Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Chemical & Engineering News, February 26, 1990, p. 168: Physician Beatrice Golomb tells of a 99-year-old man who turned up in the emergency room (JAMA, Dec. 8, 1989, page 3132). His white blood cell count, although far out of line, was reported by the computer to be within normal limits. The computer, it turned out, was reporting values for the newborn, having figured that year of birth, plugged in as '89, was 1989, not 1889. Golomb's comment: "The normal ranges provided by hospital computers are not always to be credited." [And what with happen to the 102-year-old admitted on 2000 Jan 01?]
On Tuesday Feb. 27, 1990, the central computer that controls the traffic
light timing for the city of Lakewood (a major suburb of Denver) failed,
causing traffic delays of over 30 minutes. The computer system's disk
drive suffered a burnt and seized bearing, causing it shut itself down.
The replacement of the drive did not occur until the next evening.
Several interesting items related to this incident:
1> The system has exactly one drive. No redundancy (sp?). Of course,
they do backup the disk, however, since there is only one disk drive,
they had nowhere to put the backed data. (The disk crash apparently eat
the disk media). From past experience with supposedly critical computer
systems, it would seem that this is common. Concern about reliability of
computer systems to most operators of said systems seems to stop once
they are assured that no data will be lost. Of course, it never seems to
occur to them that if they cannot access that data it's useless.
2> All of Lakewood's traffic system is controlled by one computer. Need
I say more?
3> The traffic system was apparently design under the impression that a
computer failure would be virtually impossible. When the computer failed,
traffic lights had no fall back mechanism for running under a reasonable cycle
time. Each light had to be manually set by city traffic crews.
One wonders if this kind of traffic control system is representative of
common practice. If so, think - you could immobilize a major urban area
by knocking out three or four computer systems.
Richard Neitzel, National Center For Atmospheric Research
Box 3000 Boulder, CO 80307-3000 303-497-2057
[Quoting J.A.Hunter via Brian Randell]
> Modern British practice requires that once a route has been set, a time delay
> of about one minute is enforced by the software before a conflicting route
> can be set.
The actual practice is that if the signal governing entry to the route is at
"Danger", the route can be cancelled immediately (by pulling the button for
that route on the panel). If the signal is in any other state (i.e. a train
could legally pass it), then the route is locked for a while. Simple locking
locks the route for 2 minutes (not 1). Comprehensive locking only locks the
route if there is a train near enough to the signal to be affected by it
turning red, and waits until that train has come to a stop at the signal (e.g.
has occupied a 200m track circuit at the signal for 30 seconds). If a train
passes a signal at Danger, points ahead of that signal are locked
automatically.
> That such systems are not perfect and still rely on human vigilance was shown
> by the Clapham (South London) accident late in 1988 where a faulty track
> circuit train detector "lost" a train standing at a signal allowing an
> automatic system to route another train into the rear of it.
This accident was caused by faulty installation. At the time, the signalling
system was being replaced by a new one, and a wire had been removed from the
logic concerned with a certain track circuit. The wire had not been cut back
and had its end insulated, but was just bent out of the way. Later work on
that logic disturbed the wire, and it came back into contact with the terminal
it had been removed from. It then fed current into the logic, making it appear
as if the track was clear. This allowed the signal to turn green.
> A good source book for information on British railroad safety is:
>
> "Red for Danger", by L.T.C.Rolt,
> published by David & Charles Inc. (North Pomfret, Vermont 05053),
> ISBN 0-7153-8362-0
Not just a good book, but the definitive one. The current edition has been
updated by Geoffrey Kitchenside.
BTW, it's railway.
^^^
Clive D.W. Feather, IXI Limited, 62-74 Burleigh Street, Cambridge U.K.
