(Found this on an aviation safety discussion board. FWIW)

Found this one on comp.risks (Vol 21, Issue 53, Tuesday 19 July 2001):

-------------

AVweb (www.avweb.com), a news service for general aviation, reported July 9 that the FAA has issued an Emergency Airworthiness Directive (AD) on one model of Apollo NAV/COM (a combined navigation and communication radio) with a specific DSP Software Version Number, because its bearing indication was found to be off by as much as 14 degrees. The Emergency AD prohibits any flight in an aircraft equipped with the radio until it is marked "Use ... for navigation prohibited."

The navigation function relies on special ground stations that (simplifying a bunch) transmit a signal that varies the phase of the modulation with azimuth, allowing the radio to infer its bearing from a station within a degree or two. An aircraft flying a circle around a station sees the modulation change smoothly.

For many aircraft, this is the primary navigation system when flying by instruments, in clouds. Fifty miles out and 14 degrees off could put you in conflict with FAA airspace rules (bad, takes explaining) or mountains (worse, takes a funeral). In comparison, suddenly not being able to fly by instruments doesn't look so bad.

The AD text suggests that some stations do not adhere to the nominal 30 Hz modulation frequency, but the DSP software depends on the assumption that they do. I would guess that bench-testing was done only with nominal generated signals, and certification flight testing (if needed) only with stations that happened to be nominal. So, no problems showed up until a technician happened to test a new installation in the presence of a non-standard signal.

Risks: assuming, testing within assumptions, having software in the gauges, etc.

Bill Hopkins ([email address removed])

-- Rachel Gibson (rgibson@hotmail.com), July 20, 2001

Answers

http://catless.ncl.ac.uk/Risks/

for latest issue of computer Risks digest.

-- Andre Weltman (aweltman@state.pa.us), July 23, 2001.