ISO 23629-12:2022

INTERNATIONAL ISO
STANDARD 23629-12
First edition
2022-07
UAS traffic management (UTM) —
Part 12:
Requirements for UTM service
providers
Gestion du trafic d'UAS (UTM) —
Partie 12: Exigences pour les fournisseurs de services UTM
Reference number
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 3
5 Service provision . 4
5.1 SP key tasks . 4
5.2 Geographical scope . 4
5.3 Technical requirements . 4
5.4 Interoperability and electromagnetic compatibility . 5
5.5 Subcontracts . 5
6 Safety . 5
6.1 Requirements for all SPs . 5
6.2 Additional requirements for safety-related UTM SPs . 6
6.3 Additional requirements for safety-critical UTM SPs . 7
6.4 Tasks of the COMO . 8
6.5 Tasks of the SAFO . 8
7 Security . 9
7.1 Requirements for all SPs . 9
7.2 Additional requirements for safety-related UTM SPs . 10
7.3 Additional requirements for safety-critical UTM SPs . 10
7.4 Tasks of the SECO . 11
8 Software safety assurance .12
8.1 Requirements for all SPs . 12
8.2 Additional requirements for safety-related UTM SPs .12
8.3 Additional requirements for safety-critical UTM SPs .12
9 Contingencies .13
9.1 Requirements for all SPs . 13
9.2 Additional requirements for safety-related UTM SPs . 13
9.3 Additional requirements for safety-critical UTM SPs .13
10 Maintenance .14
10.1 Requirements for all SPs . 14
10.2 Additional requirements for safety-related UTM SPs . 14
10.3 Additional requirements for safety-critical UTM SPs . 15
11 Privacy and data protection .15
11.1 Requirements for all SPs .15
11.2 Additional requirements for UTM SPs . 15
11.3 Tasks of the DPO . 16
12 Personnel competency .16
12.1 Requirements for all SPs . 16
12.2 Additional requirements for safety-related UTM SPs . 17
12.3 Additional requirements for safety-critical UTM SPs . 18
13 Manuals, procedures and records .18
13.1 Requirements for all SPs . 18
13.2 Additional requirements for safety-related UTM SPs . 19
13.3 Additional requirements for safety-critical UTM SPs . 19
14 Insurance .19
iii
Annex A (normative) Safety-critical UTM services .20
Annex B (normative) Safety-related UTM services .22
Annex C (normative) Operation support services .24
Bibliography .25
iv
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/
iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 20 Aircraft and space vehicles,
Subcommittee SC 16, Unmanned aircraft systems (UAS).
A list of all published or planned parts in the ISO 23629 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
v
Introduction
0.1  Background
The functional structure of the UAS traffic management (UTM) services, including respective role of
[1]
possible services, is standardized in ISO/DIS 23629-5 .
Conversely, this document focuses on the responsibilities of the UTM service providers (UTM SPs) for
the safety, security and compliance monitoring of the provided services, as well as protection of related
data and information. A UTM SP contributes to the safety, security and compliance of operations of
unmanned aircraft systems (UAS), supporting the fulfilment of the responsibilities of the UAS operator.
[2]
Operational procedures and requirements for the UAS operator are specified in ISO 21384-3 .
Although UTM services are established considering the needs of UAS operators, these services also
support operations of properly equipped manned air traffic in the respective designated operational
coverage (DOC).
One organization may provide several UTM services; and each may have a specific DOC. The DOC may
be established by the regulatory authorities, depending on applicable legislation.
0.2  Purpose of the UTM SP integrated management system
[3]
The adoption of a management system according to ISO 9001 by the UTM SP can enable an
organization to provide high quality services. This document provides more specific guidance for safe,
secure and efficient air traffic management and air navigation services within the respective DOC.
The purpose of the organisation of the UTM SP is to provide a framework for ensuring safety and security
controlling related risks and opportunities. The aim and intended outcomes of the UTM services are to
prevent aviation accidents and incidents through the provision of UTM digital information planned in a
safe, secure and efficient way conforming to planned ISO 23629-3, while also ensuring sufficient quality
and protection of data and information; consequently, it is extremely important for the organization
of the UTM SP to identify hazards and minimize safety, security and privacy risks by taking effective
prescriptive, reactive, proactive, predictive and inter-organizational measures.
