A “one in 15 million” event caused the National Air Traffic Services (NATS) network to shut itself down last week, leading to hundreds of flights to and from the UK being delayed or cancelled. A new report reveals it was triggered after a pair of flight markers in a flight plan had the same name for the same route, but going to different locations. The Civil Aviation Authority (CAA) has launched an independent review of the resilience of the air traffic control system.
Thousands of passengers were left unable to fly on bank holiday Monday as a result of the outage. It was an issue that had never previously occurred in the five years the system has been operational, and an update has been installed to stop it happening again.
The internal report by NATS found that at no point was safety compromised. The duplicate flight path names triggered a shutdown inside a sub-system of the air traffic network called the Flight Plan Reception Suite Automated – Replacement (FPRSA-R). This has been described as a “small but important part” of the overall air traffic control infrastructure.
Airlines wishing to fly through controlled airspace have to submit a flight plan that contains key information on the aircraft type, speed, callsign and intended routing. This allows air traffic controllers to plan for, safely control and communicate with the aircraft. Within NATS it is passed to FPRSA-R where it is converted from Eurocontrol, the European air traffic control system, into a format readable by UK flight data processing systems.
An airline filed two identically named flight plans with separate waypoint markers out of UK airspace. This caused a conflict in the system resulting in a ‘critical exception,’ the report by NATS discovered. This then put the FPRSA-R sub-system into fail-safe mode. Once the system had entered safe mode it could not reject the flight plan without a clear understanding of what impact it might have had down the route. It also couldn’t allow it to go through as it would risk presenting air traffic controllers with incorrect safety-critical data.
NATS failure was ‘extremely rare’ occurrence
The entire shutdown process took seconds from the point of the flight plan being filed to entering fail-safe mode, but recovery took longer due to difficulties identifying the problem. This included finding the specific data, isolating and removing it in a controlled way, and then testing it to ensure it could be returned safely into operation, the report explained.
It was a one in 15 million occurrence, with the five-year-old system having previously processed more than 15 million flight plans without an issue. During the height of the issue on August 28, flight plans had to be processed manually, restricting the number of flights, with only 60 processed per hour, down from the usual 400. The automated system was back up and running just before 2.30pm on the day, but it took until 6pm before restrictions could be removed.
Martin Rolfe, CEO of NATS, said keeping the sky safe is what guides the agency and that was also the priority during the incident. “Our preliminary report, provided to the CAA this week, details what caused the incident, how we responded and the steps already taken to prevent recurrence. We welcome any further review of the incident that the CAA wishes to conduct.”
The CAA investigation will now examine the wider implications and the resilience of the entire system, and take a “deep dive” into this specific issue to ensure any fix is permanent and the problem can’t simply recur in the future.
Mark Harper, secretary of state for transport, said in a statement: “Thousands of passengers faced disruption as a result of the failure, with over 1500 flights cancelled and hundreds more delayed. I once again want to echo NATS’s apology to those who were caught up in it, with a technical fix now identified to ensure that such an incident does not recur.”