RISKS-LIST: RISKS-FORUM Digest Monday 16 May 1988 Volume 6 : Issue 85 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Don't always assume the computer is wrong [elevator control] (Greg Kable) Warning: Trojan turkey program (Doug Fouts via Tim Morgan and Nancy Leveson) Program Trading (Vint Cerf) Metallic Helium Balloons (Steven McBride) A320 update (Robert Dorsett, Franklin Anthes) Navigation (Robert Dorsett) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM. For Vol i issue j, ftp kl.sri.com, get stripe:risks-i.j ... . Volume summaries in (i, max j) = (1,46),(2,57),(3,92),(4,97),(5,85). ---------------------------------------------------------------------- Date: Sun, 15 May 88 17:19:58 EST From: munnari!ubo.oz.au!gregk@uunet.UU.NET (Greg Kable) Subject: Don't always assume the computer is wrong [elevator control computer] I recently heard of an interesting risk associated with people ignoring (apparently) invalid results because they assume the computer displaying them is broken. The State Bank building in Sydney has lifts (elevators) which announce (with a North American accent) the current floor and lift direction each time the door opens. They also have a strip display above the door showing the date, time of day, temperature and such. While travelling to an appointment in this building, a friend noticed that according to the display the temperature was 63 degrees Celsius (about 145 Fahrenhieit). He naturally assumed this was some sort of error and ignored it. However when he went to leave the building fifteen minutes later, he found that the lifts were out of order due to a fire in the control room. So if you are ever in one of these lifts and the temperature display is a bit high, please notify the building management in case it's on fire. Greg Kable Honeywell Bull Australia ACSnet: gregk@ubo.honeywell.oz 124 Walker St, UUCP: uunet!munnari!ubo.honeywell.oz.au!gregk Nth Sydney, NSW, 2060 Phone: (02) 9239549 ------------------------------ Date: Thu, 12 May 88 19:20:43 -0700 From: Nancy Leveson Subject: Warning: Trojan turkey program To: ICS@ruby-falls.ICS.UCI.EDU Subject: Warning! Date: Thu, 12 May 88 13:07:21 -0700 From: Tim Morgan Everyone should be aware of the program described in the following message. We don't want to have to restore any files for anyone... Date: Tue, 10 May 88 12:48:16 PDT From: Doug Fouts To: jwills@venera.isi.edu Subject: EMAIL WARNING I have just been informed by a friend of mine here at U.C.S.B. that there is a program being passed around via ARPAnet (and also some other computer networks) that is called "turkey". The instructions that are sent with the program say that when compiled and run the program will draw a nice picture of a turkey. I have been informed that the program is a (not very funny) joke. It does not draw a turkey, but it does erase all of the unprotected files in your directory. You might want to pass this information along to people you know who use the network, as I am doing. Doug Fouts ------------------------------ Date: 14 May 1988 06:12-EDT From: CERF@A.ISI.EDU Subject: Program Trading Do RISKS Forum readers have anything to say about the following thought on program trading: The stock market is a closed-loop feedback control system. Prices fluctuate based on the demand for stock or desire to sell it. The introduction of computer-based trading which makes decisions on a very short time-scale, introduces into the system a very rapid response time. In other feedback control systems, it is necessary to introduce damping to avoid wild oscillations, when you have a very fast response mechanism. The present stock market automation system, including the program trading facilities, appears to offer no damping at all. Is it legitimate to conclude that the system is an example of an undamped feedback control and therefore prone to wildly oscillatory behavior? Would some form of damping (limits on maximum stock value excurions as a percentage of stock value, for instance) serve as an adequate damper? I am not a control theoretician, so my thought may simply be naive analogical reasoning - I am prepared to be educated on the point. Vint [Program trading has been considered in RISKS-5.44, 5-52, 5-70, 6.1, 6.11, and 6.37. There were some earlier discussions on stable feedback loops. Perhaps someone will venture a definitive response... PGN] ------------------------------ Date: Wed, 11 May 88 13:05:07 pdt From: Steven McBride Subject: Metallic Helium Balloons A Boeing Company Renton Division Safety Alert: SOARING PROBLEM: METALLIC HELIUM BALLOONS CAN CAUSE POWER OUTAGES. Metallic helium balloons -- popular gifts during holidays, birthdays and