System Safety Case Study The Vincennes Shoot-down Incident V1.3

Matthew Squair

UNSW@Canberra

1 November 2015

1 Matthew Squair The Vincennes Shoot-down Incident V1.3 Except for images whose sources are specifically identified, this copyright work is licensed under a Creative Commons Attribution-Noncommercial, No-derivatives 4.0 International licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/

Introduction

AEGIS is a USN cruiser/destroyer man-machine weapon system developed in the late 1970s and early 80s.
On July 3, 1988 the USS Vincennes, an Aegis class cruiser, mis-identified an Iranian A300 civilian flight as a hostile fighter aircraft and shot it down.
260 men, women and children lost their lives in the incident.
How did this happen?

The AEGIS program: Context of the system

Geopolitical context - depth of the new Cold War
The need - deep water air defence of the carrier battle group
The threat - supersonic (Backfire) bombers with standoff missiles
Response:
  Highly automated system (auto, auto-special, semi-auto, manual)
  Extensive use of user-defined 'doctrinal' rulesets
  Cruiser platform built around SPY-1A/B phased array radars
  A system of systems: IFF, radar, weapons, command & decision systems
  Although a 'man-machine' system, not much emphasis on the man part (late 70s and early 80s technology and approach)


The AEGIS program: Safety program

System developed using MIL-STD-882A as the safety standard
A strong leadership role was taken by the USN, through a number of peak bodies:
  Navy Weapon System Explosives Safety Review Board
  Software System Safety Technical Review Board
  Navy Safety Study Group (Nuclear Safety)
System Safety Working Group (SSWG) coordinated activities
Nuclear Safety Advisory Group acted as adjunct to the SSWG
Multiple safety analyses conducted, including computer program hazard, inadvertent launch and weapon control interface safety analyses
Overall combat system safety statement (C3S) report prepared to tie it all together

Background to the incident

Iran and Iraq had been at war since 1981
Tanker war - each attacking the other's tankers and oil terminals
Kuwaiti and other non-belligerent tankers targeted
The USN found itself protecting tankers in a littoral environment
USS Stark was hit by two Iraqi-fired Exocet missiles in May 1987 (37 dead)
US Intelligence predicted attacks around 24 July 1988
The Joint Chiefs of Staff had changed the ROE after Stark (positive ID required)

Background to the incident: The immediate events leading up to the shootdown

The USS Vincennes had responded to Iranian gunboats firing on the Vincennes' helicopter. A running gun battle ensued.

10:47 USS Vincennes is engaging (chasing) Iranian gunboats
10:47 IA655 appears as an approaching Unknown/hostile track
10:49 USS Vincennes warns IA655, initially on military channels
10:50 Warnings repeated on military & civilian channels, no response
10:51 Warning that the aircraft will be shot down inside 20 nm
10:51 Vincennes holds fire due to confusion as to the aircraft track
10:53 Final warning, still no response
10:54 Two SM-2 are launched & destroy the aircraft at 8 nm, 13,500 ft


Background to the incident: What it looked like - The Iranian pilots

To the Iranian pilots (busy in a routine flight):
  We're squawking Mode 3 - so everyone can see we're civilian
  What's Tehran ATC saying right now?
  What's Bandar Abbas approach saying?
  Those US calls must be directed at that P3, no need to respond [1]

[1] If they heard the Vincennes at all.

Background to the incident: What it looked like - To the USS Vincennes crew

To the USS Vincennes operators (in the middle of a surface engagement in 'hostile' waters):
  Incoming unidentified track
  Why won't they respond?
  Why is it squawking both civilian and military IFF?
  They're descending towards us (are they, aren't they?)
  Need to make a decision, launch or not?
And, to the USS Vincennes software: is it within the engagement rule set?

Operational and technical causal factors: Operational

Vincennes' (Capt Rogers) reputation for aggressive behaviour, "robo-cruiser"
Poor management of CIC resources and resulting group-think
Anonymous shouts and warning calls in CIC
Communications channels overloaded by CIC 'lurkers', requiring frequent manual switches to restore them

Poor training and level of readiness for this scenario
Air warfare officer pressed the wrong launch keys 23 times
Confusion about which time zone they were operating in

Operational and technical causal factors: Technical

There were problems with getting the launchers to load, increasing tension onboard
Ship was not equipped with civilian radio sets
Human Machine Interface (HMI) issues:
  Track ID was automatically re-cycled (old/new ID confusion) [2]
  Dual transponder code discrepancy (Iranian F-14 & COMAIR) [3]
  IFF data senescence or IFF operator error [4]
  Display of speed/altitude (adjacent, numeric values)
  Lack of rate of change indication for speed/altitude
  No online COMAIR listing (paper based entry was missed)

[2] The old ID was reassigned to a US A-6 intruder which was descending at the time
[3] IFF is inherently ambiguous
[4] IFF transponders can fail, so keeping the last indicated value is actually reasonable

The USN's technical response: Tactical Aid to Decision Making Under Stress (TADMUS)

Design goal: prevent another USS Vincennes
A prototype decision support system (DSS) was developed to enhance Navy tactical decision-making, based on naturalistic decision processes
Displays were developed to support critical decision making tasks through:
  Recognition-primed decision making
  Explanation-based reasoning
  Presentation of confirming and disconfirming evidence

The USN's technical response: TADMUS screen layout (figure)

The USN's technical response: Specific TADMUS HMI design features

Abstract-to-detail layout of the display
Task sequence queues to reduce short term memory overload
Use of graphical identification and coding
Major decisions can be made without recourse to numbers
Switching track tasks aided by a priority list
Provide historical threat data
Use base rates to indicate the typicality of certain events
Use qualitative assessments to avoid false assumptions of accuracy
Allow the operator to compare alternative threat hypotheses
Indicate the perceived level of threat posed (with rationale)
Locate all relevant information near the track & on-screen

The USN's technical response: TADMUS screen shot (figure)

The USN's technical response: But...

All the USN's concern about the human in the loop and ecological HMI design is understandable, but it raises the question: what would the USS Vincennes' system have done if operated in semi-automatic mode with the appropriate rule set loaded, e.g.
  IF aircraft range decreasing AND altitude decreasing THEN treat as threat

After all, the C&D software was not going to misread the altitude. So maybe the USN's reaction should be seen more as a response to the realisation that automation had supplanted the role of the human in making command decisions?
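As an added illustration of the question above (not from the slides), the doctrinal rule is evaluated over constructed track histories, together with the track-ID re-cycling confusion noted in footnote 2 of the technical factors slide. Track IDs, sample values and the A-6 geometry are assumptions; only the final 8 nm / 13,500 ft point is taken from the timeline.

```python
# Added worked example: the slide's doctrinal rule applied by a C&D-style
# evaluator keyed by track ID, contrasted with the altitude readout an
# operator would see. All track IDs and samples below are constructed.

def trend(samples, index, window=3):
    """Sign of change in one field (1=range_nm, 2=altitude_ft) across the last
    `window` samples: -1 decreasing, +1 increasing, 0 flat or too little data."""
    pts = samples[-window:]
    if len(pts) < 2:
        return 0
    delta = pts[-1][index] - pts[0][index]
    return (delta > 0) - (delta < 0)

def doctrine_rule(samples):
    """The slide's rule: range decreasing AND altitude decreasing => threat."""
    return trend(samples, 1) < 0 and trend(samples, 2) < 0

def evaluate(track_table, track_id):
    """What a semi-automatic evaluation keyed by track ID would report."""
    samples = track_table.get(track_id)
    if samples is None:
        return "no track"
    return "THREAT" if doctrine_rule(samples) else "not threat"

def altitude_readout(track_table, track_id):
    """What an operator querying the same ID reads off the numeric altitude
    field, taken over the same window: 'descending', 'climbing' or 'level'."""
    return {-1: "descending", 1: "climbing", 0: "level"}[trend(track_table[track_id], 2)]

# Constructed samples: (time_s, range_nm, altitude_ft). The airliner closes on
# the ship while climbing after take-off; the A-6 descends while flying away.
AIRLINER = [(0, 20.0, 9000), (60, 16.0, 11000), (120, 12.0, 12500), (180, 8.0, 13500)]
A6_INTRUDER = [(0, 40.0, 20000), (60, 44.0, 17000), (120, 48.0, 14000)]

def scenario():
    """Returns (rule result, altitude readout) before and after ID 101 is
    re-cycled from the airliner to the A-6 (the footnote 2 situation)."""
    tracks = {101: AIRLINER}
    before = (evaluate(tracks, 101), altitude_readout(tracks, 101))
    # ID 101 is reassigned to the A-6; the operator's mental model still ties
    # 101 to the approaching airliner, so the "descending" readout misleads.
    tracks[101] = A6_INTRUDER
    after = (evaluate(tracks, 101), altitude_readout(tracks, 101))
    return before, after
```

In both states the rule itself never fires on these tracks; only the human reading of the recycled ID changes from "climbing" to "descending".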

Lessons learned: Operational (crisis leadership) lessons

Maintain flexibility:
  Be willing to show flexibility
  Be open to suggestions on how to solve crises

Avoid task fixation:
  Someone needs to be looking at the big picture

Avoid scenario fulfillment biases:
  Don't neglect to search for disconfirmatory information

Keep things simple:
  Ask people to do things that they are already trained to do
  People don't rise to meet a crisis, they fall to their level of training

Lessons learned: Technical lessons

Safety arguments and safety requirements can be affected by changes in operational use:
  Often they are based on implicit assumptions
  Look for problems and incidents
The system needs to support the user in performing his task:
  If you want the user to consider disconfirming evidence, provide it
  Be aware of stress as a performance shaping factor

Open systems and environmental context:
  The more complex a system's interaction with its environment, the more inevitable it is that its design will contain many implicit assumptions about that environment.
