Subject: RISKS DIGEST 10.06
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Thursday 7 June 1990  Volume 10 : Issue 06

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Bei Mir ist es nicht schoen (PGN)
  Re: Network follies (Carl Howe)
  Bitnet FTP-ing of back issues (Paolo Mattiangeli)
  Risk is in the eye of the beholder? (Dick Wexelblat)
  Re: The A320's attacks of nerves (Robert Dorsett, Steven Philipson)
  Re: Article on A320 (Karl Swartz)
  A320 - The Attacks Continue (Pete Mellor)
  Re: Private mail on BBSes...(and the A320?) (Pete Mellor)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
TO FTP VOL i ISSUE j:  ftp CRVAX.sri.com
                       login anonymous
                       AnyNonNullPW
                       cd sys$user2:[risks]
                       GET RISKS-i.j
  ; j is TWO digits.  Vol summaries in risks-i.00 (j=0);
  "dir risks-*.*" gets you directory listing of back issues.
ALL CONTRIBUTIONS ARE CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.

----------------------------------------------------------------------

Date: Thu, 7 Jun 1990 16:13:40 PDT
From: "Peter G. Neumann"
Subject: Bei Mir ist es nicht schoen

Sorry for the Germano-Russian pun, but the two Soviet cosmonauts aboard the space station Mir (= peace) for the past three months have been waiting for supplies to be brought up by the module Kristall, launched on 31 May, so that they may attempt to stay in space to attempt repairs of their Soyuz spacecraft (whose insulation was damaged on launch on 11 February).  The computer controlling the docking of Kristall with Mir shut down the docking operation two hours ahead of schedule yesterday.
A Tass report speculates that the computer system might have detected a malfunction in one of the Kristall's orientation system engines.  Keep an eye out for further details.

[Source: San Francisco Chronicle, 7 June 1990, p. A20]

------------------------------

Date: Thu, 7 Jun 90 16:08:45 EDT
From: chowe@BBN.COM
Subject: Re: Network follies (Shimeall, RISKS-10.05)

I'm sure someone must have already replied to you about this, but what they probably were doing were reconfiguring to deal with the fact that the Arpanet was decommissioned on June 1.  There is no more Arpanet.  You were probably rerouted to your local regional net, which in turn is gatewayed to other networks, thereby making it apparent that the Arpanet is "back".  But rest assured, the Arpanet is dead.

Carl

   [THE ARPANET IS DEAD.  LONG LIVE THE ARPANET.  PGN]

------------------------------

Date: Thu, 7 Jun 90 06:04:01 -0700
From: MERCEDES@IRMUNISA.BITNET
Subject: Bitnet FTP-ing of back issues

At last I have discovered a way to get back issues of RISKS-Forum via BITNET.  I think it could be interesting for you:

BITFTP at PUCC is the e-mail address to get FTP-BITNET redirection.  You should send a message like this to BITFTP:

   ftp CRVAX.sri.com
   login anonymous
   cd sys$user2:[risks]
   get risks-i.j       [for some legitimate values of i and j, obviously]
   quit

Please note that connection to CRVAX.sri.com is allowed only after 7 PM.  After a while, BITFTP replies with a session log and, if the file has been successfully retrieved, will send the file itself.

P. Paolo Mattiangeli, Università di Roma "La Sapienza", Dipartimento di Fisica N.E., P.le Aldo Moro, 4 - 00185 Roma Italy

------------------------------

Date: Thu, 07 Jun 90 14:44:08 E+1
From: rwex@ida.org
Subject: Risk is in the eye of the beholder?

At a briefing today, we were given information about the ATF (advanced tactical fighter) reported to be "tip-top secret."
(ATF is a highly automated plane that will eventually -- one is told -- house the Pilot's Assistant, an AI package that can fly, land, and fight the plane under every circumstance.  Right.  Anyway...)

The ATF has two cockpits.  In the front one is a man.  In the back one is a dog.  The responsibility of the man is to turn around periodically and feed the dog.  The responsibility of the dog is to bite the man if he ever tries to touch any of the controls.

