Professional Documents
Culture Documents
Cast 30
Cast 30
PRELIMINARY SYSTEM
SAFETY ASSESSMENT OF THE
EUROPEAN ATM
INFORMATION MANAGEMENT
SERVICE (EAIMS)
DOCUMENT CHARACTERISTICS
TITLE
Publications Reference:
ISBN Number:
Document Identifier Edition Number: 1.0
Preliminary System Safety Assessment –
Edition Date: 01/09/2016
EAIMS
Abstract
This document presents the results of the high-level Preliminary System Safety Assessment for
EAIMS:
Eight Consolidated Failure Modes were identified
Seventy-five Safety Recommendations were made to address the failure modes.
Keywords
Centralised Service CS5 EAIMS Safety Case
Requirement Assessment AIM AIS
NMOC NM EAD FHA
Hazard Objectives PSSA
Contact Person(s) Tel Unit
Anthony F. Seychell +32 2 729 3721 NMD/NOM/SAF
This document is copyright protected. It may be copied in whole or in part by the recipients for their
own purposes strictly related to the support of the development of Centralised Services by
EUROCONTROL. All copies shall display the following notice "© EUROCONTROL 2016". Any
commercial use of the document or its contents, their use for purposes other than specified in this
notice, as well as their distribution to third parties is strictly prohibited.
DOCUMENT AUTHOR
DOCUMENT APPROVAL
The following table identifies all management authorities who have successively approved the
present issue of this document.
Project Manager
22.09.2016
CS5
Razvan Margauan
Director Network
Manager 22.09.2016
Joe Sultana
Publications
EUROCONTROL Headquarters
96 Rue de la Fusée
B-1130 BRUSSELS
CONTENTS
DOCUMENT CHARACTERISTICS ............................................................................ 2
CONTENTS ................................................................................................................ 5
EXECUTIVE SUMMARY
The aim of this safety activity was to determine the safety requirements for European ATM
Information Management System (EAIMS) needed to meet the safety objectives specified in the
Functional Hazard Assessment Report. Fourteen failure modes were found which could lead to the
three functional level hazards identified in the FHA. Some of these failure modes were common to
two hazards and were eventually consolidated into eight consolidated failure modes.
At present there are only very high-level descriptions of the system architecture mainly because it
will be up to the successful bidder of the CS5 Call For Tenders (CFT) to design in detail the
EAIMS/CS5 system, taking into account the technical and architectural requirements set in the
CFT. Thus the current lack of detail is a severe constraint when it comes to specifying the safety
requirements. Therefore at this phase of the project it is not feasible to establish detailed safety
requirements since the knowledge/information about the system architecture is limited.
Despite this constraint it was still possible to draw up seventy five generic/high-level safety
recommendations to address the failure modes identified. These safety requirements, although
generic/high-level, should assure adequate initial mitigation of the safety risk associated with the
CS5 operations prior to the comprehensive system design since these safety requirements shall be
part of the CFT documentation.
Intentionally blank
CHAPTER 1 – INTRODUCTION
1.1 Purpose
This report presents the results of the Preliminary System Safety Assessment (PSSA) activities
carried out in the period December 2015 – March 2016. The report was updated in August 2016 to
align it with the final version of the EAIMS CONOPS and CFT documentation.
The information contained in this report presents the main output of the EAIMS safety assessment
activities and provides the main safety related input to the subsequent EAIMS/CS5 CFT, validation
activities and implementation safety assessments.
The report should eventually serve as a reference to the Network Manager, the ANSPs and AISPs
regarding the potential means to control the risk associated to the introduction of EAIMS in terms
of mitigation of severity of hazard effects and/or reduction of frequency of their occurrence. The
information contained in this report shall be reviewed and validated (optimised) for use by the
NM/ANSPs/AISPs according to the particular operational environments, i.e. taking into account
local systems and their functional capabilities, procedures, units staffing levels and traffic
complexity.
1 Safety Management of Changes to Functional Systems; NMD SQS; iMS/POL/SMS-SMC; version 2.0; 2013-12-09
2 EU 1035/2011 “Commission Implementing Regulation (EU) No 1035/2011 of 17 October 2011 laying down common requirements for
the provision of air navigation services and amending Regulations (EC) No 482/2008 and (EU) No 691/2010”
1.6 Terminology
services delivered via a computer to computer interface.