Integration of several functions in the organisation enables reducing the required resources otherwise
necessary to implement separate quality, compliance monitoring, safety, security and privacy systems.
An efficient organisation can also assist an UTM SP to fulfil applicable regulatory requirements.
Demonstration of successful implementation of this document can be used by an organization to:
— assure continuous improvement of its safety, security and privacy performance;
— give assurance to UAS operators and other affected stakeholders that an effective organisation is in
place;
— give evidence to insurance companies;
— provide an acceptable means of compliance (AMC) with regulatory requirements, when accepted by
the competent authority.
Adoption of this document by an UTM SP, however, will not in itself guarantee prevention of aviation-
accidents and incidents, in which performance of the UTM services may be one of the causal factors.
The level of detail, the complexity, the extent of documented information and the resources needed to
ensure the success of an UTM SP organisation depends on several factors, such as:
— the organization’s context (e.g. number of staff, size, geographical scope, culture, legal and regulatory
requirements);
— the scope of the provided UTM services;
vi
— the nature, safety criticality and scope of the provided UTM services and the related safety, security
and privacy risks.
0.3  Content of this document
This document contains requirements that can be used by an organization to provide safe, secure and
efficient UTM services.
This document includes requirements on qualifications and training of personnel, UTM service
provision, maintenance and competence of maintenance staff as well as occurrence reporting, safety,
security and privacy.
Technical requirements for verification, and validation, of UTM constituents, systems and services
(transaction time, availability, continuity, integrity, security, etc.) to comply with safety, security and
quality requirements for UTM services are specified in planned ISO 23629-2 or any suitable standard
published by an authoritative standard development organisation (SDO).
This document does not include requirements specific to other topics, such as those for quality,
occupational health and safety (OH&S), social responsibility, environmental or financial management
or use of the electro-magnetic spectrum, though its elements can be aligned or integrated in the
organisation of the UTM SP.
An organization that wishes to demonstrate conformity to this document can do so by:
— making a self-determination and self-declaration;
— seeking confirmation of its conformity by parties having an interest in the organization, such as
UAS operators using the services provided by the UTM SP;
— seeking confirmation of its self-declaration by an independent, accredited and competent third-
party external to the organization; or
— seeking certification of its organisation by an aviation authority, when required by applicable
regulations.
NOTE The International Accreditation Forum (IAF) is the world association of conformity assessment
accreditation bodies and other bodies interested in conformity assessment in the fields of management systems,
products, services, personnel and other similar programmes of conformity assessment. Its primary function is to
develop a single worldwide program of conformity assessment which reduces risk for business and its customers
by assuring them that accredited certificates can be relied upon. Accreditation assures users of the competence
and impartiality of the body accredited. These bodies are referred under different terms in different states, like,
e.g. “designees”, “notified bodies”, “qualified entities” or else.
vii
INTERNATIONAL STANDARD ISO 23629-12:2022(E)
UAS traffic management (UTM) —
Part 12:
Requirements for UTM service providers
1 Scope
This document includes compliance monitoring, safety, security, privacy and other organisational
requirements for providers in the context of UAS traffic management services.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 21384-4, Unmanned aircraft systems — Part 4: Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 21384-4 and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
constituent
tangible objects such as hardware and intangible objects such as software upon which the provision of
UTM services (3.9) depends
Note 1 to entry: The definition is adapted from Reference [4].
3.2
designated operational coverage
DOC
geographic volume of airspace within which an UTM service (3.9) is available in compliance with
designation by competent authorities if applicable, with sufficient performance including availability,
continuity, integrity and timeliness and, if applicable, with sufficient radio signal quality and protection
from other users of the electromagnetic spectrum
Note 1 to entry: The definition is adapted from Reference [5].
3.3
in-time system-wide safety assurance
ISSA
safety net utilising system-wide information to provide alerting and to trigger mitigation strategies in
time to address emerging risks
Note 1 to entry: It is part of proactive safety management.
Note 2 to entry: The definition is adapted from Reference [6].
3.4
operation support service
web-based tools and information provided by a service provider (SP) to an UAS operator or its staff, to
support safe and efficient planning and execution of a flight mission, as well as post-flight activities
Note 1 to entry: Operation support services cover a time span much wider than UTM services (3.9). Although they
support UAS operations, they are neither traffic management nor air navigation services.
