2.1.5 Sensors
This section should describe the non-payload sensor equipment on board the UA and its role.
A.2.2.1.6 Payloads
This section should describe the payload equipment on board the UA, including all the payload configurations that significantly change the weight and balance, electrical loads, or flight dynamics.
A.2.3 UAS control segment
This section should include the following:
A.2.3.1 General
An overall system architecture diagram of the avionics architecture, including the location of all air data sensors, antennas, radios, and navigation equipment. A description of any redundant systems, if available.
A.2.3.2 Navigation
(a)How the UAS determines its location;
(b)How the UAS navigates to its intended destination;
(c)How the remote pilot responds to instructions from:
(1)air traffic control;
(2)UA observers or VOs (if applicable); and
(3)other crew members (if applicable);
(d)The procedures to test the altimeter navigation system (position, altitude);
(e)How the system identifies and responds to a loss of the primary means of navigation;
(f)A description of any backup means of navigation; and
(g)How the system responds to a loss of the secondary means of navigation, if available.
A.2.3.3 Autopilot
(a)How the autopilot system was developed, and the industry or regulatory standards that were used in the development process.
(b)If the autopilot is a commercial off-the-shelf (COTS) product, the type/design and the production organisation, with the criteria that were used in selecting the COTS autopilot.
(c)The procedures used to install the autopilot and how its correct installation is verified, with references to any documents or procedures provided by the manufacturer’s organisation and/or developed by the UAS operator’s organisation.
(d)If the autopilot employs input limit parameters to keep the aircraft within defined limits (structural, performance, flight envelope, etc.), a list of those limits and a description of how these limits were defined and validated.
(e)The type of testing and validation that was performed (software-in-the-loop (SITL) and hardware-in-the-loop (HITL) simulations).
A.2.3.4 Flight control system
(a)How the control surfaces (if any) respond to commands from the flight control computer/autopilot.
(b)A description of the flight modes (i.e. manual, artificial-stability, automatic, autonomous).
(c)Flight control computer/autopilot:
(1)If there are any auxiliary controls, how the flight control computer interfaces with the auxiliary controls, and how they are protected against unintended activation.
(2)A description of the flight control computer interfaces required to determine the flight status and to issue appropriate commands.
(3)The operating system on which the flight controls are based.
A.2.3.5 Remote pilot station (RPS)
(a)A description or a diagram of the RPS configuration, including screen captures of the control station displays.
(b)How accurately the remote pilot can determine the attitude, altitude (or height) and position of the UA.
(c)The accuracy of the transmission of critical parameters to other airspace users/air traffic control (ATC).
(d)The critical commands that are safeguarded from inadvertent activation and how that is achieved (for example, is there a two-step process to command ‘switch the engine off’). The kinds of inadvertent input that the remote pilot could enter to cause an undesirable outcome (for example, accidentally hitting the ‘kill engine’ control in flight).
(e)Any other programmes that run concurrently on the ground control computer, and if there are any, the precautionary measures that are used to ensure that flightcritical processing will not be adversely affected.
(f)The provisions that are made against an RPS display or interface lockup.
(g)The alerts (such as warning, caution and advisory) that the system provides to the remote pilot (e.g. low fuel or battery level, failure of critical systems, or operation out of control).
(h)A description of the means to provide power to the RPS, and redundancies, if any.
A.2.3.6 Detect and avoid (DAA) system
(a)Aircraft conflict avoidance
(1)A description of the system/equipment that is installed for collaborative conflict avoidance (e.g. SSR, TCAS, ADS-B, FLARM, etc.).
(2)If the equipment is qualified, details of the detailed qualification to the respective standard.
(3)If the equipment is not qualified, the criteria that were used in selecting the system.
(b)Non-collaborative conflict avoidance:
A description of the equipment that is installed (e.g. vision-based, PSR data, LIDAR, etc.).
(c)Obstacle conflict avoidance
A description of the system/equipment that is installed, if any, for obstacle collision avoidance.
(d)Avoidance of adverse weather conditions
A description of the system/equipment that is installed, if any, for the avoidance of adverse weather conditions.
