Air Traffic Control System

Rationale: SYS-REQ-001 is a system-level performance requirement spanning SDP, DDN, and CWP — component-level tests verify individual contributions but cannot confirm end-to-end fused accuracy through the full processing chain. A reference transponder test at surveyed positions provides ground truth that simulation cannot replicate, per EUROCONTROL ESARR 4 integration verification requirements.

Rationale: SYS-REQ-002 sets an end-to-end latency budget from sensor to display — verifying sub-systems in isolation does not confirm that the full pipeline (sensor ingestion → SDP fusion → FDP correlation → CWP render) meets the composite deadline. The 4s/1s thresholds are derived from ICAO Doc 4444 track update requirements for radar display systems; deviation would cause track history symbols to mislead controllers about aircraft position.

Rationale: STCA is the last automated safety barrier before a mid-air collision — IEC 61508 SIL 3 requires missed detection probability ≤10^-5. Statistical test coverage of 1000 scenarios with adversarial inputs (garbling, spoofing) is required because analytical methods alone cannot account for multi-sensor fusion failure modes. EUROCONTROL ESARR 4 requires test-based validation for SIL 3 functions.

Rationale: Capacity under concurrent load is an emergent property that cannot be confirmed by testing SDP and FDP in isolation — resource contention on the Data Distribution Network and shared processing nodes only manifests under full-system load. The 2500/5000 limits represent the declared FIR maximum; exceeding them would require flow restrictions on all traffic.

Rationale: Network isolation against external threats cannot be verified by inspection of configuration alone — misconfigurations, firmware vulnerabilities, and VLAN hop techniques require active testing. EUROCONTROL ESARR 5 requires independent security assessment for ATM systems connected to external networks. The data diode hardware provides a physical one-way enforcement mechanism whose correctness must be validated by attempted bypass.

Rationale: Power continuity is a life-safety requirement — if the 500ms switchover target is not met, SDP and CWP displays may blank during handover, presenting controllers with an unannounced loss of traffic picture. The 72-hour endurance requirement addresses extended grid outage scenarios (weather events, national grid fault). These cannot be verified by analysis alone because generator load characteristics and battery buffer decay are system-specific.

Rationale: The 20-minute advance warning is the controller planning horizon for conflict resolution at cruise altitudes — insufficient advance notice forces last-minute vector solutions that increase controller workload and may be infeasible in congested airspace. False positives (notification of non-conflicts) degrade controller trust and lead to alert suppression. Geometric injection testing at boundary values is required to confirm algorithm correctness at the 20-minute threshold.

Rationale: SYS-REQ-009 is the primary availability/resilience requirement — it must be tested by actual failure injection, not by analysis of redundancy architecture. Each subsystem has different failover mechanisms (hot standby SDP/FDP, passive VCS backup, RRS fallback) and recovery paths that must be validated individually. The 15-minute recovery target is derived from ANSP service level agreements with CAA and requires empirical confirmation.

Rationale: OLDI B2B interoperability requires testing against the actual CFMU acceptance environment — the protocol has version-specific behaviours and error handling that cannot be validated against a local stub. Coordination failures at sector boundaries are a historical cause of mid-air collision precursor events; the interface must be tested against real CFMU message flows.

Rationale: SYS-REQ-011 has regulatory compliance implications — failure to provide tamper-evident recordings risks UK CAA enforcement action under the Air Navigation Order 2016. Tamper-evidence cannot be verified by inspection of the cryptographic scheme alone; active tampering attempts are required to confirm the implementation correctly rejects modifications. The 2-hour retrieval SLA must be tested end-to-end including data format conversion and secure transfer mechanisms.

Rationale: ASTERIX Cat 062 latency must be tested at full track density because the DDN and track output gateway share network resources with operational processing — contention only appears under load. The CFMU 500ms SLA has contractual and operational consequences if breached; test coverage must replicate real consumer endpoint behaviour.

Rationale: Accuracy verification by simulation replay is the only practicable method — live flight measurement requires extensive air traffic coordination, airspace closure, and reference aircraft instrumentation. Radar replay facilities with known-position injection are the standard ANSP acceptance test method, validated in EUROCONTROL's ASTERIX test framework. 1000 tracks provides statistical significance at the required 250m and 50m RMS thresholds.

