The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 16

Weds 15 June 1994

Contents

o Congressman Jack Brooks' Statement on Crypto
David Banisar
o WSJ article: RFI hoses medical equipment
Robert Allen
o Summary of safety-critical computers in transport aircraft
Peter Ladkin
o More on Airbuses
Robert Dorsett
Peter Ladkin
Wesley Kaplow
Pete Mellor
Kaplow again
Bob Niland
o Info on RISKS (comp.risks)

Congressman Jack Brooks' Statement on Crypto

David Banisar <Banisar@epic.org>
Tue, 14 Jun 1994 14:20:25 -0400
  The following statement by Rep. Jack Brooks (D-TX) was today
  entered in the Congressional Record and transmitted to the
  House Intelligence Committee.  Rep. Brooks is Chairman of the
  House Judiciary Committee and played a key role in the
  passage of the Computer Security Act of 1987 when he served
  as Chairman of the House Government Operations Committee.

  David Sobel <sobel@epic.org>
  Legal Counsel
  Electronic Privacy Information Center

  =============================================================

                 ENCRYPTION POLICY ENDANGERS U.S.
              COMPETITIVENESS IN GLOBAL MARKETPLACE


       For some time now, a debate has been raging in the media
  and in the halls of Congress over the Administration's
  intention to require U.S. corporations to use and market the
  Clipper Chip, an encryption device developed in secret by the
  National Security Agency.

       The Clipper Chip will provide industry and others with
  the ability to encode telephone and computer communications.
  The use of the Clipper Chip as the U.S. encryption standard
  is a concept promoted by both the intelligence and law
  enforcement communities because it is designed with a back
  door to make it relatively easy for these agencies to listen
  in on these communications.

       The law enforcement and intelligence communities have a
  legitimate concern that advances in technology will make
  their jobs more difficult.  But the issue here is whether
  attempts to restrict the development, use and export of
  encryption amount to closing the barn door after the horse
  has already escaped.

       The notion that we can limit encryption is just plain
  fanciful.  Encryption technology is available worldwide --
  and will become more available as time goes on.

       First, generally available software with encryption
  capabilities is sold within the U.S. at thousands of retail
  outlets, by mail, even over the phone.  These programs may
  be transferred abroad in minutes by anyone using a public
  telephone line and a computer modem.

       Second, it is estimated that over 200 products from
  some 22 countries -- including Great Britain, France,
  Germany, Russia, Japan, India, and South Africa -- use some
  form of the encryption that the Government currently
  prohibits U.S. companies from exporting.  According to the
  May 16, 1994 issue of _Fortune_, not only are U.S. companies
  willing to purchase foreign encryption devices, American
  producers of encrypted software are also moving production
  overseas to escape the current export controls.

       Third, encryption techniques and technology are well
  understood throughout the world.  Encryption is routinely
  taught in computer science programs.  Textbooks explain the
  underlying encryption technology.  International
  organizations have published protocols for implementing high
  level encryption.  Actual implementations of encryption --
  programs ready to use by even computer novices -- are on the
  Internet.

       The only result of continued U.S. export controls is
  to threaten the continued preeminence of America's computer
  software and hardware companies in world markets.  These
  restrictive policies jeopardize the health of American
  companies, and the jobs and revenues they generate.

       I support, therefore, the immediate revision of current
  export controls over encryption devices to comport with the
  reality of worldwide encryption availability.

       I believe law enforcement and the intelligence community
  would be better served by finding real and targeted ways to
  deal with international terrorists and criminals rather than
  promoting scattershot policies, which restrict American
  industries' ability to design, produce and market technology.

       Now -- more than ever -- we cannot afford to harm our
  economic competitiveness and justify it in the name of
  national security.


WSJ article: RFI hoses medical equipment

Robert Allen <Robert.Allen@eng.sun.com>
Wed, 15 Jun 1994 11:37:44 -0700
The 15 Jun 1994 Wall St. Journal has an interesting front-page article about
how RFI generated by radios & cellphones is screwing up operation of sensitive
medical equipment such as heart defibrillators, diagnostic equipment, and even
electric wheelchairs.

