
Metro Crash May Exemplify Paradox of Human-Machine Interaction - robg
http://www.washingtonpost.com/wp-dyn/content/article/2009/06/28/AR2009062802481.html?hpid=topnews
======
wallflower
One of the reasons why highways and thruways are relatively safe is an
enforced social contract (e.g. if you speed, you may get ticketed, and if
you drive erratically, you may put your life and other people's lives in
danger).

With software, there is no such powerful peer contract. Software is not yet as
good at self-healing (e.g. braking suddenly) if something unexpected happens.
How do you handle a system exception safely and robustly at 65mph?

Automated cars are a pipe dream. Automated auto-pilot for cars on highways
(e.g. automated platoons of cars moving in lock-step until they reach their
exit), a.k.a. Intelligent Transportation Systems (ITS), will be persistently
hobbled in adoption because failure of the interface between humans and
machines is dangerous at highway speeds. Recent ITS research has focused on
trying to academically prove MITM attacks cannot work for certain ITS systems.
Also, most people like the freedom to drive whenever, wherever they want.

~~~
extension
Highways are "relatively" safe? Relative to juggling chainsaws, maybe. After
disease, cars are the leading cause of death in just about any country wealthy
enough to have cars.

Drivers need all the help they can get from automation, even if it backfires
now and then. The fact that any idiot who can spell his own name is allowed to
hurtle through crowded streets with a two ton killing machine and no failsafes
of any kind is clearly absurd.

~~~
pchristensen
_After disease, cars are the leading cause of death in just about any country
wealthy enough to have cars_

No, they're far down the list. Less than 2% of all deaths are from auto
accidents, fewer than influenza and pneumonia and 20x less than cardiovascular
diseases.

<http://www.the-eggman.com/writings/death_stats.html>

~~~
showerst
Everything above auto-accidents on your list is a disease, so technically he's
right =P

~~~
pchristensen
Oops, let me rephrase.

While car accidents are the leading non-accident way to die, you're 45x more
likely to die from a disease.

------
CarolynM
The metro crash may also exemplify an ATO system with a single point of
failure, or poor maintenance, or poor training, or many other things. I am
disappointed that no articles I've read about this crash have discussed the
actual systems beyond them containing track circuits.

------
stcredzero
So does the Air France crash. Speaking of which -- could GPS be used as yet
another backup device for airspeed? It might have high latency, but it would
be better than nothing.

~~~
tokenadult
I think the intentional lack of resolution in civilian GPS is in part because
it is not intended to be an air navigation back-up system.

~~~
LogicHoleFlaw
I was under the impression that the "degraded civilian" properties of GPS have
been disabled for some years now.

~~~
CWuestefeld
I believe that IFR-certified GPS systems have the added capability of
factoring in Differential GPS. This is an additional GPS beacon (aside from
the satellites) originating from the airport you're landing at, which has a
location that's very accurately known.

High-price civilian GPS receivers are capable of this -- except you rarely
have access to such a beacon. I mean, the restaurant I'm going to eat at isn't
going to provide my little TomTom with a differential signal. With aviation,
it's important enough that high-traffic airports provide the DGPS beacons.

~~~
cameldrv
This isn't true. IFR certified GPS units generally don't have Differential
receivers. The main reason for this as far as I can tell is integrity. To be
IFR certified, the receiver has to be able to tell when a satellite is giving
bad data. In the older units, this was done with RAIM, which basically
compares what is coming in from all of the satellites, and determines if all
of the satellites are providing positioning that is relatively consistent.
DGPS is a relatively simple system, and there's no way to check the DGPS
signal for integrity. Without the ability to check for integrity, the
additional accuracy is useless, as the design of instrument approaches is
based on worst-case scenarios.

Now newer IFR certified units do have WAAS, which is similar to DGPS, except
the signal is transmitted from a satellite, and is based on measurements from
a couple dozen ground stations, the correction interpolated in the unit.

There has been a proposal to implement a system called LAAS for a number of
years, which would be like DGPS, but would have the integrity checks that are
required for aviation. However, it never really got off the ground.

As it stands, with WAAS, you can be guided to 200 feet above the runway, but
this is not as good as the old analog radio ILS, which, if set up in a
sophisticated way, can take a plane all the way to the surface.

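The RAIM idea described in the comment above (compare what all the satellites say and check that they agree) can be shown in code. The block below is an added example written for this page, not code from any commenter or from an avionics product. It is a two-dimensional toy: six constructed satellite positions, exact ranges to a receiver, and one satellite whose reported range is deliberately corrupted by 500 m. The receiver position is solved by Gauss-Newton least squares, the residual sum of squares is the consistency statistic, and if it exceeds a threshold each satellite is dropped in turn to find the one the others agree without. The satellite positions, the error size and the 1 m² threshold are all assumptions made for the example.

```python
import math

# Constructed example: six "satellites" at known positions on a 2-D plane
# (metres). Real GPS is 3-D plus a receiver clock term; the geometry is
# reduced to two dimensions here so the integrity logic stays readable.
SATELLITES = [
    (0.0, 2.0e7),
    (1.5e7, 1.2e7),
    (-1.5e7, 1.2e7),
    (8.0e6, 1.8e7),
    (-9.0e6, 1.7e7),
    (3.0e6, 2.2e7),
]
TRUE_POSITION = (1000.0, 500.0)   # assumed receiver location
BAD_SATELLITE = 2                 # index of the satellite giving bad data
BAD_RANGE_ERROR_M = 500.0         # its range is reported 500 m too long


def measured_ranges(true_pos, sats, bad_index=None, error_m=0.0):
    """Ranges a receiver at true_pos would see; optionally corrupt one."""
    ranges = []
    for i, (sx, sy) in enumerate(sats):
        rho = math.hypot(sx - true_pos[0], sy - true_pos[1])
        if i == bad_index:
            rho += error_m
        ranges.append(rho)
    return ranges


def solve_position(sats, ranges, start=(0.0, 0.0), iterations=10):
    """Gauss-Newton least squares for receiver (x, y) from ranges to sats.

    Returns (x, y, sum_of_squared_residuals_m2).
    """
    x, y = start
    for _ in range(iterations):
        # Accumulate the 2x2 normal equations (H^T H) d = H^T r.
        a = b = d = g1 = g2 = 0.0
        for (sx, sy), rho in zip(sats, ranges):
            dist = math.hypot(sx - x, sy - y)
            r = rho - dist           # measurement residual
            hx = (x - sx) / dist     # d(dist)/dx
            hy = (y - sy) / dist     # d(dist)/dy
            a += hx * hx
            b += hx * hy
            d += hy * hy
            g1 += hx * r
            g2 += hy * r
        det = a * d - b * b
        dx = (d * g1 - b * g2) / det
        dy = (a * g2 - b * g1) / det
        x += dx
        y += dy
        if math.hypot(dx, dy) < 1e-6:
            break
    sse = sum((rho - math.hypot(sx - x, sy - y)) ** 2
              for (sx, sy), rho in zip(sats, ranges))
    return x, y, sse


def raim_check(sats, ranges, threshold_m2=1.0):
    """RAIM-style consistency check with single-fault exclusion.

    Fit all satellites; if the residuals exceed the (assumed) threshold,
    refit with each satellite left out and blame the one whose removal
    makes the remaining measurements agree.
    """
    x, y, sse = solve_position(sats, ranges)
    if sse <= threshold_m2:
        return {"position": (x, y), "sse": sse,
                "consistent": True, "excluded": None}
    if len(sats) < 4:
        # Two unknowns need at least four measurements to exclude one.
        return {"position": (x, y), "sse": sse,
                "consistent": False, "excluded": None}
    best = None
    for i in range(len(sats)):
        sub_sats = sats[:i] + sats[i + 1:]
        sub_ranges = ranges[:i] + ranges[i + 1:]
        sx, sy, sub_sse = solve_position(sub_sats, sub_ranges)
        if best is None or sub_sse < best[3]:
            best = (i, sx, sy, sub_sse)
    i, sx, sy, sub_sse = best
    if sub_sse <= threshold_m2:
        return {"position": (sx, sy), "sse": sub_sse,
                "consistent": False, "excluded": i}
    # No single exclusion restores agreement: cannot isolate the fault.
    return {"position": (x, y), "sse": sse,
            "consistent": False, "excluded": None}


if __name__ == "__main__":
    clean = measured_ranges(TRUE_POSITION, SATELLITES)
    print(raim_check(SATELLITES, clean))
    bad = measured_ranges(TRUE_POSITION, SATELLITES,
                          BAD_SATELLITE, BAD_RANGE_ERROR_M)
    print(raim_check(SATELLITES, bad))
```

With the corrupted range the all-in-view fit fails the threshold and dropping satellite 2 is the only exclusion that brings the rest back into agreement. A real receiver does this in three dimensions with a clock term and sets the threshold from measurement noise and the required false-alarm rate; a consistency check of this kind catches one satellite that disagrees with the others, not a set of signals that have been falsified consistently with each other.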
------
mgenzel
On the topic of "The better you make the automation, the more difficult it is
to guard against these catastrophic failures in the future, because the
automation becomes more and more powerful, and you rely on it more and more."
it's instructive to read the last story of Asimov's "I, Robot" called the
"Evitable Conflict" in which the machines lead the Earth's progress.

------
omarish
This touches a lot on why the UI of your application is crucial.