In RISKS DIGEST 9.72 Martyn Thomas <mct@praxis.UUCP> writes:
>The A320 sidestick layout is asymmetric - the captain flies with the
>left hand, the first officer with the right. This means that when the
>first officer is flying in the left-hand seat - as will happen from
>time-to-time, e.g., for training - there is the added unfamiliarity of
>using the other hand.
and Peter Neumann writes:
> [It is pessimal when the captain is right-handed and the first officer
> is left-handed and *both* are flying with the *wrong* hand. But the
> switching back and forth must undoubtably be confusing. PGN]
This is not a new risk. Older generation aircraft that have yolks instead
of sidesticks are flown in exactly the same manner. Throttles are usually
located in the center panel, and both pilots use their inboard hand for
throttles, and their outboard hand to manipulate the yoke. Sidestick
controllers just change the position of the hand, but not which hand is used.
There are other differences in the use of sidesticks (such as lack of
interconnection on the Airbus), but in handedness they are similar to
conventional controls.
Switching hands with which one flies is generally viewed as a non-problem.
Pilots get used to switching seats and the hands they fly with early on in
their training, usually well before they step into a jet airliner cockpit. On
a frequent basis I switch between right and left seats and between aircraft
yokes (which are flown with the left hand from the left seat) and sticks (which
are flown with the right hand from the left seat. The process is natural and
not at all confusing.
I have not seen any reports that indicate that there is a significant
problem in switching, although that doesn't prove that there is no loss of
performance. Pilots reports of difficulty with this are rare (at least, in my
experience).
It is far more difficult to change between aircraft types, or even between
individual aircraft of the same type, when the positions of instruments and
secondary controls vary. Problems arising from such differences are well
documented and have been identified as causal in numerous accidents.
The New York Times has recently had two articles on avionics.
On Feb 14, the Business Technology column featured "McDonnell's
Less Costly New Jet", the MD-11, which is 16% cheaper to fly than the
DC-10, and is intended to "fill a niche" between Boeing's 767 and 747.
The plane contains an automated cockpit that the company calls the
world's most advanced, as well as more fuel-efficient engines, some
lighter-weight parts and aerodynamic refinements like a shortened tail.
But, later we find that
The plane is a prime example of how aircraft manufacturers are hesitant to
introduce new technology if it does not translate into savings for the
airlines. "High technology isn't necessarily what an airline wants," said
Dale Warren, a vice president at Douglas. "They're in business to make a
profit." For example, the company replaced only a few aluminum parts with
lightweight composite materials, which are more expensive, and chose not to
use a "fly by wire" electronic control system, in part because of its cost.
A few paragraphs describe the cockpit:
The most dramatic change to the DC-10 is in its cockpit, which Douglas says
is the world's most automated. The plane will have two pilots, compared with
three in the DC-10; the flight engineer has been replaced by computers that
automatically perform duties like monitoring fuel flow and adjusting cabin
pressure.
The computers can, to some extent, "think" for the pilots, switching valves
if something should go wrong. Pilots watch six video displays run by
computers instead of the dozens of mechanical gauges and dials on the DC-10.
"Essentially, the pilot pushes a button at the end of the runway and the
system will guide the plane to the concrete at the destination," sayd George
Wallace, program manager for Honeywell Inc., which makes the cockpit
electronics for the plane.
While similar automated cockpits--already in place on Boeing aircraft and
Douglas's MD-80 plane--have won prais, pilots have also expressed concern
that their basic flying skills may atrophy.
Douglas chose to use a conventional control system, in which the controls are
operated from the cockpit by mechanical means rather than electronically by
computers in a new system as "fly by wire" that is used on some Airbus jets.
The article ends by noting that flight testing is 6 months behind schedule.
The Sunday Business section on Feb 18th had a long article "All About:
Avionics". This mentioned that "Cockpit electronics have become sophisticated
enough to all but take the place of the pilot. ... With the push of a few
buttons, autopilots can guide a plane from NY to LA while the real pilot sits
back."
The electronics may cost $1M, or 10% of the plane's price. The article notes
that American companies (Bendix/King, Collins Avionics, and Honeywell) dominate
the market. Other companies would have a hard time entering the market because
of the need for government approval of the systems.