One system will interact with another system via services. Services are made
B2B Services
available via a set of APIs (Application Programming Interface) that a software
developer has to use to make his own system inter-operate with the other system.
services delivered via an HMI, targeted for human interaction.
B2C Services An end user can interact with the system via a client application. The client
application interacts via services with the system.
a consortium composed of ANSPs and other industrial partners which will be
entrusted with the development of the EAIMS/CS5 system and its operations as
CS5 Contractor
outcome of the CS5 Call For Tenders process under the EUROCONTROL
procurement rules.
for the purpose of the safety assessment, ‘data’ is considered to encompass not
only AIS data or any other representation of facts, concepts or instructions in a
Data formalised manner suitable for communication, interpretation or processing by the
EAIMS/CS5 but also products such as AIS products (e.g. aeronautical charts and
AIPs).
the complete European ATM Information Management Service managed under
EAIMS the auspices of EUROCONTROL as the Network Manager, irrespective of
outsourced/insourced components and services.
the system which will be contracted (subject of the CS5 Call For Tenders
(CS5/CFT)) for development and operation and will be the reference source for
EAIMS/CS5 the AIS and ATFCM/ASM data (e.g. managing the reference source) and a
central access point for aircraft type characteristics and performance data and
MET and natural hazards data in support of flight operations.
adaptations to the existing NM CACD and other NM systems. The CACD system
adaptations to
remains in a first implementation step the reference source for the ATFCM and
NM systems
dynamic ASM Data being later integrated in EAIMS/CS5.
a combination of: physical components (hardware, equipment), procedures
System
(manuals, guidelines, software) and human resources
2.1 Objective
The EUROCONTROL Air Navigation System Safety Assessment Methodology defines the objectives
of a Preliminary System Safety Assessment (PSSA) as:
Preliminary System Safety Assessment (PSSA) is a mainly top-down iterative process, initiated at the
beginning of a new design or modification to an existing design of an Air Navigation System. The
objective of performing a PSSA is to demonstrate whether the assessed system architecture can
reasonably be expected to achieve the Safety Objectives specified in the FHA.
The PSSA process apportions Safety Objectives into Safety Requirements allocated to the system
elements, i.e. specifies the risk level to be achieved by the system elements. PSSA also identifies an
Assurance Level per system element.
The system architecture can only achieve the Safety Objectives established during the FHA, provided
the architecture elements meet their Safety Requirements.”
The aim of the PSSA is thus to determine the safety requirements for EAIMS needed to meet the
safety objectives specified in the Functional Hazard Assessment Report. At this stage only a high-
level PSSA can be performed because the detailed system architecture would be available only
after a contractor had been chosen.
Several workshops were held to analyse the functional level hazards identified in the PSSA and
elaborate an initial Failure Mode and Cause Analysis. The objectives of these workshops were:
Ensure correctness and completeness of FHA Results –
• Are the failure modes correct and complete?
• Are the barriers correct and all applicable barriers identified?
• Are the mitigation means correct and what other mitigation means can be put in
place?
Are there links between the Functional Level Hazards?
Are the Failure Modes linked?
Identify split between the contracted system elements subject of the CFT and the
adaptations to NM systems in order to be able to specify the high-level requirements
applicable to the CFT scope of work.
As requirements were being developed in parallel with PSSA the EAIMS high-level architecture
diagram was reviewed after each subsequent PSSA workshop. The final version is shown in the
following figure (Figure 1).
2.2.1 PSSA#1
The first version of the EAIMS high-level architecture diagram was used during PSSA#1 to analyse
the relationships between the various actors.
During the meeting there were two clarifications regarding the diagram used:
a. AIMSL is the current EAD B2B technology which some AISPs may opt to continue using to
provide/retrieve data to the CS5 database. This system would not use the N-Conect service
layer and it would not be able to access all the EAIMS services.
b. External Systems could be COTS systems e.g. Charting Tool, AIP Production Tool, which
would need data from CS5 to operate.
