Preliminary investigation into the serious UK air traffic control failure on 28 August has traced the root cause to a processing conflict triggered by a single flightplan featuring two separate waypoints which – although geographically distant – had identical designators.
UK air navigation service NATS has not disclosed details of the flight involved, such as the operator or its origin and destination, but indicates it planned to transit UK airspace.
The aircraft’s flightplan included two waypoints – one near the beginning of the route and one near the end – which were 4,000nm apart but coincidentally had the same name. Both lie outside of UK airspace.
“Although there has been work by ICAO and other bodies to eradicate non-unique waypoint names there are duplicates around the world,” says NATS in its preliminary findings.
“In order to avoid confusion, latest standards state that such identical designators should be geographically widely spaced.”
The airline submitted a flightplan for the 11h flight to Eurocontrol’s flight planning distribution system, which passed it to NATS at 08:32 UK time, several hours ahead of the aircraft’s reaching UK airspace.
NATS uses a subsystem called FPRSA-R for automated flightplan reception, and this subsystem extracts the portion of the flightplan covering UK airspace entry and exit, in order to pass it to the flight-data processing system and air traffic controllers.
When the original flightplan, filed by the airline in ICAO4444 format, was converted to the ADEXP format used by Eurocontrol, it was supplemented with further information – including additional waypoints for the onward journey once the aircraft had transited UK airspace.
“The ADEXP waypoints plan included two waypoints along its route that were geographically distinct but which have the same designator,” states NATS.
After searching the ADEXP flightplan to identify the UK airspace entry and exit points, the FPRSA-R software then searched the original ICAO4444 part of the flightplan to identify the entry and exit points.
It searched from the beginning of this data to find the entry waypoint, and then backwards from the end to find the exit point.
But the exit point could not be found, because there is no requirement for a flightplan to contain exits from a country’s airspace. In such cases, the software logic uses the ADEXP file to search for the nearest waypoint beyond the UK exit point.
The search, however, identified the waypoint with the duplicated name and, as a result, the software could not extract a valid UK portion of the flightplan between entry and exit.
“This is the root cause of the incident,” says NATS.
Given that the system could not reconcile the error, the fail-safe software logic intervened to prevent the incorrect data being passed to air traffic controllers, and the FPRSA-R primary system – as designed – suspended its functioning and handed its tasks to a back-up system. But the back-up system applied the same logic to the flightplan, with the same result, and similarly suspended itself.
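A simplified model of the failure sequence described above, added here as an example; it is not NATS's or Frequentis's code. The routes and designators are constructed, and the order-aware lookup and per-plan quarantine are assumed mitigations, not the manufacturer's fix.

```python
# Simplified model of the lookup described above. Every designator and
# route here is constructed for illustration; none is from the incident.
class ExtractionError(Exception):
    """No valid UK portion could be extracted from the plan."""

def route(dup):  # builds a constructed (ADEXP-style, ICAO4444-style) pair
    after = "DUPE" if dup else "NEXT"
    adexp = [("START", False), ("DUPE", False), ("UKIN", True),
             ("UKMID", True), ("UKOUT", True), (after, False), ("END", False)]
    icao = ["START", "DUPE", "UKIN", "UKMID", after, "END"]  # no UK exit filed
    return adexp, icao

ADEXP, ICAO = route(True)  # plan with the duplicated designator
PLANS = [("OK1", *route(False)), ("BAD", ADEXP, ICAO), ("OK2", *route(False))]

def uk_segment(adexp, icao, order_aware):
    """Return (entry, exit) indexes into icao for the UK portion."""
    uk = [i for i, (_, inside) in enumerate(adexp) if inside]
    entry_name, exit_name = adexp[uk[0]][0], adexp[uk[-1]][0]
    entry = icao.index(entry_name)  # forward search for the entry point
    if exit_name in icao:  # backward search for the exit point
        return entry, len(icao) - 1 - icao[::-1].index(exit_name)
    # Exit not filed: fall back to the nearest ADEXP point beyond the exit.
    beyond = adexp[uk[-1] + 1][0]
    # Name-only lookup takes the first match; order-aware lookup only
    # accepts a match that comes after the entry point on the route.
    start = entry + 1 if order_aware else 0
    if beyond not in icao[start:]:
        raise ExtractionError(f"{beyond} not found after entry")
    exit_idx = icao.index(beyond, start)
    if exit_idx <= entry:
        raise ExtractionError(f"exit {beyond} precedes entry {entry_name}")
    return entry, exit_idx

def run_pair(plans, order_aware, isolate):
    """Primary and back-up share one logic. Returns (processed, quarantined, nodes_up)."""
    processed, quarantined, nodes_up = [], [], 2
    for plan_id, adexp, icao in plans:
        while nodes_up:
            try:
                processed.append((plan_id, uk_segment(adexp, icao, order_aware)))
            except ExtractionError:
                if not isolate:
                    nodes_up -= 1  # node suspends; the next node retries the same plan
                    continue
                quarantined.append(plan_id)  # assumption: park one plan for manual handling
            break
    return processed, quarantined, nodes_up
```

With name-only lookup and no isolation, the one ambiguous plan takes both nodes down and every later plan goes unprocessed; either assumed mitigation keeps both nodes running.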
NATS says the FPRSA-R subsystem – built by Austria’s Frequentis to replace an older system in 2018 – has processed over 15 million flightplans without the loss of both its primary and back-up functions.
“It is therefore certain that this specific flight plan, with its associated characteristics, including duplicate waypoint names, has never previously been filed,” says NATS.
“Further work needs to be undertaken to trace back through the development and testing of the FPRSA-R subsystem to understand whether the combination of events that led to the incident could have been mitigated at some point in the software development cycle.
“It is our understanding from the manufacturer that the specific area of software related to this investigation is unique to NATS.”
The organisation’s analysis of the failure estimates that over 1,500 flights were cancelled on the day, and over 10% of the 5,500 operated flights were delayed, as the failure forced a reversion to manual flightplan processing. Additional cancellations followed on 29 August as carriers sought to recover schedules.
NATS stresses that the incident did not, at any point, present a safety concern, and the UK Civil Aviation Authority agrees with this conclusion.
“This technical event is now understood and should it reoccur would be fixed quickly with no effect to the aviation system,” the CAA states.
To explore the incident further, the CAA is to conduct an independent review of the technical failure and NATS’s response, in order to assess whether any statutory and licensing obligations were breached.
But it adds: “A software adaptation is planned to be implemented by the manufacturer this week once testing is complete and change process assessed, this will mean it will not reoccur.”