(e)Standard
(1)If the equipment is qualified, a list of the detailed qualification to the respective standard.
(2)If the equipment is not qualified, the criteria that were used in selecting the system.
(f)A description of any interface between the conflict avoidance system and the flight control computer.
(g)A description of the principles that govern the installed DAA system
(h)A description of the role of the remote pilot or any other remote crew in the DAA system.
(i)A description of the known limitations of the DAA system.
A.2.4Containment system
(a)A description of the principles of the system/equipment used to perform containment functions for:
(1)avoidance of specific area(s) or volume(s); or
(2)confinement in a given area or volume.
(b)The system information and, if applicable, supporting evidence that demonstrates the reliability of the containment system.
A.2.5 Ground support equipment (GSE) segment
(a)A description of all the support equipment that is used on the ground, such as launch or recovery systems, generators, and power supplies.
(b)A description of the standard equipment available, and the backup or emergency equipment.
(c)A description of how the UAS is transported on the ground.
A.2.6 Command and control (C2) link segment
(a)The standard(s) with which the system is compliant.
(b)A detailed diagram that shows the system architecture of the C2 link, including informational or data flows and the performance of the subsystem, and values for the data rates and latencies, if known.
(c)A description of the control link(s) connecting the UA to the RPS and any other ground systems or infrastructures, if applicable, specifically addressing the following items:
(1)The spectrum that will be used for the control link and how the use of this spectrum has been coordinated. If approval of the spectrum is not required, the regulation that was used to authorise the frequency.
(2)The type of signal processing and/or link security (i.e. encryption) that is employed.
(3)The datalink margin in terms of the overall link bandwidth at the maximum anticipated distance from the RPS, and how it was determined.
(4)If there is a radio signal strength and/or health indicator or similar display to the remote pilot, how the signal strength and health values were determined, and the threshold values that represent a critically degraded signal.
(5)If the system employs redundant and/or independent control links, how different the design is, and the likely common failure modes.
(6)For satellite links, an estimate of the latencies associated with using the satellite link for aircraft control and for air traffic control communications.
(7)The design characteristics that prevent or mitigate the loss of the datalink due to the following:
(i)RF or other interference;
(ii)flight beyond the communications range;
(iii)antenna masking (during turns and/or at high attitude angles);
(iv)a loss of functionality of the RPS;
(v)a loss of functionality of the UA; and
(vi)atmospheric attenuation, including precipitation.
A.2.7C2 link degradation
A description of the system functions in case of a C2 link degradation:
(a)Whether the C2 link degradation status is available and in what form (e.g. degraded, critical, automatic messages).
(b)How the status of the C2 link degradation is announced to the remote pilot (e.g. visual, haptic, or sound).
A description of the associated contingency procedures.
(c)Other.
A.2.8C2 link loss
(a)The conditions that could lead to a loss of the C2 link.
(b)The measures in case of a loss of the C2 link.
(c)A description of the clear and distinct aural and visual alerts to the remote pilot for any case of a lost link.
(d)A description of the established lost link strategy presented in the UAS operating manual, taking into account the emergency recovery capability.
(e)A description of how the geo-awareness or geo-fencing system is used in this case, if available.
(f)The lost link strategy, and, if incorporated, the re-acquisition process in order to try to re-establish the link in a reasonably short time.
A.2.9. Safety features
(a)A description of the single failure modes and their recovery mode(s), if any.
(b)A description of the emergency recovery capability to prevent risks to third-parties. This typically consists of:
(1)a flight termination system (FTS), procedure or function that aims to immediately end the flight; or
(2)an automatic recovery system (ARS) that is implemented through UAS crew command or by the on board systems. This may include an automatic preprogrammed course of action to reach a predefined and unpopulated forced landing area; or
(3)any combination of the above, or other methods.
(c)The applicant should provide both a functional and physical diagram of the global UA system with a clear depiction of its constituent components, and, where applicable, an indication of its peculiar features (e.g. independent power supplies, redundancies, etc.)
