Obsolescence in Aviation Systems of Systems with Applications in ATM

Systems-of-Systems theory is enlarging the perspective that engineers have on the objects of their work. Previously, efforts were focused at the system level, and by managing system inputs and outputs, all interactions between systems were thought to be addressed. With age, a system-of-systems designed individually at different moments in time will degrade as an overall fitness to purpose, will grow to a certain degree of obsolescence. In aviation this is most evident since systems invented and put in place 60 years ago are still operating. The assumptions made originally when the system was created became obsolete, gradually or in quantum leaps. This paper uses examples from air navigation to illustrate that the fitness for purpose for an individual system does change over time and with the changes in the environment the system is working in. The first time a system is established as an industry standard, its first design, and its first architecture presumably best fit the requirements, the specifications. Although these specifications of the system do not change in time, the fitness to the purpose does change and usually decays. This is only obvious in a systems-of-systems analysis, done for the system now part of a system-of-systems. The paper studies the following cases of obsolescence with impact on Air Traffic Management: Radar Altimeters, ILS Glide Slope intercept from above, Continuous Descent Approach effects on turbine engines, and evolution of SSR transponder utility.


Introduction
Aeronautical safety is now at an unprecedented level of just 0.2 accidents per million flights in Europe and North America [1].Accidents and incidents are no longer in statistically significant numbers to allow improvements by statistical analysis.New approaches to safety are needed, for example, the study of latent conditions, weak signals, and second-order causal factors.This paper is an analysis of latent conditions caused by obsolescence.The case studies considered have one thing in common: the evolution of air navigation operations caused a legacy system operational failure, despite it being initially correctly designed, safe, and fit for purpose.The evolution of air navigation operations over several decades may bring some systems to a tipping point, from where the system becomes unsafe in a subtle, nonobvious way.The consequence of these findings is the idea that a very thorough safety case should be done every time a change is considered in air navigation, and this analysis should include a wide range of systems and subsystems which may be affected.In the cases below, such a safety case was strictly limited to the navigation problem or did not exist at all.The subtlety of this type of latent condition escaped even the accident or incident investigation reports, which search for the immediate causal factors.Any system is normally designed with a safety concern, and it is safe and fit for purpose at the time of its design.Over time, minor and major changes may impact the way

Methodology
Applying changes in aviation systems requires a study of the impact on safety with mitigating factors for all the identified risks (risk management) [2].A new system is accepted only if it is fit for purpose and operationally safe.Consequently, the changes do not degrade safety in most cases.Specific training helps lower the risks.As the new systems grow older, the safety improves because there is more experience using them, fewer operational surprises, and the systems deliver what is expected from them in a multitude of scenarios (Figure 1).However, a reversal of safety in time can be identified; systems do not deliver what is expected from them anymore, not because they change, but because what is expected from them changes: obsolescence.This paper aims to test the validity of the following hypothesis: the systems obsolescence could be a latent condition with an impact on safety.Which proofs of this hypothesis can be found?An analysis of the ways the obsolescence develops is another objective of this paper.
A case study methodology is used, with a bottom-up analysis of examples.Are there major changes in the way legacy systems are used?Do these changes impact safety?
The focus of this paper is the impact of air navigation, flight trajectory, and ATM (Air Traffic Management) changes in how the systems are being used.

Systems impacted by obsolescence and changes which trigger the phenomenon
Four legacy systems have been found to be impacted by obsolescence due to changes in navigation: • ILS-GP (Instrument Landing System -Glide Path Subsystem)   2, which is also described in Table 1.

Obsolescence Due to Continuous Descent Approach (CDA)
Initially, the intermediate approach consisted of a segment of level flight until the Final Approach Point (FAP), where the aircraft started descent along the glide slope.The whole descent phase consisted of an alternance of level segments and descents.The optimal descent trajectory however is a continuous descent to touch down.The CDA introduced in the 2000s [6] typically saves 500 kg of fuel per flight due to the shorter time of flight, and at the same time reduces emissions and noise impact on the residential areas near the airport.However, it introduces a deviation from some specifications of the ILS-GP and propulsion systems and reduces the error margin in-flight energy management.
Figure 2 -Timeline of systems impacted by obsolescence.
Such continuous descent operations created unprecedented premises for fuel freezing in turbofan engines during extremely cold temperatures, as illustrated by the BAW 38 case.

