EUROCAE - ED-261/3
SAFETY & PERFORMANCE REQUIREMENTS STANDARD FOR A GENERIC SURVEILLANCE SYSTEM - GEN-SUR SPR VOLUME 3
Publication Date: 1 November 2021
This Generic Safety Argument Guidance defines operations (ATS SUR Service for Area and Approach Control Services) taking place in a typical Operational Environment supported by a GEN-SUR system (including people, procedures and equipment), as presented in Figure 1 below.
This Generic Safety Argument Guidance provides argument and evidence for the safe provision of an ATS SUR Service described in Chapter 3. PANS-ATM [Ref.1] defines ATS Surveillance service as a term used to indicate a service provided directly by means of an ATS surveillance system.
Therefore, this Generic Safety Argument Guidance can be used as an input for the development of a local (i.e. at ANSP level) Safety Case (covering the related ATS Service as per Regulation (EU) 2017/373 [Ref.12]), and includes arguments and evidence which can also be used for the development of a local Surveillance Safety Support Case for the provision of surveillance data at the output of the surveillance chain. The relationship between this Generic Safety Argument Guidance and the local safety documentation is discussed in Section 1.5 based on the proposed definitions from Section 1.4.
It only addresses the typical Operational Environment (traffic density, separation minima and more detailed characteristics) developed in Section 2.2 and the Safety Targets developed in Chapter 5. Therefore, local aspects of those characteristics (e.g. a local OE with different traffic density/separation minima or different local Safety Targets) are not included in this document. The following issue is therefore expressed:
I001 This Generic Safety Argument Guidance defines operations (ATC separation) taking place in typical Operational Environments.
GEN-SUR System Scope
The GEN-SUR System addressed in this Generic Safety Argument Guidance includes people, equipment and procedures.
Equipment is referred to as the ATC SUR Function in the GEN-SUR SPR (see Figure 2 below and the definitions in Section 1.4). From an equipment perspective, the following items need to be clarified:
• GEN-SUR Volume 1 [Ref.20] and Volume 2 [Ref.21] mostly express requirements on the Ground ATC SUR Function.
• This Generic Safety Argument Guidance assumes a specific airborne design meeting the EASA CS-ACNS specification [Ref.25].
• Co-operative surveillance includes Mode S and/or ADS-B on-board installations that provide the minimum set of elementary aircraft-supplied data (e.g. pressure altitude). It is noted that Mode A/C based co-operative surveillance is considered to be a local implementation option.
• All flights are assumed to be RVSM.
• Security issues are out of scope of this document.
As human and procedure related failures are heavily dependent on local implementation specifics (that cannot be sufficiently modelled from a generic perspective), assessments of their failure conditions are considered to be outside the scope of this SPR. Indeed, Human Factors issues are considered as the way in which the people (controllers, pilots) deal with the Human Machine Interface (HMI). This covers both physical and cognitive aspects. Therefore the design of the HMI is a crucial factor in Human Factors and this is to be managed by the local implementer, which is out of scope of this SPR. In addition, human tasks supporting the procedures are also out of scope. This is clarified in Chapter 10.
However, generic-level human and procedure related Operational Requirements are expressed in GEN-SUR SPR Volume 2 [Ref.21] to aid the understanding of the ATC Surveillance Service and the conduct of the Performance and Safety assessments on the ATC SUR Function. In particular, people involved in the provision of the ATS SUR service are ATCo and technicians. Procedures are those described in the PANS-ATM [Ref.1] for this service.
The following issues are therefore expressed regarding the generic aspect of this document:
I002 This Generic Safety Argument Guidance is limited to generic aspects, i.e. to a typical ATC service and to the typical design of the GEN-SUR system in Typical Operational Environments.
I003 Human tasks, as they are closely related to the implementation, are out of the scope of this Generic Safety Argument Guidance.
Regarding life cycle, this Generic Safety Argument Guidance only addresses a typical ATC service and the generic design of the GEN-SUR system in typical Operational Environments (see 2.2). Implementation, transition and in-service stages of the safety lifecycle are therefore not covered in this document.
I004 This Generic Safety Argument Guidance is preliminary in that it addresses only the design stage of the Application. It does not address implementation issues, although the structure of the Safety Argument presented herein does include a high-level framework for the development of assurance relating to the implementation, transition and in-service stages of the safety lifecycle.
NOTE: The mapping of the functional requirements expressed in this document onto the (local) physical architecture is out of scope of this document and will have to be covered as part of the implementation stage.
NOTE: The safety assessment of the transition stage is only relevant for ANSPs bringing a change to their surveillance system and/or to the ATS service supported by their surveillance system. No activity related to the transition is needed in the case of a safety assessment of the existing surveillance system/service as required by (EU) 1207/2011 [Ref.10] Article 9.1.