University of Bielefeld -  Faculty of technology
Networks and distributed Systems
Research group of Prof. Peter B. Ladkin, Ph.D.
Back to Abstracts of References and Incidents Back to Root
This page was copied from: http://catless.ncl.ac.uk/Risks/16.16.html


Previous Issue Index Next Issue Info Searching Submit Article

The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16, Issue 16

Weds 15 June 1994

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

o Congressman Jack Brooks' Statement on Crypto
David Banisar
o WSJ article: RFI hoses medical equipment
Robert Allen
o Summary of safety-critical computers in transport aircraft
Peter Ladkin
o More on Airbuses
Robert Dorsett
Peter Ladkin
Wesley Kaplow
Pete Mellor
Kaplow again
Bob Niland
o Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.
---------------------------------------------

Congressman Jack Brooks' Statement on Crypto

David Banisar <Banisar@epic.org>
Tue, 14 Jun 1994 14:20:25 -0400
     
       The following statement by Rep. Jack Brooks (D-TX) was today 
       entered in the Congressional Record and transmitted to the 
       House Intelligence Committee.  Rep. Brooks is Chairman of the 
       House Judiciary Committee and played a key role in the 
       passage of the Computer Security Act of 1987 when he served 
       as Chairman of the House Government Operations Committee.
       
       David Sobel <sobel@epic.org>
       Legal Counsel
       Electronic Privacy Information Center
       
       =============================================================
       
                      ENCRYPTION POLICY ENDANGERS U.S. 
                   COMPETITIVENESS IN GLOBAL MARKETPLACE
       
       
            For some time now, a debate has been raging in the media 
       and in the halls of Congress over the Administration's 
       intention to require U.S. corporations to use and market the 
       Clipper Chip, an encryption device developed in secret by the 
       National Security Agency.
       
            The Clipper Chip will provide industry and others with 
       the ability to encode telephone and computer communications.  
       The use of the Clipper Chip as the U.S. encryption standard 
       is a concept promoted by both the intelligence and law 
       enforcement communities because it is designed with a back 
       door to make it relatively easy for these agencies to listen 
       in on these communications.
       
            The law enforcement and intelligence communities have a 
       legitimate concern that advances in technology will make 
       their jobs more difficult.  But the issue here is whether 
       attempts to restrict the development, use and export of 
       encryption amounts to closing the barn door after the horse 
       has already escaped.
       
            The notion that we can limit encryption is just plain 
       fanciful.  Encryption technology is available worldwide -- 
       and will become more available as time goes on.
       
            First, generally available software with encryption 
       capabilities is sold within the U.S. at thousands of retail 
       outlets, by mail, even, over the phone.  These programs may 
       be transferred abroad in minutes by anyone using a public 
       telephone line and a computer modem.
       
            Second, it is estimated that over 200 products from  
       some 22 countries -- including Great Britain, France, 
       Germany, Russia, Japan, India, and South Africa -- use some 
       form of the encryption that the Government currently 
       prohibits U.S. companies from exporting.  According to the 
       May 16, 1994 issue of _Fortune_, not only are U.S. companies 
       willing to purchase foreign encryption devices, American 
       producers of encrypted software are also moving production 
       overseas to escape the current export controls.
       
            Third, encryption techniques and technology are well 
       understood throughout the world.  Encryption is routinely 
       taught in computer science programs.  Text books explain the 
       underlying encryption technology.  International 
       organizations have published protocols for implementing high 
       level encryption.  Actual implementations of encryption -- 
       programs ready to use by even computer novices -- are on the 
       Internet.
       
            The only result of continued U.S. export controls is   
       to threaten the continued preeminence of America's computer 
       software and hardware companies in world markets.  These 
       restrictive policies jeopardize the health of American 
       companies, and the jobs and revenues they generate.
       
            I support, therefore, the immediate revision of current 
       export controls over encryption devices to comport with the 
       reality of worldwide encryption availability.
       
