Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
April 1. Hampstead, MA. Motorist Peter Newone said he felt as if a nightmare had just ended. Newone, 53, was driving his newly purchased luxury car when he entered the traffic circle in the city center around 9 AM yesterday, Friday. The car was equipped with the latest safety features, including a new feature called Lane Keeping. "It just wouldn't let me get out of the circle," said Newone. "I was in the inner-most lane, and every time I tried to get out, the steering wheel refused to budge and a voice kept saying over and over, 'warning, right lane is occupied.' I was there until 11 at night, when it finally let me out," Newone said from his hospital bed, his voice still shaky. "I managed to get out of the circle and to the side of the road, and then I don't remember what happened." Police say they found Newone collapsed in his car, incoherent. He was taken to the Memorial Hospital for observation and diagnosed with extreme shock and dehydration. He was released early this morning. A representative of the automobile company said that they could not explain this behavior. "Our cars are very carefully tested," said Mr. Namron, "and this feature has been most thoroughly vetted by our technicians. It is an essential safety feature and it is designed so that it never exerts more than 80% of the torque required, so the driver can always overrule the system. We designed it that way as a safety precaution. We grieve for Mr. Newone, but we are asking our physicians to do their own evaluation of his condition." Police say they have never heard of a similar situation. Mr. Newone evidently encountered a rare occurrence of continual traffic at that location: there was a special ceremony in the local school system which kept traffic high all day, and then there was an unusual combination of sports events, a football game, and then a late concert, so traffic was unusually heavy all day and evening. Attempts to get statements from relevant government officials were unsuccessful. The National Transportation Safety Board which is supposed to investigate all unusual automobile incidents says that this is not officially an accident, so it does not fit into their domain. Federal and state transportation officials were not available for comment.
Airbus has successfully completed the evacuation test on the A380, as reported in the news on 27 Mar 2006. 853 passengers were evacuated in less than the required 90 seconds from half of the exit doors, at the expense of minor injuries and one broken leg. An Airbus spokesman said that the test had been successful: "In a group of 853 people, the chances that one person has a broken leg and doesn't yet know it are substantial. The test showed that everyone came out at least as healthy as when they went in." Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
I reported in RISKS-24.03 ("Flight Control System Software Anomalies") on a
partial-loss-of-control incident with a Boeing 777 aircraft that resulted in
a US emergency Airworthiness Directive to replace the software in the air
data inertial reference unit (ADIRU) with an earlier version, while the
manufacturer, Honeywell, developed a fix for the software.
It seems as if that is not the only problem at Honeywell. The *North German
Herald-Advocate* reported on 28 Mar 2006 that the well-known Easter Egg
writer and charter member of the International Aerobatic Club, Jody
K. Beltramina, had retired from her position as Lead Avionics Software
Developer in order to "spend more time with her family".
Peter B. Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com www.rvs.uni-bielefeld.de
Cambridge, UK. An old dream of cartographers has finally been realized through flat-panel displays and small, portable computational devices. For centuries, cartographers have dreamed of full-scale maps, that is, a map with a scale of 1:1, so that 1 Km. of the map would represent 1 Km. of the world. Implementation difficulties made such a map impractical. But now, scientists at Cambridge University have been able to display the full-scale map on a flat-panel screen, scrolling the map as necessary to cover the territory. The new technique has already revealed important results: errors in the existing geographical databases. These errors were revealed when geographers in Cambridge compared the full scale map with the terrain and discovered that they didn't fit precisely: Several structures, including a college building and several roads were determined to be in the incorrect location. "Rather interesting," said Lewis Carroll, spokesperson for the university, "several college buildings are quite off their correct location." Unfortunately, initial estimates for moving the buildings and roads to correct these discrepancies are too expensive, so, as Carroll puts it, "we will have to put up with these problems, but we will annotate the map to show where these placement errors occur." An unexpected positive finding is that the map serves both types of map-users well: those who like to orient the maps so that North is always up, regardless of their direction of travel, and those who like to orient the map so that it corresponds to the positions of objects in the world. Now, either type of map user can be accommodated, something which was not possible when full-scale maps were implemented only on paper. When asked what new developments might be expected from the college, Mr. Carroll stated that they were working on full-scale biographies, providing a much more realistic depiction of a person's life. This would allow a biography, for example, to take place in the same time-scale as the person's life, increasing the realism dramatically. Full scale renditions of other phenomena are in the works, but Carroll said that confidentiality restrictions prevented discussion until they were fully realized.