3.5
safety-critical UTM service
UTM service (3.9) providing functions that, if lost or degraded, or as a result of incorrect or inadvertent
operation, could result in catastrophic consequences
[SOURCE: ISO 14620-1:2018, 3.1.17, modified — The term has been changed from "safety critical
function"; "function" has been changed to "UTM service providing functions"; "or critical" has been
removed before "consequences". See Reference [7].]
3.6
safety-related UTM service
UTM service (3.9) providing functions that have the potential to contribute to the violation of or
achievement of a safety goal, but whose loss of degradation would not in itself produce catastrophic
consequences
[SOURCE: ISO 26262-1:2018, 3.1.17, modified — The term has been changed from "safety-related
function"; "function" has been changed to "UTM service providing functions"; "but whose loss of
degradation would not in itself produce catastrophic consequences" has been added at the end. See
Reference [8].]
3.7
UAS traffic management
UTM
set of traffic management and air navigation services (ANS) aiming at safe, secure and efficient
integration of multiple manned and unmanned aircraft flying inside the respective DOC (3.2) of each
service
Note 1 to entry: The definition is adapted from Reference [9] and harmonised with the one in Reference [10].
Note 2 to entry: In accordance with Reference [10], UTM services (3.9) initiate when the UAS operator files a
request for clearance to enter airspace and terminates when the UA reaches the parking position, the primary
propulsion systems are switched off and the operational plan is closed.
[SOURCE: ISO 23629-7:2021, 3.11, modified — Notes 1 and 2 to entry have been added.]
3.8
UTM actor
role played by an UTM user (3.12) or UTM SP (3.10) or provider of operation support (3.4) that interacts
with the UTM subject (3.11)
Note 1 to entry: An actor models a type of role played by an entity that interacts with the subject (e.g., by
exchanging signals and data), but which is external to the subject.
[11]
Note 2 to entry: The definition is adapted from ISO/IEC 19501 .
3.9
UTM service
result of at least one activity necessarily performed at the interface between the UTM SP) (3.10) or
operation support (3.4) provider and the UTM user (3.12), which consist in the provisions of digital data
and information
[11]
Note 1 to entry: The definition is adapted from ISO/IEC 19501 .
Note 2 to entry: To provide the service, the SP uses facilities, trained and qualified staff, organizational
procedures as well as systems and devices executing one or more functions.
3.10
UTM service provider
UTM SP
organization playing the role of an UTM actor (3.8) which provides, normally in exchange of a fee, digital
data and information to UTM users (3.12), which may choose to take advantage from the offered service
[11]
Note 1 to entry: The definition is adapted from ISO/IEC 19501 .
3.11
UTM subject
information technology (IT) entity (including subsystem, component, or even class) representing a
software system residing on a physical system or platform, supporting the exchange of digital data and
information among several UTM users (3.12) and several UTM SPs (3.10) or operation support SPs (3.4),
and to which a set of use cases applies in the UTM (3.7) context
[11]
Note 1 to entry: The definition is adapted from ISO/IEC 19501 .
Note 2 to entry: Utilisation of at least one UTM subject is a necessary technical enabler for any UTM service (3.9),
but it is not a service in itself.
3.12
UTM user
organization or system, which uses digital data and information offered by an UTM SP (3.10) to fulfil
their mission that is neither an UTM SP nor an operations support SPs (3.4)
[11]
Note 1 to entry: The definition is adapted from ISO/IEC 19501 .
Note 2 to entry: The UTM user is an UTM actor (3.8).
Note 3 to entry: In addition to UAS operators, a non-exhaustive list of UTM users includes public authorities and
civil aviation authorities, law enforcement agencies (for safety, security and privacy), search and rescue, fire
brigades and other emergency services, providers of ATM/ANS to manned aviation, operators of aerodromes,
vertiports or other facilities supporting take-off/launch or landing/recovery of UAS, UAS manufacturers and
owners, insurance companies, ISO certifying bodies and qualified entities, training organizations, general public.
Note 4 to entry: In the digital ecosystem, at least three IT entities are typically under the responsibility of the
UAS operator:
a) the unmanned aircraft which during the flight exchanges digital information;
b) the station of the remote pilot, also exchanging digital data with other IT entities, but only when activated;
and
c) the workstation of the fleet manager (FM) potentially active full time and used in particular for planning the
flight exploiting some of the UTM or operation support services.
