
SAIL I & II: Operational SORA Framework for SAIL I–II autopilot compliance

Airworthiness
Pere Llorenç Martínez (Airworthiness and Safety Team Member)
Matteo Fiorio (Stakeholder Engagement Manager)
Version: 1.0

1. Introduction

Drone operations are rapidly expanding across sectors, requiring structured risk management. The SORA framework, defined by JARUS and adopted in EU Regulation 2019/947, introduces Specific Assurance and Integrity Levels (SAIL) to align safety requirements with operational risk.

SAIL I and II typically correspond to low-risk missions such as flights over controlled areas, operations in segregated airspace or deployments of lightweight drones in sparsely populated zones. These scenarios still demand containment strategies, reliable communications and traceable decision-making to ensure public and airspace safety.

SAIL I and II represent the lower end of the risk spectrum in the SORA framework. These levels introduce a limited number of Operational Safety Objectives (OSOs) as defined in SORA documentation. These OSOs are safety requirements or objectives that an operator must meet to manage the risks associated with a drone operation, requiring appropriate guidelines related to command and control reliability, containment and operational procedures.

This whitepaper outlines the recommendations applicable to SAIL I and II operations, highlighting how common safety architectures and embedded system capabilities align with the regulatory expectations established by JARUS and formalized in EU Regulation 2019/947.

2. OSOs overview for SAIL I & II

According to the JARUS SORA framework and ED-336 guidance for SAIL I and II, the main OSOs applicable to the flight controller, and their implications, concern:

  • Operational containment: The UAS must remain within a predefined volume of airspace. This can be achieved through geofencing, geocaging or pilot discipline, ensuring the aircraft does not pose a hazard to uninvolved persons or manned traffic.
  • Command and control link integrity: The remote pilot must maintain continuous control of the aircraft. The system must be resilient to link loss or degradation, with predefined procedures or mechanisms (e.g. lost-link routines or flight termination) in place to handle such events.
  • Flight termination: While not mandatory at these levels, inclusion of a Flight Termination System (FTS) or equivalent mechanism is considered a strong mitigation to avoid uncontrolled flight in case of system failure.
  • Basic redundancy and monitoring: Though not a formal requirement, the use of health monitoring, status logging and basic redundancy (e.g. power supply, communication paths) is recommended to ensure operational traceability and increase reliability, allowing early detection of failures and safe recovery in case of technical issues.
  • Procedural mitigations: Operators are expected to implement robust checklists, pre-flight inspections and mission planning protocols to ensure safe conduct under low-risk scenarios.

These directions are intended to demonstrate that UAS operations under SAIL I and II remain safe and controllable even with limited technical mitigations, relying primarily on procedural and containment-based strategies in compliance with EU Regulation 2019/947 and JARUS SORA methodology.

3. Veronte Autopilot compliance strategy

Veronte Autopilot is engineered to meet safety and certification objectives across all UAS categories, including low-risk SAIL I and II operations, directly meeting OSOs #6 and #10. While these levels do not demand complex mitigations, Veronte Autopilot embeds advanced architectural safeguards that align with current regulatory expectations and enable seamless scalability.

