Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
from Boston Globe, Apr 6, 1989, front page story: Use of autopilot tied to Alaskan oil spill A computer operated autopilot aboard the Exxon Valdez may have been set by Capt. Joseph Hazelwood for a course that headed his ship toward a reef, overriding commands by the third mate and leading to the nation's worse oil spill, according to an Alaskan newspaper. The report in today's Anchorage Times was based on comments by the Coast Guard's chief marine investigator, Mark DeLozier. According to the report, neither the third mate who was in charge on the bridge nor the helmsman who was steering the ship was aware that manual turns of the wheel had no effect on the rudder or the course of the ship because the automatic pilot had been set. If confirmed, the report would explain how the outbound tanker - even under the hands of an unlicensed mate - veered 1 1/2 miles across an inbound vessel traffic lane and tore open eight cargo tanks on Bligh Reef 25 miles outside the Valdez oil terminal." [Remainder of article concerns the cleanup and captain's arraignment.] Was there no "AUTOPILOT" indicator? Glenn Lea
[quotes are from Insight/April 10, 1989; typos from me :-)]
_Weather Agency Maps More Efficient Service_
The National Weather Service will be a leaner and much more
automated operation in the 1990s. Under a modernization plan
submitted to Congress, the National Association of Atmospheric
Administration will establish a national network of 115
forecasting offices equipped with high-technology sensing,
processing, and communication system. Currently, the service
relies on nearly 300 local offices to collect and disseminate
weather data.
Improved satellites, a national network of sophisticated
Doppler radars (which allow forecasters to see inside storms)
and a 1000-unit Automated Surface Observation System that
collects temperature, wind speed, air pressure, and other
atmospheric data will enable the service to phase out 800
jobs, reducing agency staff to some 3900. The new
technological systems should allow for "earlier detection and
permit the short-range prediction of destructive, violent,
local storms and floods, thereby mitigating a glaring
shortfall in current warning services," according to the
service's plan.
As a pilot, I've been following the NWS transition from human observers to ASOS
machines in the last year very carefully. While these machines report
objective things (temperature, dewpoint, precip over last N hours) rather
accurately (barring mechanical breakdown, etc etc), they do very poorly at
cloud cover and current precipitation. For cloud cover, an ASOS reports what
is *overhead* (possibly modified by some recent history information, I'm not
sure). This is very different from what the human observers report, which is
generally a function of weather for about 5 miles around. This means one
little stationary puffy at 1000 feet directly over the ASOS can be confused
with a 1000 foot overcast.... quite a different situation. Humans can also
include "rain ended at 24 minutes past the hour" or "frontal passage [a wind
shift] at 18 minutes past the hour", which I believe the ASOS cannot do. (This
is very useful to decide where the front will be farther downwind at a later
time.) And how do you come up with a sensor that recognizes "blowing snow"
contrasted with "blowing dust" (quite a different thing :-)?
The talk in the aviation community been rather specific on the resulting
decrease in aviation safety because of the *reduced* information available to
pilots. What gets me is that this article touts the *advantages* of
automation. Notice the reduction in personnel: this will probably be all the
human observers replaced with ASOS machines. The Doppler radars are mostly in
place; the new satellites would have been there anyway; so all we are really
doing is losing the "human touch".
On a local (for us Oregonians...) note: one of the human observations cut was a
mountain-top observation station in the Cascades near Eugene (or Medford... I
forget). This cut made headlines because the local meterologists were apalled;
the station had been making continuous observations since the early part of
this century, and served as a baseline for very long range weather trend
information. Although other stations in the area provide similar information
(which is reportedly why the station was cut), they have not been reporting for
nearly as long, thus destroying their long-term-trend usefulness.
Randal L. Schwartz, Stonehenge Consulting Services
Date: Mon, 27 Mar 89 10:33:35 PST
From: Peter Scott <PJS@grouch.JPL.NASA.GOV>
if you're prepared to assume that the mail
software at the actual host claimed in the message is trustworthy, and
if you assume no perversions of the network short of line-tapping.
Both of these assumptions do not hold and probably never will. (Not only is
line-tapping trivial and widespread, ala Ethernet sniffers, but
modification, protocol and hardware address spoofing and the like is easy,
if not trivial.)
