Incident: Touchscreen Controls Failure on USS John McCain: 2017 Collision Impact.

Published Date: 2019-08-12

Postmortem Analysis
Timeline
1. The software failure incident involving the collision between the USS John McCain and a container ship happened in August 2017, as reported in [Article 88025] and [Article 88926].
System
1. Integrated Bridge and Navigation System with touchscreen controls [88025, 88926]
2. Helm control system on the 51 class destroyers with touchscreens [88926]
Responsible Organization
1. The US Navy [88025, 88926]
2. Naval Sea Systems Command [88025, 88926]
3. US Fleet Forces Command [88025]
4. National Transportation Safety Board [88025, 88926]
Impacted Organization
1. The US Navy [88025, 88926]
2. Sailors piloting destroyers [88025, 88926]
3. National Transportation Safety Board [88025, 88926]
Software Causes
1. The touchscreen-driven integrated bridge and navigation system on the USS John McCain was found to have flawed systems, bad design, bad testing, and bad training, which were partly responsible for the collision incident [88025].
2. The complexities of the interfaces of the Integrated Bridge and Navigation System, which included touchscreens developed by Northrop Grumman, led to the helmsmen struggling to manage helm and propulsion control, contributing to the collision incident [88926].
Non-software Causes
1. Poor operational oversight by the Navy and poor oversight by the leadership of the ships [88025].
2. Fatigue among the crew, which increased the likelihood of mistakes [88025].
3. Lack of proper training and documentation, failures in command oversight, and incorrect protocol [88926].
4. Complexities of the interfaces and difficulties in managing helm and propulsion control [88926].
5. Misunderstandings during post-accident interviews and crew qualification and training issues [88926].
6. Lack of commonality in bridge designs and control systems across different ship classes, leading to confusion among helmsmen [88926].
Impacts
1. The software failure incident involving the touchscreen controls on the USS John McCain led to a collision with a container ship that resulted in the death of 10 sailors and injuries to 58 others [88025, 88926].
2. The incident flooded multiple compartments on the USS John McCain, including crew berthing, machinery, and communications rooms [88926].
3. The collision caused significant damage to both the USS John McCain and the oil tanker Alnic MC, with repair costs estimated at $230 million for the McCain and around $225,000 for the Alnic MC [88926].
4. The software failure incident highlighted issues with poor training, lack of proper documentation, failures in command oversight, and confusion among crew members, ultimately leading to the collision [88926].
Preventions
1. Proper training and documentation for the touchscreen system could have prevented the software failure incident [88926].
2. Implementing better oversight and protocol adherence could have helped prevent the collision caused by the software failure incident [88926].
3. Simplifying the interface design and ensuring it aligns with user preferences and needs could have prevented the software failure incident [88025, 88926].
4. Conducting thorough testing of the touchscreen system to identify and address any flaws or inconsistencies could have prevented the software failure incident [88025].
5. Providing commonality across bridge configurations on surface ships to make it easier for personnel to handle the systems and for the Navy to train them could have prevented the software failure incident [88025].
Fixes
1. Proper training and documentation for the crew members on how to use the Integrated Bridge and Navigation System (IBNS) would help prevent similar incidents in the future [#, #].
2. Implementing physical throttles instead of touchscreen controls on guided missile destroyers, as planned by the US Navy, can address the overwhelming criticism and complexity issues associated with the touchscreen controls [#, #].
3. Designing and planning to install physical throttles on all DDG-51 class ships with the IBNS, ensuring the new configuration is safe, effective, and has proper training in place [#, #].
References
1. US Fleet Forces Command
2. National Transportation Safety Board
3. US Naval Institute News
4. Navy Rear Admiral Bill Galinis
5. USNI News
6. Colleen O’Rourke of the Naval Sea Systems Command
7. Rear Admiral Lorin Selby

