Navigating EASA’s SORA: flight control strategies for SAIL III certification

Drone operations are becoming increasingly integral to industrial, commercial and governmental applications. As these platforms expand in complexity and frequency of use, ensuring their safe integration into civil airspace becomes a central regulatory concern. The European Union Aviation Safety Agency (EASA) addresses this challenge through the adoption of the Specific Operations Risk Assessment (SORA) methodology, formalized under EU Regulation 2019/947. SORA introduces the concept of Specific Assurance and Integrity Levels (SAIL), which define the rigour of safety and assurance requirements based on the operational risk.

SAIL III marks a transition from foundational procedural controls to the need for clearly defined technical mitigations. This level is typically assigned to operations conducted in sparsely populated areas, near sensitive zones or under moderate complexity, where failures may present increased risk to uninvolved persons or airspace users. SAIL III introduces formal Operational Safety Objectives (OSOs) that must be addressed through demonstrable Means of Compliance (MoCs).

This whitepaper outlines the OSOs triggered at SAIL III and provides guidance on applicable MoCs, referencing the standards and evidence required by Annex E to AMC1 of Regulation (EU) 2019/947. It also presents the technical solutions incorporated in Veronte Autopilot to address these requirements. The objective is to support UAS manufacturers and operators pursuing flight approval in SAIL III scenarios by clarifying regulatory expectations and providing a clear path to compliance.

As outlined in Annex E to AMC1 of EU Regulation 2019/947 and the official Means of Compliance published by EASA, SAIL III introduces several Operational Safety Objectives (OSOs) that require structured Means of Compliance (MoCs). These requirements reflect the medium-risk profile associated with SAIL III operations and focus on ensuring system safety, communication integrity, operational control and environmental robustness. Key OSOs related to the flight control unit and their implications include:

• OSO #5 – System safety and reliability: The UAS must be shown to meet reliability targets suitable for SAIL III. The MoC requires a documented process to perform a Functional Hazard Assessment (FHA), Fault Tree Analysis (FTA) and Failure Mode and Effects Analysis (FMEA). These must demonstrate that failure conditions do not lead to an uncontrolled situation. Mean Time Between Failures (MTBF) shall be substantiated through field data, testing or analysis. Redundancy strategies must be traceable to system safety objectives and the supporting evidence included in the certification documentation.
• OSO #6 – Communication integrity: This requirement ensures that the C2 link performance is adequate to safely conduct the intended operation. The MoC defines a structured process involving description of the C2 system, analysis of coverage, latency, continuity, availability, integrity and link protection. Specifically:
  • Coverage and maximum range must be assessed analytically and verified through testing.
  • Latency must be determined for the entire command loop and remain within acceptable limits for safe UA control.
  • Integrity should be ensured using CRC mechanisms such as CRC32 (Ethernet polynomial 0x04C11DB7) or equivalent.
  • Link protection should follow ASD-STAN prEN 4709-001 or EUROCAE ED-325 guidance.
  • External services (LTE, SATCOM) may be used but must be validated in testing and documented in the flight manual.
  • Pre-flight checks, continuous link monitoring and fallback behaviors (e.g. automatic return-to-home) must be defined and verifiable. These elements must be substantiated by the UAS designer using documented tests, analysis and inclusion in the flight manual.
• OSO #18 – Flight performance and control: Requires implementation of an automatic flight envelope protection system to prevent the remote pilot from exceeding design limits during manual operation. This includes defining the limit envelope, identifying protected parameters (e.g. speed, attitude, angular rates) and validating protection through test, analysis or simulation. The system must allow the pilot to regain appropriate control and be clearly documented. If the remote pilot does not have means to operate the UA outside its flight envelope, this OSO may not apply.
• OSO #6 and OSO #19 – Containment and termination: The UAS must remain within a defined operational volume. The Means of Compliance require that this is achieved through a combination of geofencing/geocaging, monitoring of deviation and pre-defined contingency procedures. Flight Termination Systems (FTS) must be integrated and tested to ensure safe mission abort in case of containment breach. Acceptable methods include parachute deployment, ground landing or system shutdown. Triggering mechanisms may be automatic or manually initiated by a dissimilar SuC. Compliance is demonstrated through test reports, simulations and procedural documentation referenced in the flight manual.
• OSO #24 – Environmental qualification: UAS must be designed and qualified to operate within defined environmental conditions. The environmental envelope must be specified in the flight manual and supported by evidence derived from laboratory, flight and/or ground tests. Minimum environmental parameters to be assessed include wind, temperature, pressure altitude, vibration and humidity. Optional conditions like rain, hail, snow, icing and HIRF may be addressed by testing or by imposing operational limitations. Compliance may be demonstrated using DO-160G or equivalent standards and supporting documentation must be provided.

These MoCs ensure that aircraft operating under SAIL III can demonstrate a controlled response to foreseeable failure conditions and maintain operational safety integrity.

Veronte Autopilot incorporates architecture and processes that directly address the technical  Means of Compliance (MoCs) associated with SAIL III, building upon the foundational safety features already validated for SAIL I and II. Many of the functions presented at lower SAIL levels, such as real-time geofencing, datalink redundancy and robust system supervision, remain fully relevant, but are now augmented by enhanced reliability, environmental resilience and active control strategies required to meet the increased assurance demands of SAIL III.

