ANNEX III — Part-ATM/ANS.OR

COMMON REQUIREMENTS FOR SERVICE PROVIDERS (Part-ATM/ANS.OR)

SUBPART A — GENERAL REQUIREMENTS (ATM/ANS.OR.A)

Regulation (EU) 2017/373

In accordance with Article 6, this Annex establishes the requirements to be met by the service providers.

ED Decision 2020/008/R

DEFINITIONS AND SCOPE IN RELATION TO SERVICE PROVIDERS

(a)To recognise which of the annexes applies to which service provider, it is necessary to understand how services are defined. These definitions have determined the structure and the content of Annexes III to XIII.

(b)Article 3(q) of Regulation (EC) No 216/2008 defines ATM/ANS as ‘the air traffic management functions as defined in Article 2(10) of Regulation (EC) No 549/2004, air navigation services defined in Article 2(4) of that Regulation, and services consisting in the origination and processing of data and formatting and delivering data to general air traffic for the purpose of safety-critical air navigation’.

(c)It should, therefore, be noted that ATM/ANS include more services than ‘Air Traffic Management’ and ‘Air Navigation Services’ together.

(d)In this Regulation, ‘services’ refers to those specified in Annex VIII(2) to Regulation (EU) 2018/1139.

(e)As already defined, ‘ATM network functions’ refers to functions performed by the Network Manager in accordance with Regulation (EU) No 677/2011³⁵.

(f)Figure 1 below provides a pictorial representation of the services and how they interrelate through the various definitions.

(g)Figure 1 indicates both a further breakdown of ATS into air traffic control services (ATC), alerting services, air traffic advisory services, and flight information services and groupings of:

(1)air traffic management (ATM): comprising ATS, ASM, and ATFM;

(2)air navigation services (ANS): comprising ATS, CNS, MET, and AIS; and

(3)flight procedure design services (FPD) and data services (DAT) and ATM network functions.

(h)It is important to note that ATS is included in ATM and ANS.

Figure 1: The scope of the services, subject to certification, as specified in Regulation (EU) 2018/1139.

SERVICES

(a)Annex III (Part-ATM/ANS.OR) applies to the service providers, as relevant, and contains the common requirements for the service providers. This Annex is broken down into four subparts:

(1)Subpart A — General requirements (ATM/ANS.OR.A);

(2)Subpart B — Management (ATM/ANS.OR.B);

(3)Subpart C — Specific organisational requirements for service providers other than ATS providers (ATM/ANS.OR.C); and

(4)Subpart D — Specific organisational requirements for ANS and ATFM providers and the Network Manager (ATM/ANS.OR.D).

(b)Subpart D applies only to ANS and ATFM providers and the Network Manager (and not to ASM and DAT providers).

(c)Thereafter, each specific requirement for various service providers is allocated to an annex (Annexes IV to XII) which contains specific requirements for that service provider. Table 1 below indicates which annexes are applicable to each service provided.

(d)Annex XIII contains requirements for service providers regarding personnel training and competence assessment.

AIR TRAFFIC SERVICES FOR FLIGHT TEST

(a)When the flight tests have one of the following characteristics:

(1)frequent changes in levels and headings, depending on the tests which are carried out with certain unpredictability;

(2)unless necessary for the purpose of the flight tests, navigation in general (route/destination, etc.) is not the primary objective of these flights;

(3)specific aircraft configurations sometimes resulting in reduced ability to manoeuvre;

(4)technical constraints, including airborne and ground testing facilities;

(5)airborne equipment is not proven to be up to the required certification level; and

(6)the planning for conducting flight tests can be of a very ad hoc nature giving little timing for carrying out strategy or pre-tactical air traffic flow management. (e.g. the need to test under specific weather conditions which would require flexibility for allocation of slots for these flight tests),

then the air traffic services provider providing services to this type of flight testing may need a specific privilege within the certificate issued by the competent authority because of the specificities of the air traffic services to be provided to this type of operations and because of the need to ensure safe operations in the airspace in which flight tests are being conducted.

(b)Given the characteristics in (a), flight tests can be made in cohabitation with other airspace users in controlled or non-controlled airspace, and sometimes in temporarily reserved areas when necessary.

ED Decision 2020/008/R

Table 1: Applicability of annexes to service providers

X = Applicable annexes for each service provider.

Note 1: Section 3 of Annex IV (Part-ATS) only applies to providers of air traffic control services and not to providers of alerting, air traffic advisory, and flight information services.

Note 2: The applicability of Annex XIII is dependent upon the scope as specified within each of the subparts of Annex XIII.

Regulation (EU) 2017/373

(a)Application for a service provider certificate or an amendment to an existing certificate shall be made in a form and manner established by the competent authority, taking into account the applicable requirements of this Regulation.

(b)In accordance with Article 6, in order to obtain the certificate, the service provider shall comply with:

(1)the requirements referred to in Article 8b(1) of Regulation (EU) No 216/2008;

(2)the common requirements set out in this Annex;

(3)the specific requirements set out in Annexes IV to XIII, where those requirements are applicable in light of the services that the service provider provides or plans to provide.

ED Decision 2017/001/R

EXPOSITION — DAT PROVIDERS

(a)The DAT provider should submit to the competent authority an exposition providing the following information:

(1)a statement signed by the accountable manager confirming that the exposition and any associated manuals which define the organisation’s compliance with the requirements will be complied with at all times;

(2)the duties and responsibilities of the manager(s) as required by ATM/ANS.OR.B.020 including matters on which they may deal directly with the competent authority on behalf of the organisation;

(3)an organisational chart showing lines of responsibility and accountability throughout the DAT provider, including a direct accountability of the accountable manager as required by ATM/ANS.OR.B.005(a)(1);

(4)a list of attesting staff as referred to in DAT.TR.100(b);

(5)a general description of manpower resources;

(6)a general description of the facilities of the DAT provider;

(7)a general description of the activities for which the DAT provider’s certificate is requested;

(8)the procedure for the notification of organisational changes to the competent authority;

(9)the amendment procedure for the exposition;

(10)a description of the management system and the procedures as required by DAT.OR.110; and

(11)a list of those contracted organisations referred to in ATM/ANS.OR.B.015(b).

