RISKS-LIST: RISKS-FORUM Digest Tuesday 6 March 1990 Volume 9 : Issue 73 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Another 100-year computer saga (David B. Benson) Traffic System Failure (Rich Neitzel) Railway interlocking systems (Clive Feather) Avionics in the media (John M. Sullivan) Re: A320 (Steven Philipson, Subhasish Mazumdar, Pete Mellor) Mileage Plus wants me to move (Tim Kay) Credit-card fraud (Douglas Mason) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, and nonrepetitious. Diversity is welcome. CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line (otherwise they may be ignored). REQUESTS to RISKS-Request@CSL.SRI.COM. TO FTP VOL i ISSUE j: ftp CRVAX.sri.comlogin anonymousAnyNonNullPW cd sys$user2:[risks]get risks-i.j . Vol summaries now in risks-i.0 (j=0) ---------------------------------------------------------------------- Date: Sun, 4 Mar 90 14:13:34 PST From: dbenson@cs2.cs.WSU.EDU (David B. Benson) Subject: Another 100-year computer saga Chemical & Engineering News, February 26, 1990, p. 168: Physician Beatrice Golomb tells of a 99-year-old man who turned up in the emergency room (JAMA, Dec. 8, 1989, page 3132). His white blood cell count, although far out of line, was reported by the computer to be within normal limits. The computer, it turned out, was reporting values for the newborn, having figured that year of birth, plugged in as '89, was 1989, not 1889. Golomb's comment: "The normal ranges provided by hospital computers are not always to be credited." [And what with happen to the 102-year-old admitted on 2000 Jan 01?] ------------------------------ Date: 1 Mar 90 14:13:47 GMT From: thor@stout.UCAR.EDU (Rich Neitzel) Subject: Traffic System Failure On Tuesday Feb. 27, 1990, the central computer that controls the traffic light timing for the city of Lakewood (a major suburb of Denver) failed, causing traffic delays of over 30 minutes. The computer system's disk drive suffered a burnt and seized bearing, causing it shut itself down. The replacement of the drive did not occur until the next evening. Several interesting items related to this incident: 1> The system has exactly one drive. No redundancy (sp?). Of course, they do backup the disk, however, since there is only one disk drive, they had nowhere to put the backed data. (The disk crash apparently eat the disk media). From past experience with supposedly critical computer systems, it would seem that this is common. Concern about reliability of computer systems to most operators of said systems seems to stop once they are assured that no data will be lost. Of course, it never seems to occur to them that if they cannot access that data it's useless. 2> All of Lakewood's traffic system is controlled by one computer. Need I say more? 3> The traffic system was apparently design under the impression that a computer failure would be virtually impossible. When the computer failed, traffic lights had no fall back mechanism for running under a reasonable cycle time. Each light had to be manually set by city traffic crews. One wonders if this kind of traffic control system is representative of common practice. If so, think - you could immobilize a major urban area by knocking out three or four computer systems. Richard Neitzel, National Center For Atmospheric Research Box 3000 Boulder, CO 80307-3000 303-497-2057 ------------------------------ Date: Fri, 2 Mar 90 12:46:37 gmt From: Clive Feather Subject: Railway interlocking systems [Quoting J.A.Hunter via Brian Randell] > Modern British practice requires that once a route has been set, a time delay > of about one minute is enforced by the software before a conflicting route > can be set. The actual practice is that if the signal governing entry to the route is at "Danger", the route can be cancelled immediately (by pulling the button for that route on the panel). If the signal is in any other state (i.e. a train could legally pass it), then the route is locked for a while. Simple locking locks the route for 2 minutes (not 1). Comprehensive locking only locks the route if there is a train near enough to the signal to be affected by it turning red, and waits until that train has come to a stop at the signal (e.g. has occupied a 200m track circuit at the signal for 30 seconds). If a train passes a signal at Danger, points ahead of that signal are locked automatically. > That such systems are not perfect and still rely on human vigilance was shown > by the Clapham (South London) accident late in 1988 where a faulty track > circuit train detector "lost" a train standing at a signal allowing an > automatic system to route another train into the rear of it. This accident was caused by faulty installation. At the time, the signalling system was being replaced by a new one, and a wire had been removed from the logic concerned with a certain track circuit. The wire had not been cut back and had its end insulated, but was just bent out of the way. Later work on that logic disturbed the wire, and it came back into contact with the terminal it had been removed from. It then fed current into the logic, making it appear as if the track was clear. This allowed the signal to turn green. > A good source