— Jon
There was a story a few weeks ago in the Wall Street Journal discussing
this new concept in horse racing. The horses are *not* mechanical. The
horses are of a smaller breed that was used to pull small carriages
around the turn of the century. The jockeys *are* mechanical. They
consist of a small piece of telerobotic hardware that can control
the speed and direction of the horse. This controll is achieved using
conventional reigns and a loudspeaker. These jockeys are controlled
remotely by a radio control similar to that used for R/C airplanes and such.
The main reason for using the hardware-based jockeys is weight. Even the
lightest human (wetware-based :-) ) jockey would slow these minature horses
down to a very unexciting pace. The robot-jockeys weigh only 22 pounds and in
the illustration they looked like a small tin man with arms, a racing derby and
no legs. The original prototypes were developed for patrolling the perimeter of
a very large ranch. To protect the rancher from thieves, the ranch perimeter
was constantly patrolled by several men on horseback. In an effort to cut
costs, the inventors thought of mounting a TV camera on a horse with some
method of control, hence the robot-sentry/jockey was born.
The military anti-jamming technology mentioned involves the standard
practice of encoding the control signals on many frequencies simultaneously
(perhaps 10-100 different frequencies) to improve the odds of transmitting
a signal in the presence of a jamming signal and/or noise.
As far as RISKS go, it doesn't take a leap of the imagination to conceive of
this technology being used in battlefield environments. One of the most
difficult problems currently facing robotics researchers is navigation and
locomotion in unstructured environments. By coupling current robotic technology
to biologically-based locomotion systems, this problem may be overcome for the
time being. A variety of scenarios is possible for any animal that can be
trained to respond to the commands of some robot. Perhaps the day may come when
robots and animals will fight the actual battle while we humans sit back,
joystick and beer in hand, safely directing the battle while remotely viewing
the results on a CRT monitor (1/2 :-) ). Sounds like a new idea for a video
game. (full :-) ).
Brad L. Hutchings
With respect to the fly-by-wire issue, I think it's important to separate two concepts: (1) Whether cables, hydraulic lines, or electrical signals, sensors, computers, and actuators translate the pilot's actions to the control surfaces (the A320 article stated "FBW replaces the conventional stick and rudder controls with a series of computers and miles of electronic cables", as if similar amounts of cables or the equivalent were not required to accomplish the conventional method). (2) How much additional "intelligence" is placed between the pilot and the control surfaces. It may well make sense to replace mechanical cables by electrical or fiber-optic ones, for reasons of reducing cost, weight, and complexity, or of improving redundancy. I am confident that a system whose only function was to make this substitution could be made robust enough to equal or exceed the reliability of existing systems, especially in damage situations. For example, one could arrange to use multiple battery-powered actuators, with a radio link as a final backup even, to reduce the chances that an engine falling off would disrupt the control signals, as it did in the Chicago DC-10 accident. I believe many of the space shuttle controls include this direct mapping as a fallback. Most of the FBW systems discussed in this forum apparently add significant processing stages between pilot input and control output, sometimes of necessity, since these aircraft are sometimes not inherently stable. Ultimately, that seems like a good idea, too, but it's a lot more complicated, since essentially it means that the computer is flying the plane. Clearly this approach deserves at least as much scrutiny as it is receiving, here and elsewhere.