(b)The exposition should be amended as necessary to remain an up-to-date description of the organisation, and copies of any amendments should be supplied to the competent authority.

ED Decision 2017/001/R

EXPOSITION — DAT PROVIDERS

The exposition should contain the following table of contents:

1.General

Table of contents, document revision history, abbreviations, and terms.

2.Introduction

Purpose, scope, standards declaration, and reference documents.

3.Company description and policy

Description of the company, products and services, quality policy and objectives, customer requirements.

4.Terms of approval

Scope of work, notification of changes to the terms of approval, control of documents and records.

5.Management/resources responsibilities

Management team and personnel, organisation charts, duties and responsibilities of personnel.

Management review, human resources, competence, awareness, and training.

6.Production processes

Data production procedures, arrangements with suppliers, users/customers and other DAT providers, data receiving inspection and testing, data release, data distribution process, data products identification and quality checks, tailored data, data error reporting.

7.Management system

Introduction, document control, quality assurance, internal system audits, standards compliance plan audits, methods of improvement, occurrence management and reporting, record-keeping.

8.Appendix 1 — List of relevant personnel

ED Decision 2017/001/R

EXPOSITION — DAT PROVIDERS

A means to develop the exposition may be by cross-referring to the procedures of the quality manual, which are needed to demonstrate compliance with these requirements.

ED Decision 2020/008/R

GENERAL — AIS PROVIDER

Terrain data sets are part of the digital data sets, but are typically originated and maintained by organisations different than AIS providers. The provision of terrain data sets by an AIS provider for the purpose of air navigation is consequently limited to the mere distribution of a finished product or even only the provision of information on how the product can be obtained, in accordance with the applicable requirements of Regulation (EU) 2017/373.

Regulation (EU) 2017/373

(a)Notwithstanding point (b), the air traffic services provider may apply for a certificate limited to the provision of services in the airspace under the responsibility of the Member State where its principal place of operation or, if any, registered office is located, when it provides or plans to provide services only with respect to one or more of the following categories:

(1)aerial work;

(2)general aviation;

(3)commercial air transport limited to aircraft with less than 10 tonnes of maximum take-off mass or less than 20 passenger seats;

(4)commercial air transport with less than 10 000 movements per year, regardless of the maximum take-off mass and the number of passenger seats; for the purposes of this provision, ‘movements’ means, in a given year, the average over the previous three years of the total number of take-offs and landings.

(b)In addition, the following air navigation service providers may also apply for a limited certificate:

(1)an air navigation service provider, other than a provider of air traffic services, with a gross annual turnover of EUR 1 000 000 or less in relation to the services they provide or plan to provide;

(2)an air navigation service provider providing aerodrome flight information services by operating regularly not more than one working position at any aerodrome.

(c)As determined by the competent authority, an air navigation service provider applying for a limited certificate in accordance with points (a) or (b)(1) shall comply, as a minimum, with the following requirements set out in:

(1)point ATM/ANS.OR.B.001 Technical and operational competence and capability;

(2)point ATM/ANS.OR.B.005 Management system;

(3)point ATM/ANS.OR.B.020 Personnel requirements;

(4)point ATM/ANS.OR.A.075 Open and transparent provision of services;

(5)Annexes IV, V, VI and VIII, where those requirements are applicable in light of the services that the service provider provides or plans to provide, in accordance with Article 6.

(d)As determined by the competent authority, the air navigation service provider applying for a limited certificate in accordance with point (b)(2) shall comply, as a minimum, with the requirements set out in points (c)(1) to (c)(4) and with the specific requirements set out in Annex IV.

(e)An applicant for a limited certificate shall submit an application to the competent authority in a form and manner established by the competent authority.

ED Decision 2017/001/R

GENERAL

The relationship between the type of service provision, criteria to be complied with and the applicable rules are indicated in Table 2 below.

Table 2: Type of service provision, criteria to be complied with, and the applicable rules

Regulation (EU) 2017/373

(a)Pursuant to Article 7, a flight information services provider may declare its capability and means of discharging the responsibilities associated with the services provided where it meets, in addition to the requirements referred to in Article 8b(1) of Regulation (EU) No 216/2008, the following alternative requirements:

(1)the flight information services provider provides, or plans to provide, its services by operating regularly not more than one working position;

(2)those services are of a temporary nature, for a duration agreed with the competent authority as necessary to ensure proportional safety assurance.

(b)A flight information services provider declaring its activities shall:

(1)provide the competent authority with all the relevant information prior to commencing operations, in a form and manner established by the competent authority;

(2)provide the competent authority with a list of the alternative means of compliance used, in accordance with point ATM/ANS.OR.A.020;

(3)maintain compliance with the applicable requirements and with the information given in the declaration;

(4)notify the competent authority of any changes to its declaration or the means of compliance it uses through submission of an amended declaration;

(5)provide its services in accordance with its operations manual and comply with all the relevant provisions contained therein.

(c)Before ceasing the provision of its services, the flight information services provider declaring its activities shall notify the competent authority within a period determined by the competent authority.

(d)A flight information services provider declaring its activities shall comply with the following requirements set out in:

(1)point ATM/ANS.OR.A.001 Scope;

(2)point ATM/ANS.OR.A.020 Means of compliance;

(3)point ATM/ANS.OR.A.035 Demonstration of compliance;

(4)point ATM/ANS.OR.A.040 Changes — general;

(5)point ATM/ANS.OR.A.045 Changes to the functional system;

(6)point ATM/ANS.OR.A.050 Facilitation and cooperation;

(7)point ATM/ANS.OR.A.055 Findings and corrective actions;

(8)point ATM/ANS.OR.A.060 Immediate reaction to a safety problem;

(9)point ATM/ANS.OR.A.065 Occurrence reporting;

(10)point ATM/ANS.OR.B.001 Technical and operational competence and capability;

(11)point ATM/ANS.OR.B.005 Management system;

(12)point ATM/ANS.OR.B.020 Personnel requirements;

(13)point ATM/ANS.OR.B.035 Operations manuals;

(14)point ATM/ANS.OR.D.020 Liability and insurance cover,

(15)Annex IV.