book for information on British railroad safety is: > > "Red for Danger", by L.T.C.Rolt, > published by David & Charles Inc. (North Pomfret, Vermont 05053), > ISBN 0-7153-8362-0 Not just a good book, but the definitive one. The current edition has been updated by Geoffrey Kitchenside. BTW, it's railway. ^^^ Clive D.W. Feather, IXI Limited, 62-74 Burleigh Street, Cambridge U.K. ------------------------------ Date: Wed, 28 Feb 90 17:19:04 PST From: stevenp@decpa.pa.dec.com (Steven Philipson) Subject: Re: A320 (RISKS-9.72) In RISKS DIGEST 9.72 Martyn Thomas writes: >The A320 sidestick layout is asymmetric - the captain flies with the >left hand, the first officer with the right. This means that when the >first officer is flying in the left-hand seat - as will happen from >time-to-time, e.g., for training - there is the added unfamiliarity of >using the other hand. and Peter Neumann writes: > [It is pessimal when the captain is right-handed and the first officer > is left-handed and *both* are flying with the *wrong* hand. But the > switching back and forth must undoubtably be confusing. PGN] This is not a new risk. Older generation aircraft that have yolks instead of sidesticks are flown in exactly the same manner. Throttles are usually located in the center panel, and both pilots use their inboard hand for throttles, and their outboard hand to manipulate the yoke. Sidestick controllers just change the position of the hand, but not which hand is used. There are other differences in the use of sidesticks (such as lack of interconnection on the Airbus), but in handedness they are similar to conventional controls. Switching hands with which one flies is generally viewed as a non-problem. Pilots get used to switching seats and the hands they fly with early on in their training, usually well before they step into a jet airliner cockpit. On a frequent basis I switch between right and left seats and between aircraft yokes (which are flown with the left hand from the left seat) and sticks (which are flown with the right hand from the left seat. The process is natural and not at all confusing. I have not seen any reports that indicate that there is a significant problem in switching, although that doesn't prove that there is no loss of performance. Pilots reports of difficulty with this are rare (at least, in my experience). It is far more difficult to change between aircraft types, or even between individual aircraft of the same type, when the positions of instruments and secondary controls vary. Problems arising from such differences are well documented and have been identified as causal in numerous accidents. ------------------------------ Date: Sat, 3 Mar 90 17:32:25 -0500 From: sullivan@math.Princeton.EDU (John M. Sullivan) Subject: avionics in the media The New York Times has recently had two articles on avionics. On Feb 14, the Business Technology column featured "McDonnell's Less Costly New Jet", the MD-11, which is 16% cheaper to fly than the DC-10, and is intended to "fill a niche" between Boeing's 767 and 747. The plane contains an automated cockpit that the company calls the world's most advanced, as well as more fuel-efficient engines, some lighter-weight parts and aerodynamic refinements like a shortened tail. But, later we find that The plane is a prime example of how aircraft manufacturers are hesitant to introduce new technology if it does not translate into savings for the airlines. "High technology isn't necessarily what an airline wants," said Dale Warren, a vice president at Douglas. "They're in business to make a profit." For example, the company replaced only a few aluminum parts with lightweight composite materials, which are more expensive, and chose not to use a "fly by wire" electronic control system, in part because of its cost. A few paragraphs describe the cockpit: The most dramatic change to the DC-10 is in its cockpit, which Douglas says is the world's most automated. The plane will have two pilots, compared with three in the DC-10; the flight engineer has been replaced by computers that automatically perform duties like monitoring fuel flow and adjusting cabin pressure. The computers can, to some extent, "think" for the pilots, switching valves if something should go wrong. Pilots watch six video displays run by computers instead of the dozens of mechanical gauges and dials on the DC-10. "Essentially, the pilot pushes a button at the end of the runway and the system will guide the plane to the concrete at the destination," sayd George Wallace, program manager for Honeywell Inc., which makes the cockpit electronics for the plane. While similar automated cockpits--already in place on Boeing aircraft and Douglas's MD-80 plane--have won prais, pilots have also expressed concern that their basic flying skills may atrophy. Douglas chose to use a conventional control system, in which the controls are operated from the cockpit by mechanical means rather than electronically by computers in a new system as "fly by wire" that is used on some Airbus jets. The article ends by noting that flight testing is 6 months behind schedule. The Sunday Business section on Feb 18th had a long article "All About: Avionics". This