> [NGL: It is interesting that the pilot was never believed about the > altimeter although there is [now] plenty of evidence to back up his story. There is also substantial evidence to discredit him: the voice transcripts indicated a highly unprofessional preflight and takeoff. Normal checklist procedures were not used, and the atmosphere was too relaxed and casual. The French government leaked this data very early in the investigation, which undoubtably influenced where the general direction of the investigation was to go. As someone who has spent a substantial amount of time in airliner cockpits, I can say that the transcripts were quite horrifying in their lack of professionalism. On the specific issue of the altimeter making a difference, the airplane was flying approximately 50 feet off the ground. At that altitude, the pilots' eyes should not be in the cockpit; the airplane's approximate altitude (or, more importantly, its relation to the trees and ground) could have been established at a glance. There's a simple rule of thumb in such cases: if an obstacle is above the horizon, you're going to run into it. This alone seems to suggest poor judgement, perhaps accentuated by the informal atmosphere in the cockpit and the "weekend fair" mentality of the proceedings. I don't think the Mulhouse-Habsheim crash can be used to condemn functional aspects of the A320--at least, judging from the information I've seen on it. The crash is much more vulnerable to questions regarding the human-factors design of the A320 cockpit, and the validity work workload-saving automation and display formats. Considering how senior (each pilot had just over ten thousand hours, and the captain, at the time, was the head of the A320 program for Air France, with more time in type than anyone else) the crew was, one must at least consider the possibility that the cockpit design may have encouraged the atmosphere which led to the poor decisions which led to the crash. Robert Dorsett UUCP: ...cs.utexas.edu!walt.cc.utexas.edu!mentat
In Nancy Leveson's Airbus commentary, "not plenty of evidence to back up his story" should have been "now plenty of evidence to back up his story". [I corrected it in Robert Dorsett's quote of it, in the previous message.] Boston's Logan Airport was fogged in on Tuesday evening, and Nancy took the train back from Washington DC. Evidently her train of thought was dominated by her thought of train.
Having gone out and bought the book, I now have some additional details
about the 1983 incident in which an Air Canada Boeing 767 ran out of
fuel while on a flight from Ottawa to Edmonton.
The book is _Freefall_, by William Hoffer and Marilyn Mona Hoffer;
St. Martin's Press (New York), 1989; ISBN 0-312-02919-5; US$17.95.
To recap, the plane's electronic fuel sensor system failed. The "fuel
quantity processor" on the Boeing 767 in question used two separate,
independent operating channels for redundancy. If one channel failed,
the processor would ignore it and use the other. In this case, however,
a cold solder joint in an inductor caused one channel to fail in an
unanticipated way: instead of cutting off completely, this channel gen-
erated a reduced — but nonzero — signal. The fuel quantity processor
was not designed to deal with such a situation, and so failed entirely.
The night before the fateful flight, a maintenance technician in Edmon-
ton, Alberta tried unsuccessfully to find this problem. No replacement
fuel quantity processor was available, but he discovered that by turn-
ing off the circuit breaker for the faulty sensor channel, he could get
the fuel gauges to work. He marked the breaker with yellow maintenance
tape and made a note in the plane's log book. However, his log notes
seemed to make no sense and were misunderstood by the maintenance crew
at Dorval Airport in Montreal; a technician there reset the breaker
despite the tape over it, without noticing that he had thereby disabled
the fuel gauges again.
Since the plane had left Edmonton the previous night with only one fuel
sensor operational, the manual required a "drip" test with mechanical
dipstick-like devices to double-check the fuel (kerosene) level. The
fuel truck's gauges measured fuel *volume* (in litres) — but this had
to be translated into fuel *mass* as part of the "drip" test. The
mechanics knew how much fuel the plane needed, in kilograms; but when
they went to figure out how much fuel (in litres) to pump into the
tanks, they mistakenly tried to convert from *pounds* to litres. This
error was made all the easier by the fact that the conversion factor was
labelled in the mechanics' reference books as "specific gravity"; the
fact that the number also embodied a volume-mass conversion was com-
pletely glossed over. As I mentioned in my earlier message, the Boeing
767 in question was one of the first "metricized" airplanes in the Air
Canada fleet; other planes still measured fuel in pounds, not kilos.
After the plane was refuelled, the pilot noticed that the fuel gauges
were now blank. On this basis, he asserted to the maintenance people
that the plane was not legal to fly according to the manuals. However,
the mechanics insisted that Maintenance Control had cleared the plane
and that it was OK to fly. In such a situation, the pilot could theo-
retically have stuck to his guns and refused to allow the plane to go
-- but it was well known that "an overly cautious pilot who grounds too
many flights for what others perceive as trivial reasons is likely to
find himself grounded." Further, the written guidelines or "Minimum
Equipment List" for the 767 had already been revised agains and again
-- and, in fact, there were three versions of the MEL book at this time
(one for pilots, one for mechanics, and one for airport Maintenance
Control). So, given that Maintenance Control had cleared the plane for
takeoff on the basis of the fuel "drip" test, the pilot would have put
himself in a potentially indefensible situation by challenging their
decision on the basis of *his* copy of the MEL regulations.
