Incident: Integrated Bridge and Navigation System (IBNS) Failure on USS McCain

Published Date: 2019-12-22

Postmortem Analysis
Timeline 1. The software failure incident involving the touch-screen control system installed in the USS John S McCain happened in August 2017 as reported in Article 93042.
System 1. Integrated Bridge and Navigation System (IBNS) installed in the USS John S McCain [93042]
Responsible Organization 1. The Integrated Bridge and Navigation System (IBNS) designed and installed by Northrop Grumman was largely at fault for the collision on the USS John S McCain [93042]. 2. The Navy was responsible for placing blame on operator error and not adequately addressing the flaws in the IBNS system [93042].
Impacted Organization 1. The USS John S McCain warship and its crew members were impacted by the software failure incident [93042].
Software Causes 1. The touch-screen control system, Integrated Bridge and Navigation System (IBNS), installed in the USS John S McCain was found to be largely at fault for the collision [93042]. 2. An NTSB investigation found that the design of the touch-screen steering and thrust control system of the IBNS increased the likelihood of operator errors that led to the collision [93042]. 3. The IBNS was described as 'flawed', 'unstable', with 'multiple and cascading failures regularly' [93042]. 4. The IBNS software was prone to frequent malfunctions, and Navy officials discovered a flaw in the system in 2014 that caused it to get overwhelmed by too much data [93042]. 5. The IBNS software did not alert sailors when steering control was transferred, leading to confusion among the crew [93042]. 6. The IBNS software had an error in the propellers that caused them to start operating separately, leading to the ship turning into the path of the oil tanker [93042]. 7. The misunderstanding among crew members about the function of a big red button on the IBNS contributed to the failure incident [93042]. 8. The instruction manual on the bridge was three years out of date, which could have contributed to crew members' misunderstanding and confusion during the incident [93042].
Non-software Causes 1. Lack of proper training and familiarity with the complex Integrated Bridge and Navigation System (IBNS) by the crew members [93042]. 2. Flawed design and instability of the touch-screen control system installed in the USS John S McCain [93042]. 3. Inadequate staffing levels and lack of specialized training for maintaining the IBNS on board the ship [93042]. 4. Poor decision-making by the ship's captain, Alfredo Sanchez, including putting the system in backup mode and changing the crew manning the bridge [93042]. 5. Confusion and errors in the transfer of steering controls on the bridge, leading to a lack of clarity on who was in charge of steering the ship [93042].
Impacts 1. The software failure incident involving the touch-screen control system installed in the USS John S McCain led to a deadly collision with an oil tanker in 2017, resulting in the deaths of 10 sailors and injuries to 58 others [93042]. 2. The incident caused a bulkhead collapse on the USS McCain, flooding compartments where sailors were sleeping, leading to fatalities and injuries [93042]. 3. The flawed Integrated Bridge and Navigation System (IBNS) installed by Northrop Grumman was identified as a major factor in the collision, with the design of the touch-screen steering and thrust control system increasing the likelihood of operator errors [93042]. 4. The software failure incident resulted in the Navy placing blame on operator error initially, but subsequent investigations revealed that the flawed IBNS system played a significant role in the collision [93042]. 5. The incident led to the Navy launching a probe, forcing several admirals into retirement, punishing the USS McCain's captain, petty officer, and sailors on duty that night, and ultimately charging individuals involved with dereliction of duty and other offenses [93042].
Preventions 1. Conducting thorough testing and validation of the Integrated Bridge and Navigation System (IBNS) before installation on the USS McCain to identify and address any flaws or instability in the system [93042]. 2. Providing comprehensive and ongoing training for sailors on how to operate the IBNS effectively, including practicing complicated maneuvers necessary for navigation in critical situations [93042]. 3. Ensuring that the instruction manual for the IBNS is regularly updated and accurate to prevent misunderstandings among crew members during critical operations [93042]. 4. Implementing a system for tracking and addressing reported issues and malfunctions in major ship systems, such as the IBNS, to prevent critical failures from going unnoticed [93042]. 5. Enforcing proper staffing levels and specialized training requirements for maintaining and operating the IBNS to ensure that the system is managed effectively during all operations [93042].
