Air traffic control system is 'not safe', say UK controllers

Air traffic control system is 'not safe', say UK controllers

Summary: Prestwick, one of two major air traffic control hubs in the UK, is in the process of implementing new flight data technology that controllers have said is 'not fit for purpose'

TOPICS: Security

Technology being introduced at one of the two major UK air traffic control hubs is "not fit for purpose" and did not adequately handle a breakdown in air traffic communications, according to a number of air traffic controllers.

Glasgow Prestwick Airport

Technology being introduced at an air traffic control centre in Glasgow is "not fit for purpose", according to air traffic controllers.

The EFD (Electronic Flight Data) system rolled out at the Scottish and Oceanic Air Traffic Control (ATC) Centre at Glasgow Prestwick Airport has had difficulty handling complex inputs, according to people posting on an air traffic control forum.

"[Controllers] don't want to use this system, not because they like to have a whinge, but because they know it is neither safe, nor efficient enough to do the job," wrote one Prestwick controller, Arty-Ziff, on the Pprune forum in February. "This system should have been tested properly before it went into live operations."

Another, maintainhighspeed, said: "EFD is used in Nigeria, Israel and various towers. This system has experienced nothing as complex as the Prestwick Control Centre. It is struggling.

"I strongly feel that EFD is not capable of handling an Oceanic interface, ATSOCAS [Air Traffic Services Outside Controlled Airspace], procedural control, airways, single-man and double-man operation all in one," maintainhighspeed added.

[Controllers] don't want to use this system, not because they like to have a whinge, but because they know it is neither safe, nor efficient enough to do the job.

– Arty-Ziff, Pprune forum

EFD uses electronic flight data strips called smartStrips to log aircraft locations and commands, rather than the paper strips long used in ATC. The technology used at Prestwick runs on Java and Linux, and is being implemented by the National Air Traffic Service (NATS), the organisation in charge of UK ATC. The major human interface component is a Wacom tablet.

"My worry is that for a busy session, EFD will not be as quick or as robust as paper strips," wrote Pprune member anotherthing, who noted concerns that controllers might miss conflicts with electronic strips.

Real-time traffic

Theodor Zeh, director of human factors for Austria-based Frequentis, the provider of the technology, said the EFD system is capable of handling real-time air traffic at Prestwick. "The system can handle fast inputs," Zeh said on Monday.

However, he said that problems had been ironed out in live testing, which began at the end of January.

"The last big change to air traffic management was the introduction of radar 50 years ago. When change comes, it can be extremely painful and difficult. Any change will decrease the performance of a system by a certain amount of time," he told ZDNet UK.

Similar EFD systems have been implemented in Nigeria and New Zealand, Zeh added. The problems lie in air traffic controllers feeling comfortable with the interface, he said.

We fully understand where this comes from — air traffic controllers are really working in an extremely difficult environment — but change needs to be brought in.

– Theodor Zeh, Frequentis

"This is about how to implement functionality so controllers are fully confident, not [about] the capacity of the system," said Zeh. "We fully understand where this comes from — air traffic controllers are really working in an extremely difficult environment — but change needs to be brought in."

The EFD system is being phased in at Prestwick on a rolling basis. It is currently being used by controllers looking after West 2 LAG, the sector that covers Manchester in a 100-mile radius around the airport runway. The phasing-in began on 28 January, but has suffered problems, including latency and screens not working, according to forum posts.

"All we want is to go to work and not put two [planes] together. For the meantime, EFD is only making that more likely," wrote one Pprune user on 11 February. "I just hope that one day we don't have to turn around and say 'we told you so'."

System failure

On 15 February, the IBM-based National Air Traffic Service system covering the UK stopped talking to EFD. Air traffic controllers at Prestwick scrambled to remedy the situation. Some people on days off had to go into work to try to move the traffic build-up, which caused numerous delays to flights.

