Nats reviews procedures after air control IT crash

Computer crash disrupts flights

National Air Traffic Services is reviewing its software testing procedures after last week's embarrassing computer failure.

The computer crash at the West Drayton air traffic control centre near Heathrow disrupted flights at all UK airports and caused serious delays for thousands of passengers. It occurred after early morning tests of an upgrade to Nats' 30-year-old Flight Data Processing System.

Nats confirmed last week that an internal investigation would focus on software testing procedures at West Drayton.

It has already ruled out hardware problems with the IBM S390 mainframes used to run the flight data processing system, which provides critical flight information about aircraft displayed on air traffic controllers' screens.

"We are looking into all aspects of how the system was prepared for test, what was tested, and how it was shut down after test," said a Nats spokesman.

Safety-critical software expert Les Hatton of the University of Kent called on Nats to make the results of its investigation public to allow others to learn from its mistakes. "If all we get is anecdote and third-party statements, it is very difficult to improve," he said.

Nats' flight data processing system was due to be replaced in 2000, but it is now unlikely to be replaced before 2011. The system has crashed several times in recent years, including twice in 2002, causing major disruption.

The latest problems occurred after Nats engineers completed an offline test of a software upgrade in the early hours of Thursday morning.

Engineers noticed errors in the flight data three minutes after rebooting the mainframe - one of two parallel systems - for operational use at 6am.

It took the engineers 45 minutes to restart the system, forcing air traffic controllers to resort to manual processes at one of the busiest times of the day.

The failure will prompt questions about Nats' practice of testing upgrades on mainframes used for operational flight control, rather than simulators.

Nats has twin operational systems which allow it to test software while one system is offline. Nats said it had no choice but to test the upgrade, due to be installed next month, on the machine which was due to run the software.

"Although there are twin systems, there is not a third standby system that can be used purely for testing. But there is a lot of testing carried out within the test and development unit, which has specific systems. This software had already gone through primary testing," the spokesman said.

Read more on Business applications