Subject: RISKS DIGEST 16.16
REPLY-TO: risks@csl.sri.com

RISKS-LIST: RISKS-FORUM Digest  Weds 15 June 1994  Volume 16 : Issue 16

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

***** See last item for information on RISKS (comp.risks) *****

Contents:
Congressman Jack Brooks' Statement on Crypto (David Banisar)
WSJ article: RFI hoses medical equipment (Robert Allen)
Summary of safety-critical computers in transport aircraft (Peter Ladkin)
More on Airbuses (Robert Dorsett, Peter Ladkin, Wesley Kaplow, Pete Mellor,
  Kaplow again, Bob Niland)
Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

----------------------------------------------------------------------

Date: Tue, 14 Jun 1994 14:20:25 -0400
From: David Banisar
Subject: Congressman Jack Brooks' Statement on Crypto

The following statement by Rep. Jack Brooks (D-TX) was today entered in the Congressional Record and transmitted to the House Intelligence Committee. Rep. Brooks is Chairman of the House Judiciary Committee and played a key role in the passage of the Computer Security Act of 1987 when he served as Chairman of the House Government Operations Committee.

David Sobel
Legal Counsel
Electronic Privacy Information Center

=============================================================

ENCRYPTION POLICY ENDANGERS U.S. COMPETITIVENESS IN GLOBAL MARKETPLACE

For some time now, a debate has been raging in the media and in the halls of Congress over the Administration's intention to require U.S. corporations to use and market the Clipper Chip, an encryption device developed in secret by the National Security Agency. The Clipper Chip will provide industry and others with the ability to encode telephone and computer communications. The use of the Clipper Chip as the U.S.
encryption standard is a concept promoted by both the intelligence and law enforcement communities because it is designed with a back door to make it relatively easy for these agencies to listen in on these communications.

The law enforcement and intelligence communities have a legitimate concern that advances in technology will make their jobs more difficult. But the issue here is whether attempts to restrict the development, use and export of encryption amounts to closing the barn door after the horse has already escaped.

The notion that we can limit encryption is just plain fanciful. Encryption technology is available worldwide -- and will become more available as time goes on.

First, generally available software with encryption capabilities is sold within the U.S. at thousands of retail outlets, by mail, even, over the phone. These programs may be transferred abroad in minutes by anyone using a public telephone line and a computer modem.

Second, it is estimated that over 200 products from some 22 countries -- including Great Britain, France, Germany, Russia, Japan, India, and South Africa -- use some form of the encryption that the Government currently prohibits U.S. companies from exporting. According to the May 16, 1994 issue of _Fortune_, not only are U.S. companies willing to purchase foreign encryption devices, American producers of encrypted software are also moving production overseas to escape the current export controls.

Third, encryption techniques and technology are well understood throughout the world. Encryption is routinely taught in computer science programs. Text books explain the underlying encryption technology. International organizations have published protocols for implementing high level encryption. Actual implementations of encryption -- programs ready to use by even computer novices -- are on the Internet.

The only result of continued U.S.
export controls is to threaten the continued preeminence of America's computer software and hardware companies in world markets. These restrictive policies jeopardize the health of American companies, and the jobs and revenues they generate.

I support, therefore, the immediate revision of current export controls over encryption devices to comport with the reality of worldwide encryption availability. I believe law enforcement and the intelligence community would be better served by finding real, and targeted ways to deal with international terrorists and criminals rather than promoting scattershot policies, which restrict American industries' ability to design, produce and market technology.

Now -- more than ever -- we cannot afford to harm our economic competitiveness and justify it in the name of national security.

------------------------------

Date: Wed, 15 Jun 1994 11:37:44 -0700
From: Robert.Allen@eng.sun.com (Robert Allen)
Subject: WSJ article: RFI hoses medical equipment

The 15 Jun 1994 Wall St. Journal has an interesting front-page article about how RFI generated by radios & cellphones is screwing up operation of sensitive medical equipment such as heart defibrillators, diagnostic equipment, and even electric wheelchairs.

