The RISKS Digest
Volume 9 Issue 73

Tuesday, 6th March 1990

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Another 100-year computer saga
David B. Benson
Traffic System Failure
Rich Neitzel
Railway interlocking systems
Clive Feather
Avionics in the media
John M. Sullivan
Re: A320
Steven Philipson
Subhasish Mazumdar
Pete Mellor
Mileage Plus wants me to move
Tim Kay
Credit-card fraud
Douglas Mason
Info on RISKS (comp.risks)

Another 100-year computer saga

David B. Benson <dbenson@cs2.cs.WSU.EDU>
Sun, 4 Mar 90 14:13:34 PST
Chemical & Engineering News, February 26, 1990, p. 168:

Physician Beatrice Golomb tells of a 99-year-old man who turned up in
the emergency room (JAMA, Dec. 8, 1989, page 3132).  His white blood
cell count,  although far out of line, was reported by the computer to
be within normal limits.  The computer, it turned out, was reporting
values for the newborn, having figured that year of birth, plugged in
as '89, was 1989, not 1889.  Golomb's comment:  "The normal ranges
provided by hospital computers are not always to be credited."

[And what with happen to the 102-year-old admitted on 2000 Jan 01?]

Traffic System Failure

Rich Neitzel <thor@stout.UCAR.EDU>
1 Mar 90 14:13:47 GMT
On Tuesday Feb. 27, 1990, the central computer that controls the traffic
light timing for the city of Lakewood (a major suburb of Denver) failed,
causing traffic delays of over 30 minutes. The computer system's disk
drive suffered a burnt and seized bearing, causing it shut itself down.
The replacement of the drive did not occur until the next evening.
Several interesting items related to this incident:

    1> The system has exactly one drive. No redundancy (sp?). Of course,
they do backup the disk, however, since there is only one disk drive,
they had nowhere to put the backed data. (The disk crash apparently eat
the disk media). From past experience with supposedly critical computer
systems, it would seem that this is common. Concern about reliability of
computer systems to most operators of said systems seems to stop once
they are assured that no data will be lost. Of course, it never seems to
occur to them that if they cannot access that data it's useless.

    2> All of Lakewood's traffic system is controlled by one computer. Need
I say more?

    3> The traffic system was apparently design under the impression that a
computer failure would be virtually impossible. When the computer failed,
traffic lights had no fall back mechanism for running under a reasonable cycle
time. Each light had to be manually set by city traffic crews.

One wonders if this kind of traffic control system is representative of
common practice. If so, think - you could immobilize a major urban area
by knocking out three or four computer systems.

Richard Neitzel, National Center For Atmospheric Research
Box 3000 Boulder, CO 80307-3000              303-497-2057

Railway interlocking systems

Clive Feather <clive@ixi.UUCP>
Fri, 2 Mar 90 12:46:37 gmt
[Quoting J.A.Hunter via Brian Randell]
> Modern British practice requires that once a route has been set, a time delay
> of about one minute is enforced by the software before a conflicting route
> can be set.

The actual practice is that if the signal governing entry to the route is at
"Danger", the route can be cancelled immediately (by pulling the button for
that route on the panel). If the signal is in any other state (i.e. a train
could legally pass it), then the route is locked for a while. Simple locking
locks the route for 2 minutes (not 1). Comprehensive locking only locks the
route if there is a train near enough to the signal to be affected by it
turning red, and waits until that train has come to a stop at the signal (e.g.
has occupied a 200m track circuit at the signal for 30 seconds). If a train
passes a signal at Danger, points ahead of that signal are locked

> That such systems are not perfect and still rely on human vigilance was shown
> by the Clapham (South London) accident late in 1988 where a faulty track
> circuit train detector "lost" a train standing at a signal allowing an
> automatic system to route another train into the rear of it.
This accident was caused by faulty installation. At the time, the signalling
system was being replaced by a new one, and a wire had been removed from the
logic concerned with a certain track circuit. The wire had not been cut back
and had its end insulated, but was just bent out of the way. Later work on
that logic disturbed the wire, and it came back into contact with the terminal
it had been removed from. It then fed current into the logic, making it appear
as if the track was clear. This allowed the signal to turn green.

> A good source book for information on British railroad safety is:
>    "Red for Danger", by L.T.C.Rolt,
>    published by David & Charles Inc. (North Pomfret, Vermont 05053),
>    ISBN 0-7153-8362-0

Not just a good book, but the definitive one. The current edition has been
updated by Geoffrey Kitchenside.