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to the touchscreen controls on the USS John McCain destroyers has happened again within the same organization, the US Navy. The incident involving the collision between the USS John McCain and a container ship in 2017, which resulted in the death of 10 sailors, was attributed to flawed touchscreen systems and faulty use by Navy watch standers. As a result, the Navy has decided to revert the touchscreen systems back to physical throttles to address the issues with the touchscreens [88025, 88926].
(b) The software failure incident related to complex touchscreen controls leading to a collision has also been experienced by other organizations or in other contexts. For example, Boeing faced complaints from pilots regarding a software system built to compensate for a design change in the 737 MAX aircraft, which was involved in two fatal crashes. Additionally, engineers questioned the effectiveness of a self-driving technology system that required human monitoring and intervention, highlighting potential issues with human-machine interfaces in critical systems [88025].
Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase was a significant factor in the collision between the USS John McCain and a container ship. The touchscreen-driven integrated bridge and navigation system on the destroyer was found to have flaws in design, testing, and training. The controls on the touchscreen were inconsistent with best practices for safety-critical control panels, leading to confusion among the sailors operating the system. The flawed design of the helm system, including the touchscreen interface and backup manual mode, contributed to the incident [88025, 88926].
(b) The software failure incident related to the operation phase was also a key factor in the collision. The sailors operating the touchscreen system did not fully understand how it worked, and there were issues with the backup manual mode that some commanding officers preferred for docking and undocking maneuvers. Additionally, poor operational oversight by the Navy and fatigue among the crew increased the likelihood of mistakes during operation. The lack of proper training, failures in command oversight, and misunderstandings among crew members were highlighted as operational factors contributing to the collision [88025, 88926].
Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident related to the collision between the USS John McCain and a container ship was primarily attributed to factors originating from within the system. The incident was caused by flawed touchscreen systems and their faulty use by Navy watch standers. The investigations found that the touchscreen-driven integrated bridge and navigation system had design flaws, lacked proper training for users, and had issues with the backup manual mode. The complexities of the interfaces led to the helmsmen struggling to manage helm and propulsion control, ultimately resulting in the collision [88025, 88926]. The lack of proper training, failures in command oversight, and misunderstandings among crew members also contributed to the incident [88926]. The Navy is now planning to revert the touchscreen systems back to physical throttles to address these internal system failures [88025, 88926].
Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in the USS John McCain collision with a container ship was primarily due to non-human actions. The incident was attributed to flawed touchscreen systems, bad design, bad testing, and bad training. The touchscreen-driven integrated bridge and navigation system on the destroyer did not align with best practices for safety-critical control panels, leading to confusion and errors in operation [88025, 88926].
(b) However, human actions also played a significant role in the software failure incident. The sailors who piloted the destroyer did not fully understand how the touchscreen-driven system worked, and they were not explicitly trained to use the upgraded helm system. Additionally, there were issues with the backup manual mode and the arrangement of controls on the touchscreen, which led to unintentional and unilateral takeovers of steering control by watch standers [88025].
Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident related to hardware:
- The incident involving the USS John McCain collision with a container ship in 2017 was partly attributed to flawed touchscreen systems and their faulty use by Navy watch standers, which were contributing factors originating in hardware [88025].
- The complexities of the interfaces of the Integrated Bridge and Navigation System (IBNS) with touchscreen controls on the USS John S. McCain led to helmsmen struggling to manage helm and propulsion control, ultimately resulting in the collision with the oil tanker Alnic MC [88926].
(b) The software failure incident related to software:
- The incident on the USS John McCain was also attributed to bad design, bad testing, and bad training of the touchscreen-driven integrated bridge and navigation system, indicating contributing factors originating in software [88025].
- An investigation by the US National Transportation Safety Board concluded that a lack of proper training and documentation, along with failures in command oversight and correct protocol, resulted in the collision between the USS John S. McCain and the oil tanker Alnic MC, highlighting software-related contributing factors [88926].
Category: Objective (Malicious/Non-malicious)
Option: non-malicious
Rationale:
(a) The software failure incident related to the collision between the USS John McCain and a container ship was non-malicious. The incident was attributed to flawed touchscreen systems, bad design, bad testing, and bad training. The investigations by the US Fleet Forces Command and the National Transportation Safety Board found that the touchscreen-driven integrated bridge and navigation system on the destroyer was not well understood by the sailors piloting the ship. The lack of explicit training on the upgraded helm system, inconsistencies in control panel design, and issues with the backup manual mode all contributed to the collision [88025, 88926].
(b) The incident was not caused by malicious intent but rather by a combination of factors related to the design, testing, and training associated with the touchscreen systems on the destroyer. The lack of proper training, oversight, and operational issues within the Navy were also highlighted as contributing factors to the software failure incident [88025, 88926].
Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions, accidental_decisions
Rationale:
(a) The intent of the software failure incident related to poor_decisions: The software failure incident involving the USS John McCain collision with a container ship was primarily attributed to poor decisions made in the design, testing, and training related to the touchscreen-driven integrated bridge and navigation system. The investigations found that the touchscreen systems were flawed due to bad design, bad testing, and bad training. The helm system had been recently upgraded, but the sailors who stood watch had not been explicitly trained to use it. The controls on the touchscreen were inconsistent with best practices in the industry for safety-critical control panels. Additionally, issues with the system's backup manual mode were highlighted, which some commanding officers preferred for docking and undocking maneuvers. The incident also pointed to poor operational oversight by the Navy, poor oversight by the leadership of the ships, and fatigue among the crew, which increased the likelihood of mistakes [88025, 88926].
(b) The intent of the software failure incident related to accidental_decisions: The software failure incident involving the USS John McCain collision with a container ship was also influenced by accidental decisions or mistakes made by the crew due to the complexities of the touchscreen interfaces. The helmsmen on the USS John McCain struggled to manage the helm and propulsion control due to the complexities of the touchscreen controls. An investigation by the US National Transportation Safety Board concluded that a lack of proper training, documentation, failures in command oversight, and misunderstandings among crew members resulted in the collision. The investigation report highlighted misunderstandings expressed during post-accident interviews and misunderstandings of crew members permanently assigned to the USS John McCain, pointing to a more fundamental issue with the qualification process and training with the Integrated Bridge and Navigation System [88926].
Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident related to development incompetence is evident in the articles. The incident involving the USS John McCain collision with a container ship was partly attributed to flawed touchscreen systems and their faulty use by Navy watch standers. The investigations found that the touchscreen-driven integrated bridge and navigation system had design flaws, lacked proper testing, and the sailors were not explicitly trained to use it [88025, 88926]. The lack of professional competence in designing, testing, and training for the touchscreen systems contributed to the software failure incident.
(b) The software failure incident also had accidental contributing factors. The incident was exacerbated by poor operational oversight by the Navy, poor oversight by the leadership of the ships, and fatigue among the crew, which increased the likelihood of mistakes [88025]. Additionally, the investigation concluded that misunderstandings, lack of proper training, failures in command oversight, and protocol led to the collision between the USS John McCain and the oil tanker Alnic MC [88926]. These accidental factors played a role in the software failure incident.
Category: Duration
Option: permanent, temporary
Rationale:
(a) The software failure incident in the articles was more of a permanent nature. The incident involving the touchscreen controls on the USS John McCain was a result of contributing factors introduced by all circumstances, such as bad design, bad testing, bad training, and poor operational oversight by the Navy [88025, 88926]. The decision to revert the touchscreen systems back to physical throttles was made after investigations found that the flawed systems and their faulty use by Navy watch standers were partly responsible for the collision between the destroyer and a container ship that resulted in fatalities [88025, 88926]. The incident highlighted issues with the system's backup manual mode and the complexities of the interfaces that led to the helmsmen struggling to manage helm and propulsion control [88926].
(b) The software failure incident could also be considered temporary to some extent. The incident was exacerbated by poor training and failures in command oversight, which resulted in the collision between the USS John McCain and the oil tanker Alnic MC [88926]. The lack of proper training and documentation, along with misunderstandings and failures in protocol, were identified as contributing factors to the collision [88926]. The Navy is planning to install mechanical throttles in their guided missile destroyers as a solution to the touchscreen control issues, indicating a temporary nature of the failure that can be addressed through hardware and software changes [88926].
Category: Behaviour
Option: crash, omission, value, other
Rationale:
(a) crash: The software failure incident in the articles can be categorized as a crash. The touchscreen-driven integrated bridge and navigation system on the USS John McCain led to a collision with a container ship due to flawed systems and faulty use by Navy watch standers, resulting in the loss of control of the ship and ultimately a crash [88025, 88926].
(b) omission: The software failure incident can also be categorized as an omission. The complexities of the touchscreen interfaces on the USS John McCain led to the helmsmen struggling to manage the helm and propulsion control, which resulted in the ship sailing into the path of the tanker due to a mistaken operation of the port throttle, omitting the correct control actions [88926].
(c) timing: The software failure incident does not align with the timing category, as there is no indication that the system performed its intended functions too late or too early.
(d) value: The software failure incident can be categorized as a value failure. The flawed design, bad testing, and bad training of the touchscreen system on the USS John McCain led to the system performing its intended functions incorrectly, contributing to the collision with the container ship [88025].
(e) byzantine: The software failure incident does not align with the byzantine category, as there is no indication of inconsistent responses or interactions by the system.
(f) other: The software failure incident can be categorized as a crash due to the system losing state and not performing its intended functions, as well as an omission due to the system omitting to perform its intended functions correctly at an instance [88025, 88926].