mentioned that "Cockpit electronics have become sophisticated enough to all but take the place of the pilot. ... With the push of a few buttons, autopilots can guide a plane from NY to LA while the real pilot sits back." The electronics may cost $1M, or 10% of the plane's price. The article notes that American companies (Bendix/King, Collins Avionics, and Honeywell) dominate the market. Other companies would have a hard time entering the market because of the need for government approval of the systems. Some problems are discussed: The biggest advantage of the glass cockpit is that the black boxes can talk to one another. The on-board computers can calculate an altitude for the greatest fuel efficiency and the autopilot can guide the plane there. Most pilots like the new technology, with some reservations. If something goes wrong, the problem may be hard to detect. "Trouble-shooting is a more delicate art than before," said Wolfgang Demisch, an analyst with UBS Securities. And a three-year NASA study of 200 Boeing 757 pilots found that they were concerned about spending too much time staring at computer screens and not enough looking out the windows. They also worried that their basic flying skills would atrophy as they spent more time punching keypads. "I was somewhat concerned with the 'I can't fly but I can type 80 words per minute' syndrome," said one pilot. Still, about 90% of the pilots saw the glass cockpit as a big step forward. Evidently, new FAA rules will require more electronics by 1993, to warn of impending collisions and warn of wind shear. The companies that make the electronics seem happy about this new business. Other future possibilities mentioned include storing flight maps on optical disk, exchanging written messages with flight controllers by 'datalink', and moving to satellite communication and navigation. The last paragraph mentions that Another project sounds like it could all but replace the co-pilot. The Air Force boldly calls it the "pilot associate." More than a mere autopilot, the associate devices use artificial intelligence to help fly the plane, plan missions and deploy weapons. The project is in such an early stage that it will take several years to find its way into jet fighters and, eventually, commercial planes. Note that the concerns expressed in these articles are only about the pilot's own skills decreasing, and not at all about possible mistakes on the part of the computer system. The only reason given for not using fly-by-wire is economic. John M. Sullivan Princeton Univ. Math Dept. ------------------------------ Date: Sun, 4 Mar 90 16:48:31 EST From: mazumdar@gaviao.cs.umass.edu (Subhasish Mazumdar) Subject: India Airlines' A320 Doubts about Indian engineers and RISKS faced by developing countries. Regarding the A320 crash, George Michaelson writes: >Doubts were expressed about the ability of the airline to maintain the >complex flight control equipment ... >... it seems from this interview as if the Indian >engineers themselves question their ability to handle this package. > ^^^^^ Indians are extremely annoyed with the performance of the state-run domestic carrier Indian Airlines, which has a long history of incredible management problems aggravated by political interference. Many Indians would agree with those doubts directed at the ability of *that airline*, but few would accept those doubts directed at Indians engineers *in general*. This is not the forum to enumerate the technological sophistication that Indians have demonstrated. Suffice it to say that the interpretation of the word *their* in George Michaelson's analysis is difficult to swallow. >I suspect other parallels exist with well-meaning donation/supply of IT >infrastructure that failed to match local conditions eg lack of tropical >"hardening", availability of spike-free UPS, spares, training. You are right here. Often, however, developing countries are taken for a ride! I was involved in the assembly of a Flying Spot Scanner at the Indian Institute of Science, Bangalore, using equipment imported from a reputed company in the UK. One of the crucial power supplies blew up when powered up. We traced the problem to incorrect wiring (the connections to the collector and emitter of a transistor were reversed, if I remember right). It was evident that the unit *had never been powered up before shipment*, let alone tested; but the company refused to admit it, making sly references instead to our lack of training. We gave up the idea of litigation because of the high costs involved. Please think for a moment about the RISKs FACED BY developing countries. Subhasish Mazumdar,Computer & Information Science, Univ of Massachusetts, Amherst, MA 01003, USA ------------------------------ Date: Mon, 5 Mar 90 13:33:51 PST From: Pete Mellor Subject: Airbus A320: Getting a few things straight Cc: pm@cs.city.ac.uk A few misunderstandings seem to be creeping into the debate on the A320. At the risk of adding my own misunderstandings, let me try to clarify a few points raised in RISKS-9.71 by Steve Milunovic and RISKS-9.72 by Robert Dorsett. Steve Milunovic (9.71) refers to: > ... a dispute in France over whether the computerized, highly