Well, it seemed funny at the time.

--Dick Wexelblat

   [We seem to be specializing in old shaggy dog stories.  PGN]

------------------------------

Date: Wed, 6 Jun 90 22:52:05 CDT
From: rdd@rascal.ics.utexas.edu (Robert Dorsett)
Subject: Re: The A320's attacks of nerves (RISKS-10.02)

> Mr. Bertrand Bonneau (the translator to English)

Actually, Mr. Mellor did the translation.  [Yes, that's what he said in RISKS-10.02.  PGN]

>For example, I was very surprised by the total absence of any reference
>to the B7[5]7/B767 with their glass cockpits and computers.

The B757/767 and A320 are two different generations of aircraft.  And nobody's crashed a 757/767 yet.  The airplanes could certainly come in for criticism (for the way Boeing's addressed the general man-machine problems of glass cockpits), but the *critical* issue of the day is the A320.

Looks like it's time for some refresher background:

757, 767, and A310: introduced in '82 and '83: characterized by *conventional* flight controls, glass artificial horizons and nav displays (EFIS), and performance management systems (PMS).  These airplanes are referred to as "classical glass" by at least one magazine (Flight International).

The 757 and 767 have identical cockpits.  They have conventional (analog dial) airspeed, altitude, vertical speed, and VOR/ADF indicators.  These surround the two glass EFIS CRT's to form the "classic T."
Engine monitoring is accomplished through an Engine Indication Control Advisory (EICAS) system, which is comprised of a primary flight instrumentation display (engine power, temperature, etc) and a secondary advisory display (checklists, hints, systems info, etc. pop up).  These are stacked on top of each other on the center console.

Boeing's operational cockpit philosophy, since the early 1970's, has been "need to know."  The 757/767 represent the most extreme manifestation of this philosophy, by any manufacturer, to date.  The implementation has resulted in the *necessity* of pilots having to work around system obstacles, by pulling circuit breakers (one source claims that on a typical 767 flight, sixty CB's are set and reset).  Data from an (unpublished?) survey by Earl Wiener indicates that pilots are neatly divided in their opinions of the 757/767 cockpit.

The A310 is similar, except it packs more info into the EFIS displays, and it has conventional dial engine instruments.  However, it also has two EICAS displays, to handle a multitude of system and advisory information.  Airbus's philosophy (on the A310) was "nice to know."  The cockpit is not, however, popular with pilots, because of a variety of environmental factors (too cold, for one).  There is a retrofit which gives the A300-600 more or less the A310's cockpit.  The A320 design leans more in the 757/767 direction.

Next generation: the A320 (introduced in 1988).  The A320 did away with most dials (except for backup instrumentation) and combined airspeed and altitude information into the primary flight display.  These bracket (left and right, respectively) the artificial horizon display.  The display is quite small (7.25"), and, in my opinion, poorly designed (this was recently discussed ad nauseam on RISKS and sci.aeronautics).  The nav display (beneath it) is more or less a typical nav display.  Nothing revolutionary there.

The flight controls on the A320 are non-standard.
The aircraft is controlled through sidesticks, which map pilot commands into aircraft action.  There are a multitude of control modes available (for instance, "direct" mode, in which the sidestick deflections map to surface deflections), "autopilot" (in which the sidestick controls the autopilot), "C*" (which provides an unconventional method of flight guidance), etc.  There are also many "protections" built into the various modes, such as automatic engine spool-up if the angle of attack gets too high (alpha floor--but it doesn't work under 100' radio altitude, hence the Habsheim crash), preventing excessive bank or pitch, etc.  The two sidesticks do not provide "active" artificial feel (although they do have a spring to prevent excessive deflection), and are not interconnected.

There are manual backups to the flight control system, but they're not intended for normal use.  The "manual" backups amount to electric trim, a manual rudder, and, according to at least one source, a manually settable horizontal stabilizer.  At least one source has claimed that Airbus isn't advocating training for the "manual" flight mode, despite it being the only way that a test flight (which Bev Littlewood recently mentioned) could have been landed.

