System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
```mermaid
flowchart TB
    n0["system<br>Air Traffic Control System"]
    n1["subsystem<br>Surveillance Data Processing"]
    n2["subsystem<br>Flight Data Processing"]
    n3["subsystem<br>Controller Working Position"]
    n4["subsystem<br>Safety Net System"]
    n5["subsystem<br>Voice Communication System"]
    n6["subsystem<br>Recording and Replay System"]
    n7["subsystem<br>System Monitoring and Control"]
    n8["subsystem<br>Data Distribution Network"]
    n9["subsystem<br>Aeronautical Information Management"]
    n10["subsystem<br>Surveillance Data Processing"]
    n11["subsystem<br>Flight Data Processing"]
    n12["subsystem<br>Controller Working Position"]
    n13["subsystem<br>Safety Net System"]
    n14["subsystem<br>Voice Communication System"]
    n15["subsystem<br>Surveillance Data Processing"]
    n16["subsystem<br>Surveillance Data Processing"]
    n17["subsystem<br>Flight Data Processing"]
    n18["subsystem<br>Controller Working Position"]
    n19["subsystem<br>Safety Net System"]
    n20["subsystem<br>Voice Communication System"]
    n21["subsystem<br>Aeronautical Information Management"]
    n22["subsystem<br>Data Distribution Network"]
    n23["subsystem<br>System Monitoring and Control"]
    n24["subsystem<br>Recording and Replay System"]
    n16 -->|Correlated tracks| n17
    n16 -->|Live track data| n19
    n17 -->|Flight plan data| n18
    n19 -->|Conflict alerts| n18
    n20 -->|Voice channels| n18
    n22 -->|Raw sensor data| n16
```
Air Traffic Control System — Decomposition
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Aeronautical Information Management subsystem SHALL maintain a complete aeronautical database incorporating all AIRAC-cycle data (airways, waypoints, sector boundaries, prohibited areas, SIDs/STARs, and instrument approach procedures), with database updates applied within 2 hours of each AIRAC publication date and validated against EUROCONTROL AIXM 5.1 schema before activation. Rationale: Derived from STK-REQ-001: controllers depend on accurate aeronautical data for sector boundary awareness and procedural instruction. AIRAC cycle compliance (every 28 days) is mandated by ICAO Annex 15 to ensure all ANSPs operate from consistent data. Schema validation prevents corrupted data activations that could cause flight plan processing errors in FDP. | Inspection | |
| SUB-REQ-001 | The Surveillance Data Processing subsystem SHALL ingest surveillance data from a minimum of 4 independent sensor sources simultaneously (Primary Surveillance Radar, Secondary Surveillance Radar, ADS-B, and MLAT), maintaining correlated track output when at least 2 sensor sources are operational. Rationale: Single-sensor dependency creates a single point of failure that violates STK-REQ-002. Four sources provide N+2 redundancy at the sensor input layer. The 2-source minimum reflects the engineering judgement that multi-lateration requires at least 4 receivers but ADS-B plus PSR provide sufficient independent coverage for safe operations during degraded mode. This threshold drives the sensor fusion algorithm design. | Test | subsystem, surveillance, session-379 |
| SUB-REQ-002 | The Aeronautical Information Management subsystem SHALL respond to navigation data queries from the Flight Data Processing subsystem within 50 ms at 95th percentile under maximum operational load (5000 simultaneous active flight plans), using an in-memory database cache refreshed on each AIRAC cycle transition. Rationale: FDP requires rapid procedural waypoint lookups for trajectory prediction and clearance validation. A 50ms latency budget is derived from the FDP flight plan correlation time budget of 30 seconds (SUB-REQ-005) — database lookup must not be the bottleneck in the correlation chain. In-memory cache eliminates disk I/O latency on hot query paths. | Test | |
| SUB-REQ-002 | The Surveillance Data Processing subsystem SHALL produce a fused track update with position accuracy better than 250 m RMS (en-route) and 50 m RMS (terminal) within 500 ms of receiving the latest sensor input from any source. Rationale: Derived from SYS-REQ-001 and SYS-REQ-002: 4-second en-route track update rate with 500ms processing latency leaves 3.5 seconds for data propagation and display. Terminal operations require 1-second update rate; 500ms processing budget is therefore tight but achievable with dedicated FPGA-based sensor fusion. Exceeding 500ms degrades conflict prediction accuracy by increasing projected track uncertainty ellipses. | Test | subsystem, surveillance, session-379 |
| SUB-REQ-003 | When a NOTAM is received from the national ANSP feed, the Aeronautical Information Management subsystem SHALL distribute the NOTAM to all active Controller Working Positions within 60 seconds of receipt, categorised by affected sector and effective time window. Rationale: Controllers must be aware of temporary restrictions (NOTAM) affecting their sector before the effective time. 60-second distribution ensures controllers receive actionable information with adequate lead time to adjust sector operations. Categorisation by affected sector prevents information overload — controllers only see NOTAMs relevant to their current sector assignment. | Test | |
| SUB-REQ-003 | The Safety Net System SHALL evaluate all active track pairs for predicted minimum separation within a 5-minute lookahead window and SHALL generate a Short Term Conflict Alert (STCA) when predicted separation falls below 3 NM horizontal and 1000 ft vertical for en-route, or 2.5 NM horizontal and 500 ft vertical for terminal operations. Rationale: Derived from SYS-REQ-004: 120-second controller action time requires prediction at 5 minutes to allow alert, assessment, and instruction cycles. STCA thresholds are set at 150% of ICAO separation minima to provide a buffer margin while avoiding nuisance alerts that degrade controller trust. Terminal thresholds reflect tighter published separation standards at controlled airfields. These are EUROCONTROL-standardised values used across European ANSPs. | Test | subsystem, safety-net, session-379 |
| SUB-REQ-004 | The Data Distribution Network subsystem SHALL provide end-to-end message delivery latency not exceeding 10 ms at 99th percentile for safety-critical traffic (track updates, STCA and MSAW alerts) and not exceeding 100 ms for operational traffic (flight plan changes, configuration messages), using differentiated QoS queue priorities across a dual-redundant switched Ethernet fabric. Rationale: Derived from IFC-REQ-001 (200ms SDP-to-SNS budget): the DDN must consume no more than 10ms of this budget. Safety-critical QoS priority prevents track data being queued behind large flight plan batch updates — an uncontrolled burst of OLDI messages in a QoS-flat network could delay STCA alert delivery beyond the controller action time budget. | Test | |
| SUB-REQ-004 | The Safety Net System SHALL achieve a STCA missed detection probability not exceeding 10^-6 per conflict encounter and a false alert rate not exceeding 3 alerts per sector per hour at 80% sector capacity loading. Rationale: The 10^-6 missed detection target is derived from SYS-REQ-004 (10^-5 system-level) with a 10x safety factor to account for controller response failure probability. The 3 false alerts per sector per hour threshold is set at the boundary where controller trust in the safety net begins to erode — empirical EUROCONTROL studies show controllers begin to inhibit alerts above this rate, eliminating the safety net's effectiveness. | Analysis | subsystem, safety-net, session-379 |
| SUB-REQ-005 | When a single network switch or inter-switch link fails, the Data Distribution Network subsystem SHALL complete automatic re-routing of all traffic flows within 50 ms, maintaining full capacity on all subsystem connections without operator intervention. Rationale: Derived from SYS-REQ-003 (99.9997% availability): the DDN is a potential single point of failure that could simultaneously disable all subsystem communications. 50ms re-routing ensures that a link failure does not interrupt track delivery cycles (4-second SDP cycle, 1-second terminal cycle). Dual-ring topology enables pre-computed protection switching without route recalculation. | Test | |
| SUB-REQ-005 | The Flight Data Processing subsystem SHALL maintain a flight plan record for every active, proposed, and filed flight within the controlled airspace and SHALL correlate each active flight plan with its corresponding surveillance track within 30 seconds of the aircraft entering the system's coverage area. Rationale: Flight plan-to-track correlation is the mechanism that links procedural and surveillance control. Uncorrelated tracks appear as 'unknown' aircraft to controllers, requiring manual identification that consumes workload and time. 30-second correlation is derived from an average transponder-activation-to-correlation time observed in operational ATCS systems and must be met to comply with STK-REQ-001 separation assurance at system entry points. | Test | subsystem, fdp, session-379 |
| SUB-REQ-006 | The System Monitoring and Control subsystem SHALL detect any subsystem health parameter breach (CPU utilisation >90%, memory utilisation >85%, network packet loss >0.01%, or disk write failure) within 5 seconds and SHALL deliver an alert to the System Controller position within a further 2 seconds, classified by subsystem and severity. Rationale: Early detection of resource exhaustion prevents cascading failures that could cause unplanned service loss. 5-second detection is the maximum permissible before a degrading subsystem begins to affect track processing latency — CPU saturation in SDP will begin dropping track fusion cycles if not detected and corrected within one processing generation. System Controller must receive the alert in time to initiate planned degradation procedures. | Test | |
| SUB-REQ-006 | The Controller Working Position subsystem SHALL present all track labels, alerts, and flight data at a minimum display refresh rate of 25 Hz and SHALL render track symbol position updates within 100 ms of receiving new track data from the processing layer. Rationale: 25 Hz display refresh eliminates visible flicker and ensures alert animations (STCA, MSAW) are immediately apparent without cognitive delay. The 100 ms end-to-end latency from track data receipt to display symbol update is derived from human factors research showing controller reaction time degrades when system latency exceeds 150 ms — 100 ms leaves 50 ms margin for controller interface responsiveness. This is an HMI safety-critical parameter that affects the controller's ability to assess developing conflicts. | Test | subsystem, cwp, session-379 |
| SUB-REQ-007 | The System Monitoring and Control subsystem SHALL provide a secure configuration management interface supporting controlled software updates with mandatory pre-activation health check validation, automatic rollback to the previous stable configuration within 60 seconds if post-activation health checks fail, and an audit log of all configuration changes retained for 12 months. Rationale: ATC system software updates are high-risk change events — a defective update deployed to a live system could simultaneously degrade multiple subsystems. Mandatory health check validation and automatic rollback reduce the exposure window for a failed update to <60 seconds. Audit log retention is required by EUROCONTROL ESARR 1 for safety case traceability and incident investigation. | Inspection | |
| SUB-REQ-007 | The Voice Communication System subsystem SHALL provide simultaneous independent voice channels for each active control sector, with channel switching latency not exceeding 150 ms and audio clarity meeting ICAO Annex 10 voice quality standards (speech intelligibility score greater than 0.75 using PESQ methodology). Rationale: Each sector requires a dedicated radio channel to prevent cross-sector interference; a controller transmitting on the wrong frequency is a well-documented error category in aviation safety reports. 150 ms switching latency matches the lower bound of detectable audio gaps — shorter gaps are imperceptible and longer gaps create the impression of dropped transmissions. PESQ 0.75 is the ICAO requirement for ATC voice quality in Annex 10 Appendix S. | Test | subsystem, vcs, session-379 |
| SUB-REQ-008 | The Recording and Replay System SHALL continuously record all surveillance sensor inputs, processed track data, voice communications on all radio and telephone channels, and controller input events, timestamped to UTC with accuracy better than 1 ms, and SHALL retain all recordings for a minimum of 60 days on immediately accessible storage and 6 months on archival storage. Rationale: ICAO Annex 11 Section 6.4 and EUROCONTROL ESARR 5 mandate continuous recording for ATC incident investigation. 60-day immediate accessibility supports ANSP internal safety investigations; 6-month archival meets the maximum statutory retention period for judicial investigations in most ICAO Contracting States. Sub-millisecond timestamping enables reconstruction of event sequences during incident analysis. | Inspection | |
| SUB-REQ-008 | When the primary processing node fails, the Surveillance Data Processing subsystem SHALL complete automatic failover to a hot-standby processing node within 3 seconds, maintaining track continuity with position error not exceeding 500 m during the failover interval. Rationale: Derived from SYS-REQ-003 (99.9997% availability): a 3-second failover is the engineering optimum balancing switchover state synchronisation overhead against the risk of controllers losing track picture visibility. 3 seconds represents 0.75 track update cycles at 4-second update rate — track coasting algorithms can maintain position estimates within 500 m for this duration using last known velocity vectors. Longer failover would require controllers to initiate hold instructions for all sector traffic. | Test | subsystem, surveillance, degraded-mode, session-379 |
| SUB-REQ-009 | The Recording and Replay System SHALL support simultaneous replay of all recorded data streams at selectable playback rates from 0.25x to 8x real time, synchronised to a common timeline cursor, with the ability to extract and export defined time windows to EUROCONTROL standard replay format for external safety investigation tools. Rationale: Post-incident reconstruction requires the ability to replay the exact system state seen by controllers at the time of an event. Variable playback speeds support both detailed frame-by-frame analysis and rapid scanning of longer time periods. EUROCONTROL standard replay format (ASTERIX-based) ensures recordings are accessible to national CAA investigators using standard tooling, not only the ANSP's own replay application. | Test | |
| SUB-REQ-010 | The Surveillance Data Processing subsystem SHALL assign a unique track identity (TN) to each correlated surveillance return and maintain track identity continuity across all surveillance sensor coverage gaps not exceeding 60 seconds. Rationale: ICAO Doc 4444 requires unambiguous track identity for separation assurance; identity loss forces controllers to reconfirm aircraft identity manually, increasing workload and loss-of-separation risk. 60s gap tolerance is derived from ATC handoff procedures. | Test | subsystem, surveillance, session-384, idempotency:sub-sdp-track-identity-384 |
| SUB-REQ-011 | The Surveillance Data Processing subsystem SHALL process ADS-B Mode S, Secondary Surveillance Radar (SSR), Primary Surveillance Radar (PSR), and MLAT inputs and produce a fused track using a weighted Kalman filter biased towards the highest-accuracy source available. Rationale: Multi-sensor fusion is mandated by EUROCONTROL MOPS for en-route ATC; preferring ADS-B in coverage areas reduces radar-only latency from 5s to <1s. Kalman-weighted fusion prevents degraded track quality when low-accuracy sensors are online. | Test | subsystem, surveillance, session-384, idempotency:sub-sdp-sensor-fusion-384 |
| SUB-REQ-012 | When a predicted loss of separation is detected within a 120-second look-ahead window, the Safety Net System SHALL generate a Short-Term Conflict Alert (STCA) with audio and visual indication at the Controller Working Position within 3 seconds. Rationale: EUROCONTROL STCA specification requires 2-minute look-ahead minimum; 3-second alert delivery ensures the controller has actionable warning before the 120s window closes. Audio plus visual alert is required by ICAO human factors guidance (Doc 9426). | Test | subsystem, safety-net, session-384, idempotency:sub-sns-stca-alert-384 |
| SUB-REQ-013 | When a track is predicted to violate terrain or obstacle clearance criteria, the Safety Net System SHALL generate a Minimum Safe Altitude Warning (MSAW) alert within 8 seconds, using the current aeronautical information database. Rationale: MSAW is mandated by ICAO Annex 11 for all en-route and approach ATC facilities. 8s delivery is derived from typical terrain-closure rates for GA aircraft in mountainous terrain and controller reaction time requirements. | Test | subsystem, safety-net, session-384, idempotency:sub-sns-msaw-384 |
| SUB-REQ-014 | The Safety Net System SHALL maintain a STCA nuisance alert rate not exceeding 2% of all STCA alerts generated during normal operations. Rationale: Controller studies (EUROCONTROL HUM.ET1.ST05.1000-REP-01) show nuisance rates above 5% cause controllers to disable safety nets; 2% is the NATS operational ceiling. Nuisance rate is measured as false positives divided by total alerts over a 6-month evaluation period. | Analysis | subsystem, safety-net, session-384, idempotency:sub-sns-nuisance-rate-384 |
| SUB-REQ-015 | The Flight Data Processing subsystem SHALL distribute updated flight plan data to all Controller Working Positions within 5 seconds of receiving a clearance input or OLDI coordination message. Rationale: Flight plan currency is critical for correct strip labelling; stale data drives incorrect controller clearances. 5s is derived from ICAO Doc 4444 coordination timescales for sector handoffs. | Test | subsystem, flight-data, session-384, idempotency:sub-fdp-distribution-latency-384 |
| SUB-REQ-016 | The Controller Working Position subsystem SHALL allow a controller to input a direct routing, level assignment, or speed constraint for any displayed track within 3 keystrokes or mouse clicks and confirm the clearance back to the controller within 2 seconds. Rationale: EUROCONTROL HMI guidance and cognitive load studies establish that clearance input time greater than 10s under moderate traffic correlates with clearance errors; 3-keystroke limit and 2s feedback are consistent with NATS CWP usability standards. | Demonstration | subsystem, cwp, session-384, idempotency:sub-cwp-clearance-input-384 |
| SUB-REQ-017 | The Voice Communication System subsystem SHALL provide at least one dedicated guard frequency receiver (121.5 MHz) at each working position, operational independently of the primary voice switching system. Rationale: ICAO Annex 10 Volume II mandates continuous guard frequency monitoring at all ATC facilities; independence from primary VCS ensures guard monitoring survives VCS failures. This is a regulatory non-negotiable. | Inspection | subsystem, voice-comms, session-384, idempotency:sub-vcs-guard-freq-384 |
| SUB-REQ-018 | The Aeronautical Information Management subsystem SHALL update all airspace boundary, procedure, and waypoint data in the live operational database within 2 hours of an AIRAC cycle activation. Rationale: ICAO mandates AIRAC 28-day cycle adherence; delayed activation risks controllers issuing clearances based on superseded procedures. 2h window accommodates automated import validation without manual intervention. | Test | subsystem, aim, session-384, idempotency:sub-aim-airac-update-384 |
| SUB-REQ-019 | The Aeronautical Information Management subsystem SHALL provide a terrain and obstacle database covering the entire FIR at a resolution of at least 100m horizontal and 10m vertical, updated at least annually. Rationale: MSAW accuracy is directly bounded by terrain database resolution; 100m/10m resolution is the EUROCONTROL MSAW specification minimum. Annual update cycle reflects SRTM and national survey update schedules. | Inspection | subsystem, aim, session-384, idempotency:sub-aim-terrain-db-384 |
| SUB-REQ-020 | The Data Distribution Network subsystem SHALL enforce Quality-of-Service (QoS) priority queuing that ensures safety-critical traffic (STCA alerts, MSAW alerts, track updates) is delivered before management and administrative traffic during any congestion condition. Rationale: Network congestion from administrative traffic must not delay safety-critical alerts; EUROCONTROL DDN specification requires absolute priority for alert traffic. QoS enforcement is the implementation mechanism for the safety-critical latency requirement. | Test | subsystem, ddn, session-384, idempotency:sub-ddn-qos-priority-384 |
| SUB-REQ-021 | The System Monitoring and Control subsystem SHALL provide real-time dashboard visibility of CPU utilisation, memory utilisation, network throughput, and application process health for all subsystem nodes, refreshed at 10-second intervals. Rationale: Proactive monitoring is required to pre-empt subsystem failures before they affect the operational picture; 10s refresh is derived from expected growth rates of resource utilisation faults (burst vs gradual failure modes). | Demonstration | subsystem, smc, session-384, idempotency:sub-smc-dashboard-384 |
| SUB-REQ-022 | The Recording and Replay System SHALL maintain continuous recordings of all surveillance tracks, flight plan events, voice communications, and controller inputs for a minimum of 30 days, with cryptographic integrity protection. Rationale: ICAO Annex 11 Section 6.4 requires ATC recording retention for at least 30 days. Cryptographic integrity protection is required by UK CAA CAP 670 to ensure recordings are admissible in incident investigations. | Test | subsystem, recording, session-384, idempotency:sub-rrs-retention-384 |
| SUB-REQ-023 | The Surveillance Data Processing subsystem SHALL continue to produce fused track updates for at least 60% of active tracks at the nominal update rate when 2 of 4 surveillance sensor inputs are unavailable. Rationale: Degraded-mode requirement: dual sensor failure is a credible scenario (simultaneous PSR+SSR outage). 60% track retention ensures adequate separation assurance for high-priority flights; derived from minimum sector coverage requirements in NATS operations manuals. | Test | subsystem, surveillance, degraded, session-384, idempotency:sub-sdp-degraded-mode-384 |
| SUB-REQ-024 | The Controller Working Position subsystem SHALL support a configurable sector ownership display that shows all sectors within the FIR, current owner, and any pending transfers, updated within 5 seconds of any sector ownership change. Rationale: Sector ownership situational awareness is required to prevent clearance authority errors during sector splits and combines; 5s latency is the maximum acceptable delay for sector boundary changes per NATS operational procedures. | Test | subsystem, cwp, session-384, idempotency:sub-cwp-sector-display-384 |
| SUB-REQ-025 | The Controller Pilot Data Link Communications subsystem SHALL deliver uplinked clearances from ATC to suitably equipped aircraft within 10 seconds of controller transmission, and surface a delivery confirmation at the Controller Working Position within 60 seconds. Rationale: ICAO Doc 9694 CPDLC manual specifies 10s uplink latency as the maximum for operational acceptability; 60s response confirmation is the FANS-1/A protocol maximum for ATC Clearance category messages in oceanic operations. | Test | subsystem, cpdlc, session-384, idempotency:sub-cpdlc-uplink-latency-384 |
| SUB-REQ-026 | The Approach Sequencing and Metering subsystem SHALL compute an optimised landing sequence and associated speed/level advisories for all aircraft within 250 NM of the destination airport, updating the sequence within 30 seconds of any new flight activation or estimated time revision. Rationale: AMAN planning horizon of 250 NM provides 40-50 minute advisory lead time needed for trans-oceanic arrival sequencing; 30s update on plan change ensures the sequence reflects current traffic without creating controller confusion from excessive replanning. | Test | subsystem, aman, session-384, idempotency:sub-aman-sequence-compute-384 |
| SUB-REQ-027 | The Controller Pilot Data Link Communications subsystem SHALL authenticate all CPDLC uplink and downlink messages using ATN B1 or FANS-1/A+ digital signature mechanisms, rejecting any message that fails authentication within 2 seconds of receipt. Rationale: CPDLC messages carry legally binding ATC clearances. Message spoofing or replay attacks on datalink are a documented threat vector (ICAO EUR Doc 015); authentication is mandated by EUROCAE ED-110B for ATN B1 implementations and failure to reject forged messages could result in aircraft receiving unauthorized clearances. | Test | subsystem, cpdlc, session-385 |
| SUB-REQ-028 | The Controller Pilot Data Link Communications subsystem SHALL authenticate all CPDLC uplink and downlink messages using ATN B1 or FANS-1/A+ digital signature mechanisms, rejecting any message failing authentication within 2 seconds of receipt. Rationale: CPDLC messages carry legally binding ATC clearances. Message spoofing or replay attacks on datalink are documented in ICAO EUR Doc 015; authentication is mandated by EUROCAE ED-110B for ATN B1 implementations. Failure to reject forged messages could result in aircraft receiving unauthorized clearances. | Test | subsystem, cpdlc, session-385 |
| SUB-REQ-029 | When the primary VHF ACARS datalink path is unavailable, the Controller Pilot Data Link Communications subsystem SHALL automatically reroute pending CPDLC messages via the secondary SATCOM channel within 30 seconds, maintaining datalink connectivity for all active flights. Rationale: VHF ACARS coverage is limited to approximately FL240 and below within continental coverage areas. Oceanic and high-altitude operations require SATCOM backup. The 30-second switchover bound is derived from ICAO DOC 9694 CPDLC message timeout thresholds, which require retransmission within 60 seconds; failover must complete before the first retry expires. | Test | subsystem, cpdlc, session-385 |
| SUB-REQ-030 | When the primary VHF ACARS datalink path is unavailable, the Controller Pilot Data Link Communications subsystem SHALL automatically reroute pending CPDLC messages via the secondary SATCOM channel within 30 seconds, maintaining datalink connectivity for all active flights. Rationale: VHF ACARS coverage is limited at high altitudes and oceanic airspace. The 30-second switchover bound is derived from ICAO DOC 9694 CPDLC message timeout thresholds: retransmission is required within 60 seconds, so failover must complete before the first retry expires to avoid message loss. | Test | subsystem, cpdlc, session-385 |
| SUB-REQ-031 | The Controller Pilot Data Link Communications subsystem SHALL log all CPDLC message exchanges, including sender identity, timestamp, message content, delivery status, and acknowledgement time, retaining records for a minimum of 30 days in tamper-evident storage. Rationale: ICAO Annex 11 and EU Regulation 2017/373 require ATC service providers to retain all controller-pilot communications for incident investigation. Tamper-evident storage is required to preserve chain of evidence. 30 days aligns with the minimum statutory retention period for ATS communications. | Inspection | subsystem, cpdlc, session-385 |
| SUB-REQ-032 | The Approach Sequencing and Metering subsystem SHALL recompute the inbound landing sequence and all associated scheduled times of arrival within 15 seconds of any flight plan amendment, ATC intervention, or meteorological update that affects sequence order. Rationale: Sequence optimisation becomes stale within minutes of plan changes in busy terminal airspace. The 15-second recomputation bound is derived from controller operational practice: a sector controller takes approximately 20-30 seconds to implement a revised sequence instruction, requiring the system to provide updated guidance before the controller acts on stale data. | Test | subsystem, aman, sequencing, session-385 |
| SUB-REQ-033 | The Approach Sequencing and Metering subsystem SHALL generate separate and simultaneously valid landing sequences for up to 4 active runway configurations, allowing controllers to switch the active configuration without sequence discontinuity. Rationale: Large airports routinely operate parallel runways and change configurations for crosswind, noise abatement, or capacity reasons. Simultaneous 4-configuration support reflects the upper bound of real-world airport runway configurations; configuration switching during peak traffic without sequence discontinuity is essential to avoid missed approach scenarios from abrupt sequencing changes. | Test | subsystem, aman, session-385 |
| SUB-REQ-034 | The Approach Sequencing and Metering subsystem SHALL maintain an inbound sequence planning horizon of at least 40 minutes, providing preliminary scheduled times of arrival to en-route controllers for aircraft entering the terminal area manoeuvre horizon. Rationale: A 40-minute horizon allows en-route controllers to begin speed adjustments while aircraft are still 300+ NM from the terminal area, absorbing delay-at-cruise before the more fuel-expensive and operationally disruptive delay-in-holding pattern. EUROCONTROL AMAN operational guidance specifies minimum 30-minute horizon; 40 minutes is consistent with SESAR ER-AMAN implementations at Heathrow and Frankfurt. | Test | subsystem, aman, session-385 |
| SUB-REQ-035 | The Flight Data Processing subsystem SHALL process incoming and outgoing OLDI ABI, ACT, REV, and LAM message types for all adjacent ANSP boundary crossings, completing boundary coordination and acknowledgement within 30 seconds of receiving an ABI message. Rationale: OLDI (On-Line Data Interchange) is the mandatory ICAO-specified protocol for coordination of flights crossing FIR boundaries. The 30-second coordination window is derived from ICAO Doc 4444 sector boundary notification requirements, which specify minimum notification times of typically 2-5 minutes before boundary crossing. Late coordination triggers voice fallback, increasing controller workload and introducing coordination errors. | Test | subsystem, fdp, oldi, session-385 |
| SUB-REQ-036 | The Flight Data Processing subsystem SHALL provide trajectory prediction for all active and proposed flight plans over a look-ahead window of at least 20 minutes, with position prediction accuracy of better than 2 NM RMS at the 20-minute horizon for non-manoeuvring aircraft. Rationale: Trajectory prediction feeds conflict detection (safety net) and AMAN. The 20-minute horizon covers the 15-minute conflict probe window plus margin. The 2 NM RMS accuracy at 20 minutes is derived from published SESAR trajectory prediction performance studies: prediction errors beyond 5 NM at 20 minutes degrade conflict detection to below operational acceptance thresholds for separation standards of 5 NM. | Test | subsystem, fdp, trajectory, session-385 |
| SUB-REQ-037 | The Controller Working Position subsystem SHALL provide an electronic flight strip bay displaying all flights in the controller's sector, sorted by estimated time at the next significant point, with automated highlighting of flights within 5 minutes of sector boundary transfer. Rationale: Electronic flight strips replace paper strips at modern ATC facilities. Automatic boundary highlighting is a safety-critical feature: missed sector transfer is one of the top 5 causes of near-miss incidents in en-route ATC per EUROCONTROL ESARR 2 data. The 5-minute highlight threshold gives controllers adequate time to initiate transfer procedures. | Test | subsystem, cwp, efs, session-385 |
| SUB-REQ-038 | The Voice Communication System subsystem SHALL support conferencing of up to 6 radio frequencies and telephone lines simultaneously on a single controller position, with automatic squelch and mixing latency not exceeding 40 ms end-to-end from microphone input to loudspeaker output. Rationale: Multi-frequency conferencing is essential for cross-sector and cross-facility coordination during transition events. 40 ms total delay is the ITU-T G.114 recommendation for conversational voice quality; exceeding this introduces noticeable echo and degrades controller comprehension, which is safety-critical during high-workload coordination tasks. | Test | subsystem, vcs, conferencing, session-385 |
| SUB-REQ-039 | The facility power supply system SHALL provide two independent AC power feeds to all ATC subsystems: mains grid feed and a dedicated diesel generator capable of sustaining 100% of ATC operational load, with automatic transfer switch completing switchover within 500 ms of mains failure detection without loss of any running subsystem state. Rationale: SYS-REQ-007 mandates two independent power sources and ≤500ms switchover — this SUB requirement decomposes the facility power infrastructure obligation, specifying the ATS timing and load coverage needed to achieve the system-level availability claim. Without a SUB-level power supply requirement, SYS-REQ-007 has no implementation target and the S-002 power grid failure scenario trace chain is incomplete. | Test | subsystem, power-supply, session-536, idempotency:sub-power-supply-ats-536 |
| SUB-REQ-040 | The facility power supply system SHALL sustain all ATC subsystems at full operational load on diesel generator power alone for a minimum of 72 hours from a full fuel tank, with a low-fuel alarm at 8 hours remaining and a critical alarm at 2 hours remaining presented on the SMC workstation. Rationale: SYS-REQ-007 specifies 72-hour backup endurance. This SUB requirement adds operational monitoring obligations — staged fuel alarms at 8-hour and 2-hour thresholds — necessary for safe fuel management during extended mains outages. Without these thresholds, operators cannot coordinate refuelling before generator failure; the 8-hour trigger allows one standard maintenance cycle for refuelling. | Test | subsystem, power-supply, session-536, idempotency:sub-power-supply-endurance-536 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between Surveillance Data Processing and Safety Net System SHALL deliver a complete fused track update for all active tracks to the Safety Net System within 200 ms of the track fusion cycle completing, using a publish-subscribe message bus with guaranteed delivery semantics. Rationale: The Safety Net System's 5-minute lookahead computation depends on receiving current track positions; a 200ms delivery budget is allocated from the 500ms end-to-end SDP processing budget (SUB-REQ-002), leaving 300ms for SDP internal processing. Publish-subscribe with guaranteed delivery prevents track data loss that would create undetected track gaps in safety net coverage. | Test | interface, session-379 |
| IFC-REQ-002 | The interface between Surveillance Data Processing and Flight Data Processing SHALL use a standardised ASTERIX Category 062 track message format for correlated track output, with message rate matching the SDP fusion cycle rate and including all mandatory data items for SSRCODE, MODE_C_ALT, and TRACK_STATUS. Rationale: ASTERIX Cat 062 is the EUROCONTROL standard for processed track data exchange between ATCS subsystems. Standardisation ensures interoperability with third-party subsystem replacements during system life extension programmes — ATC systems have 15-25 year operational lives and subsystem vendors change. Mandatory SSRCODE and MODE_C_ALT items are required for flight plan correlation in FDP. | Test | interface, session-379 |
| IFC-REQ-003 | The OLDI messaging interface between Flight Data Processing and Adjacent ATC Centres SHALL implement the full EUROCONTROL OLDI message set (ABI, ACT, MAC, REJ, LAM, CDN, ACP, TOC, AOC) and SHALL complete message round-trip transactions within 5 seconds for boundary coordination actions. Rationale: Derived from STK-REQ-005: OLDI automation eliminates manual telephone coordination. Full message set compliance is required to handle all coordination scenarios including boundary crossings with non-standard flight profiles. 5-second round-trip is the threshold above which controller workflow is disrupted — beyond this time, controllers revert to telephone backup which negates the automation benefit. | Test | interface, session-379 |
| IFC-REQ-010 | The interface between the Safety Net System and the Controller Working Position SHALL deliver STCA and MSAW alerts to the display within 500 ms of the Safety Net System detecting the alert condition, using a dedicated high-priority alert channel on the Data Distribution Network that cannot be blocked or delayed by non-safety-critical traffic. Rationale: Derived from SYS-REQ-004 (120-second conflict resolution time): the alert delivery chain must complete rapidly to preserve controller response time. 500ms alert delivery budget is derived from a 4-second track update cycle — one full scan cycle plus 500ms provides adequate time for the SNS to compute, raise, and deliver the alert before the next cycle. Dedicated alert channel prevents head-of-line blocking by flight plan updates. | Test | |
| IFC-REQ-011 | The interface between the Aeronautical Information Management subsystem and Surveillance Data Processing SHALL deliver terrain and airspace boundary data updates to the safety net geofencing database within 30 seconds of an AIRAC activation event. Rationale: MSAW and airspace infringement alerts derive from AIM data; any lag between AIRAC activation and safety net database update creates a window where alerts may be suppressed or falsely generated. 30s is derived from EUROCONTROL MSAW system design guidance. | Test | interface, aim, sdp, session-384, idempotency:ifc-aim-sdp-terrain-384 |
| IFC-REQ-012 | The interface between the Flight Data Processing subsystem and Controller Working Position SHALL transmit electronic flight strip data as an XML-encoded message conforming to ICAO/EUROCONTROL IFPS format, with end-to-end delivery latency not exceeding 2 seconds. Rationale: Flight strip display currency is required for controller situational awareness during handoffs; 2s end-to-end latency is the operational maximum to avoid strip display showing a superseded clearance during active ATC interaction. | Test | interface, fdp, cwp, session-384, idempotency:ifc-fdp-cwp-strips-384 |
| IFC-REQ-013 | The interface between the Voice Communication System and Controller Working Position SHALL allow a controller to select, monitor, transmit on, and record any licensed ATC frequency within 1 second of a frequency selection action. Rationale: Frequency selection latency directly impacts controller response times; 1s is the maximum tolerable delay for ATC communications per EUROCONTROL VCS human factors standards (HRS/HSP-005-GUI-01). | Test | interface, vcs, cwp, session-384, idempotency:ifc-vcs-cwp-frequency-384 |
| IFC-REQ-014 | The interface between the System Monitoring and Control subsystem and all other subsystems SHALL use SNMP v3 with AES-256 encryption for health telemetry, and deliver heartbeat messages at 5-second intervals. Rationale: SNMP v3 with AES-256 is required to prevent spoofed health telemetry that could mask a genuine subsystem failure; 5s heartbeat ensures SMC detects a subsystem silence within one monitoring cycle before the 10s dashboard refresh. | Inspection | interface, smc, monitoring, session-384, idempotency:ifc-smc-subsystems-snmp-384 |
| IFC-REQ-015 | The interface between the Recording and Replay System and the Data Distribution Network SHALL capture a bitstream copy of all safety-critical multicast groups in real time with no dropped packets during normal operation, and no more than 0.001% packet loss during single link failure conditions. Rationale: Incomplete recordings invalidate incident investigation and may result in regulatory non-compliance; 0.001% packet loss threshold under failure is derived from ICAO Annex 11 recording completeness requirements and the DDN redundancy design. | Test | interface, rrs, ddn, session-384, idempotency:ifc-rrs-ddn-capture-384 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | The ATCS SHALL implement a dual-hot-standby processing architecture for Surveillance Data Processing and Flight Data Processing, with state synchronisation over a dedicated 10 Gbps synchronisation fabric, such that either node can assume full primary processing responsibility within 3 seconds without operator intervention. Rationale: Hot-standby architecture with a dedicated sync fabric is preferred over active-active load sharing because active-active introduces complexity in resolving conflicting track updates from two independent fused pictures. The 3-second failover with synchronised state allows track continuity — no controller is aware of the switchover. Alternative considered: cold standby. Rejected: cold standby requires full re-correlation of flight plans and tracks, taking 30-60 seconds and requiring ATC supervisor notification and traffic hold instructions. | Analysis | implements-SYS-REQ-003, implements-SYS-REQ-009, arc-validated-session-533 |
| ARC-REQ-002 | The ATCS SHALL implement the Safety Net System as a safety-instrumented function independent of the operational processing path, with its own dedicated processing nodes, independent power supply, and separate communication path from the surveillance sensor network, achieving SIL 3 per IEC 62061. Rationale: Safety net independence from operational processing is a fundamental EUROCONTROL ESARR 4 architectural principle. If the Safety Net shared compute resources with operational processing (SDP, FDP), a software fault causing operational processing overload could simultaneously degrade or disable the safety net — removing the last barrier before a mid-air collision. SIL 3 target is derived from ESARR 4 severity apportionment: safety net failure contributes to Severity Class 1 (accident) and must achieve a probability less than 10^-7/flight hour. | Analysis | implements-SYS-REQ-004, sil-3-architecture, arc-validated-session-533 |
| ARC-REQ-011 | The Data Distribution Network SHALL use VLAN segmentation to isolate safety-critical traffic (track data, STCA/MSAW alerts) from operational traffic (flight plan updates, OLDI messages, system management). Safety-critical VLANs SHALL be physically implemented on a dedicated network segment with no Layer-2 bridging to the operational VLAN. Dual-ring topology with rapid spanning tree protocol SHALL be used for sub-50ms link failure recovery. Rationale: VLAN isolation prevents a broadcast storm or traffic burst on the operational network from consuming bandwidth on the safety-critical segment. Physical isolation (separate switch fabric, not just VLAN tags) provides defence in depth against misconfiguration errors — a mislabeled packet cannot enter the safety-critical VLAN even if VLAN tagging is incorrectly configured. This was the primary driver for dedicated DDN hardware rather than a shared enterprise network. | Analysis | implements-SYS-REQ-006, arc-validated-session-533 |
| ARC-REQ-012 | The Aeronautical Information Management subsystem SHALL implement a dual-database architecture with a live active database and a staging database. AIRAC cycle updates SHALL be loaded and validated in staging while the live database remains in production service. Switchover to the updated database SHALL occur at the AIRAC effective time (0001 UTC) with the ability to revert to the previous cycle database within 2 hours if validation or operational issues are detected post-activation. Rationale: AIRAC updates are high-risk change events — an incorrect database activation could introduce wrong sector boundaries or invalid procedures into live operations. Staging allows full pre-activation validation without impacting live operations. The 2-hour reversion window allows operations management to identify procedural discrepancies before the next major traffic peak. A single-database design with in-place update would require service interruption for AIRAC loading — unacceptable for a 24/7 system. | Analysis | implements-SYS-REQ-001, implements-SYS-REQ-009, arc-validated-session-533 |

```mermaid
flowchart TB
    n0["system<br>Air Traffic Control System"]
    n1["subsystem<br>Surveillance Data Processing"]
    n2["subsystem<br>Flight Data Processing"]
    n3["subsystem<br>Safety Net System"]
    n4["subsystem<br>Controller Working Position"]
    n5["system<br>Air Traffic Control System"]
    n6["subsystem<br>Surveillance Data Processing"]
    n7["subsystem<br>Flight Data Processing"]
    n8["subsystem<br>Safety Net System"]
    n9["subsystem<br>Controller Working Position"]
    n10["subsystem<br>Voice Communication System"]
    n11["subsystem<br>Data Distribution Network"]
    n12["subsystem<br>Aeronautical Information Management"]
    n13["subsystem<br>Approach Sequencing and Metering"]
    n14["subsystem<br>System Monitoring and Control"]
    n15["subsystem<br>Recording and Replay System"]
    n16["subsystem<br>Controller Pilot Data Link Communications"]
    n6 -->|Correlated tracks ASTERIX| n11
    n11 -->|Track data| n7
    n6 -->|Raw surveillance| n8
    n7 -->|Flight plan data| n9
    n8 -->|STCA/MSAW alerts| n9
    n10 -->|Voice channels| n9
    n12 -->|Sector boundaries| n7
    n7 -->|Flight schedule| n13
    n14 -.->|Health monitoring| n6
    n11 -->|All data streams| n15
    n16 -->|ACARS messages| n9
```
ATC System Decomposition
| Entity | Hex Code | Description |
|---|---|---|
| Aeronautical Information Management | 40B53B59 | Subsystem of an Air Traffic Control system maintaining the aeronautical database that underpins all route computation, airspace display, and safety net terrain models. Ingests AIXM data from national AIS providers, manages AIRAC cycle updates (28-day publication cycle), stores airspace boundaries, published procedures (SIDs/STARs), navigation aids, obstacle data, and terrain elevation models. Validates data integrity before activation. A corrupt airspace boundary or missing obstacle can directly cause a safety net false negative — data quality is safety-critical. |
| Aeronautical Information Management System | 40B57B58 | Subsystem of the Air Traffic Control System maintaining the authoritative aeronautical database used by all operational subsystems. Stores and distributes AIRAC-cycle navigation data including airways, waypoints, prohibited areas, sector boundaries, SIDs/STARs, and instrument approach procedures. Updates are ingested from national ANSP NOTAM feeds and applied on AIRAC publication dates (every 28 days). Provides query API to Flight Data Processing for procedure lookups and real-time NOTAM delivery to Controller Working Positions. |
| Air Traffic Control System | 51F57BD9 | An en-route and terminal area air traffic control system managing controlled airspace for civil aviation. Integrates primary and secondary surveillance radar, ADS-B, multilateration, and flight data processing to maintain safe separation of aircraft. Operates in a 24/7 high-availability environment with ESARR/EUROCAE safety targets (SIL 4 for separation assurance). Handles 2000+ simultaneous tracks, provides conflict detection and resolution advisories, manages sector capacity, and interfaces with adjacent ATC centres, airline operations, meteorological services, and aeronautical information systems. Regulatory framework: ICAO Annex 11, EUROCONTROL standards, national CAA oversight. |
| Alert Management Module | 41F77918 | Software module within the Safety Net System responsible for filtering, prioritising, and delivering conflict alerts to Controller Working Positions. Receives raw STCA and MSAW triggers from the Conflict Detection Processor, applies alert suppression logic to prevent duplicate or cascading false alerts, assigns urgency levels, and routes formatted alerts to the correct CWP sector display. Must hold the nuisance-alert rate below a 3/sector/hour threshold while maintaining a 10^-6 missed-detection probability. |
| Approach Sequencing and Metering | 40B73B18 | Arrival Manager (AMAN) subsystem computing optimised landing sequences and speed profiles for arriving aircraft in the terminal manoeuvring area (TMA). Processes flight plan ETAs, runway throughput constraints, and wake turbulence separation to generate ordered sequence lists at typically 45-60nm from runway threshold. Interfaces with FDP and CWP. |
| ATC Data Distribution Network | 40A57018 | The internal communication backbone of the Air Traffic Control System that carries all inter-subsystem data traffic. Provides publish-subscribe messaging with differentiated Quality of Service for safety-critical messages (STCA alerts, track updates) versus operational messages (flight plan changes, configuration commands). Uses dual-redundant ring topology with automatic failover. Must achieve <10ms end-to-end latency for safety-critical messages and support 500 Mbps aggregate throughput across all subsystem connections. |
| ATC System Monitoring and Control Subsystem | 51B57318 | Central health monitoring and remote management subsystem of the Air Traffic Control System. Continuously monitors CPU load, memory utilisation, network latency, and availability of all subsystems. Provides alert escalation to the System Controller position for subsystem failures. Manages configuration versioning and controlled deployment of software updates with roll-back capability. Provides the interface for maintenance technicians to perform diagnostics without interrupting live operations. All monitoring is non-intrusive to safety-critical data paths. |
| Conflict Detection Processor | 51F73218 | Dedicated processing module within the Safety Net System that computes predicted minimum separation between all active track pairs using 5-minute lookahead trajectory projection. Receives fused track data at 4Hz from SDP, runs pairwise closest-point-of-approach algorithms using aircraft kinematic models, generates STCA alerts when predicted separation falls below 3 NM horizontal / 1000 ft vertical en-route. Runs on SIL 3 certified hardware, independent of operational processing. Must complete evaluation cycle for 2500 tracks within 500ms. |
| Controller Pilot Data Link Communications | 50E57B58 | CPDLC subsystem providing text-based data link communication between ATC and transponder-equipped aircraft above FL285. Transmits clearances, requests, and advisories over VHF digital link VDL Mode 2 or SATCOM. Reduces voice frequency congestion in high-density oceanic and upper airspace. Interfaces with ICAO FANS-1/A and ATN B1 protocols. |
| Controller Working Position | 50ED5218 | Subsystem of an Air Traffic Control system providing the human-machine interface for air traffic controllers. Comprises situation display (plan view, vertical view, timeline), electronic flight strip system, input devices (trackball, keyboard, touch), and alert presentation. Displays fused track data, flight labels, safety net alerts, weather overlay, and airspace boundaries. Supports sector configuration (split/merge), assumed/transferred flight ownership, and direct controller-pilot datalink (CPDLC). Must render full situation display at 60fps with <100ms input-to-display latency. |
| Data Distribution Network | 40A57018 | Subsystem of an Air Traffic Control system providing the communication backbone between all processing subsystems, controller positions, and external interfaces. Implements dual-redundant switched Ethernet with deterministic latency (IEEE 802.1Qbv time-sensitive networking). Carries surveillance tracks, flight data, voice streams, and system management traffic on segregated VLANs. Must achieve <1ms inter-subsystem latency, 99.9999% availability through path redundancy, and support 10Gbps aggregate throughput. Includes hardware security modules for data-in-transit encryption. |
| Flight Data Processing | 40B57B58 | Subsystem of an Air Traffic Control system managing the lifecycle of flight plans from filing through activation, correlation with surveillance tracks, and closure. Receives ICAO FPL messages via AFTN/AMHS, performs route validation against airspace structure and published procedures, computes 4D trajectory predictions, and distributes flight data to controller positions. Supports flight plan amendments, re-routing, and ATFM slot management. Interfaces with adjacent centres for coordination and handoff. Manages system flight plan store for 5000+ active plans. |
| Minimum Safe Altitude Warning Module | 50F77818 | Terrain and obstacle proximity warning module within the Safety Net System. Computes predicted aircraft-to-terrain clearance using 3D terrain elevation model and aircraft trajectory projection. Generates MSAW alert when predicted clearance falls below safe separation margins. Must independently verify altitude data from Mode C transponder against terrain database for each active track. Operates as SIL 3 function co-located with STCA on dedicated SNS processing hardware. |
| Multi-Sensor Fusion Engine | 51F73319 | Core processing component of the Surveillance Data Processing subsystem. Ingests raw sensor reports from PSR, SSR, ADS-B, and MLAT simultaneously using a Kalman-filter-based track fusion algorithm. Correlates returns from multiple sensors to the same aircraft, resolves conflicts between sensor sources using confidence weighting, and maintains a single consistent track picture. Must achieve <250m RMS accuracy en-route and <50m terminal at 4Hz output rate processing up to 2500 simultaneous tracks. |
| Recording and Replay System | 50853B59 | Subsystem of an Air Traffic Control system providing continuous recording of all surveillance data, voice communications, system events, and controller actions for post-incident investigation, legal compliance, and training. Records at full fidelity with cryptographic timestamping. Supports time-synchronised replay across all data streams with variable-speed playback. Must retain 30 days online, 5 years archived. Complies with EUROCONTROL recording standards and ICAO Annex 10 voice recording requirements. Recording integrity is legally mandated — any gap is a reportable incident. |
| Safety Net System | 51F77B59 | Subsystem of an Air Traffic Control system providing automated conflict detection and resolution advisories. Implements STCA (Short-Term Conflict Alert) predicting loss of separation 2 minutes ahead, MSAW (Minimum Safe Altitude Warning) checking terrain clearance, APW (Area Proximity Warning) detecting unauthorized airspace penetration, and CLAM (Cleared Level Adherence Monitor). Safety-critical SIL 4 function: false negative rate <10^-5 per flight hour, false positive rate <1 per controller hour. Must operate on predicted trajectories accounting for aircraft performance models and wind. |
| Surveillance Data Processing | 50F73319 | Subsystem of an Air Traffic Control system responsible for ingesting, correlating, and fusing surveillance data from primary surveillance radar (PSR), secondary surveillance radar (SSR/Mode-S), ADS-B receivers, and multilateration (MLAT) sensors. Produces a unified multi-sensor track picture at 4-second update rate for en-route and 1-second for terminal. Handles track initiation, smoothing, coast prediction, and duplicate elimination across overlapping sensor coverage. Must process 2000+ simultaneous tracks with <500ms processing latency. Critical safety function: track integrity directly determines separation assurance. |
| System Monitoring and Control | 51B77B18 | Subsystem of an Air Traffic Control system supervising the health, configuration, and failover of all other subsystems. Monitors hardware status, software process health, data quality metrics, and capacity thresholds. Manages automatic failover between redundant processing chains (hot standby). Provides system administrator interface for configuration changes, software updates, and maintenance scheduling. Implements SNMP and custom monitoring protocols. Must detect subsystem failure within 2 seconds and complete automatic switchover within 5 seconds. |
| Track Quality Monitor | 51F77308 | Monitoring component within Surveillance Data Processing that continuously assesses the quality and reliability of each tracked aircraft. Monitors sensor coverage gaps, transponder coasting (last known position extrapolation), track-to-track ambiguity, and velocity consistency. Flags tracks with degraded quality to the Controller Working Position via track quality indicators and generates NOTAM-equivalent alerts when coverage zones experience sensor loss. Operates at 4Hz track update rate for all active tracks. |
| Track-Plan Correlator | 40B53308 | Component of the Flight Data Processing subsystem that links each active surveillance track to its corresponding filed flight plan. Uses SSR squawk code, Mode C altitude, and trajectory correlation to associate tracks with flight plans. Maintains correlation state throughout the flight lifecycle, resolving correlation conflicts when multiple aircraft have similar transponder codes. Must achieve correlation within 30 seconds of airspace entry and maintain correlation through transponder changes and temporary coverage loss. |
| Voice Communication System | 54F57358 | Subsystem of an Air Traffic Control system providing air-ground radio and ground-ground telephony for controller operations. Manages VHF/UHF frequency allocation across sectors, supports frequency coupling for extended coverage, provides instant-access telephony between controller positions and adjacent centres. Implements ED-137 VoIP protocol for digital voice distribution. Must achieve voice latency <150ms, availability 99.999%, and support simultaneous transmission detection. Includes cockpit voice recording interface. |
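The Conflict Detection Processor and Safety Net System entries above describe a pairwise closest-point-of-approach probe against 3 NM / 1000 ft separation minima over a fixed lookahead window. The block below is an added illustration of that probe and is not the Safety Net System's own code: it assumes a flat local plane with positions in NM, constant-velocity extrapolation, a 5-minute lookahead (the window given for the Conflict Detection Processor; the STCA entry states 2 minutes, which the `lookahead_s` parameter also covers), and a constructed four-track picture. It solves the horizontal and vertical separation windows analytically and intersects them with the lookahead, so a pair that passes within 3 NM while still 1500 ft apart is correctly not flagged, and a pair already in conflict is reported at t = 0.

```python
"""Pairwise STCA conflict probe (added example, not the SNS implementation).

Thresholds (3 NM / 1000 ft) and the 5-minute lookahead come from the
Conflict Detection Processor description; all track data are constructed.
"""
from dataclasses import dataclass
from itertools import combinations
import math
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Track:
    callsign: str
    x_nm: float    # east position, NM (local tangent plane, constructed)
    y_nm: float    # north position, NM
    alt_ft: float  # Mode C altitude, ft
    vx_kt: float   # east ground-speed component, knots
    vy_kt: float   # north ground-speed component, knots
    vz_fpm: float  # vertical rate, ft/min


Window = Optional[Tuple[float, float]]  # (t_start, t_end) in seconds, or None


def _horizontal_window(a: Track, b: Track, h_nm: float) -> Window:
    """Time interval during which horizontal separation is below h_nm.

    Solves |p + v*t| < h as a quadratic in t (p = relative position in NM,
    v = relative velocity in NM/s). None means the pair never gets that close.
    """
    px, py = b.x_nm - a.x_nm, b.y_nm - a.y_nm
    vx, vy = (b.vx_kt - a.vx_kt) / 3600.0, (b.vy_kt - a.vy_kt) / 3600.0
    vv, pv, pp = vx * vx + vy * vy, px * vx + py * vy, px * px + py * py
    if vv < 1e-12:  # no relative motion: separation is constant
        return (-math.inf, math.inf) if pp < h_nm * h_nm else None
    disc = pv * pv - vv * (pp - h_nm * h_nm)
    if disc <= 0.0:  # closest approach stays outside the minimum
        return None
    root = math.sqrt(disc)
    return ((-pv - root) / vv, (-pv + root) / vv)


def _vertical_window(a: Track, b: Track, v_ft: float) -> Window:
    """Time interval during which vertical separation is below v_ft."""
    dz = b.alt_ft - a.alt_ft
    dvz = (b.vz_fpm - a.vz_fpm) / 60.0  # relative vertical rate, ft/s
    if abs(dvz) < 1e-9:  # both level (or same rate): constant vertical gap
        return (-math.inf, math.inf) if abs(dz) < v_ft else None
    t1, t2 = (-v_ft - dz) / dvz, (v_ft - dz) / dvz
    return (min(t1, t2), max(t1, t2))


def predict_conflict(a: Track, b: Track, lookahead_s: float = 300.0,
                     h_nm: float = 3.0, v_ft: float = 1000.0) -> Optional[float]:
    """Seconds from now until a and b first lose BOTH horizontal and vertical
    separation inside the lookahead window, or None if they do not."""
    hw, vw = _horizontal_window(a, b, h_nm), _vertical_window(a, b, v_ft)
    if hw is None or vw is None:
        return None
    start = max(hw[0], vw[0], 0.0)          # clamp to "now"
    end = min(hw[1], vw[1], lookahead_s)    # clamp to the probe horizon
    return start if start < end else None


def probe_all_pairs(tracks: List[Track], **kw) -> List[Tuple[float, str, str]]:
    """Run the probe over every track pair; most urgent alert first."""
    alerts = []
    for a, b in combinations(tracks, 2):
        t = predict_conflict(a, b, **kw)
        if t is not None:
            alerts.append((round(t, 1), a.callsign, b.callsign))
    return sorted(alerts)


# Constructed track picture: head-on pair, a parallel track 20 NM north,
# and a climbing crossing track that reaches co-altitude near the crossing.
SAMPLE_TRACKS = [
    Track("ABC123", 0.0, 0.0, 35000.0, 450.0, 0.0, 0.0),
    Track("DEF456", 40.0, 0.0, 35000.0, -450.0, 0.0, 0.0),
    Track("GHI789", 0.0, 20.0, 37000.0, 450.0, 0.0, 0.0),
    Track("JKL012", 30.0, -30.0, 33500.0, 0.0, 450.0, 600.0),
]

if __name__ == "__main__":
    for t, c1, c2 in probe_all_pairs(SAMPLE_TRACKS):
        print(f"STCA {c1}/{c2}: loss of separation predicted in {t:.0f} s")
```

With the constructed picture the head-on pair is flagged 148 s out and the climbing crossing at about 223 s (its vertical window opens at 50 s and closes at 250 s, so only the overlap with the horizontal window counts); the parallel track 20 NM north is never flagged. Shortening `lookahead_s` to 120 s suppresses both, which is the trade-off between the 2-minute and 5-minute horizons quoted on this page.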

| Component | Belongs To |
|---|---|
| Surveillance Data Processing | Air Traffic Control System |
| Flight Data Processing | Air Traffic Control System |
| Controller Working Position | Air Traffic Control System |
| Safety Net System | Air Traffic Control System |
| Voice Communication System | Air Traffic Control System |
| Recording and Replay System | Air Traffic Control System |
| System Monitoring and Control | Air Traffic Control System |
| Data Distribution Network | Air Traffic Control System |
| Aeronautical Information Management | Air Traffic Control System |
| Controller Pilot Data Link Communications | Air Traffic Control System |
| Approach Sequencing and Metering | Air Traffic Control System |