Some problems are discussed:
The biggest advantage of the glass cockpit is that the black boxes can
talk to one another. The on-board computers can calculate an altitude for
the greatest fuel efficiency and the autopilot can guide the plane there.
Most pilots like the new technology, with some reservations. If something
goes wrong, the problem may be hard to detect. "Trouble-shooting is a more
delicate art than before," said Wolfgang Demisch, an analyst with UBS
Securities. And a three-year NASA study of 200 Boeing 757 pilots found that
they were concerned about spending too much time staring at computer screens
and not enough looking out the windows. They also worried that their basic
flying skills would atrophy as they spent more time punching keypads. "I was
somewhat concerned with the 'I can't fly but I can type 80 words per minute'
syndrome," said one pilot. Still, about 90% of the pilots saw the glass
cockpit as a big step forward.
Evidently, new FAA rules will require more electronics by 1993, to warn
of impending collisions and warn of wind shear. The companies that
make the electronics seem happy about this new business. Other
future possibilities mentioned include storing flight maps on optical disk,
exchanging written messages with flight controllers by 'datalink',
and moving to satellite communication and navigation.
The last paragraph mentions that
Another project sounds like it could all but replace the co-pilot. The Air
Force boldly calls it the "pilot associate." More than a mere autopilot, the
associate devices use artificial intelligence to help fly the plane, plan
missions and deploy weapons. The project is in such an early stage that it
will take several years to find its way into jet fighters and, eventually,
commercial planes.
Note that the concerns expressed in these articles are only about the pilot's
own skills decreasing, and not at all about possible mistakes on the part of
the computer system. The only reason given for not using fly-by-wire is
economic.
John M. Sullivan Princeton Univ. Math Dept.
Doubts about Indian engineers and RISKS faced by developing countries. Regarding the A320 crash, George Michaelson <ggm@cc.uq.oz.au> writes: >Doubts were expressed about the ability of the airline to maintain the >complex flight control equipment ... >... it seems from this interview as if the Indian >engineers themselves question their ability to handle this package. > ^^^^^ Indians are extremely annoyed with the performance of the state-run domestic carrier Indian Airlines, which has a long history of incredible management problems aggravated by political interference. Many Indians would agree with those doubts directed at the ability of *that airline*, but few would accept those doubts directed at Indians engineers *in general*. This is not the forum to enumerate the technological sophistication that Indians have demonstrated. Suffice it to say that the interpretation of the word *their* in George Michaelson's analysis is difficult to swallow. >I suspect other parallels exist with well-meaning donation/supply of IT >infrastructure that failed to match local conditions eg lack of tropical >"hardening", availability of spike-free UPS, spares, training. You are right here. Often, however, developing countries are taken for a ride! I was involved in the assembly of a Flying Spot Scanner at the Indian Institute of Science, Bangalore, using equipment imported from a reputed company in the UK. One of the crucial power supplies blew up when powered up. We traced the problem to incorrect wiring (the connections to the collector and emitter of a transistor were reversed, if I remember right). It was evident that the unit *had never been powered up before shipment*, let alone tested; but the company refused to admit it, making sly references instead to our lack of training. We gave up the idea of litigation because of the high costs involved. Please think for a moment about the RISKs FACED BY developing countries. Subhasish Mazumdar,Computer & Information Science, Univ of Massachusetts, Amherst, MA 01003, USA
A few misunderstandings seem to be creeping into the debate on the A320.
At the risk of adding my own misunderstandings, let me try to clarify a few
points raised in RISKS-9.71 by Steve Milunovic and RISKS-9.72 by Robert Dorsett.
Steve Milunovic (9.71) refers to:
> ... a dispute in France over whether the computerized, highly advanced
> aircraft is too complicated to fly.
One justification for introducing fly-by-wire as in the A320 is that, since
most crashes are due to pilot error, a system that reduces the probability
of such error will make flying safer. There are two aspects to this:
- Reduction in the pilot's workload.
- Automatically preventing a command from the pilot taking the aircraft out
of a 'safe flight envelope', e.g. overriding a command to put the nose up
and throttle back if this would cause a stall.