Latest generation: MD-11/747-400.  The MD-11 (1990) and 747-400 (1989) feature six large color CRT displays, and provide data in a manner similar to that of the A320 and 757/767.  The MD-11 features a "fly-by-wire" system (without any changes in control laws and no protections), with a fully "manual" hydraulic backup.  The 747-400 features a standard hydraulic-based control system.  Both airplanes are two-man ships, though, and include significantly reworked electrical and systems design.  Note, though, that both Boeing and McDonnell-Douglas have opted for *conventional* flight laws.  Boeing is reportedly continuing the trend with the 767-X (777), which, if launched, will have fiber-optic "fly-by-light" systems.
In essence, these airplanes share (a) similar nav displays, (b) similar PMS/FMCS systems, (c) similar (unknown) problems relating to the consequences of using digital electronics for flight-critical systems (these range from static problems to temperature to solar radiation), (d) the unknown effects of "hiding" a lot of information in two little CRT's, and (e) a propensity to encourage "heads-down" behavior.  Only the A320, however, has a fly-by-wire system with "unconventional" control laws, and only the A320 has been sold on the basis of preventing the pilot from making fatal errors.

As you note, though,

>The main point of this article is that the procedures were bad,

which brings us back to ERGONOMICS.  The point of the article was to draw attention to the questionable workmanship of the aircraft, and the poor man-machine interface.  In my opinion, the A320 is the real loser in the crop of digital airplanes, with the 747-400/MD-11 coming a distant second (for the idiotic decision to introduce long-range aircraft with only two pilots).

>the French FAA was conducting the investigation rather than the French
>Department of Justice.

Actually, both the DGCA and a local magistrate were conducting an investigation.  The DGCA has released its report, which white-washed the aircraft and systems.  The magistrate's report is still to be released (?).

>Even if the French judges are only ten times
>technically-smarter than ours and if the French-FAA is only ten times
>more corrupted than ours, I'd still rather see their FAA, not their DoJ
>conduct the investigation.

But there's an explicit conflict of interest there: Airbus Industrie is essentially a public-works project for the aerospace sector in Europe.  It is HEAVILY financed by the French government, and is a major employer in France.  French prestige is on the line, and we all know how "weird" the French government can get, when protecting its interests (remember the Rainbow Warrior? :-)).
The behavior of both the French government after Habsheim, and Airbus Industrie after Bangalore, are certainly bases for skepticism.

>Well, in the US the NTSB (and the FAA)
>typically have "probable cause" within a day, even though investigations
>take many months or even years.  Is it suspect, too?

There are numerous cases when the NTSB has not been able to issue a probable cause, and numerous more where the probable cause has turned out to be incorrect.  What the French government did, however, was state--in a definitive manner--that the Habsheim crash was a result of pilot error.  The FORM their statement took would certainly not be acceptable coming from the NTSB.  It must be very awkward to have a supposedly objective government agency immediately *defending* an airplane of which many hard questions can be asked.  It's my impression that what irked many people was this very sight of their government playing the role of apologist.

To the best of my knowledge, the FAA does not issue probable-cause statements.  Its options are limited to emergency regulatory action, based upon preliminary crash assessments from the NTSB (cf. the AAL DC-10 at O'Hare).  It, too, has been known to reverse its decisions.

>To sum it up: opinionated reporting may leave something to be desired.

The style of the article was somewhat clumsy, but it has a number of good points.  It is not appropriate to discount it solely because of its feeble attempts at rhetoric.  A number of people seem to have been thrown off by the assumption that it represents the epitome of the debate in France.  It doesn't, as Pete Mellor has noted.  But it certainly contains enough (apocryphal) anecdotes to stimulate serious discussion.
Robert Dorsett                       Internet: rdd@rascal.ics.utexas.edu
Moderator, Aeronautics Digest        UUCP: ...cs.utexas.edu!rascal.ics.utexas.edu!rdd

------------------------------

Date: Thu, 7 Jun 90 15:26:06 PDT
From: stevenp@decpa.pa.dec.com (Steven Philipson)
Subject: Re: The A320's attacks of nerves (Cohen, RISKS-10.05)

In RISKS 10.05, Danny Cohen made some statements regarding accident investigation in the US that are not correct.