The above details can be found in Chapter 13 of the book, starting on page 89.
So, to summarize, the mishap resulted in part from:
(1) Inadequate design of the redundancy systems in the fuel quantity
processor; it failed entirely in the face of an unanticipated
*partial* failure of one of the two sensors.
(2) Miscommunication between mechanics at airports in Edmonton and
Montreal, resulting in the first mechanic's fortuitous "kludge" fix
to the problem being unknowingly undone by the second mechanic.
(3) Metric conversion woes in conjunction with the refuelling of the
plane — compounded by the fact that a key mathematical factor in
the calculation was labelled in such a way as to conceal its true
role as a unit conversion factor between mass and volume.
(4) Ambiguous rules for minimum equipment and line of responsibility in
determining whether the airplane was flight-worthy.
Rich Wales // UCLA Computer Science Department // +1 (213) 825-5683
3531 Boelter Hall // Los Angeles, California 90024-1596 // USA
I recently had a "normal" bad experience with an ATM: (bank name withheld to protect the guilty - but it's a HUGE bank in Massachusetts). The machine gave me half the money I asked for, but the receipt read that it had given me the full amount. Of course, I immediately called the "help" line (which should perhaps be called the "I can't help" line), and reported the incident. I requested that they shut down the machine until they could audit it. To my surprise, they responded that, according to their carefully thought out policy, they could not shut down the machine on the basis of a single customer complaint. Note, however, that if the MACHINE detects an operational irregularity, it shuts ITSELF down immediately, often without returning your card. I find it not only odd, but downright >risky< that the complaint from a customer is given less weight than the machine's "perception" of a possible problem. On the one hand, some software or hardware system has determined that there MAY be a problem - and this is acted on at once. On the other hand, I report an ACTUAL problem - and I find myself being ignored. This says volumes about the propensity to believe the computer at all costs: the customer "couldn't be right - the computer says so."
You're quite right, Brian. BMW seem to specialise in providing
RISKy technology. A few years back I bought a BMW316i on the
basis of an ad in the Guardian describing its ionically-bound
detergent-containing paint. You remember that it claimed to be
self-washing. Well, imagine my surprise when returning to my
new car after a particularly heavy thunderstorm I found that
*all the paint* had washed off!
This is not to mention the self-inflating tyres that blew themselves
up so much that the car lost half a ton in weight, requiring
me to spend 300 pounds (BMW prices!) on a larger spoiler just
to keep the car on the road.
I note that the previous representative, Herr Uve Behnaad, has
been replaced by a new man, Mr Phelfrett. It seems, however,
that BMW policy has *not* changed and that the motoring public
continues to be put at RISK by poorly-tested new technology.
[Comments also from Frank Wales <mcvax!zen.co.uk!frank@uunet.UU.NET>,
who also noted Road Warmers, which follows. Gullible's Travels? PGN]
BMW INTRODUCES ITS NEWEST INNOVATION:
ROAD WARMERS
Having spent the last twenty years perfecting the sports sedan, BMW has now
taken up the ultimate challenge - perfecting the road.
Road Warmers are the result of twenty years of German engineering. And
represent perhaps the single most important contribution to the automotive
industry in the past decade.
Road Warmers employ laser technology to ensure constant road conditions. The
way in which they operate is simple. Underneath the car, four pivoting convex
lasers are mounted in front of each wheel. The lasers are aimed at the
pavement directly in front of the tread stance. They work in tandem with
five-speed turbo fans. So not only do they manage to melt snow and ice, they
also dry the road of excess moisture. And virtually eliminate the need to
clear your driveway during winter. Inside the car, the driver is continually
apprised of the climatic conditions through BMW's onboard computer and Active
Check Control. This enables the driver to set the road to a temperature that
best suits their level of performance. The result is a road that never
changes. Four seasons become one. And performace is assured like never
before. Eventually Road Warmers will be standard on all new BMW's. But as
part of a special offer, your dealer will install them on your present car free
of charge.
But you should hurry. Our offer is only available April 1st, so you would be a
fool to miss this one.
[reprinted from an add in Toronto's Globe and Mail, April 1st.
Please report problems with the web pages to the maintainer