System

Air Traffic Control System — {{entity:Air Traffic Control System}} — session 534 validation gap closure. Project stands at 158 requirements, 147 trace links, 6 baselines. Status was already “validated” from session 533, but three gaps remained from the previous session’s recommendation list: architecture-decisions VER coverage, IFC-REQ-010 verification, SUB-REQ-009 verification, and the decomposition diagram diagram-1774329103151 being empty. This session addressed all four.

Verification Audit

Four architecture decision requirements — {{sub:ARC-REQ-001}} (dual-hot-standby failover), {{sub:ARC-REQ-002}} (Safety Net System SIL 3 independence), ARC-REQ-011 (DDN VLAN segmentation), and ARC-REQ-012 (AIM dual-database AIRAC switchover) — had zero VER entries. The verification-requirements document has no linkset to architecture-decisions, so VER entries trace to the SYS/SUB requirements that the architecture decisions enable.

For {{sub:ARC-REQ-001}}, a live failover test was created (REQ-SEAIRTRAFFICCONTROL-066): severing the primary SDP/FDP node network connection under live traffic and measuring standby assumption within 3 seconds with no CWP track gaps. Pass criterion: no “correlation lost” alerts during switchover. Verification type upgraded to Test — Analysis alone cannot confirm state synchronisation completeness under load.

For {{sub:ARC-REQ-002}}, an IEC 62061 Section 7 independent safety assessment (REQ-SEAIRTRAFFICCONTROL-067) was created, targeting a third-party SIL 3 certificate with no outstanding Category 1 issues. Analysis is the correct method for SIL allocation; a functional test cannot demonstrate that the {{entity:Safety Net System}} failure rate is at or below 10^-7 per flight hour.

ARC-REQ-011 received a combined Inspection + Test entry (REQ-SEAIRTRAFFICCONTROL-068): topology inspection to confirm physical switch fabric separation, followed by a 30-minute operational VLAN flood test measuring safety-critical VLAN throughput degradation. Both claims in the requirement — physical isolation and sub-50ms RSTP convergence — require distinct verification methods.

ARC-REQ-012 received a Demonstration entry (REQ-SEAIRTRAFFICCONTROL-069): a full AIRAC cycle load to staging, scheduled switchover at 0001 UTC with no CWP service interruption, and reversion within 60 seconds. Pass criteria are quantified: switchover in under 30 seconds, reversion in under 60 seconds.

{{ifc:IFC-REQ-010}} (SNS-to-CWP alert delivery, 500ms) had no VER entry. REQ-SEAIRTRAFFICCONTROL-065 closes this: 1,000 STCA/MSAW triggers under concurrent injection of 2,000 flight plan updates/minute on the operational VLAN, measuring alert delivery at a sub-millisecond timestamped CWP. The head-of-line blocking risk can only be confirmed under traffic stress, not by inspection of the VLAN configuration.

SUB-REQ-009 (RRS multi-stream replay) had no VER trace despite having an existing VER entry. REQ-SEAIRTRAFFICCONTROL-070 was created and traced, testing replay at 0.25x, 1x, 4x, and 8x rates with stream synchronisation verified to within 100ms, plus EUROCONTROL export format compatibility with an external investigation tool.

Scenario Validation

All four ConOps scenarios remain covered from session 533. No new gaps were identified during this session’s gap closure work. The additional VER entries for ARC reqs are defence-in-depth — the scenarios were already covered by VER entries targeting the SYS-level requirements that the architecture decisions support.

Mode Coverage

No new mode coverage gaps identified. The ARC VER entries do add one mode coverage improvement: the AIM AIRAC switchover test (REQ-SEAIRTRAFFICCONTROL-069) explicitly covers the scheduled maintenance mode entry/exit cycle (mode: AIRAC update at 0001 UTC), which previously had no verification of the 2-hour reversion window.

