1.This Regulation lays down the requirements for the definition and implementation of a software safety assurance system by air traffic service (ATS) providers, entities providing air traffic flow management (ATFM) and air space management (ASM) for general air traffic, and providers of communication, navigation and surveillance (CNS) services.
It identifies and adopts the mandatory provisions of the Eurocontrol Safety Regulatory Requirement — ESARR 6 — entitled ‘Software in ATM Systems’ issued on 6 November 2003.
2.This Regulation shall apply to the new software and to any changes to the software of the systems for ATS, ASM, ATFM, and CNS.
It shall not apply to the software of airborne constituents and to space-based equipment.
For the purposes of this Regulation, the definitions in Article 2 of Regulation (EC) No 549/2004 shall apply.
The following definitions shall also apply:
‘software’ means computer programmes and corresponding configuration data, including non-developmental software, but excluding electronic items, namely application specific integrated circuits, programmable gate arrays or solid-state logic controllers;
‘configuration data’ means data that configures a generic software system to a particular instance of its use;
‘non-developmental software’ means a software not developed for the current contract;
‘safety assurance’ means all planned and systematic actions necessary to provide adequate confidence that a product, a service, an organisation or a functional system achieves acceptable or tolerable safety;
‘organisation’ means either an ATS provider, a CNS provider or an entity providing ATFM or ASM;
‘functional system’ means a combination of systems, procedures and human resources organised to perform a function within the context of ATM;
‘risk’ means the combination of the overall probability, or frequency of occurrence of a harmful effect induced by a hazard and the severity of that effect;
‘hazard’ means any condition, event, or circumstance which could induce an accident;
‘new software’ means a software that has been ordered or for which binding contracts have been signed after the entry into force of this Regulation;
‘safety objective’ means a qualitative or quantitative statement that defines the maximum frequency or probability at which a hazard can be expected to occur;
‘safety requirement’ means a risk-mitigation means, defined from the risk-mitigation strategy that achieves a particular safety objective, including organisational, operational, procedural, functional, performance, and interoperability requirements or environment characteristics;
‘cutover or hot swapping’ means the approach of replacing European air traffic management network (EATMN) system components or software while the system is operational;
‘software safety requirement’ means a description of what is to be produced by the software given the inputs and constraints, and if met, ensures that EATMN software performs safely and according to operational need;
‘EATMN software’ means software used in the EATMN systems referred to in Article 1;
‘requirements validity’ means the confirmation by examination and provision of objective evidence that the particular requirements for a specific use are as intended;
‘achieved with independence’ means, for software verification process activities, that the verification process activities are performed by a person(s) other than the developer of the item being verified;
‘software malfunction’ means the inability of a programme to perform a required function correctly;
‘software failure’ means the inability of a programme to perform a required function;
‘COTS’ means a commercial available application sold by vendors through public catalogue listings and not intended to be customised or enhanced;
‘software components’ means a building block that can be fitted or connected together with other reusable blocks of software to combine and create a custom software application;
‘independent software components’ means those software components which are not rendered inoperative by the same failure condition that causes the hazard;
‘software timing performances’ means the time allowed for the software to respond to given inputs or to periodic events, and/or the performance of the software in terms of transactions or messages handled per unit time;
‘software capacity’ means the ability of the software to handle a given amount of data flow;
‘accuracy’ means the required precision of the computed results;
‘software resource usage’ means the amount of resources within the computer system that can be used by the application software;
‘software robustness’ means the behaviour of the software in the event of unexpected inputs, hardware faults and power supply interruptions, either in the computer system itself or in connected devices;
‘overload tolerance’ means the behaviour of the system in the event of, and in particular its tolerance to, inputs occurring at a greater rate than expected during normal operation of the system;
‘correct and complete EATMN software verification’ means all software safety requirements which correctly state what is required of the software component by the risk assessment and mitigation process and their implementation is demonstrated to the level required by the software assurance level;
‘software life cycle data’ means the data that is produced during the software life cycle to plan, direct, explain, define, record, or provide evidence of activities; this data enables the software life cycle processes, system or equipment approval and post-approval modification of the software product;
‘software life cycle’ means:
an ordered collection of processes determined by an organisation to be sufficient and adequate to produce a software product;
the period of the time that begins with the decision to produce or modify a software product and ends when the product is retired from service;
‘system safety requirement’ means a safety requirement derived for a functional system.