Fixes 1. Implement a new, improved version of the Integrated Bridge and Navigation System (IBNS) that addresses the flaws and instability of the current system [93042]. 2. Ensure proper training for sailors on how to operate the new IBNS effectively to prevent operator errors that could lead to collisions [93042]. 3. Update the instruction manuals and documentation for the IBNS to ensure they are accurate and up to date, providing clear guidance to the crew [93042]. 4. Conduct thorough testing and validation of the new IBNS version to identify and address any potential issues before deployment on ships [93042]. 5. Enhance the monitoring and reporting systems to track problems in major ship systems, including the IBNS, to detect and address issues promptly [93042]. 6. Hold accountable those responsible for the development and deployment of the flawed IBNS system to ensure consequences for the failures that led to the USS McCain disaster [93042].
References 1. ProPublica [93042]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization (a) The software failure incident related to the USS John S McCain's Integrated Bridge and Navigation System (IBNS) designed by Northrop Grumman has happened again within the same organization. The incident occurred on the USS Fitzgerald two months before the McCain collision. The USS Fitzgerald crash also involved a collision at sea due to steering control errors, and there were rumors that the crew had been overworked before the collision [93042]. (b) The software failure incident related to flawed touch-screen control systems causing collisions at sea has not been explicitly mentioned to have happened at other organizations in the provided articles.
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase: - The design of the USS McCain's touch-screen steering and thrust control system was found to have increased the likelihood of operator errors that led to the collision [93042]. - The Integrated Bridge and Navigation System (IBNS) installed on the USS McCain was described as 'flawed' and 'unstable' with 'multiple and cascading failures regularly' [93042]. - Problems with the IBNS system developed shortly after its introduction, with the system being complex and overwhelming for junior sailors who used it [93042]. - The IBNS system was prone to frequent malfunctions, and Navy officials discovered a flaw in the system in 2014 that caused it to get overwhelmed by too much data [93042]. - The Navy's solution to the IBNS flaw was to instruct sailors to delete data before it reached a certain point, indicating a design flaw in the system [93042]. (b) The software failure incident related to the operation phase: - The crew members of the USS McCain struggled to manage the helm and propulsion control due to the complexities of the IBNS interfaces, leading to confusion and errors during operation [93042]. - The crew resorted to rebooting the IBNS system when it malfunctioned, as they lacked specialized training to maintain the system, highlighting operational challenges [93042]. - The crew mistakenly believed that pressing a big red button would revert control to the back of the ship, but it actually sent control back to its original location, indicating operational misunderstandings [93042]. - The crew faced challenges in settling the steering control between the front and back stations, leading to confusion and delays in correcting the ship's trajectory before the collision [93042]. - The Navy issued new IBNS instructions to address operator response to system malfunctions, emphasizing the importance of proper operational procedures to prevent errors [93042].
Boundary (Internal/External) within_system (a) The software failure incident related to the USS John S McCain collision can be categorized as within_system. The incident was primarily attributed to the flawed Integrated Bridge and Navigation System (IBNS) installed on the warship. ProPublica's report highlighted that the design and implementation of the touch-screen control system within the IBNS contributed to operator errors that led to the collision [93042]. The ProPublica report detailed how the IBNS was described as 'flawed' and 'unstable', with multiple and cascading failures regularly occurring. The system was prone to malfunctions, and Navy officials raised concerns about its complexity overwhelming junior sailors who used it. Additionally, the report mentioned that the IBNS software did not provide adequate alerts or indications to the crew regarding critical changes in control, leading to confusion and ultimately the collision [93042].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: The software failure incident on the USS John S McCain was primarily attributed to the flawed Integrated Bridge and Navigation System (IBNS) installed on the warship. An NTSB investigation found that the design of the touch-screen steering and thrust control system of the IBNS increased the likelihood of operator errors that led to the collision [93042]. The ProPublica report highlighted that the IBNS system was described as 'flawed' and 'unstable', with multiple and cascading failures regularly occurring, indicating that the software failure was primarily due to the system's design and technical issues [93042]. (b) The software failure incident occurring due to human actions: While the Navy initially placed blame on operator error, stating that the crew members did not follow protocol and were improperly trained on the complex IBNS system, the ProPublica report argued that the blame should not have been solely on the crew. It mentioned that no amount of training would have been adequate to run the flawed IBNS system, which was designed and installed by Northrop Grumman [93042]. Additionally, the report highlighted that the crew members misunderstood the function of a big red button on the IBNS console, leading to confusion and incorrect actions during the critical moments before the collision [93042].
