| Recurring |
one_organization |
(a) The software failure incident has happened again at one_organization:
- The article mentions that weeks earlier, another high-tech surveillance aircraft crashed while attempting to land in Wales in poor weather conditions [57781]. This indicates a similar incident occurred with another aircraft within the same organization or project.
(b) The software failure incident has happened again at multiple_organization:
- There is no specific mention in the article about the software failure incident happening at multiple organizations. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident in the article can be attributed to design-related factors introduced during the system development phase. The report highlighted issues with the automatic landing system of the drone, stating that it works as designed in good weather but can encounter anomalies in poor weather conditions like low-cloud, fog, gusts, or precipitation. These anomalies can lead to the air vehicle self-aborting its approach to landing. The selection of the Master Override (MO) can remove the in-built safety protection, increasing the risk of a crash. The report emphasized that the software needed to be fixed before the drone could provide a reliable capability in various weather conditions, indicating design flaws in the system [57781].
(b) Additionally, the incident also involved operational factors related to the misuse of the system. The crew operating the drone was criticized for prematurely selecting the manual override button, which turned off many safety protections, leading to the crash. The report mentioned that the crew could have waited for weather conditions to improve instead of forcing the vehicle to land by using the manual override. This operational decision contributed to the software failure incident [57781]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) The software failure incident involving the army drone crashing was primarily within the system. The incident was caused by the pilot pressing the manual override button, which turned off many safety protections of the aircraft's automatic landing system. This action led to the drone crashing on the runway at Boscombe Down [57781]. The report highlighted that the decision to select the Master Override (MO) was significant as it increased the risk of the air vehicle crashing. It also mentioned that the software needed to be fixed before the drone could provide a reliable and credible capability in a range of weather conditions [57781].
(b) However, there were also contributing factors outside the system that affected the incident. The report criticized the lack of flying expertise and organization within the project, indicating issues with supervision during the training mission and disappointing organizational control of activity and governance [57781]. Additionally, the report mentioned that the official documentation of the aircraft claimed it was an all-weather aircraft, which was not true, leading to operators having expectations beyond its true capabilities. This lack of accurate information in the documentation could be considered an external factor influencing the incident [57781]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in the article was primarily due to non-human actions. The incident occurred because the automatic landing system of the drone had anomalies in poor weather conditions such as low-cloud, fog, gusts, or precipitation. These anomalies could cause the air vehicle to self-abort its approach to landing. For example, false height readings from the laser altimeters due to fog or low cloud below the vehicle could prompt the system to self-abort the landing approach. Additionally, wind gusts or sudden vehicle maneuvers could also trigger the system to self-abort the landing attempt [57781].
(b) Human actions also played a significant role in the software failure incident. The pilots pressed the manual override button, which turned off many safety protections of the drone. This action was taken when the aircraft was still flying at 22 feet, and the sensors believed it was on the ground, causing the drone to plunge out of the sky at a 35-degree nose-down angle. The report criticized the crew for being premature in selecting the manual override as the aircraft still had plenty of fuel, and they could have waited for weather conditions to improve. The decision to select the Master Override (MO) was highlighted as significant as it increased the risk of the air vehicle crashing [57781]. |
| Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident in the article was primarily due to hardware-related factors. The incident involved a drone crash after the pilot pressed the manual override button, which turned off many safety protections, leading to confusion in the system caused by a false reading from the laser altimeter. This hardware-related issue contributed to the crash of the drone [57781].
(b) The software failure incident also had contributing factors originating in software. The automatic landing system of the drone was reported to work as designed in good weather conditions but faced anomalies in poor weather conditions, such as low-cloud, fog, gusts, or precipitation. The software's inability to handle these conditions led to the self-abort of the landing approach. Additionally, the decision to select the Master Override (MO) in the software increased the risk of the air vehicle crashing. The report highlighted that the software needed to be fixed before the drone could provide a reliable capability in various weather conditions [57781]. |
| Objective (Malicious/Non-malicious) |
non-malicious |
(a) The software failure incident described in the articles is non-malicious. The incident was primarily attributed to human error and lack of expertise rather than any malicious intent. The failure occurred due to the pilot's decision to press the manual override button, which turned off safety protections and led to the drone crashing during landing attempts in poor weather conditions [57781]. The investigation report highlighted issues with the software's response to adverse weather conditions and the lack of proper guidance in the official documentation, indicating a non-malicious failure scenario. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The software failure incident was related to poor decisions made by the pilots. The incident occurred when the pilots pressed the manual override button, which turned off many safety protections, causing the drone to crash. The report criticized the crew for being 'premature' in selecting the manual override as the aircraft still had plenty of fuel, and they could have waited for weather conditions to improve [57781].
(b) The software failure incident was also related to accidental decisions or unintended consequences. The automatic landing system of the drone was designed to work in good weather conditions, but anomalies in the system could cause the air vehicle to self-abort its approach to landing in poor weather conditions like low-cloud, fog, gusts, or precipitation. The selection of the Master Override (MO) to force the vehicle to land removed the in-built safety protection, increasing the risk of a crash. The report highlighted that the decision to select MO was significant and could lead to the air vehicle crashing [57781]. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident in the article was related to development incompetence. The investigation report criticized the lack of flying expertise and organization within the £1.2 billion project, highlighting issues with supervision during the training mission and the need for fixing the software before the drone could provide a reliable capability in various weather conditions. The report also mentioned that the software needed to be fixed and that technical issues would be addressed [57781].
(b) The incident was not attributed to accidental factors but rather to the lack of professional competence and oversight in the development and operation of the drone software. |
| Duration |
temporary |
The software failure incident described in the articles can be categorized as a temporary failure. The incident occurred when the pilots pressed the manual override button, which turned off many safety protections, causing the drone to crash. The report highlighted that the decision to select the Master Override (MO) was significant as it increased the risk of the air vehicle crashing [57781]. Additionally, the investigation concluded that the crew was premature in selecting the manual override as the aircraft still had plenty of fuel, and they could have waited for weather conditions to improve [57781]. This indicates that the failure was temporary and could have been avoided or mitigated by different actions taken by the operators. |
| Behaviour |
crash, omission, other |
(a) crash: The software failure incident in this case led to a crash of the army drone. The drone crashed on the runway at Boscombe Down after the pilot pressed the manual override button, which closed down several safety systems, causing the drone to plunge out of the sky at a 35-degree nose-down angle [57781].
(b) omission: The software failure incident also involved an omission where the system failed to perform its intended functions. The automatic landing system of the drone was designed to work in good weather conditions but in poor weather conditions like low-cloud, fog, gusts, or precipitation, anomalies in the system could make the air vehicle self-abort its approach to landing. The system could register false height due to fog or low cloud below the vehicle, leading to the drone aborting its landing approach [57781].
(c) timing: The software failure incident did not specifically involve a timing issue where the system performed its intended functions correctly but too late or too early.
(d) value: The software failure incident did not involve the system performing its intended functions incorrectly.
(e) byzantine: The software failure incident did not involve the system behaving erroneously with inconsistent responses and interactions.
(f) other: The software failure incident involved a situation where the pilots had the option to select the Master Override (MO) which would remove the in-built safety protection of the automatic landing system, causing the drone to continue its approach unless a manual abort was commanded by the crew. This decision to select MO was significant as it increased the risk of the air vehicle crashing. The report criticized the crew for being 'premature' in selecting the manual override when the aircraft still had plenty of fuel, and they could have waited for weather conditions to improve [57781]. |