Risk Assessment and Functional Safety Management in Air Traffic Control and Automated Air Traffic Control

  • 1 Budapest University of Technology and Economics, Hungary


Risk assessment is a crucial aspect of functional safety, as many of the safety development methods define the development process and applicable procedures based on the required risk reduction (safety level or tolerable hazard rate). System development, including hardware and software development, requires special measures to reduce the dangerous effects of random hardware failures as well as systematic developer-made errors that can lead to dangerous situations during operation. This set of measures is known as safety management.
In air traffic management there is international and European legislation, along with industry-specific standards, that mainly focuses on software issues. Additionally, general functional safety standards offer more complex hardware and software solutions to achieve the desired level of safety for newly developed systems.
This paper discusses the risk assessment challenges posed by new, highly automated air traffic control systems. These systems rely on hardware and software components to perform safety-critical control functions without human intervention or human supervision. The paper identifies the relevant legislative entities and compares a domain-specific risk assessment method for air traffic control with widely used general risk assessment methods. An example Air Traffic Control function is analysed according to EUROCAE ED153 (“Guidelines for ANS Software Safety Assurance”), according to 2017/373/EU (“Commission Implementing Regulation laying down common requirements for providers of air traffic management/air navigation services and other air traffic management network functions and their oversight…”) and, for comparison, according to the general functional safety standard IEC 61508 (“Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems”).



