WEDNESDAY 8 NOVEMBER 2000

MR IAIN FINDLAY, MR ANDY MOONIE, MR ANGUS MACCORMICK, MR LAURENCE KING AND MR NICK EWING

  20. Do not get me wrong, you people are very serious and have a very skilled job, it is looking at a plane on a radar screen and guiding it into the airport or letting it go off the airport. It is as simple as that. Why has it got so complicated?
  (Mr King) The problem with software is, we all know it is a very complex issue, no matter how you try and test a certain amount—particularly as the software gets more complicated the more you have to try and test it to find the faults—there is only one real test and that is real life. No matter what you try and think up about what individuals might do, particularly a combination of individuals, you can very, very rarely try and test for every particular scenario, as much as you possibly try. Unfortunately when you have so many individuals, as you have in air traffic control, operating a particular system it is always possible to find a fault somewhere that you just completely overlooked.

  21. You can train against those contingencies, surely. They are not just turning up for work and doing whatever happens to be presented in front of them. You train people to handle these contingencies.
  (Mr King) One of the difficulties about the failure on the 17th was it was a very problematic failure, one of the worst we have seen, and it is very difficult in those circumstances to train. There is a degree of instruction for the managers about how to get the best on the systems and restart and also to try and contain the traffic to a manageable level. It takes quite a time to achieve that and it does rapidly increase the work load of the controllers involved.

  22. When these things do happen what is the capacity of the controllers to revert back to manual procedures?
  (Mr MacCormick) If I can take that up from an airport controller's point of view. From an airport controller's point of view, a radar controller's point of view as well, the computer does not actually separate aircraft. The pilots fly, the airplanes still fly, the controller controls the aircraft. All the computers do is help us with that task. We are the people that hold it altogether when it does fall to pieces. Your capacity is very difficult. One of the problems during the 17th incident was that part of the computer failure, the data interlink, went on for most of the day, which is why some aircraft out of Heathrow were delayed for seven hours, because there was no flight plan in the system. The first thing we do before we allow aircraft to depart is we make sure that everybody knows about it and they have a flight plan in the system and that everybody is going to get the correct information. The first thing you do, if they do not have that, is you keep them on the ground. Around midday on the 17th at Heathrow—I started work about 2.15 that day—consequently there were about 60 airplanes sitting on gates, without flight plans, waiting to depart. That is a safe situation, it is not a desirable situation because I understand that the pilots were frustrated, and the controllers were frustrated.

  23. I do not suppose the passengers were overly happy.
  (Mr MacCormick) I was just about to say, the 120 Irish men on the Aer Lingus flight were not particularly happy either.

  24. I hope you let them off first.
  (Mr MacCormick) You mentioned earlier about the commercial considerations. We are very aware of that. Most of the pilots were running out of crew hours that day and we knew the effect it was having. Part of the main difficulty for us was that we did not have any information to pass on to them, we did not know ourselves.

  25. Was it the fact that the system was down that it took you seven hours because you had not enough staff and air traffic controllers who could revert back to the manual system? I understand what you are saying about the flight plan, but it is not rocket science to pick a phone up and tell somebody what it is and you guys understand it.
  (Mr MacCormick) The problem with the manual system on that day was that part of the computer was working properly at this point but the data link between several computers was not working. We were not getting the information but nobody knew we were not getting the information. At one point you had three flight plans for the same aircraft, none of which were valid. When I say valid, I mean that were updated to be able to be passed on to the other sectors of airplanes that get airborne. That is what Mr King was talking about earlier.

  26. You are not really saying that somebody did not realise there was a failure in the data link?
  (Mr MacCormick) That is what my understanding was, being at the sharp end.

  27. You were at the sharp end doing all the work and other people did not realise the stream was not coming through.
  (Mr MacCormick) I do not know if they knew but they obviously could not do anything about it because it went on for most of the day.

  28. There is a difference between not knowing and not being able to do anything about it.
  (Mr MacCormick) I could not answer that.

  29. Can I be clear, when the failure starts to occur is there any mechanism for getting extra staff in for the manual side of it, is there extra staff to work on it?
  (Mr MacCormick) I can answer that. Quite frankly we do not have the extra staff in air traffic control terms to get in. Even if you did, it is not necessarily the staff that are the problem in terms of air traffic control, it may well be assistant support staff, and I could not speak for them. In terms of controllers the restrictions are in terms of getting flight plans together, getting air space and getting data information between controllers. Having more air traffic controllers just would not help that scenario.

  30. Is there a procedure in place that when it starts to fail certain things happen?
  (Mr MacCormick) Yes. The first thing that happens, speaking specifically at the tower is, you stop all departures. That is clear. You continue to land the airplanes because you have to. The idea then is that on safety grounds you get all the airplanes out of the sky you possibly can and you do not let any more go in until the situation is under control. There are action cards in terms of contingency handed out from the tower supervisors at Heathrow and the other tower controllers around the country and you then go through a full set of procedures in terms of how you will revert to manual operations or revert to automatic operations.