Dimension (Hardware/Software) hardware, software (a) The software failure incident occurring due to hardware: - The incident involving the USS John S McCain's collision in 2017 was primarily attributed to the Integrated Bridge and Navigation System (IBNS), which was a touch-screen control system installed on the warship [93042]. - An NTSB investigation found that the design of the touch-screen steering and thrust control system on the USS McCain increased the likelihood of operator errors that led to the collision [93042]. - The IBNS was described as flawed, unstable, and prone to multiple and cascading failures regularly, indicating hardware issues with the system [93042]. - Problems with the IBNS emerged after a new version was installed in the USS McCain in 2016, leading to crashes when trying to integrate radar images in the ship's navigation computer, pointing to hardware-related malfunctions [93042]. (b) The software failure incident occurring due to software: - The software failure incident on the USS McCain was primarily linked to the flawed design and functionality of the Integrated Bridge and Navigation System (IBNS) software [93042]. - The IBNS software was described as complex, overwhelming junior sailors who used it, and prone to frequent malfunctions, indicating software-related issues with the system [93042]. - The IBNS software had issues such as data overload, patches on top of patches, and a lack of a full picture of the seas around the ship, highlighting software flaws in the system [93042]. - The confusion and errors related to steering control transfers, propeller operations, and control station switching were all attributed to software failures within the IBNS system [93042].
Objective (Malicious/Non-malicious) non-malicious (a) The software failure incident related to the USS John S McCain collision in 2017 was non-malicious. The incident was primarily attributed to the flawed Integrated Bridge and Navigation System (IBNS) installed on the warship, which was designed and installed by Northrop Grumman. The ProPublica report highlighted that the design of the touch-screen steering and thrust control system of the IBNS increased the likelihood of operator errors that led to the collision [93042]. The incident was a result of technical flaws and system failures rather than intentional actions to harm the system.
Intent (Poor/Accidental Decisions) poor_decisions, accidental_decisions The software failure incident related to the USS John S McCain collision in 2017 involved contributing factors introduced by both poor decisions and accidental decisions. 1. Poor Decisions: - The Navy awarded Northrop a contract to install the Integrated Bridge and Navigation System (IBNS) on the USS John Paul Jones, touting it as the 'way of the future' to improve safety and reduce the number of sailors needed on the bridge [93042]. - The Navy continued with the installation of the IBNS on multiple ships despite problems developing with the system, including complexity overwhelming junior sailors, frequent malfunctions, and patches that left destroyers without a full picture of the seas around them [93042]. - The Navy allowed ships to sail without enough time for training or repairs, as highlighted by the former chief of naval operations, John Richardson, calling the USS McCain and Fitzgerald crashes 'avoidable tragedies' [93042]. 2. Accidental Decisions: - The captain of the USS McCain, Alfredo Sanchez, made decisions during the incident that had fateful consequences, such as putting the IBNS in backup mode and changing up the crew manning the bridge, leading to confusion over steering control [93042]. - The transfer of steering controls on the bridge and an error in the propellers causing them to operate separately were accidental decisions that contributed to the collision, with the Navy unable to conclusively determine how the error occurred despite multiple investigations [93042].
