ATC Safety Net

ATC has multiple systems and procedures designed to keep the traffic flowing after the system suffers various levels of inconvenient to catastrophic failures.


Modern aviation is awash in redundancies. Look at any airliner today. Each is powered by at least two engines, each with enough power to keep the aircraft aloft if one fails. Its hydraulic and flight computer systems have backups in case one is compromised. Up front are two crewmembers, each qualified to fly the aircraft in the event one becomes incapacitated.

This expected redundancy makes it all the more striking when we encounter a single point of failure that brings everything—literally—crashing down. The Boeing 737 MAX Lion Air and Ethiopian Airlines accidents that led to that type’s grounding were shocking, not just for their loss of life, but for the revelation of a single, fragile failure point.

Everything the MAX shared with other airliners—multiple engines, systems, crewmembers, etc.—didn’t matter. One software system went rogue and 346 people died. Certainly, there are other technical, training, and economic factors at play, about which there are countless articles in other media. Nevertheless, it was a tragic reminder as to why aviation demands multiple safety nets.

Air traffic control is no different, of course. When controllers are working traffic and keeping aircraft separated, we’re aware the technology we’re using to do our jobs might fail at any time. The redundancy that keeps us working—and our traffic safe—takes several forms.

Frequency Fallbacks

The most obvious and essential ATC tool is a working radio. Imagine an airport is fogged in, with hard IMC and essentially zero visibility. The tower controller can’t see the airplanes. However, using a single radio with his knowledge of the airport layout, and accurate position reports from pilots moving around in the soup, he can still work the traffic. Radar controllers can also rely on pilot position reports to separate traffic in non-radar operations. Again, all they need is a radio and knowledge of their surroundings to build a mental traffic picture.

Given this importance, ATC radios have multiple backups. When I sit down at a radar scope or stand up in front of a tower position, I have multiple radio options within arm’s reach. They’re all readily accessible when—not if—one fails. There are multiple layers of redundancy.

First is our standard panel where the controller can select available VHF and UHF frequencies. Normally, we can pull up every frequency in the facility from this one panel. If a radar facility has five sectors, they might have at least ten frequencies (each sector could have 1 VHF and 1 UHF freq). A control tower might have at least six (1 VHF and 1 UHF each for Ground, Clearance, and Tower).

Each frequency usually has a main and standby (i.e. backup) transmitter and receiver. If a radio is failing or a pilot is having trouble communicating with us, we can toggle between mains and standby. Making the switch is easy. This used to be toggled by physical buttons or switches. Many facilities have now migrated to touchscreen communication panels, which allow controllers to swap or select radios with a tap of a finger.

What if the comm panel itself fails? We can quickly move to a different position, plug into its panel and key up the freqs. What if all the panels freeze? (Exceedingly rare, but it’s happened.) Next to the position is a bypass jack (typically called the “orange jack” due to its obnoxious color). We’ll plug our headset into the bypass. This—as its name suggests—bypasses the normal radio panel. Now we’re talking and listening again.

The catch is that this only works for a single frequency. Imagine a radar controller is working the “A” scope. Traffic is light, so he’s got sectors A, B, and C combined, and has aircraft spread across those three frequencies. Suddenly, his comm panel goes blank. He plugs into the orange jack, but since he’s at the “A” scope, he’ll only have that one frequency.

A fellow controller or supervisor would need to plug into the bypass jacks on B and C scopes, and tell any aircraft on those respective frequencies to contact the controller on the A frequency. All adjacent facilities must also be told to use the A frequency for any traffic entering the stricken facility’s airspace.

What if the mains, the standbys, and the bypass jack don’t work? We come to the fourth tier: a battery-powered backup radio that we can grab and go. They’re not as powerful as our standard transmitters, of course, but they’re effective in a pinch.


Fishing for a Line

Controller communications aren’t just limited to airplanes. We must coordinate with controllers in other facilities regarding what those airplanes are doing. Normally, these are triggered via that same comm panel used for ground-to-air radios. Alongside the radio frequency selections, we’ll have buttons labeled with numbers or acronyms for whatever position we’re calling. For instance, “GC” would be Ground Control.

The lines for interfacility comms typically have a number designation, like “739” or “426”. Some are “shout lines,” where the call immediately comes out over a loudspeaker; these are for more urgent communications. Others are “dial lines” that work similarly to a regular phone; they ring until the receiving controller picks up. These are all recorded.

An approach controller calling their center might tap the button labeled “739”—a shout line, in this scenario—and say, “Low, Approach, 739 line.” The receiving Low controller would hear that over their loudspeaker and/or see the “739” button illuminated on his panel. He taps the button, and now it’s coming through his headset instead of the loudspeaker. They coordinate and then tap the “739” button to hang up.

What happens if a landline fails? We still need to coordinate, so what then? We often have more than one between facilities. For instance, if Approach usually uses 739 to talk to Center’s Low sector and 426 to speak with High, and the 739 conks out, they will likely be able to just call both via the 426. All sectors involved will need to be briefed, so they’ll listen for calls on unusual lines. Some patience will also be needed, since more people will be using that single 426 line.

If those preset landlines fail, we have an on-hand directory of additional contacts in the other facility. We can pull up a keypad on the touch screen and—like a phone—manually dial the appropriate number. One of our first calls would be to the other facility’s supervisor, advising them the lines are down. We also have regular commercial phone lines.

What if all the landlines fail? It’s happened. In 2007, Memphis Center suffered a facility-wide communications failure that left them incommunicado with their traffic and the facilities around them. Their 100,000 square miles of airspace in the middle of the USA suddenly went “ATC Zero” with countless flights already inside of it and more en route to it.