BTW, it's railway.
Clive D.W. Feather, IXI Limited, 62-74 Burleigh Street, Cambridge  U.K.

Re: A320 (RISKS-9.72)

Steven Philipson <>
Wed, 28 Feb 90 17:19:04 PST
In RISKS DIGEST 9.72 Martyn Thomas <mct@praxis.UUCP> writes:

>The A320 sidestick layout is asymmetric - the captain flies with the
>left hand, the first officer with the right. This means that when the
>first officer is flying in the left-hand seat - as will happen from
>time-to-time, e.g., for training - there is the added unfamiliarity of
>using the other hand.

   and Peter Neumann writes:

>     [It is pessimal when the captain is right-handed and the first officer
>     is left-handed and *both* are flying with the *wrong* hand.  But the
>     switching back and forth must undoubtably be confusing.  PGN]

   This is not a new risk.  Older generation aircraft that have yolks instead
of sidesticks are flown in exactly the same manner.  Throttles are usually
located in the center panel, and both pilots use their inboard hand for
throttles, and their outboard hand to manipulate the yoke.  Sidestick
controllers just change the position of the hand, but not which hand is used.
There are other differences in the use of sidesticks (such as lack of
interconnection on the Airbus), but in handedness they are similar to
conventional controls.

   Switching hands with which one flies is generally viewed as a non-problem.
Pilots get used to switching seats and the hands they fly with early on in
their training, usually well before they step into a jet airliner cockpit.  On
a frequent basis I switch between right and left seats and between aircraft
yokes (which are flown with the left hand from the left seat) and sticks (which
are flown with the right hand from the left seat.  The process is natural and
not at all confusing.

   I have not seen any reports that indicate that there is a significant
problem in switching, although that doesn't prove that there is no loss of
performance.  Pilots reports of difficulty with this are rare (at least, in my

    It is far more difficult to change between aircraft types, or even between
individual aircraft of the same type, when the positions of instruments and
secondary controls vary.  Problems arising from such differences are well
documented and have been identified as causal in numerous accidents.

avionics in the media

John M. Sullivan <sullivan@math.Princeton.EDU>
Sat, 3 Mar 90 17:32:25 -0500
The New York Times has recently had two articles on avionics.
On Feb 14, the Business Technology column featured "McDonnell's
Less Costly New Jet", the MD-11, which is 16% cheaper to fly than the
DC-10, and is intended to "fill a niche" between Boeing's 767 and 747.

  The plane contains an automated cockpit that the company calls the
  world's most advanced, as well as more fuel-efficient engines, some
  lighter-weight parts and aerodynamic refinements like a shortened tail.

But, later we find that

  The plane is a prime example of how aircraft manufacturers are hesitant to
  introduce new technology if it does not translate into savings for the
  airlines.  "High technology isn't necessarily what an airline    wants," said
  Dale Warren, a vice president at Douglas.  "They're in business to make a
  profit."  For example, the company replaced only a few aluminum parts with
  lightweight composite materials, which are more expensive, and chose not to
  use a "fly by wire" electronic control system, in part because of its cost.

A few paragraphs describe the cockpit:

  The most dramatic change to the DC-10 is in its cockpit, which Douglas says
  is the world's most automated.  The plane will have two pilots, compared with
  three in the DC-10; the flight engineer has been replaced by computers that
  automatically perform duties like monitoring fuel flow and adjusting cabin

  The computers can, to some extent, "think" for the pilots, switching valves
  if something should go wrong.  Pilots watch six video displays run by
  computers instead of the dozens of mechanical gauges and dials on the DC-10.
  "Essentially, the pilot pushes a button at the end of the runway and the
  system will guide the plane to the concrete at the destination," sayd George
  Wallace, program manager for Honeywell Inc., which makes the cockpit
  electronics for the plane.

  While similar automated cockpits--already in place on Boeing aircraft and
  Douglas's MD-80 plane--have won prais, pilots have also expressed concern
  that their basic flying skills may atrophy.

  Douglas chose to use a conventional control system, in which the controls are
  operated from the cockpit by mechanical means rather than electronically by
  computers in a new system as "fly by wire" that is used on some Airbus jets.

The article ends by noting that flight testing is 6 months behind schedule.

