The Nats major incident preliminary report has confirmed that dodgy data in a flight plan was the root cause of the error that led to a large volume of flight disruptions on 28 August. The error caused a National Air Traffic Services (Nats) subsystem, the Flight Plan Reception Suite Automated (FPRSA-R), to switch to fail-safe, which involved manual processing of flight plan data.
In air traffic control, airlines submit their flight plans to Eurocontrol, which then passes them onto regional air navigation service providers (ANSPs) such as Nats.
The flight plan contains key information such as aircraft type, speed, callsign and intended routing, which enables ANSPs to plan for, safely control and communicate with the aircraft. The report notes that air traffic control systems require accurate flight data to understand the intended route of aircraft so that ANSPs can assess air traffic demand on their airspace, and support the safe and efficient handling of multiple aircraft within that airspace.
The FPRSA-R subsystem in Nats exists to convert the data received from Eurocontrol (in a format known as ATS Data Exchange Presentation, ADEXP) into a format that is compatible with the UK National Airspace System (NAS). As part of that conversion it must uniquely identify the waypoint in the flight plan data at which the flight would leave UK airspace.
The report’s authors note that the specification for waypoints does not require identifiers to be globally unique; duplicates are only prohibited within the same region’s airspace.
They said FPRSA-R successfully identified the UK airspace entry point, then searched back through the relevant section of data to find the UK airspace exit point. This did not appear in that section of the flight plan, so the search was unsuccessful. The logic in the software is designed to cope with this scenario and instead uses the waypoints listed in the ADEXP file to search for the next nearest point beyond the UK exit point. This was also not present. The software then moved on to the next waypoint, which matched, but only because it carried a duplicate identifier.
“Having found an entry and exit point, with the latter being the duplicate and therefore geographically incorrect, the software could not extract a valid UK portion of the flight plan between these two points. This is the root cause of the incident,” the report stated.
The FPRSA-R primary system then raised a critical error and correctly placed itself into maintenance mode. When such a failure occurs, the backup system is designed to take over processing seamlessly. In this instance, however, the report said the backup system, which took over processing flight plan messages, applied the same logic to the flight plan with the same result, and subsequently raised its own critical exception, placing itself into maintenance mode.
All of this occurred just 20 seconds after the duplicate waypoint data had been identified. “Clearly, a better way to handle this specific logic error would be for FPRSA-R to identify and remove the message and avoid a critical exception,” the report said.
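To make the failure mode concrete, the following is an added, simplified model of the extraction logic the report describes; it is not Nats or FPRSA-R code, and the waypoint names, regions and routes are constructed for the example. It contrasts a version that matches the exit point by identifier alone and raises a process-wide critical exception (so an identical backup fails on the same message) with a version that checks the region and ordering, rejects only the offending plan for manual handling and keeps processing the rest of the queue, which is the behaviour the report's authors say would have been preferable.

```python
"""Simplified model of the flight-plan extraction failure described in the
NATS preliminary report. All waypoints, regions and routes here are
constructed for illustration; they are not the real data from the incident."""
from dataclasses import dataclass


class CriticalException(Exception):
    """Models the process-wide failure that put a system into maintenance mode."""


@dataclass(frozen=True)
class Waypoint:
    name: str    # identifier; the spec only requires uniqueness within a region
    region: str  # airspace region in which this identifier is defined


def extract_uk_portion_naive(route, entry_name, exit_name):
    """Original-style logic: match the exit point by identifier alone.
    A same-named waypoint defined in another region is accepted as the exit,
    and an unusable result escalates to a critical exception."""
    names = [wp.name for wp in route]
    if entry_name not in names or exit_name not in names:
        raise CriticalException("entry or exit identifier not found")
    entry = names.index(entry_name)
    exit_ = names.index(exit_name)   # first match wins, wherever it lies
    if exit_ <= entry:
        # No valid UK portion between the two points: the reported root cause.
        raise CriticalException("exit point precedes entry point")
    return route[entry:exit_ + 1]


def extract_uk_portion_hardened(route, entry_name, exit_name):
    """Only accept an exit point that is defined in UK airspace and lies after
    the entry point. Return None to reject just this plan (for manual handling)
    instead of raising an exception that takes the whole processor down."""
    entry = next((i for i, wp in enumerate(route)
                  if wp.name == entry_name and wp.region == "UK"), None)
    if entry is None:
        return None
    for i in range(entry + 1, len(route)):
        wp = route[i]
        if wp.name == exit_name and wp.region == "UK":
            return route[entry:i + 1]
    return None


def process_queue(messages, extract):
    """Run a primary and an identical backup over the same message queue.
    Returns (processed, rejected, state); state is 'running' if a system is
    still up at the end, or 'both_failed' if primary and backup both died."""
    processed = rejected = 0
    for _system in ("primary", "backup"):
        try:
            # The backup resumes at the message the primary failed on,
            # exactly as the report describes.
            for route, entry, exit_ in messages[processed:]:
                if extract(route, entry, exit_) is None:
                    rejected += 1
                processed += 1
            return processed, rejected, "running"
        except CriticalException:
            continue  # this system enters maintenance mode; the other takes over
    return processed, rejected, "both_failed"


# Constructed sample routes (not real flight plans).
NORMAL_ROUTE = [Waypoint("ALPHA", "FR"), Waypoint("ENTRY", "UK"),
                Waypoint("MIDPT", "UK"), Waypoint("EXITP", "UK"),
                Waypoint("BRAVO", "IE")]
# 'EXITP' appears only as a duplicate identifier defined in another region,
# before the UK entry point; the UK-defined 'EXITP' is absent from the plan.
POISON_ROUTE = [Waypoint("EXITP", "US"), Waypoint("ALPHA", "FR"),
                Waypoint("ENTRY", "UK"), Waypoint("MIDPT", "UK"),
                Waypoint("BRAVO", "IE")]

MESSAGES = [(NORMAL_ROUTE, "ENTRY", "EXITP"),
            (POISON_ROUTE, "ENTRY", "EXITP"),
            (NORMAL_ROUTE, "ENTRY", "EXITP")]

if __name__ == "__main__":
    print("naive:   ", process_queue(MESSAGES, extract_uk_portion_naive))
    print("hardened:", process_queue(MESSAGES, extract_uk_portion_hardened))
```

With the naive extractor the primary fails on the second message and the backup, applying the same logic to the same message, fails too, leaving nothing running after one processed plan. With the hardened extractor the same queue yields three processed plans, of which one is rejected for manual handling, and the processor stays up. The design point is that a single malformed input should be quarantined as a poison message rather than allowed to propagate the same exception through every redundant instance.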
Nats has now established new operating instructions to allow prompt recovery of the FPRSA-R subsystem if the same circumstances recur. The manufacturer of the software has introduced an update, designed to prevent the critical exception from recurring for any flight plan that triggers the conditions that led to the incident. This change will prevent the software from finding a duplicate waypoint that could cause an incident.