(e)A flight information services provider declaring its activities shall only start operation after receiving the acknowledgement of receipt of the declaration from the competent authority.

ED Decision 2017/001/R

MODEL TEMPLATE OF DECLARATION OF COMPLIANCE

Regulation (EU) 2017/373

(a)Alternative means of compliance (AltMOC) to the AMC adopted by the Agency may be used by the service provider to establish compliance with the requirements of this Regulation.

(b)When the service provider wishes to use an AltMOC, it shall, prior to implementing it, provide the competent authority with a full description of the AltMOC. The description shall include any revisions to manuals or procedures that may be relevant, as well as an assessment demonstrating compliance with the requirements of this Regulation.

A service provider may implement these alternative means of compliance subject to prior approval by the competent authority and upon receipt of the notification as prescribed in point ATM/ANS.AR.A.015(d).

Regulation (EU) 2017/373

(a)A service provider's certificate shall remain valid subject to:

(1)the service provider remaining in compliance with the applicable requirements of this Regulation, including those concerning facilitating and cooperating for the purposes of the exercise of the powers of the competent authorities and those concerning the handling of findings as specified in points ATM/ANS.OR.A.050 and ATM/ANS.OR.A.055 respectively;

(2)the certificate not having been surrendered, suspended or revoked.

(b)Upon revocation or surrender, the certificate shall be returned to the competent authority without delay.

Regulation (EU) 2017/373

A declaration made by the flight information services provider in accordance with point ATM/ANS.OR.A.015 shall remain valid subject to:

(a)the flight information services remaining in compliance with the applicable requirements of this Regulation, including those concerning facilitating and cooperating for the purposes of the exercise of the powers of the competent authorities and those concerning the handling of findings as specified in point ATM/ANS.OR.A.050 and ATM/ANS.OR.A.055 respectively;

(b)the declaration not having been withdrawn by the provider of such services or deregistered by the competent authority.

Regulation (EU) 2017/373

A service provider shall provide all the relevant evidence to demonstrate compliance with the applicable requirements of this Regulation at the request of the competent authority.

ED Decision 2017/001/R

EVIDENCE — DAT PROVIDERS

The exposition as referred to in AMC1 ATM/ANS.OR.A.005 ‘Application for service provider certificate’ EXPOSITION — DAT PROVIDERS should be considered as one of the means to demonstrate compliance with the applicable requirements.

ED Decision 2017/001/R

GENERAL — DAT PROVIDERS

In order to demonstrate compliance with the applicable requirements, the DAT provider should produce a compliance matrix/checklist detailing how its data production processes relate to EUROCAE ED-76A/RTCA DO-200B ‘Standards for Processing Aeronautical Data’, dated June 2015. EUROCAE ED-76/RTCA DO-200A may be also used for the demonstration of compliance.

ED Decision 2020/008/R

RELEVANT EVIDENCE

ATM/ANS.OR.B.005(e) requires ‘The management system shall be proportionate to the size of the service provider and the complexity of its activities, taking into account the hazards and associated risks inherent in those activities.’ Consequently, the relevant evidence to demonstrate compliance with the applicable requirements of this Regulation should be also proportionate to the size of the service provider and the complexity of its activities.

ED Decision 2023/018/R

WITNESSING THE COMPLIANCE ACTIVITIES — STATEMENT OF COMPLIANCE

The ATM/ANS provider will, when demonstrating the compliance of the ATM/ANS equipment with applicable requirements, such as user or safety requirements, allow the competent authority, if so requested, to participate in any compliance activity concerning the demonstration of compliance of the ATM/ANS equipment in the final or suitably mature design configuration. These demonstrations are necessary to determine that the product has no feature or characteristic that renders the ATM/ANS equipment unsafe for the intended use. Competent authority participation will increase confidence on the evidence presented as part of the SoC and facilitate its efforts to review the associated changes to the functional system. Such participation is in any case guaranteed by ATM/ANS.OR.A.050.

Regulation (EU) 2017/373

(a)The notification and management of:

(1)a change to the functional system or a change that affects the functional system shall be carried out in accordance with point ATM/ANS.OR.A.045;

(2)a change to the provision of service, the service provider's management system and/or safety management system, that does not affect the functional system, shall be carried out in accordance with point (b).

(b)Any change as referred to in point (a)(2) shall require prior approval before implementation, unless such a change is notified and managed in accordance with a procedure approved by the competent authority as laid down in point ATM/ANS.AR.C.025(c).

ED Decision 2017/001/R

CHANGE OF THE OWNERSHIP AND/OR THE LOCATION

A change of the service provider’s ownership and/or the location of its facilities should comply with ATM/ANS.OR.A.040(a)(2) and should not be subject to the procedure identified in ATM/ANS.AR.C.025(c).

ED Decision 2017/001/R

PROCEDURE FOR CHANGES REQUIRING PRIOR APPROVAL

For changes requiring prior approval, a procedure should define how the service provider should notify the competent authority and obtain an approval issued by that authority:

(a)Notifications should be submitted before any such change is made in order to enable the competent authority to determine continued compliance with Regulation (EC) No 216/2008 and its implementing rules and also to amend, if necessary, the certificate and the related conditions attached to it.

(b)Changes should only be implemented upon receipt of approval by the competent authority in accordance with the procedure established by that authority.

(c)The service provider should operate under the conditions prescribed by the competent authority during such changes, as applicable.

ED Decision 2017/001/R

PROCEDURE FOR CHANGES NOT REQUIRING PRIOR APPROVAL

(a)For changes not requiring prior approval, the procedure should define how the service provider should notify and manage the change.

(b)The service provider should inform the competent authority of any changes to nominated persons specified in ATM/ANS.OR.B.020(b) and ATS.OR.200(1)(iii), as applicable.

ED Decision 2017/001/R

PROCEDURE FOR CHANGES NOT REQUIRING PRIOR APPROVAL

The procedure agreed by the service provider and the competent authority may also include the process for the reaction by the service provider to an unplanned change that may arise with the need for urgent action that would normally require prior approval of the competent authority. This is the case in which the service provider responds immediately to a safety problem as required in ATM/ANS.OR.A.060 or when an emergency situation arises in which the service provider has to take immediate action to ensure the safety of the services.