other special events -- are no longer allowed on Boeing sites because of the severe damage they can cause to electric power lines. The problem is that the balloons are often coated with one-1,000th of an inch of aluminum, which makes an excellent conductor of electricity. When a stray metallic balloon comes in contact with power lines, it can cause electricity to arc between transformers and sometimes cause live wires to fall to the ground threatening the safety of bystanders. In Antioch, California, last year, a balloon caused a 12-hour blackout in which a power surge fried the wires of microwave ovens, videocassette recorders and television sets. A power outage encompassing the entire Renton complex occurred February 9th when a metallic helium balloon touched a 55,000-volt power line west of the 10-50 building. A similar unscheduled power outage occurred last year when a metallic balloon came in contact with a power line north of the 10-50 building. Because of the serious and costly nature of the problem, no metallic balloons of any kind will be allowed on a Boeing site for any reason. ------------------------------ Date: Sat, 14 May 88 23:19:38 CDT From: mentat@huey.cc.utexas.edu (Robert Dorsett) Subject: A320 update There is a good article on several manufacturers' attitudes toward aircraft avionics in the April 16 issue of "Flight International." Airbus currently feels that the test of fly-by-wire is in maintenance, rather than operational reliability. They have multi-level redundancy on many systems, and enforced strong separation of design teams for the redundant equipment. They used different manufacturers for each level of redundancy, and made sure that there were no common members of the software development teams. Nonetheless, Airbus indicated that the airplane would have faced far stiffer certification without the manual backup on the horizontal stabilizer and rudder (which, ironically, crews are not being trained to use--despite a complete system failure during testing). A rather interesting portion of the article suggests that Boeing, in its never ending quest to cut equipment weights, is considering getting rid of many antiquated analog and digital computers--which provide a de facto high degree of redundancy in a distributed computing environment--and re- placing many of the systems with a single high-speed computer. This should cause interesting problems. An earlier reader indicated that there was a lawsuit being conducted in England to stop the A320 from being utilized by British Airways. Apparently the suit failed. British Airways accepted its first A320 a couple of weeks ago, and should be starting route service about now. BA itself was quite concerned about the cockpit design, and apparently put the airplane through extensive testing. Information that I have suggests they don't really like the air- plane, but can't get out of their commitments. On another front, a more recent issue of "Flight International" suggests that one reason for the A320's popularity with short-haul operators is that Boeing was sluggish in releasing the 737-400, a large-capacity short-range transport (with a glass cockpit, but manual controls). As a consequence, Lufthansa is replacing all of its 727's with A320's, and plans on replacing its DC-10's with A340's for cockpit commonality. It is also planning on replacing all of its 747-200's with 747-400's, the all-glass, fly-by-wire 747. Robert Dorsett, University of TX at Austin Internet: mentat@walt.cc.utexas.edu UUCP:{ihnp4, allegra,decvax}!ut-emx!walt.cc.utexas.edu!mentat ------------------------------ Date: Mon, 9 May 88 17:45:48 +0200 From: mcvax!geocub!anthes@uunet.UU.NET Subject: Airbus 320 (Re: RISKS-6.76) Organization: Greco de programmation, Bordeaux France A couple of details on the AirBus A320 Excerpts from an article published in the May issue of "Sciences & Vie Micro" (translated from the French original) When taking the plane [the A320], what is the probability that it will crash due to a software error? One chance in a million? Wrong! One chance in a billion and that for each hour of flight. ------------------------------ Date: Sat, 14 May 88 23:21:47 CDT From: mentat@huey.cc.utexas.edu (Robert Dorsett) Subject: Navigation In reference to my earlier post on KAL 007, I should also point out that it has been suggested (in Hirsh's book, if memory serves) that if the original airplane waypoint (the start position on the ground, waypoint 0) is entered incorrectly, the entire course will be translated somewhat. For this to occur, the start position would have to be entered in intermix mode (BIG no-no), and the INS's would have had to have been