How on Earth did the controllers work around that? Well, they whipped out their personal cell phones in the radar room, started calling adjacent facilities, and figured out who had radar and radio coverage deep enough in their airspace to see their traffic. Using emergency transmitters and a lot of cellular coordination, they were able to hand off all of their traffic. It was a mess initially, and many flights were obviously impacted or rerouted, but pilot and controller fortitude and teamwork ensured everyone arrived safely.

Don’t Get Left In the Dark

Rain was coming down in sheets outside the control tower windows. A thunderstorm had blown up overhead. Suddenly—poom!—lightning struck a few blocks away. The airport buildings around us went dark.

The tower and radar room kept right on going. Our radios, radar displays, essential lighting, and other pieces of vital equipment are tied into massive battery banks that allow us to work uninterrupted during the power failure.

You’re probably thinking that batteries don’t last forever. Correct. Ours are just there to allow time for our next backup to come online—a diesel generator that can power the required equipment. What’s not required equipment during a power failure? It’s air conditioning and other creature comforts. You know it’s going to be a sweaty day at work when it’s 105 degrees and muggy out, you pull into the tower parking lot, and hear the generator going. Even with the sun shades drawn, a control tower can quickly turn into a greenhouse, and radar room equipment generates a lot of heat.

Talking about equipment, what about radar backups? Approach controls each rely on small numbers of short-range terminal radars—often only a single unit—that cover their airspace neighborhood. Centers use overlapping long range radars (LRR) to cover their much larger airspace.

If an approach loses radar, either to a maintenance outage or a faulty connection, they can switch to using their overlying center’s LRR. Due to technical differences, they’ll need to provide more space between aircraft and will likely be unable to see traffic below a certain altitude. It’s more cumbersome, but it works.

Center radar used to be the only backup to the terminal radars. Since the advent of ADS-B and its myriad overlapping ground stations, ATC can also track aircraft equipped with ADS-B Out. Even without terminal and long-range radars, we might still have excellent tracking available via ADS-B. That’s three layers of redundancy. And finally, even if we go completely radar-blind, we can work the airspace using non-radar rules via pilot reporting and altitude separation. —TK

Digging Our Way Out

As you can see, when the tech fails, often the people become the backup. Years ago, I was working at an approach control that had a nearby construction site. An enthusiastic backhoe operator accidentally sliced through some underground telecommunications lines. With a slip of a lever, he unwittingly caused a pile of additional work for people across multiple states.

The flight plan processing computers in approach controls and control towers are slaved to the computers in their overlying air traffic control centers. For instance, the towers in the New York area and the radar controllers at New York Approach receive their flight plan data from New York Center. If you file IFR out of Teterboro, NJ (KTEB) via ForeFlight, New York Center’s systems figure out which facilities need your flight plan. In this case, it’s sent to Teterboro’s control tower and New York Approach.

That works in reverse too. If you request VFR flight following from Islip, Long Island (KISP) to Boston, the Islip tower controller would type your request into their computer. The tower’s computer generates a National Airspace System flight plan for you by communicating with the New York Center computer. When you depart and are radar identified, a “departure message” is automatically triggered via that connection as well, sending your flight plan data to every facility on your route.

When the telecom lines were cut, we lost connection with our overlying center. Normally, our radar scopes display targets with their callsign, aircraft type, and destination. We’ll also have access to their full flight plan via our Flight Data Input/Output computer. The center’s computers have sent that information, associating it with a particular squawk code.

Now, we could only see each target’s transponder code. Since our local computer never received any flight-plan data from the center, we had no idea it was actually associated with, for example, Southwest 1234, a Boeing 737-800, landing at our main airport. Likewise, if we had an IFR departure, we would never receive their clearance information, since it normally gets sent down via the center.

How did we make it through? Lots of extra teamwork. For inbounds, the center controllers had to call us on a landline and execute manual handoffs for each aircraft. Approach then had to click on the target—therefore taking control of the target—and manually type in its callsign, type, and destination.

For departures, whenever an aircraft on the ground called for a clearance, tower controllers had to call the center’s flight data position, have that person manually pull up the flight plan, and read aloud the aircraft type, squawk code, route, requested altitude, and any other pertinent details. Prior to takeoff, tower passed along that info to the approach controller.

When the aircraft took off, approach manually typed its callsign on the target. Someone at approach also had to call and tell the center to manually trigger a departure message, so every facility down the road knew the plane was coming.

We improvised and worked our butts off for a couple of days, until it all got sorted out. The magical part of it? The pilots never knew. There was no change in the service they received.

When something fails and the traffic is counting on us, throwing up our hands in despair simply isn’t an option. We’ll use the backups we have on hand, or just figure out a workaround that can keep the traffic moving. Our aim? To minimize the impact on you and the thousands of other pilots and passengers in the sky.


Tarrance Kramer really prefers it when things work as they should while working traffic out in the Midwest.

1 COMMENT

  1. The ATC system is indeed impressive, from the human element (controllers and technicians who maintain the system) to the software, hardware, and facilities. Like all else in aviation, ATC ultimately runs on money and our understanding of the aviation environment.

    How does the facility and system design consider and periodically attempt to simulate unlikely ‘Black Swan’ events? For example, very wide scale tectonic events, long duration Cat 5 hurricanes that maintain strength and persist over large areas, State sponsored broad scale electromagnetic disruptions of communications and power? Or severe budget constraints that VERY significantly reduce operational resources, perhaps by 75% or more? Etc? Some of these events could easily be at national and international scales.