            I believe law enforcement and the intelligence community 
       would be better served by finding real, and targeted ways to 
       deal with international terrorists and criminals rather than 
       promoting scattershot policies, which restrict American 
       industries' ability to design, produce and market technology.
       
            Now -- more than ever -- we cannot afford to harm our 
       economic competitiveness and justify it in the name of 
       national security.
       
     
---------------------------------------------

WSJ article: RFI hoses medical equipment

Robert Allen <Robert.Allen@eng.sun.com >
Wed, 15 Jun 1994 11:37:44 -0700
     
     The 15 Jun 1994 Wall St. Journal has an interesting front-page article about
     how RFI generated by radios & cellphones is screwing up operation of sensitive
     medical equipment such as heart defibrillators, diagnostic equipment, and even
     electric wheelchairs.
     
     Some of the horror stories sound apocryphal, like the electric wheelchair
     "zapped by radio waves" that sent it's passenger over a cliff.  Others sound
     entirely possible: a 72 year old man died in an ambulance when the heart
     defib. device he was on failed due to RFI from the ambulance two-way radio.
     The ambulance mfgr. had replaced the steel roof with a fiberglass dome, and
     put the antenna on top (duhhhhh).  The best story however was about some poor
     sap who had a pacemaker installed after diagnostic equipment indicated he
     needed one.  It was later discovered the diagnosis was in error, and was
     caused by RFI from a television in the same room.  Runners up for best story
     were from the mother who's use of a cellphone in the car affected the
     ventilator her child was using in the back seat.  In a hospital ward a whole
     bunch of ventilators alarmed when the handyman keyed his transceiver.
     
     As is demonstrated by the TV case, even having technicians install and test
     new equipment can't account for the fact that just moving the stuff around
     during a spring cleaning might put two pieces in juxtaposition to cause
     problems.
     
     Having recently seen more than my share of medical equipment, I'm solely
     unimpressed with the ruggedness of it (it sort of reminds me of ICOM radios).
     Still, with more and more people using cellphones I figure we'll have more and
     more problems.  I wonder if cellphones will be the health hazard in the '90's
     that radium watch dials were in the '40's?
     
     Robert
     
     
---------------------------------------------

Summary of safety-critical computers in transport aircraft

Peter Ladkin <Peter.Ladkin@loria.fr>
Wed, 15 Jun 1994 22:13:19 +0200
     
     Given the interest in RISKS on computers in aviation, and some confusion
     concerning characteristics of Airbus aircraft, I thought it might be useful to
     summarise for RISKS readers some of the current state of things.
     
     I believe there have been three major accidents involving Airbus aircraft in
     the last year: an A320 ran off the end of the runway in Warsaw in September
     1993, killing two people and injuring many; the crew of an Aeroflot Airbus
     A310 lost control during cruise flight, which led to the death of everyone on
     board; and a China Airlines A300 crashed recently tail-first (!) on landing at
     Nagoya, killing all or almost all on board.
     
     The A300 and A310 aircraft have `conventional' control, that is, physical
     control of the aircraft is transmitted by mechanical or hydraulic means to
     most of the flight control surfaces. The normal flight control of the Airbus
     A320, A321, A330 and A340 aircraft, in contrast, is achieved by computer, to
     which the pilots' sidestick movements are one set of inputs. This is
     colloquially known as `fly-by-wire'. `Fly-by-wire' aircraft have been in
     regular use by the military for over 20 years, but the A320 is the first
     commercial `fly-by-wire' transport, introduced in the early 90's. Pilots have
     extremely limited direct physical control of A320/21/30/40 aircraft should the
     flight control computers be unavailable, a situation which is anticipated not
     to occur during the lifetime of the fleet.
     
     The first flight of the Boeing 777 took place on Sunday 12 June, 1994.  The
     B777 is Boeing's first `fly-by-wire' commercial transport, which it is hoped
     will be `certificated' in April 95 with delivery to its first customer, United
     Airlines, in May 95.
     