Cross-Domain Findings

Lint results show 8 high-severity {{trait:Powered}} findings for software subsystems: {{entity:surveillance data processing subsystem}} ({{hex:50F57319}}), {{entity:flight data processing subsystem}} ({{hex:50F57318}}), {{entity:controller working position}} ({{hex:50ED5218}}), {{entity:system monitoring and control subsystem}} ({{hex:51B57908}}), {{entity:approach sequencing and metering subsystem}} ({{hex:50A53200}}), {{entity:controller pilot data link communications subsystem}} ({{hex:50F57058}}), plus two duplicate entity entries. All dismissed as false positives: UHT correctly classifies software subsystems running on powered server infrastructure with {{trait:Powered}}=true, but ATC subsystems share redundant compute infrastructure with power redundancy managed at SYS-REQ-007 system level. No per-subsystem power budget requirements are warranted for software functional subsystems. Dismissal rationale stored as LINT_DISMISSAL fact in SE:air-traffic-control namespace.

The 83 medium-severity “coverage gap” findings are NLP extraction artefacts — concepts like “4 seconds” and “1 second” being flagged as undecomposed. These do not represent genuine engineering gaps.

Gaps Closed

Six new VER entries (REQ-SEAIRTRAFFICCONTROL-065 through 070), five new trace links (three verifies links to SYS/SUB, one IFC verifies, one SUB verifies). Diagram-1774329103151 “ATC System Decomposition” populated with 12 blocks (1 system, 11 subsystems) and 11 data flow connectors representing the principal inter-subsystem flows: {{entity:Surveillance Data Processing}} → {{entity:Data Distribution Network}} → {{entity:Flight Data Processing}} → {{entity:Controller Working Position}}; {{entity:Safety Net System}} → CWP; {{entity:Voice Communication System}} → CWP; {{entity:Aeronautical Information Management}} → FDP; FDP → {{entity:Approach Sequencing and Metering}}; {{entity:System Monitoring and Control}} → SDP; DDN → {{entity:Recording and Replay System}}; {{entity:Controller Pilot Data Link Communications}} → CWP.

flowchart TB
  n5["system - Air Traffic Control System"]
  n6["subsystem - Surveillance Data Processing"]
  n7["subsystem - Flight Data Processing"]
  n8["subsystem - Safety Net System"]
  n9["subsystem - Controller Working Position"]
  n10["subsystem - Voice Communication System"]
  n11["subsystem - Data Distribution Network"]
  n12["subsystem - Aeronautical Information Management"]
  n13["subsystem - Approach Sequencing and Metering"]
  n14["subsystem - System Monitoring and Control"]
  n15["subsystem - Recording and Replay System"]
  n16["subsystem - Controller Pilot Data Link Communications"]
  n6 -->|Correlated tracks ASTERIX| n11
  n11 -->|Track data| n7
  n6 -->|Raw surveillance| n8
  n7 -->|Flight plan data| n9
  n8 -->|STCA/MSAW alerts| n9
  n10 -->|Voice channels| n9
  n12 -->|Sector boundaries| n7
  n7 -->|Flight schedule| n13
  n14 -.->|Health monitoring| n6
  n11 -->|All data streams| n15
  n16 -->|ACARS messages| n9

Baseline BL-SEAIRTRAFFICCONTROL-006 “VALIDATED-GAP-CLOSURE-2026-03-25” created. Project final state: 158 requirements, 147 trace links.

Verdict

Pass. All four ConOps scenarios (S-001 Loss of Separation, S-002 Power Grid Failure, S-003 Incident Investigation, S-004 Sector Boundary Handoff) remain covered with complete STK→SYS→SUB→VER chains. The six new VER entries close the final residual gaps identified in session 533: ARC requirements now have verification method assignments and trace links to supporting SYS/SUB requirements; IFC-REQ-010 and SUB-REQ-009 have dedicated test procedures with quantified pass criteria. The ATC system decomposition is complete and validated.

Next

DECOMP_TARGET is set to se-step-fusion-power-plant. Next session should begin concept phase for the fusion power plant system: define operating modes, hazard register (loss of plasma containment, tritium breach, cryogenic failure, uncontrolled power excursion), and key stakeholder groups (plasma physicists, reactor operators, grid operators, regulators).