RISKS-LIST: RISKS-FORUM Digest  Wednesday, 28 October 1987  Volume 5 : Issue 51

        FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Re: Reported Japanese Autopilot Problems (Will Martin)
  (Non-)Japanese Autopilot Problems (Joe Morris)
  Possible nuclear launch prevented by parked vehicle (Scot Wilcoxon)
  SDI information system announced (Scot Wilcoxon)
  'Computers In Battle' (Rodney Hoffman)
  Re: Amusing bug: Business Week Computer (F)ails (John Pershing)
  Civil Disobedience (Fred Baube)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM.
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

Date:     Wed, 28 Oct 87 10:56:58 CST
From: Will Martin -- AMXAL-RI <wmartin@ALMSA-1.ARPA>
To: Nancy Leveson <nancy%murphy.uci.edu@ROME.UCI.EDU>
Cc: risks@csl.sri.com
Subject:  Re: Reported Japanese Autopilot Problems

Yes, I heard that report, and watched most of it (I was in the kitchen
at the time and it was on the tiny-screen set on top of the fridge,
and I was doing other things at the same time, but I caught the gist).

The particular plane is a corporate turboprop, and there have been
repeated instances of crashes at high speed into the ground. Recordings
of pilot-to-tower conversations indicate that the autopilot has had a
history of seizing control away from the human pilot, and that turning
it off again is sometimes difficult or impossible. (There weren't many
details; I am guessing that to disable it the pilot has to hit circuit
breakers or otherwise power down the autopilot, and it may be hard to do
when he is also wrestling with the controls to try to keep the plane
from crashing.) Could it be that, this being a corporate plane, there is
normally only a single pilot, not a pair (pilot & copilot), so there are
no free hands to fiddle about with such switches or seldom-used
controls? (That's just an unsupported speculation on my part...)

In any case, it was a for-real broadcast. You might be able to get a
transcript from CBS or from one of the video-news-recording/clipping
services. (Side note to the list: Does anyone have a comprehensive list
of such video-clipping services? I've heard of them several times, and
it seems that people often need to get such info, like in this case,
after hearing about a televised report or event that they missed. I
don't know any specific firm or organization names or locations, nor
have I any idea of what such services cost.)

Regards, Will Martin

------------------------------

Organization: The MITRE Corp., Washington, D.C.
To: risks@csl.sri.com
Subject: (Non-)Japanese Autopilot Problems
Date: Wed, 28 Oct 87 12:43:39 EST
From: Joe Morris (jcmorris@mitre.arpa) <jcmorris@mitre.arpa>

In RISKS 5:50, Nancy Leveson writes:

>  Supposedly, the [Japanese MU-2's] computerized autopilot will, under 
>  certain conditions, not let the pilot have control back.

I think you'll find that most autopilots -- indeed, most avionics of any
type -- in American-registered aircraft will be American-manufactured.  At
least at the low and middle end (I can't speak for the high-priced spread
types) there isn't much penetration by foreign manufacturers.  While I've
never flown the MU-2, my memory says that those I've seen had either King,
Bendix, or Sperry avionics packages, probably with a matching IFCS
(Integrated Flight Control System).

I recall seeing some MU-2 accident reports a while back that referred to the
autopilot as being involved, including one in which the pilot told the
FAA controller that he had autopilot problems just before the (fatal) crash.
I'm inclined to doubt that "the autopilot would not let the pilot have
control back", since the control servo drives the (mechanical) control wire
through a slip clutch whose breakaway limit must be no greater than can
be overcome by the pilot.  It would require a runaway autopilot *and* a
seized clutch to deny the pilot control.

The MU-2 has a reputation of requiring an unusually high degree of attention
by the pilot, so any autopilot problems could be more serious in a MU-2 than
the same problem would be in, say, a Cessna 421.

What may be more likely is that the autopilot sets up divergent oscillation
which ultimately overstresses the airframe.  If for some reason the pilot
fails to disconnect the autopilot promptly, the result can be spatial
disorientation which in turn can cause the pilot to lose control of the
aircraft even if the autopilot-induced load was within limits.

What does this mean to RISKS-readers?  One problem which is found in many
aviation accident reports is that the aircrew (student pilot through 747
captain) has become complacent due to the assistance given by the "black
boxes" on the aircraft.  When one of those boxes fails, the sudden transition
to basic flying and navigation (probably not practiced for a l-o-n-g time)
isn't successful and the airplane does things it's not supposed to.  Even
worse, the boxes can give false or conflicting data and the aircrew doesn't
resolve the problem in time to prevent an accident, like a 727 did a few
years ago in New York when its stall warning (in effect, underspeed...no
flames, please) and Mach warning (overspeed) alarms both activated.  The result
was a "superstall" and crash with no survivors...straight down from 30,000 feet.

------------------------------

Subject: Possible nuclear launch prevented by parked vehicle
Date: 28 Oct 87 12:23:56 CST (Wed)
From: umn-cs!sewilco@datapg.MN.ORG (Scot Wilcoxon)
To: risks@csl.sri.com

Nearly three years ago a malfunctioning guidance system caused indication
of a launch sequence on a Minuteman 3 missile with three nuclear warheads.
An armored vehicle was then parked on the silo to block any accidental
launch.

AP reported that a Wednesday story in the Casper Star Tribune says the
guidance system malfunctioned on January 10, 1984.  Capt. Bill Kalton of
Warren Air Force Base says that lights which monitor the status of the
missile followed the pattern of a launch.  When the guidance system
failed it showed false indications on the monitoring equipment.

A response team rushed to the missile site, parked an armored vehicle on
top of the silo and left the scene.  If the concrete cover of the silo
had opened the vehicle would have fallen on the missile, damaging it and
blocking its path.  A maintenance team determined the missile was not in
a launch sequence and that the warheads were not armed.

Scot E. Wilcoxon	sewilco@DataPg.MN.ORG	{ems,meccts}!datapg!sewilco
Data Progress		Minneapolis, MN, USA	+1 612-825-2607

------------------------------

Subject: SDI information system announced
Date: 28 Oct 87 12:23:33 CST (Wed)
From: umn-cs!sewilco@datapg.MN.ORG (Scot Wilcoxon)
To: risks@csl.sri.com

AP reports that the Pentagon has created a computer-based system to
encourage communication of SDI technology.  Col. Jim Ball, director of
technology applications for the SDI Organization, made the announcement.
Using TAIS, "a civilian researcher working on a field also being explored
for Star Wars can obtain an unclassified summary of the Star Wars work
and a referral to the individual researcher for consultation."

The TAIS computer will not have classified information and will be
available at only the cost of a phone call.  U.S. citizens, after
agreeing not to disclose sensitive information, can apply to the Defense
Logistics Agency for an access code.  No security clearance is needed,
although the Pentagon considers some information as being sensitive
enough to keep track of those who have access.

Scot E. Wilcoxon	sewilco@DataPg.MN.ORG	{ems,meccts}!datapg!sewilco
Data Progress		Minneapolis, MN, USA	+1 612-825-2607

------------------------------

Date: 28 Oct 87 07:25:03 PST (Wednesday)
Subject: 'Computers In Battle'
To: RISKS@csl.sri.com
From: Rodney Hoffman <Hoffman.es@Xerox.COM>

A brand new book of interest:

'Computers In Battle' edited by David Bellin and Gary Chapman.
Harcourt Brace Jovanovich, 1987, $14.95.
xiv + 362 pages, including Bibliography, Resources, Index.
ISBN 0-15-121232-5

       Table of Contents

Computers in Battle:  A Human Overview
   Severo Ornstein

A History of Computers and Weapons Systems
   Paul N. Edwards

The New Generation of High-Technology Weapons
   Gary Chapman

Computer System Reliability and Nuclear War
   Alan Borning

Computers and the Strategic Defense Initiative
   Eric Roberts and Steve Berlin

The Strategic Computing Program
   Jonathan Jacky

Computers in Weapons:  The Limits of Confidence
   David Lorge Parnas

Artificial Intelligence as Military Technology
   Tom Athanasiou

High Technology and the Emerging Dual Economy
   Lenny Siegel and John Markoff

The Role of Military Funding in Academic Computer Science
   Clark Thomborson

Computers and War:  Philosophical Reflections on Ends and Means
   John Ladd

------------------------------

Date: 28 October 1987, 09:44:47 EST
From: John Pershing <PERSHNG@ibm.com>
To: risks@csl.sri.com
Subject: Amusing bug: Business Week Computer (F)ails

Just an educated guess, but the failure was probably due to the index
generation software not recognizing ligatures (e.g., 'fl' and 'ffl'),
which were stored as single, "non-alphabetic" characters.

      John A. Pershing Jr.,       Yorktown Heights

         [Ligature software carefully before using it.  PGN]

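An added illustration, not part of the digest or of Pershing's message, of the
failure mode he guesses at: an indexer that sorts on raw character codes and
picks letter headings from the first character will file "flowchart" under
a symbols heading and mis-sort "raffle" when the 'fl' and 'ffl' ligatures are
stored as single characters.  The entries, the heading scheme and the use of
Unicode ligature code points (U+FB01, U+FB02, U+FB04) are constructed for the
example; the fix shown is NFKC compatibility normalization, which expands each
ligature to its constituent letters before keying.

```python
import unicodedata

# Constructed sample index entries. The ligatures are stored as single
# characters, the way a typesetting system might hand them to an indexer:
# U+FB01 (fi), U+FB02 (fl), U+FB04 (ffl). Input data is made up for this example.
ENTRIES = [
    "\ufb02owchart",     # "flowchart"
    "\ufb01le system",   # "file system"
    "ra\ufb04e",         # "raffle"
    "rag",
    "zebra",
    "apple",
]


def naive_key(entry):
    """Sort on the raw characters: ligature code points sort after 'z'."""
    return entry


def naive_heading(entry):
    """Letter heading from the raw first character; a ligature is 'non-alphabetic'."""
    first = entry[0]
    return first.upper() if "a" <= first <= "z" else "SYMBOLS"


def normalized_key(entry):
    """NFKC compatibility normalization expands each ligature to its letters."""
    return unicodedata.normalize("NFKC", entry)


def normalized_heading(entry):
    """Same heading rule, applied to the normalized text instead of the raw text."""
    return naive_heading(normalized_key(entry))


def build_index(entries, key, heading):
    """Group entries under letter headings in the order given by key()."""
    index = {}
    for entry in sorted(entries, key=key):
        index.setdefault(heading(entry), []).append(entry)
    return index


def naive_index():
    """The broken indexer: ligatured words land under SYMBOLS and sort late."""
    return build_index(ENTRIES, naive_key, naive_heading)


def fixed_index():
    """The repaired indexer: key and heading computed on the NFKC form."""
    return build_index(ENTRIES, normalized_key, normalized_heading)


if __name__ == "__main__":
    for label, idx in (("naive", naive_index()), ("normalized", fixed_index())):
        print(label)
        for head, items in idx.items():
            print("  ", head, [unicodedata.normalize("NFKC", i) for i in items])
```

Note that the entries keep their ligature characters in the output; only the
sort key and the heading are derived from the normalized form, so the
typesetter still gets the glyphs it expects.  A 1987 system would not have
used Unicode, but the mechanism is the same whenever a ligature is carried as
a sentinel code the indexer does not recognize as a letter.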
------------------------------

To: risks@csl.sri.com
Subject: Civil Disobedience
Date: Wed, 28 Oct 87 10:38:58 -0500
From: Fred Baube <fbaube@note.nsf.gov>

An important element of civil disobedience is that you take
your lumps as they are determined by the system whose
legitimacy you are challenging.  Thus the blacks who sat in the
front of the buses and accepted arrest were practicing civil
disobedience, in the hope that the visibility would create
the public sentiment for change.

In a republic such as ours, CD provides an important avenue
of political expression, when the "approved" methods (writing
legislators, organizing, bumperstickers) don't cut the mustard.

   [OK...  I think we have saturated on this one for now.  TNX...  PGN.]

------------------------------

End of RISKS-FORUM Digest
************************