Some of the horror stories sound apocryphal, like the electric wheelchair
"zapped by radio waves" that sent its passenger over a cliff.  Others sound
entirely possible: a 72-year-old man died in an ambulance when the heart
defib. device he was on failed due to RFI from the ambulance two-way radio.
The ambulance mfgr. had replaced the steel roof with a fiberglass dome, and
put the antenna on top (duhhhhh).  The best story however was about some poor
sap who had a pacemaker installed after diagnostic equipment indicated he
needed one.  It was later discovered the diagnosis was in error, and was
caused by RFI from a television in the same room.  Runners up for best story
were from the mother whose use of a cellphone in the car affected the
ventilator her child was using in the back seat.  In a hospital ward a whole
bunch of ventilators alarmed when the handyman keyed his transceiver.

As is demonstrated by the TV case, even having technicians install and test
new equipment can't account for the fact that just moving the stuff around
during a spring cleaning might put two pieces in juxtaposition to cause
problems.

Having recently seen more than my share of medical equipment, I'm sorely
unimpressed with the ruggedness of it (it sort of reminds me of ICOM radios).
Still, with more and more people using cellphones I figure we'll have more and
more problems.  I wonder if cellphones will be the health hazard in the '90s
that radium watch dials were in the '40s?

Robert


Summary of safety-critical computers in transport aircraft

Peter Ladkin <Peter.Ladkin@loria.fr>
Wed, 15 Jun 1994 22:13:19 +0200
Given the interest in RISKS on computers in aviation, and some confusion
concerning characteristics of Airbus aircraft, I thought it might be useful to
summarise for RISKS readers some of the current state of things.

I believe there have been three major accidents involving Airbus aircraft in
the last year: an A320 ran off the end of the runway in Warsaw in September
1993, killing two people and injuring many; the crew of an Aeroflot Airbus
A310 lost control during cruise flight, which led to the death of everyone on
board; and a China Airlines A300 crashed recently tail-first (!) on landing at
Nagoya, killing all or almost all on board.

The A300 and A310 aircraft have `conventional' control, that is, physical
control of the aircraft is transmitted by mechanical or hydraulic means to
most of the flight control surfaces. The normal flight control of the Airbus
A320, A321, A330 and A340 aircraft, in contrast, is achieved by computer, to
which the pilots' sidestick movements are one set of inputs. This is
colloquially known as `fly-by-wire'. `Fly-by-wire' aircraft have been in
regular use by the military for over 20 years, but the A320 is the first
commercial `fly-by-wire' transport, introduced in the early '90s. Pilots have
extremely limited direct physical control of A320/21/30/40 aircraft should the
flight control computers be unavailable, a situation which is anticipated not
to occur during the lifetime of the fleet.

The first flight of the Boeing 777 took place on Sunday 12 June, 1994.  The
B777 is Boeing's first `fly-by-wire' commercial transport, which it is hoped
will be `certificated' in April 95 with delivery to its first customer, United
Airlines, in May 95.

The B777 is a significantly different design from the A320, and I would be
very surprised if there were to be any accidents attributable to features
common to A320/21/30/40 and B777 aircraft which are not also common features
of conventional aircraft such as the B737.

Airbus claims its design philosophy is `evolutionary', that is, the systems
are not designed from scratch, but introduced gradually into the company's
designs after success in previous designs. Nevertheless, there are steps, such
as that to `fly-by-wire' in the A320, which RISKS readers may consider more
significant than others. See the article by J.P. Potocki de Montalk, Head of
Airbus Cockpit/Avionic Engineering at Airbus, in Microprocessors and
Microsystems 17(1).

A useful and readable reference for those interested in A320 accidents is
RISKS contributor Peter Mellor's long paper `CAD: Computer-Aided Disaster!'
which contains a description of the design of the A320 Electrical Flight
Control System, and detailed commentary on all A320 accidents to date, and is
to my knowledge the only single source to do so.  A version of this paper is
to appear in High Integrity Systems journal.

Apart from the flight control on A320/321/330/340s and B777s, there are
potentially RISKy computer-based systems on almost all modern transport
aircraft, of which maybe the most important are the autopilot/Flight-Director
and the FADEC (Full-Authority Digital Engine Control). All commercial aircraft
have autopilots of various degrees of sophistication (and most have Flight
Directors, which provide passive guidance rather than active control), and
these may be suspect in certain incidents (e.g.  the Collins autopilots on
B757 and B767 aircraft: see PGN in RISKS-15.08, and my posting in
RISKS-15.13).  Many modern aircraft also have FADEC, which has occasionally
come under investigation, but I can't think of occasions so far on which they
have been considered primary cause of accidents or incidents.

