Especially when it was known already that one mouse click could shut down every radar monitor in the ops room Hope the EFPS thingy still works when the plug gets pulled. I assume that the regulators will be asking for explanations and maybe calling for heads to roll. We'll see how serious they are about safety now. |
<<EFPS has a backup for when that happens, it's a printer in the corner of the room>>
Well, thank God I'm not working if that is the back-up. In a room where I worked there were a few dozen controllers. What would they do? All run to the corner of the room? How can a single printer backup 200 flight progress trips loaded with current information? I've never heard such incredibly un-safe nonsense so please tell me I've completely misunderstood. |
EFPS is used at Airports. Even at Heathrow the number of strips needed immediately isn't that great. That backup has been used in anger at both Gatwick and Stansted.
EFD which will be used at TC and Prestwick will display non interactive electronic strips on a different system if EFD fails. |
will display non interactive electronic strips on a different system if EFD fails b) If these are non-interactive does it mean that at all times you can see what the situation was at the point of failure - probably not much use 5 minutes later! Or is this so that info can be copied onto some paper strips (no doubt locked in a cupboard)? |
eglynt
What a very modern and enlightened attitude. I certainly feel sorry for the guys at Prestwick having to go into work with the nagging doubt hanging over them of whether they are going to be there if it all happens again. On the beach |
<<Even at Heathrow the number of strips needed immediately isn't that great.>>
Sorry, eglnyt, no disrespect intended but your profile gives no clue as to your involvement in ATC and you do convey an impression of not knowing much about what goes on at the sharp end!! I worked Heathrow Tower for 20 years and it is considerably busier now. I would not accept your suggestion, but maybe one of the current controllers would care to comment? If you have a departure off one runway alongside a go-around off the other in bad weather you don't want to have to scamper round the room looking for a backup printer! People's lives are involved..... |
I'm struggling to make any link between commercial pressures and this incident. So far it looks like a combination of a misguided design decision to include that functionality and somebody exercising that functionality when they really should not have. I can't see commercial pressures influencing the first. I can see how commercial pressures might affect the second but until we know what they were trying to do, why they were doing it, the control measures surrounding that task and the environmental factors at the time it's rather too early to say.
I think we can be fairly sure that nobody will do that again for a little while. Unfortunately the ingenuity of man means that whatever defences I and my fellow engineers build into a system will eventually be breached by somebody either deliberately or inadvertently. My capacity to imagine what they might do wrong always seems to be slightly less than that of the user. |
As an engineer I can't build you a system that will never fail so I can never tell you that wont happen. I can build you a system that will be more or less equivalent to not failing but it would cost so much that nobody will be able to afford to fly in and out of your airport. I can also build you a system nearly as good as that at a price that can be afforded but there will always be a risk of failure and that one in a million hours could always be tomorrow.
I wasn't involved in EFPS but much of the risk of that system failing comes not from the system failing while free running but when something different happens around it or maintenance staff interact with it. We can reduce the risk of EFPS fail in the circumstances you describe by ensuring that no work takes place on interfacing systems or EFPS during those conditions. Similarly EFD has redundancy within its design which should make the chances of failure slight enough on it's own but just in case in its NATS implementation there will be a further fallback with sufficient functionality to allow controllers to retain situational awareness for the length of time needed. Again the main risk to EFD comes from people and external changes so those will be restricted at peak times. |
I can build you a system that will be more or less equivalent to not failing but it would cost so much that nobody will be able to afford to fly in and out of your airport |
The problem with this "modern and enlightened attitude" with a no-blame culture attached is that it increases the "risks" disproportionately. Because nobody accepts the blame when things go wrong any more, there is an unconscious relaxation by all involved.
When I worked for NATS there were "accountabilities and responsibilities" which were clearly defined. The comments by others on this thread re EFPS and EFD and the "back-up" provisions really do make me wonder if there was ever a safety case made at all before their introduction, let alone an economic case. On the beach |
The problem with this "modern and enlightened attitude" with a no-blame culture attached is that it increases the "risks" disproportionately. Because nobody accepts the blame when things go wrong any more, there is an unconscious relaxation by all involved. |
eglnyt, well said!
I was not on duty during the NODE failure, but I have discussed it with the lucky controllers who were and it is clear that they (unsurprisingly) handled the incident very safely and professionally. In NATS we do not operate a "no blame culture", but we do have a "just culture" where mistakes can be openly discussed without fear of punitive action. Rest assured that we also have very clear written safety accountabilities defined for all front-line staff! I cannot comment on EFPS, but I am certainly qualified to comment on EFD. The system has been through umpteen very painstaking Hazard Identification processes, covering all aspects of ATC and engineering procedures, and these HI processes will continue to drive development of the system. Fallbacks form an important part of these deliberations and accordingly EFD has very robust engineering architecture and ATC procedures to manage system failures. |
Our EFPS back up will be a laptop and printer which will be able to print something like 30 strips in an hour.
For 8 operational positions. Oh, I can hardly wait. |
On the positive side look at all the TRUCE you got done:ok:
Well done folks ...can't have been pleasant! |
If, as has been quoted above, the hazard was identified before this system came into operation, then I am very interested to learn how this hazard did not get rectified.
On the otherside, if the hazard wasn't identified, why not? Not looking for any blame, just keen to overcome the issues that have caused this and identify some of the unknowns. I expect teams in NATS will already be doing this...but I would like to know this too so I can apply it things I have influence over. |
If there is a need for the control and monitoring system to be able to shut down every radar display in the ops room then there will always be a point at which you are one click or enter key away from doing just that. The questions to answer are whether or not there really is a need to be able to do that and if there is what sequence of events is needed to get to that point. I'd be very surprised if it didn't require several selections before you are one click away. If there is no reason for it then surely the option should not be available, and if that is the case, again, more robust safety procedures should be in force. I would be very surprised given the events which took place if all was found to be competently "risk managed". |
Interesting that this is being called a radar failure. Whilst it appears that it may have been too easy to shut down the consoles, the kit did exactly as it was designed to, and instructed, to do.
I would suggest that the failure was the process that led for this to happen, and not the kit. The chances of "total radar failure" remain as remote as ever... |
It's called poor management that has taken it's eye off the ball and has forgotten that safety comes before finances ...........end of story.
If there had been a serious incident as a result of this then I have no doubt there would be a clear out of certain managers whether by NATS, or through the courts by way of corporate manslaughter legislation which is now current. |
Air Farce 1
If the worst had happened, we'd have had a wholesale change of management (and hopefully ethos) But I fear that's what it's going to take to turn us from this present course. |
I fear that's what it's going to take to turn us from this present course. |
All times are GMT. The time now is 14:01. |
Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.