Annex B to AMC1 to Article 11
ED Decision 2023/012/R
INTEGRITY AND ASSURANCE LEVELS FOR THE MITIGATIONS USED TO REDUCE THE INTRINSIC GROUND RISK CLASS (GRC)
B.1How to use Annex B
The following Table B-1 provides the basic principles to consider when using SORA Annex B.
Principle description | Additional information | |
#1 | Annex B provides assessment criteria for the integrity (i.e. safety gain) and assurance (i.e. method of proof) of the applicant’s proposed mitigations. The proposed mitigations are intended to reduce the intrinsic ground risk class (GRC) associated with a given operation. | The identification of mitigations is the responsibility of the applicant. |
#2 | Annex B does not cover the LoI of the competent authority. The Lol is based on the competent authority’s assessment of the applicant’s ability to perform the given operation. | |
#3 | A proposed mitigation may or may not have a positive effect in reducing the ground risk associated with a given operation. In the case where a mitigation is available but does not reduce the risk on the ground, its level of integrity should be considered equivalent to ‘None’. | |
#4 | To achieve a given level of integrity/assurance, when more than one criterion exists for that level of integrity/assurance, all the applicable criteria need to be met. | |
#5 | Annex B intentionally uses non-prescriptive terms (e.g. suitable, reasonably practicable) to provide flexibility to both the applicant and the competent authorities. This does not constrain the applicant in proposing mitigations, nor the competent authority in evaluating what is needed on a case-by-case basis. | |
#6 | This annex in its entirety also applies to single-person organisations. |
Table B.1 – Basic principles
B.2M1 — Strategic mitigations for ground risk
M1 mitigations are ‘strategic mitigations’ intended to reduce the number of people at risk on the ground. To assess the integrity levels of M1 mitigations, the following need to be considered:
(a)the definition of the ground risk buffer and the resulting ground footprint; and
(b)the evaluation of the people at risk.
With the exception of the specific case of a ‘tether’ provided in the following paragraph (2), the generic criteria to assess the level of integrity (Table B.2) and level of assurance (Table B.3) of the M1 type ground risk mitigations are provided in following paragraph (1).
(1)Generic criteria
Level of integrity | ||||
Low | Medium | High | ||
M1 — Strategic mitigations for ground risk | Criterion #1 (Definition of the ground risk buffer) | A ground risk buffer with at least a 1:1 rule1 or for rotary wing UA defined using a ballistic methodology approach acceptable to the competent authority. | The ground risk buffer takes into consideration: (a) improbable2 single malfunctions or failures (including the projection of high energy parts such as rotors and propellers) which would lead to an operation outside the operational volume; (b) meteorological conditions (e.g. wind); (c) UAS latencies (e.g. latencies that affect the timely manoeuvrability of the UA); (d) UA behaviour when activating a technical containment measure; and (e) UA performance. | Same as medium3 |
Comments | 1 If the UA is planned to operate at an altitude of 150 m, the ground risk buffer should be a minimum of 150 m. | 2 For the purpose of this assessment, the term ‘improbable’ should be interpreted in a qualitative way as ‘Unlikely to occur in each UAS during its total life, but which may occur several times when considering the total operational life of a number of UAS of this type’. 3 The distinction between a medium and a high level of robustness for this criterion is achieved through the level of assurance (Table 3 below). | ||
Criterion #2 (Evaluation of people at risk) | The applicant evaluates the area of operations by means of on-site inspections or appropriate appraisals to justify lowering the density of the people at risk (e.g. a residential area during daytime when some people may not be present or an industrial area at night time for the same reason). | The applicant evaluates the area of operations by use of authoritative density data (e.g. data from the Uspace data service provider) relevant for the proposed area and time of operation to substantiate a lower density of people at risk. If the applicant claims a reduction, due to a sheltered operational environment, the applicant: (a) uses a UA of less than 25 kg and not flying above 174 knots4, and (b) demonstrates that although the operation is conducted in a populated environment, it is reasonable to consider that most of the non-involved persons will be located within a building5. | Same as medium. | |
Comments | N/A | 4 as per MITRE presentation given during the UAS Technical Analysis and Applications Center (TAAC) conference in 2016 titled ‘UAS EXCOM Science and Research Panel (SARP) 2016 TAAC Update’ - PR 163979 5 The consideration of this mitigation may vary based on the local conditions. | N/A | |
Table B.2 — Level of integrity assessment criteria for ground risk of non-tethered M1 mitigations
Level of assurance | ||||
Low | Medium | High | ||
M1 — Strategic mitigations for ground risk | Criterion #1 (Definition of the ground risk buffer) | The applicant declares that the required level of integrity is achieved1. | The applicant has supporting evidence to claim that the required level of integrity has been achieved. This is typically done by means of testing, analysis, simulation2, inspection, design review or through operational experience. | The claimed level of integrity is validated by the competent authority of the MS or by an entity that is designated by the competent authority. |