The SAT service is reportedly contemplating the development of paperless Internet-accessible laptop-based SAT software that will in essence be like DRE voting machines, presumably with no audit trails and no ability to do rescoring apart from asking the SAT-taker to resubmit the answers! All students will most likely be required to use their own laptops or school-supplied systems, typically over unencrypted wireless and local networks. RISKS readers might also suspect that the SAT exam will be implemented as an unsigned ActiveX applet, and thus work only in IE. Perhaps other constraints as well will make students with Macs ineligible for college admission. This would be most unSATisfying. We hope the system will be more carefully designed and implemented, to level the playing field and to avoid numerous opportunities for cheating, collusion, and even malicious alterations of other students's exams. However, on the whole this item sounds too much like an April Fools' piece.
OK, if these are the false NEGATIVES (scores less than deserved), how many false POSITIVES were there (scores more than deserved)? And how many admission decisions were thereupon based? [In reality, a bunch of overly high scores were reported, but those were apparently left unchanged. PGN]
I'm puzzled by the explanation put forth by Pearson regarding the cause of the October SAT mis-scoring (namely, humidity-induced dimensional changes in the test forms themselves). Everyone in the scanning business knows that the size of a piece of paper can vary substantially with the weather; that's why scannable test forms (e.g., Scantron) always include a number of registration marks around the edges of the page. Could it be that the SAT forms don't contain a sufficient quantity and/or distribution of registration landmarks, or is the real problem somewhere else?
Do you believe in sanity clauses! Bounds checks? An AP item datelined Palmdale, California notes that George Beane was charged $4,334.33 for four burgers at Burger King. To make a long story short, the cashier entered $4.33 and then forgetfully reentered the same amount again, resulting in a debit-card charge that instantly was paid out of his Bank of America account, wiping out their balance. After this was discovered, the bank insisted the funds were on a three-day hold and the debit could not be be reversed. "For those three days, those were the most expensive value burgers in history," Pat Beane said. http://hosted.ap.org/dynamic/stories/C/COSTLY_BURGERS?SITE=CAVAN&SECTION=HOME&TEMPLATE=DEFAULT
Florida state employees who worked for the state during the 1.5 years beginning 1 Jan 2003 are being told that their personal information from the state's People First payroll and human resources system may have been improperly transferred offshore by a subcontractor working for outsourcing service provider Convergys Corp. [Source: US laws may not help prevent PII disclosure, Robert McMillan, *ComputerWorld*; PGN-ed] http://www.computerworld.com/securitytopics/security/story/0,10801,109938,00.html
http://www.theregister.co.uk/2006/03/24/tuttle_centos/ An Oklahoma town threatened to call in the FBI because its website was hacked by Linux maker Cent OS. However, it turns out CentOS didn't hack Tuttle's web site. The city's hosting provider had simply botched a web server. [Source: Oklahoma city threatens to call FBI over 'renegade' Linux maker: Our mistake is YOUR problem, Ashlee Vance, *The Register*, 24 Mar 2006; PGN-ed, from item on John McMullen's list, John F. McMullen, johnmac@acm.org johnmac@computer.org http://johnmacrants.blogspot.com/ Lizard's blog: http:\\www.xanga.com\lizard_sf]
The Daily WTF: Curious Perversions in Information Technology, Alex Papadimoulis, 28 Mar 2006 http://www.thedailywtf.com/ Josh Breckman worked for a company that landed a contract to develop a content management system for a fairly large government website. Much of the project involved developing a content management system so that employees would be able to build and maintain the ever-changing content for their site. Because they already had an existing website with a lot of content, the customer wanted to take the opportunity to reorganize and upload all the content into the new site before it went live. As you might imagine, this was a fairly time consuming process. But after a few months, they had finally put all the content into the system and opened it up to the Internet. Things went pretty well for a few days after going live. But, on day six, things went not-so-well: all of the content on the website had completely vanished and all pages led to the default "please enter content" page. Whoops. Josh was called in to investigate and noticed that one particularly troublesome external IP had gone in and deleted *all* of the content on the system. The IP didn't belong to some overseas hacker bent on destroying helpful government information. It resolved to googlebot.com, Google's very own web crawling spider. Whoops. After quite a bit of research (and scrambling around to find a non-corrupt backup), Josh found the problem. A user copied and pasted some content from one page to another, including an "edit" hyperlink to edit the content on the page. Normally, this wouldn't be an issue, since an outside user would need to enter a name and password. But, the CMS authentication subsystem didn't take into account the sophisticated hacking techniques of Google's spider. Whoops. As it turns out, Google's spider doesn't use cookies, which means that it can easily bypass a check for the "isLoggedOn" cookie to be "false". It also doesn't pay attention to Javascript, which would normally prompt and redirect users who are not logged on. It does, however, follow every hyperlink on every page it finds, including those with "Delete Page" in the title. Whoops. After all was said and done, Josh was able to restore a fairly older version of the site from backups. He brought up the root cause — that security could be beaten by disabling cookies and javascript — but management didn't quite see what was wrong with that. Instead, they told the client to NEVER copy paste content from other pages.