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident occurring due to development incompetence: - The incident involving the USS John S McCain's collision in 2017 was attributed to the Integrated Bridge and Navigation System (IBNS) installed on the warship, which was designed and installed by Northrop Grumman [93042]. - ProPublica's report highlighted that the IBNS system was described as 'flawed' and 'unstable' with 'multiple and cascading failures regularly' [93042]. - The Navy placed blame on operator error initially, but ProPublica's investigation concluded that the crew should not have been heavily blamed as the flawed IBNS system was a significant factor in the collision [93042]. - The complexity of the IBNS overwhelmed junior sailors who used it, and the system was prone to frequent malfunctions, requiring patches and workarounds to address issues [93042]. - Northrop continued making improvements to the system, leading to different controls on each ship, making it harder for sailors to familiarize themselves with the system [93042]. (b) The software failure incident occurring accidentally: - The incident involving the USS John S McCain's collision in 2017 had elements of accidental factors, such as the confusion and errors that occurred during the steering control transfer on the bridge, leading to the collision with the oil tanker [93042]. - The ProPublica report highlighted that crew members mistakenly believed that pressing a big red button would revert control to the back of the ship, but it actually sent control back to its original location, contributing to the confusion during the critical moments before the collision [93042]. - The report pointed out that the misunderstanding among the crew could have been influenced by outdated manuals and lack of proper training on the IBNS system [93042].
Duration permanent, temporary The software failure incident related to the USS John S McCain collision in 2017 involved both permanent and temporary aspects: (a) Permanent Failure: The software failure incident involving the Integrated Bridge and Navigation System (IBNS) installed on the USS McCain was characterized by permanent failure aspects. The ProPublica report highlighted that the IBNS system was described as 'flawed' and 'unstable' with 'multiple and cascading failures regularly' [93042]. The design of the touch-screen steering and thrust control system was found to have increased the likelihood of operator errors that led to the collision, indicating a permanent flaw in the system [93042]. (b) Temporary Failure: On the other hand, temporary aspects of the software failure incident were also evident. The incident involved temporary malfunctions and errors that occurred during the operation of the IBNS system. For example, the IBNS began to crash when trying to integrate radar images in the ship's navigation computer, indicating temporary operational issues [93042]. Additionally, the crew resorted to rebooting the system when it malfunctioned, suggesting temporary solutions to address the immediate problems caused by the software failure [93042].
Behaviour crash, omission, timing, value, byzantine, other (a) crash: The software failure incident in the USS John S McCain was characterized by a crash, where the system lost control and did not perform its intended functions, leading to the deadly collision with an oil tanker. The Integrated Bridge and Navigation System (IBNS) on the USS McCain suffered from multiple failures, crashes, and malfunctions, which ultimately contributed to the collision [93042]. (b) omission: The software failure incident also involved instances of omission, where the system omitted to perform its intended functions. For example, there were errors in the transfer of steering controls on the bridge, leading to confusion among the crew members. The system failed to alert the operators about the transfer of steering control, contributing to the collision [93042]. (c) timing: The timing of the software failure incident was crucial in the USS McCain collision. The system was reported to have performed its intended functions incorrectly at critical moments, such as when the steering control was transferred between different stations on the bridge. These incorrect actions at specific times led to the ship turning into the path of the oil tanker [93042]. (d) value: The software failure incident also involved failures where the system performed its intended functions incorrectly. For example, the IBNS software did not alert the operators about the transfer of steering control, leading to confusion and ultimately contributing to the collision. Additionally, the system's backup mode inadvertently removed some built-in safeguards, affecting the control of the ship [93042]. (e) byzantine: The software failure incident exhibited characteristics of a byzantine failure, where the system behaved erroneously with inconsistent responses and interactions. The IBNS on the USS McCain was described as 'flawed' and 'unstable,' with multiple and cascading failures regularly occurring. The system overwhelmed junior sailors who used it and was prone to frequent malfunctions, indicating inconsistent behavior [93042]. (f) other: In addition to the above behaviors, the software failure incident in the USS John S McCain also involved complexities in the system interfaces that led to the helmsmen struggling to manage the helm and propulsion control. The system's design flaws, complexity, and lack of proper training contributed to the incident, showcasing a combination of crash, omission, timing, value, and byzantine behaviors [93042].