advanced > aircraft is too complicated to fly. One justification for introducing fly-by-wire as in the A320 is that, since most crashes are due to pilot error, a system that reduces the probability of such error will make flying safer. There are two aspects to this: - Reduction in the pilot's workload. - Automatically preventing a command from the pilot taking the aircraft out of a 'safe flight envelope', e.g. overriding a command to put the nose up and throttle back if this would cause a stall. To achieve these aims, the A320 must be EASIER to fly than than its predecessors. It has been argued (I think by one of the pilots' unions) that being trained to fly the A320 does not qualify a pilot to fly a 'traditional' ('fly-by-string'?) aircraft, in the same way that a driving test taken in an automatic does not qualify a motorist to drive a vehicle with a standard* gearbox. (The issue of MAINTENANCE, as opposed to flying the aircraft, is a different matter, and I am inclined to agree with Robert Dorsett on this.) He also refers to a claim that: > ... the French pilots were opposing it to protect their economic interests. > The plane uses two pilots; many other aircraft use three. To be precise, the crew of a traditional aircraft of the size of the A320 includes a pilot, co-pilot, and flight engineer. The flight engineer's job is to monitor the systems on the aircraft and recover from, or work around, system failures. Along with fly-by-wire, the A320 includes automatic monitoring of systems with a CRT display of their status to the pilot and co-pilot. The argument is that this reporting system does most of the job of the flight engineer, who is therefore redundant. Part of the economic justification for the A320 is, therefore: - Room for one more passenger. - Save the flight engineer's salary. It is the French and Australian flight ENGINEERS' unions who have argued most strongly against two-man crews. Their vested interest is obvious, but they have made a strong case on the grounds of safety for the traditional division of labour between flying the plane and watching dials. This case was well presented in a BBC television program in the 'Horizon' series a year or so ago called 'The Essential Third Man'. (I believe that one inducement that was offered to the pilots was increased rates for two-man crews. I am not sure what the current positions of the various pilots' unions are. If they still oppose the loss of the engineer, I would say it is to their credit.) Steve also points out: > ... as a small note, the flight augmentation system of the 757 is in no way > comparable to the A320's fly-by-wire system (or its associated software > protections). The former is dedicated to damping aerodynamic instability; > the former [latter? - PM] introduces new *control laws* and appears to be > intended to work around problems involved in the use of side-stick > controllers. Er..., not QUITE. The software in the A320 Electronic Flight Control System (EFCS) is right at the heart of the whole system. The traditional joy-stick between the pilot's legs has been replaced by the side-stick because, since the connection between the pilot and the control surfaces on the wings is electrical rather than mechanical, brute force is no longer necessary to move the controls. The side-stick transmits the commands of the pilot to the EFCS, which processes them together with input from sensors (air-speed indicator, altimeter, etc.) and sends signals to the effectors governing the control surfaces. The 'control laws' define how this processing is done. They are implemented as tables of parameters. There are several sets of laws, each controlling a particular mode of flight (take-off, cruising, landing, etc.). I am puzzled by Robert Dorsett's aside: >... (that is, above 100', beneath which the protections disappear). The protections CANNOT disappear at any altitude, however low. Perhaps he means that at this phase of the flight a different set of control laws come into force. Robert quite correctly states that: > Airbus proper regards "manual" (electric horizontal stabilizer trim and > manual rudder) backup as a last-ditch emergency system. Numerous reports > indicate that its operation isn't even part of the standard Airbus training > curriculum. I believe they train to use manual backup on a simulator. I believe also that an actual landing using manual backup has been demonstrated by a test pilot, but that the ability to do such a landing was not required as part of the type certification. The EFCS is 'flight-critical' (if it fails under certain circumstances it could result in a catastrophic accident), but not FULL-TIME flight-critical (its availability need not be 100%, since the mechanical backup will enable the aircraft to cruise straight and level while the system is rebooted). Whatever the details, however, the point is that there is NO WAY that the A320 would be flown on a commercial flight without the EFCS, except in an emergency. He goes on to say: > Upon examination, various terms could be examined [You can say that again!