shut down before the flight. This is a very important number, needless to say, and a traditionally high importance has been assigned to its entry. It isn't a "casual entry." Even if it should be entered in intermix mode, both the captain and first officer should cross-check it. There is the possibility, though, that it could be derived from a map, written down incorrectly, then entered properly--but from bad data. In this case, the cross- check wouldn't produce any "errors." However, I do not remember any major gripes reported about the KAL flight by ATC or other authorities, which should have come up if this had happened, since the airplane would have been off course practically from the minute it started its enroute climb. Another reader sent me email asking me to detail manual navigation alternatives to automation. That wasn't exactly my point in the post. There doesn't seem to be any alternative to computer-augmented systems, both from reliability and safety standpoints. Rather, I'm concerned about the way they are supposed to be used by their human operators. The current trend is to assign the pilot a caretaker role, on the assumption that (a) the systems will never fail, and (b) that the pilot is a manager of systems. Unfortunately (a) isn't true, and (b) relegates the human pilot to the role of observer, which can produce operator errors (largely out of boredom or apathy) or render him incapable to intervene in the aircraft's welfare if a bona fide emergency should develop (as the China Airlines flipover three years ago demonstrated). But to answer the question (which may be of academic interest to the readers), here are the main navigational aids and techniques which have been developed over the years: I. Techniques: a. Dead reckoning. Assumes the pilot keeps track of airspeed and has some knowledge of the winds. The relevant instruments are a magnetic compass, airspeed indicator, a clock, and accurate weather information. An altimeter would also be handy at higher altitudes. Dead reckoning requires the pilot to be very much in the aircraft "loop." It is used with a variety of other techniques these days. b. Pilotage. In this mode, the pilot flies by reference to the ground. Traditionally, it's flying by reference to ground features, but the definition can be extended to incorporate ground-based radio navigation aids. As one might guess from the rest of this article, we are moving away from pilotage and back towards dead reckoning as a primary means of flight--with the exception that it is all automated and the pilot is largely out of the loop. II. Airborne systems: 1. ADF. Automatic direction finding. A ground-based navigational aid (really, any source of electromagnetic radiation) "beams" undirected electromagnetic radiation. The instrument on the airplane which interprets the information appears as a needle with some sort of azimuth reference. On most light airplanes, the ADF indicator is a fixed card with markings from 0 to 359 degrees. The aircraft heading is *always* 0 degrees; the card demonstrates a relative offset. For example, if the airplane is pointed due south (180 degrees) and has an ADF bearing of 350 degrees, the navaid's magnetic bearing is 170 degrees. As technology improved, during the 50's a flux-gate gyro compass was installed in many larger airplanes. Essentially, this looked like the fixed ADF card, except it *moved*, and provided precise compass bearings. It did not suffer from the usual gyro precession problems, due to the fact that it automatically recalibrated itself. ADF needles were installed on it (usually two) and thus provided an easy-to-read, precise synopsis of both the airplane's heading and the exact magnetic bearing of the selected navigational aids. It removed one level of computation from the pilot, but this is generally considered a Good Thing; the old system was rather kludgy. The ADF/flux-gate gyro compass is commonly called a Radio-Magnetic Indicator, or RMI. ADF systems generally have a limited range, due to the HF frequencies used. 50-75 miles tops, often quite less. They were also susceptible to atmospheric problems, such as thunderstorms. In modern navigation, the ADF equipment is almost exclusively used in executing approaches in homing onto marker beacons. 