  • Geofencing and geocaging: Veronte Autopilot incorporates built-in geofencing and geocaging functionalities compliant with the ED-269 and ED-270 European regulatory standards, including Commission Implementing Regulation (EU) 2019/947. These tools restrict the operational area of the aircraft in real time, supporting containment strategies and helping ensure compliance with airspace integration requirements.
  • Dissimilar safety microcontroller (SuC): A key feature in Veronte Autopilot is the integration of a dissimilar microcontroller, which continuously monitors the health of the main system. It can independently activate a Flight Termination System (FTS) in response to critical failures or upon operator request. The SuC includes an independent power input, ensuring its operation even in the event of a total system failure, and serves as a robust containment mechanism when the primary control is compromised.
  • Modular redundancy and MTBF: Veronte Autopilot is available in both single (1x) and redundant (4x) configurations. The 1x version already incorporates sensor redundancy to enhance fault tolerance, while the 4x variant adds independent computing elements, diverse sensor fusion paths and power source separation. These architectural choices improve system availability and reduce the likelihood of critical failures. MTBF values are fully characterized and available for both variants.
  • Direct and configurable FTS integration: Veronte Autopilot supports various FTS mechanisms, such as parachute deployment, power cutoff or autorotation. These are fully programmable using Veronte PDI Builder, allowing mission-specific behavior and automated intervention scenarios.
  • Compliance with DO standards: Veronte Autopilot software is developed under DO-178C processes and its hardware follows DO-254 design assurance principles (currently up to Level B). This ensures robust traceability, configuration management and failure handling even in low-risk applications, supporting compliance with OSO #10.
  • Health monitoring and data logging: Continuous internal monitoring and detailed logging provide traceability across all flight phases. This allows post-flight validation and supports incident investigation and regulatory audits.
  • Support for regulatory documentation: Embention offers comprehensive support materials on demand, including Interface Control Documents (ICDs), requirement traceability matrices, safety analysis and templates to support compliance with SORA. In addition, hardware units are delivered with their corresponding Declaration of Design and Performance (DDP), Certificate of Conformance (CoC) and Acceptance Test Report (ATR), ensuring full traceability and production compliance.

Together, these capabilities position Veronte Autopilot as a strong foundation for platform developers addressing SAIL I and II, while providing headroom for future regulatory escalation without hardware changes.

4. Conclusions and next steps

Veronte Autopilot delivers a robust set of features and safety mechanisms that exceed the baseline expectations of SAIL I and II. It is an ideal system for manufacturers and operators seeking flight approval under SORA, especially for low-risk operations in SAIL I and II. Through a dissimilar safety microcontroller, integrated containment and rigorous assurance processes, Veronte Autopilot enables platform developers to meet compliance objectives efficiently.

To support regulatory submissions, Embention can provide a dedicated SAIL I & II datapack, including documentation and verification artifacts to operate under SORA.

The same platform, without hardware changes, can be adapted to meet higher SAIL levels, reducing development costs and simplifying certification pathways throughout the UAS lifecycle.

Future developments at Embention include expanded flight envelope protections, DO-178C & DO-254 Level A, ETSO certification and continuous improvements based on customer feedback, operational experience and evolving regulatory requirements.

5. Common questions about SAIL I & II approvals

  • What operations qualify for SAIL I and II?
    Low-risk missions such as flights over controlled areas or in sparsely populated zones.
  • Is a Flight Termination System mandatory for SAIL I?
    Not required, but recommended as a strong mitigation strategy.
  • Does Veronte Autopilot meet SORA compliance for SAIL I and II?
    Yes. It includes geofencing, FTS integration and full documentation support.
  • How do I get flight approval under EU 2019/947 for SAIL I/II?
    By completing a SORA analysis and submitting relevant documentation to the competent authority. Embention’s datapack supports this process.
  • Can SAIL I & II platforms be upgraded to higher SAIL levels later?
    Yes. Veronte Autopilot supports scaling from SAIL I up to Certified Category without hardware changes.

7. About Embention

Embention is a leading provider of avionics and safety-critical components for unmanned systems, enabling advanced autonomous operations across various sectors. Since 2007, Embention’s solutions have been deployed in more than 70 countries and integrated into different platforms including UAVs, eVTOLs and high-altitude drones.

Veronte Autopilot is at the core of this ecosystem, offering certifiable flight control with support for DO-178C and DO-254, along with flexible I/O and mission-configurable logic.

All Embention processes follow ISO 9001, EN 9100 and ISO 27001 standards, ensuring quality, safety and cybersecurity. The company is also certified as APDOA and POA, reinforcing its role as a strategic enabler for certified UAS operations in the European market and beyond.