Some of the horror stories sound apocryphal, like the electric wheelchair "zapped by radio waves" that sent its passenger over a cliff. Others sound entirely possible: a 72 year old man died in an ambulance when the heart defib. device he was on failed due to RFI from the ambulance two-way radio. The ambulance mfgr. had replaced the steel roof with a fiberglass dome, and put the antenna on top (duhhhhh).

The best story however was about some poor sap who had a pacemaker installed after diagnostic equipment indicated he needed one. It was later discovered the diagnosis was in error, and was caused by RFI from a television in the same room.
Runners up for best story were from the mother whose use of a cellphone in the car affected the ventilator her child was using in the back seat. In a hospital ward a whole bunch of ventilators alarmed when the handyman keyed his transceiver.

As is demonstrated by the TV case, even having technicians install and test new equipment can't account for the fact that just moving the stuff around during a spring cleaning might put two pieces in juxtaposition to cause problems.

Having recently seen more than my share of medical equipment, I'm sorely unimpressed with the ruggedness of it (it sort of reminds me of ICOM radios). Still, with more and more people using cellphones I figure we'll have more and more problems. I wonder if cellphones will be the health hazard in the '90's that radium watch dials were in the '40's?

Robert

------------------------------

Date: Wed, 15 Jun 1994 22:13:19 +0200
From: Peter Ladkin
Subject: Summary of safety-critical computers in transport aircraft

Given the interest in RISKS on computers in aviation, and some confusion concerning characteristics of Airbus aircraft, I thought it might be useful to summarise for RISKS readers some of the current state of things.

I believe there have been three major accidents involving Airbus aircraft in the last year: an A320 ran off the end of the runway in Warsaw in September 1993, killing two people and injuring many; the crew of an Aeroflot Airbus A310 lost control during cruise flight, which led to the death of everyone on board; and a China Airlines A300 crashed recently tail-first (!) on landing at Nagoya, killing all or almost all on board.

The A300 and A310 aircraft have `conventional' control, that is, physical control of the aircraft is transmitted by mechanical or hydraulic means to most of the flight control surfaces. The normal flight control of the Airbus A320, A321, A330 and A340 aircraft, in contrast, is achieved by computer, to which the pilots' sidestick movements are one set of inputs.
This is colloquially known as `fly-by-wire'. `Fly-by-wire' aircraft have been in regular use by the military for over 20 years, but the A320 is the first commercial `fly-by-wire' transport, introduced in the early 90's. Pilots have extremely limited direct physical control of A320/21/30/40 aircraft should the flight control computers be unavailable, a situation which is anticipated not to occur during the lifetime of the fleet.

The first flight of the Boeing 777 took place on Sunday 12 June, 1994. The B777 is Boeing's first `fly-by-wire' commercial transport, which it is hoped will be `certificated' in April 95 with delivery to its first customer, United Airlines, in May 95. The B777 is a significantly different design from the A320, and I would be very surprised if there were to be any accidents attributable to features common to A320/21/30/40 and B777 aircraft which are not also common features of conventional aircraft such as the B737.

Airbus claims its design philosophy is `evolutionary', that is, the systems are not designed from scratch, but introduced gradually into the company's designs after success in previous designs. Nevertheless, there are steps, such as that to `fly-by-wire' in the A320, which RISKS readers may consider more significant than others. See the article by J.P. Potocki de Montalk, Head of Airbus Cockpit/Avionic Engineering at Airbus, in Microprocessors and Microsystems 17(1).