IoT System Layer

Layer: Perception
Option: embedded_software
Rationale:
(a) sensor: The software failure incident related to the USS John McCain collision with a container ship in 2017 was not directly attributed to sensor errors. The incident was primarily linked to flawed touchscreen systems, bad design, bad testing, bad training, and complexities in the interfaces that led to the helmsmen struggling to manage the helm and propulsion control [88025, 88926].
(b) actuator: The failure was not directly related to actuator errors. The incident was more focused on the touchscreen controls, physical throttles, and the complexities of the interfaces that caused the helmsmen to lose control of the ship [88025, 88926].
(c) processing_unit: The software failure incident was not explicitly linked to processing errors. The issues were more related to the design, testing, and training aspects of the touchscreen systems and the integrated bridge and navigation system onboard the USS John McCain [88025, 88926].
(d) network_communication: The failure was not directly associated with network communication errors. The focus was on the flawed touchscreen systems, bad design, bad testing, and bad training that contributed to the collision between the USS John McCain and a container ship [88025, 88926].
(e) embedded_software: The software failure incident was related to embedded software errors in the sense that the integrated bridge and navigation system onboard the USS John McCain, which included touchscreens developed by Northrop Grumman, had complexities in the interfaces that led to the helmsmen struggling to manage the helm and propulsion control. The incident highlighted a lack of proper training and documentation, failures in command oversight, and issues with the qualification process and training with the system [88926].
Layer: Communication
Option: unknown
Rationale: The software failure incident related to the USS John McCain collision was not directly related to the communication layer of the cyber-physical system that failed. The incident was primarily attributed to the complexities of the touchscreen interfaces, poor training, misunderstandings, failures in command oversight, and lack of proper documentation [88025, 88926]. The failure was more related to the design, usability, and training aspects of the integrated bridge and navigation system rather than issues at the communication layer of the system.
Layer: Application
Option: TRUE
Rationale: The software failure incident related to the USS John McCain collision with a container ship in 2017 was primarily attributed to factors such as bad design, bad testing, bad training, and flawed systems. The touchscreen-driven integrated bridge and navigation system on the destroyer was found to have interface flaws, issues with the backup manual mode, and complexities that led to the helmsmen struggling to manage helm and propulsion control [88025, 88926]. These issues point towards a failure at the application layer of the cyber-physical system, as they involve problems with the design and functionality of the software application used for controlling the ship's navigation and propulsion systems.

Other Details

Category: Consequence
Option: death, harm
Rationale:
(a) death: People lost their lives due to the software failure. The software failure incident involving the touchscreen controls on the USS John McCain led to a collision with a container ship that resulted in the death of 10 sailors [88025, 88926].
(b) harm: People were physically harmed due to the software failure. In addition to the fatalities, the collision between the USS John McCain and the container ship also resulted in 58 injuries [88926].
Category: Domain
Option: information, transportation, government
Rationale:
(a) The failed system was intended to support the production and distribution of information. The system in question was the Integrated Bridge and Navigation System (IBNS) onboard the USS John McCain, which had touchscreen controls and displays that combined various controls and displayed data on the ship's status [88926].
(b) The failed system was also intended to support transportation, specifically in the context of controlling destroyers in the US Navy. The touchscreen-driven integrated bridge and navigation system on the USS John McCain, which led to a collision with a container ship, was part of the transportation infrastructure within the Navy [88025].
(c) Additionally, the failed system was related to the government sector, specifically in the defense industry. The US Navy's decision to revert from touchscreen systems to physical throttles on destroyers was a response to the incident involving the USS John McCain and a container ship, highlighting issues with the design, testing, and training of the system within the Navy's defense operations [88025, 88926].