To achieve these aims, the A320 must be EASIER to fly than than its
predecessors. It has been argued (I think by one of the pilots' unions) that
being trained to fly the A320 does not qualify a pilot to fly a 'traditional'
('fly-by-string'?) aircraft, in the same way that a driving test taken in an
automatic does not qualify a motorist to drive a vehicle with a standard*
gearbox.
(The issue of MAINTENANCE, as opposed to flying the aircraft, is a different
matter, and I am inclined to agree with Robert Dorsett on this.)
He also refers to a claim that:
> ... the French pilots were opposing it to protect their economic interests.
> The plane uses two pilots; many other aircraft use three.
To be precise, the crew of a traditional aircraft of the size of the A320
includes a pilot, co-pilot, and flight engineer. The flight engineer's job is
to monitor the systems on the aircraft and recover from, or work around, system
failures. Along with fly-by-wire, the A320 includes automatic monitoring of
systems with a CRT display of their status to the pilot and co-pilot. The
argument is that this reporting system does most of the job of the flight
engineer, who is therefore redundant.
Part of the economic justification for the A320 is, therefore:
- Room for one more passenger.
- Save the flight engineer's salary.
It is the French and Australian flight ENGINEERS' unions who have argued most
strongly against two-man crews. Their vested interest is obvious, but they have
made a strong case on the grounds of safety for the traditional division of
labour between flying the plane and watching dials. This case was well
presented in a BBC television program in the 'Horizon' series a year or so ago
called 'The Essential Third Man'.
(I believe that one inducement that was offered to the pilots was increased
rates for two-man crews. I am not sure what the current positions of the various
pilots' unions are. If they still oppose the loss of the engineer, I would say
it is to their credit.)
Steve also points out:
> ... as a small note, the flight augmentation system of the 757 is in no way
> comparable to the A320's fly-by-wire system (or its associated software
> protections). The former is dedicated to damping aerodynamic instability;
> the former [latter? - PM] introduces new *control laws* and appears to be
> intended to work around problems involved in the use of side-stick
> controllers.
Er..., not QUITE. The software in the A320 Electronic Flight Control System
(EFCS) is right at the heart of the whole system. The traditional joy-stick
between the pilot's legs has been replaced by the side-stick because, since the
connection between the pilot and the control surfaces on the wings is electrical
rather than mechanical, brute force is no longer necessary to move the controls.
The side-stick transmits the commands of the pilot to the EFCS, which processes
them together with input from sensors (air-speed indicator, altimeter, etc.) and
sends signals to the effectors governing the control surfaces.
The 'control laws' define how this processing is done. They are implemented as
tables of parameters. There are several sets of laws, each controlling a
particular mode of flight (take-off, cruising, landing, etc.). I am puzzled
by Robert Dorsett's aside:
>... (that is, above 100', beneath which the protections disappear).
The protections CANNOT disappear at any altitude, however low. Perhaps he means
that at this phase of the flight a different set of control laws come into
force. Robert quite correctly states that:
> Airbus proper regards "manual" (electric horizontal stabilizer trim and
> manual rudder) backup as a last-ditch emergency system. Numerous reports
> indicate that its operation isn't even part of the standard Airbus training
> curriculum.
I believe they train to use manual backup on a simulator. I believe also that
an actual landing using manual backup has been demonstrated by a test pilot,
but that the ability to do such a landing was not required as part
of the type certification. The EFCS is 'flight-critical' (if it fails under
certain circumstances it could result in a catastrophic accident), but not
FULL-TIME flight-critical (its availability need not be 100%, since the
mechanical backup will enable the aircraft to cruise straight and level while
the system is rebooted).
Whatever the details, however, the point is that there is NO WAY that the A320
would be flown on a commercial flight without the EFCS, except in an emergency.
He goes on to say:
> Upon examination, various terms could be examined [You can say that again!-PM]
> --perhaps "manual" means hand-flying it (with protections) to the ground,
> rather than tracking an ILS.