     The B777 is a significantly different design from the A320, and I would be
     very surprised if there were to be any accidents attributable to features
     common to A320/21/30/40 and B777 aircraft which are not also common features
     of conventional aircraft such as the B737.
     
     Airbus claims its design philosophy is `evolutionary', that is, the systems
     are not designed from scratch, but introduced gradually into the company's
     designs after success in previous designs. Nevertheless, there are steps, such
     as that to `fly-by-wire' in the A320, which RISKS readers may consider more
     significant than others. See the article by J.P. Potocki de Montalk, Head of
     Airbus Cockpit/Avionic Engineering at Airbus, in Microprocessors and
     Microsystems 17(1).
     
     A useful and readable reference for those interested in A320 accidents is
     RISKS contributor Peter Mellor's long paper `CAD: Computer-Aided Disaster!'
     which contains a description of the design of the A320 Electrical Flight
     Control System, and detailed commentary on all A320 accidents to date, and is
     to my knowledge the only single source to do so.  A version of this paper is
     to appear in High Integrity Systems journal.
     
     Apart from the flight control on A320/321/330/440s and B777s, there are
     potentially RISKy computer-based systems on almost all modern transport
     aircraft, of which maybe the most important are the autopilot/Flight-Director
     and the FADEC (Full-Authority Digital Engine Control). All commercial aircraft
     have autopilots of various degrees of sophistication (and most have Flight
     Directors, which provide passive guidance rather than active control), and
     these may be suspect in certain incidents (e.g.  the Collins autopilots on
     B757 and B767 aircraft: see PGN in RISKS-15.08, and my posting in
     RISKS-15.13).  Many modern aircraft also have FADEC, which has occasionally
     come under investigation, but I can't think of occasions so far on which they
     have been considered primary cause of accidents or incidents.
     
     Human factors are very important. A taskforce has recently been convened to
     study incidents of `controlled flight into terrain', in which the continued
     safe flight of the aircraft is impeded by a cloud with a crunchy center (see
     The Economist, June 4-10 1994, p92). In these accidents the physical
     performance of the airplane is generally not a factor, but they may
     nevertheless be computer-related, since guidance and air traffic control
     relies on computers to various degrees.
     
     Aircraft accidents are amongst the most well-studied of failures in any
     engineering discipline. I have never held any position in the aviation
     industry, but some of my research interests and hobbies bring me there.  My
     continuing experience is that it pays to try to take as much care in forming
     opinions about them as it does to report them accurately in the first place. I
     wish I could be better at both.
     
     Peter Ladkin
     
     
---------------------------------------------

Re: Overy, RISKS-16.15

Robert Dorsett <rdd@netcom.com >
Wed, 15 Jun 1994 13:56:56 -0700
     
     From: Phil Overy <PJO@ib.rl.ac.uk> wrote:
     Subject:  Correction of my post on "A-THREE-HUNDRED" crash at Nagoya
     > 
     > The Taiwanese plane did not crash after any kind of automation or airframe
     > failure, but when the auto-pilot was left on until too late. 
     
     This is not clear.  There are normally three or four ways to disengage any
     autopilot:
     	- a switch on the glareshield.
     	- a deactivate switch on the yoke
     	- pushing or pulling forcefully on the yoke
     	- a circuit breaker as a last resort
     
     In this case, it appears the crew were aware of the problem for over TWO 
     MINUTES--an eternity--and fought the airplane to the ground.  I refuse to 
     see this trivially dismissed as "operator error" or "they didn't turn off 
     the autopilot until it was too late."  
     
     This is a horrifying situation, and if there is a mechanical or interface or 
     modal failure lurking beneath the scenes, it needs to be rectified.  AND
     UNDERSTOOD: if it's even as simple as a service or maintenance issue, then the 
     problem could recur on other airplanes.
     
     
     > Peter Ladkin tells me that the president of the airline resigned after the 
     > crash, so it doesn't sound as if they are trying to transfer responsibility
     > to the manufacturers.
     