Another clarification made during the meeting concerned the use of the term ‘data’. For the purpose of
the PSSA, ‘data’ is considered to encompass not only AIS data or any other representation of facts,
concepts or instructions in a formalised manner suitable for communication, interpretation or
processing by the CS5 system but also products such as AIS products (e.g. aeronautical charts and
AIPs).
During the FHA brainstorming session there were many issues which were identified as ‘hazards’ but
which were actually ‘failure modes’. These failure models were compiled in an exercise before the
meeting and presented to the meeting participants.
Using the available architecture diagram the group then analysed the failure modes following the
data paths back to the CS5 system. During this analysis it was realised that data flow between
CS5 and NM systems will be only via N-Conect Service Layer. Consequently the direct link
between CS5-CFT and NM systems is incorrect because this data path will not exist.
Another consideration that arose from this analysis was if CS5 would provide a service similar to
the current EAD Basic, which is EAD's free Public Access Service application for the general
public. The solution allows the general public to browse the European AIS Database for a limited
set of aeronautical information via a Web Browser. This service will be part of the CFT and is part
of the use cases. During the meeting it was not possible to check if such a service would be out of
scope of the safety assessment or if a simple disclaimer regarding the use of the data from CS5
would be sufficient mitigation. This matter regarding the provision of such a service would need to
be considered at a project management level and the legal consequences subsequently analysed.
The first activity of the PSSA was to go through the failure modes associated with the first functional
hazard, data corruption, and identify causes. This first workshop established several causes which
could lead to Data Corruption. This exercise was repeated for the other two functional level
hazards.
2.2.2 PSSA#2
“FH-02 Data Unavailability” was assessed during PSSA#2 based on a new version of the EAIMS
high-level architecture which had been amended following the observations made during
PSSA#1.The assessment was run in a systematic way, following the path of the information,
starting from the end-users/CS5-customers.
During the analysis the following additional considerations were raised.
Function Consideration/Comment
Users/Customers’ Local Access rights, authentication, proxy settings and minimal local computers
level configuration need to be defined.
i. As this equipment in central not only to CS5 it may be required to run a
common cause analysis understanding the potential impact on the
different services using this equipment.
N-Connect ii. Assumption: N-Connect is also providing support to flight planning
services. CS5 is considered less critical than flight planning services.
Therefore, the N-Connect reliability is considered to be sufficient for CS5
uses.
CS5 The DB is cached in N-Connect.
Only parts of the overall data provision; complementing the other sources (incl.
AIS Systems
B2B, external systems).
i. What is foreseen in terms of AIS library management?
ii. Is the management tool part of CS-5? Would it be COTS?
AIP/Charts (COTS) iii. Are some requirements foreseen for required minimum configuration of
local computers? Minimum number of computer equipped on site?
(more over if a dedicated tool/SW needs to be installed, incl.
Function Consideration/Comment
authentication/licence)
i. Each working position can handle any task.
ii. Shifts ensuring 24/7.
iii. Sufficient number of working positions.
iv. Different sites.
v. In case no operator can update the data, the customers will have
CS5-Operators incomplete or outdated data.
vi. NM systems, can be directly updated (assuming the data is available by
an alternative mean) by NM/ADS operators.
vii. Need for mitigations for the customers, contingency planning?
viii. How will NM-CSO/Service desk be used in the future? Does it have the
staff, capability and tools to manage this kind of situation?
i. External systems are data providers and users Interacting via B2B
External systems ii. In case they cannot prepare/send their data sets (e.g. NOTAM); they
can send (fax, email, telephone) and request (via CSO/service desk) the
data set to be published by CS5 operators.
2.2.3 PSSA#3
The agenda of the third PSSA workshop was:
Introduce the EAD-CS5 migration plan,
Analyse FH03 ‘data discrepancy’,
Review FH01 and FH02 in the light of the migration,
Examine the barriers and mitigations to ensure their completeness and correctness.
Migration
The PSSA looks into the operational requirements but the design of the system needs to take into
consideration specific requirements for migration. This is not considered during the FHA because
the functionality is not affected by migration. Although the hazards might be the same, the causes
could be different during the migration phase.
