Maintenance Scenario Gap Closed, Duplicate VERs Purged, SIL-3 Chain Confirmed
System
Air Traffic Control System, {{entity:Air Traffic Control System}} — final validation pass on a project with 166 requirements across 6 documents, 182 trace links, and 77 verification entries. Prior sessions 532–538 built the VER layer from zero. This session audits the result end-to-end and resolves remaining gaps.
Verification Audit
Ten VER requirements sampled from the {{entity:Surveillance Data Processing}} through {{entity:Safety Net System}} chain. All use Test verification with quantified pass/fail criteria and specific test configurations (track counts, time bounds, equipment setup). The one deliberate use of Analysis — {{sub:VER-REQ-002}} for the 10⁻⁶ STCA missed-detection probability — is justified: statistical testing at that probability requires hundreds of millions of trials, making IEC 61508 fault tree analysis the only practical verification method. Belt-and-suspenders coverage is provided by {{sub:VER-REQ-013}}, a 1000-scenario adversarial replay test that validates the statistical FTA claim at the system integration level.
Six duplicate VER entries (VER-REQ-040, 042, 046, 048, 054, 056) identified from prior sessions and tagged duplicate-of their originals were confirmed redundant: each original already carries the same trace targets with identical or stronger acceptance criteria. All six deleted; SUB-REQ-030 coverage preserved via VER-REQ-038, which was carrying both SUB-REQ-029 and SUB-REQ-030 before the duplicate was created.
A ref-collision artefact was noted: requirements {{entity:Aeronautical Information Management}}, {{entity:Data Distribution Network}}, {{entity:System Monitoring and Control}}, and {{entity:Recording and Replay System}} were assigned IDs REQ-SEAIRTRAFFICCONTROL-001 through 012 and received the same human-readable refs as the original SUB-REQ-001 through 008 series. Trace integrity is intact — all links resolve to specific internal IDs, not refs — but the overlap creates ambiguity in trace tables. Logged; no correction possible without re-numbering the original series.
Scenario Validation
All five ConOps scenarios validated with complete STK→SYS→SUB/IFC→VER chains:
S-001 Loss of Separation Alert: {{stk:STK-REQ-001}} → {{sys:SYS-REQ-004}} → {{sub:SUB-REQ-003}} (STCA scan cycle), {{sub:SUB-REQ-004}} (missed-detection probability), {{sub:SUB-REQ-012}} (alert generation) → VER-REQ-023, VER-REQ-029, VER-REQ-002, VER-REQ-013, VER-REQ-035. Chain complete.
S-002 Power Grid Failure: {{stk:STK-REQ-002}} → {{sys:SYS-REQ-007}} → SUB-REQ-039 (ATS switchover), SUB-REQ-040 (diesel endurance) → VER-REQ-082, VER-REQ-083. VER-REQ-016 covers SYS-level dual-source switchover. Chain complete.
S-003 CAA Incident Investigation: {{stk:STK-REQ-007}} → {{sys:SYS-REQ-011}} → {{sub:SUB-REQ-008}} (continuous recording), {{sub:SUB-REQ-022}} (tamper-evident format) → VER-REQ-018, VER-REQ-034, VER-REQ-050. {{ifc:IFC-REQ-015}} (RRS→SMC interface) → VER-REQ-071. Chain complete.
S-004 Sector Boundary Handoff: {{stk:STK-REQ-005}} → {{sys:SYS-REQ-010}} → {{sub:SUB-REQ-035}} (OLDI ABI/ACT/REV/LAM) → VER-REQ-059. VER-REQ-019 covers CFMU acceptance environment interoperability. Chain complete.
S-005 Maintenance LRU Replacement: Gap identified. {{stk:STK-REQ-008}} requires LRU replacement without service interruption and 30-minute restoration — it linked only to {{sys:SYS-REQ-009}} (degraded mode continuity), which covers operational continuity during failure but does not address the maintenance interface protocol or restoration time bound. {{sys:SYS-REQ-013}} created with 30-minute restoration Test requirement, traced from STK-REQ-008 and supported by SYS-REQ-009. {{sub:VER-REQ-088}} created: live-load hot-swap test for all LRU types with pass criterion of zero service interruption and ≤30 minute restoration.
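The three mechanical checks this audit performs (STK→SYS→SUB/IFC→VER chain completeness per scenario, duplicate VER entries that verify the same targets with the same criteria, and human-readable refs shared by different internal IDs) are small graph operations once the project is modelled as records keyed by internal ID plus typed trace links. The following Python sketch is an added illustration, not tooling from the original report or its requirements platform. It assumes a link convention of its own (derives runs parent → child, verifies runs VER → verified requirement), treats the lowest-numbered VER in a duplicate group as the original, and runs on a constructed mini-project loosely patterned on scenario S-005; none of the IDs below are the project's.

```python
"""Trace-graph audit: chain completeness, duplicate VERs, ref collisions.

Added example, not the project's tooling. Link convention is an assumption:
('parent', 'child', 'derives') and ('ver', 'target', 'verifies').
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Req:
    iid: str            # internal ID; links resolve to this, never to ref
    ref: str            # human-readable ref shown in trace tables (may collide)
    layer: str          # STK, SYS, SUB, IFC or VER
    criteria: str = ""  # acceptance criteria text (VER entries only)


class TraceModel:
    def __init__(self, reqs, links):
        self.reqs = {r.iid: r for r in reqs}
        self.children = defaultdict(list)   # derives: parent -> [child]
        self.verifiers = defaultdict(list)  # verifies: requirement -> [VER]
        self.targets = defaultdict(list)    # verifies: VER -> [requirement]
        for src, dst, kind in links:
            if src not in self.reqs or dst not in self.reqs:
                raise ValueError(f"dangling link {src} -> {dst}")  # links must resolve to IDs
            if kind == "derives":
                self.children[src].append(dst)
            elif kind == "verifies":
                self.verifiers[dst].append(src)
                self.targets[src].append(dst)
            else:
                raise ValueError(f"unknown link kind {kind!r}")

    def unverified_leaves(self, root):
        """Walk the decomposition tree from a STK requirement and return every
        leaf (no further decomposition) that no VER entry verifies.
        An empty list means the STK -> ... -> VER chain is complete."""
        gaps, seen, stack = [], set(), [root]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            kids = self.children.get(node, [])
            if kids:
                stack.extend(kids)
            elif not self.verifiers.get(node):
                gaps.append(node)
        return sorted(gaps)

    def duplicate_vers(self):
        """(duplicate, original) pairs: same verify targets and identical
        criteria after whitespace/case normalisation. A criterion that is merely
        stronger than another is not detected here; that comparison needs a reader."""
        groups = defaultdict(list)
        for iid, req in self.reqs.items():
            if req.layer != "VER":
                continue
            key = (frozenset(self.targets[iid]), " ".join(req.criteria.lower().split()))
            groups[key].append(iid)
        dups = []
        for members in groups.values():
            original, *rest = sorted(members)  # assumption: lowest ID is the original
            dups.extend((d, original) for d in rest)
        return sorted(dups)

    def ref_collisions(self):
        """Refs reused by more than one internal ID; links still resolve, but
        trace tables keyed on ref become ambiguous."""
        by_ref = defaultdict(list)
        for r in self.reqs.values():
            by_ref[r.ref].append(r.iid)
        return {ref: sorted(ids) for ref, ids in by_ref.items() if len(ids) > 1}


def sample_model(with_fix=False):
    """Constructed data: one STK need decomposed into a verified and an
    unverified SUB, two VERs that duplicate each other, and a ref collision.
    with_fix=True adds the missing VER entry, closing the chain."""
    reqs = [
        Req("i-stk8", "STK-REQ-008", "STK"),
        Req("i-sys9", "SYS-REQ-009", "SYS"),
        Req("i-sub1", "SUB-REQ-001", "SUB"),
        Req("i-sub2", "SUB-REQ-002", "SUB"),
        Req("i-dup1", "SUB-REQ-001", "SUB"),  # different ID, same ref: collision
        Req("i-ver1", "VER-REQ-001", "VER", "Restore service within 30 min, 0 interruptions"),
        Req("i-ver2", "VER-REQ-002", "VER", "restore  service within 30 min, 0 interruptions"),
    ]
    links = [
        ("i-stk8", "i-sys9", "derives"),
        ("i-sys9", "i-sub1", "derives"),
        ("i-sys9", "i-sub2", "derives"),
        ("i-ver1", "i-sub1", "verifies"),
        ("i-ver2", "i-sub1", "verifies"),
    ]
    if with_fix:
        reqs.append(Req("i-ver3", "VER-REQ-003", "VER", "Hot-swap each LRU under live load; 0 interruptions"))
        links.append(("i-ver3", "i-sub2", "verifies"))
    return TraceModel(reqs, links)


if __name__ == "__main__":
    before, after = sample_model(), sample_model(with_fix=True)
    print("unverified leaves before fix:", before.unverified_leaves("i-stk8"))
    print("unverified leaves after fix: ", after.unverified_leaves("i-stk8"))
    print("duplicate VERs:", before.duplicate_vers())
    print("ref collisions:", before.ref_collisions())
```

Running the script reports `i-sub2` as the unverified leaf before the fix and nothing after it, flags `VER-REQ-002` as a duplicate of `VER-REQ-001`, and lists the two internal IDs behind the shared ref `SUB-REQ-001`. The structural walk only finds missing VER links; a gap of the S-005 kind, where a linked SYS requirement exists but does not cover the stated time bound, is a semantic finding and still requires reading the requirement text.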
Mode Coverage
Normal operational mode: covered by capacity, accuracy, and update rate requirements. Degraded mode: {{sys:SYS-REQ-009}} plus SUB decompositions in {{entity:Surveillance Data Processing}} (SUB-REQ-023, 60% track continuity) and {{entity:System Monitoring and Control}} (SUB-REQ-006, 30s breach detection). Maintenance mode: gap closed this session via SYS-REQ-013. Training/simulation mode: not in scope for this ATC centre system — no simulator integration requirement identified in STK, consistent with separate simulation infrastructure being out of boundary.
Cross-Domain Findings
The {{entity:Computer-Based Interlocking}} (hex:{{hex:51F77A58}}, railway signalling, SIL 4) is the closest analog to the {{entity:Safety Net System}}. The CBI achieves SIL 4 through diverse software channels (different development teams, different compilers). The SNS targets SIL 3, which {{entity:ARC-REQ-002}} addresses via architectural independence (dedicated processing, independent power, separate comms path) rather than diversity — appropriate for the one-integrity-level difference. No gap: IEC 62061 Section 6.7 permits independence in lieu of diversity for SIL 3; diversity is only mandated at SIL 4 where random hardware failure rates must be further suppressed.
Gaps Closed
SYS-REQ-013: maintenance interface LRU hot-swap, 30-minute restoration. VER-REQ-088: live-load LRU swap test. Trace links: STK-REQ-008 → SYS-REQ-013 (derives), SYS-REQ-013 → SYS-REQ-009 (derives), VER-REQ-088 → SYS-REQ-013 (verifies). Six duplicate VER entries deleted: VER-REQ-040, 042, 046, 048, 054, 056.
Verdict
Pass. All five ConOps scenarios deliver complete STK→VER chains with Test-based acceptance criteria. The SIL-3 safety argument for the STCA function is closed: independent architecture verified by third-party SIL-3 assessment (VER-REQ-074) and confirmed by 1000-scenario adversarial replay (VER-REQ-013). The maintenance scenario, previously the only uncovered chain, now has a complete trace. Final state: 166 requirements, 182 trace links, baseline VALIDATED-SESSION-539 created.
flowchart TB
n0["system - Air Traffic Control System"]
n1["actor - Air Traffic Controller"]
n2["actor - Adjacent ATC Centre"]
n3["actor - Surveillance Sensors (Radar/ADS-B/MLAT)"]
n4["actor - Airline Operations Centre"]
n5["actor - Meteorological Service"]
n6["actor - Aeronautical Information Service"]
n1 -->|Control instructions, clearances| n0
n0 -->|Track display, alerts, flight data| n1
n3 -->|Radar plots, ADS-B reports, MLAT tracks| n0
n2 -->|Coordination requests, handoff data| n0
n0 -->|Handoff acceptance, coordination messages| n2
n4 -->|Flight plans, slot allocations| n0
n5 -->|METAR, TAF, SIGMET, wind data| n0
n6 -->|NOTAM, airspace data, procedures| n0