4 Abbreviated terms
AIMU aeronautical information management for UAS
AMC acceptable means of compliance
ANS air navigation service(s)
ATM air traffic management
COMO compliance monitoring officer
DAL design assurance level
DPO data protection officer
DSM digital surface model
DTM digital terrain model
FM fleet manager
HT head of training
IAF International Accreditation Forum
IT information technology
IUEI intentional unauthorised electronic interaction
OH&S occupational health and safety
OJT on-the-job training
SAFO safety officer
SDO standard development organisation
SECO security officer
SLA service level agreement
SP service provider
TBO trajectory-based operations
UAS unmanned aircraft system
V&V verification and validation
5 Service provision
5.1 SP key tasks
All providers of the UTM services listed in Annexes A and B and all providers of operation support
services listed in Annex C SPs shall establish and apply policies and procedures to ensure that:
a) a risk assessment is conducted for every type of service;
b) all personnel executing safety-related tasks are professionally competent and qualified in
compliance with Clause 12;
c) all systems necessary to provide UTM are maintained in accordance with the maintenance
programme consistent with the manufacturer’s instructions;
d) all activities are conducted according to appropriate checklists;
e) terms of service provision are clearly communicated to users, through conditions to be accepted by
the UAS operator or other service user, before registering to benefit from a given service; and
f) service level agreements (SLA) with other SPs or relevant organisations are in place when
cooperation has been established.
5.2 Geographical scope
The UTM SP shall define and communicate to potential users the designated operational coverage
within which services are available.
5.3 Technical requirements
The UTM SP shall control the accuracy and currency of information originated by the SPs or obtained
from external providers, in accordance with:
a) applicable industry standards, including in the series ISO 23629 and those developed by ISO/IEC
joint technical committee JTC 1 or those listed in the bibliography to this document;
b) procedures developed by the SP to complement a).
5.4 Interoperability and electromagnetic compatibility
The UTM SP shall implement technical means and procedures with regards to:
a) protocols to exchange information with UTM users and other SPs;
b) control of the interfaces with other UTM SPs, other service providers and UTM users;
c) ensuring that radio transmitting equipment generating minimum harmful interferences to other
users of the electromagnetic spectrum.
5.5 Subcontracts
Where contracts exist with third party organization(s), the UTM SP shall be responsible for the
conformance of the outsourced services with this document.
6 Safety
6.1 Requirements for all SPs
All UTM and operation support SPs listed in Annexes A, B and C shall:
a) address the structure, responsibilities, processes and procedures that promote and establish an
environment and culture of continuing improvement and enhancement of service provision safety;
b) appoint a person as compliance monitoring officer (COMO);
c) appoint a person as safety officer (SAFO);
d) designate the COMO and the SAFO based on professional qualities and, in particular, expert
knowledge of laws, regulations and practices on safety of unmanned aviation and the ability to
fulfil the tasks, respectively referred to in 6.4 and 6.5;
e) train and qualify personnel on safety management of provided services;
f) establish procedures for prescriptive safety including as a minimum:
1) monitoring and assessing changes to regulations which can affect service provision;
2) establish evidence that all applicable regulations are complied with;
g) establish procedures to support reactive safety through:
1) maintaining records of any service activity for at least three months, or longer taking into
account relevant regulations or because the state or other authority competent for the matter
has opened an accident or incident investigation;
2) timely provision of any information required by such an authority;
h) establish procedures for proactive safety including as a minimum:
1) possibility for staff, users, subcontractors or other partner SPs to report any relevant and
perceived safety occurrence;
2) mandatory reporting of safety occurrences to the competent authority, based on applicable
regulations;
3) voluntary reporting to the competent authority of any additional and relevant observed safety
occurrence, in a manner that would allow a further safety analysis by the authority, if deemed
appropriate by the latter;
4) collection of received or originated safety occurrence reports;
5) timely feedback to originators of the report;
6) storage of received or originated safety occurrence reports;
7) protection of related information, in particular identity of the author of the report, according
to Clause 11;
8) dissemination of safety information to involved personnel and affected stakeholders;
9) taking decisions, implementing and monitoring effect of corrective actions originated by
received reports;
i) establish procedures for interorganizational safety, allowing exchange of safety information with
affected stakeholders.
NOTE 1 The COMO or SAFO can be employees of the SP or not.