> [...]  Well, in the US the NTSB (and the FAA)
>typically have "probable cause" within a day, even though investigations
>take many months or even years.  Is it suspect, too?

The FAA *never* issues statements of probable cause -- it is outside its jurisdiction.  The NTSB has primary jurisdiction.  The role of the FAA in accident investigation is to collect facts and assist the NTSB in their investigation of accidents.

Probable cause statements are issued by the NTSB in accident reports that typically are released about six months after the accident.  NTSB board members will on occasion issue statements about the focus of investigation, and about preliminary findings, but official statements are not made until exhaustive study is complete and the accident report is completed.  Safety recommendations can be made more expeditiously when an urgent need is perceived, but this is not equivalent to a statement of probable cause.  There would be a tremendous negative response to a Board member if he/she made such a statement within a day, and indeed, such a statement would be suspect.  Just for fun, I challenge all RISKS readers to find a single case wherein such a statement was made "within a day".

In the case of the Aloha accident certain facts were known fairly quickly.  Recommendations were made to the FAA to address perceived safety problems, but no statement of probable cause was issued until the official report was released.

>To sum it up: opinionated reporting may leave something to be desired.

Granted.  The same can be said of misinformed reporting.
Steve Philipson

------------------------------

Date: 4 Jun 90 02:21:46 PDT (Mon)
From: kls@ditka.UUCP (Karl Swartz)
Subject: Re: Article on A320 (Mellor, RISKS-10.02)

I don't have definitive answers, but I think I can clarify the terms a bit.

"About-turn on the ground" is an abort before the beginning of the takeoff roll, that is, a decision to return during the pre-takeoff taxiing, whereas an "acceleration-stop" is an abort after the beginning of the takeoff roll but before V1 (the velocity at which the plane is committed to a takeoff) is attained.  The latter is an aborted takeoff; beyond V1 the plane is committed to a takeoff though once airborne the crew could immediately turn back and land.

As for the matter of "cabin altitude being on the increase", pressure in the cabin is measured in terms of altitude rather than PSI or bars or some other unit.  Typically, the cabin of a commercial aircraft is pressurized to a pressure equal to that at an altitude of 8,000 feet above mean sea level.  A failure of the pressurization system would cause the pressure to decrease such that the effective cabin altitude would increase from nominal, approaching the actual altitude of the aircraft.  Often this occurs due to a rupture of the pressure cabin and a consequent violent decompression, but in this case it appears the decompression was gradual, presumably due to a failure of the regulation systems.  No matter, the pilots still must descend to an altitude at which the cabin altitude is within acceptable limits.

Karl Swartz, 1738 Deer Creek Ct., San Jose CA 95148  1-408/223-1308

------------------------------

Date: Thu, 7 Jun 90 20:33:41 PDT
From: Pete Mellor
Subject: A320 - The Attacks Continue

In RISKS-10.05, Danny Cohen writes:

> About the A320'S ATTACKS OF NERVES
> Mr. Bertrand Bonneau (the translator to English) did a terrific job of
> translation, given his knowledge of the subject area.  Too bad that the
> original writer is not more knowledgeable of aviation.
If this is a joke about the translation, it's a bit too subtle for me!  My Collins-Robert French Dictionary gives: "crise de nerfs - attack of nerves, fit of hysterics;"  Mmm...perhaps the second alternative might be better :-)

Assuming from the lack of smiley that Danny Cohen is serious, then he can't have read my disclaimer.  He goes on:

> For example, I was very surprised by the total absence of any reference
> to the B767/B767 with their glass cockpits and computers.