Rationale: The 10^-6 missed detection target cannot be verified by statistical testing — achieving sufficient test volume would require hundreds of millions of conflict scenarios. FTA per IEC 61508 is the accepted certification methodology for safety-critical detection systems at this integrity level. Independent safety assessor review is required by EUROCONTROL ESARR 4 and national CAA requirements for safety-critical ATM system changes.

Rationale: Availability targets at the 99.9997% level can only be demonstrated by extended operational service — simulation cannot replicate the full range of environmental, hardware aging, and operational failure modes that occur in live service. 12 months provides sufficient observational period to distinguish random failures from systematic weaknesses. Automated logging prevents subjective outage classification and ensures auditability for CAA certification review.

Rationale: Network latency must be verified under realistic load conditions — idle-state measurements do not reveal queuing delays under burst traffic. 110% overload scenario tests QoS behaviour when total offered load exceeds capacity, confirming that safety-critical traffic maintains priority and low latency while operational traffic is degraded. Measurement is only possible via synthetic injection — live traffic cannot be instrumented without affecting operational messages.

Rationale: Display performance requirements cannot be verified by software instrumentation alone — the GPU rendering pipeline, video hardware, and monitor refresh rate all contribute to perceived latency. High-speed camera measurement captures the full end-to-end latency including display hardware. The 40-aircraft concurrent load test ensures performance degradation under realistic operational conditions is characterised before deployment.

Rationale: Nuisance alert rate cannot be accurately assessed in lab simulation because traffic density and complexity drive false positive rates; 6-month operational trial is the EUROCONTROL acceptance standard for STCA deployments.

Rationale: Guard frequency independence is a regulatory requirement; inspection plus live failure test is the CAA-mandated verification approach for safety-critical independence claims. Simulation is not accepted for this requirement class.

Rationale: Degraded-mode performance cannot be verified by analysis alone; a live controlled failure injection test is required to validate sensor switching and fusion algorithm behaviour under realistic conditions.

Rationale: Recording completeness and integrity are legal requirements; verification must confirm both storage longevity (30 days) and cryptographic integrity of the stored data, which cannot be validated by shorter-duration testing.

Rationale: Cryptographic authentication can fail by accepting bad messages or rejecting good ones. Both failure modes must be tested. The 1000-message suite provides statistical confidence that false-positive rate is below 1 in 1000, acceptable for an operational system where false rejections degrade datalink availability.

Rationale: The 40-minute horizon is a functional boundary condition. The plus or minus 30 second STA accuracy threshold is derived from AMAN operational requirements: controllers issue speed instructions in 10-knot increments which produce approximately 30-60 second time adjustments, so AMAN predictions must be accurate to within one instruction step.

Rationale: FDP trajectory prediction accuracy is measured by replaying recorded traffic and computing position error statistics — this is a test procedure with quantified acceptance criteria (90th percentile ≤NM at T+5 through T+20 minutes), not an analysis. Analysis would imply algorithmic derivation from specifications; here we are instrumenting the running system against known reference data.

Rationale: The 120-second look-ahead is the primary parameter of the conflict detection algorithm and must be verified across the full operational envelope. 500 scenarios spanning closing speed and geometry provides coverage of failure modes identified in EUROCONTROL STCA Specification Version 2.1.

Rationale: MSAW is SIL-3. Verification must use representative CFIT-precursor profiles to validate true positive detection. False warning rate testing is equally critical: controller habituation to false MSAW alerts is a systemic safety risk documented in ICAO CFIT prevention circular AN-WP/8779.

Rationale: Multi-sensor fusion correctness cannot be verified by testing each sensor in isolation — fusion algorithm behaviour under concurrent inputs, including conflict resolution when sensors disagree, must be tested with simultaneous feeds. This requirement tests the sensor integration boundary condition that EUROCONTROL guidance identifies as a common integration failure point.

Rationale: Track identity assignment failures cause STCA and MSAW to operate on incorrect track histories, creating safety risks. The re-acquisition scenario tests the most common identity continuity failure mode — controllers routinely rely on track history to predict aircraft behaviour, so identity instability directly degrades situational awareness.

Rationale: Flight plan lifecycle errors are a leading cause of trajectory confusion incidents. The 10-minute persistence test directly verifies the degraded-mode requirement for temporary surveillance loss — controllers operate in airspace where radar blind spots exist and must not lose flight plan context during brief gaps in coverage.