NOTE 2 A single COMO or single SAFO can perform such a function on behalf of several organisations,
providing that no conflict of interest will arise.
NOTE 3 A single physical person can perform both the function of COMO and of SAFO.
6.2 Additional requirements for safety-related UTM SPs
In addition to 6.1, all SP of UTM safety-related services listed in Annex B shall:
a) not change configuration of the systems used for UTM service provision or the procedures thereof,
without prior evaluation of the related hazards, considering safety, security and privacy, and
emerging risks, complemented by verified implementation of the mitigations stemming from the
evaluation;
b) control system configuration, operational procedures and management changes, verifying their
compliance with applicable regulations, monitoring actual application of such procedures and
maintaining related records for at least two years;
c) establish procedures for predictive safety including as a minimum, safety assessment of any change
affecting service provision, which should include;
1) identification of the scope of the change;
2) verification that the foreseen change is compliant with applicable regulations;
3) identification of related hazards;
4) determination of the safety criteria applicable to the change;
5) risk analysis in relation to the harmful effects or improvements in safety related to the change;
6) risk evaluation and, if required, risk mitigation for the change to meet the applicable safety
criteria;
7) verification that the change conforms to the scope that was subject to safety assessment, and
meets the safety criteria, before the change is put into operation;
8) acquisition of prior approval to implement the change, from the competent authority, taking
into account relevant regulations;
9) specification of the monitoring requirements necessary to ensure that the UTM service
provision operation continues to meet the safety criteria after the change has been
implemented.
NOTE Procedures for managing changes can include analysis, calculations, simulation, laboratory testing,
regression testing for software or testing in real environment, as well as distribution of necessary information to
service users and additional training for staff.
6.3 Additional requirements for safety-critical UTM SPs
In addition to 6.1 and 6.2, all SP of UTM safety-critical services listed in Annex A shall:
a) establish a manual containing all safety procedures and reporting lines;
b) in the context of prescriptive safety, establish a system of periodical internal audits to ensure
continuing compliance with applicable regulations and organization procedures and maintain
related internal audit records;
c) in the context of reactive safety, establish procedures for internal safety investigations on
significant safety occurrences;
d) as part of the proactive processes for safety, establish ISSA real time monitoring of possible failure
conditions, through one or more of the following measures, as appropriate for the provided safety-
critical service(s):
1) architecture for real time data collection and data exchange model with UAS operators and
operators of aerodromes, vertiports or other facilities supporting take-off/launch or landing/
recovery;
2) data mining tools and techniques to detect and identify anomalies and precursors to safety
threats system-wide, including statistical analysis of collected occurrence reports;
3) tools and techniques to assess and predict safety margins system-wide to assure air traffic
safety;
4) prognostic decision support tools and techniques capable of supporting real-time safety
assurance;
5) verification and validation (V&V) tools and techniques for assuring the safety of provided UTM
services throughout the lifecycle of operational UTM systems, and techniques for supporting
the in-time monitoring of safety requirements during operation;
6) decision support tools and automation for reducing safety risks for normal and abnormal
operations;
7) alerting strategies, protocols or techniques which consider the operational context, as well as
the UAS state and intent;
8) methodologies and tools for integrated prevention, mitigation and recovery plans with
information uncertainty and system dynamics in a UAS and in related trajectory-based
operations (TBO) environment;
9) measurement methods and metrics for human-machine team performance and mitigation
resolution;
10) system-level performance models and metrics that include interdependencies and relationships
among human and machine system elements.
e) As part of the inter-organizational processes for safety, establish arrangements with other relevant
organizations (e.g. UAS operators, aerodrome or vertiport operators) to ensure continuous
improvement of the safety of provided services.
The arrangements with other organizations may include inter-organizational teams for joint safety
investigation, safety analysis and development of joint corrective action plans.
NOTE The safety manual can be combined with other manuals of the organisation.
6.4 Tasks of the COMO
The SP shall ensure that the COMO receives any instructions regarding the exercise of the tasks in this
subclause only from the SP top management or from the competent state authorities or other competent
authorities.
The COMO shall not be dismissed or penalized by the SP for performing her or his tasks.
The COMO shall directly report to the highest management level of the SP organization.
The COMO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks,
taking into account applicable legislation.