Comments | 1 Supporting evidence may or may not be available. | 2 When simulation is used, the validity of the targeted environment used in the simulation needs to be justified. | N/A | |
Criterion #2 (Evaluation of people at risk) | The applicant declares that the required level of integrity has been achieved3. | The density data used for the claim of risk reduction is an average density map for the date/time of the operation from a static sourcing (e.g. census data for night time ops). In addition, for localised operations (e.g. intra-city delivery or infrastructure inspection), the applicant submits the proposed route/area of operation to the applicable authority (e.g. city police, office of civil protection, infrastructure owner etc.) to verify the claim of a reduced number of people at risk. | Same as medium; however, the density data used for the claim of risk reduction is a near-real time density map from a dynamic sourcing (e.g. cellular user data) and applicable for the date/time of the operation. | |
Comments | 3 Supporting evidence may or may not be available | N/A | N/A | |
Table B.3 — Level of assurance assessment criteria for ground risk of non-tethered M1 mitigations
(2)Specific criteria in case of use of a tether to reduce people at risk
When an applicant wants to take credit for a tether to justify a reduction in the number of people at risk:
(a)the tether needs to be considered part of the UAS and assessed based on the criteria below, and
(b)potential hazards created by the tether itself should be addressed through the OSOs defined in Annex E.
The level of integrity criteria for a tethered mitigation is found in Table B.4. The level of assurance for a tethered mitigation is found in Table B.5.
Level of integrity | ||||
Low | Medium | High | ||
M1 — Tethered operation | Criterion #1 (Technical design) | Does not meet the ‘medium’ level criteria | (a) The length of the line is adequate to contain the UA in the operational volume and reduce the number of people at risk. (b) The strength of the line is compatible with the ultimate loads1 expected during the operation. (c) The strength of the attachment points is compatible with the ultimate loads1 expected during the operation. (d) The tether cannot be cut by the rotating propellers. | Same as medium2 |
Comments | N/A | 1 Ultimate loads are identified as the maximum loads to be expected in service, including all the possible nominal and failure scenarios multiplied by a 1.5 safety factor. 2 The distinction between a medium and a high level of robustness for this criterion is achieved through the level of assurance (Table B.5 below). | ||
Criterion #2 (Procedures) | Does not meet the ‘medium’ level criteria | The applicant has procedures to install and periodically inspect the condition of the tether. | Same as medium3 | |
Comments | N/A | 3 The distinction between a medium and a high level of robustness for this criterion is achieved through the level of assurance (Table B.5 below). | ||
Table B.4 — Level of integrity assessment criteria for ground risk tethered M1 mitigations
Level of assurance | ||||
Low | Medium | High | ||
M1 — Tethered operation | Criterion #1 (Technical design) | Does not meet the ‘medium’ level criteria | The applicant has supporting evidence (including the specifications of the tether material) to claim that the required level of integrity is achieved. (a) This is typically achieved through testing or operational experience. (b) Tests can be based on simulations; however, the validity of the target environment used in the simulation needs to be justified. | The claimed level of integrity is validated by the competent authority of the MS or by an entity that is designated by the competent authority. |
Comments | N/A | N/A | N/A | |
Criterion #2 (Procedures) | (a) Procedures do not require validation against either a standard or a means of compliance considered adequate by the competent authority of the MS. (b) The adequacy of the procedures and checklists is declared. | (a) Procedures are validated against standards considered adequate by the competent authority of the MS and/or in accordance with the means of compliance acceptable to that authority1. (b) The adequacy of the procedures is proven through: (1) dedicated flight tests; or (2) simulation, provided that the representativeness of the simulation means is proven to be valid for the intended purpose with positive results; or (3) any other means acceptable to the competent authority of the MS. | Same as medium. In addition: (a) Flight tests performed to validate the procedures cover the complete flight envelope or are proven to be conservative. (b) The procedures, flight tests and simulations are validated by the competent authority of the MS or by an entity that is designated by the competent authority. | |
Comments | N/A | 1 AMC2 UAS.SPEC.030(3)(e) (Operational procedures for medium and high levels of robustness) is considered an acceptable means of compliance. | N/A | |
Table B.5 — Level of assurance assessment criteria for ground risk tethered M1 mitigations
B.3M2 — Effects of ground impact are reduced
M2 mitigations are intended to reduce the effect of ground impact once the control of the operation is lost. This is done by reducing the effect of the UA impact dynamics (i.e. the area, energy, impulse, transfer energy, etc.). One example would be the use of a parachute.