-PM] > --perhaps "manual" means hand-flying it (with protections) to the ground, > rather than tracking an ILS. I'm inclined to agree. This confusion over the meaning of "manual" also bedeviled the accounts of the previous crash. The point of the slow fly-past at the Mulhouse-Habsheim air show was to demonstrate the ability of the EFCS to fly the aircraft very close to stalling without actually doing so. Without such an automatic system, such a manoeuvre simply would not be possible. Loose statements to the effect that the automatic system was 'switched off' for the demonstration are nonsense. What probably WAS done was to set up the EFCS so that cruise 'control laws' still applied at low altitude, but this is pure speculation on my part, and I should not open my mouth too wide without hard information as a backup. To avoid rambling on ad nauseam, I will make two last points: - The EFCS is not the only flight-critical software controlled system on the A320. The Full-Authority Digital Engine Control (FADEC) is just as vital, and obviously must act in cooperation with the EFCS. I have a fair amount of information on the fault-tolerant hardware and software architecture of the EFCS, but I do not know of anything that has been published about the FADEC. - The overriding concern regarding type-certification of fly-by-wire is our continuing inability to certify systems containing software to high levels of reliability. FAA and CAA regulations (taken in conjunction with explanatory memos) require that a flight-critical system must have a demonstrated probability of failure no greater than 10^-9 per flying hour in a flight of mean duration. The same set of documents state that no means exist of assigning such a probability number to software-induced failure. Certification in this case largely rests on the demonstration of adherence to a development process standard (RTCA-DOC/178A), together with provision of fault-tolerance. It is this latter anomaly that research should address urgently. *Note for US readers: A vehicle with a standard gearbox has a third pedal called the 'clutch', and a wobbly lever next to the driver's seat which has to be moved every time you change speed. Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB Tel.: +44 (0)1-253-4399 Ext. 4162/3/1 ------------------------------ Date: Wed, 28 Feb 90 11:13:29 pst From: tim@through.cs.caltech.edu (Tim Kay) Subject: Mileage Plus wants me to move Mileage Plus is United's travel bank. I can redeem miles traveled on United Airlines along with dollars spent on my Mileage Plus Visa card for free travel rewards. I just finished a conversation with a United Mileage Plus representative, informing her for the FIFTH time that my zip code is 91125 rather than 91102. Each time their computer changes the zip code back to 91102 in a way that they cannot override. I get no mail from them. The problem is that Caltech has its own zip code. My address is Tim Kay, Caltech, 256-80, Pasadena, CA 91125 The representative checked further and explained that their computer "knows" that Pasadena doesn't have a 91125 zip code. (They then somehow come up with 91102 totally bogus; 91106 is the surrounding zip code.) Could I please give them my home address instead? No, I don't check my mail box at home. She had no further suggestions. I guess I'd have to stop using their services until I move! I suggested we try Tim Kay, Box 256-80, Caltech, CA 91125 I can't wait to see what happens. Tim ------------------------------ Date: Thu, 1 Mar 90 20:26 CST From: douglas@ddsw1.mcs.com (Douglas Mason) Subject: Credit-card fraud [previously in misc.security; RISKS-relevant too] Something interesting that I heard was going on at [eastern college] was that a couple of students were able to get a hold of a credit-card magnetic strip recorder somehow. They also stole purses, wallets, anything that they could get their hands on that had credit cards in it. After doing the above, they would dig through dumpsters (we all know that story) and pick up carbons or other receipts that have credit card numbers on them, and make a list of valid card numbers. Using the encoding machine, they then erased the old card number off of the magnetic strip (which had probably been reported stolen by this time) and encoded on that same strip one of the card numbers that they had picked up out of the dumpsters. So now they have say a MasterCard with an invalid number embossed on the front of it, and a different-but-valid account on the magnetic strip. What good is this? Plenty good for the clever thief! They then went into shopping malls or anywhere that the credit-card validation machines were the all-too-familiar "slide the card through and read the number off the mag strip" type. The merchant would authorize the card successfully and get an approval code, then run the card though and get a paper receipt. The merchants never check the card number on the authorization machine display and compare it to that of the card! When the merchants send in the credit card slips to the bank, they of course come back, and I imagine it takes a long time to figure out what exactly happened. Merchants beware! -Douglas Mason Douglas T. Mason douglas@ddsw1.mcs.com or dtmason@m-net.UUCP ------------------------------ End of RISKS-FORUM Digest 9.73 ************************