RISKS-LIST: RISKS-FORUM Digest   Wednesday, 28 October 1987   Volume 5 : Issue 51

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Re: Reported Japanese Autopilot Problems (Will Martin)
  (Non-)Japanese Autopilot Problems (Joe Morris)
  Possible nuclear launch prevented by parked vehicle (Scot Wilcoxon)
  SDI information system announced (Scot Wilcoxon)
  'Computers In Battle' (Rodney Hoffman)
  Re: Amusing bug: Business Week Computer (F)ails (John Pershing)
  Civil Disobedience (Fred Baube)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date: Wed, 28 Oct 87 10:56:58 CST
From: Will Martin -- AMXAL-RI <wmartin@ALMSA-1.ARPA>
To: Nancy Leveson <nancy%murphy.uci.edu@ROME.UCI.EDU>
Cc: risks@csl.sri.com
Subject: Re: Reported Japanese Autopilot Problems

Yes, I heard that report, and watched most of it (I was in the kitchen at the time and it was on the tiny-screen set on top of the fridge, and I was doing other things at the same time, but I caught the gist).  The particular plane is a corporate turboprop, and there have been repeated instances of crashes at high speed into the ground.  Recordings of pilot-to-tower conversations indicate that the autopilot has had a history of seizing control away from the human pilot, and that turning it off again is sometimes difficult or impossible.

(There weren't many details; I am guessing that to disable it the pilot has to hit circuit breakers or otherwise power down the autopilot, and it may be hard to do when he is also wrestling with the controls to try to keep the plane from crashing.)  Could it be that, this being a corporate plane, there is normally only a single pilot, not a pair (pilot & copilot), so there are no free hands to fiddle about with such switches or seldom-used controls?  (That's just an unsupported speculation on my part...)

In any case, it was a for-real broadcast.  You might be able to get a transcript from CBS or from one of the video-news-recording/clipping services.

(Side note to the list: Does anyone have a comprehensive list of such video-clipping services?  I've heard of them several times, and it seems that people often need to get such info, like in this case, after hearing about a televised report or event that they missed.  I don't know any specific firm or organization names or locations, nor have I any idea of what such services cost.)

Regards, Will Martin

------------------------------

Organization: The MITRE Corp., Washington, D.C.
To: risks@csl.sri.com
Subject: (Non-)Japanese Autopilot Problems
Date: Wed, 28 Oct 87 12:43:39 EST
From: Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.arpa>

In RISKS 5:50, Nancy Leveson writes:

> Supposedly, the [Japanese MU-2's] computerized autopilot will, under
> certain conditions, not let the pilot have control back.

I think you'll find that most autopilots -- indeed, most avionics of any type -- in American-registered aircraft will be American-manufactured.  At least at the low and middle end (I can't speak for the high-priced spread types) there isn't much penetration by foreign manufacturers.  While I've never flown the MU-2, my memory says that those I've seen had either King, Bendix, or Sperry avionics packages, probably with a matching IFCS (Integrated Flight Control System).

I recall seeing some MU-2 accident reports a while back that referred to the autopilot as being involved, including one in which the pilot told the FAA controller that he had autopilot problems just before the (fatal) crash.  I'm inclined to doubt that "the autopilot would not let the pilot have control back", since the control servo drives the (mechanical) control wire through a slip clutch whose breakaway limit must be no greater than can be overcome by the pilot.  It would require a runaway autopilot *and* a seized clutch to deny the pilot control.

The MU-2 has a reputation of requiring an unusually high degree of attention by the pilot, so any autopilot problems could be more serious in a MU-2 than the same problem would be in, say, a Cessna 421.  What may be more likely is that the autopilot sets up divergent oscillation which ultimately overstresses the airframe.  If for some reason the pilot fails to disconnect the autopilot promptly, the result can be spatial disorientation which in turn can cause the pilot to lose control of the aircraft even if the autopilot-induced load was within limits.

What does this mean to RISKS-readers?  One problem which is found in many aviation accident reports is that the aircrew (student pilot through 747 captain) has become complacent due to the assistance given by the "black boxes" on the aircraft.  When one of those boxes fails, the sudden transition to basic flying and navigation (probably not practiced for a l-o-n-g time) isn't successful and the airplane does things it's not supposed to.  Even worse, the boxes can give false or conflicting data and the aircrew doesn't resolve the problem in time to prevent an accident, like a 727 did a few years ago in New York when its stall warning (in effect, underspeed...no flames, please) and Mach warning (overspeed) alarms both activated.  The result was a "superstall" and crash with no survivors...straight down from 30,000 feet.

------------------------------

Subject: Possible nuclear launch prevented by parked vehicle
Date: 28 Oct 87 12:23:56 CST (Wed)
From: umn-cs!sewilco@datapg.MN.ORG (Scot Wilcoxon)
To: risks@csl.sri.com

Nearly three years ago a malfunctioning guidance system caused indication of a launch sequence on a Minuteman 3 missile with three nuclear warheads.  An armored vehicle was then parked on the silo to block any accidental launch.

AP reported that a Wednesday story in the Casper Star Tribune says the guidance system malfunctioned on January 10, 1984.  Capt. Bill Kalton of Warren Air Force base says that lights which monitor the status of the missile followed the pattern of a launch.  When the guidance system failed it showed false indications on the monitoring equipment.

A response team rushed to the missile site, parked an armored vehicle on top of the silo and left the scene.  If the concrete cover of the silo had opened the vehicle would have fallen on the missile, damaging it and blocking its path.  A maintenance team determined the missile was not in a launch sequence and that the warheads were not armed.

Scot E. Wilcoxon   sewilco@DataPg.MN.ORG   {ems,meccts}!datapg!sewilco
Data Progress   Minneapolis, MN, USA   +1 612-825-2607

------------------------------

Subject: SDI information system announced
Date: 28 Oct 87 12:23:33 CST (Wed)
From: umn-cs!sewilco@datapg.MN.ORG (Scot Wilcoxon)
To: risks@csl.sri.com

AP reports that the Pentagon has created a computer-based system to encourage communication of SDI technology.  Col. Jim Ball, director of technology applications for the SDI Organization, made the announcement.

Using TAIS, "a civilian researcher working on a field also being explored for Star Wars can obtain an unclassified summary of the Star Wars work and a referral to the individual researcher for consultation."

The TAIS computer will not have classified information and will be available at only the cost of a phone call.  U.S. citizens, after agreeing not to disclose sensitive information, can apply to the Defense Logistics agency for an access code.  No security clearance is needed, although the Pentagon considers some information as being sensitive enough to keep track of those who have access.

Scot E. Wilcoxon   sewilco@DataPg.MN.ORG   {ems,meccts}!datapg!sewilco
Data Progress   Minneapolis, MN, USA   +1 612-825-2607

------------------------------

Date: 28 Oct 87 07:25:03 PST (Wednesday)
Subject: 'Computers In Battle'
To: RISKS@csl.sri.com
From: Rodney Hoffman <Hoffman.es@Xerox.COM>

A brand new book of interest:

'Computers In Battle' edited by David Bellin and Gary Chapman.  Harcourt Brace Jovanovich, 1987, $14.95.  xiv + 362 pages, including Bibliography, Resources, Index.  ISBN 0-15-121232-5

Table of Contents
  Computers in Battle: A Human Overview                        Severo Ornstein
  A History of Computers and Weapons Systems                   Paul N. Edwards
  The New Generation of High-Technology Weapons                Gary Chapman
  Computer System Reliability and Nuclear War                  Alan Borning
  Computer and the Strategic Defense Initiative                Eric Roberts and Steve Berlin
  The Strategic Computing Program                              Jonathan Jacky
  Computers in Weapons: The Limits of Confidence               David Lorge Parnas
  Artificial Intelligence as Military Technology               Tom Athanasiou
  High Technology and the Emerging Dual Economy                Lenny Siegel and John Markoff
  The Role of Military Funding in Academic Computer Science    Clark Thomborson
  Computers and War: Philosophical Reflections on Ends and Means   John Ladd

------------------------------

Date: 28 October 1987, 09:44:47 EST
From: John Pershing <PERSHNG@ibm.com>
To: risks@csl.sri.com
Subject: Amusing bug: Business Week Computer (F)ails

Just an educated guess, but the failure was probably due to the index generation software not recognizing ligatures (e.g., 'fl' and 'ffl'), which were stored as single, "non-alphabetic" characters.

John A. Pershing Jr., Yorktown Heights

    [Ligature software carefully before using it.  PGN]

------------------------------

To: risks@csl.sri.com
Subject: Civil Disobedience
Date: Wed, 28 Oct 87 10:38:58 -0500
From: Fred Baube <fbaube@note.nsf.gov>

An important element of civil disobedience is that you take your lumps as they are determined by the system whose legitimacy you are challenging.  Thus the blacks who sat in the front of the buses and accepted arrest were practicing civil disobedience, in the hope that the visibility would create the public sentiment for change.  In a republic such as ours, CD provides an important avenue of political expression, when the "approved" methods (writing legislators, organizing, bumperstickers) don't cut the mustard.

    [OK... I think we have saturated on this one for now.  TNX... PGN.]

------------------------------

End of RISKS-FORUM Digest
************************
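The ligature guess in John Pershing's note above, worked through as an added example that is not part of the digest and not the actual Business Week software: an index key that keeps only "letters" silently drops a ligature stored as a single non-alphabetic code, and expanding ligatures before keying repairs it. The typesetter character set and the headlines are constructed for the example, and the block also covers the modern Unicode form of the same trap (U+FB02 'fl' and U+FB04 'ffl'), which survives the letter filter but sorts after 'z' unless it is NFKC-normalized first.

```python
import unicodedata

# Constructed stand-in for a 1980s typesetter character set (an assumption,
# not the real Business Week system): each ligature occupies ONE code that
# falls outside the alphabetic range, the situation Pershing describes.
TYPESETTER_LIGATURES = {"\x80": "fl", "\x81": "ffl"}


def expand_ligatures(text, table=TYPESETTER_LIGATURES):
    """Replace single-code ligatures with the letters they stand for."""
    for code, letters in table.items():
        text = text.replace(code, letters)
    # Unicode has the same trap: U+FB02 'fl' and U+FB04 'ffl' are single code
    # points; NFKC compatibility normalization decomposes them into letters.
    return unicodedata.normalize("NFKC", text)


def naive_key(headline):
    """Index key that keeps only what the software thinks are letters.
    A ligature code is not 'alphabetic', so it silently vanishes."""
    return "".join(ch for ch in headline if ch.isalpha() or ch == " ").lower()


def fixed_key(headline):
    """Same key, but ligatures are expanded before anything is discarded."""
    return naive_key(expand_ligatures(headline))


def build_index(headlines, key_fn):
    """Return (key, headline) pairs in the order the printed index would use."""
    return sorted((key_fn(h), h) for h in headlines)


# Constructed sample headlines, stored the way the typesetter would store them.
HEADLINES = [
    "Zero-Day Patch Cycle",
    "Air\x80ow Sensor Recall",       # 'Airflow' with an 'fl' ligature code
    "Shu\x81e Algorithm Bias",       # 'Shuffle' with an 'ffl' ligature code
    "\ufb02ight Control Software",   # Unicode U+FB02 ligature, sorts after 'z'
]

if __name__ == "__main__":
    for label, key_fn in (("naive", naive_key), ("fixed", fixed_key)):
        print(label)
        for key, headline in build_index(HEADLINES, key_fn):
            print(f"  {key!r:32} <- {headline!r}")
```

Running it prints the naive index with "airow" and "shue" entries and the ligature headline sorted last, then the fixed index in the expected alphabetical order.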