Read this

Cybercrime policing to get £63m boost

The government money will be used by experts from the Serious Organised Crime Agency and the Metropolitan Police Central e-Crime Unit to combat e-crime

Read more+

"Situation has deteriorated in Prestwick Centre," said an alert email quoted on the Pprune forum. "Problems with the electronic flight data processing system have not been solved yet."

Zeh said that the situation on 15 February had not endangered air travellers and that back-up systems at Prestwick had worked. "There were several fall-back layers — there wasn't ever an unsafe situation," he said. "The performance only went down when there was a real failure of the link [between NAS and EFD]."

The National Air Traffic Service, which is in charge of implementing the EFD system at Prestwick, declined to comment on the adoption and performance of the new technology.

"We don't comment on internet chatroom rumours," said NATS spokesman Patrick Horwood. "EFD is progressing and will be implemented in full. The project team continues to work hard to ensure there is minimal impact to our customers while it is introduced."

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Digital is not less safe than a bad system already in place, it does however exposes a bad old system much faster than a whistle blower.
  • The thing is that the controllers are understandably concerned what'll happen when, not if, the system has a hiccup. Simply saying "we're working on it" and "the system will work" is simply not enough. If you don't understand that you have no business selling software to critical sectors like ATC.

    The paper system the controllers work with is extremely robust, well-understood, and easy to remedy. The controllers clearly feel the replacement system does not offer them the capability. If the system is supposed to have it but the controllers feel it doesn't, then it doesn't -- practical failure wins from marketing tickboxes every time. Even if the after-crash report will blame "insufficient controller training". That's still a software vendor failure to make their software work for the controllers.

    Therefore, I think that there must be extensive fault remedial and survival sessions where the controllers get to not merely use the system, but break it in every conceivable way, both from vendor-, regulatory body-, and controller-supplied failure scenarios. And then find out how to revive it again. The system cannot be safe unless the controllers feel they can work with it including kicking it into a working state immediately after multiply-compounded catastrophic failure. This story fails to tell the vendor did all that. Logically it follows that the controllers are right to be concerned.
  • So, are you saying that the paper strips are a "bad" system and digitizing it has exposed the problems with data strips?

    Paper strips have worked well in all kinds of situations including the highest traffic loads in the world.

    If you read TFA, there are some curious comments by the vendor such as: "The last big change to air traffic management was the introduction of radar 50 years ago.". This is patently untrue as computerized display and management systems have been in place since the 1970's. He also says that any change will decrease the efficiency of a system for a period of time. No wonder they are having problems if this is the attitude going in.
  • I seem to remember that ATC in the military dropped paper/stencil based systems 20 years ago, because it was impossible for a Human to track 300 or more targets.

    Paper belongs to the turboprop era. Not the age concorde issued in, there are now thousands of light civil aircraft today, some jet, most fast turboprop. All need to be tracked across a whole world.

    Using a system based on tracking hostile aircraft using sound cones from 1936 on a UK spread into several boards with manual plotting just is not good enough.

    ATC has procedures that mostly work 99.999% of the time , in good weather and good visibility, which falls flat in bad flying weather, that is what you get when you use a paper system based in the 1930's world, change has been slow and incremental. Now it needs to be fast to catch up with traffic volume, we cannot wait on the ATC to change its culture.

    And yes, computers are un-reliable if you buy custom made which defence based suppliers machines always are, they are ultra expensive, impossible to source broken components and really hard to program. So you buy off the shelf virtual VMware/Virtual machine types, use MySql databases, virtualise the ATC control machines as clients and have multiple redundancy throughout, you have the robust system you wanted.

    The difference is that the civil service and defence types who bought the last batch which failed neither understood the technology, or the companies they bought it from. Civil data infrastructure now has the reliability due to multiple redundancy that the best military technology can provide.
  • I'm sorry L1ma but you clearly have no idea how ATC works. I'd love to meet the guy who can work 30 a/c at once, let alone 300. If you don't have any knowledge of the topic then please don't comment as your waffling is completely misleading.
  • ATC does work and if you would like to tell us all how it works we will listen, irrilius. I never said I could do it better than ATC, but this is a technology blog and I can comment on the technology behind it.

