PPRuNe Forums - View Single Post - U.K. NATS Systems Failure
Old 6th Sep 2023, 22:28
#294
eglnyt
 
Originally Posted by CBSITCB
The airline sent the plan to IFPS which checked it was in the correct format (which it was) and accepted it. IFPS passed it to Swanwick at the appropriate time. There was an anomaly in the route (duplicate fixes) which by NATS' admission the FPRSA-R program logic couldn't handle. NATS says this "led to a ‘critical exception’ whereby both the primary system and its backup entered a fail-safe mode". Personally I find this hard to believe. If the FPRSA-R was still in control of itself surely it would say "Look chaps - this route looks rather weird. There appears to be a duplicate fix. I'll ignore it for now until you guys figure it out. In the meantime I'll carry on processing all the other flight plans". IMHO 'critical exception' and 'fail-safe mode' are spin for "it crashed".
I'm not sure it ever identified that there was a duplicate. It processed the route & got a result it didn't understand. I think the reason it got a result it didn't understand was identified later. But even if it didn't know why it got a strange result it should have been able to identify which plan gave that strange result, isolate it and move on.

Only the design authority can explain why it handled things the way it did. The nuclear option is appropriate for some errors but rather overkill in this case.

As you say, describing a crash of your system as failsafe is a rather desperate spin.