The COMO may fulfil other tasks and duties in the organisation, providing that any such tasks and
duties do not result in a conflict of interests. Therefore, the COMO may be responsible, for example, for
data protection, safety or security, but not for service provision, maintenance or other activities related
to production.
The COMO shall have at least the following tasks:
a) inform and advise the SP top management and the employees who carry out tasks having regulatory
compliance implications of their obligations pursuant to applicable regulatory provisions;
b) monitor compliance with applicable legislation, with this document and with the policies of the SP
in relation to regulatory provisions, in particular in the context of prescriptive safety management
and including the assignment of responsibilities, awareness-raising and training of staff involved in
relevant services;
c) manage the related internal audits, if applicable, report the findings to the highest management
level in the organization, advice on corrective action plans and monitor implementation of
corrective actions;
d) support possible audits or inspections by competent authorities and prepare responses to
respective protocol questions;
e) provide advice to the SP top management where requested as regards regulatory compliance;
f) act as the contact point for the authorities on issues relating to regulatory compliance;
g) analyse any information relevant for its task, draw up reports and verify maintenance of
documentation listed in Clause 13.
6.5 Tasks of the SAFO
The SP shall ensure that the SAFO receives any instructions regarding the exercise of the tasks in this
subclause only from the SP top management or from the competent State authorities or other competent
authorities.
The SAFO shall not be dismissed or penalized by the SP for performing her or his tasks.
The SAFO shall directly report to the highest management level of the SP organization.
The SAFO shall be bound by secrecy or confidentiality concerning the performance of his or her tasks,
taking into account applicable legislation.
The SAFO may fulfil other tasks and duties in the organisation, providing that any such tasks and duties
do not result in a conflict of interests. Therefore, the SAFO may be responsible, for example, for data
protection, compliance monitoring or security, but not for service provision, maintenance or other
activities related to production.
The SAFO shall have at least the following tasks:
a) compile, update and control the configuration of the safety manual, if applicable;
b) inform and advise the SP top management and the employees who carry out tasks having safety
implications of their obligations pursuant to applicable safety provisions;
c) monitor all SP activities for reactive, proactive, predictive and inter-organizational safety in
compliance with applicable legislation, with this document and with the policies of the SP in
relation to safety, including the assignment of responsibilities, awareness-raising and training of
staff involved in safety relevant services;
d) participate to joint safety teams, where established;
e) provide advice to the SP top management where requested as regards any safety matters;
f) cooperate with the national authorities on safety matters, where applicable;
g) act as the contact point for the authorities on issues relating to safety.
7 Security
7.1 Requirements for all SPs
Taking relevant security regulation into consideration, all providers of UTM and of operation support
services listed in Annexes A, B and C shall:
a) ensure that their facilities, systems and procedures comply with applicable security legislation,
including that covering good repute of personnel;
b) ensure security of their facilities and systems used for provisions of respective services as far as
reasonably practicable;
c) ensure that suitable procedures are in place to securely store, exchange and dispose of all data
gathered during service provision;
d) ensure that data are not distributed to non-eligible entities;
e) equip the premises, compartment or room where the systems for service provision are operated
with a door capable of being locked or with other means to prevent access of unauthorised persons;
f) ensure that this door be closed and locked during operation, except when necessary to permit
access and egress by authorised persons;
g) establish means to reasonably prevent unauthorised access, comprising as a minimum means for
monitoring the area outside the door to identify persons requesting entry and to detect suspicious
behaviour or potential threat;
h) ensure the physical protection of the systems used for provisions of respective services when no
personnel are inside the premises, room or compartment;
i) release portable equipment for service provision, only for use to authorised personnel and only for
the time necessary;
j) ensure that portable equipment for service provision, when not in use, is stored in a secure place.
NOTE Security of systems includes cyber-security.
While UTM services can be cloud-based, nevertheless the servers have to be somewhere and under
responsibility of either the UTM SP maintaining them or through an SLA of the cloud service provider.
The latter is not in itself an UTM service provider, but the cloud service provider would be a sub-
contractor of the UTM SP, in which case 5.5 applies.
7.2 Additional requirements for safety-related UTM SPs
In addition to 7.1, all SP of safety-related UTM services listed in Annex B shall:
a) address the structure, responsibilities, processes and procedures that promote and establish
an environment and culture of continuing improvement and enhancement of service provision
security;
b) appoint a person as security officer (SECO);
...