Software bugs represent a common mode failure risk that can affect multiple elements of the air navigation services (ANS) infrastructure at the same time.
The contingency policy should include a list of the key contingency events and related risk areas that the organisation has identified and wishes to protect itself against. These could include infrequent situations such as floods or fires, but also contingencies arising from major software bugs, where complete ANS units could be totally out of service for long periods of time.
Such software bugs can create 'common mode' failures that threaten both primary and contingency facilities, irrespective of the contingency strategy chosen. If the same software systems are used in the primary applications as in the secondary and fallback systems, there is a danger that a single bug could compromise the primary and contingency systems alike. This concern applies to co-located facilities just as it does to regional or national centres.
There are numerous safeguards against such common mode failures. EUROCONTROL Safety Regulatory Requirement (ESARR) 6 and its associated guidance material introduce many of these approaches. For instance, N-version programming techniques can ensure that different companies create independent primary and contingency facilities. However, this can be extremely costly and does not, typically, protect against failures that stem from problems in configuration data, since both versions may consume the same data. Other ANSPs use careful version control so that it is always possible to roll back to a previous working version of a system. However, rolling back can take a considerable amount of time, depending on how long ago the bug was introduced into the application. A particular concern over this common mode threat is that the increasing integration and complexity of software systems may make these types of problems harder to identify, especially given some of the plans for future airspace configurations in both Europe and North America.