PGN asked me some time ago (Oct 2005) about the Helios B737 aircraft accident in Aug 2005. I felt then that not enough was known, but that it likely had no connection with computers and little with digital automation. It is now pretty much known what happened, and certain features relate to the recent contribution by Don Norman in Risks 24.17. Don said "why not design things so that it [sic] can tolerate the well-known forms of human error? ... I have tried to deliver this message many times before. I predict that I will have to give it many times again." and PGN suggested "The RISKS archives themselves suggest that Don will have to continue this long-time consistent thread." I think this accident provides a boundary case. An issue was raised in Nov 2005 about a possible crew confusion over the meaning of a warning tone. The same tone was used for an on-ground warning as well as an in-air warning, with different meanings. However, it is not at all clear that a different tone for each warning would have helped this crew. There are reported to be many other cases in which crews reacted appropriately, so this occurrence has precedents, all with a different outcome. The relevant question is: would one, as an engineer fully cognisant of Don's thesis, have designed these warnings differently? I incline towards the answer: no, this accident is an outlier. Others incline towards the answer yes. On with the story. On 14 Aug 2005, a Helios Airways Boeing 737-300 on flight ZU 522 from Lanarca, Cyprus to Athens ran out of fuel and collided with terrain at Grammaticos, near Athens. The flight was scheduled to take about 1hr 20 minutes, and the aircraft had been airborne for nearly three hours. The aircraft had been intercepted by Greek Air Force F-16s after being alerted by ATC. The interceptor pilots noted the copilot unconscious in his seat, and two other people on the flight deck, but not the captain. The cabin oxygen masks were deployed, but the copilot did not have his mask on (Flight International, 23-29 Aug 2005, p4, report by David Learmount). The aircraft had been serviced before the flight; engineers carried out an on-ground pressurisation of the aircraft to see if the rear service door was leaking, because of a report that it was "noisy" on a previous flight. This check required the use, in manual mode, of the pressurisation control panel. The engineers opened the pressure relief valves after the successful check, to depressurise the aircraft. (Flight International, 13-19 Sep 2005, p15, report by David Learmount). Normal flight crew pre-take-off procedures would have them select cabin altitude to 8,000 ft and the pressurisation switch to automatic (ibid. 13-19 Sep 2005). The cabin altitude (CA) warning horn activated as the aircraft passed through 14,000 ft out of Lanarca in climb to its cruising altitude of 34,000 ft, and it was not canceled for the rest of the flight. The captain called the Helios engineering department on the company frequency. Another alert had sounded just after the CA warning had activated, warning that the avionics bay cooling fans were not operating. Helios's engineering department said that the captain's request was unclear. They asked him whether the pressurisation panel had been reset to automatic from manual. He responded by asking where the circuit breaker was for the avionics bay fans. Engineering told him it was behind his seat. That was the last communication of any sort from the aircraft. There is no recording of this conversation; the report comes from the former Helios chief engineer. (ibid., 13-19 Sep 2005). The aircraft manufacturer Boeing issued a "multi-operator message" to B737 users in Sep 2005 to remind them that both the CA warning and takeoff configuration warning horn are the same sound; that the takeoff configuration warning can sound only when the aircraft's weight is on the wheels; and that if the same alert sounds in flight, it is the CA warning. The chief investigator told David Learmount at a safety seminar in Moscow in Nov 2005 that the pressurisation was set to manual, so that the aircraft did not pressurise as it climbed, and the crew failed to notice this in pre-take-off checks; the crew thought the CA warning was an erroneous takeoff configuration warning, and their "subsequent mindset and actions were determined by this preconception until hypoxia overcame them as the aircraft continued to climb." (Flight International, 15-21 Nov 2005, p9, report by David Learmount). I used to climb up mountains, and have been at altitude without oxygen in small aircraft. The symptoms and dangers of hypoxia should be known to practioners of both activities. Indeed, I get hypoxic when doing interval training on my sport bicycle mounted on the home trainer. It is insidious, in that gradually reducing ability to concentrate is accompanied by lowered self-awareness and feelings of well-being - before, if it does too far, one loses consciousness. But I had thought that any reasonably aware and well-trained pilot would know how to recognise the symptoms before it got to that stage. When I flew high, I used to write my signature regularly on my kneeboard, the idea being that when it got hard, or the signature too straggly, it was time for an immediate descent. I found that this view did not resonate with many pilot colleagues. I talked about it in Oct 2005 to a colleague who is a senior aviation accident investigator and human factors specialist at one of the most respected accident investigation organisations. He pointed out that in the situations in which I had experienced hypoxia, I could have expected it and therefore was particularly attuned to the symptoms. Also that I seemed to have had known and varied experience with it and through this experience was likely more cognisant of the symptoms as they start to occur. He