A draft migration plan was presented during the meeting and in the CFT there will be a requirement
for the contractor to develop the migration plan. The draft plan will be included in the CFT
documentation.
The discussion of the migration plan became quite detailed. Eventually it was felt that the
discussion was going beyond the scope of the PSSA. Dedicated safety meetings were deemed
necessary to look into the migration issues.
The meeting participants started to analyse FH03 ‘data discrepancy’. This functional hazard was
assessed based on the proposed architecture diagram used previously during PSSA #2,. After the
initial analysis this data-users diagram was considered not to be ideal for the assessment of data
discrepancy, a situation which was recognised in the preparation of the meeting and actually debated
in an ad hoc meeting held on 14th January 2016. The assessment proceeded by examining the
possible causes as identified during the FHA that could lead to data discrepancy. The assessment was
refined in post-workshop analysis.
3.1 Overview
Fourteen failure modes were identified as a result of the PSSA workshops. However there was duplication since a particular failure mode can
lead to more than one functional level hazard. Subsequently the failure modes were consolidated into a group of eight.
CFM-02 Incorrect data FM-FH01 ii Incorrect data FM-FH03 iii Incorrect data
CFM-04 Non removal of obsolete FM-FH01 iv Non removal of FM-FH03 v Non removal of
data obsolete data obsolete data
CFM-05 Cancellation of updates FM-FH01 v Reverse after passing FM-FH03 vi Reverse after
after publication effective date passing effective
(cancellation of date (cancellation of
updates after updates after
publication) publication)
CFM-06 Missing data FM-FH02 i Missing data FM-FH03 vii Missing Data
SR1, SR2, SR3, SR4, SR5, SR6, SR7, SR8, SR9, SR10, SR11, SR12, SR13, SR14, SR15, SR16, SR17, SR18,
SR20, SR21, SR22, SR23, SR24, SR25, SR27, SR28, SR32, SR34, SR36, SR40, SR42,SR43, SR44, SR45, SR46,
FH-01 Data Corruption
SR47, SR48, SR49, SR50, SR51, SR52, SR53, SR55, SR56, SR59, SR60, SR61, SR62, SR63, SR64, SR65, SR66,
SR67, SR68, SR70, SR71, SR72, SR73, SR74, SR75.
SR1, SR2, SR3, SR5, SR6, SR7, SR8, SR9, SR13, SR14, SR15, SR19, SR20, SR21, SR22, SR23, SR24, SR25,
SR26, SR28, SR29, SR30, SR31, SR32, SR33, SR34, SR35, SR36, SR37, SR38, SR39, SR40, SR41, SR42, SR43,
FH-02 Data Unavailability
SR45, SR46, SR47, SR48, SR49, SR50, SR51, SR52, SR53, SR54, SR55, SR56, SR57, SR58, SR62, SR65, SR67,
SR68, SR69, SR70, SR71, SR72, SR73, SR74, SR75.
SR1, SR2, SR3, SR4, SR5, SR6, SR7, SR8, SR9, SR10, SR11, SR12, SR13, SR14, SR15, SR16, SR17, SR18,
SR19, SR20, SR21, SR22, SR23, SR24, SR25, SR26, SR27, SR28, SR32, SR34, SR39, SR40, SR41, SR42, SR43,
FH-03 Data Discrepancy
SR44, SR45, SR46, SR47, SR48, SR51, SR52, SR53, SR54, SR56, SR57, SR58, SR59, SR60, SR61, SR62, SR63,
SR64, SR65, SR66, SR67, SR68, SR69, SR70, SR71, SR72, SR73, SR74, SR75.
The following table details the Safety Requirements and maps them against the relevant Consolidated Failure Modes.
SR No. Safety Requirements Consolidated Failure Mode
CFM-01, CFM-02, CFM-03,
Ensure that appropriate reference manuals, guidelines and use procedures exist for Data Users and Data
SR1 CFM-04, CFM-05, CFM-06,
Providers.
CFM-07, CFM-08
CFM-01, CFM-02, CFM-03,
Validate that the appropriate reference manuals, guidelines and use procedures provide adequate support to
SR2 CFM-04, CFM-05, CFM-06,
Data Users and Data Providers.
