Finding VIII – Automatic change of flight level without controller's acquiescence
4.12. The X-4000 System used by the area control centers presents side-by-side, on the second line of the data block, two items of information on the flight level[23]: the level foreseen in the flight plan for the leg being flown and the real level at which the aircraft is flying, obtained by means of the transponder equipment. [...]. [NT: ellipsis in original]
[23 Altitude levels separated by 1000 feet (300 m) and defined in such a way that the planes that are flying at the same level are always moving in the same direction.]
4.13. However, the aircraft does not always maintain the flight level foreseen in the plan. In some situations the aircraft receives instructions from the controller to fly at a level different than that foreseen, at the pilot's request or to avoid traffic conflicts. The X-4000 system possesses a functionality that automatically alters the flight level at the point on the route foreseen in the plan, without the controller's acquiescence, and independently of the true level at which the aircraft is flying.
4.14. In normal situations, there is no problem, because the information that rules is the aircraft's real flight level, presented on the left side of the data block. The problem can occur when, if there is a failure in the aircraft's transponder equipment or in the secondary radar, the information on the left is suppressed and the data block shows only the information for the level foreseen, which may not correspond to the true level at which the aircraft is flying.
4.15. According to the air traffic controllers interviewed, this situation can induce error. The situation becomes even more serious if there is a communication failure, because the controller does not have any way to query the aircraft on the flight level it is maintaining and has to take decisions based on the level foreseen in the flight plan, which may or may not correspond to the true level being flown.
4.16. Still according to these controllers, in the area control centers it is common for a controller to go a few minutes without having contact with an aircraft or to control various aircraft at the same time, which demands greater effort in control of an aircraft's real flight level. If there is a breakdown in the secondary radar, with more than one aircraft flying at a level different than that foreseen in the flight plan, the incorrect presentation of the level in the data block increases the risk of traffic conflict.
4.17. During the interviews, all the controllers questioned affirmed that they did not agree with the automatic change of flight level without the controller's acquiescence. They said that what would be ideal would be for the system to indicate that there is a change of flight level foreseen in the plan for that segment, alert the controller that the aircraft is flying at a level different than foreseen for that leg and, if there is a loss of radar contact, maintain the last information on the aircraft's true flight level. The change in level should be made via intervention by the controller, if it really does happen according to plan, which would eliminate the display of the incorrect level.
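An added sketch, not X-4000 code and not part of the audit report: it models the display behaviour described in 4.13 and 4.14 beside the behaviour the controllers describe as ideal in 4.17. Field names, flag names and the sample flight levels are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def current_block(planned: int, real: Optional[int]) -> dict:
    """4.13-4.14: foreseen level follows the plan automatically; the real
    level is simply suppressed when transponder/secondary radar data is lost."""
    return {"real": real, "foreseen": planned}

@dataclass
class ProposedBlock:
    """4.17: nothing changes without the controller; last real level is kept."""
    confirmed: int                   # level last confirmed by the controller
    last_real: Optional[int] = None  # last real level received

    def update(self, planned: int, real: Optional[int]) -> dict:
        if real is not None:
            self.last_real = real
        flags = []
        if planned != self.confirmed:
            flags.append("PLAN_CHANGE_PENDING")      # plan foresees a new level
        if real is None:
            flags.append("REAL_LEVEL_STALE")         # radar contact lost
        if self.last_real is not None and self.last_real != planned:
            flags.append("LEVEL_DIFFERS_FROM_PLAN")  # aircraft not at plan level
        return {"real": self.last_real, "foreseen": self.confirmed, "flags": flags}

    def controller_confirm(self, level: int) -> None:
        self.confirmed = level       # the only way the foreseen field changes

# Constructed scenario: the plan foresees FL350 then FL330, the aircraft stays
# at FL350, and the real level is lost on the second leg.
PLAN = [350, 330]
SAMPLES = [(0, 350), (1, 350), (1, None)]  # (leg index, real level or None)

def replay(plan, samples):
    proposed = ProposedBlock(confirmed=plan[0])
    return [(current_block(plan[leg], real), proposed.update(plan[leg], real))
            for leg, real in samples]

if __name__ == "__main__":
    for cur, prop in replay(PLAN, SAMPLES):
        print(cur, "|", prop)
```

In the last sample the first model shows only the foreseen level of 330 while the aircraft was last seen at 350; the second keeps 350 on display, marked stale, until the controller confirms a change.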
4.18. They allege, further, that they had already made this change request to Decea, which could be proved by an analysis of the occurrence logbooks, danger reports, and by item 1 of the list of suggestions of improvements in the X-4000 system, made by the Cindacta I controllers on December 27, 2006 (p. 43).
4.19. The Decea representatives, for their part, said that they did not agree with the suppression of this functionality. They allege that the system has worked this way for years and that only after the accident involving flights N600XL and GOL 1907, which happened on September 29, 2006, did the controllers start to ask for this alteration. According to the managers heard, this is related to the fact that the controllers involved in the accident had used as a line of defense, in the criminal trial on the case, the thesis that this functionality had been one of the causes of the accident.
4.20. Another argument used by the managers is that the controllers in the Curitiba area control center, where the system was in the deployment phase at the time of the audit, did not agree with the alteration and that, as there is no unanimity of opinion among the controllers, it should not be done. The auditing team did not have the opportunity to interview the controllers in the Curitiba area control center to confirm whether these users hold this opinion and to verify their reasons.
4.21. Despite the positions presented by Decea, the audit team saw clearly that the functionality of the automatic flight level change, in the way in which it is implemented, does not serve a portion of the users of the X-4000 system. It is therefore up to Decea to revise this functionality, involving the users directly, so that their needs are served in the best way and the operation's safety needs are met.
a) Cobit 4.1 – Control Objectives AI2.2[24];
[24 Item AI2.2 – Detailed Project – Prepare detailed project and the application's technical requirements. Define the acceptance criteria for the requirements. Have the requirements approved to guarantee that they correspond to the high-level project. Undertake re-evaluation when significant technical or logical discrepancies occur during the development or maintenance.]
b) Art. 37, caput, of the Federal Constitution (efficiency principle).
a) Extracts of interviews (CD-ROM annexed);
b) Dispatch nº 6/SDTE/1153 (main volume, p. 43);
c) Occurrence logbook (appendix I, pp. 23, 71, 84 and 86);
d) Danger report (appendix I, p. 112);
e) Client support report (appendix II, pp. 163 and 164);
f) Situation of operational means (appendix II, pp. 274, 277, 278, 280, 283, 284, 285 and 287).
a) Not identified.
Real and potential effects
a) Increase in controllers' level of stress;
b) Endanger the safety of the services provided.
4.22. The X-4000 system has a functionality that automatically alters the flight level displayed, at the point a change is foreseen, without the controller's acquiescence. By means of interviews and analyses of occurrence logbooks, danger reports, the situation of operational means and client support reports, it was found that the controllers think that this functionality should be suppressed. The controllers understand that when there is a transponder or a secondary radar failure and the aircraft is not flying at the foreseen level, the system will display an incorrect flight level, which could endanger the safety of the operation. This alteration has already been requested from Decea.
4.23. On the other hand, the Decea managers do not agree with the alteration, under the principal argument that the controllers' opinion is not unanimous. In the opinion of the auditing team, Decea should re-evaluate this functionality, involving controllers from all the area control centers, in such a manner that their needs are met in the best way, to meet the operation's safety needs.
Proposal for follow-through
4.24. Determine to Decea that, with attention to the efficiency principle contained in the caput of art. 37 of the Federal Constitution, it re-evaluate the X-4000 system's automatic change of flight level functionality, involving the controllers directly, in such a manner that their needs are properly met, similarly to the manner foreseen in item AI2.2 of Cobit 4.1.