If you wish to contribute or participate in the discussions about articles you are invited to join SKYbrary as a registered user


PSSA of Controller Access Parameter service via Mode S Enhanced Surveillance

From SKYbrary Wiki

<protect> Important notice This article is a demonstration of functionality under development, do not consider its contents as valid yet.

Article Information
Category: Hazard Identification Documents Hazard Identification Documents
Content source: SKYbrary About_SKYbrary


Document title: Preliminary System Safety Analysis for the Controller Access Parameter service delivered by Mode S Enhanced Surveillance

This document presents a Preliminary System Safety Analysis (PSSA) of four data items required by the controller access parameters (CAP) service, which are delivered by Mode S Enhanced Surveillance. The document has been produced by the EUROCONTROL Mode S Programme to support to the implementation of Mode S Enhanced Surveillance.

The CAP information considered in the safety analysis are (with the equivalent ARINC 429 references included within brackets):

  • Magnetic Heading (equivalent to ARINC429 label 320);
  • Indicated Airspeed (equivalent to ARINC429 label 205 or 206);
  • Vertical Rate (equivalent to ARINC429 label 365 or 212);
  • Selected Altitude (equivalent to ARINC429 label 102).

CAP may be delivered by a number of communications systems (including both voice and datalink). This analysis only considers the use of Mode S Enhanced Surveillance as a means of delivering CAP to the controller.

The document is not a safety case for the implementation of CAP or Mode S Enhanced Surveillance. It is presented as a ‘typical example’ of a safety assessment and as a contributor to the production of local safety cases

The safety analysis has been performed based on a ‘generic’ operational concept and architecture. This means that the analysis does not provide precise safety results but rather an order of magnitude within which readers can make their own judgement as to whether the CAP safety objectives can be achieved. The analysis presented in the document relies on all the assumptions being true and valid.

As a consequence, ANSPs and other readers should ensure that the assumptions made in this document are applicable to their operations, using this document as a contribution to their local safety case.


Some of the Controller Access Parameters (CAPs) have been available for a number of years and are downlinked to the controller over VHF voice. As a consequence the automatic downlinking of the data does not significantly change the concept of operations for ATC but rather it:

  • reduces the VHF voice congestion;
  • presents the information to the controller on the track label;
  • provides additional confirmation (above that of voice) for the value of the CAP.

The CAPs to be downlinked for Enhanced Surveillance are periodically fed by the avionics equipment via specific interfaces (e.g. data concentrator) into the appropriate register of the transponder. Mode S Enhanced Surveillance makes it possible for the ground systems to request a specific aircraft’s current state parameters and short-term intent parameters. This on-board aircraft data may be used both for indicating specific parameters to the controller workstations (the CAP service) and processing by various ATM systems (i.e. the System Access Parameter (SAP) service which is not covered by this analysis). It is assumed that CAP will be displayed on the Controller Working Position (CWP) upon request from the controller.

This analysis considers that aircraft may be Mode S Enhanced Surveillance capable or not, i.e. mixed mode operations are foreseen. However, because the use of the CAP is an additional service to supplement current practices then the unavailability of downlinking CAP for presentation to the controller is still regarded as safe since it is a reversion to current practices which are by definition safe. However, the loss of a CAP may result in the controller reverting to ‘normal’ operations which may cause a short term, slight increase in controller workload (because the data would be obtained via voice rather than datalink).

The operational use for each CAP is summarised below.

  • Magnetic Heading
Magnetic Heading is relayed to the controller via voice communications, whereas with Mode S it will be downlinked automatically and presented on the track label. This may be used as a confirmation of the cleared heading and therefore reduce a possible misunderstanding which could occur between controller and pilot by using voice only.
Similar to Magnetic Heading, Indicated Airspeed (IAS) is relayed to the controller via voice communications, whereas with Mode S it will be downlinked automatically and presented in on the track label.
  • Vertical Rate
Mode S Vertical Rate will allow a more real time view of the aircraft climb or decent profile. It is anticipated that controllers would become more reliant on the Vertical Rate parameter once it is included within the Track Data Block.
It is assumed that the vertical rate information can be provided either by the “Barometric altitude rate” or by the “Inertial altitude rate” depending on the aircraft equipment and that aircraft do not necessarily provide both of them. It is more appropriate (i.e. worst case) to assess the use of barometric altitude rate as the Vertical Rate presented to the controller. This is because a failure of barometric altitude may be more difficult to detect by the controller since the altitude report will be similarly also be corrupted (otherwise the controller would detect the failure).
The Cleared Flight Level (CFL) is currently downlinked to the controller via voice. In future operations this will be supplemented by the presentation of the Selected Altitude, downlinked from the Aircraft Control Panel (ACP), on the track label.
The controller will be expected to verify the CFL acknowledged via voice and the Selected Altitude value presented on the track label is equal to the CFL. If either of these fail to correlate (i.e. either the voice read-back or the track label value) then the controller will re-issue the clearance. Therefore the use of Selected Altitude is simply as a 'digital readback' to complement voice operations.
Selected Altitude does not necessarily represent the aircraft/pilot flight profile (as is the case with VHF CFL confirmation read-back) but rather the understood CFL of the pilot. Therefore the controller continues to monitor the aircraft throughout the climb/descent manoeuvre in order to ensure the aircraft reaches and does not exceed the CFL. An important assumption used in the later analysis relates to the question “how long is the Selected Altitude used during the climb descent phase?”. It is not applicable during the complete climb, but only applicable during the short term following read-back by the pilot (i.e. shortly after the clearance has been issued). Regardless of the duration of the climb, the analysis assumes the controller will only use Selected Altitude for a time of two minutes following the issue of clearance. This is considered pessimistic, in that the time would probably be lower in reality (i.e. the analysis has assumed much worse than is necessary).