Rationale: CPDLC delivery assurance is an operational safety requirement: unconfirmed clearances may not have been received by the aircraft. The 60-second 99th percentile threshold aligns with EUROCONTROL CPDLC performance monitoring guidance for en-route operations. The 90-second alert threshold gives controllers actionable notification within the time window before re-transmit or voice backup is required.

Rationale: NOTAM propagation delay is operationally critical: a controller displaying an outdated airspace picture may issue clearances into newly restricted airspace. 60-second propagation is derived from ICAO AIM transition standards. Cryptographic validation testing ensures the dual-database integrity mechanism (ARC-REQ-012) actually detects modification — testing both valid and corrupted NOTAMs is required.

Rationale: Switch removal testing must be conducted with live traffic load because network reconvergence time is traffic-dependent. The 50ms safety-critical interruption limit is derived from the SNS update cycle — a 100ms STCA processing window requires network delivery within 50ms to allow processing within cycle. Testing each switch individually identifies any single switch whose removal causes disproportionate impact.

Rationale: SMC detection latency directly affects operator response time to developing failures. The 10-second detection threshold is derived from operational resilience requirements: a subsystem degradation that goes undetected for more than 10 seconds may progress to service disruption before the operator can respond. Testing each subsystem individually validates that monitoring coverage is complete, not just that the alerting mechanism works.

Rationale: Channel independence is a certification requirement under CAA Air Traffic Services Communication Standards. Cross-talk verification at -60 dBc ensures that simultaneous multi-frequency operation does not degrade intelligibility on any channel — the threshold is the minimum intelligibility standard under ICAO Annex 10 for air-ground communications.

Rationale: Simultaneous replay is required during incidents when multiple investigators need independent access to recorded data. The key performance risk is I/O contention between concurrent read sessions and ongoing live recording. Testing confirms that the storage subsystem handles concurrent access without degrading the primary safety function of live continuous recording.

Rationale: Automatic failover timing is safety-critical as SDP outage of >3 s creates a surveillance gap detectable by SNS. Physical disconnect test is the only method that accurately simulates hardware failure — software-simulated failover does not exercise OS process recovery paths and RAID state synchronisation timing.

Rationale: STCA alert latency is a SIL-4 safety requirement — a 3-second delay prevents timely controller intervention for close-proximity conflicts. Physical end-to-end timing must be measured from SNS processing to CWP display; analysis cannot account for IPC queuing latency and display rendering time.

Rationale: AIRAC data currency is an ICAO AIP regulatory obligation — controllers relying on stale airspace boundaries risk procedural non-compliance. A 2-hour update window is tested at system level because AIM data pipelines involve ETL transforms, validation, and publication that must be exercised end-to-end.

Rationale: QoS priority enforcement cannot be verified by Analysis because switch firmware and buffer management behaviour under high load is vendor-implementation-dependent and may not match the datasheet specification. Empirical congestion testing at near-capacity load is the only reliable method.

Rationale: CPDLC failover time is a safety requirement — if rerouting takes >30 s, inflight clearances may be delayed beyond the controller intervention window. Physical link severance test is required because software simulation of ACARS link failure does not exercise real SATCOM routing table convergence timing.

Rationale: AMAN recomputation latency determines whether revised STAs are usable for en-route controller instructions — a 15-second bound is the Eurocontrol A-CDM contractual SLA. Testing under live event injection is required because algorithm convergence time varies with traffic density and amendment type in ways that resist analytical bounding.

Rationale: Multi-sensor fusion correctness underpins all downstream SNS STCA calculations. Testing must inject all four sensor types simultaneously to verify the Kalman filter bias — testing sensors individually does not demonstrate correct relative weighting during concurrent reception.

Rationale: Clearance distribution latency directly affects conflict resolution — a controller at another sector position acting on a stale flight plan may issue conflicting clearances. End-to-end latency cannot be confirmed by analysis because DDN QoS behaviour under concurrent clearance load is non-linear.

Rationale: CWP input efficiency directly affects controller cognitive load during high-traffic periods. Human-in-the-loop testing with qualified controllers is required because input efficiency depends on UI interaction flow and cognitive steps, not just technical performance metrics.

