Software contributions to aircraft adverse events: Case studies and analyses of recurrent accident patterns and failure mechanisms

Abstract

Software is central to aircraft flight operation, and by the same token it is playing an increasing role in aircraft incidents and accidents. Software related errors have distinctive failure mechanisms, and their contributions to aircraft accident sequences are not properly understood or captured by traditional risk analysis techniques. To better understand these mechanisms, we analyze in this work five recent aircraft accidents and incidents involving software. For each case, we identify the role of software and analyze its contributions to the sequence of events leading to the accident. We adopt a visualization tool based on the Sequential Timed Event Plotting (STEP) methodology to highlight the software's interaction with sensors and other aircraft subsystems, and its contributions to the incident/accident. The case studies enable an in-depth analysis of recurrent failure mechanisms and provide insight into the causal chain and patterns through which software contributes to adverse events. For example, the case studies illustrate how software related failures can be context- or situation-dependent, situations that may have been overlooked during software verification and validation or testing. The case studies also identify the critical role of flawed sensor inputs as a key determinant or trigger of “dormant” software defects. In some cases, we find that software features put in place to address certain risks under nominal operating conditions are the ones that lead or contribute to accidents under off-nominal or unconsidered conditions. The case studies also demonstrate that the software may be complying with its requirements but still place the aircraft in a hazardous state or contribute to an adverse event. This result challenges the traditional notion, articulated in most standards, of software failure as non-compliance with requirements, and it invites a careful re-thinking of this and related concepts. We provide a careful review of these terms (software error, fault, failure), propose a synthesis of recurrent patterns of software contributions to adverse events and their triggering mechanisms, and conclude with some preliminary recommendations for tackling them.