SAIL IV: Flight controller means of compliance framework for SAIL IV certification

Airworthiness
Pere Llorenç Martínez (Airworthiness and Safety Team Member)
Matteo Fiorio (Stakeholder Engagement Manager)
Publication date: 2025/10/03   |   Version: 1.0

1. Introduction

Drone operations are increasingly common in both civil and commercial environments. As missions grow in complexity and take place in shared or sensitive airspace, a structured approach to risk management becomes critical. The Specific Operations Risk Assessment (SORA) methodology, adopted by EASA under Regulation (EU) 2019/947, provides a scalable framework that ties operational risk to assurance levels known as SAIL (Specific Assurance and Integrity Levels).

SAIL IV marks the beginning of high-integrity requirements where design-related mitigation becomes essential. This level introduces stringent expectations for system robustness, redundancy and fault containment. Unlike lower SAILs, where procedural mitigations may suffice, SAIL IV demands a technical demonstration of compliance for multiple Operational Safety Objectives (OSOs).

According to EASA’s DVR Guidelines, a Design Verification Report (DVR) is mandatory for any UAS operating under SAIL IV, especially when enhanced containment or high robustness design features are claimed. The DVR serves as a formal validation that the UAS meets the applicable OSOs and supports national authorities in issuing operational approvals.

This whitepaper outlines how Veronte Autopilot supports SAIL IV flight approval through its certifiable avionics architecture and compliance-ready documentation. It provides an overview of the applicable MoCs, technical safety measures and design assurance activities based on EASA’s Special Condition Light UAS.

2. MoCs overview for SAIL IV

For the medium-risk level (SAIL IV), the UAS design must demonstrate compliance with safety, reliability and integrity requirements for critical systems, including the flight control system, C2 links and environmental qualification.

EASA requires that the design-related Operational Safety Objectives (OSOs) are demonstrated through a Design Verification Process, applying the Means of Compliance (MoCs) associated with the Special Conditions (SCs) for flight control systems and their implications.

  • Light-UAS.2510 – Systems, Equipment and Installation: Equipment must be designed to avoid loss of control and catastrophic failure. This includes:
    • Demonstrating protection from single-point failures (Light-UAS.2510(a)(2))
    • Providing development assurance aligned with ED-79B, DO-178C/DO-254 (Light-UAS.2510(a)(1), (3))
    • Ensuring alerting and fault detection mechanisms for failure management
  • Light-UAS.2511 – Containment: Generally applied to SAIL IV unless an adequate justification allows lower robustness. Demonstrates system resilience via:
    • Geofencing and geocaging strategies
    • Emergency containment (e.g. independent FTS)
  • Light-UAS.2512 – Mitigation Means Linked to Design: Includes FTS, redundancy architectures and autonomous control logic for fail-operational behavior.

The Design Verification Requirements (DVR Guidelines) consist of a full design verification application, which must include:

  • SORA with mapped OSOs and robustness levels
  • Description of typical operations and environmental constraints
  • Design verification basis (DVB) with compliance means
  • Design Verification Programme (DVP) including MoCs, test methods and traceability

3. Veronte Autopilot compliance strategy

Veronte Autopilot extends its architecture and assurance processes to meet the technical demands of SAIL IV operations, strengthening the architecture validated at lower SAIL levels. It is developed under a DO-178C and DO-254 framework with full Design Assurance Level (DAL) B support, providing the technical integrity required for mid-risk UAS missions. Available in multiple redundancy configurations, including 1x (sensor-redundancy), 4x (system-redundancy) and DRx (distributed-redundancy), Veronte enables scalable compliance aligned with the operational risk.

