1 Introduction

In recent years, the use of unmanned aerial systems (UAS) for different kinds of operation has greatly increased. Operations at low or medium altitudes in particular enjoy great popularity. However, there is an increasing number of applications that require stationary platforms at high altitudes of around 20 km. These High-Altitude Platforms (HAPs) are meant to perform operations over a long time period with minimal interactions with regular manned air traffic. HAP operations often include continuous high-altitude observation of a certain area. Some examples of those earth observation operations are cargo ship emission measurements and glacier observations. Such HAPs are in competition with fast low-orbiting satellites. Due to their orbital paths, single satellites always have a delay in time if they are used to observe a specific area. To reduce that delay, several satellites can be used, but this comes with the disadvantage of much higher costs.

To cope with UAS and to integrate such systems into the modern air traffic management system, aviation authorities around the world had to introduce a new regulatory framework for unmanned systems. This framework has to take all different kinds of operation into account, both very-low-risk operations, such as small toy drones operated over fields, and operations of larger-scale UAS operated over urban areas. Therefore, the European Aviation Safety Agency (EASA) introduced three new general categories of UAS operations in 2016 [1]. These three categories are now part of the unmanned civil aviation regulation [2, 3]. The categories address the risk that the different types of UAS operations pose to people on the ground and to manned air traffic. Operations that pose a minor risk to people, such as the aforementioned toy drones operated over unpopulated areas in visual line of sight (VLOS), are regulated in the ‘open’ category. Very-high-risk operations with a risk comparable to manned aviation, such as large-scale UAS operating over inhabited areas or unmanned transportation of people, are covered in the ‘certified’ category. All those operations whose risk lies in between the two examples fall into the ‘specific’ category.

The EASA released a Notice of Proposed Amendment (NPA) as ‘Introduction of a regulatory framework for the operation of drones’ in 2017 [4] as a form of consultation within the EASA rulemaking process and further introduced measures to mitigate the risk of operations in the ‘open’ and the ‘specific’ categories. This NPA was followed by Opinion No 01/2018 [5] that was intended to implement an operation-centric, risk- and performance-based regulatory framework for the ‘open’ and ‘specific’ categories. The rulemaking process was finished by the EASA in 2019 with release of the Commission Implementing Regulation (EU) 2019/947 [2] and Commission Delegated Regulation (EU) 2019/945 [3].

Throughout this paper, we provide insight into the regulatory framework of the ‘specific’ category and show how to apply its safety assessment to UAS operations, using HAP operations as the example. Furthermore, we present approaches to integrate HAPs into existing Air Traffic Management (ATM) in a safe manner. We also discuss the operational challenges that the operator of such long-endurance, high-altitude operations has to face.

2 Regulatory framework of the ‘specific’ category

A crucial part of the ‘specific’ category is the requirement to conduct a risk assessment of the intended UAS operation. A risk assessment methodology that is adopted by the EASA [5] is the Specific Operations Risk Assessment (SORA) developed by the Joint Authorities for Rulemaking of Unmanned Systems (JARUS) [6]. In this section, a brief overview of the SORA methodology is given. A more detailed description of SORA and a comparison to an already existing safety assessment approach are given in [7].

The SORA (Fig. 1) is an iterative process to assess the intrinsic risk of a UAS operation, to incorporate risk mitigation strategies and establish the requirements that the operator has to meet to obtain an operation approval of the competent authority. The input to this process is a concept of operations document (ConOps) that contains a description of the intended operation, technical data of the UAS and information on the operator.

Fig. 1 Simplified SORA process, modified from [8]

With the ConOps information, initial Ground and Air Risk Classes are determined. These two classes take into account the population density and the air traffic density in the operational volume as well as adjacent to it. To lower the operational risk, mitigation strategies can be applied. The Ground Risk Class including applied mitigations can range from 0 to 7, while the Air Risk Class ranges from ARC-a for atypical airspace to ARC-d for highly frequented airspace such as an airport environment. Ground and Air Risk Class combined with applied mitigation strategies result in a Specific Assurance and Integrity Level (SAIL). Tied to the SAIL are a number of Operational Safety Objectives (OSO), or in other words, requirements the operator has to meet. The OSO shall ensure a safe UAS operation; therefore, they address the technical and design capabilities of the UAS as well as the operator in the form of operational, crew training and maintenance requirements. There are six levels with increasing rigor from SAIL I to SAIL VI. The required OSO and the operator’s solution to meet them are also an integral part of the ConOps. The complete ConOps has to be submitted to the national competent authority. A detailed description of the SORA process can be found in [6].

3 Use case scenarios and SORA analysis

In this section, some typical use cases for HAPs are described and analyzed with the SORA process in its latest edition [6]. The use cases are chosen to show the spectrum of possible HAP operations from a regulatory and operational effort point of view.

For the SORA analysis, the mission examples can be classified by their initial ground risk. To determine the initial ground risk class, the SORA distinguishes the HAP-relevant scenarios into flights beyond visual line of sight (BVLOS) in sparsely populated environments and in populated environments. Until now, JARUS has provided no explanation of when an environment is to be considered sparsely populated and when populated. It is plausible to assume that each national civil aviation authority has its own definition of sparsely populated and populated environments. However, regarding the possible operational areas shown in Fig. 2 and considering the operational altitude of a HAP, some assumptions can be made. It is relatively safe to assume that glaciers and snow surfaces observation, Northeast Passage icing observation, maritime surveillance over the Mediterranean Sea and animal tracking in South Africa will be considered sparsely populated. Flood and earthquake monitoring in Central or Southern Europe will most likely be considered populated. The ship emissions observation operation is planned to take place over the English Channel. While the sea itself might be considered sparsely populated, taking the HAP altitude of 20 km and the seaports of the relatively small English Channel into account, the operational area might have a populated environment rating.

Fig. 2 Mission examples for HAP operations

As a brief summary, the classification of the HAP use case operations regarding their initial ground risk class (GRC) according to the SORA is shown in Table 1. This class takes the HAP’s characteristic dimension of over 8 m into account.

Table 1 Initial GRC classification of HAP use case operations

Within the SORA, it is essential to know that only operations with a GRC of less than seven are covered by this assessment. Operations with a GRC of more than seven are considered to be too dangerous and should not be performed in the ‘specific’ category. However, it is possible to reduce the initial GRC by means of mitigation. The SORA introduces three possible forms of mitigation that reduce the GRC when applied. The amount of reduction is defined by the integrity of a mitigation and its assurance. Integrity and assurance are combined in the term robustness. Within SORA there exist three levels of robustness: low, medium and high. A low level of assurance is typically achieved by declaration, a medium level of assurance is achieved by supporting evidence such as analyses and simulations and a high level of assurance requires competent third-party verification. Table 2 shows applicable mitigations and their effects on the GRC.

Table 2 Mitigations to reduce the GRC

M1 is a mitigation where an area around the area of operation is used to reduce the number of people at risk when the UAS leaves the operational volume. Within SORA this area is called the ground risk buffer. The operator has to verify that the number of people at risk inside the ground risk buffer is less than in the buffer’s surrounding area, e.g. by means of population density maps. Depending on how much credit for the buffer shall be taken to reduce the ground risk, the buffer has to follow at least a 1-to-1 rule, meaning the buffer size depends on the UAS altitude. If the lowest requirement for the ground risk buffer is applied to a HAP, a flight altitude of 20 km would result in a ground risk buffer of 20 km around the area of operation. At higher robustness classes, starting at medium robustness, the buffer has to take into account weather conditions, aircraft performance such as the glide ratio, and the occurrence of single failures that would lead to operation outside of the operational volume.

M2 shall significantly reduce the impact energy up to a level where it can be reasonably assumed that a fatality will not occur. This can be achieved by the use of additional equipment or by strategy, such as an emergency parachute.

M3 is an emergency response plan that shall limit the escalating effects of a UAS crash and define conditions to alert the responsible ATM. It shall handle situations where the operation is out of control.

It is up to the operator to decide if one or more mitigations are used to reduce the initial ground risk. However, when applied, the mitigations must comply with the requirements given by SORA, depending on the level of robustness. As an example, in the case of a HAP, the DLR aims for a low M1 robustness and a medium M2 and M3 robustness. The specific requirements to be able to claim low and medium robustness for M1 and M2 are shown in Annex B of the SORA Guidelines. Since this paper is focusing on the operational part of a HAP system, the mitigation of interest is M3, the emergency response plan (ERP). The requirements to claim medium robustness for M3 are that the ERP

  • Is suitable for the situation

  • Limits the escalating effects

  • Defines criteria to identify an emergency situation

  • Clearly delineates remote crew member(s) duties

To assure the effectiveness of the ERP it

  • Is developed to standards considered adequate by the competent authority and/or in accordance with means of compliance acceptable to that authority

  • Is validated through a representative table top exercise consistent with the ERP training syllabus

  • A record of the ERP training completed by the relevant staff is established and the record is kept up to date

Applying all those mitigations (M1–M3) will lower the initial GRC to 4 in case of operations over sparsely populated environments and to 8 in case of populated environments. A final GRC of 8 means that this operation cannot be performed in the ‘specific’ category. For operations with a final GRC of 8 either mitigations with a higher robustness have to be applied or the operator has to rely on a special permit. This might be the case after catastrophic events such as earthquakes where the country’s authority might wish to use a HAP to help save human lives.

After the ground risk branch is completed, the air risk class (ARC) has to be determined. In general, the initial air risk class depends on the air traffic density to be expected in the operational volume, that is, on the expected encounter rate with manned aircraft. The aircraft encounter rate is based on the ICAO airspace classification. The air risk class ranges from ARC-a for an atypical airspace with an encounter rate of \(10^{-6}\) per flight hour up to ARC-d for controlled civil airspace 500 ft above ground level. For the overall ARC determination, the operation’s highest ARC rating has to be considered. The ARC rating then has an impact on the SAIL and additionally on “tactical mitigations”, which are ARC-driven air risk-specific requirements for the aircraft and the operator. Annex D of the JARUS guidelines on SORA shows the specific performance requirements of the tactical mitigations for all air risk classes. The tactical mitigation performance assurance requirements (TMPR) vary from no requirements at all for ARC-a up to high requirements, which are based on aviation standards, for ARC-d. The integrity requirements of the general system that performs the tactical mitigations, called Tactical Mitigation System in SORA terms, range from less than one loss per 100 flight hours for ARC-a to less than one loss per 100,000 flight hours for ARC-d (Table 3).

Table 3 Tactical mitigation performance requirements

Within the SORA process, the general ARC rating for very-high-altitude flights above flight level 600, around 18 km, is ARC-b. However, a HAP will ascend and descend at least once right through all airspace categories from ground level to the HAP’s cruise altitude above the civil airspace. Therefore, the highest air risk class, ARC-d, applies for any HAP operation as initial ARC.

Similar to the ground risk classification, the operator is allowed to use the so-called “strategic mitigations”. To reduce the initial ARC, the operator is allowed to show that the actual encounter rate within the operational volume is less than the general classification and/or the time of exposure in a certain high-density airspace class is very low to justify a lower residual ARC.

Table 3 shows that it is always beneficial to try to reduce the initial ARC to ARC-b at least. The TMPR and qualitative criteria shown in Annex D of the JARUS Guidelines on SORA for ARC-b are much easier to achieve and to prove, compared to the other ARC TMPR requirements.

In the HAP use case scenarios, there are two occasions where ARC-b does not initially apply. Ascent and descent will be through all airspace classes and additionally the HAP will descend to 15.5 km at night time and, therefore, operates within controlled civil airspace. Potential strategic mitigations and operational concepts as an argument for an ARC-b or even ARC-a rating are given in chapter 4.

For the purpose of this paper, it is assumed that these strategic mitigations will result in an overall ARC-b. The reasoning for the ARC reduction is described in Sect. 4. The resulting SAIL is determined by the combination of GRC and ARC. However, it is the higher risk class that establishes the resulting SAIL. The interaction between GRC rating and residual ARC resulting in a SAIL classification can be seen in Table 4.

Table 4 SAIL determination

The final GRC of 4 for the BVLOS operations in sparsely populated environments together with the assumed ARC-b result in SAIL III.
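The ground-risk and SAIL steps described above, as an added example that is not code from the paper: the table values are recalled from JARUS SORA v2.0 (an assumption, since Tables 1, 2 and 4 are not reproduced in this text), and all function and key names are illustrative. It also enumerates which mitigation robustness combinations would bring the populated case back within the ‘specific’ category.

```python
from itertools import product

# Intrinsic GRC for a characteristic dimension > 8 m.
# Assumption: values recalled from JARUS SORA v2.0, not taken from this page.
INTRINSIC_GRC_OVER_8M = {
    "controlled_ground_area": 4,
    "vlos_sparsely_populated": 5,
    "bvlos_sparsely_populated": 6,
    "vlos_populated": 8,
    "bvlos_populated": 10,
}

# GRC correction per mitigation and robustness level (same assumption).
MITIGATION_CREDIT = {
    "M1": {"none": 0, "low": -1, "medium": -2, "high": -4},
    "M2": {"none": 0, "low": 0, "medium": -1, "high": -2},
    "M3": {"none": 1, "low": 1, "medium": 0, "high": -1},
}

# Final GRC -> SAIL for residual ARC-a, -b, -c, -d (same assumption).
ARC_COLUMNS = ("a", "b", "c", "d")
SAIL_TABLE = {
    2: ("I", "II", "IV", "VI"),  # row used for any final GRC <= 2
    3: ("II", "II", "IV", "VI"),
    4: ("III", "III", "IV", "VI"),
    5: ("IV", "IV", "IV", "VI"),
    6: ("V", "V", "V", "VI"),
    7: ("VI", "VI", "VI", "VI"),
}

LEVELS = ("none", "low", "medium", "high")

# Robustness levels the paper states DLR aims for.
DLR_ROBUSTNESS = {"M1": "low", "M2": "medium", "M3": "medium"}


def final_grc(scenario, robustness):
    """Apply the M1-M3 corrections to the intrinsic GRC of a scenario."""
    grc = INTRINSIC_GRC_OVER_8M[scenario]
    for mitigation, credit in MITIGATION_CREDIT.items():
        grc += credit[robustness.get(mitigation, "none")]
    # SORA does not allow mitigations to lower the GRC below the value for
    # a controlled ground area in the same size column.
    return max(grc, INTRINSIC_GRC_OVER_8M["controlled_ground_area"])


def sail(grc, residual_arc):
    """Return the SAIL, or None when the final GRC is above 7."""
    if grc > 7:
        return None  # not supported in the 'specific' category
    return SAIL_TABLE[max(grc, 2)][ARC_COLUMNS.index(residual_arc)]


def assess(scenario, robustness, residual_arc):
    """Run the ground-risk branch and the SAIL lookup for one use case."""
    grc = final_grc(scenario, robustness)
    return {
        "initial_grc": INTRINSIC_GRC_OVER_8M[scenario],
        "final_grc": grc,
        "sail": sail(grc, residual_arc),
    }


def options_within_specific(scenario):
    """All (M1, M2, M3) robustness combinations with a final GRC <= 7."""
    options = []
    for m1, m2, m3 in product(LEVELS, repeat=3):
        grc = final_grc(scenario, {"M1": m1, "M2": m2, "M3": m3})
        if grc <= 7:
            options.append(((m1, m2, m3), grc))
    return options


if __name__ == "__main__":
    for scenario in ("bvlos_sparsely_populated", "bvlos_populated"):
        print(scenario, assess(scenario, DLR_ROBUSTNESS, "b"))
    print("Populated-case combinations that stay within the 'specific' category:")
    for levels, grc in options_within_specific("bvlos_populated"):
        print("  M1/M2/M3 =", levels, "-> final GRC", grc, "SAIL", sail(grc, "b"))
```

With the stated DLR robustness levels, the sparsely populated case reproduces the final GRC of 4 and SAIL III, while the populated case stays at 8 until at least M1 is raised to medium robustness.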

As shown in Fig. 1, the SAIL expresses how each of the 24 operational safety objectives (OSO) required by the SORA has to be fulfilled. All OSO are described in Annex E of the JARUS guidelines on SORA.

The following chapter discusses an operational concept to integrate a HAP system in civil airspace and as mentioned above, the necessary reasoning for an air risk reduction to ARC-b level.

4 Operational concept to integrate a HAP system into civil airspace regarding the SORA requirements

Strategic mitigation measures reducing the ARC have to be categorized along the flight phases. A distinction is made between climb, cruise and descent.

To be able to reduce the risk level during the climb and descent phases, separation from the rest of the traffic is assumed for this part of the flight. This means that these flight phases are carried out within restricted airspaces. It should be noted that such measures reduce the specific risk, but that the establishment or activation of appropriate flight restriction areas, depending on the traffic load at the planned flight location, results in an impairment of air traffic. In addition to the location of the restricted area, its spatial characteristics and the duration of the required activation are decisive for the magnitude of the impact. It must, therefore, be the aim to keep these effects as low as possible while at the same time fulfilling the safety requirements.

During mission flight as well as in special transfer flight phases, the HAP concept considered here assumes the use of an altitude range between 15.5 km and about 25 km. A descent below 20 km during the night will be performed to save electrical energy by the use of its potential energy. This corresponds with entering ICAO class A or C airspaces.

For class A airspaces, only Instrument Flight Rules (IFR) flights are permitted. All flights are provided with air traffic control service and are separated from each other. Class C airspace permits Instrument Flight Rules (IFR) and Visual Flight Rules (VFR) flights; all flights are provided with air traffic control service, and IFR flights are separated from other IFR flights and from VFR flights. VFR flights are separated from IFR flights and receive traffic information in respect of other VFR flights [9].

When a HAP has to descend to ICAO class A or class C airspaces, it has to comply with either IFR or VFR. However, it is obvious that a UAS cannot fly under VFR, and IFR addressing UAS have yet to be developed. Nevertheless, even the existing minimum equipment lists for IFR alone become quite a challenge for a HAP. The main reason is the aircraft’s limited mass budget because of the very high operational altitude, among other limiting factors such as available solar energy and battery technology. Considering especially the general operational concept of an unmanned HAP, for practical reasons carrying certain equipment elements does not seem to make sense, e.g. the integration of a Very-High-Frequency Omni-Directional Range (VOR) radio navigation system, Instrument Landing System (ILS) and other navigation systems required on manned civil aircraft. Another prerequisite is the ability to communicate directly with air traffic control (ATC) via Very-High-Frequency (VHF) radio. Usually, redundant VHF devices are provided for this purpose. Deviating from this requirement, alternative solutions would seem to make sense in which only one VHF device is integrated and a telephone connection to the controller is set up as a second communication channel. Following this approach, the situational awareness of the ATC could be held on an equal level without coming into conflict with the initial purpose of the redundant ATC communication. This approach also assumes that the remote pilot is in contact with the ATC at any time during the HAP mission. Even if HAP long-endurance missions are heavily automated, we expect that a remote pilot has to be aware of the HAP’s current status and its environment. Considering the necessary shift work, it seems plausible to have ATC communication availability comparable to civil manned aviation. This might be possible if operating procedures in favor of our approach, which make it possible to dispense with a further on-board radio system, are agreed with the relevant national authorities in the near future.

For the time the HAP flies in an altitude range above 20 km or FL600 (depending on the definition of the upper airspace limit; in some states above 22 km or FL660), it operates within a zone without clearly defined regulations. This altitude zone above 20 km is addressed as “Higher Airspace”, or “Near Space”—depending on whether it is seen from the aviation or space domain. Although controlled airspace in most states is defined up to an altitude of 20 km (FL600) or 22 km (FL660), technically the sovereignty of states over their airspace does not end there. As there is no defined delimitation of air and space, higher airspace theoretically stretches up to very high altitudes and currently represents a region of ambiguous regulation.

This near space is seeing increased interest not only by HAP but also by the expansion of commercial space flight activities (including suborbital flights) and the emergence of new high-speed concepts for passenger transport. The variety of potential operating modes represents a particular challenge, as the higher airspace will get populated by very different users who might want to persistently stay or transit vertically and horizontally through it at vastly different speeds.

Despite this expected development, however, it can be assumed at the present time that only a low volume of air traffic prevails at altitudes above 15.5 km. The operational altitude of some business jets reaches up to this altitude limit, while airliners fly up to a maximum altitude of just under 14 km. Higher altitudes have so far been used primarily by military aircraft. Military aircraft at high altitudes could be a problem considering limited detectability. To avoid possible conflicts, care must be taken to ensure that at least the HAP can be detected with sufficient reliability, e.g. by the transponder carried and by ATC awareness. Even if ATC is not directly available in some cases, information that a HAP is going to operate at high altitudes is useful to reduce conflict potential with military aircraft. To sum up, the overall low volume of traffic in the operational altitude band should make a significant contribution to reducing the ARC.

An aspect not covered by the SORA ARC is the case of emergency descents into lower airspaces that may become necessary due to system failures. There are at least two points that need to be considered here. Even without a type certification, a fully operable HAP has to be developed with a strong focus on reliability. Long-endurance operations require hundreds and thousands of continuous operating hours without any maintenance. As an example, a long-endurance operation of 100 days will add 2400 flight hours without maintenance to the HAP. To be able to survive such a mission with a decent likelihood, the HAP aircraft needs to have a failure rate of \(10^{-4}\) per flight hour or less. That is not quite civil manned aviation standard, but it is not a bad reliability either. The second point that needs to be considered is the emergency descent procedure. This procedure is strongly linked to manned aviation. The key factors are situational awareness of the pilots and ATC communication. In manned aviation, the pilot will have to detect at least the failure or the source of the problem and then inform the ATC about the emergency descent he has to perform. The handling in the case of a HAP can be quite similar. We stated before that the remote pilot and the remote crew as a whole need to have awareness of the aircraft’s status and environment at any time during the mission. This awareness shall also include detection of behavior that requires an emergency descent. The ATC will be informed of the emergency together with additional information on, for example, altitude as well as heading and expected descent corridor.

5 Future work

To perform UAS operations within the ‘specific’ category, a risk assessment prior to the operation is necessary. EASA Opinion No 1/2018 [5] mentions the SORA as an acceptable means of compliance. However, [2] and [3] do not explicitly mention the SORA. It remains to be seen whether SORA will be used widely as risk assessment in the ‘specific’ category. One important aspect is the applicability to the UAS type and the type of operation. HAPs, for example, are a very special type of UAS with unique properties and operational scenarios. When applied to a HAP, it seems that SORA is written with common UAS types in mind, such as small- and medium-size fixed-wing UAS or multi-rotor UAS. Even mitigations for air risk and ground risk do not seem to be designed for those ultra-lightweight high-altitude UAS. We showed that the application to a HAP relies on assumptions and guessing on more than one occasion and is thus difficult. That may be supported by the fact that until now, no HAP operation has been performed in civil airspace or with SORA applied. There might be many more cases where the applicability of the SORA might be questionable. However, we recommend using SORA as a basis in research projects such as DLR’s HAP and commenting on and justifying amendments to the general SORA requirements in dialogue with the competent aviation authorities. Nevertheless, compared to the whole certification process of the manufacturer and the aircraft itself, SORA is relatively easy to use and might be a good starting point for manufacturers, operators and authorities to get a feeling for how HAPs need to be handled.

When focusing on the ‘specific’ category and SORA, the ‘certified’ category, whose regulatory content has yet to be developed, has to be considered as well. It seems plausible, regarding the different certification specifications for manned aircraft which differ depending on aircraft size and purpose, that corresponding UAS certification specifications will also distinguish between different types of UAS. In fact, JARUS published a certification specification for UAS at the end of October 2019 [10]. This document is meant as guidance material to develop airworthiness design standards and can be used in combination with other acceptable standards for specific UAS types. As an example, there might be a unique certification specification for each type, e.g. very large UAS for transport purposes, UAS for passenger transport purposes and lightweight UAS that are still considered certified. Since SORA is designed to cover all potential operations between the ‘open’ category and the ‘certified’ category, it is likely that the “high-end” SORA SAIL will interfere with “low end” UAS certification specifications such as a certification specification for lightweight UAS. In this case, it is expected that most UAS operators and manufacturers will aim for the certification specification to get a type certification and be allowed to fly everywhere, in contrast to an approval in the ‘specific’ category which allows the operator to use the UAS for a defined operation in a defined location. In conclusion, it is still open if the ‘specific’ category with SORA, or a similar risk assessment, will be the favored option in the future or a newly developed certification specification, especially for lightweight UAS such as HAP.

Anyway, with respect to the increased interest in using higher airspace, it has already been recognized on an international level by states, industry and institutions—including ICAO—that this development will require actions regarding a common and interoperable concept of operation. There is a need “to ensure the interoperability of operations and standardization of processes … for the purpose of higher airspace operations and at the interface with controlled airspace below FL600” [11]. A possible approach to such a concept of operation for the higher airspace and near space regions has been presented in [12]. Considering the larger speed differences between operating vehicles in higher airspace, the outlined concept recognizes that the requirements for traffic control vary considerably from those of regular airspace. Tactical control, meaning short-term commands for traffic control and conflict avoidance by the ATM, becomes ineffective, and maintaining safe separation via preplanned flight trajectories becomes mandatory. This requires planning operations ahead in time so that they remain conflict free during their execution. Therefore, so-called 4D operating zones get attached to each vehicle, which then might be managed by a system under supervision of an appropriate entity or driven by the operators themselves. Developments in the currently discussed concepts for management of unmanned systems can also be taken into account here, like UTM (Unmanned Traffic Management) or U-Space [13, 14], which intend to support a safe, efficient and secure access to airspace for large numbers of drones by providing a set of new services and specific procedures. The monitoring of compliance with the planned flight trajectories in the described environment poses a significant challenge, as the expected diverse operating modes might not be commonly equipped and the current surveillance infrastructure has not been designed to cover the respective area of operation sufficiently. This will require an approach using a multi-source surveillance system which also includes operators providing their vehicle state vectors as well as intended flight plans.

The approach described above is not an explicit solution to the applicability of SORA to HAP operations, nor to the certification requirements of HAPs. However, we think we have described a way to help enable future high-altitude operations and to further improve ‘specific’ and ‘certified’ category operations. 4D operating zones along with UTM/U-Space services could be a promising answer to the problems we faced when we assessed the SORA air risk including possible strategic and necessary tactical mitigations. The approach will be further researched as DLR’s own high-altitude platform project evolves.