Maybe, but M. Bonneau *does* say "...the embedding of numerous pieces of software on board aircraft of the new generation (A320, but also McDonnell-Douglas MD 11, Boeing 747-400, among others) can pose problems for the official agencies.", so he is obviously aware that the A320 is not the only computerised civil aircraft.

> The main point of this article...

[Actually the main point of the subsection on the enquiry into the Mulhouse-Habsheim crash: the main article is far more concerned with technical problems of FBW and glass cockpits.]

> ...is that the procedures were bad, and that
> the French FAA was conducting the investigation rather than the French
> Department of Justice.

Err...not *quite*.  Bonneau's point is that French government regulations (to which he gives precise references) place the responsibility for conducting such investigations on the Inspection Generale de l'Aviation Civile (IGAC), under the direct authority of the Minister of Transport [note: *not* the "French Department of Justice"], and not on the Direction Generale de l'Aviation Civile (DGAC), which is the French equivalent of the FAA.

The only information I previously had on alleged procedural irregularities came from some slightly confused accounts in the UK and US press (Herald Tribune 11th July 1988, Financial Times 11th July 1988, Guardian 12th July 1988, New Scientist 21st July 1988).
It was Germain Sengelin, senior examining magistrate at Mulhouse, who complained at the DFDR and CVR being handed over to the DGAC without being placed under judicial seal to "guarantee their authenticity and integrity" until the enquiry.  He was taken off the case.

> Well, in the US the NTSB (and the FAA)
> typically have "probable cause" within a day, even though investigations
> take many months or even years.  Is it suspect, too?

Depends.  The pilot and copilot survived the Mulhouse crash, and immediately made statements implicating delays in engine acceleration (Times 27th June 1988).  The engines are controlled by FADEC, and this in turn responds to the EFCS.  The question about exactly *what* goes onto the DFDR, and from *where* it is captured in the processing chain, had previously occurred to several people (including myself) who take an interest in the A320.  If Bonneau's claims about this are correct, it confirms our suspicions: even *with* the information from the DFDR, it would not be possible to identify "pilot error" as the sole cause without other evidence.

Metal fatigue in antique airframes (Aloha B737 28-Apr-88) is well understood as a cause of accident.  Systematic failure of a complex FBW system is not.  That, together with the statement of an experienced pilot that the engines did not respond to commands, make the following timetable look a bit like a "rush to judgement":

26th June, 1245:    Mulhouse crash.  DGAC takes control of DFDR and CVR.

26th June, evening: Air France and BA A320s grounded.

27th June:          Louis Mermaz, French Minister of Transport, announces that analysis had shown the plane suffered no technical problems.  (Guardian, 28th June)

Same day:           Jean Volff, local public prosecutor at Mulhouse, announces that "The inquiry points towards pilot error." and that "he could not exclude prosecution of the pilots for manslaughter if error is proved".
                    (Guardian, 28th June, same article)

Same day:           BA reverses grounding decision after "it had discussed the situation with both the Civil Aviation Authority and manufacturers Airbus Industrie".  (Evening Standard, 27th June)

28th June:          A320s back in service.

The last event is the one that matters, of course.  Bonneau's speculation that "... the concern of the only technical enquiry had overridden that of the judicial enquiry." may be true.  The concern that overrode everything was to get the A320 back in the air.

From the New Scientist, 21st July 1988:

"...the day after the accident, the DGAC announced a preliminary conclusion that the pilots, and not the aircraft, were to blame for the disaster.  According to the French press, details of the flight records were given to Aerospatiale, which announced that it had confirmation that the aircraft was not at fault in the crash.  Several days later, the DGAC exonerated the mechanical performance of the Airbus.  The head of the DGAC, Daniel Tenenbaum, said that if this had not been the case, it would have been necessary to ground the A320 for tests."

(And we couldn't have that, now, could we? :-)

[In fairness, I should add that I have spoken to a number of people in the CAA and elsewhere who know a lot about flight certification and about the Mulhouse accident in particular, who have assured me that it *was* pilot error, but, as always, confidentiality prevented them from saying *how* they knew that.]