Regulation (EU) 2023/1771

(a)A service provider planning a change to its functional system shall:

(1)notify the competent authority of the change;

(2)provide the competent authority, if requested, with any additional information that allows the competent authority to decide whether or not to review the argument for the change;

(3)inform other service providers and, where feasible, aviation undertakings affected by the planned change.

(b)Having notified a change, the service provider shall inform the competent authority whenever the information provided in accordance with points (a)(1) and (2) is materially modified, and the relevant service providers and aviation undertakings whenever the information provided in accordance with point (a)(3) is materially modified.

(c)A service provider shall only allow the parts of the change, for which the activities required by the procedures referred to in point ATM/ANS.OR.B.010 have been completed, to enter into operational service.

(d)If the change is subject to competent authority review in accordance with point ATM/ANS.AR.C.035, the service provider shall only allow the parts of the change for which the competent authority has approved the argument to enter into operational service.

(e)When a change affects other service providers and/or aviation undertakings, as identified in point (a)(3), the service provider and these other service providers, in coordination, shall determine:

(1)the dependencies with each other and, where feasible, with the affected aviation undertakings;

(2)the assumptions and risk mitigations that relate to more than one service provider or aviation undertaking.

(f)Those service providers affected by the assumptions and risk mitigations referred to in point (e)(2) shall only use, in their argument for the change, agreed and aligned assumptions and risk mitigations with each other and, where feasible, with aviation undertakings.

(g)Before integrating ATM/ANS equipment into the functional system, the ATM/ANS provider shall ensure that:

(1)new or modified ATM/ANS equipment is certified by the Agency in accordance with Delegated Regulation (EU) 2023/1768 and manufactured by an approved design or production organisation pursuant to Commission Implementing Regulation (EU) 2023/1769 (³⁶); or

(2)new or modified ATM/ANS equipment is declared by an approved design organisation pursuant to Delegated Regulation (EU) 2023/1768 and manufactured by an approved design or production organisation pursuant to Implementing Regulation (EU) 2023/1769; or

(3)new or modified ATM/ANS equipment is issued with a statement of compliance in accordance with Article 6(1) of Delegated Regulation (EU) 2023/1768; or

(4)when the ATM/ANS equipment is not subject to the conformity assessment under Delegated Regulation (EU) 2023/1768, the particular ATM/ANS equipment has been verified to comply with the applicable specifications and qualifications.

(h)The ATM/ANS provider shall ensure that the ATM/ANS equipment has been verified to comply with the equipment manufacturer’s specifications, including installation and on-site test(s).

(i)Before the ATM/ANS provider puts the ATM/ANS equipment into service, it shall ensure that the modified functional system integrating this ATM/ANS equipment meets all the applicable requirements and shall identify all deviations and limitations.

(j)When the ATM/ANS provider puts the ATM/ANS equipment into service, it shall ensure that the ATM/ANS equipment, or the modified one, is deployed according to the conditions of use, as well as to any applicable limitations, and meets all the applicable requirements.

ED Decision 2017/001/R

NOTIFICATION

The notification of a change should not be considered complete until the following information is provided:

(a)Name of the organisation notifying the change;

(b)Unique identifier of change;

(c)Version number of notification;

(d)Title of the change;

(e)Date of the submission of the original of this change notification;

(f)Scheduled date of entry into service (even if only approximate);

(g)Details of the change and its impact;

(h)The list of the service providers and other aviation undertakings that are affected by the change as identified in ATM/ANS.OR.A.045(a)(3);

(i)Entity in charge of the assurance case; and

(j)Identity of a point of contact for communications with the competent authority.

ED Decision 2020/008/R

NOTIFICATION

(a)A change should be notified as soon as the data defined in AMC1 ATM/ANS.OR.A.045(a) is available. The decision to review a change by the competent authority will be based, in most circumstances, on the notification data. Exceptions to this are cases where the competent authority is not familiar with the type of change or the complexity of the change requires a more thorough consideration.

(b)Early and accurate notification facilitates the interactions between the provider and the competent authority and, thus, maximises the likelihood of introducing a change into service in due time and according to the service provider’s initial schedule when the competent authority has decided to review an assurance case. Therefore, it is advisable that the change description identified in AMC1 ATM/ANS.OR.A.045(a) is completed as soon as possible and contains the following data:

(1)Purpose of the change;

(2)Reasons for the change;

(3)Place of implementation;

(4)New/modified functions/services brought about by the change;

(5)High-level identification of the constituents of the functional system being changed, and what is modified in their functionality;

(6)Consequence of the change, i.e. the harmful effects of the hazards associated with the change — see (f) below and also the definition of ‘risk’ in Annex I (85).

(c)The information provided in (b) may expedite the decision whether to review or not the proposed change, because it will allow the competent authority to gain complete knowledge of the change and, consequently, reduces the need for additional information. However, lack of some of this data should not delay the service provider’s submission of the notification if to do so is likely to impede the introduction of the change. It should be noted that early interaction with its competent authority may help to complete the missing data.

(d)The service provider should take into account that an early, clear and accurate change notification will assist the competent authority in making the decision to review or not the change and may prevent any inconvenience such as:

(1)the competent authority having to ask for more information about the change in order to make its decision as required in ATM/ANS.OR.A.045(a)(2);

(2)the competent authority deciding to review a change unnecessarily because the notification is not clear enough; or

(3)the delay in the competent authority deciding whether to review a change, caused by the lack of information, having an impact on the proposed date of entry into service.

(e)It is recognised that the understanding of the change will improve as the change process progresses and the interaction between the competent authority and the service provider strengthens. The service provider should notify the competent authority when the information provided in the previous notification is no longer valid or when the information previously missing becomes available. When additional information — other than the data specified in AMC1 ATM/ANS.OR.A.045(a) — is supplied at the competent authority’s request, then no update of the notification is required.

(f)For air traffic services (ATS) providers, the consequences of the change specified in (b)(6), should be expressed in terms of the harmful effects of the change, i.e. the effects of the hazards associated with safety risks. These could be the result of a preliminary safety assessment, if available, or an early hazard analysis that concentrates on the service level effects. For service providers other than air traffic services providers, the consequences should be expressed in terms of what aspects of the performance of the service are impacted by the change.