The Sunday Business section on Feb 18th had a long article "All About:
Avionics".  This mentioned that "Cockpit electronics have become sophisticated
enough to all but take the place of the pilot. ... With the push of a few
buttons, autopilots can guide a plane from NY to LA while the real pilot sits

The electronics may cost $1M, or 10% of the plane's price.  The article notes
that American companies (Bendix/King, Collins Avionics, and Honeywell) dominate
the market.  Other companies would have a hard time entering the market because
of the need for government approval of the systems.

Some problems are discussed:

  The biggest advantage of the glass cockpit is that the black boxes can
  talk to one another.  The on-board computers can calculate an altitude for
  the greatest fuel efficiency and the autopilot can guide the plane there.

  Most pilots like the new technology, with some reservations.  If something
  goes wrong, the problem may be hard to detect.  "Trouble-shooting is a more
  delicate art than before," said Wolfgang Demisch, an analyst with UBS
  Securities.  And a three-year NASA study of 200 Boeing 757 pilots found that
  they were concerned about spending too much time staring at computer screens
  and not enough looking out the windows.  They also worried that their basic
  flying skills would atrophy as they spent more time punching keypads.  "I was
  somewhat concerned with the 'I can't fly but I can type 80 words per minute'
  syndrome," said one pilot.  Still, about 90% of the pilots saw the glass
  cockpit as a big step forward.

Evidently, new FAA rules will require more electronics by 1993, to warn
of impending collisions and warn of wind shear.  The companies that
make the electronics seem happy about this new business.  Other
future possibilities mentioned include storing flight maps on optical disk,
exchanging written messages with flight controllers by 'datalink',
and moving to satellite communication and navigation.

The last paragraph mentions that

  Another project sounds like it could all but replace the co-pilot.  The Air
  Force boldly calls it the "pilot associate."  More than a mere autopilot, the
  associate devices use artificial intelligence to help fly the plane, plan
  missions and deploy weapons.  The project is in such an early stage that it
  will take several years to find its way into jet fighters and, eventually,
  commercial planes.

Note that the concerns expressed in these articles are only about the pilot's
own skills decreasing, and not at all about possible mistakes on the part of
the computer system.  The only reason given for not using fly-by-wire is
                   John M. Sullivan Princeton Univ. Math Dept.

India Airlines' A320

Subhasish Mazumdar <>
Sun, 4 Mar 90 16:48:31 EST
Doubts about Indian engineers and RISKS faced by developing countries.

Regarding the A320 crash, George Michaelson <> writes:
>Doubts were expressed about the ability of the airline to maintain the
>complex flight control equipment ...
>... it seems from this interview as if the Indian
>engineers themselves question their ability to handle this package.
>                              ^^^^^

Indians are extremely annoyed with the performance of the state-run
domestic carrier Indian Airlines, which has a long history of
incredible management problems aggravated by political interference.
Many Indians would agree with those doubts directed at the ability of
*that airline*, but few would accept those doubts directed at Indians
engineers *in general*. This is not the forum to enumerate the
technological sophistication that Indians have demonstrated. Suffice
it to say that the interpretation of the word *their* in George
Michaelson's analysis is difficult to swallow.

>I suspect other parallels exist with well-meaning donation/supply of IT
>infrastructure that failed to match local conditions eg lack of tropical
>"hardening", availability of spike-free UPS, spares, training.

You are right here. Often, however, developing countries are taken for
a ride! I was involved in the assembly of a Flying Spot Scanner at the
Indian Institute of Science, Bangalore, using equipment imported from
a reputed company in the UK. One of the crucial power supplies blew up
when powered up. We traced the problem to incorrect wiring (the
connections to the collector and emitter of a transistor were
reversed, if I remember right). It was evident that the unit *had
never been powered up before shipment*, let alone tested; but the
company refused to admit it, making sly references instead to our lack
of training. We gave up the idea of litigation because of the high
costs involved. Please think for a moment about the RISKs FACED BY
developing countries.

Subhasish Mazumdar,Computer & Information Science, Univ of Massachusetts,
Amherst, MA 01003, USA

Airbus A320: Getting a few things straight

Pete Mellor <>
Mon, 5 Mar 90 13:33:51 PST
A few misunderstandings seem to be creeping into the debate on the A320.
At the risk of adding my own misunderstandings, let me try to clarify a few
points raised in RISKS-9.71 by Steve Milunovic and RISKS-9.72 by Robert Dorsett.