     Again, after a long string of crashes.  I believe the president or VP of
     JAL was ultimately compelled to resign after the 747 SR crash in Japan.
     This has nothing to do with culpability: it's accountability.  A form of
     personal responsibility which seems to be quite absent in Western 
     corporate culture.  There is nothing more one can draw from it than that.
     
     >I could have phrased it better, but I would point out that Boeing also now use
     >fly-by-wire (on the brand new 777), so the earlier correspondent was misguided
     >in thinking that Boeing were staying away from fly-by-wire. The 777 is also a
     >much bigger plane than the A320...
     
     Airbus has continued evolving its aircraft line.  There are now the A330 and
     A340, heavy long-range transports.  Same interface.
     
     
     And 
     
     > From: Wesley Kaplow <kaploww@cs.rpi.edu> writes:
     
     > Subject: Does it matter why A3??'s have a poor record?
     > The average persons response to all of the A3?? technical discussion would
     > probably be that it frankly it does not matter why these planes crash!. 
     
     There are many people reading this newsgroup whose job descriptions include
     understanding and solving these problems so that future generations of 
     aircraft do not cost lives or resources.
     
     The reason that RISKS keeps harping on airplane automation is that it has 
     broad ramifications to the computer industry in general, and safety-critical 
     systems in particular.  What gets established as "safe" in aviation will 
     undoubtedly define standards of "safety" for other disciplines: this includes
     specification and development paradigms.  So these crashes should be of 
     interest to ALL computer professionals and computer scientists. 
     
     And there are certainly people out there whose job descriptions do include 
     making managerial-level equipment decisions, who may not be aware or 
     sensitized to some of these issues. 
     
     

Quarrelling over spilt airplanes [Dorsett, RISKS-16.15]

Peter Ladkin <Peter.Ladkin@loria.fr>
Wed, 15 Jun 1994 21:18:54 +0200
     
     In RISKS-16.15, Robert Dorsett disagrees with two quotes from my
     posting in RISKS-16.14. I disagree with his disagreements:
     
     > > Fly-by-wire aircraft use modes because they have to. 
     > 
     > This is not true.  Early FBW aircraft were essentially open-loop analog
     > systems.  
     
     I wasn't thinking about history when I made my assertion.  There are
     many fly-by-wire aircraft types around *nowadays*, all but two of
     which are military, as of last Sunday.  Do any of these aircraft *not*
     use modes? I can't think of one (but I would like to know of the
     exception that proves my rule). Robert's strong rejection may be as
     misleading as he thought my assertion was.
     
     Robert holds the view that sidestick control may have been the result
     of non-engineering decisions. That may be true (or not), but I don't
     consider it relevant to whether sidestick control is well-engineered
     or not in a given aircraft.
     
     > >A further comment about the Nagoya accident is appropriate. Current
     > >knowledge is that the pilots failed to follow normal, explicit
     > >procedure for control of the aircraft, 
     > 
     > Really?  I've not seen that anywhere.  
     
     Flight International, 11-17 May 1994 p5, "a pilot pushes forward on
     the control column to counteract the autopilot nose-up input. *This is
     against the published procedures ...*" (my emphasis).  FI and David
     Learmount are regarded as accurate on such matters.
     
     > >and secondly that they had both
     > >been drinking alcohol, which is illegal for good reason.  
     > 
     > This has also not been substantiated.  The investigators will not comment,
     
     Robert's assertions do not necessarily contradict mine.  It may help
     to understand more of the context.  The investigators will not
     comment officially, but then they're required not to - the official
     report on the Warsaw A320 accident is not out yet either, but that
     doesn't stop us knowing most of the factors involved there. Concerning
     the Nagoya A300 accident, there are normally-reliable aviation journal
     reports (sorry, the ref's buried) on the precise blood-alcohol level of
     the pilots which lead to my conclusion.
     