Case BAW 38, B772, London Heathrow, 17/01/08
British Airways 38 from Beijing to London Heathrow was on the final approach to RWY 27L 1.7 NM from the threshold and at 700 ft height when both engines failed to respond to increased thrust from the autothrottle.The autopilot tried to maintain the ILS glide slope and sacrificed speed, which went down to 108 kts.Copilot took over manually and Captain Peter Burkill retracted flaps from 30° to 25° to reduce drag.It was a bright decision since it improved the gliding slope and avoided a collision with the ILS antennas by a small margin.With both engines not delivering thrust, the airplane touched down 270 m short of the runway, and the landing gear collapsed.All occupants survived, but the aircraft was destroyed.Both Rolls Royce Trent 800 engines were fuel-starved due to the ice accumulated in the heat exchanger.The flight encountered extremely low temperatures enroute over Siberia (-74°C) and the Continuous Descent Approach (CDA) left the engines idle for 25 minutes.Although the fuel temperature did not exceed limitations, due to the prolonged idle thrust, ice crystals blocked the flow of fuel and both main fuel pumps cavitated.The engine design was found compliant with the specifications.It needed a new design though for the heat exchanger, which provides engine heat to the fuel pipes.When the engines were designed initially, CDA did not exist, so during descent, the engines were not idle for such a long time [6].

Case AFR 7512, A318, Toulon, 20/12/19
The Glide Path (ILS-GP) subsystem of the ILS is aimed at providing a certain and reliable radio signal on the downward glide slope to a touchdown during the final approach [3].ILS is one of the oldest radio navigation systems still in use since 1929.Until 20 years ago the G/S (Glide Slope) signal provided by ILS-GP was fit for purpose.What happened in 2000s was a change in approach flight procedures.In CDA the level flight was removed from the approach procedures.No more level-off segments were performed during the approach, in other words, the descent became continuous.Consequently, at FAP (Final Approach Point) the aircraft was descending instead of flying level, so the G/S radio signal started to be regularly intercepted from above.Before that, the G/S was intercepted normally from below.The classic autopilots were not even technically capable of intercepting the signal from above.
The ILS-GP glide slope signal was designed to be captured from below, as the navigation used to be until 2000s.The problem with capturing it from above was the multiple false signals, which were not distinguishable from the real one.This effect was created by the ground reflection of the lower lobe.As a matter of principle, the ILS equsignal method uses two lobes and the lower lobe was too close to the ground to avoid ground reflections.The integrity of the ILS-GP was lost if the glide slope was to be captured from above.
The flight AFR 7512 from Paris Orly was on a direct ILS approach to RWY 05 at Toulon in up to 50 kts tailwind, which decreased the flight path angle.The air traffic controller noticed the insufficient descent and instructed the crew to miss the approach, but the pilots ignored it.As a consequence of the high altitude, the ILS-GP captured from above a false 9° glide slope (Figure 3), which resulted in an excessive pitch-up attitude (30°).After applying the manual countermeasures in case of an upset situation, the flight continued manually with a Go-Around and landed safely on a second attempt [7].

Case AFR 521, A343, Paris CDG, 13/03/12
The flight AFR 521 from Bamako was on the approach to RWY 08R at Paris Charles de Gaulle in IMC.The APP controller requested a fast approach and at the same time was late in clearing the descent steps.To make things worse, the crew opted for Open Descent (OP DES) instead of the VS mode required by SOP.These factors combined resulted in the A/P capturing the false 10° glide slope instead of the normal 3° (see Figure 4).The situation resulted in an attitude upset (excessive pitch up to 26° in 12 seconds).The captain reacted by disconnecting the A/P and performing a Go-Around.The second approach was successful, but the incident was considered serious.When ILS was designed, all approaches started from a level-off intermediary approach phase, so the capture was done always from below [8].Solutions to prevent false glideslope interceptions are discussed in [9].

Obsolescence Due to Dependant Surveillance
When the SSR Transponder was invented in the 1930s, it was an auxiliary system to the Secondary Surveillance Radar and had no flight safety consequence.If it ceased to function, the Primary Radar lost its Secondary echo, and the air traffic controller noticed a target without a label.The air traffic was sparse at the time, and noticing this change was easy.The reaction to an XPDR malfunction was an RT request on the frequency to the pilots to check their transponder, and the problem could be easily managed.However, the evolution of ATMs gradually dropped civilian Primary Radars, and the transponder itself evolved to provide multiple functions, with a major application in Airborne Collision Avoidance Systems (ACAS) / TCAS systems [10].The consequences of this evolution are two-fold: (1) there is no easy, immediate notice of a transponder failure; (2) flying with a failed transponder results in a major safety risk, in typical crowded airspace.None of these consequences could exist at the time of SSR transponder introduction and design, so a transponder malfunction does not trigger a critical alert (warning or caution) and does not even address the Flight Warning Computer System.The evolution of the aviation system however would require rethinking this decision.Under the newer circumstances, it would be highly appropriate to issue a caution to the pilots.Some types of aircraft do have the transponder malfunction LED visible enough in the pilot's immediate visual field (e.g.Embraer).