• System reliability & MTBF: Veronte Autopilot is offered in both 1x (sensor-redundant) and 4x (system-redundant) configurations. The 1x variant integrates redundant sensors and dissimilar safety micro controller, while the 4x provides full redundancy with cross-checking architecture. These systems have well-defined MTBF figures and are backed by structured safety analyses including FHA, FMEA and FTA, which are available in certification support documentation.
• Secure datalinks: Multiple datalink options are supported, including LOS, 4G and SATCOM, which can be configured redundantly. From firmware version 8.0, communications adheres to NATO STANAG 4586. Integrity checks such as CRC32 ensure that command and telemetry streams maintain the fidelity required by OSO #6.
• Flight envelope management: Veronte Autopilot implements automatic protection mechanisms to enforce flight envelope boundaries, adapting control laws dynamically during motor or actuator failures. Multiple envelopes can be assigned to different flight phases, supporting compliance with OSO #18.
• Environmental qualification: Units are tested under DO-160G standards for temperature, vibration, humidity and EMI/EMC. The environmental operating envelope is defined and documented in the DDP (Declaration of Design and Performance). Additional testing options include laboratory and flight tests as outlined in MoC OSO #24-01.
• FTS integration: The system supports multiple types of FTS including parachute deployment, autorotation landing and power cut-off. Activation can be manual or automatic via a dissimilar safety microcontroller (SuC), which operates on an independent power supply and monitors system health continuously.
• Containment strategies: Geofencing and geocaging mechanisms, compliant with ED-269 and ED-270 European regulatory standards, are embedded in the control logic to enforce operational boundaries in real-time. These strategies are supported by containment monitoring, loss-of-link routines and integrated triggers for FTS, aligning with the expectations of OSO #10.
• Health monitoring and logging: Continuous supervision of subsystems with high-frequency data logging enables operational traceability and supports failure investigation. These logs contribute to verifying compliance with OSO #12 and overall system reliability.
• Certification support tools: Embention can generate a dedicated SAIL III datapack, containing structured MoC templates, safety documentation, interface control documents (ICDs) and validation reports. Additionally, hardware units can be delivered with their corresponding Declaration of Design and Performance (DDP), Certificate of Conformance (CoC) and Acceptance Test Report (ATR). All documentation is aligned with Annex E to AMC1 of Regulation (EU) 2019/947 to streamline submission to the competent authority.

Veronte Autopilot provides certifiable features necessary to meet the expectations of SAIL III operations under SORA. Its modular, redundant architecture, certified development processes and robust integration of safety features enable platform developers to pursue operations involving higher risk with full regulatory alignment.

To streamline certification efforts, Embention offers a dedicated SAIL III datapack. This includes documentation covering MoCs, system reliability analyses, environmental test results and configuration support. It is tailored to facilitate the SORA compliance process and speed up flight approval under SAIL III. Whether applying for operations in controlled airspace or sparsely populated zones, the datapack provides a ready-to-submit framework aligned with Annex E to AMC1 of Regulation (EU) 2019/947.

Veronte Autopilot has been deployed globally and is already integrated into workflows seeking approval under EU Regulation 2019/947.

Thanks to the Veronte Autopilot compliance with the DO178C and DO254, the same platform can be upgraded to meet higher SAIL levels and even Certified Category requirements, optimizing development continuity.

Embention remains committed to evolving its technologies and documentation in line with customer needs, field feedback and regulatory updates.

• How to get flight approval under SAIL III?
  Conduct a SORA assessment, determine SAIL III and submit MoCs for each OSO to the competent authority.
• What documents are needed to certify under SAIL III?
  The typically needed documents are:  flight manual, safety case, MoCs per OSO, reliability, environmental testing and operational procedures.
• What operations typically fall under SAIL III?
  Missions in sparsely populated areas or controlled airspace, where the operational risk is moderate and requires active mitigation of failure conditions.
• What are the main OSOs triggered at this level for the autopilot system?
  System reliability, communication integrity, flight performance control and environmental resilience.
• Does Veronte Autopilot support SAIL III compliance?
  Yes. It addresses all key MoCs through its certified development, redundancy and containment features.
• Is a datapack available to support flight approval?
  Yes. Embention offers a SAIL III datapack tailored to regulatory submissions.

• Annex E to AMC1 to Article 11 of Regulation (EU) 2019/947
• JARUS SORA v2.0
• EU Regulation 2019/947 & 2019/945
• RTCA DO-160G, DO-178C, DO-254
• NATO STANAG 4586
• Embention Documentation

Embention is a leading provider of avionics and safety-critical components for unmanned systems, enabling advanced autonomous operations across various sectors. Since 2007, Embention’s solutions have been deployed in more than 70 countries and integrated into different platforms including UAVs, eVTOLs and high-altitude drones.

Veronte Autopilot is at the core of this ecosystem, offering certifiable flight control with support for DO-178C and DO-254, along with flexible I/O and mission-configurable logic.

All Embention processes follow ISO 9001, EN 9100 and ISO 27001 standards, ensuring quality, safety and cybersecurity. The company is also certified as APDOA and POA, reinforcing its role as a strategic enabler for certified UAS operations in the European market and beyond.