Level of integrity | ||||
Low/None | Medium | High | ||
M2 — Effects of UA impact dynamics are reduced (e.g. parachute) | Criterion #1 (Technical design) | Does not meet the ‘medium’ level criterion | (a) Effects of impact dynamics and post impact hazards1 are significantly reduced although it can be assumed that a fatality may still occur. (b) When applicable, in case of malfunctions, failures or any combinations thereof that may lead to a crash, the UAS contains all the elements required for the activation of the mitigation. (c) When applicable, any failure or malfunction of the proposed mitigation itself (e.g. inadvertent activation) does not adversely affect the safety of the operation. | Same as medium. In addition: (a) When applicable, the activation of the mitigation is automated2. (b) The effects of impact dynamics and post impact hazards are reduced to a level where it can be reasonably assumed that a fatality will not occur3. |
Comments | N/A | 1 Examples of post impact hazards include fires and the release of high-energy parts. | 2 The applicant retains the discretion to implement an additional manual activation function. 3 Emerging research and upcoming industry standards will help applicants to substantiate compliance with this integrity criterion. | |
Criterion #2 (Procedures, if applicable) | Any equipment used to reduce the effect of the UA impact dynamics is installed and maintained in accordance with the manufacturer’s instructions.4 | |||
Comments / Notes | 4 The distinction between a low, a medium and a high level of robustness for this criterion is achieved through the level of assurance (Table B.7 below). | |||
Criterion #3 (Training, if applicable) | Personnel responsible for the installation and maintenance of the measures proposed to reduce the effect of the UA impact dynamics are identified and trained by the applicant.5 | |||
Comments / Notes | 5 The distinction between a low, a medium and a high level of robustness for this criterion is achieved through the level of assurance (Table B.7 below). | |||
Table B.6 — Level of integrity assessment criteria for M2 mitigations
M2 — Effects of UA impact dynamics are reduced (e.g. parachute) | Level of assurance | |||
Low/None | Medium | High | ||
Criterion #1 (Technical design) | The applicant declares that the required level of integrity has been achieved1. | The applicant has supporting evidence to claim that the required level of integrity is achieved. This is typically2 done by means of testing, analysis, simulation3, inspection, design review or through operational experience. The applicant may declare compliance with MoC to Light-UAS.25124 providing the supporting evidence defined in it. | The competent authority should request the applicant to use a UAS for which EASA has verified the claimed integrity through a DVR. | |
Comments | 1 Supporting evidence may or may not be available. | 2 The use of industry standards is encouraged when developing mitigations used to reduce the effect of ground impact. 3 When simulation is used, the validity of the targeted environment used in the simulation needs to be justified. | ||
Criterion #2 (Procedures, if applicable) | (a) Procedures do not require validation against either a standard or a means of compliance considered adequate by the competent authority of the MS. (b) The adequacy of the procedures and checklists is declared. | (a) Procedures are validated against standards considered adequate by the competent authority of the MS and/or in accordance with the means of compliance acceptable to that authority1. (b) The adequacy of the procedures is proven through: (1) dedicated flight tests; or (2) simulation, provided that the representativeness of the simulation means is proven to be valid for the intended purpose with positive results; or (3) any other means acceptable to the competent authority of the MS | Same as medium. In addition: (a) Flight tests performed to validate the procedures cover the complete flight envelope or are proven to be conservative. (b) The procedures, flight tests and simulations are validated by the competent authority of the MS or by an entity that is designated by the competent authority. | |