1.Whenever an organisation is required to implement a risk assessment and mitigation process in accordance with applicable Community or national law, it shall define and implement a software safety assurance system to deal specifically with EATMN software related aspects, including all on-line software operational changes, and in particular cutover or hot swapping.
2.The organisation shall ensure, as a minimum, that its software safety assurance system produces evidence and arguments that demonstrate the following:
(a)the software safety requirements correctly state what is required by the software, in order to meet safety objectives and requirements, as identified by the risk assessment and mitigation process;
(b)traceability is addressed in respect of all software safety requirements;
(c)the software implementation contains no functions which adversely affect safety;
(d)the EATMN software satisfies its requirements with a level of confidence which is consistent with the criticality of the software;
(e)assurances are provided confirming that the general safety requirements set out in points (a) to (d) are satisfied, and the arguments that demonstrate the required assurances are at all times derived from:
a known executable version of the software;
a known range of configuration data;
a known set of software products and descriptions, including specifications, that have been used in the production of that version.
3.The organisation shall make available the required assurances, to the national supervisory authority, demonstrating that the requirements provided for in paragraph 2 have been satisfied.
The organisation shall ensure, as a minimum, that the software safety assurance system:
is documented, specifically as part of the overall risk assessment and mitigation documentation;
allocates software assurance levels to all operational EATMN software in compliance with the requirements set out in Annex I;
includes assurances of:
software safety requirements validity in compliance with the requirements set out in Annex II, Part A;
software verification in compliance with the requirements set out in Annex II, Part B;
software configuration management in compliance with the requirements set out in Annex II, Part C;
software safety requirements traceability in compliance with the requirements set out in Annex II, Part D;
determines the rigour to which the assurances are established; the rigour must be defined for each software assurance level, and increase as the software increases in criticality; for that purpose:
the variation in rigour of the assurances per software assurance level must include the following criteria:
required to be achieved with independence;
required to be achieved;
not required;
the assurances corresponding to each software assurance level must give sufficient confidence that the EATMN software can be operated tolerably safely;
uses feedback of EATMN software experience to confirm that the software safety assurance system and the assignment of assurance levels are appropriate. For that purpose, the effects from a software malfunction or failure reported according to the relevant requirements on reporting and assessment of safety occurrences shall be assessed in comparison with the effects identified for the system concerned as per the severity classification scheme established in Section 3.2.4 of Annex II to [F1Commission Implementing Regulation (EU) No 1035/2011] (1).
Textual Amendments
1.For any changes to the software or for specific types of software such as COTS, non-developmental software or previously used software for which some of the requirements of Article 3(2)(d) or (e) or of Article 4(2), (3), (4) or (5) cannot be applied, the organisation shall ensure that the software safety assurance system provides, through other means chosen and agreed with the national supervisory authority, the same level of confidence as the relevant software assurance level whenever defined.
Those means must give sufficient confidence that the software meets the safety objectives and requirements, as identified by the safety risk assessment and mitigation process.
2.In the assessment of the means referred to in paragraph 1, the national supervisory authority may use a recognised organisation or a notified body.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Textual Amendments
This Regulation shall enter into force on the 20th day following that of its publication in the Official Journal of the European Union.
It shall apply from 1 January 2009 to the new software of EATMN systems referred to in Article 1(2), first subparagraph.
It shall apply from 1 July 2010 to any changes to the software of EATMN systems referred to in Article 1(2), first subparagraph, in operation by that date.
This Regulation shall be binding in its entirety and directly applicable in all Member States.