Human factors are very important. A taskforce has recently been convened to
study incidents of `controlled flight into terrain', in which the continued
safe flight of the aircraft is impeded by a cloud with a crunchy center (see
The Economist, June 4-10 1994, p92). In these accidents the physical
performance of the airplane is generally not a factor, but they may
nevertheless be computer-related, since guidance and air traffic control
relies on computers to various degrees.

Aircraft accidents are amongst the most well-studied of failures in any
engineering discipline. I have never held any position in the aviation
industry, but some of my research interests and hobbies bring me there.  My
continuing experience is that it pays to try to take as much care in forming
opinions about them as it does to report them accurately in the first place. I
wish I could be better at both.

Peter Ladkin


Re: Overy, RISKS-16.15

Robert Dorsett <rdd@netcom.com>
Wed, 15 Jun 1994 13:56:56 -0700
Phil Overy <PJO@ib.rl.ac.uk> wrote, under the subject "Correction of my post
on "A-THREE-HUNDRED" crash at Nagoya":

> The Taiwanese plane did not crash after any kind of automation or airframe
> failure, but when the auto-pilot was left on until too late.

This is not clear.  There are normally three or four ways to disengage any
autopilot:
    - a switch on the glareshield.
    - a deactivate switch on the yoke
    - pushing or pulling forcefully on the yoke
    - a circuit breaker as a last resort

In this case, it appears the crew were aware of the problem for over TWO
MINUTES--an eternity--and fought the airplane to the ground.  I refuse to
see this trivially dismissed as "operator error" or "they didn't turn off
the autopilot until it was too late."

This is a horrifying situation, and if there is a mechanical or interface or
modal failure lurking beneath the scenes, it needs to be rectified.  AND
UNDERSTOOD: if it's even as simple as a service or maintenance issue, then the
problem could recur on other airplanes.


> Peter Ladkin tells me that the president of the airline resigned after the
> crash, so it doesn't sound as if they are trying to transfer responsibility
> to the manufacturers.

Again, after a long string of crashes.  I believe the president or VP of
JAL was ultimately compelled to resign after the 747 SR crash in Japan.
This has nothing to do with culpability: it's accountability.  A form of
personal responsibility which seems to be quite absent in Western
corporate culture.  There is nothing more one can draw from it than that.

>I could have phrased it better, but I would point out that Boeing also now use
>fly-by-wire (on the brand new 777), so the earlier correspondent was misguided
>in thinking that Boeing were staying away from fly-by-wire. The 777 is also a
>much bigger plane than the A320...

Airbus has continued evolving its aircraft line.  There are now the A330 and
A340, heavy long-range transports.  Same interface.


And

Wesley Kaplow <kaploww@cs.rpi.edu> writes, under the subject "Does it matter
why A3??'s have a poor record?":

> The average person's response to all of the A3?? technical discussion would
> probably be that frankly it does not matter why these planes crash!

There are many people reading this newsgroup whose job descriptions include
understanding and solving these problems so that future generations of
aircraft do not cost lives or resources.

The reason that RISKS keeps harping on airplane automation is that it has
broad ramifications to the computer industry in general, and safety-critical
systems in particular.  What gets established as "safe" in aviation will
undoubtedly define standards of "safety" for other disciplines: this includes
specification and development paradigms.  So these crashes should be of
interest to ALL computer professionals and computer scientists.

And there are certainly people out there whose job descriptions do include
making managerial-level equipment decisions, who may not be aware or
sensitized to some of these issues.


Quarrelling over spilt airplanes [Dorsett, RISKS-16.15]

Peter Ladkin <Peter.Ladkin@loria.fr>
Wed, 15 Jun 1994 21:18:54 +0200
In RISKS-16.15, Robert Dorsett disagrees with two quotes from my
posting in RISKS-16.14. I disagree with his disagreements:

> > Fly-by-wire aircraft use modes because they have to.
>
> This is not true.  Early FBW aircraft were essentially open-loop analog
> systems.

