After a lengthy preparation, the so-called AMC amendment containing SORA 2.5 was published on the European Aviation Safety Agency’s (EASA) website on September 29. The renewed AMC (Acceptable Means of Compliance) describes the new methodology for mandatory risk analysis in the special operation category, which must be applied uniformly throughout the European Union. Applications for new operational authorisations should now be submitted in accordance with SORA 2.5, while incumbent operational authorisations (including the documentation of LUC holders) must be brought into line with SORA 2.5 within two years, as per the EASA decision. In our series of articles, we will review the most significant changes affecting the methodology.
The SORA methodology has retained the 10-step structure even after the announcement of version 2.5, in which the 10th step, i.e., the development of a comprehensive safety portfolio (CSP), is rarely discussed in detail.
However, the renewed methodology tries to provide more instructions about CSP. Another important factor is that various digital solutions (e.g., electronic, software-based registration systems) are playing an increasingly important role in drone operations (similar to other branches of aviation).
In the case of LUC holders, the legislation explicitly requires that the safety risks associated with services or products provided by subcontractors be assessed and mitigated as part of the aviation safety management system. Various software (e.g., Google Docs, MS Teams, etc.) are typically such services that must be taken into account in the so-called hazard register (during the registration of hazards) and managed appropriately. This includes ensuring that the operator provides adequate back-up, e.g., on paper or digitally, or that the service contract provides backup.
SORA 2.5 requires all special categories of operators, not just LUC holders, that if external services are used, the CSP must include a reference to the agreements defining the responsibilities between the service provider and the operator (SLA – Service Level Agreement). It must also detail the functionality, limitations, and performance of the external services.The outage of Amazon Web Services, or Office 365, led to the temporary shutdown of numerous other internet services worldwide. That is, it also affected those who are not or are not directly connected to these cloud providers. Therefore, in the future, in addition to cybersecurity, UAS operators will also have to pay attention to internet and software resilience and redundancy, already under the SORA.