55 Trace Links Close VER Coverage Gap Across All IFC, ARC, and SUB Requirements
System
Air Traffic Control System (se-air-traffic-control). Continuation of the multi-session validation pass, now carrying 168 requirements across STK (9), SYS (13), SUB (48 including 8 duplicate-ref pairs), IFC (9), ARC (4), and VER (85) documents. Total trace links: 238 (up from 183). Baseline BL-SEAIRTRAFFICCONTROL-012 (TRACE-COMPLETE-2026-03-25) created.
Verification Audit
The core finding on entering the session: the verify matrix reported “(no activities)” for every requirement, including IFC and ARC requirements with known VER entries. Investigation showed two root causes.
First, the trace link direction for VER→SUB had been inverted in earlier sessions. Eight SUB→VER traces existed (source=SUB, target=VER), whereas the correct direction for the AIRGen verification linkset is VER→SUB (VER as source, SUB as target). The verification matrix does not recognise those reversed links, so they remain as artefacts. Correct-direction VER→SUB traces were absent, leaving 35 of 40 unique {{entity:Subsystem Requirements}} uncovered in the trace graph.
Second, the verify matrix CLI queries the linkset by document slug “verification-plan” while the project uses “verification-requirements”. This mismatch means the matrix command will consistently show no activities regardless of trace state. Coverage is reliably measured instead via the orphan report (0/168 orphans after this session).
Verification adequacy of a sample: {{sub:VER-REQ-039}} (AMAN recomputation latency) specifies load conditions (20-aircraft sequence), a trigger (flight parameter change during active sequencing), and a binary pass criterion (recomputation within defined latency). {{sub:VER-REQ-050}} (RRS 30-day retention) specifies tamper-evidence via hash verification across the full retention window. Both are adequate Test-method requirements. {{sub:VER-REQ-002}} (SNS missed detection probability) is classified Analysis — appropriate given the probabilistic nature of the claim, which requires a validated scenario corpus rather than a deterministic pass/fail test.
Gaps Closed
IFC trace links (9 created): {{ifc:IFC-REQ-001}} through {{ifc:IFC-REQ-015}} all now have VER→IFC traces. {{ifc:IFC-REQ-010}} ({{entity:Safety Net System}}→{{entity:Controller Working Position}} STCA alert delivery) required its internal full ID (REQ-SEAIRTRAFFICCONTROL-010) rather than the short ref — the API rejected the short ref due to a ref collision.
ARC trace links (4 created): {{ifc:ARC-REQ-001}} (dual-hot-standby) and {{ifc:ARC-REQ-002}} (SNS as safety-instrumented function) verified by {{sub:VER-REQ-073}} and {{sub:VER-REQ-074}}. {{ifc:ARC-REQ-011}} (DDN VLAN segmentation) and {{ifc:ARC-REQ-012}} (AIM dual-database) verified by {{sub:VER-REQ-075}} and {{sub:VER-REQ-076}} respectively. SYS→ARC derives links also created: {{sys:SYS-REQ-006}} → {{ifc:ARC-REQ-011}} and {{sys:SYS-REQ-003}} → {{ifc:ARC-REQ-012}}.
VER→SUB traces (39 created): All 40 unique SUB requirements now have at least one correct-direction VER→SUB trace. The eight SUB-REQ-001 through SUB-REQ-008 duplicate pairs were handled by using full internal IDs to route each VER entry to its correct target (e.g. VER-REQ-025 targets the {{entity:Surveillance Data Processing}} variant of SUB-REQ-001, not the {{entity:Aeronautical Information Management}} variant).
New VER entry (VER-REQ-090): Created for {{sub:SUB-REQ-030}} (CPDLC ACARS→SATCOM rerouting), which had no prior VER coverage. The requirement mandates failover within 30 seconds for all active sessions — a timing constraint that cannot be demonstrated by analysis alone. Test setup specifies 10 simulated aircraft on active CPDLC sessions, ACARS withdrawal, and measurement of per-session failover time and message continuity.
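As an added illustration of the direction check described under Verification Audit and the duplicate-ref handling described for VER→SUB traces (example code written for this log, not AIRGen's API or the project's data), the following Python models a small slice of the trace graph with constructed placeholder IDs (REQ-EX-…) and shows why a reversed SUB→VER link surfaces as missing coverage rather than as an error, and why a colliding short ref such as SUB-REQ-001 must be resolved through the full internal ID.

```python
from collections import defaultdict
from dataclasses import dataclass

# Expected direction for each link kind: (source document, allowed target documents).
# "verifies" mirrors the verification linkset direction described above: VER as source.
LINK_RULES = {
    "verifies": ("VER", {"SUB", "IFC", "ARC"}),
    "derives": ("SYS", {"ARC", "SUB"}),
}


@dataclass(frozen=True)
class Req:
    full_id: str        # unique internal ID (placeholder scheme, not the project's)
    ref: str            # short ref; may collide across subsystem series
    doc: str            # document: STK, SYS, SUB, IFC, ARC or VER
    subsystem: str = ""


@dataclass(frozen=True)
class Trace:
    source: str         # full_id of the source requirement
    target: str         # full_id of the target requirement
    kind: str           # key into LINK_RULES


# Constructed sample slice of the trace graph (hypothetical IDs, not project data).
REQS = {r.full_id: r for r in [
    Req("REQ-EX-001", "SUB-REQ-001", "SUB", "Surveillance Data Processing"),
    Req("REQ-EX-101", "SUB-REQ-001", "SUB", "Aeronautical Information Management"),
    Req("REQ-EX-002", "SUB-REQ-002", "SUB", "Flight Data Processing"),
    Req("REQ-EX-010", "IFC-REQ-010", "IFC"),
    Req("REQ-EX-025", "VER-REQ-025", "VER"),
    Req("REQ-EX-026", "VER-REQ-026", "VER"),
    Req("REQ-EX-090", "VER-REQ-090", "VER"),
]}

# State as found on entering the session: one reversed SUB->VER link, one correct one.
TRACES_BEFORE = [
    Trace("REQ-EX-002", "REQ-EX-026", "verifies"),   # reversed: SUB as source
    Trace("REQ-EX-025", "REQ-EX-001", "verifies"),   # correct: VER -> SUB (SDP variant)
]


def resolve_ref(reqs, ref):
    """Resolve a short ref to one requirement; refuse to guess on a collision."""
    matches = [r for r in reqs.values() if r.ref == ref]
    if len(matches) != 1:
        raise ValueError(f"{ref!r}: {len(matches)} matches, use the full internal ID")
    return matches[0]


def duplicate_refs(reqs):
    """Short refs shared by more than one requirement, with their full IDs."""
    by_ref = defaultdict(list)
    for r in reqs.values():
        by_ref[r.ref].append(r.full_id)
    return {ref: ids for ref, ids in by_ref.items() if len(ids) > 1}


def _well_directed(reqs, t):
    src_doc, tgt_docs = LINK_RULES[t.kind]
    return reqs[t.source].doc == src_doc and reqs[t.target].doc in tgt_docs


def reversed_links(reqs, traces):
    """Links whose source/target documents contradict the rule for their kind."""
    return [t for t in traces if not _well_directed(reqs, t)]


def repair_reversed(reqs, traces):
    """Flip reversed links so that source and target match LINK_RULES."""
    return [t if _well_directed(reqs, t) else Trace(t.target, t.source, t.kind)
            for t in traces]


def verification_coverage(reqs, traces):
    """Map each verifiable requirement to the VER entries that verify it.

    Only well-directed 'verifies' links count, which is why a direction error
    shows up as missing coverage rather than as an explicit error.
    """
    _, verifiable_docs = LINK_RULES["verifies"]
    covered = defaultdict(set)
    for t in traces:
        if t.kind == "verifies" and _well_directed(reqs, t):
            covered[t.target].add(t.source)
    return {fid: covered[fid] for fid, r in reqs.items() if r.doc in verifiable_docs}


def orphans(reqs, traces):
    """Requirements touched by no link at all, in either role."""
    linked = {t.source for t in traces} | {t.target for t in traces}
    return sorted(fid for fid in reqs if fid not in linked)


def uncovered(reqs, traces):
    """Verifiable requirements with no well-directed VER link."""
    return sorted(fid for fid, vers in verification_coverage(reqs, traces).items() if not vers)


if __name__ == "__main__":
    print("duplicate refs:", duplicate_refs(REQS))
    print("reversed:", [(t.source, t.target) for t in reversed_links(REQS, TRACES_BEFORE)])
    print("uncovered before:", uncovered(REQS, TRACES_BEFORE))
    print("uncovered after repair:", uncovered(REQS, repair_reversed(REQS, TRACES_BEFORE)))
```

Note that `orphans` and `uncovered` disagree on REQ-EX-002: the reversed link keeps it out of the orphan report but leaves it uncovered, which is the gap the orphan report alone would not have surfaced. Resolving a short ref is deliberately strict so that a collision like SUB-REQ-001 fails loudly instead of routing a VER entry to the wrong subsystem variant.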
Mode Coverage
The power supply subsystem requirements ({{sub:SUB-REQ-039}}: dual AC feeds with 500 ms ATS switchover; {{sub:SUB-REQ-040}}: 72-hour diesel endurance with fuel alarms) now have VER→SUB traces to {{sub:VER-REQ-082}} and {{sub:VER-REQ-083}}. These requirements cover transition into degraded power mode and sustained operation within that mode. Exit from degraded mode (mains restoration) is not yet explicitly covered — flagged for QC.
flowchart TB
n0["system - Air Traffic Control System"]
n6["subsystem - Surveillance Data Processing"]
n7["subsystem - Flight Data Processing"]
n8["subsystem - Safety Net System"]
n9["subsystem - Controller Working Position"]
n10["subsystem - Voice Communication System"]
n11["subsystem - Data Distribution Network"]
n12["subsystem - Aeronautical Information Management"]
n13["subsystem - Approach Sequencing and Metering"]
n14["subsystem - System Monitoring and Control"]
n15["subsystem - Recording and Replay System"]
n16["subsystem - Controller Pilot Data Link Communications"]
n6 -->|Correlated tracks ASTERIX| n11
n11 -->|Track data| n7
n6 -->|Raw surveillance| n8
n7 -->|Flight plan data| n9
n8 -->|STCA/MSAW alerts| n9
n10 -->|Voice channels| n9
n12 -->|Sector boundaries| n7
n7 -->|Flight schedule| n13
n14 -.->|Health monitoring| n6
n11 -->|All data streams| n15
n16 -->|ACARS messages| n9
Cross-Domain Findings
The duplicate SUB-REQ-001 through SUB-REQ-008 refs are a structural artefact of decomposition conducted in two passes — the original AIM/DDN/SMC/RRS series and a later SDP/SNS/FDP/CWP/VCS series both assigned refs starting from 001. The AIRGen API accepts full internal IDs to disambiguate, but the verify matrix and orphan report both surface the conflict. The {{entity:Railway signalling system}} analogy is relevant: interlocking safety requirement numbering schemes similarly suffer from independent series being merged, and the mitigation in EN 50128 is explicit prefix namespacing per subsystem. A QC session should rename the later series to SUB-REQ-041 onwards.
Verdict
Trace coverage is complete at the IFC, ARC, and SUB level: 0/168 orphan requirements, 238 trace links, baseline TRACE-COMPLETE-2026-03-25 created. The verify matrix CLI display issue (linkset slug mismatch) is a tooling artefact and does not reflect a real gap in coverage. The project is in a consistent validated state.
Next
QC session to renumber the duplicate SUB-REQ-001 through SUB-REQ-008 series (SDP/SNS/FDP/CWP/VCS) to SUB-REQ-041 onwards, repair the ~39 affected trace links, and add a VER entry covering mains-power restoration from diesel backup.