Top Level Claim

The purpose of this PSSA is to determine if the tolerable risk of a failure of the system, specified in a set of safety objectives, can be met by the proposed/modified architecture.

General Assumptions

General assumptions

A number of basic assumptions are made about the operational environment in which CAP and Mode S Enhanced Surveillance will operate. The assumptions provide a generic framework under which the safety analysis has been performed. The results of the safety analysis are therefore constrained to be applicable when all the assumptions are taken as ‘valid’.
These assumptions may not be valid for particular regions of Europe or particular operations and, as such, should be reviewed in detail by the Air Navigation Service Provider (ANSP) (ANSP).
The analysis was performed assuming the CAP information will be used in both En-Route and the Terminal Manoeuvring Area (TMA)/Approach airspace throughout the European Civil Aviation Conference (ECAC) Core Area, where Mode S Elementary Surveillance will be implemented.
Surveillance Coverage is assumed to be based on the EUROCONTROL surveillance coverage standard updated to include Mode S which equates to:
  • En-route - Dual Mode S SSR;
  • Major terminal areas - Dual Mode S SSR and single Primary Surveillance Radar.
For the purposes of the analysis, the aircraft under control are assumed to be flying at the minimum separation standard specified within the airspace. For en-route airspace between FL290 and FL410 this includes the use of Reduced Vertical Separation Minima and the use of Required Navigation Performance (RNP) of RNP-5 for En-route and RNP-1 for TMA.
The aircraft traffic density levels to be considered are consistent with predictions for the period 2005 to 2010 up to the maximum airspace density.
It is assumed that communication with the aircraft is always possible via VHF voice and the concurrent failure of voice communication and surveillance (i.e. both items being in a failed state at the same time) is outside of the scope of this study as there is no additional requirement added on the VHF.
Whilst intended to be a unique identification for a particular airframe, the International Civil Aviation Organisation (ICAO) 24 bit aircraft address is not unique in practice; there are a very small number of repeated addresses. For the purposes of this analysis, it is assumed that the likelihood of repeated addresses occurring within a volume of controlled airspace is improbable, and therefore the International Civil Aviation Organisation (ICAO) 24 bit address is assumed to be unique.
The loss of the Mode S Elementary Surveillance will prevent the transmission of all CAP data.
The ground-based interrogators will detect both Mode S and Mode A/C equipped aircraft.

Aircraft Assumptions

It is assumed that aircraft are fitted with equipment compliant and certified to the requirements of the appropriate regulatory authorities.
It is assumed that within Enhanced Mode S Airspace there will be the following airspace users:
  • Aircraft that are fully Mode S Enhanced Mode S equipped;
  • Aircraft that are partially Mode S Enhanced Mode S capable;
  • Aircraft that are not Mode S Enhanced Surveillance equipped;
It is assumed that ‘partial’ means incapable of a specific CAP (i.e. the avionics may not be capable of filling the appropriate Binary Data Store (BDS) fields). It is assumed that the ground-based systems will only use aircraft CAP data that is indicated as available from the transponder capability report (BDS 17). When the capability report is not available, CAP data will not be presented on the CWP and controllers will only use ‘normal’ control. It is assumed that procedures are in place to accommodate this mode of operations and there is no safety impact.
The system, which is operating within the airspace, is assumed to be able to manage the airspace users identified above during normal operations. It is also assumed that, the airspace can manage, in a safe manner, the change of an aircraft from one type to another (e.g. from fully to partially Mode S Enhanced Surveillance capable), for example, as the result of a failure.

En-Route Operations

The operational environment for all controllers can include sequencing of traffic into hold areas and stacks, and includes the potential for crossing traffic.
The En-Route airspace Controller is assumed to be controlling aircraft within a relatively ordered traffic flow.

TMA/Approach Operations

TMA operations are likely to be more complex than En-Route operations with higher levels of traffic operating with reduced separation than would occur within En-Route airspace. The reaction times required of a controller within the TMA are typically shorter than for a similar role within En-Route airspace.
An Approach Controller is assumed to be handling aircraft arrivals.
The use of TCAS as mitigation for failure is not claimed through this PSSA and as such represents an additional safety net.

Safety Nets

The aircraft ACAS/TCAS system is not claimed as mitigation following any failures of the system.
The activation of an Short Term Conflict Alert (STCA) alert is based upon prediction and is normally made before the loss of standard separation. It is assumed that Short Term Conflict Alert (STCA) is an advisory tool (a “safety net”) and it is not used for air traffic control purposes. Mitigation due to Short Term Conflict Alert (STCA) will not be claimed within the analysis, nor will the impact on operations due to Short Term Conflict Alert (STCA) failures or false alarms.

Associated Hazards

Related Regulations and Standards

  1. EUROCONTROL Standard Document for Radar Surveillance in En-Route Airspace and Major Terminal Areas SUR.ET1.ST01.1000-STD-01-01, Edition 1.0, March 1997
  2. EUROCONTROL Standard Document for Area Navigation Equipment Operational Requirements and Functional Requirements 003-93, Edition 2.2, December 1998
  3. Risk Assessment and Mitigation in ATM ESARR 4, Edition 1.0 05/04/2001
  4. International Civil Aviation Organisation (ICAO) Annex 10 Volume III Amendment 77 28/11/02
  5. JAA CNS/ATM Steering Group on ENHANCED SURVEILLANCE WITH SSR MODE S No. and Revision pp025_76 17th April 2003
  6. Federal Aviation Administration (FAA)/JAA AC/AMJ No: 25.1309 dated Date: 6/10/2002

Document Source