Rationale: Guard frequency independence is a regulatory requirement (ICAO Doc 4444 emergency communications). The test requires physical VCS shutdown because software simulation cannot verify hardware independence of the guard receiver circuit from the main switching fabric.

Rationale: AIM terrain database accuracy drives MSAW alert validity — insufficient resolution or stale data causes missed CFIT warnings. Statistical sampling across 100 points at random FIR coordinates provides 95% confidence at 5% error rate for coverage and accuracy compliance.

Rationale: SMC refresh accuracy depends on telemetry polling cycles, SNMP trap propagation, and UI rendering pipeline — each of which introduces latency that cannot be analytically bounded without empirical measurement. 10-second visibility is operationally required so shift supervisors can act before subsystem failure.

Rationale: 30-day retention is a mandatory ICAO ATCO occurrence investigation requirement. Storage continuity and cryptographic integrity cannot be verified by Analysis because storage system capacity and filesystem fragmentation behaviour are operational variables. Physical tamper-detection test demonstrates the security mechanism is active, not just configured.

Rationale: Sector ownership currency is safety-critical for handoff coordination — a stale ownership display could lead a controller to issue a clearance for an aircraft in another controller's sector. End-to-end propagation test is required because FDP distribution latency and CWP display rendering latency are both contributors and cannot be reliably bounded without measurement.

Rationale: AMAN sequence computation latency directly affects whether speed/level advisories reach en-route controllers with sufficient lead time for efficient sequencing. The 30-second threshold is a Eurocontrol A-CDM operational requirement and must be demonstrated under representative traffic density.

Rationale: CPDLC authentication prevents spoofed clearances from being presented to controllers. Both acceptance and rejection paths must be tested; analysis of cryptographic library compliance does not demonstrate correct integration into the CPDLC message pipeline.

Rationale: CPDLC logs are mandatory for accident investigation (ICAO Annex 11). Tamper-evidence is a legal obligation — regulatory authorities require logs to be court-admissible. Physical tamper test demonstrates the integrity mechanism is active in the deployed configuration, not just present in the specification.

Rationale: Multi-runway sequence validity is operationally critical for airports with parallel runways requiring simultaneous independent approaches. Testing requires physical configuration switching in a running AMAN instance because sequence state management under concurrent runway configurations cannot be verified by inspection of the design.

Rationale: The 40-minute planning horizon is the minimum needed for en-route controllers to issue pre-sequence speed advisories before the aircraft enters the descent profile. Verification must use a populated traffic scenario because AMAN look-ahead cutoff depends on computational resource allocation that varies with traffic count.

Rationale: OLDI coordination is a bilateral agreement between ANSPs — correct ABI/ACT/REV/LAM processing is required for legal transfer of responsibility at FIR boundaries. 30-second processing is the EUROCONTROL OLDI SLA. End-to-end testing with simulated adjacent ANSP systems is the only method that validates the full coordination loop.

Rationale: FDP trajectory accuracy directly affects STCA look-ahead reliability — prediction errors >2 NM at 20 min cause either false STCA alerts or missed conflicts. Accuracy must be validated against historical ground-truth rather than modelled data because atmospheric variability and aircraft performance model errors are real-world variables.

Rationale: Electronic flight strip sort order and transfer highlighting are the primary pilot awareness tools replacing paper strips — incorrect display directly impairs controller situational awareness. Human-in-the-loop verification with real traffic scenarios is required because display logic interacts with FDP data in ways that cannot be fully confirmed by unit testing.

Rationale: VCS conference latency >40 ms causes noticeable echo and double-talk degradation in controller-pilot voice communications, a known factor in ATCO communication errors (EUROCONTROL Human Factors report HUM.ET1.ST13.3000-REP-01). Latency must be measured physically because digital mixing pipeline delays depend on hardware buffer configuration.

Rationale: The SDP→SNS interface carries the track data on which STCA conflict predictions are based. Interface timing and format errors at this boundary could cause SNS to operate on stale or malformed tracks, producing missed alerts. End-to-end timing measurement validates that the full IPC path meets the latency budget.

Rationale: The SDP→FDP interface links surveillance identities to flight plans, enabling clearance-track correlation. Correlation errors here lead to clearances being applied to the wrong flight plan. Standardised format compliance (ASTERIX Cat-062) must be verified by injection test because schema validation tools only check structure, not data semantics.