CFM-07, CFM-08
CFM-01, CFM-02, CFM-03,
Ensure that appropriate reference manuals, guidelines and use procedures are made available to users (e.g. by
SR3 CFM-04, CFM-05, CFM-06,
means of dedicated meetings with the operators).
CFM-07, CFM-08
Ensure that the reference manuals, guidelines and use procedures are subject to strict document configuration
SR4 CFM-03
control.
SR5 Implement and keep current mechanisms to defeat deliberate security attacks. CFM-01, CFM-02, CFM-06
CFM-01, CFM-02, CFM-03,
SR6 Ensure a process for reporting of technical and operational problems. CFM-04, CFM-05, CFM-06,
CFM-07
Take appropriate measures (testing, monitoring, controls, data validation) to ensure that data is correct and up-to- CFM-01, CFM-02, CFM-03,
SR7
date. CFM-04, CFM-05, CFM-06
Notify EAIMS Data Users of any known deficiencies in EAIMS data, including situations where the timeliness CFM-01, CFM-02, CFM-06,
SR8
requirements cannot be achieved. CFM-07
Ensure that the incident management process provides sufficient support for the reporting and correction of
SR9 CFM-01, CFM-02, CFM-06
erroneous EAIMS data observed by Data Providers or Data Users.
Put in place a process by which the Data Users or Data Provider can report errors identified in the EAIMS data.
SR10 CFM-03
The process shall ensure that corrective actions are defined and implemented.
SR11 Provide facilities for feedback of user-identified errors in EAIMS data to the responsible Data Provider. CFM-03
SR12 Inform Data Providers of any identified or suspected errors in their data. CFM-03
Ensure that procedure(s) exist for continuous update of the system with applicable constraints and issued to CFM-02, CFM-04, CFM-06,
SR13
users (e.g. to avoid incorrect data, errors, missing data and wrong interpretation of data). CFM-08
SR14 Ensure that procedure(s) exist for timely update distribution. CFM-02, CFM-04, CFM-06
SR15 Ensure that a procedure or mechanism exists for consistent database update upon any change of data. CFM-02, CFM-04, CFM-06
More detailed information about potential risk mitigation means and measures is provided in the Safety Requirements traceability table shown in
Annex A. In addition, the Safety Requirements traceability tables provide forward and backward traceability between hazards, failure modes,
related causal and consequential mitigations and derived safety requirements.
CHAPTER 4 – CONCLUSION
Three functional level hazards had been identified in the FHA, namely Data Corruption, Data
Unavailability and Data Discrepancy. It was recognised that these hazards do have a safety impact
but the severity of consequences is directly linked to the nature of the data affected. Further
analysis during the FHA had identified that the overall data handling system, particularly for the
handling of AIS data, is already robust enough to reduce significantly the consequences of these
hazards.
The PSSA work had shown that fourteen failure modes could lead to the hazards mentioned
above. Further analysis had shown that some of these failure modes were common to two
hazards, and thus the fourteen failure modes were eventually consolidated into eight consolidated
failure modes.
At present there are only very high-level descriptions of the system architecture mainly because it
will be up to the successful bidder for EAIMS/CS5 to design in detail EAIMS/CS5 system, taking
into account the technical and architectural requirements set in the CFT. Thus the current lack of
detail is a severe constraint when it comes to specifying the safety requirements. Therefore at this
phase of the project it is not feasible to establish detailed safety requirements since the
knowledge/information about the system architecture is limited.
Despite this constraint it was still possible to draw up seventy-five generic/high-level safety
recommendations to address the failure modes identified. These safety requirements, although
generic/high-level, should assure adequate initial mitigation of the safety risk associated with the
EAIMS operations prior to the comprehensive system design since these safety requirements shall
be part of the CFT documentation.
The process used for this PSSA, assuring that the relevant staff was involved (ref Annex B),
ensured that all human, procedure and equipment components within the scope of EAIMS have
been addressed. Still the process will be made more rigorous since further reviews are planned to
be undertaken by external stakeholders. These reviews may lead to amendments to the analysis
thus necessitating a revision of the safety requirements.