I wasn't thinking about history when I made my assertion.  There are
many fly-by-wire aircraft types around *nowadays*, all but two of
which are military, as of last Sunday.  Do any of these aircraft *not*
use modes? I can't think of one (but I would like to know of the
exception that proves my rule). Robert's strong rejection may be as
misleading as he thought my assertion was.

Robert holds the view that sidestick control may have been the result
of non-engineering decisions. That may be true (or not), but I don't
consider it relevant to whether sidestick control is well-engineered
or not in a given aircraft.

> >A further comment about the Nagoya accident is appropriate. Current
> >knowledge is that the pilots failed to follow normal, explicit
> >procedure for control of the aircraft,
>
> Really?  I've not seen that anywhere.

Flight International, 11-17 May 1994 p5, "a pilot pushes forward on
the control column to counteract the autopilot nose-up input. *This is
against the published procedures ...*" (my emphasis).  FI and David
Learmount are regarded as accurate on such matters.

> >and secondly that they had both
> >been drinking alcohol, which is illegal for good reason.
>
> This has also not been substantiated.  The investigators will not comment,

Robert's assertions do not necessarily contradict mine.  It may help
to understand more of the context.  The investigators will not
comment officially, but then they're required not to - the official
report on the Warsaw A320 accident is not out yet either, but that
doesn't stop us knowing most of the factors involved there. Concerning
the Nagoya A300 accident, there are normally-reliable aviation journal
reports (sorry, the ref's buried) on the precise blood-alcohol level of
the pilots which lead to my conclusion.

> >senior management of China Airlines has resigned because of this
> > accident.
>
> Because of the fifth major accident in as many years,
> was the way I understood it.

...which are two ways of reporting the facts associated with the same event.

Peter Ladkin


Not quite (re: Pete Mellor)

Wesley Kaplow <kaploww@cs.rpi.edu>
Wed, 15 Jun 1994 13:50:41 -0400
Thanks to Peter Mellor it has come to my attention that my statement about
loss of craft per craft delivered is not true.  Unfortunately, I added that
comment based on previous information about per-mile crash rates.  The focus
that I intended was that the average person does not really care why, only
that they perceive that there is a potential safety problem.  A good parallel
might be the Audi 5000 series of reported "sudden-acceleration" problems.
Although the Audi 5000 may not have had a larger incident rate of sudden
acceleration than other cars, ultimately perception was the driving factor.
People did not say: "oh that sudden acceleration problem, well that Audi 5000
was owned by someone from the '3rd' world, it must be his fault".  Ultimately,
the car had at least its name changed, and it probably cost Audi car sales.
At least in the case of the Audi, I could choose not to buy the car.  In the
case of airline travel, I cannot make the choice between airframes because
the information is not available.  I may be making the choice based on poor
information, but it is my poor decision to make.

Also, the airframe loss statistics can be somewhat misleading as well, as
the information Peter sent to me does not say, for example, whether the
747 statistics include losses such as the Canary Island collision, or the
Lockerbie terrorist loss.

Once again, I apologize for the incorrect statement.

Wesley Kaplow, AT&T Bell Laboratories & Rensselaer Polytechnic Institute


Re: Does it matter why A3??'s have a poor record?

Pete Mellor <pm@csr.city.ac.uk>
Wed, 15 Jun 94 17:52:23 BST
Wesley Kaplow <kaploww@cs.rpi.edu> writes in RISKS DIGEST 16.15:

> Already, Airbus Industry has lost more planes per delivered plane
> than other major aircraft manufacturer in the past 3 decades (Lockheed,
> Boeing, MD).

I would be interested to learn the source of this information.

The following table shows the number of crashes per hull in service for
different aircraft types. The source is Luftfahrtindustrie, and the table
is quoted from ``Der Traum von Total Sicherheit'', Focus, 38, 1993, pp18-21.