Rationale: OLDI interface correctness is legally required for FIR boundary coordination — incorrect framing or sequence numbering causes adjacent ANSP systems to reject coordination, leaving aircraft without legal transfer of responsibility. Physical protocol testing against a simulated adjacent ANSP is required because OLDI conformance cannot be confirmed by internal FDP unit tests.

Rationale: SNS→CWP STCA delivery latency is the final link in the safety net alert chain. Delays at this interface reduce the controller's response window to below the safety margin. Verifying interface latency separately from end-to-end latency allows locating whether bottlenecks are in the IPC path or in the CWP rendering pipeline.

Rationale: AIM→SDP navigation data currency drives MSAW terrain correlation accuracy. If SDP uses outdated terrain or obstacle data received from AIM, MSAW alerts may be missed or falsely generated. Timing verification must be end-to-end to confirm the publication-to-application propagation cycle meets AIRAC obligations.

Rationale: FDP→CWP flight data delivery is on the critical path for controller situational awareness. A 5-second delivery latency matches the FDP distribution requirement (SUB-REQ-015) and must be confirmed at the interface level to identify whether delays originate in the FDP or the DDN/CWP rendering pipeline.

Rationale: VCS→CWP frequency selection interface is safety-critical — an incorrect routing (transmitting on wrong frequency or receiving on wrong loudspeaker) could cause a controller to miss a pilot call or transmit on an incorrect frequency. Physical radio test with calibrated audio monitoring is required to verify routing correctness.

Rationale: SMC health monitoring interface coverage is required across all subsystems — a single unmonitored subsystem failure could degrade ATC services without operator awareness. Simultaneous breach injection across 4 subsystems verifies that the monitoring interface scales correctly and that subsystem health data is not dropped under concurrent load.

Rationale: RRS recording completeness is a mandatory regulatory requirement (ICAO Annex 11). The RRS→DDN interface must support the full system data rate without packet loss — interface saturation could cause recording gaps that invalidate incident investigation records. Peak-load testing over 4 hours is necessary to detect buffer overflow conditions not apparent in short-duration tests.

Rationale: IFC-REQ-010 specifies a 500ms alert delivery SLA on a dedicated priority channel — head-of-line blocking by operational traffic is the key risk. Test must replicate worst-case DDN congestion to confirm safety VLAN isolation holds under load. Inspection of VLAN config alone is insufficient; active measurement under traffic stress is required per EUROCONTROL ESARR 4.

Rationale: ARC-REQ-001 specifies a 3-second failover with no track continuity loss — Analysis alone cannot verify this because the synchronisation fabric latency and state transfer completeness are implementation-dependent. A live failover test under traffic load is required to confirm that state synchronisation is sufficient to eliminate track correlation loss at switchover. This is the ATC equivalent of a fire drill — it must be tested, not inferred.

Rationale: ARC-REQ-002 specifies SIL 3 for the Safety Net System — this cannot be demonstrated by functional test alone. IEC 62061 requires a systematic safety assessment including FMEA, fault tree analysis, and independence verification. An independent third-party assessment is the accepted verification method for SIL 3 claims; EUROCONTROL ESARR 4 mandates external safety oversight for safety instrumented functions in ATC.

Rationale: DDN VLAN segmentation verification includes an active traffic injection test (flooding the operational VLAN at 90% capacity and confirming zero cross-VLAN bleed on the safety-critical VLAN). The network topology review is a supporting step, but the binding evidence comes from the active injection test. Requirements with quantified pass criteria confirmed by instrumented test execution must be classified as Test, not Inspection.

Rationale: ARC-REQ-012 specifies a live AIRAC switchover procedure with a 2-hour reversion window — this must be demonstrated end-to-end including the ATC operational impact (no service interruption) because database activation faults in production have caused loss of sector boundary visibility. Timed switchover and reversion are operational procedures that must be validated before they are executed in a live ATC environment.

Rationale: SUB-REQ-009 specifies variable-rate synchronised multi-stream replay — synchronisation drift between voice and track data at high playback speeds can mislead safety investigators. The EUROCONTROL export format must be tested with an actual external tool because format compatibility cannot be confirmed by inspection of the export specification alone. Post-incident replay quality directly affects the accuracy of safety investigation findings.