  31. How far does that cause extra stress for the people working?
  (Mr MacCormick) In terms of the tower operation at Heathrow the main problem arises on our ground movement planning frequency, where you control the work load of everybody else in the tower and you make sure that everyone has a slot time, a flight plan and you also give them clearance. They call up that frequency initially for permission to start and you make sure that everything is in order for that flight to get ready to go.

  32. What effect does it have when you finish your shift?
  (Mr MacCormick) That day I finished my shift I was very low in morale when I left work, mainly because no air traffic controller likes to delay aircraft. We did not know what was going on. Apart from the fact we were all literally working like one arm paper hangers it was really, really hard work that day. You are also taking on board the stress of the pilots you are talking to and, of course, you know what is going on in the terminals, you know about that.

  33. Does that actually reduce your ability in the last couple of hours that you are working to do a good job?
  (Mr MacCormick) It means you are less efficient, certainly, it does not mean you are less safe. Less efficient, yes.

  34. Given what has been said about the June 17th situation, NATS tell us there have been four incidents this summer of problems, June 17th was by far the worst. Does it concern you that the New En Route Centre and the New Scottish Centre are going to have the core flight data processing systems installed in them?
  (Mr Moonie) No. In general the flight data processing systems have been remarkably stable and reliable. In terms of the development of the New Centre in Scotland and the Swanwick system—the Swanwick system has undergone a very significant testing over a number of years and we would hope and expect that to be equally as stable and reliable—certainly there are going to be benefits in having a commonality of software between the Scottish Centre and Swanwick in terms of support. One of the problems you have with lottery systems is as they become more complex, failures do become rarer but when you do get failures they are very difficult to diagnose. Having that commonality of system means you can share the knowledge and experience, and that should be beneficial.

  35. I understand on 17th June, if we can take that as one of the worst examples, there was a chaotic situation, it has been described to us. I understand that it took the best part of a fortnight to sort out the chaos, before the airlines and the systems got back to anything like normal. In those circumstances, you say you are completely confident that using that system, which presumably triggered off the problem in the first place at Swanwick and at Prestwick, is okay?
  (Mr Moonie) They did go back to earlier versions of software. One of the problems in June was not just a failure of the NATS system but the effect that it had on the related and connected system. I do believe that NATS has put measures in place to try and ensure that those do not happen again. I come back to the comment I made earlier, in general it has been a very stable and reliable system. It is very unfortunate that we had such a catastrophic failure this June. At the end of the day it is a reliable system and it has coped well with the increasing volume of traffic and the amount of changes that has taken place over recent years.

  36. If I can ask you particularly about Prestwick, as I understand it, the original PFI with EDS included a requirement to develop a new system. The PFI just failed. Two questions, why if the core flight data processing system was so reliable and so good did the PFI contain a requirement to development a new system? Secondly, why in those circumstances did the PFI fail in your opinion?
  (Mr King) A point of information, I think you are getting little bit confused. Andy was talking about the NAS system as the basis.

  Chairman: We know that EDS is a firm.

  37. EDS is a company, it is not a system.
  (Mr King) EDS and FDPS are to do with the oceanic part, Flight Data Processing Systems, and they are separate from the discussions that we have just been having, which is about the information distribution system, NAS National Airspace System, the computer.

  38. That is the bit that puts in the stream of information that you need. What concerns Mr Stevenson is the difference between the two systems. We accept what you say about the technicality, but when you come to Prestwick there was an attempt to set up a new arrangement with a commercial company and that failed. That is what we want to know about.
  (Mr Moonie) There were two PFI contracts at Prestwick. There is the Oceanic contract and there is also the New Scottish Centre, which were both PFI contracts.
  (Mr Findlay) On the question of why did EDS fail, we cannot really comment on that. There is a dispute between NATS and EDS at this point in time. It was a private sector company that apparently did not produce what was stated. On the other PFI contract for the New Scottish Centre both the unions, NATS and, indeed, this Committee actually said that PFI was not set up in the correct way. Thank goodness it was set aside.

  39. Can I finally ask a couple of questions about your memorandum to us, particularly about staff. You say in your memorandum at paragraph six that Swanwick will not have the number of ATCs it needs to be fully operational by `O' date—that sounds like James Bond to me—and you clearly state that as a result there could be a reduction in overall capacity. Would you like to clarify that? It is a very startling statement to make.
  (Mr Findlay) The last agreed figures that we have, and this was agreed some while ago, showed that on `O' date we would be some 50 air traffic controllers—