IoT System Layer

Layer Option Rationale
Perception sensor, actuator, embedded_software (a) sensor: The failure was related to the perception layer of the cyber physical system that failed due to contributing factors introduced by sensor error. The touch-screen control system, specifically the Integrated Bridge and Navigation System (IBNS), installed in the USS John S McCain was identified as a major factor in the collision that led to the deaths of 10 sailors. An NTSB investigation found that the design of the touch-screen steering and thrust control system increased the likelihood of operator errors that led to the collision [93042]. (b) actuator: The failure was also related to the actuator within the cyber physical system. An error in the transfer of steering controls on the bridge led to confusion over which officer was steering. This confusion ultimately resulted in the propellers operating separately, with one propeller working harder than the other, causing the ship to turn into the path of the oil tanker [93042]. (c) processing_unit: The failure was not directly related to a processing unit error. The main focus of the failure was on the touch-screen control system (IBNS) and the errors introduced by the design and functionality of this system, rather than a specific processing unit error [93042]. (d) network_communication: The failure was not directly related to network communication error. The incident primarily revolved around the flaws and malfunctions within the touch-screen control system (IBNS) and the errors introduced by the design and implementation of this system, rather than issues related to network communication [93042]. (e) embedded_software: The failure was related to the embedded software error within the touch-screen control system (IBNS). The system was described as 'flawed' and 'unstable', with multiple and cascading failures regularly occurring. The system was prone to frequent malfunctions, and the Navy had to resort to patches to address issues, leaving the destroyers without a full picture of the seas around them [93042].
Communication link_level The software failure incident related to the USS John S McCain collision in 2017 was primarily linked to issues at the link_level, which refers to failures due to contributing factors introduced by the wired or wireless physical layer. The incident was attributed to the flawed Integrated Bridge and Navigation System (IBNS) installed on the USS McCain, particularly the touch-screen control system. ProPublica's report highlighted that the design of the touch-screen steering and thrust control system increased the likelihood of operator errors that led to the collision [93042]. The system was described as "flawed" and "unstable," with multiple and cascading failures regularly occurring [93042]. Additionally, the complexities of the interfaces led to the helmsmen struggling to manage the helm and propulsion control, indicating issues at the physical layer of the system [93042]. Furthermore, the incident involved problems with the propellers operating separately due to an error, causing the ship to turn into the path of the oil tanker. This issue with the propellers aligns with failures at the link_level, which involves physical layer components such as the propeller system [93042]. Overall, the software failure incident on the USS McCain was primarily related to issues at the link_level, involving contributing factors introduced by the physical layer components of the cyber-physical system.
Application FALSE The software failure incident related to the USS John S McCain collision in 2017 was primarily attributed to the Integrated Bridge and Navigation System (IBNS) installed on the warship. The failure of the IBNS was not directly related to the application layer of the cyber physical system but was more focused on the design and functionality of the touch-screen control system itself. The failure was described as being caused by flaws, instability, multiple and cascading failures, and the complexity of the system, rather than issues related to bugs, operating system errors, unhandled exceptions, or incorrect usage typically associated with the application layer. Therefore, based on the information provided in the articles, it can be concluded that the failure was not specifically related to the application layer of the cyber physical system as defined in the question [93042].

Other Details

Category Option Rationale
Consequence death, harm (a) death: People lost their lives due to the software failure. The software failure incident involving the touch-screen control system installed in the USS John S McCain led to a deadly collision in 2017 that resulted in the deaths of 10 sailors and injuries to 58 others [93042]. The collision occurred after crew members lost control of the guided missile destroyer due to issues with the Integrated Bridge and Navigation System (IBNS) [93042]. The impact of the collision caused casualties among the sailors who were sleeping in the affected compartments [93042].
Domain transportation, government (a) The failed system was intended to support the information industry as it was a touch-screen control system installed in the USS John S McCain, a guided missile destroyer, which was involved in a deadly collision in 2017 [93042]. (l) The failed system was also related to the government industry as it was installed on a U.S. Navy warship, the USS John S McCain, and was a critical component of the ship's navigation system [93042].