     > >senior management of China Airlines has resigned because of this
     > > accident.  
     > 
     > Because of the fifth major accident in as many years,
     > was the way I understood it.
     
     ..which are two ways of reporting the facts associated with the same event.
     
     Peter Ladkin
     
     

Not quite (re: Pete Mellor)

Wesley Kaplow <kaploww@cs.rpi.edu>
Wed, 15 Jun 1994 13:50:41 -0400
     
     Thanks to Peter Mellor it has some to my attention that my statement about
     loss of craft per craft delivered is not true.  Unfortunately, I added that
     comment based on previous information about per-mile crash rates.  The focus
     that I intended was that the average person does not really care why, only
     that they perceive that there is a potential safety problem.  A good parallel
     might be the Audi 5000 series of reported "sudden-acceleration" problems.
     Although the Audi 5000 may not have had a larger incident rate of sudden
     acceleration than other cars, ultimately perception was the driving factor.
     People did not say: "oh that sudden acceleration problem, well that Audi 5000
     was owned by someone from the '3rd' world, it must be his fault".  Ultimately,
     the car had at least its name changed, and it probably cost Audi car sales.
     At least in the case of the Audi, I could choose not to buy the car.  In the
     case of airline travel, and cannot make the choice between airframes because
     the information is not available.  I may be making the choice based on poor
     information, but it is my poor decision to make.
     
     Also, the airframe loss statistics can be somewhat misleading as well, as
     crashes in the information Peter sent to me does not say, for example, if the
     747 statistics includes losses such as the Canary Island collision, or the
     Lockerbee terrorist loss.
     
     Once again, I apologize of the incorrect statement.
     
     Wesley Kaplow, AT&T Bell Laboratories & Rensselaer Polytechnic Institute
     
     

Re: Does it matter why A3??'s have a poor record?

Pete Mellor <pm@csr.city.ac.uk>
Wed, 15 Jun 94 17:52:23 BST
     
     Wesley Kaplow <kaploww@cs.rpi.edu> writes in RISKS DIGEST 16.15: 
     
     > Already, Airbus Industry has lost more planes per delivered plane
     > than other major aircraft manufacturer in the past 3 decades (Lockheed,
     > Boeing, MD). 
     
     I would be interested to learn the source of this information. 
     
     The following table shows the number of crashes per hull in service for different aircraft types. The source is Lundfahrtindustrie, and the table 
     is quoted from ``Der Traum von Total Sicherheit'', Focus, 38, 1993, pp18-21.
     
     Aircraft         No. in     Hulls      % Losses 
     Type             Service    Lost              
     
     DC-9/MD-80       2065       68         3.29  
     Boeing 727       1831       62         3.39  
     Boeing 737       2515       57         2.27  
     Boeing 747       988        22         2.23  
     DC-10            446        21         4.71  
     Airbus A300/310  636        7          1.10  
     Airbus A320      411        4          0.97 
     
     Peter Mellor, Centre for Software Reliability, 
     City University, Northampton Square, London EC1V 0HB 
     Tel: +44 (71) 477-8422, Fax.: +44 (71) 477-8585, 
     E-mail (JANET): p.mellor@csr.city.ac.uk 
     
     

Re: Does it matter why A3??'s have a poor record? (Re: Mellor)

Wesley Kaplow <kaploww@cs.rpi.edu>
Wed, 15 Jun 1994 13:29:15 -0400
     
     Dear Pete,
     	Unfortunately I did a back of the envelope calculation that is
     probably more suited to comparing the number of takeoffs/landings against
     accident rates.  I remember seeing statistics on the number of 757 lost per
     total mile (or sorties) vs. A3??.  The numbers were quite heavily in favor of
     the Boeing.
     
     	However, you are absolutely correct.  I should not have made sure that
     I have accurate data before such a broad statement.  Please delete that
     section the message.  I should know better.
     