I'm inclined to agree. This confusion over the meaning of "manual" also
bedeviled the accounts of the previous crash.
The point of the slow fly-past at the Mulhouse-Habsheim air show was to
demonstrate the ability of the EFCS to fly the aircraft very close to stalling
without actually doing so. Without such an automatic system, such a manoeuvre
simply would not be possible. Loose statements to the effect that the automatic
system was 'switched off' for the demonstration are nonsense. What probably WAS
done was to set up the EFCS so that cruise 'control laws' still applied at low
altitude, but this is pure speculation on my part, and I should not open my
mouth too wide without hard information as a backup.
To avoid rambling on ad nauseam, I will make two last points:
- The EFCS is not the only flight-critical software controlled system on the
A320. The Full-Authority Digital Engine Control (FADEC) is just as vital,
and obviously must act in cooperation with the EFCS. I have a fair amount
of information on the fault-tolerant hardware and software architecture of
the EFCS, but I do not know of anything that has been published about the
FADEC.
- The overriding concern regarding type-certification of fly-by-wire is our
continuing inability to certify systems containing software to high levels
of reliability. FAA and CAA regulations (taken in conjunction with
explanatory memos) require that a flight-critical system must have a
demonstrated probability of failure no greater than 10^-9 per flying hour
in a flight of mean duration. The same set of documents state that no means
exist of assigning such a probability number to software-induced failure.
Certification in this case largely rests on the demonstration of adherence
to a development process standard (RTCA-DOC/178A), together with provision of
fault-tolerance.
It is this latter anomaly that research should address urgently.
*Note for US readers: A vehicle with a standard gearbox has a third pedal
called the 'clutch', and a wobbly lever next to the driver's seat which has
to be moved every time you change speed.
Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB Tel.: +44 (0)1-253-4399 Ext. 4162/3/1
Mileage Plus is United's travel bank. I can redeem miles traveled on United
Airlines along with dollars spent on my Mileage Plus Visa card for free travel
rewards.
I just finished a conversation with a United Mileage Plus representative,
informing her for the FIFTH time that my zip code is 91125 rather than 91102.
Each time their computer changes the zip code back to 91102 in a way that they
cannot override. I get no mail from them.
The problem is that Caltech has its own zip code. My address is
Tim Kay, Caltech, 256-80, Pasadena, CA 91125
The representative checked further and explained that their computer "knows"
that Pasadena doesn't have a 91125 zip code. (They then somehow come up with
91102 totally bogus; 91106 is the surrounding zip code.) Could I please give
them my home address instead? No, I don't check my mail box at home.
She had no further suggestions. I guess I'd have to stop using their services
until I move!
I suggested we try
Tim Kay, Box 256-80, Caltech, CA 91125
I can't wait to see what happens.
Tim
Something interesting that I heard was going on at [eastern college] was that a couple of students were able to get a hold of a credit-card magnetic strip recorder somehow. They also stole purses, wallets, anything that they could get their hands on that had credit cards in it. After doing the above, they would dig through dumpsters (we all know that story) and pick up carbons or other receipts that have credit card numbers on them, and make a list of valid card numbers. Using the encoding machine, they then erased the old card number off of the magnetic strip (which had probably been reported stolen by this time) and encoded on that same strip one of the card numbers that they had picked up out of the dumpsters. So now they have say a MasterCard with an invalid number embossed on the front of it, and a different-but-valid account on the magnetic strip. What good is this? Plenty good for the clever thief! They then went into shopping malls or anywhere that the credit-card validation machines were the all-too-familiar "slide the card through and read the number off the mag strip" type. The merchant would authorize the card successfully and get an approval code, then run the card though and get a paper receipt. The merchants never check the card number on the authorization machine display and compare it to that of the card! When the merchants send in the credit card slips to the bank, they of course come back, and I imagine it takes a long time to figure out what exactly happened. Merchants beware! -Douglas Mason Douglas T. Mason douglas@ddsw1.mcs.com or dtmason@m-net.UUCP
Please report problems with the web pages to the maintainer