A useful and readable reference for those interested in A320 accidents is RISKS contributor Peter Mellor's long paper `CAD: Computer-Aided Disaster!' which contains a description of the design of the A320 Electrical Flight Control System, and detailed commentary on all A320 accidents to date, and is to my knowledge the only single source to do so. A version of this paper is to appear in High Integrity Systems journal.
Apart from the flight control on A320/321/330/340s and B777s, there are potentially RISKy computer-based systems on almost all modern transport aircraft, of which maybe the most important are the autopilot/Flight-Director and the FADEC (Full-Authority Digital Engine Control). All commercial aircraft have autopilots of various degrees of sophistication (and most have Flight Directors, which provide passive guidance rather than active control), and these may be suspect in certain incidents (e.g. the Collins autopilots on B757 and B767 aircraft: see PGN in RISKS-15.08, and my posting in RISKS-15.13). Many modern aircraft also have FADEC, which has occasionally come under investigation, but I can't think of occasions so far on which they have been considered primary cause of accidents or incidents.

Human factors are very important. A taskforce has recently been convened to study incidents of `controlled flight into terrain', in which the continued safe flight of the aircraft is impeded by a cloud with a crunchy center (see The Economist, June 4-10 1994, p92). In these accidents the physical performance of the airplane is generally not a factor, but they may nevertheless be computer-related, since guidance and air traffic control relies on computers to various degrees.

Aircraft accidents are amongst the most well-studied of failures in any engineering discipline. I have never held any position in the aviation industry, but some of my research interests and hobbies bring me there. My continuing experience is that it pays to try to take as much care in forming opinions about them as it does to report them accurately in the first place. I wish I could be better at both.
Peter Ladkin

------------------------------

Date: Wed, 15 Jun 1994 13:56:56 -0700
From: rdd@netcom.com (Robert Dorsett)
Subject: Re: Overy, RISKS-16.15

From: Phil Overy wrote:
Subject: Correction of my post on "A-THREE-HUNDRED" crash at Nagoya
>
> The Taiwanese plane did not crash after any kind of automation or airframe
> failure, but when the auto-pilot was left on until too late.

This is not clear. There are normally three or four ways to disengage any autopilot:

- a switch on the glareshield.
- a deactivate switch on the yoke
- pushing or pulling forcefully on the yoke
- a circuit breaker as a last resort

In this case, it appears the crew were aware of the problem for over TWO MINUTES--an eternity--and fought the airplane to the ground. I refuse to see this trivially dismissed as "operator error" or "they didn't turn off the autopilot until it was too late." This is a horrifying situation, and if there is a mechanical or interface or modal failure lurking beneath the scenes, it needs to be rectified. AND UNDERSTOOD: if it's even as simple as a service or maintenance issue, then the problem could recur on other airplanes.

> Peter Ladkin tells me that the president of the airline resigned after the
> crash, so it doesn't sound as if they are trying to transfer responsibility
> to the manufacturers.

Again, after a long string of crashes. I believe the president or VP of JAL was ultimately compelled to resign after the 747 SR crash in Japan. This has nothing to do with culpability: it's accountability. A form of personal responsibility which seems to be quite absent in Western corporate culture. There is nothing more one can draw from it than that.

>I could have phrased it better, but I would point out that Boeing also now use
>fly-by-wire (on the brand new 777), so the earlier correspondent was misguided
>in thinking that Boeing were staying away from fly-by-wire. The 777 is also a
>much bigger plane than the A320...
Airbus has continued evolving its aircraft line. There are now the A330 and A340, heavy long-range transports. Same interface.

And

> From: Wesley Kaplow writes:
> Subject: Does it matter why A3??'s have a poor record?
> The average persons response to all of the A3?? technical discussion would
> probably be that it frankly it does not matter why these planes crash!.

There are many people reading this newsgroup whose job descriptions include understanding and solving these problems so that future generations of aircraft do not cost lives or resources. The reason that RISKS keeps harping on airplane automation is that it has broad ramifications to the computer industry in general, and safety-critical systems in particular. What gets established as "safe" in aviation will undoubtedly define standards of "safety" for other disciplines: this includes specification and development paradigms. So these crashes should be of interest to ALL computer professionals and computer scientists. And there are certainly people out there whose job descriptions do include making managerial-level equipment decisions, who may not be aware or sensitized to some of these issues.

