Installations

Home

Introduction

Still awaiting writeup of specification and response.

System closed down on 28 March 1991 - went into service 1971 The pictures show the ceremony - Marconi represented by Roger Woodcock, John Lancaster and Bill White - and the final log entry.

The following report in the press prompted a series of comments - www.telegraph.co.uk/news/aviation/11291891/Air-traffic-failure-never-seen-before.html

Bob Mountfort

Having worked in a contracts capacity on CAATS, Swisscontrol, CUA & P C A Jeddah, I learned it ain't easy. Ultimately it is the customer that writes the spec, fixes the budget and determines the performance of the system. Seeing how the CAATS hardware specs increased, and how the numbers of lines of code increased exponentially and seeing the dialogue between engineers and the operators, sometimes it's a wonder when the system goes operational. Then there are continuous upgrades and checks. A lifetimes work, until the next new system is put out bid. Who knows what that may look like. Glad I am retired.

Don Halstead

I saw a report last night that NATS were attributing the Swanwick problem to one line of code which caused problems as, probably, they brought more positions on-line to deal with the evening peak traffic. Well, maybe.

As I understand it, even when software on such a scale is well-proven and mature there is likely to be a handful of bugs which will take a very long time to show up. I believe John Pearce published a note about the West Drayton Myriad system which, even when rigorously tested and 'mature', was confidently predicted to include perhaps 20? long-term bugs with a half-life of many years; with experience seeming to agree with the theory. Doubtless many MOGS will have their own views on this; I wonder if Richard Worby saw anything like this at Eurocontrol Bretigny for instance?

Ian Gillis

That scurrilous source the Professional Pilots' Rumour Network has a thread at http://www.pprune.org/rumours-news/552783-all-london-airspace-closed-4.html. It has a link to the equally scurrilous "The Register" site which says it was all due to an IBM 390 FDP falling over

Richard Worby

Remember also that the triplicated Myriads at W Drayton were first succeeded by the 9020Ds - Robin Turner, myself and Roger Watkins spent months incarcerated in Shell Mex House specifying the 'Anglisisation' of the FAA kit for a UK environment. And by and large, I am told it did the business. As did SCATCC, with its distributed Locus solution. But Swanwick, in my opinion and based on the Bretigny experience, not only strayed back far too close to centralised architecture, but tried to implement too much innovation, too soon, and without fail-safe modes being adequately addressed AND TESTED. Software will ALWAYS fail, it's only a matter of time. What matters is what happens when it does. So one must conclude Swanwick has zero resilience to failure, otherwise there would have been some ATC capacity left, albeit with increased vertical and horizontal separation. But to be obliged to shut down, yes SHUT DOWN UK airspace - that beggars belief. Heads should indeed roll. But what is most upsetting is just how far we haven't come since FPPS. In an ATC environment it isn't a matter of a bug fix, it's a matter of "graceful degradation" while you fix it. There was nothing graceful about what happened at Swanwick, and it wasn't the first time either.

John Lancaster

When MRSL was awarded the contract for FPPS West Drayton, the operational requirement was based on the RRE Spec X6114, and, based on our interpretation of that spec, we estimated that the software requirement would be between 14 and 18 man-years.  An ATC Detachment was set up to finalise the requirements, under the leadership of Bill Towers-Perkins.  There were something like 100 ATCD meetings, and eventually the sotware grew to about 200 man-years.  (fortunately the sotware contract was on a 'price to be agreed' basis, only the hardware was fixed price.)  The software team grew to over 100 programmers.  Sidney Morleigh devised a formula which showed that, if the process were allowed to go on unchecked, probably the whole working population of China would be employed on FPPS!  Our customer was wise to this, and, as we all know, the 'MAS only' amendment was introduced.  So the Myriad system managed only the Middle Airspace, and this it did with more or less unbroken service until it was finally de-commissioned on 4th. April 1991. (Three years before I got de-commissioned!)

We can only guess at the equivalent processes and figures for Swanwick, but, as others have pointed out, software is complex, and there will always be bugs, but it all depends on the system procedures you introduce to cope with the situation while the bugs are being fixed.  On Friday, as far as I can tell from the  Press reports, the radar and comms systems continued to function, but the flight data processing system failed.  So the controllers knew where the planes were at a given point in time, and could talk to the pilots, but didn't  know where they were going...........! 

Bob Mountfort

My Program Manager, when at Hughes Aircraft Canada, later Raytheon Canada, a Scottish Canadian ATC engineer tells me that the NATS kit  is "Lockheed-Martin kit. Still based on software I managed in the 70's !”. I expect you all knew that.

Nigel Cutmore

To continue John’s history from my unreliable memory. CAA opted for IBM computers (9020D) to perform the role that was originally intended for Myriad. These computers were intended to automate the job that was then performed by the controller who would manually update flight plans, in the new system an assistant would be used to input change/progress data to the computer and this would print modified paper strips to the controller. I believe Marconi developed a touch wire system to aid this process. The current system is, I believe, based on the FAA’s ASS (Advanced Automation System) FAA reduced their ambitions when the cost estimate reached something like 7 billion USD.

Reading between the lines the fault last weekend was to do with the system’s ability to be reconfigured when traffic intensity changes i.e. the aircraft/controller allocation varies, they seemed to have brought more workstations on line and lost the flight plans during the switchover (there is no paper strip standby now) and as aircraft still don’t possess decent brakes it was a matter of landing or diverting aircraft. The concept of reducing separation using procedural control no longer exists.  It is interesting that one reason for the FAAs cost escalation was the requirement for a reliability figure of 99.99999%. – I think there were 5 nines after the point!

References

New Scientist

Installations

Home