Its key features include:

  • Redundant architecture: Veronte Autopilot offers both embedded and distributed redundancy schemes, depending on the selected configuration.
    The 4x architecture provides embedded redundancy within a single unit, integrating multiple cores, duplicated sensor interfaces and isolated power distribution. This design eliminates single points of failure and ensures continuity under fault conditions.
    The DRx (Distributed Redundancy) configuration distributes redundant components across independent physical modules, mitigating zonal failure risks such as localized fire or impact.
    Both architectures are designed to maintain control authority and data integrity in the event of partial system degradation, supporting compliance with OSO #5 and Light-UAS.2510.
  • DO-178C/DO-254 aligned development: Software and hardware development strictly follow Design Assurance Level (DAL) B requirements. All critical systems are developed under the rigor defined in ED-12C (DO-178C) and ED-80 (DO-254), including traceability, configuration control, verification and quality assurance. These processes are regularly audited and validated to support medium-risk operations.
  • Flight Termination System (FTS): Configurable with multiple actuation options, compliant with containment and enhanced containment expectations.
  • Geofencing and geocaging: Real-time spatial awareness supported by GNSS and custom volume enforcement logic.
  • Health monitoring and logging: Comprehensive data recording, alerting and failure prediction capabilities support MoCs for safety objectives.
  • Design Verification Readiness: Embention can provide all required documentation for DVR application:
    • Detailed system architecture and interfaces
    • DVP and MoC plans
    • Test protocols and validation results
    • Declaration of Design and Performance (DDP), CoC and ATR
  • Certification documentation package: Embention can generate a SAIL IV certification datapack tailored to the customer’s configuration. The Veronte Autopilot certification datapack is also available, including DO-178C and DO-254 certification artefacts such as PSACs, SDP, SVP, hardware plans, traceability matrices, source code listings and associated test reports. This comprehensive documentation is designed to meet EASA expectations for system and software assurance at DAL B.

4. Common questions about SAIL IV approvals

  • How to apply for a DVR under SORA for a drone?
    Begin by developing a SORA assessment that maps operational risk to SAIL IV, then submit a Design Verification Programme (DVP) and Means of Compliance (MoCs) to EASA with all supporting documentation.
  • What kind of operations are classified as SAIL IV?
    Operations in medium-risk environments, often near populated areas, critical infrastructure or in shared airspace requiring formal design verification.
  • What documents are needed to apply for SAIL IV flight approval?
    SORA, OSO mapping, MoCs per design objective, Design Verification Programme (DVP), architecture diagrams, test results and limitations.
  • What is a Design Verification Report (DVR)?
    A DVR is a formal declaration from EASA that the UAS design meets technical requirements for the claimed SAIL level, based on submitted MoCs and testing.
  • Can Veronte Autopilot support DVR-based approvals?
    Yes. It includes a full documentation package aligned with EASA MoCs, including DDP, CoC, ATR and system validation.
  • What subsystems are evaluated for compliance at SAIL IV?
    Systems related to control, containment, communications, redundancy, failure management and environmental performance.

5. Conclusions and next steps

Veronte Autopilot enables UAS manufacturers to meet the robust compliance criteria of SAIL IV operations. Its architecture supports requirements across system integrity, failure management and environmental resilience—all of which are key to obtaining SAIL IV flight approval from EASA. With built-in redundancy, environmental resilience, fail-operational safety and documented development processes, it provides a certifiable baseline for mid-risk operations.

Embention supports its clients with a complete SAIL IV certification datapack, including support for EASA’s design verification process. The platform is also extensible to Certified Category with DAL A support and TSO pathways under development.

7. About Embention

Embention is a leading provider of avionics and safety-critical components for unmanned systems, enabling advanced autonomous operations across various sectors. Since 2007, Embention’s solutions have been deployed in more than 70 countries and integrated into different platforms including UAVs, eVTOLs and high-altitude drones.

Veronte Autopilot is at the core of this ecosystem, offering certifiable flight control with support for DO-178C and DO-254, along with flexible I/O and mission-configurable logic.

All Embention processes follow ISO 9001, EN 9100 and ISO 27001 standards, ensuring quality, safety and cybersecurity. The company is also certified as APDOA and POA, reinforcing its role as a strategic enabler for certified UAS operations in the European market and beyond.