Comments | N/A | 1 AMC2 UAS.SPEC.030(3)(e) (Operational procedures for medium and high levels of robustness) is considered an acceptable means of compliance. | N/A | |
Criterion #3 (Training, if applicable) | Training is self-declared (with evidence available) | (a) Training syllabus is available. (b) The UAS operator provides competencybased, theoretical and practical training. | (a) Training syllabus is validated by the competent authority of the MS or by an entity that is designated by the competent authority. (b) Remote crew competencies are verified by the competent authority of the MS or by an entity that is designated by the competent authority. | |
Comments | N/A | N/A | N/A | |
Table B.7 — Level of assurance assessment criteria for M2 mitigations
B.4M3 — An ERP is in place, UAS operator validated and effective
An ERP should be defined by the applicant in the event of a loss of control of the operation (*). These are emergency situations where the operation is in an unrecoverable state and in which:
(a)the outcome of the situation relies highly on providence; or
(b)it could not be handled by a contingency procedure; or
(c)when there is a grave and imminent danger of fatalities.
The ERP proposed by an applicant is different from the emergency procedures. The ERP is expected to cover:
(1)a plan to limit the escalating effect of a crash (e.g. to notify first responders), and
(2)the conditions to alert ATM.
(*) Refer to the SORA semantic model (Figure 1) in the main body.
Level of integrity | ||||
Low/None | Medium | High | ||
M3 — An ERP is in place, UAS operator validated and effective | Criteria | No ERP is available, or the ERP does not cover the elements identified to meet a ‘medium’ or ‘high’ level of integrity | The ERP: (a) is suitable for the situation; (b) limits the escalating effects; (c) defines criteria to identify an emergency situation; (d) is practical to use; (e) clearly delineates the duties of remote crew member(s). | Same as medium. In addition, in case of a loss of control of the operation, the ERP is shown to significantly reduce the number of people at risk, although it can be assumed that a fatality may still occur. |
Comments | N/A | N/A | N/A | |
Table B.8 — Level of integrity assessment criteria for M3 mitigations
Level of assurance | ||||
Low/None | Medium | High | ||
M3 — An ERP is in place, UAS operator validated and effective | Criterion #1 (Procedures) | (a) Procedures do not require validation against either a standard or a means of compliance considered adequate by the competent authority of the MS. (b) The adequacy of the procedures and checklists is declared. | (a) The ERP is developed to standards considered adequate by the competent authority of the MS and/or in accordance with means of compliance acceptable to that authority1. (b) The ERP is validated through a representative tabletop exercise2 consistent with the ERP training syllabus. | Same as medium. In addition: (a) The ERP and the effectiveness of the plan with respect to limiting the number of people at risk are validated by the competent authority of the MS or by an entity that is designated by the competent authority. (b) The applicant has coordinated and agreed the ERP with all third parties identified in the plan. (c) The representativeness of the tabletop exercise is validated by the competent authority of the MS or by an entity that is designated by the competent authority. |
Comments | N/A | 1 AMC3 UAS.SPEC.030(3)(e) (ERP for medium and high level of robustness) is considered an acceptable means of compliance. 2 The tabletop exercise may or may not involve all third parties identified in the ERP. | N/A | |
Criterion #2 (Training) | Does not meet the ‘medium’ level criterion | (a) An ERP training syllabus is available. (b) A record of the ERP training completed by the relevant staff is established and kept up to date. | Same as medium. In addition, the competencies of the relevant staff are verified by the competent authority of the MS or by an entity that is designated by the competent authority. | |
Comments | N/A | N/A | N/A | |
Table B.9 — Level of assurance assessment criteria for M3 mitigations