(g)The point of contact, as required in point (j) in AMC1 ATM/ANS.OR.A.045(a), provides a focal point for the competent authority to contact when seeking complementary information about the change when required. The aim is to improve communications between the provider and the competent authority about the change.

(h)All notified changes should be unambiguously identified. The service provider and its competent authority should agree on a means of referencing so as to associate a unique identifier to a given notified change.

(i)For routine changes, the notification to the competent authority may be done in a simpler manner, e.g. using forms less detailed than those specified in AMC1 ATM/ANS.OR.A.045(a) or notifying these changes collectively after being implemented at regular periods of times agreed between the provider and the competent authority. A service provider and its competent authority should coordinate so as to reach a common agreement on these types of changes that may not be reviewed by the competent authority. The list of such changes should be documented and formalised. The formalised agreement becomes part of the change management procedures identified in ATM/ANS.OR.B.010. Consequently, the list will be reviewed by the competent authority as part of the audits it performs that are described in ATM/ANS.AR.C.010(a). The relevant audit activity is detailed in AMC1 ATM/ANS.AR.C.010(a)(a)(2).

ED Decision 2019/022/R

NOTIFICATION — SOFTWARE CRITICALITY

Depending on the complexity of the change to the functional system and the criticality of the software, the depth of the evaluation may vary. The service provider should coordinate as soon as possible with the competent authority in order to define a software oversight strategy as part of the change review activities, if a decision for change review is taken.

ED Decision 2017/001/R

NOTIFICATION TO USERS OF THE SERVICE

Having notified a change, the service provider should:

(a)individually inform all known service providers potentially affected by the notified change; and

(b)inform all aviation undertakings potentially affected by the change either individually or via a representative body of aviation undertakings or by publishing details of the planned change in a dedicated publication of the service provider or aeronautical information publications such as an aeronautical information circular (AIC).

ED Decision 2017/001/R

DEDICATED PUBLICATION FOR PROPOSED CHANGES

The final users of services potentially affected by a change to a functional system may not be known by the service provider proposing the change. However, this should not prevent the service provider from using other means for notification than direct communication with the interested parties. In that case, the changes may be published in a dedicated website where the users of the service can periodically check for current proposed changes to the functional system that may affect them.

ED Decision 2017/001/R

MODIFICATION OF A NOTIFIED CHANGE

(a)The service provider should inform the competent authority that was initially notified about any update in the notification data when the information provided in a previous notification about the same change is no longer valid or when information previously missing becomes available. The other service providers and aviation undertakings should also be informed, when they are affected by the new data.

(b)The cancellation of a previously notified change should be considered as a modification of a notified change. Therefore, the service provider should inform about this update the competent authority, and inform other service providers and aviation undertakings that were initially informed about the change.

ED Decision 2017/001/R

ENTRY INTO OPERATIONAL SERVICE OF A CHANGE SELECTED FOR REVIEW

The service provider should not start the implementation of any part of the change that has the potential to affect the safety of the services currently being provided until a valid safety (support) assessment for that part of the change exists and, if the change is subject to competent authority review, it has been approved by the competent authority.

ED Decision 2017/001/R

TRANSITION INTO SERVICE

(a)No matter whether the competent authority has decided to review the notified change or not, the service provider should not start the implementation of any part of the change that has the potential to affect the safety of any of the services it provides, e.g. the functions performed or the performance of the services, until it has produced a valid argument in accordance with ATS.OR.205(a)(2) or/and ATM/ANS.OR.C.005(a)(2), as appropriate.

(b)Implementation of the change, which means the creation and installation of the items to be used in the changed operational system may or may not affect the performance of the current services offered by the service provider. For example, much of the implementation of equipment and procedures can be performed ‘off line’, i.e. in development facilities that do not interact with the operational services and installation may be started, provided the items are not connected to the operational system and their presence in the operational environment does not affect the current services. However, these items must not be introduced into the operational system, i.e. they must not affect the behaviour of any operational service, until a valid assurance case exists and, if the change is subject to competent authority review, before the competent authority has approved the change.

(c)The installation of an artefact may have an impact on services other than the service being changed. This can happen where the installation involves disrupting these other services, e.g. aerodrome operations may be disrupted because runways or taxiways are being used by constructor’s vehicles or are being interfered with. In this case, the scope of the change includes these other services (please refer to ATM/ANS.OR.C.005(a)(1)(iii) & (iv) or ATS.OR.205(a)(1)(iii) & (iv), as appropriate) and the assessment of the change includes the effects installation may have on them, including where the installation does not go according to plan.

ED Decision 2017/001/R

CHANGES AFFECTING MULTIPLE SERVICE PROVIDERS — OVERARCHING SAFETY ARGUMENT

A change as defined in ATM/ANS.OR.A.045(e) may involve more than one service provider changing their functional systems. In this case, the change will consist of a set of changes to different ATM/ANS functional systems or their context. However, no matter how many individual changes to service providers’ functional systems are part of the change, they should be coordinated. An overarching safety argument, coherent with the arguments of the individual changes, that claims the complete change is safe should be provided.

ED Decision 2017/001/R

CHANGES AFFECTING MULTIPLE SERVICE PROVIDERS AND AVIATION UNDERTAKINGS — GENERAL

(a)Any change proposed by a service provider as defined in ATM/ANS.OR.A.045(a) affects other service providers and/or aviation undertakings when:

(1)the proposed change may alter the service delivered to other service providers and aviation undertakings as users of that service; or

(2)the proposed change may alter the operational context in which the services of other service providers and aviation undertakings are delivered or in which the aviation undertakings are operating.

(b)The changes referred to in ATM/ANS.OR.A.045(e) could be considered ‘multi-actor changes’ and are those changes that require coordination between the service provider(s) proposing the change and any service providers and aviation undertakings affected by the change(s) due to the presence of dependencies between the service providers that planned the change and other affected service providers and/or other aviation undertakings. This coordination is essential to ensure a correct safety (support) assessment when there are dependencies.

