ATC Decomposition: Component Classification and Missing-Subsystem Coverage
System
The {{entity:Air Traffic Control System}} is an en-route and terminal area ATCS managing controlled airspace for civil aviation. The project entered this session with 9 subsystems classified and 28 requirements — a credible top-level scaffold but with four subsystems ({{entity:Aeronautical Information Management}}, {{entity:Data Distribution Network}}, {{entity:ATC System Monitoring and Control Subsystem}}, {{entity:Recording and Replay System}}) carrying zero requirements. The session focused on two things in parallel: component-level decomposition of the two highest-risk subsystems, and plugging the zero-coverage gap for the four underspecified subsystems.
Decomposition
Eight new components were classified. For the {{entity:Safety Net System}} ({{hex:51F77B59}}), the internal architecture resolves to three functional modules: the {{entity:Conflict Detection Processor}} ({{hex:51F73218}}), which runs the pairwise closest-point-of-approach algorithm over all active tracks within a 5-minute lookahead window; the {{entity:Minimum Safe Altitude Warning Module}} ({{hex:50F77818}}), which cross-checks Mode C altitude against a 3D terrain model; and the {{entity:Alert Management Module}} ({{hex:41F77918}}), which filters, prioritises, and routes alerts to the correct Controller Working Position without exceeding the 3-false-alerts/sector/hour nuisance threshold. All three run on dedicated SIL 3 hardware isolated from the operational processing path.
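An added sketch of the pairwise closest-point-of-approach check with the 5-minute lookahead described above; it is not the project's code. The 5 NM / 1000 ft separation minima, the flat local plane, constant velocities, level flight and the sample tracks are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from itertools import combinations

LOOKAHEAD_S = 300.0  # 5-minute lookahead window from the text
H_MIN_NM = 5.0       # assumed horizontal separation minimum
V_MIN_FT = 1000.0    # assumed vertical separation minimum

@dataclass(frozen=True)
class Track:
    callsign: str
    x_nm: float    # position in a flat local plane (assumption)
    y_nm: float
    vx_kt: float   # constant velocity (assumption)
    vy_kt: float
    alt_ft: float  # level flight (assumption)

def cpa(a, b, lookahead_s=LOOKAHEAD_S):
    """Time (s) and horizontal distance (NM) of closest approach, clamped to the window."""
    rx, ry = b.x_nm - a.x_nm, b.y_nm - a.y_nm
    vx = (b.vx_kt - a.vx_kt) / 3600.0  # relative velocity in NM/s
    vy = (b.vy_kt - a.vy_kt) / 3600.0
    v2 = vx * vx + vy * vy
    # Zero relative velocity: the range never changes, so "now" is the CPA.
    t = 0.0 if v2 == 0.0 else -(rx * vx + ry * vy) / v2
    t = min(max(t, 0.0), lookahead_s)  # diverging pairs clamp to 0, distant ones to 300 s
    return t, math.hypot(rx + vx * t, ry + vy * t)

def detect_conflicts(tracks):
    """Check every pair; report those predicted to lose both separations in the window."""
    alerts = []
    for a, b in combinations(tracks, 2):
        if abs(a.alt_ft - b.alt_ft) >= V_MIN_FT:
            continue  # vertically separated
        t, d = cpa(a, b)
        if d < H_MIN_NM:
            alerts.append((a.callsign, b.callsign, round(t), round(d, 2)))
    return alerts

# Constructed sample tracks (not real traffic).
TRACKS = [
    Track("AAA101", 0.0, 0.0, 480.0, 0.0, 35000.0),
    Track("BBB202", 40.0, 0.0, -480.0, 0.0, 35000.0),    # head-on with AAA101
    Track("CCC303", 20.0, 2.0, 480.0, 0.0, 37000.0),     # 2000 ft above the others
    Track("DDD404", 0.0, 60.0, 480.0, 0.0, 35000.0),
    Track("EEE505", 100.0, 60.0, -480.0, 0.0, 35000.0),  # head-on with DDD404, CPA past 300 s
]
```

Only the AAA101/BBB202 pair raises an alert: DDD404/EEE505 would meet at 375 s, so within the window their closest range is still 20 NM.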
For the {{entity:Surveillance Data Processing}} subsystem ({{hex:50F73319}}), two components were classified: the {{entity:Multi-Sensor Fusion Engine}} ({{hex:51F73319}}) and the {{entity:Track Quality Monitor}} ({{hex:51F77308}}). The Fusion Engine ingests PSR, SSR, ADS-B, and MLAT simultaneously using a Kalman-filter approach and must produce fused output within 500 ms at <250 m RMS. The {{entity:Track-Plan Correlator}} ({{hex:40B53308}}) was added to Flight Data Processing as the component that binds surveillance tracks to flight plans within the 30-second correlation target.
PART_OF relationships were stored for all six new components.
flowchart TB
SNS["Safety Net System hex:51F77B59"]
CDP["Conflict Detection Processor hex:51F73218"]
AMM["Alert Management Module hex:41F77918"]
MSAW["MSAW Module hex:50F77818"]
SDP["Surveillance Data Processing hex:50F73319"]
MSF["Multi-Sensor Fusion Engine hex:51F73319"]
TQM["Track Quality Monitor hex:51F77308"]
FDP["Flight Data Processing hex:40B57B58"]
TPC["Track-Plan Correlator hex:40B53308"]
SDP --> MSF
SDP --> TQM
SDP -->|Fused tracks| SNS
SNS --> CDP
SNS --> AMM
SNS --> MSAW
FDP --> TPC
SDP -->|ASTERIX Cat 062| FDP
Analysis
The {{entity:Multi-Sensor Fusion Engine}} at {{hex:51F73319}} is an exact trait match with the Sensor Fusion Engine found in the autonomous vehicle corpus — the same 32 traits, identical hex. Both ingest heterogeneous positional sensor streams, apply statistical fusion, and produce a unified spatial state picture for downstream safety consumers. The structural parallel extends to failure modes: in both domains, sensor drop-out triggers coasting (last-known-velocity extrapolation) and the fusion engine must propagate uncertainty growth to consumers before position error exceeds the safety threshold.
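An added sketch of coasting with uncertainty propagation, not taken from the project: a predict-only Kalman covariance step per missed update, with the growing RMS position error reported to consumers at each step. Reusing the 250 m RMS fused-output bound as the coasting limit, the white-noise acceleration model, the 1 s update period and the starting covariance are all assumptions.

```python
import math

RMS_LIMIT_M = 250.0  # the page's fused-output bound, reused as the coasting limit (assumption)

def predict(p, dt, sigma_a):
    """Predict-only covariance step for one axis, state [position, velocity].

    p is (P00, P01, P11); this is F P F^T + Q with no measurement update.
    """
    p00, p01, p11 = p
    q = sigma_a ** 2  # white-noise acceleration variance (assumed manoeuvre model)
    return (p00 + 2 * dt * p01 + dt * dt * p11 + q * dt ** 4 / 4,
            p01 + dt * p11 + q * dt ** 3 / 2,
            p11 + q * dt * dt)

def coast(p0, dt, sigma_a, max_s):
    """Return one (t_s, rms_m, status) report per coasted update period."""
    reports, p, t = [], p0, 0.0
    while t < max_s:
        p = predict(p, dt, sigma_a)
        t += dt
        rms = math.sqrt(2 * p[0])  # both horizontal axes assumed to share the same covariance
        status = "COASTING" if rms <= RMS_LIMIT_M else "OVER_LIMIT"
        reports.append((t, rms, status))
    return reports

def time_to_limit(reports):
    """First coasting time at which the reported RMS error is over the limit, or None."""
    return next((t for t, _, status in reports if status == "OVER_LIMIT"), None)

# Constructed starting covariance: 50 m position sigma, 5 m/s velocity sigma per axis.
P0 = (50.0 ** 2, 0.0, 5.0 ** 2)
```

With no manoeuvre noise the constructed track stays within the limit for 33 s of coasting; allowing 1 m/s² of unmodelled acceleration shortens that to 28 s, which is why the growth has to be published with every coasted report rather than only when the limit is hit.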
The {{entity:Conflict Detection Processor}} ({{hex:51F73218}}) differs by one bit from the LiDAR Processing Unit ({{hex:51F73219}}) used in autonomous vehicles — both perform real-time geometric separation computation for safety-critical avoidance. The ATC variant operates at the 5-minute lookahead scale; the LiDAR unit at sub-second. The Fire Control Computer in naval CMS shares the same computational structure: predict intercept geometry, apply safety envelope thresholds, generate actionable alerts.
Requirements
Fourteen requirements were added. The four previously zero-coverage subsystems now have substantive specifications: AIM has three requirements covering AIRAC database currency (ICAO Annex 15 compliance, 28-day cycle), 50 ms query latency to FDP, and 60-second NOTAM distribution. DDN received two requirements — 10 ms latency for safety-critical traffic with QoS isolation, and 50 ms failover on link failure (derived from SYS-REQ-003). SMC received health monitoring detection within 5 seconds and a configuration management requirement with automatic rollback. RRS received continuous recording with 1 ms timestamp accuracy and variable-speed replay for incident investigation.
A new interface requirement ({{ifc:IFC-REQ-010}}) was created for the SNS-to-CWP alert delivery path: 500 ms delivery on a dedicated high-priority DDN channel, directly derived from {{sys:SYS-REQ-004}}. Architecture decisions cover DDN VLAN isolation (physical segmentation of safety-critical traffic, not just tagged VLANs) and AIM dual-database design (live plus staging, 2-hour rollback window on AIRAC activation). Two new verification entries address DDN latency by synthetic injection test and CWP display performance by high-speed camera measurement.
Nine new trace links were created, extending the STK→SYS→SUB chain for separation assurance, availability, and conflict detection. The project now has 42 requirements and 33 trace links.
Next
Requirements for the three SNS components are missing: CDP, AMM, and MSAW each need quantified performance bounds and trace links to SUB-REQ-003/004. The ATC Data Distribution Network entity was classified ({{hex:40A57018}}) but the component-level decomposition of its redundant ring topology has not been done. The five remaining subsystem pairs with no interface requirements (FDP↔AIM, SDP↔DDN, SMC↔all, RRS↔DDN) need IFC entries. VER coverage is at 5/42 — a QC pass will be needed once the decomposition reaches first-pass complete, targeting ≥50% VER coverage of SUB+IFC requirements.