All safety activities so far have used CONOPS Edition Number 2.0, Edition Date 24 October 2013.
The report has been updated prior to the publication of the CFT to align it with the revised
CONOPS Edition Number 2.1, Edition Date 1st September 2016. The update was merely to align
terminology and had no impact on the substance of the safety assessment.
This document will certainly need further refinement as more clarification will be required as the
proposed architecture is refined after the contractor is selected.
FH-01 Data Corruption Failure modes, Causal Factors and Potential Causal Mitigations and
Safety Requirements
Potential Causal Safety
Hazard ID Hazard Description Failure Modes Causal factors
Mitigations Requirements
FH-01 Data Data corruption is the situation i. Corruption following: • Double check at data SR1, SR2,
i. Corrupted data
Corruption where individual items or sets
o at entry because input (4-eyes principle) SR3, SR4,
of data are corrupted from ii. Incorrect data
their intended value. Corrupt Human making a SR5, SR6,
• Graphical representation
data is defined as incorrect The FHA uncovered various mistake (manual SR7, SR8,
data of plausible value or types of incorrect data at data input
entry) SR9, SR10,
content. Corruption can affect
HMI/local • Checksum and CRC SR11, SR12,
one or more of the following
o incorrect PIB, processing corrupts (cyclic redundancy SR13, SR14,
data characteristics:
Briefing to the pilot is the data checks) SR15, SR16,
• Accuracy wrong, includes wrong External Systems SR17, SR18,
interpretation of by • Data verification at Data
• Resolution corrupt the data SR20, SR21,
human (B2B entry) Originator level of final
SR22, SR23,
• Integrity o incorrect airfield o at the interface draft before publication
SR24, SR25,
• Traceability information, COTS systems used • Data verification at user SR27, SR28,
o incorrect airspace in the External site (human and/or
• Timeliness SR32, SR34,
information, Systems are machine) and rejection/ SR36, SR40,
iii. Errors
o human error in wrongly • Correctly designed
interpreting the data
queries from Users to
since
iv. Non removal of provide the expected
obsolete data information being
output
wrongly presented
This failure mode could be to the user because
either total or partial non- of:
removal. Furthermore the
Table 6 Data Corruption Failure Modes, Causal Factors, Potential Causal Mitigations and Safety Requirements Traceability Table
FH-02 Data Unavailability Failure modes, Causal Factors, Potential Causal Mitigations and
Safety Requirements
Potential Causal Safety
Hazard ID Hazard Description Failure Modes Causal factors
Mitigations Requirements
FH-02 Data Data Unavailability is the i. Loss of data • Double check at data SR1, SR2,
i. Missing data due to
Unavailability situation where individual
o This is the situation in o corruption input (4-eyes principle) SR3, SR5,
items or sets of data are
missing, lost or otherwise which information is SR6, SR7,
destroyed by failures or
o errors • Graphical representation
delayed. The following two SR8, SR9,
scenarios can lead to data neglect in storage, o information provided too at data input
SR13, SR14,
unavailability. transmission, or late or too early
• Checksum and CRC SR15, SR19,
processing. o internal CS5 databases
• Loss of Data (cyclic redundancy SR20, SR21,
ii. Service failure not synchronised
o Partial - loss of individual checks) SR22, SR23,
o mismatched data
items of data, SR24, SR25,
o software bug • Data verification at user
o Complete loss of data - SR26, SR28,
o interface problems site (human and/or
sets of data or entire SR29, SR30,
o application, incl. overload machine) and rejection/
single publications could SR31, SR32,
o servers (the machines alerting by users’ system
be lost. SR33, SR34,
themselves) • Graphical presentation at SR35, SR36,
• Service Unavailable
ii. Failure following: user level SR37, SR38,
o Unavailability of EAIMS,
o power failure, resulting in • SR39, SR40,
either to all users or Contingency
data in volatile memory SR41, SR42,
specifically by denying management and
access to individual not being saved to SR43, SR45,
coordination procedures
authorised users. The permanent memory SR46, SR47,
effects of service o hardware failure, such as • Store backup data in a SR48, SR49,
unavailability in respect a head crash in a hard separate physical SR50, SR51,
of safety are the same as disk. location SR52, SR53,
for data loss. o software crash or freeze, SR54, SR55,
It seems infeasible in the resulting in data not SR56, SR57,
current situation (with paper being saved
SR58, SR62,
versions serving as back-up) o software bugs or poor
to have absolutely no SR65, SR67,
usability.