suggested that one could not necessarily expect a flight crew with no altitude-chamber or other experience to recognise hypoxia and get their masks on before passing out. So it seems that my puzzlement over why the crew had not recognised their hypoxia was misplaced. It remains, though, that the CA warning sounded as it should, and the flight crew did not react appropriately. Why not? There have been "many other cases of a Boeing 737 aircraft climbing without pressurisation set, but the crews recognised the alerts and averted crew hypoxia and resultant disaster" (ibid., 15-21 Nov 2005). A report in a German newspaper said that Greek television on 19 Sep 2005 had reported that the coroner had said that the captain had 45% blockage of the coronary arteries and the co-pilot had 90% blockage of the coronary arteries (*Die Welt*, 20 Sep 2005). That would render them particularly susceptible to quick onset of hypoxia and resulting unconsciousness. Fact remains that, under the influence of hypoxia, the crew appeared to be confused over the meaning of the CA alert. On the one hand, the warning is identical to that of the takeoff configuration warning. On the other hand, these are professional pilots who are required to know the meaning of the alerts that activate in their aircraft. This alert is unambiguous: on the ground, it is the takeoff configuration warning. In the air, it is the CA. And "many" other crews have experienced the same sequence of warnings and reacted appropriately. There were apparently serious communication problems within the crew and between crew and their engineering departments. Both the German captain and the Cypriot co-pilot had trouble with English (the engineers were British and had trouble communicating with them about the problems); but that was also the only language which they had in common. The chief investigator, Capt. Akrivos Tsolakis, addressed the European Aviation Safety Seminar in Athens in March 2005, and said that "latent errors have lain there for years waiting for the pilot to pull the trigger". He said that all the parties involved contributed to the systemic latent faults that led to the accident He did not specify the faults or the responsibilities. The draft report has been prepared; involved parties have 60 days to comment and the final report is likely to be ready for publication in June or July 2006 (Flight International, 21-27 March 2006, report by David Learmount). It seems as if we will read a Reason-type "Swiss Cheese" explanation of the accident; the vocabulary stems from e.g., his influential book Human Error (Cambridge U.P., 1990). One might speculate that, had the CA warning had a unique sound, the crew could have recognised it for what it is, rather than confusing it with another alert. If this speculation were to be correct, the Counterfactual Test would lead us to conclude that the CA warning/takeoff configuration warning doublet was a causal factor in the accident. On the other hand, the crew did not seem to know what it meant in any case; their engineering department did know, but engineering's attempts to alert them directly to possible pressurisation problems failed. A different sound does not help any if one doesn't know what it means and cannot follow the appropriate advice of those who do. I doubt whether the final report will be able to give us much guidance on which of these positions it is more reasonable to accept. Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
Peter Ladkin properly points out that the Helios 737 accident in 2005 is complex, and so it can be attributed to multiple causes. But I happen to be a fan both of Swiss Cheese and of Jim Reason: Reason and I have worked on error theory together. I agree that the circumstances described — crew hypoxia — makes it impossible to know how much the modal characteristic of the warning signal contributed to the accident. Nonetheless, I contend that modes in general are a bad idea and are well-known sources of difficulty, whether they be in computers, industrial controls, or as in this case, the meaning of a particular warning signal. When something is modal, then its interpretation depends upon the system state, which adds to the mental workload and has been a known source of difficulty in many situations. With the case of a crew with diminished mental capacities (because of hypoxia), I suspect that the extra workload required to interpret the modal warning signal increases the likelihood of a misinterpretation. Of course, in this particular case, the crew may already have been so impaired that nothing would have helped. We will never know. Errors by highly trained pilots are rare, and so difficult to study. Ladkin points out that other crews have properly interpreted the signal. But those crews were not suffering from hypoxia to a similar extent (although we don't really know for sure). And in any event, with low-probability events, a few successes does not mean that the system is trustworthy. (I suspect we are in agreement on this point.) But why take the chance? There is no harm in ensuring that all safety-critical warning signals be unique and distinct (that is, modeless). There may be no benefit either, but any cost analysis comes out in favor of eliminating modes: Minimal cost to do so, possible huge loss if one does not. But thanks to Peter Ladkin for once again providing us with a detailed analysis of the many factors that go into accidents in commercial aviation. Aviation today is so safe, that we have few accidents to investigate, and each of these is always complex, filled with mitigating and possibly causal sequences. Any simple interpretation of such an accident is bound to be wrong. Don Norman, Nielsen Norman Group and Northwestern University http://www.jnd.org
Please report problems with the web pages to the maintainer