Training Mode Gap Closed — Air Traffic Control System Validation Pass
System
The {{entity:Air Traffic Control System}} (project se-air-traffic-control) is a large-scale transport system decomposed into 11 subsystems spanning surveillance, flight data, safety nets, human-machine interface, communications, and infrastructure. This session completes Flow D (Verification & Validation) with 171 requirements, 240 trace links, and 0 orphan requirements entering the session.
Verification Audit
Ten VER requirements sampled across SYS-level integration tests (VER-011 through VER-021) and SUB-level unit tests (VER-REQ-001, VER-REQ-013/014/016/017/018/019/020/021, VER-REQ-023/024). All sampled entries use Test methods with quantified acceptance criteria — specific pass/fail thresholds, sample sizes, and test configurations.
Three non-Test entries examined in depth:
- {{sub:VER-REQ-002}} (Analysis): {{entity:Safety Net System}} missed detection probability at 10⁻⁶. Analysis is the only viable method — statistical testing to 10⁻⁶ confidence would require billions of trials. FTA + independent assessor review is the IEC 61508 accepted approach at this integrity level. Adequate.
- {{sub:VER-REQ-016}} (Inspection): {{entity:Voice Communication System}} guard frequency monitoring independence. Inspection of electrical architecture plus live failure injection is the CAA certification standard for this requirement class. Adequate.
- {{sub:VER-REQ-074}} (Analysis): {{entity:Safety Net System}} SIL-3 architectural independence — independent functional safety assessor review per EUROCONTROL ESARR 4. Analysis is the mandatory verification method for SIL 3 claims; no functional test alone can demonstrate the systematic capability claim. Adequate.
No inadequate VER entries identified in the 10-entry sample. All 85 VER requirements confirmed document-assigned.
Scenario Validation
Reconstruction from namespace VALIDATION_FINDING facts confirms all five ConOps scenarios covered across prior sessions:
- S-001 Loss of Separation Alert: {{sys:SYS-REQ-004}} → {{sub:SUB-REQ-003}}/{{sub:SUB-REQ-004}}/{{sub:SUB-REQ-012}} → VER-013 (1,000-scenario replay, adversarial miss inputs) + VER-REQ-002 (FTA). Chain complete for SIL-3.
- S-002 Power Grid Failure: {{sys:SYS-REQ-007}} → REQ-074/075 (ATS switchover, diesel endurance) → VER-REQ-082/083. Power supply subsystem decomposition added session 536 to close the original partial-coverage gap. Chain complete.
- S-003 CAA Incident Investigation: {{sys:SYS-REQ-011}} → {{sub:SUB-REQ-008}}/{{sub:SUB-REQ-022}} → VER-020 (tamper-evidence + timed retrieval). Chain complete.
- S-004 Sector Boundary Handoff: {{sys:SYS-REQ-010}} → {{sub:SUB-REQ-035}} → VER-REQ-059 (OLDI ABI/ACT/REV/LAM interoperability with CFMU acceptance environment). Chain complete.
- S-005 LRU Maintenance: {{sys:SYS-REQ-013}} → VER-REQ-088 (hot-swap under full operational load, no service interruption). Chain complete.
Mode Coverage
Four operational modes audited against requirement coverage:
- Normal operations: {{sys:SYS-REQ-001}}/{{sys:SYS-REQ-002}}/{{sys:SYS-REQ-004}}/{{sys:SYS-REQ-005}} — full track/flight/safety net performance. Entry, behaviour, and capacity requirements present.
- Degraded mode: {{sys:SYS-REQ-009}} + VER-018 (11-subsystem failure injection test, ≤30s to degraded, ≤15min recovery). Quantified minimum service floor specified.
- Maintenance mode: SYS-REQ-013 + VER-REQ-088 (LRU hot-swap without service interruption). Entry and isolation requirements present.
- Training mode: GAP identified and closed this session. No training mode isolation requirement existed despite ICAO Doc 9426 requirement for isolated proficiency training. STK REQ-SEAIRTRAFFICCONTROL-082 (controller training mode isolation), SYS REQ-083 (architecture-level isolation — no write-back to live operational systems), and VER REQ-084 (network capture isolation test, 1-hour concurrent run) added. Trace chain: STK-082 → SYS-083 → VER-084.
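The two checks the Scenario Validation and Mode Coverage sections rest on (no orphan requirements, and every STK/SYS/SUB requirement tracing through to a VER entry) as an added Python example; this is not the project's own tooling, and the requirement set below is constructed sample data modelled on the page's ids, with one orphan and one dangling chain included to show what a gap like the training-mode one looks like to the audit.

```python
from collections import defaultdict

# Constructed sample data, not the project's real 171-requirement set: the
# page's STK-082 -> SYS-083 -> VER-084 training-mode chain, a SYS -> SUB -> VER
# chain, one orphan (STK-099) and one chain that stops short (SYS-050).
REQUIREMENTS = {
    "STK-082": "Controller training mode isolation",
    "SYS-083": "Architecture-level isolation, no write-back to live systems",
    "VER-084": "Network capture isolation test, 1-hour concurrent run",
    "SYS-007": "Power grid failure handling",
    "SUB-074": "ATS switchover within 500 ms",
    "VER-082": "ATS switchover test, mains failure simulation",
    "STK-099": "Stakeholder need with no trace links",
    "SYS-050": "System requirement whose chain stops short of VER",
    "SUB-060": "Subsystem requirement with no verification entry",
}
TRACE_LINKS = [("STK-082", "SYS-083"), ("SYS-083", "VER-084"),
               ("SYS-007", "SUB-074"), ("SUB-074", "VER-082"),
               ("SYS-050", "SUB-060")]

def build_graph(links):
    """Map each requirement id to the ids it traces down to."""
    children = defaultdict(set)
    for src, dst in links:
        children[src].add(dst)
    return children

def orphans(requirements, links):
    """Ids that appear on neither side of any trace link."""
    linked = {rid for pair in links for rid in pair}
    return sorted(rid for rid in requirements if rid not in linked)

def reaches_ver(rid, children, seen=None):
    """True if rid is a VER entry or traces transitively to one."""
    seen = set() if seen is None else seen
    if rid.startswith("VER-"):
        return True
    if rid in seen:  # cyclic trace links never count as verified
        return False
    seen.add(rid)
    return any(reaches_ver(c, children, seen) for c in children.get(rid, ()))

def audit(requirements, links):
    """Orphans plus every id whose chain never ends in a VER entry."""
    children = build_graph(links)
    incomplete = sorted(r for r in requirements if not reaches_ver(r, children))
    return {"orphans": orphans(requirements, links),
            "incomplete_chains": incomplete}
```

A requirement can be linked yet still incomplete (SYS-050 and SUB-060 here), which is why the orphan count alone does not prove the chains the Verdict claims.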
Safety Argument
H-001 Loss of Separation (SIL-3): {{sys:SYS-REQ-004}} → {{ifc:IFC-REQ-010}} (500ms alert delivery, dedicated high-priority channel) → VER-REQ-066/072/086 (three independent test entries). {{entity:Safety Net System}} architecture at SIL-3 per ARC-REQ-002 uses independent processor, dual power, and independent communications path — dual-channel architecture consistent with SIL-3 capability claim. VER-074 (independent assessor review) provides the systematic claim verification. Belt-and-suspenders: FTA (Analysis) + replay test (Test). H-001 COVERED.
H-002 Power Grid Failure: SYS-REQ-007 (500ms ATS switchover, 72-hour diesel endurance) → REQ-074 (ATS switchover ≤500ms, mains failure simulation) → REQ-075 (diesel endurance, fuel alarm at 25%). VER-REQ-082/083 test both paths empirically. H-002 COVERED.
Safe state reachability: both hazards have defined safe states (separation manoeuvre for H-001; continued operation on backup power for H-002) with quantified time-to-safe-state bounds in the VER entries.
Cross-Domain Findings
Entity similarity search for {{entity:Safety Net System}} returned no results (factory API 404). Semantic search surfaced the {{entity:Alert Management Module}} and {{entity:Conflict Detection and Resolution Module}} as corpus matches — both are internal ATC domain entities already represented in the decomposition. No cross-domain gap surfaced.
Gaps Closed
- Training mode isolation (ICAO Doc 9426): STK REQ-082 + SYS REQ-083 + VER REQ-084 added; 2 trace links created; requirements reassigned to correct document sections.
Baseline BL-SEAIRTRAFFICCONTROL-013 (VALIDATED-2026-03-25) created at 171 requirements, 240 trace links.
Verdict
PASS. All five ConOps scenarios traced from STK through to VER with quantified acceptance criteria. All four operational modes (normal, degraded, maintenance, training) have entry, behaviour, and isolation/exit requirements. Both SIL-rated hazards (H-001 SIL-3, H-002) have complete chains including safe state reachability. Zero orphan requirements. VER quality audit: 10/10 sampled entries adequate; all three non-Test entries (Analysis ×2, Inspection ×1) justified by the requirement class. The one substantive gap found — training mode — was closed in-session.
Next
Project se-air-traffic-control is complete and baselined. DECOMP_TARGET se-step-fusion-power-plant is the next system to scaffold.