2. VOR. Variable omnirange. A VOR is another ground-based aid, but one which works with aircraft on-board systems to provide an illusion of a "compass rose" emanating from the station. For example, if the airplane is exactly south of the station, and has a bearing of 0 degrees to it, it will be receiving the 180 radial. But that information pertains to the airplane relative to the position to the station, and not the airplane attitude itself: the airplane can be pointed in any direction whatsoever and still receive the 180 radial. VOR range is dependent on the slant range of the airplane to the navaid. VOR's use the very high frequency (VHF) band range (108.00 to 119.95 MhZ) and do not suffer any deterioration in performance due to atmospheric conditions. An airplane flying at, say, 39,000 feet would be able to detect a station (with sufficient broadcasting power) 300 nautical miles away. VOR's provide the standard method of navigation. Four methods have been developed to use this information: a. The first was the course deviation indicator (CDI). This displays information on how far away the airplane is from an arbitrary selected radial. The "distance" information is in degrees of arc. It is neccessary to have some way of specifying the desired radial. To clarify this, the system detects which radial the airplane is currently on, then calculates (mechanically) the offset to the desired radial. b. Next complex is the VOR equivalent of the ADF RMI. This has the same moving compass card, the same one or two needles, but instead of pointing to VOR bearings, the needles indicate the radial the airplane is on. The tail of each needle indicates the radial, while the head indicates (radial + head) mod 360 No additional "selecting" hardware is necessary: the VOR indicator is totally self-contained. Apart from selecting the station frequency, the pilot need do nothing. c. The Horizontal Situation Indicator (HSI) combines the flux-gate compass with the CDI indicator. The CDI is mounted in the center of the instrument; the gyro card moves around it. The HSI is the central navigation instrument on nearly every jetliner. It has replaced the CDI entirely. In addition to basic navigation information, the controls which set the CDI can also be used to provide inputs to the autopilot. There is a "bug" (pointer) which indicates desired heading; this rotates around the compass card. The desired course (the desired radial from/to the VOR station) can also be used to make the autopilot fly an intercept. d. A broad class of CRT navigational displays have come to replace the HSI on the newest jets. For the old-timers' sake, most models can be set to operate as a simple computer-generated HSI. There is also usually a mode which incorporates the concept of area navigation. It displays a variety of supplemental information, such as airplane track, a mini-map of radio aides, etc. These devices often take inputs from flight management computers (such as an INS). As one pilot recently remarked in a magazine, "I like it because I don't have to think; the computer does all the work." Precisely the attitude we wish to stimulate in our young pilots. One problem with the newer "area" modes is that the display formats are not standardized, which can introduce training and, later, operational difficulties. 3. Inertial Navigation Systems (INS's) made their entry in the late 60's and early 70's, first on the 747. The INS is an on-board system, entirely self-contained. Theoretically, an INS fits the definition of a dead reckoning aid. It is networked with most of the other computers on board, and derives its own airspeed information, position data, etc., and generates a wide variety of information ranging from ground speed to wind speed and direction. It's a neat gadget, and the provided features are indispensible for trans-oceanic flight. Common airline practice these days is to fly a flight with the INS. The waypoints along the flight path are entered prior to departure, and the INS is used to drive the autopilot. Pilots are expected to use the VOR indicators for a fast, convenient verification that it's working like it's supposed to. INS waypoints are normally indicated on high-altitude maps, and it's fairly easy to verify that one is where one is supposed to be by cross checking. 4. Distance Measuring Equipment. DME is sort of like a transponder system, and provides slant range distance data between the airplane and a ground station by interacting with the ground station. Nowadays, most DME stations are collocated with VOR stations, either as VORTACs (a military concept) or as two distinct units. 5. Astral navigation. On older airplanes, such as the 707 and some 727's, a port on the cockpit ceiling was used to provide the navigator (a position which no longer exists) the ability to determine the airplane's latitude from the stars. Needless to say, this required a fairly high degree of training and was somewhat prone to errors. Not many people mourne the passing of the navigators; they pretty much disappeared by the mid-70's. It was cheaper to buy an INS (or several) to take their place. 