(c)A single-actor change is one that is limited to those cases where a change to a service provider’s functional system alters neither the service nor the operational context of other service providers and aviation undertakings.

ED Decision 2017/001/R

AFFECTED STAKEHOLDERS — SERVICE PROVIDERS AND AVIATION UNDERTAKINGS

(a)‘Other service providers’ mentioned in ATM/ANS.OR.A.045(e) refers to European service providers other than the service provider proposing the change, that are regulated in accordance with Regulation (EC) No 216/2008 and its implementing rules;

(b)Aviation undertakings affected by the change included in ATM/ANS.OR.A.045(e) can be understood as the stakeholders and professional associations with dependencies with the changed service, and may include the following:

(1)service providers that do not fall under the remit of Regulation (EC) No 216/2008 and its implementing rules, e.g. non-European service providers;

(2)aerodrome operators;

(3)aircraft operators;

(4)airframe and equipment manufacturers;

(5)maintenance organisations;

(6)regulatory bodies, e.g. European Commission, EASA, national aviation authorities (NAAs); and

(7)other bodies not regulated by Regulation (EC) No 216/2008 and its implementing rules, e.g. power suppliers or military authorities.

ED Decision 2017/001/R

CHANGE AFFECTING MULTIPLE SERVICE PROVIDERS AND AVIATION UNDERTAKINGS — COORDINATION

(a)ATM/ANS.OR.A.045(e) applies to all the affected service providers involved in the change, and, therefore, they should coordinate dependencies as well as shared assumptions and shared risk mitigations. They should only use the agreed and aligned assumptions and mitigations that are related to more than one service provider or aviation undertaking in their safety or safety support cases, as required by ATM/ANS.OR.A.045(f).

(b)Assumptions and risk mitigations used during the assessment of the change that are not shared by the affected service providers, can be handled independently by each service provider, and do not need agreement.

(c)This coordination means that the affected service providers:

(1)have jointly identified the scope of their responsibilities with regard to the change, and in particular their safety responsibilities, e.g. what part of the change will be covered in whose safety (support) assessment case;

(2)have jointly identified the dependencies;

(3)have jointly identified the hazards associated with the change in the common context;

(4)have mutually agreed on the assumptions for the change that jointly relate to them; and

(5)have mutually agreed on the mitigations for risks that require joint implementation.

(d)Service providers would need to achieve a common understanding about:

(1)consequences in the shared operational context; and

(2)chains of causes/consequences.

(e)Service providers would jointly need to identify their dependencies to be able to assess the change to their functional systems.

(f)Where necessary in relation to the dependences identified in accordance with GM1 ATM/ANS.OR.A.045(e)(1), the service providers may perform together:

(1)identification of hazards/effects;

(2)assessment of risks;

(3)evaluation of risks;

(4)planning and assessment of risk mitigations; and

(5)verification.

(g)The level of interaction and coordination between service providers and aviation undertakings will vary depending on the particular needs of the change at hand.

ED Decision 2017/001/R

COORDINATION WITH AFFECTED AVIATION UNDERTAKINGS

(a)The aviation undertakings are the entities, persons or organisations as defined in point 34 of Annex I to Regulation (EU) 2017/373 and thus, ATM/ANS.OR.A.045(e) does not apply to them. However, any service provider affected by a change should seek the participation of aviation undertakings when assumptions and risk mitigations used in the safety (support) assessment are shared with those aviation undertakings.

(b)When the number of aviation undertakings affected by the change is large, the service providers may not need to involve every individual stakeholder. If a body can represent the views of a group of affected aviation undertakings, it may suffice to involve that representative body to obtain the supporting evidence to move forward with the assessment of the change.

ED Decision 2017/001/R

CHANGE AFFECTING MULTIPLE SERVICE PROVIDERS AND AVIATION UNDERTAKINGS — ASSUMPTIONS AND RISK MITIGATIONS

In order to satisfy ATM/ANS.OR.A.045(e)(2), the affected service providers coordination will identify those assumptions and risk mitigations that relate to:

(a)more than one service provider;

(b)a service provider and one or more aviation undertakings; or

(c)multiple service providers and aviation undertakings.

ED Decision 2017/001/R

LACK OF COORDINATION

(a)If an aviation undertaking decides not to cooperate, the service provider, who has identified dependencies with the aviation undertaking, in accordance with ATM/ANS.OR.A.045(e)(1), needs to consider the impact of having the assumptions and risk mitigations not agreed with that aviation undertaking. It should propose a way forward by doing one or more of the following:

(1)making the assumptions themselves and providing evidence that supports them;

(2)adding additional mitigating measures so that the change remains acceptably safe;

(3)modifying the scope of the change, or even reconsidering and cancelling the change.

(b)The service provider affected by a lack of cooperation with an aviation undertaking may wish to inform its competent authority about those aviation undertakings that are not participating and its form of non-participation, in order to seek the assistance of the competent authority in trying to persuade the aviation undertaking to participate.

ED Decision 2023/018/R

GENERAL

The ATM/ANS provider should ensure that an EASA release form or a statement of compliance, as appropriate, exists for each ATM/ANS equipment affected by the change prior to putting the changed functional system into service as a part of the corresponding safety assessment or safety support assessment, as applicable.

ED Decision 2023/018/R

MODIFIED ATM/ANS EQUIPMENT

ATM/ANS equipment is considered ‘modified’ in the context of changes to functional systems when there is:

—a modification of the hardware (HW) or software (SW) that forms the ATM/ANS equipment itself [software and hardware]; or

—a modification of the usage of the ATM/ANS equipment, when such usage is part of the applicable detailed specifications or any identified limitation.

For that purpose, the category of the equipment [certification, declaration, or statement of compliance] or the applicable detailed specifications may be impacted and therefore reassessed.

Modifications of the usage of the equipment are modifications to the way the components of the functional system are organised. In other words, such modifications are modifications to the architecture of the functional system, and, thus, subject to safety (support) assessment.

ED Decision 2023/018/R

EQUIPMENT NOT SUBJECT TO CONFORMITY ASSESSMENT

(a)Some equipment (such as HW and SW used to provide flight procedure design and data services) will not be subject to the ATM/ANS conformity assessment framework under Delegated Regulation (EU) 2023/1768, but it will be subject to safety (support) assessment requirements specified by this Regulation. Such equipment belongs to the functional system of the ATM/ANS provider and, consequently, Regulation (EU) 2017/373 applies to it.

