SORA: The Risk Framework Everyone Needs

Piyo looks confused. "SORA? Is that a person?"

What is SORA?

SORA = "Specific Operations Risk Assessment"

It's a framework to:

  1. Identify hazards (what could go wrong?)
  2. Assess severity (how bad if it happens?)
  3. Evaluate likelihood (how often would it happen?)
  4. Implement mitigation (how do we reduce risk?)
  5. Determine acceptability (is the risk acceptable?)

Developed by: Netherlands, with support from EASA, ICAO

SORA Framework Basics

Risk Matrix (Severity × Likelihood = Risk Level):

| Severity | Low Likelihood | Medium Likelihood | High Likelihood |
|---|---|---|---|
| Catastrophic | Medium Risk | High Risk | Unacceptable |
| Severe | Low Risk | Medium Risk | High Risk |
| Moderate | Low Risk | Low Risk | Medium Risk |
| Minor | Low Risk | Low Risk | Low Risk |

SORA Process:
  1. Baseline Risk: Assume no mitigations
  2. Mitigation Strategy: Add controls (barriers, training, equipment)
  3. Residual Risk: Risk after mitigations
  4. Approval Decision: Accept, require more mitigation, or deny

9-Country SORA Approach

    🇬🇧 United Kingdom

    | Feature | Details |
    |---|---|
    | Framework Adoption | CAA uses EASA SORA guidelines; integrated into OpAuth process |
    | Methodology | Structured risk assessment; documentation required |
    | Operator Responsibility | Operator must conduct and document SORA |
    | Hazard Categories | People, property, aircraft, environmental |
    | Mitigation Options | Technical, operational, organizational controls |
    | Approval Authority | CAA Special Flight Permission (SFP) review |
    | Common Mitigations | Barriers, spotters, observer, RTK, insurance, training |
    | Documentation | 5–15 page risk assessment typical |
    ---

    🇩🇪 Germany

    | Feature | Details |
    |---|---|
    | Framework Adoption | LBA aligns with EASA SORA (strict interpretation) |
    | Methodology | Detailed hazard analysis; engineering focus |
    | Operator Responsibility | Operator documents risk; LBA reviews thoroughly |
    | Hazard Categories | People, property, aircraft, airspace, environment |
    | Mitigation Options | Technical preferred; operational as backup |
    | Approval Authority | LBA with possible expert consultation |
    | Common Mitigations | Parachute systems, redundant electronics, RTK, perimeter barriers |
    | Documentation | 10–20 page assessment; engineering-level |

    🇫🇷 France

    | Feature | Details |
    |---|---|
    | Framework Adoption | DGAC uses simplified SORA; less rigid than Germany |
    | Methodology | Structured but flexible approach |
    | Operator Responsibility | Operator submits risk assessment; DGAC verifies |
    | Hazard Categories | People, property, aircraft, environment (standard) |
    | Mitigation Options | Balanced: technical + operational acceptable |
    | Approval Authority | DGAC can approve with reasonable mitigations |
    | Common Mitigations | Spotters, barriers, insurance, training, modest tech |
    | Documentation | 5–10 page assessment (typical) |

    🇳🇱 Netherlands

    | Feature | Details |
    |---|---|
    | Framework Adoption | ILT developed SORA with EASA; original framework owner |
    | Methodology | Structured; detailed quantitative risk analysis |
    | Operator Responsibility | Operator conducts SORA; ILT facilitates |
    | Hazard Categories | People, property, aircraft, airspace, environment |
    | Mitigation Options | Technical, operational, organizational (all acceptable) |
    | Approval Authority | ILT reviews; reasonable acceptance threshold |
    | Common Mitigations | Comprehensive: barriers, RTK, observers, insurance, contingency |
    | Documentation | 8–15 page assessment |

    🇸🇪 Sweden

    | Feature | Details |
    |---|---|
    | Framework Adoption | Transportstyrelsen uses SORA; conservative interpretation |
    | Methodology | Detailed; aerospace industry standard |
    | Operator Responsibility | Operator documents; Transportstyrelsen scrutinizes deeply |
    | Hazard Categories | People, property, aircraft, airspace, environmental, noise |
    | Mitigation Options | Technical preferred; high bar for operational mitigations |
    | Approval Authority | Transportstyrelsen (very selective approval) |
    | Common Mitigations | Redundant systems, RTK, parachute, insurance, training |
    | Documentation | 15–25 page detailed assessment |

    🇦🇺 Australia

    | Feature | Details |
    |---|---|
    | Framework Adoption | CASA developed similar framework (pre-SORA); now SORA-aligned |
    | Methodology | Risk management approach; practical assessment |
    | Operator Responsibility | Operator submits risk assessment; CASA reviews |
    | Hazard Categories | People, property, aircraft, environment (standard) |
    | Mitigation Options | Balanced: all mitigation types acceptable if justified |
    | Approval Authority | CASA (industry-cooperative; reasonable approval threshold) |
    | Common Mitigations | Spotters, barriers, insurance, RTK, training |
    | Documentation | 5–10 page assessment (practical, not overly bureaucratic) |

    🇳🇿 New Zealand

    | Feature | Details |
    |---|---|
    | Framework Adoption | CAA NZ uses SORA approach; accessible interpretation |
    | Methodology | Structured; practical risk assessment |
    | Operator Responsibility | Operator submits assessment; CAA reviews |
    | Hazard Categories | People, property, aircraft, environment |
    | Mitigation Options | All types acceptable if effectively justified |
    | Approval Authority | CAA NZ (cooperative; reasonable approval threshold) |
    | Common Mitigations | Spotters, barriers, insurance, RTK, contingency planning |
    | Documentation | 5–10 page assessment |
    ---

    🇨🇦 Canada

    | Feature | Details |
    |---|---|
    | Framework Adoption | Transport Canada moving toward SORA alignment |
    | Methodology | Risk management; practical, outcome-focused |
    | Operator Responsibility | Operator submits risk assessment; Transport Canada reviews |
    | Hazard Categories | People, property, aircraft, environment |
    | Mitigation Options | All types acceptable; practical focus |
    | Approval Authority | Transport Canada (reasonable approval threshold) |
    | Common Mitigations | Spotters, barriers, insurance, RTK, contingency |
    | Documentation | 5–10 page assessment |
    ---

    🇯🇵 Japan

    | Feature | Details |
    |---|---|
    | Framework Adoption | MLIT developing SORA-aligned framework |
    | Methodology | Structured; beginning to use SORA terminology |
    | Operator Responsibility | Operator submits via DIPS system; MLIT reviews |
    | Hazard Categories | People, property, aircraft, environment |
    | Mitigation Options | Technical preferred initially; operational growing |
    | Approval Authority | MLIT (increasingly sophisticated review) |
    | Common Mitigations | Spotters, barriers, insurance, RTK, training |
    | Documentation | 5–10 page assessment (DIPS-formatted) |
    ---

    SORA Assessment Comparison

    | Country | Rigidity | Technical Bias | Operational Mitigations | Approval Threshold | Doc Length |
    |---|---|---|---|---|---|
    | 🇸🇪 SE | Very high | Strong | Discouraged | Very high | 15–25 pages |
    | 🇩🇪 DE | High | Strong | Accepted | High | 10–20 pages |
    | 🇬🇧 UK | High | Moderate | Accepted | High | 5–15 pages |
    | 🇳🇱 NL | Moderate | Moderate | Balanced | Moderate | 8–15 pages |
    | 🇯🇵 JP | Moderate | Strong | Growing | Moderate | 5–10 pages |
    | 🇨🇦 CA | Moderate | Weak | Strong | Moderate | 5–10 pages |
    | 🇦🇺 AU | Low | Weak | Strong | Moderate | 5–10 pages |
    | 🇳🇿 NZ | Low | Weak | Strong | Moderate | 5–10 pages |
    | 🇫🇷 FR | Low | Moderate | Strong | Moderate | 5–10 pages |
    ---

    FAQ: SORA Risk Assessment

    Q1: Do I have to conduct a SORA assessment?

    Poppo: "It depends on your country and operation type:"

    | Country | Always Required | Sometimes | Never |
    |---|---|---|---|
    | 🇬🇧 UK | OpAuth operations | Exemptions possible | Recreational only |
    | 🇩🇪 DE | Commercial operations | Residential inspection | Recreational only |
    | 🇫🇷 FR | Complex operations | Simple visual | Recreational only |
    | 🇦🇺 AU | Category 2+; over-people | Category 1; simple ops | Recreational < 2 kg |
    | 🇳🇿 NZ | Category 2+; over-people | Category 1; simple ops | Recreational < 2 kg |
    | 🇨🇦 CA | SFOC operations | Exemptions | Recreational |
    | 🇯🇵 JP | All commercial | DIPS-waivered ops | Recreational |

    Q2: How do I write a SORA assessment?

    Poppo's 10-Step Process:

    Step 1: Define the Operation
    • Drone model & weight
    • Location & altitude
    • Duration & frequency
    • Environmental conditions
    • Operator experience

    Step 2: Identify Hazards
    • List all potential failures:
      • Loss of control
      • Battery failure
      • Signal loss
      • Propeller damage
      • Weather deterioration

    Step 3: Assess Severity (0–4 scale)
    • 0 = No injury
    • 1 = Minor injury (scrapes, small fractures)
    • 2 = Serious injury (lost limb equivalent)
    • 3 = Fatality or major property damage (€500K+)
    • 4 = Multiple fatalities or catastrophic (€5M+)

    Step 4: Assess Likelihood (1–5 scale)
    • 1 = Extremely unlikely (< 1 in 1M chance)
    • 2 = Unlikely (1 in 100K–1M)
    • 3 = Moderate (1 in 1K–100K)
    • 4 = Likely (1 in 100–1K)
    • 5 = Very likely (> 1 in 100)

    Step 5: Calculate Initial Risk
    • Risk = Severity × Likelihood
    • 16–20 = Unacceptable (redesign required)
    • 12–15 = High (mitigations mandatory)
    • 6–11 = Medium (mitigations recommended)
    • < 6 = Low (acceptable as-is)

    Step 6: Identify Mitigations

    For each hazard, list controls:

    • Technical: Redundant systems, parachutes, RTK, lights
    • Operational: Spotters, barriers, distance rules, weather limits
    • Organizational: Training, insurance, contingency plans

    Step 7: Assess Mitigation Effectiveness

    For each mitigation, estimate risk reduction:

    • Remove 50% of risk?
    • Remove 75%?
    • Remove 90%?

    Step 8: Calculate Residual Risk
    • Apply mitigation effectiveness
    • New risk = Original risk × (1 – effectiveness)
    • Target: Residual risk < 6 (low/acceptable)

    Step 9: Determine Acceptability
    • Residual < 4: Acceptable (low risk)
    • 4–6: Acceptable with conditions (insurance, training)
    • 6–8: Marginal (more mitigations needed)
    • > 8: Unacceptable (operation redesign required)

    Step 10: Document Everything
    • Write 5–15 page report
    • Include:
      • Operation description
      • Hazard matrix
      • Mitigation strategies
      • Residual risk calculation
      • Approval authority information
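
Steps 3 to 9 above, worked through as a small hazard register. This is an added example, not part of the original guide or any regulator's tool; the hazards, scores and effectiveness figures are constructed. It assumes that several mitigations on one hazard act independently (their reductions multiply) and treats a residual of exactly 6, which Step 9 lists in two bands, as Marginal because Step 8 targets a residual below 6.

```python
from dataclasses import dataclass, field
from math import prod

VERDICTS = ["Acceptable", "Acceptable with conditions", "Marginal", "Unacceptable"]

@dataclass
class Hazard:
    name: str
    severity: int        # Step 3 scale, 0-4
    likelihood: int      # Step 4 scale, 1-5
    mitigations: dict = field(default_factory=dict)  # control -> effectiveness, 0-1

    def __post_init__(self):
        if not 0 <= self.severity <= 4 or not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: score outside the Step 3/4 scales")
        if any(not 0 <= e <= 1 for e in self.mitigations.values()):
            raise ValueError(f"{self.name}: effectiveness must be between 0 and 1")

    @property
    def baseline(self):  # Step 5: Risk = Severity x Likelihood
        return self.severity * self.likelihood

    @property
    def residual(self):  # Step 8; assumes independent mitigations, so reductions multiply
        return round(self.baseline * prod(1 - e for e in self.mitigations.values()), 2)

def initial_band(score):  # Step 5 bands
    for floor, band in ((16, "Unacceptable"), (12, "High"), (6, "Medium")):
        if score >= floor:
            return band
    return "Low"

def acceptability(residual):  # Step 9 bands; exactly 6 is treated as Marginal
    if residual < 4:
        return VERDICTS[0]
    if residual < 6:
        return VERDICTS[1]
    return VERDICTS[2] if residual <= 8 else VERDICTS[3]

def assess(hazards):  # the worst hazard decides the operation verdict
    rows = [(h.name, h.baseline, initial_band(h.baseline), h.residual,
             acceptability(h.residual)) for h in hazards]
    return rows, max((r[4] for r in rows), key=VERDICTS.index)

REGISTER = [  # constructed rooftop-inspection register, illustrative values only
    Hazard("Loss of control", 3, 4, {"RTK": 0.75, "Barriers": 0.5}),
    Hazard("Battery failure", 3, 3, {"Redundant battery": 0.5}),
    Hazard("Signal loss", 2, 3),
]
```

Calling `assess(REGISTER)` returns one row per hazard plus the operation verdict; the unmitigated "Signal loss" hazard sits exactly on the boundary and holds the whole operation at Marginal until a control is added.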

    Tools Available:
    • EASA Concept Paper (free): https://www.easa.europa.eu/
    • Netherlands SORA Tool (free): https://www.nl-sora.org/ (original)
    • Consultants: €500–€2,000 to write assessment for you

      Q3: What's the difference between "baseline risk" and "residual risk"?

      Poppo's Explanation:

      Baseline Risk = Risk without any mitigations
      • Assume drone will fail at some point
      • Assume people could be in path
      • Worst-case scenario assessment

      Example: Rooftop inspection baseline = High Risk
      • Drone could lose control
      • Could hit people below
      • Could damage property
      • No mitigations assumed

      Residual Risk = Risk after all mitigations applied
      • Assume spotters in place
      • Assume people warned away
      • Assume RTK backup
      • Assume insurance

      Example: Same rooftop with mitigations = Low Risk
      • Spotters watch for hazards
      • Barriers keep people back
      • RTK reduces control loss chance by 95%
      • Insurance covers remaining risk

      Q4: What mitigations does each country prefer?

      Poppo's Country Breakdown:

      Technical Mitigations (Preferred in Germany, Sweden):
      • Parachute systems (active or ballistic)
      • Redundant propulsion/batteries
      • RTK/GNSS backup systems
      • Electronic geofencing
      • Advanced obstacle detection
      • Failsafe automatic landing

      Cost: +€2,000–€10,000 per mitigation

      Operational Mitigations (Preferred in Australia, New Zealand, Canada):
      • Spotters/observers
      • Physical barriers/distance rules
      • Weather limits (wind speed, visibility)
      • Airspace coordination
      • Training requirements
      • Contingency planning

      Cost: +€500–€2,000 (mostly labor)

      Organizational Mitigations (Universally Required):
      • Insurance (€1,000–€5,000/year)
      • Training/certification (€500–€1,500)
      • Risk assessment documentation (€200–€2,000)
      • Emergency procedures manual (€100–€500)

      Regional Preference Matrix:

      | Region | 1st Choice | 2nd Choice | 3rd Choice |
      |---|---|---|---|
      | 🇪🇺 EU | Technical | Organizational | Operational |
      | 🇦🇺🇳🇿 | Operational | Technical | Organizational |
      | 🇨🇦 | Operational | Technical | Organizational |
      | 🇯🇵 | Technical | Operational | Organizational |
      ---

      Q5: What's a good residual risk target?

      Poppo's Guidance:

      Risk Acceptance Levels (by operation type):

      | Operation | Target Residual Risk | Example |
      |---|---|---|
      | Recreational (private) | < 4 (low) | Back-garden flying |
      | Professional (simple) | < 6 (low–moderate) | Aerial photography, roof inspection |
      | Professional (complex) | < 8 (moderate) | Event filming, delivery trial |
      | Critical infrastructure | < 4 (low) | Power line inspection, emergency response |
      | Over populated areas | < 3 (very low) | Urban delivery pilots |

      Regulatory Thresholds:
      • 🇦🇺 AU: Accepts up to ~8 (risk-tolerant)
      • 🇫🇷 FR: Accepts up to ~7 (permissive)
      • 🇬🇧 UK: Targets < 6 (moderate caution)
      • 🇩🇪 DE: Targets < 5 (cautious)
      • 🇸🇪 SE: Targets < 4 (very cautious)

      Q6: Can I use someone else's SORA assessment as a template?

      Poppo: "Not directly, but it helps:"

      What You Can't Do:
      • Copy another operator's assessment verbatim
      • Submit same assessment for different operation
      • Claim someone else's mitigations as your own

      What You Can Do:
      • Use structure/format as template
      • Reference similar operations
      • Cite published mitigations (e.g., EASA guidance)
      • Quote best practices from other assessments
      • Work with consultant who reviews multiple cases

      Reality: Most SORA assessments are 70–80% similar in structure. Differences are:
      • Specific hazards to your location
      • Your mitigation strategy
      • Your operator experience/training
      • Your equipment specs

      Q7: How often do I need to update my SORA assessment?

      Update Triggers:

      | Trigger | Frequency | Action |
      |---|---|---|
      | Regulatory change | Annual check | Update risk categories if rules change |
      | Incident/near-miss | As-needed | Revise mitigation; resubmit |
      | Equipment change | Per change | Update technical mitigations |
      | Location change | Per location | New assessment for different area |
      | Operator change | Per change | Update experience/training level |
      | Risk evidence | If emerging data | Revise severity/likelihood if needed |

      General Rule: Review annually; update if operation changes significantly.

      Q8: What happens if my SORA is rejected?

      Poppo's Recovery Path:

      Rejection Reasons (typical):
      1. Insufficient mitigations (risk still too high)
      2. Unrealistic mitigations (claimed effectiveness not supported)
      3. Missing documentation (hazards not identified)
      4. Non-compliance with local rules (operation violates airspace restrictions)
      5. Operator experience (insufficient training documented)

      Recovery Steps:
      1. Contact Regulator: Get specific feedback on rejection
      2. Analyze Feedback: Understand specific concerns
      3. Enhance Mitigations: Add technical or operational controls
      4. Rewrite Assessment: Incorporate new mitigations with evidence
      5. Resubmit: Include cover letter explaining changes
      6. Follow Up: Expect approval in 2–4 weeks (typically)

      Approval Rate: ~70–80% on first submission (with consultant help: ~90%)

      Q9: Can I operate while SORA is pending approval?

      Poppo: "No. Here's why:"

      Legal Status:
      • SORA Approved: You have authority to operate (with conditions)
      • SORA Pending: You do NOT have authority to operate
      • SORA Rejected: You cannot operate (redesign required)

      Exception: If regulator grants interim permission (rare; typically for emergency response only)

      Timeline Impact: Must plan 4–8 weeks approval time before intended operation date.

      Q10: Is SORA required if I'm using exemptions?

      Poppo: "Usually yes; here's the breakdown:"

      | Scenario | SORA Required |
      |---|---|
      | Full commercial authorization | Yes (mandatory) |
      | Exemption (low-risk operations) | Maybe (depends on country) |
      | Exemption (over-people ops) | Yes (typically) |
      | Exemption (airspace waiver) | Yes (typically) |
      | Recreational < 2 kg, no payment | No (exempt) |
      | Emergency response (government) | Maybe (often waived) |

      Key Takeaway: SORA is Risk Insurance

      Piyo's Final Question: "So SORA is just paperwork?"

      Poppo's Answer:

      "No. SORA forces you to think through every failure scenario and how you'll prevent it. It's the difference between 'hoping nothing goes wrong' and 'proving nothing bad can happen.' Regulators love it because it shows professionalism."

      SORA's Real Value:

      • Systematically identifies hazards (what you missed)
      • Quantifies risk (so you know your actual exposure)
      • Mandates mitigations (prevents wishful thinking)
      • Documents decisions (protects you legally if incident occurs)
      • Builds confidence (regulators, clients, insurers, yourself)

      Last Updated: April 2026

      Accuracy: Based on latest EASA SORA guidance and country-specific implementations

      SORA continues evolving. Check EASA and your regulator's latest guidance annually.