6. Doppler. Doppler was an airplane-based navigation system intended to provide a realistic idea of airplane true airspeed and drift while flying over water. This was then used with dead reckoning and astral navigation to figure out where the airplane is and get it to its destination safely. This method is not used anymore, either, although the equipment is still installed on many airplanes. 7. LORAN. Loran was originally a navigation system intended for commercial shipping. The receiver synchronizes very long frequency radio emmissions from a handful of transmitting sites to determine an approximate idea of its location. Most current units also have additional features. Loran is very, very inexpensive, ranging from $600 on up. LORAN is commonly installed on light aircraft, or as a backup system on corporate aircraft or airliners. 8. Omega. Omega was a neat idea that never caught on in a big way. Most Omega units use information from Omega/VLF stations scattered around the planet to calculate a variety of statistical data, including the approximate airplane position. Most Omega units include the ability to conduct area navigation and commonly have a better-defined database capability than most INS units. Omega installations are more expensive than LORAN installations, and are commonly found on business jets or, more rarely, as backup systems on airliners. 9. Flight performance systems. There are two general classes of flight performance computers available. Most of these systems are installed in more recent airliners and incorporate a wide variety of features. In general, the distinction is whether they can drive the autopilot; if they can, it's probable that they have their own inertial navigation system. Flight performance systems exist to squeeze the last dollar out of an airplane's flight; they were developed at a time when fuel was more expensive, but are retained due to efficiency considerations. There is, theoretically, very limited wastage. Whereas the older INS systems flew an airplane on a two-dimensional course, FMS's can be used to set a *three-dimensional* flight path, from right after takeoff to pattern entry (or even landing) at the destination airport. When coupled with the autopilot and autothrottle (an autothrottle is a computer-controlled throttle system; until the A320, there was a manual override for it), they can fly the airplane more efficiently and more precisely than the human pilots. Flight International reports that NASA's Langely Research division is developing a four-dimensional flight performance computer, capable of conducting a flight within five seconds of accuracy on 50 n.m. segments. As one might guess, such a system would have to be tied into ATC and available on most other aircraft to avoid traffic congestion problems. The question now becomes: what're the pilots supposed to be doing? The answer? "Managing." Not an entirely satisfying one, at that. Now, you may ask: "What're they using on my next flight?" 707: Probably two INS's. HSI, ADF and VOR indicators with the RMI cards. Primitive autopilot. Maybe a left-over Doppler, but it won't be used on the flight. 727: Possibly two INS's, probably not. HSI, primitive autopilot, ADF and VOR indicators with the RMI cards. Maybe a leftover Doppler system. 737: No INS's, HSI, ADF and VOR indicators with the RMI cards. Primitive autopilot. On later -200's and -300's, a flight management system. Perhaps glass CRT displays, but nothing revolutionary. 747: Three INS's, HSI, ADF and VOR indicators with the RMI cards. Nicely designed autopilot. There may be one flight performance computer. With the 747-400, the INS's will be merged with the flight performance computers and the traditional HSI, ADF, and VOR indicators will disappear to be replaced by CRT displays with an unproven (in terms of human interaction) design. 757, 767: The first generation of airliners with glass cockpits. Each pilot's flight director (artificial horizon) and HSI is replaced by a CRT screen. The HSI has the HSI/area navigation mode option. The airspeed, altitude, vertical speed guages bracket the CRT's. There are also two engine diagnostic displays on the center panel. DC-9: Pretty much the same equipment as on the 737. MD-8X: pretty much the same as the 737-300. DC-10: more or less the same as the 747. MD-11: pretty much the same as the 747-400. Robert Dorsett, University of TX at Austin Internet: mentat@walt.cc.utexas.edu UUCP:{ihnp4, allegra,decvax}!ut-emx!walt.cc.utexas.edu!mentat ------------------------------ End of RISKS-FORUM Digest ************************