(b)Following point (a), there will be no obligation for such equipment to be manufactured by an approved DPO or for the ANSP to issue a SoC.

ED Decision 2023/018/R

ATM/ANS EQUIPMENT INTO SERVICE

(a)The ATM/ANS provider should ensure that the new or modified ATM/ANS equipment is deployed as necessary to support the minimum requirements for separation of aircraft.

(b)The ATM/ANS provider should ensure that, before putting into service the new or modified ATM/ANS equipment, it implements the most efficient deployment solutions taking into account the local operating environments, constraints and needs as well as airspace users’ capabilities.

(c)As part of the change management procedures as laid down in ATM/ANS.OR.B.010, the ATM/ANS provider should establish deployment procedures for putting ATM/ANS equipment into service to ensure:

(1)the safe integration of new or modified ATM/ANS equipment in its functional system; and

(2)that the new or modified ATM/ANS equipment is deployed according to the conditions of use, as well as according to any prescribed limitations.

(d)The deployment procedures referred to in point (c) could be integrated with the compliance procedures established in accordance with AMC1 ATM/ANS.OR.B.005(a)(8).

ED Decision 2023/018/R

ATM/ANS EQUIPMENT INTO SERVICE | DEPLOYMENT ACTIVITIES

Deployment activities that may be conducted as part of a deployment procedure may include the following:

(a)Assessment of the deployment environment where the ATM/ANS equipment will be operating, including both the physical and operating context, in order to determine whether the conditions of use or limitations are adhered to;

(b)Performance of testing and inspections of the ATM/ANS equipment in its deployment environment to determine whether the conditions of use or limitations are adhered to. The testing may include a period of operation in the deployment environment of a sufficient duration to ensure that the conditions of use or limitations are adhered to.

Regulation (EU) 2017/373

A service provider shall facilitate inspections and audits by the competent authority or by a qualified entity acting on its behalf and it shall cooperate as necessary for the efficient and effective exercise of the powers of the competent authorities referred to in Article 5.

ED Decision 2019/022/R

AUDITS — SOFTWARE ASSURANCE PROCESSES BY THE COMPETENT AUTHORITY

(a) The assessment of an effective application of the documented software assurance processes may necessitate a technical evaluation of the evidence and arguments produced for the software assurance by the competent authority when reviewing a notified change. In this context, the service provider should ensure access to the configuration management system for the competent authority, which may need to verify:

(1) the consistency of all the evidence; and

(2) the fact that all the evidence is derived from a known version of the software (i.e. all evidence and arguments are actually available and can be traced without ambiguity to the executable version).

(b) The service provider should:

(1) anticipate the possibility for on-site audits or inspections by the competent authority; and

(2)when evidence and arguments are developed by contracted organisations, include the corresponding rights of the competent authority to assess said organisations during onsite audits or inspections.

Regulation (EU) 2017/373

After receipt of notification of findings from the competent authority, the service provider shall:

(a)identify the root cause of the non-compliance;

(b)define a corrective action plan that meets the approval by the competent authority;

(c)demonstrate corrective action implementation to the satisfaction of the competent authority within the time period proposed by the service provider and agreed with that authority, as defined in point ATM/ANS.AR.C.050(e).

ED Decision 2017/001/R

GENERAL

(a)Corrective action is the action taken to eliminate or mitigate the root cause(s) and prevent the recurrence of existing detected non-compliance or other undesirable condition or situation.

(b)The proper determination of the root cause is crucial for defining effective corrective actions.

ED Decision 2017/001/R

GENERAL

The corrective action plan defined by the service provider should address the effects of the non-conformity and its root cause.

ED Decision 2017/001/R

CORRECTIVE ACTION IMPLEMENTATION PERIOD — DAT PROVIDERS

In case of a Level 1 finding, the DAT provider should demonstrate corrective action to the satisfaction of the competent authority within a period of no more than 21 working days following receipt of written confirmation of the finding. At the end of this period and subject to the nature of the finding, the 21-working-day period may be extended and agreed by the competent authority when the safety issue is mitigated.

Regulation (EU) 2023/1771

(a)A service provider shall implement any safety measures, including safety directives, mandated by the competent authority in accordance with point ATM/ANS.AR.A.025(c).

When a safety directive is issued to correct the condition referred to in the statement of compliance issued in accordance with Article 6 of Delegated Regulation (EU) 2023/1768, the ATM/ANS provider shall, unless otherwise determined by the competent authority in case urgent action is needed:

(1)propose appropriate corrective action and submit details of that proposal to the competent authority for approval;

(2)following the approval by the competent authority, comply therewith.

Regulation (EU) 2021/1338

(a)As part of its management system, the ATM/ANS provider shall establish and maintain an occurrence-reporting system, including mandatory and voluntary reporting. ATM/ANS providers established in a Member State shall ensure that the system complies with the requirements of Regulation (EU) No 376/2014 and Regulation (EU) 2018/1139, as well as with the delegated and implementing acts adopted on the basis of those regulations.

(b)The ATM/ANS provider shall report to the competent authority and to any other organisation required to be informed by the Member State, where the ATM/ANS provider provides its services, any safety-related event or condition that endangers or, if not corrected or addressed, could endanger an aircraft, its occupants or any other person, and in particular any accident or serious incident.

(c)Without prejudice to point (b), the ATM/ANS provider shall report to the competent authority and to the organisation responsible for the design and/or maintenance of the ATM/ANS systems and constituents, if different from the ATM/ANS provider, any malfunction, technical defect, exceedance of technical limitations, occurrence, or other irregular circumstance that has or may have endangered the safety of services and has not resulted in an accident or serious incident.

(d)Without prejudice to Regulation (EU) No 376/2014 and the delegated and implementing acts adopted on the basis thereof, reports shall:

(1)be made as soon as practicable, but in any case within 72 hours after the ATM/ANS provider has become aware of the event or condition to which the report relates, unless exceptional circumstances prevent this;

(2)be made in a form and manner established by the competent authority;

(3)contain all pertinent information about the condition known to the ATM/ANS provider.