------------------------------

Date: Wed, 15 Jun 1994 21:18:54 +0200
From: Peter Ladkin
Subject: Quarrelling over spilt airplanes [Dorsett, RISKS-16.15]

In RISKS-16.15, Robert Dorsett disagrees with two quotes from my posting in RISKS-16.14. I disagree with his disagreements:

> > Fly-by-wire aircraft use modes because they have to.
>
> This is not true. Early FBW aircraft were essentially open-loop analog
> systems.

I wasn't thinking about history when I made my assertion. There are many fly-by-wire aircraft types around *nowadays*, all but two of which are military, as of last Sunday. Do any of these aircraft *not* use modes? I can't think of one (but I would like to know of the exception that proves my rule). Robert's strong rejection may be as misleading as he thought my assertion was.
Robert holds the view that sidestick control may have been the result of non-engineering decisions. That may be true (or not), but I don't consider it relevant to whether sidestick control is well-engineered or not in a given aircraft.

> >A further comment about the Nagoya accident is appropriate. Current
> >knowledge is that the pilots failed to follow normal, explicit
> >procedure for control of the aircraft,
>
> Really? I've not seen that anywhere.

Flight International, 11-17 May 1994 p5, "a pilot pushes forward on the control column to counteract the autopilot nose-up input. *This is against the published procedures ...*" (my emphasis). FI and David Learmount are regarded as accurate on such matters.

> >and secondly that they had both
> >been drinking alcohol, which is illegal for good reason.
>
> This has also not been substantiated. The investigators will not comment,

Robert's assertions do not necessarily contradict mine. It may help to understand more of the context. The investigators will not comment officially, but then they're required not to - the official report on the Warsaw A320 accident is not out yet either, but that doesn't stop us knowing most of the factors involved there. Concerning the Nagoya A300 accident, there are normally-reliable aviation journal reports (sorry, the ref's buried) on the precise blood-alcohol level of the pilots which led to my conclusion.

> >senior management of China Airlines has resigned because of this
> > accident.
>
> Because of the fifth major accident in as many years,
> was the way I understood it.

..which are two ways of reporting the facts associated with the same event.

Peter Ladkin

------------------------------

Date: Wed, 15 Jun 1994 13:50:41 -0400
From: Wesley Kaplow
Subject: Not quite (re: Pete Mellor)

Thanks to Peter Mellor it has come to my attention that my statement about loss of craft per craft delivered is not true.
Unfortunately, I added that comment based on previous information about per-mile crash rates. The focus that I intended was that the average person does not really care why, only that they perceive that there is a potential safety problem. A good parallel might be the Audi 5000 series of reported "sudden-acceleration" problems. Although the Audi 5000 may not have had a larger incident rate of sudden acceleration than other cars, ultimately perception was the driving factor. People did not say: "oh that sudden acceleration problem, well that Audi 5000 was owned by someone from the '3rd' world, it must be his fault". Ultimately, the car had at least its name changed, and it probably cost Audi car sales.

At least in the case of the Audi, I could choose not to buy the car. In the case of airline travel, I cannot make the choice between airframes because the information is not available. I may be making the choice based on poor information, but it is my poor decision to make.

Also, the airframe loss statistics can be somewhat misleading as well, as the crash information Peter sent to me does not say, for example, if the 747 statistics includes losses such as the Canary Island collision, or the Lockerbie terrorist loss.

Once again, I apologize for the incorrect statement.

Wesley Kaplow, AT&T Bell Laboratories & Rensselaer Polytechnic Institute

------------------------------

Date: Wed, 15 Jun 94 17:52:23 BST
From: Pete Mellor
Subject: Re: Does it matter why A3??'s have a poor record?