> I take it to imply that this shows that because of "*Industrial
> Secrets*" (which cover the software) the operating airlines could not
> use any "good computer scientist" to simply go ahead and fix that fault.
> If this is the case -- how about all the regression testing ...

I agree.  If Bonneau thinks that each user could hack together his own patches, then he's WRONG.
He is, however, quite right to point out elsewhere that it's not possible to certify a system containing embedded software to any high degree of reliability (and certainly not to 10^-9) by treating it as a black box, and the industrial secrecy protecting the A320 software means that it is possible to do little else.

In fact the regulations (FAR 25.1309 plus AC 25.1309-1) require a "critical" *system* to be demonstrated to have 10^-9 max. probability of failure, but specifically 'cop out' when it comes to the *software* in those systems, and refer to RTCA/DO-178A, "Software Considerations in Airborne Systems and Equipment Certification", which is essentially a set of guidelines for good development practice, and requires that certain documents (specifications, test plans and results, etc.) be made available to the certification authority.  There are 3 levels of software, of which level 1 is for "critical" systems (those which can crash the aircraft if they fail).  (However, note that by "using appropriate design and/or implementation techniques" it may be possible to put lower level software in a critical system.)  Even at level 1, source code and object code are *not* required, and a source listing is only required for a re-certification following modification!  Only the vendor of the software and the customer (i.e. the airframe manufacturer) are required to test the software.

A320 EFCS software was rated as level 1.  Heaven knows what's in the FADEC!  (The European regulations are almost identical to the US.)

As a modest proposal for improving our certification of flight-critical software, may I suggest:

- Access to source and object code by certification authority.
- Independent Verification and Validation (IV&V) by 3rd party.

Danny Cohen ends:

> To sum it up: opinionated reporting may leave something to be desired.

To which I say: so may our certification procedures for flight-critical software!
Also in RISKS-10.05, Atkielski.TDS-ASF@SYSTEM-M.PHX.BULL.COM points out that the actual magazine is "Science & Vie", and that the article was in the "Aeronautique" section.  Sorry, my fault.  Serves me right for working from a photocopy of only the relevant pages.

He also points out that:

> A rebuttal from Bernard Ziegler, technical director
> of Airbus Industrie, may be found in the following May issue.

My thanks for this information.  Perhaps in the interests of balance, RISKS should carry a translation of that, too.  Are you offering, Bernard?  Come on, it's someone else's turn! :-)

My thanks also to Steven Philipson, Karl Swartz and Jordan Brown for answers to my queries about the terms "acceleration-stop", etc.  Since Karl copied his reply to RISKS, I assume it will be appearing shortly.

Pete Mellor (Author of the above, but mere translator of Bertrand Bonneau's article!)

------------------------------

Date: Thu, 7 Jun 90 20:53:21 PDT
From: Pete Mellor
Subject: Re: Private mail on BBSes...(and the A320?)

With regard to David Gursky's points about BBS mail that deals with "illegal" activities, what if Airbus Industrie decides Bertrand Bonneau's article is libellous?  Do they sue the publishers of "Science & Vie", M. Bonneau, me, Peter G. Neumann, or all of us?  OK, RISKS is a moderated forum, so I suppose the buck ought to stop with the moderator. :-)

This problem reminds me, however, of the case of Goldsmith v. Pressdram (publishers of the UK magazine "Private Eye") a few years ago.  Sir James Goldsmith sued Private Eye for libel.  As part of his action, he also tried to sue the distributors and retailers of the magazine.  This was thrown out, since if the precedent had been established, it would have meant that every newsagent and magazine stall-holder in the land would be expected to read every publication he sold from cover to cover, and be liable if he failed to withhold any issue that was libellous.
Doesn't a similar common-sense principle apply to (non-moderated) BBS's?

Pete Mellor

------------------------------

End of RISKS-FORUM Digest 10.06
************************