(e)For ATM/ANS providers that are not established in a Member State, initial mandatory reports shall:

(1)appropriately safeguard the confidentiality of the identity of the reporter and of the persons mentioned in the report;

(2)be made as soon as practicable, but in any case within 72 hours after the ATM/ANS provider has become aware of the occurrence, unless exceptional circumstances prevent this;

(3)be made in a form and manner established by the competent authority;

(4)contain all pertinent information about the condition known to the ATM/ANS provider.

(f)Without prejudice to Regulation (EU) No 376/2014 and its delegated and implementing acts, where relevant, a follow-up report providing details of actions the organisation intends to take to prevent similar occurrences in the future shall be made as soon as these actions have been identified; those follow-up reports shall:

(1)be sent to the relevant entities initially reported to in accordance with points (b) and (c); and

(2)be made in a form and manner established by the competent authority.

ED Decision 2022/004/R

REPORTING RESPONSIBILITIES AND REPORTING PROCEDURES

(a)The ATM/ANS provider should assign one or more suitably qualified persons that has or have clearly defined authority and responsibility to coordinate actions on occurrences and to initiate any necessary further investigation and follow-up activity.

(b)If more than one person is assigned such responsibility, the ATM/ANS provider should identify a single person to act as the main focal point for ensuring a single reporting channel is established to the accountable manager. This should in particular apply to ATM/ANS providers that hold one or more additional organisation certificates within the scope of Regulation (EU) 2018/1139 and its delegated and implementing acts where the occurrence-reporting system is fully integrated with that required under the additional certificate(s) held.

(c)The ATM/ANS provider should establish procedures to be used for reporting to the competent authority and to any other organisation required, which include as a minimum:

(1)a description of the applicable requirements for reporting;

(2)the scope of reporting to other organisations, considering the service provider’s interfaces with other organisations, including organisations contracted in accordance with point ATM/ANS.OR.B.015;

(3)a description of the reporting mechanism, including reporting forms, means and deadlines;

(4)safeguards to ensure the protection of the reporter’s confidentiality and the protection of personal data;

(5)responsibilities of the organisation and personnel involved in the reporting; and

(6)a description of the mechanism and personnel responsibilities for identifying root causes, and the actions that may be needed to be taken to prevent similar occurrences in the future, as appropriate.

Such procedures should be included in the organisation’s management system documentation.

ED Decision 2022/004/R

MANDATORY REPORTING — GENERAL

(a)For ATM/ANS providers that have their principal place of operation and, if any, their registered office located in a Member State, Commission Implementing Regulation (EU) 2015/1018 of 29 June 2015 lays down a list classifying occurrences in civil aviation to be mandatorily reported according to Regulation (EU) No 376/2014. This list should not be understood as being an exhaustive collection of all issues that may pose a significant risk to aviation safety and, therefore, reporting should not be limited to the items listed in that Regulation and the additional items referred to in point ATM/ANS.OR.A.065(c).

(b)In addition to the reports referred to in point (a), ATM/ANS providers should report volcanic ash clouds, encountered by aircraft operators, of which they have become aware.

ED Decision 2022/004/R

GENERAL

Where the ATM/ANS provider holds one or more additional organisation certificates within the scope of Regulation (EU) 2018/1139 and its delegated and implementing acts:

(a)the ATM/ANS provider may establish an integrated occurrence-reporting system covering all certificate(s) held; and

(b)single occurrence reports should only be provided if all the following conditions are met:

(1)the report includes all relevant information from the perspective of the different organisation certificates held;

(2)the report addresses all relevant and specific mandatory data fields and clearly identifies all certificate holders for which the report is made;

(3)the competent authority for all certificates is the same and such single reporting was agreed with that competent authority.

ED Decision 2022/004/R

REPORTING BETWEEN ORGANISATIONS

(a)The reporting to the organisations defined in point ATM/ANS.OR.A.065 does not affect the need to report to other organisations with which the ATM/ANS provider interfaces, and which might be involved in or be affected by the reported event (e.g. other service providers, including contracted parties in accordance with point ATM/ANS.OR.B.015, involved in an occurrence, aerodrome operators, etc.).

(b)Any ATM/ANS provider that reports to the organisation responsible for the design of the air traffic management (ATM)/air navigation services (ANS) systems and ATM/ANS constituents should actively support any investigations that may be initiated by that organisation. Support should be provided by a timely response to information requests and by making available affected system components or constituents, for the purpose of the investigation, subject to an agreement with the respective system component or constituent owners.

(c)In addition to reporting to the organisation responsible for the design of the ATM/ANS systems and ATM/ANS constituents, if different from the ATM/ANS provider, the ATM/ANS provider may be required to report to the aerodrome operator, to other ATM/ANS providers or air operators.

(d)To ensure effective reporting between organisations, it is important that:

(1)an interface is established between the organisations to ensure that there is an effective and timely exchange of occurrence-related information; and

(2)any relevant safety issue is identified, and it is clearly established which party is responsible for taking further action, if required.

ED Decision 2022/004/R

SYSTEMS AND CONSTITUENTS

(a)When determining which failures of systems and constituents are to be reported, a degree of practicality is required as it is not intended that every failure is reported. Only those that have or may have an impact on the safety of the provision of services are reported.

(b)When nothing is defined in European Union or national legislation, the determination of the failures of systems and constituents that need to be reported is done by the service provider and needs to be approved by the competent authority. This determination can be done as a result of an assessment of the installations or changes to the systems and constituents.

(c)The organisation responsible for the design of the systems and constituents may no longer exist or may no longer support the design. In this case, the service provider will have made arrangements to ensure that the safety of the systems and constituents can be assured by appropriate and practical means. In many cases, this means that the service provider has taken over the design responsibilities.

(d)Within the application of Regulation (EC) No 552/2004, the organisation responsible for the design of the constituent will be the entity that signs the Declaration of Conformity or Suitability for use. For systems and constituents which existed before the applicability date of Regulation (EC) No 552/2004, the service provider should identify the responsible organisation, otherwise the service provider should make appropriate arrangements.