Wesley Kaplow writes in RISKS DIGEST 16.15:

> Already, Airbus Industry has lost more planes per delivered plane
> than other major aircraft manufacturer in the past 3 decades (Lockheed,
> Boeing, MD).

I would be interested to learn the source of this information. The following table shows the number of crashes per hull in service for different aircraft types. The source is Luftfahrtindustrie, and the table is quoted from ``Der Traum von Total Sicherheit'', Focus, 38, 1993, pp18-21.
   Aircraft            No. in     Hulls    % Losses
   Type                Service    Lost

   DC-9/MD-80            2065       68       3.29
   Boeing 727            1831       62       3.39
   Boeing 737            2515       57       2.27
   Boeing 747             988       22       2.23
   DC-10                  446       21       4.71
   Airbus A300/310        636        7       1.10
   Airbus A320            411        4       0.97

Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB
Tel: +44 (71) 477-8422, Fax.: +44 (71) 477-8585, E-mail (JANET): p.mellor@csr.city.ac.uk

------------------------------

Date: Wed, 15 Jun 1994 13:29:15 -0400
From: Wesley Kaplow
Subject: Re: Does it matter why A3??'s have a poor record? (Re: Mellor)

Dear Pete,

Unfortunately I did a back of the envelope calculation that is probably more suited to comparing the number of takeoffs/landings against accident rates. I remember seeing statistics on the number of 757s lost per total mile (or sorties) vs. A3??. The numbers were quite heavily in favor of the Boeing. However, you are absolutely correct. I should have made sure that I have accurate data before such a broad statement. Please delete that section of the message. I should know better.

The real point that I wanted to make is that the general public does not care about root-cause analysis, fly-by-wire, or different flight modes. Perceptions of safety, like those that plagued the DC-10 for several years, and like the Audi 5000, are what people care about. Our rationalization that these crashes occurred due to pilot error in 3rd world countries does not make me feel any safer.

It would be interesting to know the breakdown of the essential reasons for the airframe losses in the table you provided. There are three categories I would like to see:

1) Loss on the ground (at least 2 of the 747's were lost this way)
2) Loss due to mechanical defect
3) Crew error.

Also, which accidents cause a total loss or just loss of the frame. For example, a 747 lost part of its skin, but landed safely (with MOST of its passengers). A 737 got a moon roof, but landed safely (with all of its passengers and MOST of the crew).
A DC-10 (with the blown cargo door) landed with most of its passengers and crew. I assume that these airframes are gone, but are they really "losses" in the sense that the average person would think they are crashes. Moreover, some of these craft were blown out of the sky by terrorists, or set fire on the ground. I believe that this changes the numbers in the table. For example, if one does the following:

     22 hulls lost for the 747 (are there really only 988 in service?)
   -  2 Canary Island
   -  1 Lockerbie
   -----
     19 "Crashed Hulls"

     19/988 = 1.92% losses

this is compared to the 2.23% losses in the table.

Another possible category, since the blame seemingly points to problems of third world operators, is how many of these crashes are airlines that have questionable maintenance.

The last category is time. Although I am chancing fate, when was the last DC-10/MD-11 crash? What is the current rate, as compared to previous years. Do these planes just need to get over "infant" problems, or is the rate essentially constant?

Moreover, if we look at unexplainable crashes, at least for the Boeing and DC/MD planes we can usually identify a real design flaw to pin the crash on (cargo doors, engine mount pins). I can proudly say (well not really) OUR DARN AMERICAN PLANES CRASH BECAUSE OF DESIGN FLAWS WE CAN FIGURE OUT AFTER A COUPLE OF REALLY BIG CRASHES! (a smiley face goes here). However, there is a point here, and that is: why are the A3?? losses seemingly predominantly caused by some pilot to ship interface problem?

Once again, I'm sorry to have submitted unsubstantiated information, and I promise not to do it again.