     	The real point that I wanted to make is that the general public does
     not care about root-cause analysis, fly-by-wire, or different flight modes.
     Perceptions of safety, like those that plagued the DC-10 for several years,
     and like the Audi 5000, are what people care about.  Our rationalization that
     these crashes occurred due to pilot error in 3rd world countries does not make
     me feel any safer.
     
     	It would be interesting to know the breakdown of the essential
     reasons for the airframe losses in the table you provided.  There are
     three categories I would like to see:
     
     	1) Loss on the ground (at least 2 of the 747's were lost this way)
     	2) Loss due to mechanical defect
     	3) Crew error.
     
     	Also, which accidents cause a total loss or just loss of the frame.
     For example, a 747 was lost part of its skin, but landed safely (with MOST of
     its passengers).  A 737 got a moon roof, but landed safely (with all of its
     passengers and MOST of the crew).  A DC-10 (with the blown cargo door) landed
     with most of its passengers and crew.  I assume that these airframes are 
     gone, but are they really "losses" in the sense that the average person
     would think they are crashes.  Moreover, some of these craft were blown out of
     the ski by terrorists, or set fire on the ground.  I believe that this
     changes the numbers in the table.  For example, if one does the following
     
     	22 hulls lost for the 747 (are there really only 988 in service?)
           -  2 Canary Island
           -  1 Lockerbee
           -----
             19 "Crashed Hulls"
     
     	19/988 = 1.92% losses 
     
     this is compared to the 2.23% losses in the table.
     
     Another possibly category, since the blame seemingly points to problems of
     third world operators, is how many of these crashes are airlines that have 
     questionable maintenance. 
     
     The last category is time.  Although I am chancing fate, when was the last
     DC-10/MD-11 crash?  What is the current rate, as compared to previous years.
     Do these planes just need to get over "infant" problems, or is the rate 
     essentially constant?
     
     	Moreover, if we look at unexplainable crashes, at least for the Boeing
     and DC/MD planes we can usually identify a real design flaw to pin the
     crash on (cargo doors, engine mount pins) I can proudly say (well not really)
     OUR DARN AMERICAN PLANS CRASH BECAUSE OF DESIGN FLAWS WE CAN FIGURE OUT AFTER
     A COUPLE OF REALLY BIG CRASHES! (a smiley face goes here).  However, there is
     a point here and that is why are the A3?? losses seemingly predominately cause
     by some pilot to ship interface problem. 
     
     Once again, I'm sorry to have submitted unsubstantiated information, and I
     promise not to do it again.
     
     Wesley Kaplow, AT&T Bell Laboratories & Rensselaer Polytechnic Institute
     
     

Re: Airbus (Kaplow, RISKS-16.15)

Bob Niland <rjn@hpfcla.fc.hp.com >
15 Jun 1994 16:42:03 GMT
     
     > ... if we play only on the statistics, I want a airplane with a good
     > safety record.  ...
     
     If the statistics bear this out, it raises a point I haven't seen mentioned in
     the periodic discussions about the AirBus Industrie family of flying machines.
     
     If AI is indeed experiencing more hull losses than comparable airframes from
     other makers, then as a passenger, I don't really care that AI is having
     greater success in obtaining "pilot error" determinations in many of the
     crashes.  If their aircraft are more susceptible to pilot error, then AI's
     aircraft in fact have a problem, and I won't ride them.
     
     Whether computer or airliner, successfully blaming system inadequacies on
     the user is no substitute for designing usable systems in the first place.
     A comparison of incident/accident rates by airframe, showing the percentage
     resolved as "pilot error", would be interesting.
     
     Bob Niland  1001-A East Harmony Road, Suite 503, Fort Collins
     Colorado 80525   USA      rjn@csn.org     CompuServe: 71044,2124
     
     
---------------------------------------------

Previous Issue Index Next Issue Info Searching Submit Article


Report problems with the web pages to Lindsay.Marshall@newcastle.ac.uk.
This page was copied from: http://catless.ncl.ac.uk/Risks/16.16.html
COPY!
COPY!
Last modification on 1999-06-15
by Michael Blume