Software in military aviation and drone mishaps: Analysis and recommendations for the investigation process

Software is playing an increasing role in adverse events, and the understanding of its failure mechanisms and contributions to accidents is lacking. A safety gap is growing between the software-intensive technological capabilities and our understanding of the ways they can fail, hindering our ability to prevent accidents. To identify some of these failure mechanisms, we examined the database of the Air Force Accident Investigation Board (AIB) and analyzed mishaps in which software was involved. The choice of military aviation was motivated by several considerations. Military aviation can be thought of as a high-stress testing environment for aviation software. As such, significant safety spillovers can be passed on from military mishaps to commercial aviation. Furthermore, given the push to integrate drones in the National Airspace, the military experience with these systems is rich for probing and analysis, and can help make better-informed decisions for regulation and certification, as we show in this work. Our analysis led to several results and recommendations. Some were specific and related, for example, to shortcomings in requirement flow-down to various pieces of the flight software, or to particular aspects of an aircraft, such as the braking systems (software logic). Others were broader in scope. For example, we find the traditional notion of software failure as non-compliance with requirements too limited to capture the diversity of software’s roles in accidents. This shortcoming creates a blind spot for understanding and mitigating such roles. Moreover, software’s contributions are not examined in accident investigation reports; this constitutes a missed learning opportunity and incomplete feedback loop for accident prevention. We strongly argue for the examination of software’s causal role in accident investigations and the inclusion of a section on the subject in the reports. We conclude with a brief examination of the adequacy and limitation of the AIB reports, and whether a more cost-effective solution and better quality investigation output could be devised.