Wesley Kaplow, AT&T Bell Laboratories & Rensselaer Polytechnic Institute

------------------------------

Date: 15 Jun 1994 16:42:03 GMT
From: rjn@hpfcla.fc.hp.com (Bob Niland)
Subject: Re: Airbus (Kaplow, RISKS-16.15)

> ... if we play only on the statistics, I want a airplane with a good
> safety record. ...
If the statistics bear this out, it raises a point I haven't seen mentioned in the periodic discussions about the AirBus Industrie family of flying machines.

If AI is indeed experiencing more hull losses than comparable airframes from other makers, then as a passenger, I don't really care that AI is having greater success in obtaining "pilot error" determinations in many of the crashes. If their aircraft are more susceptible to pilot error, then AI's aircraft in fact have a problem, and I won't ride them.

Whether computer or airliner, successfully blaming system inadequacies on the user is no substitute for designing usable systems in the first place.

A comparison of incident/accident rates by airframe, showing the percentage resolved as "pilot error", would be interesting.

Bob Niland
1001-A East Harmony Road, Suite 503, Fort Collins Colorado 80525 USA
rjn@csn.org  CompuServe: 71044,2124

------------------------------

Date: 31 May 1994 (LAST-MODIFIED)
From: RISKS-request@csl.sri.com
Subject: Info on RISKS (comp.risks), contributions, subscriptions, FTP, etc.

The RISKS Forum is a moderated digest. Its USENET equivalent is comp.risks. Undigestifiers are available throughout the Internet, but not from RISKS.

SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) on your system, if possible and convenient for you. BITNET folks may use a LISTSERV (e.g., LISTSERV@UGA): SUBSCRIBE RISKS or UNSUBSCRIBE RISKS. U.S. users on .mil or .gov domains should contact (Dennis Rears ). UK subscribers please contact . Local redistribution services are provided at many other sites as well. Check FIRST with your local system or netnews wizards. If that does not work, THEN please send requests to (which is not automated).

CONTRIBUTIONS: to risks@csl.sri.com, with appropriate, substantive Subject: line, otherwise they may be ignored. Must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious.
Diversity is welcome, but not personal attacks. PLEASE DO NOT INCLUDE ENTIRE PREVIOUS MESSAGES in responses to them. Contributions will not be ACKed; the load is too great. **PLEASE** include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. Relevant contributions may appear in the RISKS section of regular issues of ACM SIGSOFT's SOFTWARE ENGINEERING NOTES, unless you state otherwise.

ARCHIVES: "ftp crvax.sri.com<CR>login anonymous<CR>YourName<CR> cd risks:<CR>
Issue j of volume 16 is in that directory: "get risks-16.j". For issues of earlier volumes, "get [.i]risks-i.j" (where i=1 to 15, j always TWO digits) for Vol i Issue j. Vol i summaries in j=00, in both main directory and [.i] subdirectory; "dir" (or "dir [.i]") lists (sub)directory; "bye" logs out. CRVAX.SRI.COM = [128.18.30.65]; <CR>=CarriageReturn; FTPs may differ; UNIX prompts for username, password; bitftp@pucc.Princeton.EDU and WAIS are alternative repositories. See risks-15.75 for WAIS info. To search back issues with WAIS, use risks-digest.src. With Mosaic, use http://www.wais.com/wais-dbs/risks-digest.html.

FAX: ONLY IF YOU CANNOT GET RISKS ON-LINE, you may be interested in receiving it via fax; phone +1 (818) 225-2800, or fax +1 (818) 225-7203 for info regarding fax delivery. PLEASE DO NOT USE THOSE NUMBERS FOR GENERAL RISKS COMMUNICATIONS; as a last resort you may try phone PGN at +1 (415) 859-2375 if you cannot E-mail risks-request@CSL.SRI.COM .

------------------------------

End of RISKS-FORUM Digest 16.16
************************