Case LOT 7293 E170 and Dassault Falcon 900 airprox, Varna, 30/06/15
Dassault Falcon 900 in Varna ACC was involved in an airprox 0.9 NM / 0 ft at FL370 with an unidentified aircraft, LOT 7293 E170 flying without an active transponder.XPDR turned to Standby Mode without pilot awareness (Figure 5).ROMATSA Bucuresti ACC BANAP Sector ATCOs did not notice the missing radar target.Bucuresti ACC DINSI Sector ATCOs were informed by the military about a primary target flying without a transponder, NATO response was activated, but the BULATSA ATCOs were not informed.Other pilots reported seeing the E170 close and without TCAS, but the radar contact was not established before the airprox with the F900 [11].GLO 1907 flight was planned at FL370.No radar control was provided in the Amazonia region of Brazil.The E135 flight was planned for FL380 but was cleared by ATC to fly at FL370 on the same airway, from the opposite direction.The E135 transponder was not functioning, with no alert to the crew, no FWCS caution, just a white colour static message on EICAS.The two aircraft collided, causing the crash of the Boeing 737-800 (GLO 1907).The Embraer managed to land with a damaged wingtip [12].
Figure 5 -Trajectories of flights LOT 7293 and F900 business jet on a collision course [11].

Obsolescence Due to 5G Communications Interference with Radar Altimeters
The radar altimeter (R ALT) is a legacy system developed in the 1950s as a Decision Height reference and major Ground Proximity Warning System sensor, but its use evolved.Since the 1970s it became essential to the autoland function of the autopilot, enabling the automated flare manoeuvre [3], [13].Thus, R ALT got a new role, that of a system involved in vertical navigation guidance in a vulnerable phase of the flight (flare).The lack of R ALT integrity was acceptable before this new role, but now there is an automated manoeuvre close to the ground commanded based on the R ALT signal, and since this signal is not guaranteed, a safety risk occurs [5].
In the beginning, the radio band reserved exclusively for radar altimeters between 4200 and 4400 MHz had quiet neighbouring bands (Figure 6).In this case, the environment changes in the 2020s regarded the use of adjacent radio bands caused disturbance of the normal functioning of radar altimeters.The filters used in some types of legacy radar altimeters are not able to prevent interference (see the receiver front-end filter response in Figure 6).The radar altimeter principle does not provide too much integrity in the sense that false measurements may replace the correct measurements without any warning.Until the automated flare manoeuvres the integrity was not an issue since in the worst case, nuisance alerts could be triggered and as a result, unnecessary climbs may have occurred.
By January 2023, large commercial airplanes recorded not less than 80 incidents of R ALT interference with 5G transmissions since 2021, when the 5G new radio band was occupied in the US.These events were predicted by [14], however, the deployment of the 5G antennas near major US airports continued, based on a competing study [15].No serious incident has been recorded as yet, but this is also the result of the cancelling of hundreds of flights in 2021 under the NOTAMs issued by the FAA.A scenario of what could happen is illustrated by an older accident, THY 1951 when one R ALT was malfunctioning and the only remaining functional R ALT failed during the automated final approach.In 2009 there was no 5G interference, the cause of R ALT failure was its electronics, but the outcome of a 5G interference could be similar.R ALT integrity is not sufficient for its new role in the vertical guidance of a large aircraft close to the ground.

Conclusions
Systems obsolescence is a latent condition with an impact on safety.Aviation safety deals with changes very well, pushing the risks down below at the beginning of the life cycle of a system.However, obsolescence is less studied and less understood, and there is no risk management mechanism to address it.Not even the accident investigation reports go too far in assessing the obsolescence latent conditions.There are active measures (recommendations) which would remove obsolescence effects in the cases presented in this paper: (1) avoid ILS-GP obsolescence by including a filter in the AFCS software to ignore the false glide slopes when capturing G/S from above in the Approach mode; (2) avoid R ALT obsolescence by (i) removing 5G communications antennas from the runway axis at major airports and protect the runway axis area and (ii) integrating R ALT in FWCS as to warn on failures during approach; (3) avoid XPDR obsolescence by integrating XPDR in FWCS as to issue an alert if XPDR does not function, this alert being of equal severity as TCAS TA.

Figure 1 -
Figure 1 -Evolution in time of risks associated with systems, along their life cycle.

Figure 2
Figure 2 illustrates the timeline of these systems impacted by obsolescence.The three changes considered in this paper are the following: (1) Continuous Descent Approach, (2) Dependant Surveillance technology, and (3) 5G communications in the vicinity of airports.They are illustrated in Fig. 2 by rectangles.Six relevant safety occurrences are marked in Fig.2, which is also described in Table1.

Figure 6 -
Figure 6 -The radio C Band spectrum usage explaining the greater impact of 5G antennas in the US in 2021 on the Radar Altimeters [5].
Evolution of technology: new systems or functions added over time on top of existing ones, or new systems starting to use radio bands in the neighbourhood of existing ones.•Air traffic growth and the resulting typical air traffic density.
• Flight trajectory optimisations specifically the Continuous Descent Approach trajectory, enabled by the FMS (Flight Management System) and the AMAN/XMAN (Arrival Management / Extended Arrival Management) ATM automated tools.• The generalisation of flight automation, and growing dependence on automation.