Rationale: REQ-SEAIRTRAFFICCONTROL-002 specifies sub-100ms query response to support real-time trajectory processing in FDP and SDP. If AIM queries exceed this bound, FDP trajectory prediction and SDP track-to-waypoint correlation will lag behind aircraft position, potentially causing late conflict detection. A load test with 50 concurrent clients is required because AIM query latency degrades under simultaneous SDP/FDP access patterns during sector boundary transitions.

Rationale: REQ-SEAIRTRAFFICCONTROL-007 specifies authenticated access with immutable audit logging for SMC configuration — this is a safety-critical control because unauthorised configuration changes could disable subsystem health monitoring or alter safety thresholds. Inspection alone cannot verify that the audit trail is genuinely immutable; injection testing of both authorised and unauthorised access paths is required to confirm the enforcement mechanism.

Rationale: Native SUB-REQ-006 specifies a 4Hz minimum refresh rate for all CWP display elements — controllers require smooth track symbol movement to accurately assess aircraft trajectories and separation trends. Below 4Hz, discrete track jumps impair separation assurance, particularly for high-speed traffic converging at close proximity. Frame capture verification is required because software timer measurements miss missed frames caused by rendering pipeline backpressure.

Rationale: REQ-SEAIRTRAFFICCONTROL-001 makes two verifiable claims: AIRAC data covers all required element types (verifiable only by systematic schema comparison against EUROCONTROL AIXM 5.1) and updates are applied within 2 hours (verifiable only by controlled timing injection). The revert test confirms AIM dual-database safe fallback before new cycle acceptance, required by EUROCONTROL ESARR 4.

Rationale: The 500ms switchover threshold is the system-level requirement driven by EUROCONTROL ESARR 4 short-duration interruption limits. Only a physical mains-failure test exercises the actual ATS relay timing, UPS bridge behaviour, and subsystem resilience simultaneously — software simulation cannot replicate this.

Rationale: Physical tank endurance testing at operational load establishes the actual fuel consumption rate, which cannot be derived analytically with sufficient precision for a 72-hour safety claim. Alarm functional testing is required separately because sensor threshold logic is independently programmable and may be misconfigured without this test.

Rationale: ARC-REQ-011 makes two verifiable claims: VLAN isolation prevents cross-traffic and safety-critical traffic is protected from head-of-line blocking. Injection attempt is the only method to confirm runtime isolation; saturation test confirms protection under load. Inspection of switch config alone is insufficient.

Rationale: ARC-REQ-012 exists to prevent AIRAC update failures from causing AIM operational outages. The staging-failure isolation test is the only method to confirm the dual-database boundary holds under fault conditions — analysis of the architecture cannot confirm runtime isolation.

Rationale: IFC-REQ-010 specifies a 500ms delivery budget on a dedicated high-priority channel that cannot be blocked by non-safety-critical traffic. Test is the only appropriate method: Analysis cannot predict actual network behaviour under saturation, and Inspection of channel configuration cannot confirm runtime priority enforcement. The channel-failure detection test confirms the alerting path is itself monitored.

Rationale: SUB-REQ-009 makes three verifiable claims: multi-stream time synchronisation at variable playback rates, EUROCONTROL standard format export compatibility, and independent concurrent replay session isolation. Only Test with a known golden recording can verify synchronisation accuracy and format compliance. Analysis cannot validate 8x playback timing without runtime measurement.

Rationale: SYS-REQ-013 makes two verifiable claims: no service interruption during swap and 30-minute restoration bound. Both require live-traffic-load testing — bench testing without concurrent ATC operations cannot validate that swap procedures are transparent to the operational traffic path. The pass criterion mirrors the STK-REQ-008 time bound exactly.

Rationale: SYS-012 makes two verifiable claims requiring instrumented measurement: (a) ≤500 ms end-to-end latency from track update to network delivery, and (b) zero message loss over 24 hours for registered consumers.

Rationale: SUB-REQ-030 requires ACARS→SATCOM failover within 30 seconds for active CPDLC sessions. Test verification is mandatory because the 30-second timing constraint is operationally critical — exceeding it could lose ATC separation assurance for aircraft on oceanic tracks — and must be demonstrated under live datalink gateway handshake conditions, not simulation.

Rationale: Training mode isolation cannot be fully verified by functional test alone — architecture inspection confirms the design intent, while network capture provides empirical evidence of separation. The 1-hour concurrent run mimics a realistic proficiency check duration.