Steve Milunovic (9.71) refers to:
> ... a dispute in France over whether the computerized, highly advanced
> aircraft is too complicated to fly.

One justification for introducing fly-by-wire as in the A320 is that, since
most crashes are due to pilot error, a system that reduces the probability
of such error will make flying safer. There are two aspects to this:

 - Reduction in the pilot's workload.

 - Automatically preventing a command from the pilot taking the aircraft out
   of a 'safe flight envelope', e.g. overriding a command to put the nose up
   and throttle back if this would cause a stall.

To achieve these aims, the A320 must be EASIER to fly than than its
predecessors. It has been argued (I think by one of the pilots' unions) that
being trained to fly the A320 does not qualify a pilot to fly a 'traditional'
('fly-by-string'?) aircraft, in the same way that a driving test taken in an
automatic does not qualify a motorist to drive a vehicle with a standard*

(The issue of MAINTENANCE, as opposed to flying the aircraft, is a different
matter, and I am inclined to agree with Robert Dorsett on this.)

He also refers to a claim that:
> ... the French pilots were opposing it to protect their economic interests.
> The plane uses two pilots; many other aircraft use three.

To be precise, the crew of a traditional aircraft of the size of the A320
includes a pilot, co-pilot, and flight engineer. The flight engineer's job is
to monitor the systems on the aircraft and recover from, or work around, system
failures. Along with fly-by-wire, the A320 includes automatic monitoring of
systems with a CRT display of their status to the pilot and co-pilot. The
argument is that this reporting system does most of the job of the flight
engineer, who is therefore redundant.

Part of the economic justification for the A320 is, therefore:

 - Room for one more passenger.

 - Save the flight engineer's salary.

It is the French and Australian flight ENGINEERS' unions who have argued most
strongly against two-man crews. Their vested interest is obvious, but they have
made a strong case on the grounds of safety for the traditional division of
labour between flying the plane and watching dials. This case was well
presented in a BBC television program in the 'Horizon' series a year or so ago
called 'The Essential Third Man'.

(I believe that one inducement that was offered to the pilots was increased
rates for two-man crews. I am not sure what the current positions of the various
pilots' unions are. If they still oppose the loss of the engineer, I would say
it is to their credit.)

Steve also points out:
> ... as a small note, the flight augmentation system of the 757 is in no way
> comparable to the A320's fly-by-wire system (or its associated software
> protections).  The former is dedicated to damping aerodynamic instability;
> the former [latter? - PM] introduces new *control laws* and appears to be
> intended to work around problems involved in the use of side-stick
> controllers.

Er..., not QUITE. The software in the A320 Electronic Flight Control System
(EFCS) is right at the heart of the whole system. The traditional joy-stick
between the pilot's legs has been replaced by the side-stick because, since the
connection between the pilot and the control surfaces on the wings is electrical
rather than mechanical, brute force is no longer necessary to move the controls.
The side-stick transmits the commands of the pilot to the EFCS, which processes
them together with input from sensors (air-speed indicator, altimeter, etc.) and
sends signals to the effectors governing the control surfaces.

The 'control laws' define how this processing is done. They are implemented as
tables of parameters. There are several sets of laws, each controlling a
particular mode of flight (take-off, cruising, landing, etc.). I am puzzled
by Robert Dorsett's aside:

>... (that is, above 100', beneath which the protections disappear).

The protections CANNOT disappear at any altitude, however low. Perhaps he means
that at this phase of the flight a different set of control laws come into
force. Robert quite correctly states that:

> Airbus proper regards "manual" (electric horizontal stabilizer trim and
> manual rudder) backup as a last-ditch emergency system.  Numerous reports
> indicate that its operation isn't even part of the standard Airbus training
> curriculum.

I believe they train to use manual backup on a simulator. I believe also that
an actual landing using manual backup has been demonstrated by a test pilot,
but that the ability to do such a landing was not required as part
of the type certification. The EFCS is 'flight-critical' (if it fails under
certain circumstances it could result in a catastrophic accident), but not
FULL-TIME flight-critical (its availability need not be 100%, since the
mechanical backup will enable the aircraft to cruise straight and level while
the system is rebooted).

Whatever the details, however, the point is that there is NO WAY that the A320
would be flown on a commercial flight without the EFCS, except in an emergency.

He goes on to say:

> Upon examination, various terms could be examined [You can say that again!-PM]
> --perhaps "manual" means hand-flying it (with protections) to the ground,
> rather than tracking an ILS.