    At that time of writing my previous comment at 5.56 am there were 40 aircraft over the UK which I was watching as they made their way through UK airspace, and yes a single ATC can work 30 at once, tracking 50 Targets used to be the Gannets selling point.

    Funny though the ATC was not using the electronic system, it is available but it uses ADS-B transponders in the aircraft. So most of the system is already here. What is not shown are all the aircraft without them, but the future is there for you to see - check it out.
  • I'm not involved on ATC, but I'd like to add something to this discussion looking at other point of view: The quality of the software.

    IMO, QoS is an objective you can not ensure due to the personal (in)competency of the people involved (designers, developers and managers).

    Software that is related to people security from embedded systems on elevators or cars (remember Toyota?) to the railway's ERTMS or ATC, need to be created, bought or maintained with a high level of care.

    This is my point of view as an industrial engineer working on IT projects for years and very concerned on quality software flaws.

    Unfortunately, software managers are more interested on the managerial view (PMIBOK or ITIL for sample), than on the quality and traceability of the software components. They still don't know that is cheaper to do the best requirement analisys and design than repair infinite bugs.

    Another fact is in our environment, the European Union, doesn't exist yet any ISO or EN technical norms able to be used as "harmonized" norms in the "Conformity assessment" of the EU Directives about industrial products.

    Maybe SPICE (ISO 15404 and ISO 12207) based on the maturity model, could help us in the future to work in software projects with a predictable level of quality on any related people security software. I'm working on it.

    Finally, we should remember that any commercial software product, compiler (java) or also operating systems (windows) have disclaimer clauses about do not use in applications where people security is involved, and, of course, open source comes with no warranty.

  • Dear rocral, the software has already been written in some ways. The Airbus has 3 different software programs each providing command and control throughout the Airplane providing redundancy, and the good commands of two will override the third.

    What handling the Data for ATC by computer does is give the ability to predict far in the future say 12 hours where a flight would be from Say San Francisco to Heathrow, if it follows a pe-defined course and schedule, and gives the ability to automatically change flight plans for all aircraft in advance.

    That means the wake from an Aurora bomber can be modelled and will not cause a Chinook to crash in Scotland some 20 minutes after it lands in Germany.

    It also means light aircraft such as gliders can in the future have individual MAC codes in mini transponders which will allow prediction software from ATC to directly warn of a collision within seconds telling the aircraft Break Right\pull up etc. This system is part of the A300 series flight control and navigation software. That is the future of ATC, and that is why I want to see paper leaving the ATC office.
  • Well, I work with EFD and I trust it more than I do your journalism. The Air Traffic Control Centre is nothing to do with Prestwick Airport. Neither is the photo, which is of Glasgow International. Get your basic facts right..........
  • Hello bald_dad,

    Thanks for your comments. Our production team, who sourced the photo illustrating the story, are in the process of swapping it out.

    Could you clarify your other comments?

    As we understand it, the Scottish and Oceanic Air Traffic Control Centre is based at Prestwick. Please see this Nats record, for example:

    In what capacity do you work with EFD, and do you work with it at Prestwick? If not, where do you work with EFD, and what are its good points?
    Tom Espiner
  • Prestwick Centre is at prestwick but isn't anything to do with the airport, we do however work their inbounds and outbounds.
  • Frequentis' software leaves something to be desired. Some interaction boxes block most of the Wacom display.

    The link that failed between the two systems shouldn't have failed. There are two links. No-one bothered to check that both links were working after a software update. The working link failed, leaving no back-up. Simples?

    NATS' response has been "what a wonderful job everyone did to pull the fat out of the fire".

    It should have been 'despite our quality system, we screwed up. How? Why? How do we make sure it doesn't happen again'.
    I KnowNothing