The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 6

Thursday 7 June 1990

Contents

o Bei Mir ist es nicht schoen
PGN
o Re: Network follies
Carl Howe
o Bitnet FTP-ing of back issues
Paolo Mattiangeli
o Risk is in the eye of the beholder?
Dick Wexelblat
o Re: The A320's attacks of nerves
Robert Dorsett
Steven Philipson
o Re: Article on A320
Karl Swartz
o A320 - The Attacks Continue
Pete Mellor
o Re: Private mail on BBSes...(and the A320?)
Pete Mellor
o Info on RISKS (comp.risks)

Bei Mir ist es nicht schoen

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 7 Jun 1990 16:13:40 PDT
Sorry for the GermanoRussian pun, but the two Soviet cosmonauts aboard the
space station Mir (= peace) for the past three months have been waiting for
supplies to be brought up by the module Kristall, launched on 31 May, so that
they may attempt to stay in space to attempt repairs of their Soyuz spacecraft
(whose insulation was damaged on launch on 11 February).  The computer
controlling the docking of Kristall with Mir shut down the docking operation
two hours ahead of schedule yesterday.  A Tass report speculates that the
computer system might have detected a malfunction in one of the Kristall's
orientation system engines.  Keep an eye out for further details.  [Source: San
Francisco Chronicle, 7 June 1990, p.  A20]


Re: Network follies (Shimeall, RISKS-10.05)

<chowe@BBN.COM>
Thu, 7 Jun 90 16:08:45 EDT
I'm sure someone must have already replied to you about this, but what they
were probably doing was reconfiguring to deal with the fact that the Arpanet
was decommissioned on June 1.  There is no more Arpanet.  You were probably
rerouted to your local regional net, which in turn is gatewayed to other
networks, thereby making it apparent that the Arpanet is "back".  But rest
assured, the Arpanet is dead.
                                                   Carl

      [THE ARPANET IS DEAD.  LONG LIVE THE ARPANET.   PGN]


Bitnet FTP-ing of back issues

<ERCEDES@IRMUNISA.BITNET>
Thu, 7 Jun 90 06:04:01 -0700
At last I have discovered a way to get back issues of RISKS-Forum via
BITNET. I think it could be interesting for you: BITFTP at PUCC is the
e-mail address to get FTP-BITNET redirection. You should send a message
like this to BITFTP:

ftp CRVAX.sri.com
login anonymous
cd sys$user2:[risks]
get risks-i.j               [for some legitimate values of i and j, obviously]
quit

Please note that connection to CRVAX.sri.com is allowed only after 7 PM.  After
a while, BITFTP replies with a session log and, if the file has been
successfully retrieved, will send the file itself.
                                                            P.

Paolo Mattiangeli, Università di Roma "La Sapienza", Dipartimento di Fisica
N.E., P.le Aldo Moro, 4 - 00185 Roma Italy


Risk is in the eye of the beholder?

<rwex@ida.org>
Thu, 07 Jun 90 14:44:08 E+1
At a briefing today, we were given information about the ATF (advanced
tactical fighter) reported to be "tip-top secret."

(ATF is a highly automated plane that will eventually -- one is told --
house the Pilot's Assistant, an AI package that can fly, land, and fight
the plane under every circumstance.  Right.  Anyway...)

    The ATF has two cockpits.  In the front one is a man.  In the
    back one is a dog.  The responsibility of the man is to turn
    around periodically and feed the dog.  The responsibility of the
    dog is to bite the man if he ever tries to touch any of the
    controls.

Well, it seemed funny at the time.

--Dick Wexelblat
                  [We seem to be specializing in old shaggy dog stories.  PGN]


Re: The A320's attacks of nerves (RISKS-10.02)

Robert Dorsett <rdd@rascal.ics.utexas.edu>
Wed, 6 Jun 90 22:52:05 CDT
> Mr. Bertrand Bonneau (the translator to English)

Actually, Mr. Mellor did the translation.
                               [Yes, that's what he said in RISKS-10.02.  PGN]

>For example, I was very surprised by the total absence of any reference
>to the B7[5]7/B767 with their glass cockpits and computers.

The B757/767 and A320 are two different generations of aircraft.  And nobody's
crashed a 757/767 yet.  The airplanes could certainly come in for criticism
(for the way Boeing's addressed the general man-machine problems of glass
cockpits), but the *critical* issue of the day is the A320.


Looks like it's time for some refresher background:

757, 767, and A310: introduced in '82 and '83: characterized by *conventional*
  flight controls, glass artificial horizons and nav displays (EFIS), and
  performance management systems (PMS).  These airplanes are referred to as
  "classical glass" by at least one magazine (Flight International).

  The 757 and 767 have identical cockpits.  They have conventional (analog
  dial) airspeed, altitude, vertical speed, and VOR/ADF indicators.  These
  surround the two glass EFIS CRT's to form the "classic T."  Engine monitoring
  is accomplished through an Engine Indication Control Advisory (EICAS) system,
  which is comprised of a primary flight instrumentation display (engine
  power, temperature, etc) and a secondary advisory display (checklists, hints,
  systems info, etc. pop up).  These are stacked on top of each other on the
  center console.  Boeing's operational cockpit philosophy, since the early
  1970's, has been "need to know."  The 757/767 represent the most extreme
  manifestation of this philosophy, by any manufacturer, to date.  The
  implementation has resulted in the *necessity* of pilots having to work around
  system obstacles, by pulling circuit breakers (one source claims that on a
  typical 767 flight, sixty CB's are set and reset).  Data from an
  (unpublished?) survey by Earl Wiener indicates that pilots are neatly
  divided in their opinions of the 757/767 cockpit.

  The A310 is similar, except it packs more info into the EFIS displays, and
  it has conventional dial engine instruments.  However, it also has two EICAS
  displays, to handle a multitude of system and advisory information.  Airbus's
  philosophy (on the A310) was "nice to know."  The cockpit is not, however,
  popular with pilots, because of a variety of environmental factors (too
  cold, for one).  There is a retrofit which gives the A300-600 more or less
  the A310's cockpit.  The A320 design leans more in the 757/767 direction.


Next generation: the A320 (introduced in 1988).
  The A320 did away with most dials (except for backup instrumentation)
  and combined airspeed and altitude information into the primary flight
  display.  These bracket (left and right, respectively) the artificial
  horizon display.  The display is quite small (7.25") , and, in my opinion,
  poorly designed (this was recently discussed ad nauseam on RISKS and
  sci.aeronautics).  The nav display (beneath it) is more or less a typical
  nav display.  Nothing revolutionary there.

  The flight controls on the A320 are non-standard.  The aircraft is controlled
  through sidesticks, which map pilot commands into aircraft action.  There
  are a multitude of control modes available (for instance, "direct" mode, in
  which the sidestick deflections map to surface deflections), "autopilot" (in
  which the sidestick controls the autopilot), "C*" (which provides an
  unconventional method of flight guidance), etc.  There are also many
  "protections" built into the various modes, such as automatic engine spool-
  up if the angle of attack gets too high (alpha floor--but it doesn't work
  under 100' radio altitude, hence the Habsheim crash), preventing excessive
  bank or pitch, etc.  The two sidesticks do not provide "active" artificial
  feel (although they do have a spring to prevent excessive deflection), and
  are not interconnected.

  There are manual backups to the flight control system, but they're not
  intended for normal use.  The "manual" backups amount to electric trim, a
  manual rudder, and, according to at least one source, a manually settable
  horizontal stabilizer.  At least one source has claimed that Airbus isn't
  advocating training for the "manual" flight mode, despite it being the
  only way that a test flight (which Bev Littlewood recently mentioned) could
  have been landed.

Latest generation: MD-11/747-400.
  The MD-11 (1990) and 747-400 (1989) feature six large color CRT displays,
  and provide data in a manner similar to that of the A320 and 757/767.
  The MD-11 features a "fly-by-wire" system (without any changes in control
  laws and no protections), with a fully "manual" hydraulic backup.  The
  747-400 features a standard hydraulic-based control system.  Both airplanes
  are two-man ships, though, and include significantly reworked electrical and
  systems design.

  Note, though, that both Boeing and McDonnell-Douglas have opted for
  *conventional* flight laws.  Boeing is reportedly continuing the trend
  with the 767-X (777), which, if launched, will have fiber-optic "fly-by-
  light" systems.

In essence, these airplanes share (a) similar nav displays, (b) similar
PMS/FMCS systems, (c) similar (unknown) problems relating to the consequences
of using digital electronics for flight-critical systems (these range from
static problems to temperature to solar radiation), (d) the unknown effects of
"hiding" a lot of information in two little CRT's, and (e) a propensity to
encourage "heads-down" behavior.  Only the A320, however, has a fly-by-wire
system with "unconventional" control laws, and only the A320 has been sold
on the basis of preventing the pilot from making fatal errors.

As you note, though,

>The main point of this article is that the procedures were bad,

which brings us back to ERGONOMICS.  The point of the article was to draw
attention to the questionable workmanship of the aircraft, and the poor
man-machine interface.  In my opinion, the A320 is the real loser in the
crop of digital airplanes, with the 747-400/MD-11 coming a distant second (for
the idiotic decision to introduce long-range aircraft with only two pilots).

>the French FAA was conducting the investigation rather than the French
>Department of Justice.

Actually, both the DGCA and a local magistrate were conducting an
investigation.  The DGCA has released its report, which white-washed the
aircraft and systems.  The magistrate's report is still to be released (?).


>Even if the French judges are only ten times
>technically-smarter than ours and if the French-FAA is only ten times
>more corrupted than ours, I'd still rather see their FAA, not their DoJ
>conduct the investigation.

But there's an explicit conflict of interest there: Airbus Industrie is
essentially a public-works project for the aerospace sector in Europe.  It
is HEAVILY financed by the French government, and is a major employer in
France.  French prestige is on the line, and we all know how "weird" the
French government can get, when protecting its interests (remember
the Rainbow Warrior? :-)).  The behavior of both the French government after
Habsheim, and Airbus Industrie after Bangalore, are certainly bases for
skepticism.


>Well, in the US the NTSB (and the FAA)
>typically have "probable cause" within a day, even though investigations
>take many months or even years.  Is it suspect, too?

There are numerous cases when the NTSB has not been able to issue a probable
cause, and numerous more where the probable cause has turned out to be
incorrect.  What the French government did, however, was state--in a definitive
manner--that the Habsheim crash was a result of pilot error.  The FORM their
statement took would certainly not be acceptable coming from the NTSB.  It
must be very awkward to have a supposedly objective government agency
immediately *defending* an airplane of which many hard questions can be asked.
It's my impression that what irked many people was this very sight of their
government playing the role of apologist.

To the best of my knowledge, the FAA does not issue probable-cause statements.
Its options are limited to emergency regulatory action, based upon preliminary
crash assessments from the NTSB (cf. the AAL DC-10 at O'Hare).  It, too,
has been known to reverse its decisions.


>To sum it up: opinionated reporting may leave something to be desired.

The style of the article was somewhat clumsy, but it has a number of good
points.  It is not appropriate to discount it solely because of its
feeble attempts at rhetoric.  A number of people seem to have been thrown
off by the assumption that it represents the epitome of the debate in France.
It doesn't, as Pete Mellor has noted.  But it certainly contains enough
(apocryphal) anecdotes to stimulate serious discussion.

Robert Dorsett                                       Moderator,
Internet: rdd@rascal.ics.utexas.edu                  Aeronautics Digest
UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd


Re: The A320's attacks of nerves (Cohen, RISKS-10.05)

Steven Philipson <stevenp@decpa.pa.dec.com>
Thu, 7 Jun 90 15:26:06 PDT
In RISKS 10.05, Danny Cohen <OHEN@ISI.EDU> made some statements
regarding accident investigation in the US that are not correct.

> [...] Well, in the US the NTSB (and the FAA)
>typically have "probable cause" within a day, even though investigations
>take many months or even years.  Is it suspect, too?

   The FAA *never* issues statements of probable cause -- it is
outside its jurisdiction.  The NTSB has primary jurisdiction.  The
role of the FAA in accident investigation is to collect facts and
assist the NTSB in their investigation of accidents.  Probable cause
statements are issued by the NTSB in accident reports that typically
are released about six months after the accident.  NTSB board members
will on occasion issue statements about the focus of investigation,
and about preliminary findings, but official statements are not made
until exhaustive study is complete and the accident report is completed.
Safety recommendations can be made more expeditiously when an urgent
need is perceived, but this is not equivalent to a statement of probable
cause.  There would be a tremendous negative response to a Board member
if he/she made such a statement within a day, and indeed, such a
statement would be suspect.  Just for fun, I challenge all RISKS readers
to find a single case wherein such a statement was made "within a day".

   In the case of the Aloha accident certain facts were known fairly
quickly.  Recommendations were made to the FAA to address perceived
safety problems, but no statement of probable cause was issued until
the official report was released.

>To sum it up: opinionated reporting may leave something to be desired.


   Granted.  The same can be said of misinformed reporting.

                        Steve Philipson


Re: Article on A320 (Mellor, RISKS-10.02)

Karl Swartz <kls@ditka.UUCP>
4 Jun 90 02:21:46 PDT (Mon)
I don't have definitive answers, but I think I can clarify the terms
a bit.  "About-turn on the ground" is an abort before the beginning of
the takeoff roll, that is, a decision to return during the pre-takeoff
taxiing, whereas an "acceleration-stop" is an abort after the beginning
of the takeoff roll but before V1 (the velocity at which the plane is
committed to a takeoff) is attained.  The latter is an aborted takeoff;
beyond V1 the plane is committed to a takeoff though once airborne the
crew could immediately turn back and land.

As for the matter of "cabin altitude being on the increase", pressure
in the cabin is measured in terms of altitude rather than PSI or bars
or some other unit.  Typically, the cabin of a commercial aircraft is
pressurized to a pressure equal to that at an altitude of 8,000 feet
above mean sea level.  A failure of the pressurization system would
cause the pressure to decrease such that the effective cabin altitude
would increase from nominal, approaching the actual altitude of the
aircraft.  Often this occurs due to a rupture of the pressure cabin
and a consequent violent decompression, but in this case it appears
the decompression was gradual, presumably due to a failure of the
regulation systems.  No matter, the pilots still must descend to an
altitude at which the cabin altitude is within acceptable limits.

Karl Swartz, 1738 Deer Creek Ct., San Jose CA 95148  1-408/223-1308


A320 - The Attacks Continue

Pete Mellor <pm@cs.city.ac.uk>
Thu, 7 Jun 90 20:33:41 PDT
In RISKS-10.05, Danny Cohen <OHEN@ISI.EDU> writes:

>            About the A320'S ATTACKS OF NERVES

> Mr. Bertrand Bonneau (the translator to English) did a terrific job of
> translation, given his knowledge of the subject area.  Too bad that the
> original writer is not more knowledgeable of aviation.

If this is a joke about the translation, it's a bit too subtle for me!
My Collins-Robert French Dictionary gives:

        "crise de nerfs - attack of nerves, fit of hysterics;"

Mmm...perhaps the second alternative might be better :-)
Assuming from the lack of smiley that Danny Cohen is serious, then he can't
have read my disclaimer.

He goes on:

> For example, I was very surprised by the total absence of any reference
> to the B767/B767 with their glass cockpits and computers.

Maybe, but M. Bonneau *does* say "...the embedding of numerous
pieces of software on board aircraft of the new generation (A320, but also
McDonnell-Douglas MD 11, Boeing 747-400, among others) can pose problems for
the official agencies.", so he is obviously aware that the A320 is not the
only computerised civil aircraft.

> The main point of this article...

[Actually the main point of the subsection on the enquiry into the
 Mulhouse-Habsheim crash: the main article is far more concerned with technical
 problems of FBW and glass cockpits.]

>                                ...is that the procedures were bad, and that
> the French FAA was conducting the investigation rather than the French
> Department of Justice.

Err..not *quite*. Bonneau's point is that French government regulations
(to which he gives precise references) place the responsibility for
conducting such investigations on the Inspection Generale de l'Aviation
Civile (IGAC), under the direct authority of the Minister of Transport
[note: *not* the "French Department of Justice"], and not on the Direction
Generale de l'Aviation Civile (DGAC), which is the French equivalent of the FAA.

The only information I previously had on alleged procedural irregularities came
from some slightly confused accounts in the UK and US press (Herald Tribune
11th July 1988, Financial Times 11th July 1988, Guardian 12th July 1988,
New Scientist 21st July 1988). It was Germain Sengelin, senior examining
magistrate at Mulhouse, who complained at the DFDR and CVR being handed over
to the DGAC without being placed under judicial seal to "guarantee their
authenticity and integrity" until the enquiry. He was taken off the case.

>  Well, in the US the NTSB (and the FAA)
> typically have "probable cause" within a day, even though investigations
> take many months or even years.  Is it suspect, too?

Depends. The pilot and copilot survived the Mulhouse crash, and immediately
made statements implicating delays in engine acceleration (Times 27th June
1988). The engines are controlled by FADEC, and this in turn responds to the
EFCS. The question about exactly *what* goes onto the DFDR, and from *where*
it is captured in the processing chain, had previously occurred to several
people (including myself) who take an interest in the A320. If Bonneau's claims
about this are correct, it confirms our suspicions: even *with* the information
from the DFDR, it would not be possible to identify "pilot error" as the sole
cause without other evidence. Metal fatigue in antique airframes (Aloha B737
28-Apr-88) is well understood as a cause of accident. Systematic failure of
a complex FBW system is not. That, together with the statement of an experienced
pilot that the engines did not respond to commands, make the following timetable
look a bit like a "rush to judgement":

26th June, 1245: Mulhouse crash. DGAC takes control of DFDR and CVR.

26th June, evening: Air France and BA A320's grounded.

27th June: Louis Mermaz, French Minister of Transport, announces that analysis
           had shown the plane suffered no technical problems.
           (Guardian, 28th June)

Same day: Jean Volff, local public prosecutor at Mulhouse, announces that
          "The inquiry points towards pilot error." and that "he could not
           exclude prosecution of the pilots for manslaughter if error is
           proved". (Guardian, 28th June, same article)

Same day: BA reverses grounding decision after "it had discussed the situation
          with both the Civil Aviation Authority and manufacturers Airbus
          Industrie". (Evening Standard, 27th June)

28th June: A320's back in service.

The last event is the one that matters, of course. Bonneau's speculation that
"... the concern of the only technical enquiry had overridden that of the
judicial enquiry." may be true. The concern that overrode everything was to get
the A320 back in the air.

From the New Scientist, 21st July 1988:

"...the day after the accident, the DGAC announced a preliminary conclusion that
the pilots, and not the aircraft, were to blame for the disaster. According to
the French press, details of the flight records were given to Aerospatiale,
which announced that it had confirmation that the aircraft was not at fault in
the crash. Several days later, the DGAC exonerated the mechanical performance
of the Airbus. The head of the DGAC, Daniel Tenenbaum, said that if this had
not been the case, it would have been necessary to ground the A320 for tests."

(And we couldn't have that, now, could we? :-)

[In fairness, I should add that I have spoken to a number of people in the
CAA and elsewhere who know a lot about flight certification and about the
Mulhouse accident in particular, who have assured me that it *was* pilot
error, but, as always, confidentiality prevented them from saying *how* they
knew that.]

> I take it to imply that this shows that because of "*Industrial
> Secrets*" (which cover the software) the operating airlines could not
> use any "good computer scientist" to simply go ahead and fix that fault.
> If this is the case -- how about all the regression testing ...

I agree. If Bonneau thinks that each user could hack together his own patches,
then he's WRONG. He is, however, quite right to point out elsewhere that
it's not possible to certify a system containing embedded software to any
high degree of reliability (and certainly not to 10^-9) by treating it as a
black box, and the industrial secrecy protecting the A320 software means that
it is possible to do little else.

In fact the regulations (FAR 25.1309 plus AC 25.1309-1) require a "critical"
*system* to be demonstrated to have 10^-9 max. probability of failure, but
specifically 'cop out' when it comes to the *software* in those systems, and
refer to RTCA/DO-178A, "Software Considerations in Airborne Systems and
Equipment Certification", which is essentially a set of guidelines for good
development practice, and requires that certain documents (specifications,
test plans and results, etc.) be made available to the certification authority.
There are 3 levels of software, of which level 1 is for "critical" systems
(those which can crash the aircraft if they fail). (However, note that by
"using appropriate design and/or implementation techniques" it may be possible
to put lower level software in a critical system.) Even at level 1, source
code and object code are *not* required, and a source listing is only required
for a re-certification following modification! Only the vendor of the software
and the customer (i.e. the airframe manufacturer) are required to test the
software.

A320 EFCS software was rated as level 1. Heaven knows what's in the FADEC!
(The European regulations are almost identical to the US.)

As a modest proposal for improving our certification of flight-critical
software, may I suggest:

- Access to source and object code by certification authority.

- Independent Verification and Validation (IV&V) by 3rd party.

Danny Cohen ends:

> To sum it up: opinionated reporting may leave something to be desired.

To which I say: so may our certification procedures for flight-critical
software!

Also in RISKS-10.05, Atkielski.TDS-ASF@SYSTEM-M.PHX.BULL.COM points out that
the actual magazine is "Science & Vie", and that the article was in the
"Aeronautique" section. Sorry, my fault. Serves me right for working from a
photocopy of only the relevant pages.

He also points out that:

> A rebuttal from Bernard Ziegler, technical director
> of Airbus Industrie, may be found in the following May issue.

My thanks for this information. Perhaps in the interests of balance, RISKS
should carry a translation of that, too. Are you offering, Bernard? Come on,
it's someone else's turn! :-)

My thanks also to Steven Philipson, Karl Swartz and Jordan Brown for answers
to my queries about the terms "acceleration-stop", etc. Since Karl copied his
reply to RISKS, I assume it will be appearing shortly.

Pete Mellor
(Author of the above, but mere translator of Bertrand Bonneau's article!)
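
  [The following worked example is added here by the editor; it is not part
  of Pete Mellor's post, nor taken from FAR 25.1309, AC 25.1309-1 or
  RTCA/DO-178A.  It puts numbers on Mellor's claim that a 10^-9 per-hour
  failure probability cannot be demonstrated by black-box testing.  It
  assumes the standard constant-rate (Poisson) failure model behind such
  figures; the function names and the 10,000-hour test campaign are
  hypothetical, chosen only for illustration.]

```python
import math

# Added example (editor's, not from the RISKS post or the regulations).
# Assumption: failures arrive as a Poisson process with a constant per-hour
# rate, which is the model behind "10^-9 per flight hour" requirements.

HOURS_PER_YEAR = 365.25 * 24


def poisson_cdf(k: int, mu: float) -> float:
    """P(N <= k) for N ~ Poisson(mu), accumulated term by term (no factorials)."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def critical_mu(confidence: float, failures_allowed: int) -> float:
    """Smallest expected failure count mu at which seeing at most
    `failures_allowed` failures is no more likely than 1 - confidence.
    For failures_allowed == 0 this is simply -ln(1 - confidence)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0
    while poisson_cdf(failures_allowed, hi) > target:   # widen the bracket
        hi *= 2.0
    for _ in range(200):                                 # bisect on mu
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures_allowed, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi


def hours_to_demonstrate(rate_per_hour: float, confidence: float,
                         failures_allowed: int = 0) -> float:
    """Operating hours, with at most `failures_allowed` failures observed,
    before a true per-hour rate of `rate_per_hour` can be rejected at
    the given confidence."""
    return critical_mu(confidence, failures_allowed) / rate_per_hour


def demonstrable_rate(test_hours: float, confidence: float,
                      failures_seen: int = 0) -> float:
    """The inverse view: the lowest per-hour failure rate that `test_hours`
    of black-box testing with `failures_seen` failures can actually support."""
    return critical_mu(confidence, failures_seen) / test_hours


def certification_gap(target_rate: float, test_hours: float,
                      confidence: float = 0.99) -> dict:
    """Side by side: what the 10^-9 requirement asks for, and what a test
    campaign of `test_hours` failure-free hours really establishes."""
    needed = hours_to_demonstrate(target_rate, confidence)
    shown = demonstrable_rate(test_hours, confidence)
    return {
        "target_rate_per_hour": target_rate,
        "hours_needed": needed,
        "years_needed": needed / HOURS_PER_YEAR,
        "test_hours_available": test_hours,
        "rate_actually_demonstrated": shown,
        "shortfall_factor": shown / target_rate,
    }


if __name__ == "__main__":
    # Constructed figure: 10,000 failure-free test hours is a hypothetical
    # campaign size chosen for illustration, not a number from the page.
    gap = certification_gap(target_rate=1e-9, test_hours=10_000)
    for key, value in gap.items():
        print(f"{key:>28}: {value:.4g}")
```

  Under these assumptions, rejecting a 10^-9 per-hour rate at 99% confidence
  needs about 4.6 x 10^9 failure-free hours (over half a million years of
  continuous operation); 10,000 failure-free hours support a rate of roughly
  4.6 x 10^-4 per hour, some five orders of magnitude short.  Allowing an
  observed failure only lengthens the required exposure, which is why Mellor's
  suggestion that the authority needs the source code and independent V&V,
  rather than a black-box test record, is the practical consequence.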


Re: Private mail on BBSes...(and the A320?)

Pete Mellor <pm@cs.city.ac.uk>
Thu, 7 Jun 90 20:53:21 PDT
With regard to David Gursky's points about BBS mail that deals with "illegal"
activities, what if Airbus Industrie decides the Bertrand Bonneau's article
is libellous. Do they sue the publishers of "Science & Vie", M. Bonneau, me,
Peter G. Neumann, or all of us?

OK, RISKS is a moderated forum, so I suppose the buck ought to stop with the
moderator. :-)

This problem reminds me, however, of the case of Goldsmith v. Pressdram
(publishers of the UK magazine "Private Eye") a few years ago. Sir James
Goldsmith sued Private Eye for libel. As part of his action, he also tried to
sue the distributors and retailers of the magazine. This was thrown out, since
if the precedent had been established, it would have meant that every newsagent
and magazine stall-holder in the land would be expected to read every
publication he sold from cover to cover, and be liable if he failed to
withhold any issue that was libellous.

Doesn't a similar common-sense principle apply to (non-moderated) BBS's?

Pete Mellor