Aircraft         No. in     Hulls      % Losses
Type             Service    Lost

DC-9/MD-80       2065       68         3.29
Boeing 727       1831       62         3.39
Boeing 737       2515       57         2.27
Boeing 747       988        22         2.23
DC-10            446        21         4.71
Airbus A300/310  636        7          1.10
Airbus A320      411        4          0.97

Peter Mellor, Centre for Software Reliability,
City University, Northampton Square, London EC1V 0HB
Tel: +44 (71) 477-8422, Fax.: +44 (71) 477-8585,
E-mail (JANET): p.mellor@csr.city.ac.uk


Re: Does it matter why A3??'s have a poor record? (Re: Mellor)

Wesley Kaplow <kaploww@cs.rpi.edu>
Wed, 15 Jun 1994 13:29:15 -0400
Dear Pete,
    Unfortunately I did a back of the envelope calculation that is
probably more suited to comparing the number of takeoffs/landings against
accident rates.  I remember seeing statistics on the number of 757 lost per
total mile (or sorties) vs. A3??.  The numbers were quite heavily in favor of
the Boeing.

    However, you are absolutely correct.  I should have made sure that
I had accurate data before making such a broad statement.  Please delete that
section of the message.  I should know better.

    The real point that I wanted to make is that the general public does
not care about root-cause analysis, fly-by-wire, or different flight modes.
Perceptions of safety, like those that plagued the DC-10 for several years,
and like the Audi 5000, are what people care about.  Our rationalization that
these crashes occurred due to pilot error in 3rd world countries does not make
me feel any safer.

    It would be interesting to know the breakdown of the essential
reasons for the airframe losses in the table you provided.  There are
three categories I would like to see:

    1) Loss on the ground (at least 2 of the 747's were lost this way)
    2) Loss due to mechanical defect
    3) Crew error.

    Also, which accidents caused a total loss or just loss of the frame?
For example, a 747 lost part of its skin, but landed safely (with MOST of
its passengers).  A 737 got a moon roof, but landed safely (with all of its
passengers and MOST of the crew).  A DC-10 (with the blown cargo door) landed
with most of its passengers and crew.  I assume that these airframes are
gone, but are they really "losses" in the sense that the average person
would think they are crashes?  Moreover, some of these craft were blown out of
the sky by terrorists, or set on fire on the ground.  I believe that this
changes the numbers in the table.  For example, if one does the following:

    22 hulls lost for the 747 (are there really only 988 in service?)
      -  2 Canary Island
      -  1 Lockerbie
      -----
        19 "Crashed Hulls"

    19/988 = 1.92% losses

this is compared to the 2.23% losses in the table.

Another possible category, since the blame seemingly points to problems of
third world operators, is how many of these crashes were airlines that have
questionable maintenance.

The last category is time.  Although I am chancing fate, when was the last
DC-10/MD-11 crash?  What is the current rate, as compared to previous years?
Do these planes just need to get over "infant" problems, or is the rate
essentially constant?

    Moreover, if we look at unexplainable crashes, at least for the Boeing
and DC/MD planes we can usually identify a real design flaw to pin the
crash on (cargo doors, engine mount pins).  I can proudly say (well not really)
OUR DARN AMERICAN PLANES CRASH BECAUSE OF DESIGN FLAWS WE CAN FIGURE OUT AFTER
A COUPLE OF REALLY BIG CRASHES! (a smiley face goes here).  However, there is
a point here, and that is why the A3?? losses are seemingly predominantly caused
by some pilot-to-ship interface problem.

Once again, I'm sorry to have submitted unsubstantiated information, and I
promise not to do it again.

Wesley Kaplow, AT&T Bell Laboratories & Rensselaer Polytechnic Institute


Re: Airbus (Kaplow, RISKS-16.15)

Bob Niland <rjn@hpfcla.fc.hp.com>
15 Jun 1994 16:42:03 GMT
> ... if we play only on the statistics, I want an airplane with a good
> safety record.  ...

If the statistics bear this out, it raises a point I haven't seen mentioned in
the periodic discussions about the Airbus Industrie family of flying machines.

If AI is indeed experiencing more hull losses than comparable airframes from
other makers, then as a passenger, I don't really care that AI is having
greater success in obtaining "pilot error" determinations in many of the
crashes.  If their aircraft are more susceptible to pilot error, then AI's
aircraft in fact have a problem, and I won't ride them.

Whether computer or airliner, successfully blaming system inadequacies on
the user is no substitute for designing usable systems in the first place.
A comparison of incident/accident rates by airframe, showing the percentage
resolved as "pilot error", would be interesting.

Bob Niland  1001-A East Harmony Road, Suite 503, Fort Collins
Colorado 80525   USA      rjn@csn.org     CompuServe: 71044,2124