I'm inclined to agree. This confusion over the meaning of "manual" also
bedeviled the accounts of the previous crash.

The point of the slow fly-past at the Mulhouse-Habsheim air show was to
demonstrate the ability of the EFCS to fly the aircraft very close to stalling
without actually doing so. Without such an automatic system, such a manoeuvre
simply would not be possible. Loose statements to the effect that the automatic
system was 'switched off' for the demonstration are nonsense. What probably WAS
done was to set up the EFCS so that cruise 'control laws' still applied at low
altitude, but this is pure speculation on my part, and I should not open my
mouth too wide without hard information as a backup.

To avoid rambling on ad nauseam, I will make two last points:

 - The EFCS is not the only flight-critical software controlled system on the
   A320. The Full-Authority Digital Engine Control (FADEC) is just as vital,
   and obviously must act in cooperation with the EFCS. I have a fair amount
   of information on the fault-tolerant hardware and software architecture of
   the EFCS, but I do not know of anything that has been published about the

 - The overriding concern regarding type-certification of fly-by-wire is our
   continuing inability to certify systems containing software to high levels
   of reliability. FAA and CAA regulations (taken in conjunction with
   explanatory memos) require that a flight-critical system must have a
   demonstrated probability of failure no greater than 10^-9 per flying hour
   in a flight of mean duration. The same set of documents state that no means
   exist of assigning such a probability number to software-induced failure.
   Certification in this case largely rests on the demonstration of adherence
   to a development process standard (RTCA-DOC/178A), together with provision of

It is this latter anomaly that research should address urgently.

*Note for US readers: A vehicle with a standard gearbox has a third pedal
 called the 'clutch', and a wobbly lever next to the driver's seat which has
 to be moved every time you change speed.

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB    Tel.: +44 (0)1-253-4399 Ext. 4162/3/1

Mileage Plus wants me to move

Tim Kay <>
Wed, 28 Feb 90 11:13:29 pst
Mileage Plus is United's travel bank.  I can redeem miles traveled on United
Airlines along with dollars spent on my Mileage Plus Visa card for free travel

I just finished a conversation with a United Mileage Plus representative,
informing her for the FIFTH time that my zip code is 91125 rather than 91102.
Each time their computer changes the zip code back to 91102 in a way that they
cannot override.  I get no mail from them.

The problem is that Caltech has its own zip code.  My address is

    Tim Kay,    Caltech, 256-80,    Pasadena, CA  91125

The representative checked further and explained that their computer "knows"
that Pasadena doesn't have a 91125 zip code.  (They then somehow come up with
91102 totally bogus; 91106 is the surrounding zip code.)  Could I please give
them my home address instead?  No, I don't check my mail box at home.

She had no further suggestions.  I guess I'd have to stop using their services
until I move!

I suggested we try

    Tim Kay,    Box 256-80,     Caltech, CA  91125

I can't wait to see what happens.

Credit-card fraud [previously in; RISKS-relevant too]

Douglas Mason <>
Thu, 1 Mar 90 20:26 CST
Something interesting that I heard was going on at [eastern college] was that a
couple of students were able to get a hold of a credit-card magnetic strip
recorder somehow.  They also stole purses, wallets, anything that they could
get their hands on that had credit cards in it.

After doing the above, they would dig through dumpsters (we all know that
story) and pick up carbons or other receipts that have credit card numbers on
them, and make a list of valid card numbers.

Using the encoding machine, they then erased the old card number off of the
magnetic strip (which had probably been reported stolen by this time) and
encoded on that same strip one of the card numbers that they had picked up out
of the dumpsters.

So now they have say a MasterCard with an invalid number embossed on the front
of it, and a different-but-valid account on the magnetic strip.  What good is
this?  Plenty good for the clever thief!

They then went into shopping malls or anywhere that the credit-card validation
machines were the all-too-familiar "slide the card through and read the number
off the mag strip" type.

The merchant would authorize the card successfully and get an approval code,
then run the card though and get a paper receipt.  The merchants never check
the card number on the authorization machine display and compare it to that of
the card!

When the merchants send in the credit card slips to the bank, they of course
come back, and I imagine it takes a long time to figure out what exactly

Merchants beware!

-Douglas Mason

Douglas T. Mason       or dtmason@m-net.UUCP

Please report problems with the web pages to the maintainer