aeronautical information SR68, SR69,
available, but this is a o business failure (vendor
Table 7 Data Unavailability Failure modes, Causal Factors Potential Causal Mitigations and Safety Requirements Traceability Table
FH-03 Data Discrepancy Failure modes, Causal Factors, Potential Causal Mitigations and
Safety Requirements
Potential Causal Safety
Hazard ID Hazard Description Failure Modes Causal factors
Mitigations Requirements
FH03 Data Data discrepancy is the • Data verification at Data SR1, SR2,
i. Corrupted data i. Corruption following:
Discrepancy situation where individual
o incorrect manual entry Originator level of final SR3, SR4,
items or sets of data are ii. Wrong interpretation draft before publication SR5, SR6,
of data o incorrect data processing
inconsistent between key SR7, SR8,
actors in the Data Chain, the o corrupted B2B entry • Data verification at user
iii. Incorrect data SR9, SR10,
resolution of which may o COTS systems used in site (human and/or
SR11, SR12,
This failure mode was the External Systems are machine) and rejection/
increase Pilot or ATCO SR13, SR14,
considered to include not corrupted alerting by users’ system
workload. The discrepancy only when the data is totally SR15, SR16,
o transfer from data
could be between incorrect but also the
providers/External • Graphical presentation at SR17, SR18,
scenario where the data is
• individual items of one Systems user level SR19, SR20,
correct but not fit for
AIP held by each actor, purpose of the user due to o the database is corrupted • SR21, SR22,
Alternative data sources
• multiple items of one AIP various reasons such as late o N-Connect/CS5-CFT is
SR23, SR24,
held by each actor. delivery or by accessing the
corrupting data • Coordination between SR25, SR26,
wrong database and the adjacent AISP or
Therefore discrepancies o External Systems are SR27, SR28,
data is not sufficiently
between EAIMS and data definition of cross-border SR32, SR34,
accurate for the user’s corrupting the data
providers would result in data ownership of a
purposes. o software corrupts the SR39, SR40,
erroneous or missing data. On
the other hand discrepancies iv. Errors data particular State via SLAs SR41, SR42,
between EAIMS and data SR43, SR44,
o data received from NM • Inconsistent data will not
users might result in additional v. Non removal of system is corrupted SR45, SR46,
ATCO or Pilot workload to be published and the
obsolete data SR47, SR48,
resolve the difference. ii. Wrong interpretation concerned providers will
Discrepancy could also result This failure mode could be SR51, SR52,
because be alerted to verify the
from “interpretation” of data to either total or partial non- accuracy of the data they
SR53, SR54,
suit applications. removal. Furthermore the o Information being
SR56, SR57,
partial/total may also refer to wrongly presented due to have
the content of the data. Thus SR58, SR59,
unclear HMI • Correctly designed
the possible scenarios are: SR60, SR61,
because CS5-CFT
• partial removal of the queries from Users to SR62, SR63,
presents the data in
data from all parts of the provide the expected SR64, SR65,
a format which is
Table 8 Data Discrepancy Failure Modes, Causal Factors Potential Causal Mitigations and Safety Requirements Traceability Table
Annex D – REFERENCES
Regulations
REGULATION (EU) No 1035/2011 “Commission Implementing Regulation (EU) No
1035/2011 of 17 October 2011 laying down common requirements for the provision of air
navigation services and amending Regulations (EC) No 482/2008 and (EU) No 691/2010”
EUROCONTROL Documents
Safety Management of Changes to Functional Systems; NMD SQS; iMS/POL/SMS-SMC;
version 2.0; 2013-12-09
Preliminary System Safety Assessment (PSSA) Report for EAD, 29 September 2014,
v6.2
Preliminary System Safety Assessment Report Airspace Data Repository Service – Static
Data, July 2013, Version 0.10
Intentionally blank