RISKS@SRI-CSL.ARPA (RISKS FORUM, Peter G. Neumann, Coordinator) (02/03/86)
RISKS-LIST: RISKS-FORUM Digest, Sunday, 2 Jan 1986 Volume 2 : Issue 4 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Solid propellants (Mike McLaughlin) Plutonium (Jim McGrath) SRB Self-Destruct Mechanisms (Clive Dawson) Details on the 1981 Quebec election -- a program bug (Jean-Francois Lamy) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.) (Back issues Vol i Issue j stored in SRI-CSL:<RISKS>RISKS-i.j.) ---------------------------------------------------------------------- Date: Sun, 2 Feb 86 14:08:17 est From: mikemcl@nrl-csr (Mike McLaughlin) To: risks@sri-csl.ARPA Subject: Solid propellants Odd topic for a computer centered forum - but worth discussing a bit. The computer hook relates to what could have been monitored, detected, and reac- ted to in computer time; but not in human time. I base this discussion on long-ago experience in writing about solid propellant rockets, plus Sunday's TV & radio news. 1. Solid propellants burn at a surface. If they are designed to burn at one end, they are called "cigarette burning." If they are designed to burn through a hole in the middle, they are not. The prepared hunk of propellant is called a "grain." 2. Cigarette burning produces roughly constant propelling force throughout the burn. Chunks of loose propellant (cylinders, spheres, etc.) produce more thrust at the beginning, less at the end, as the surface area of the grains is reduced/consumed. 3. The hole in the center of a grain can be tailored in shape to affect burn characteristics just about any way the engineer wants. In addition, "inhibi- tors" can be put on the grain to further control its burn characteristics. 4. In most boosters the grain fills the container, except for the hole in the center, and a space near the nozzle. An ignitor (actually, another small rocket) is usually at the end opposite the nozzle. 5. Remember, the grain burns at the surface. A crack in the grain provides another surface to burn. If the grain separates from the casing, the exterior of the grain provides another burning surface. If the grain is sectional, i.e. too large to build as one unit, the ends of the sections can provide burning surfaces. Naturally, it is the engineer's job to control and prevent these undesirable burning surfaces, and to produce the thrust profile required for the task at hand. (tutorial ends, speculation begins) It is my understanding that "SRBs" were built in 6 sections, and assembled on-site. Nose, 4 grain sections (not necessarily identical, the hole can be tapered), and tail. I also understand that the casing sections were "bolted" together (probably a fairly complex bolting system); and were considered to be quite safe & reliable. The casings were recovered after a launch, refurb- ished, reloaded, & re-used. Recently released film, computer-enhanced offline, after the accident, show that the right hand SRB had a plume coming out the side, in a location that appeared to me to be about where the joint between the 3rd and 4th grain/ casing sections would be - but, depending on the actual design, could have been further aft, near the end of the grain, towards the nozzle. If this was a casing/grain burn-through, the mildest result would be assymetric thrust. *This should have been immediately detectable by the guidance system's reaction in attempting to maintain the desired trajectory.* If similar per- terbations occurred in wind shears, etc., it might not be recognizable as abnormal. Another result could be that the errant jet impinged on the main fuel tank, heating, penetrating, and igniting the fuel load. (It might be able to ignite it without penetrating the tank structure.) *This should be quickly detec- table by excursions in tank pressure.* Reaction times, even of computers, might not be fast enough to make any difference in the outcome. I believe that both of the above could have been detected with instrumentation that was certainly on board. Additional (or existing?) instrumentation could detect temperature changes in SRB and fuel tank skins, torques on SRB mounts, abnormal "seismic" vibrations within the SRB structure, abnormal "plumes", etc. It is so easy to second-guess. I am sure the engineers concerned are casti- gating themselves for what they failed to forsee, for what they concluded was trivial, for what now seems eminently clear to them. I wish they would quit it. The whole program is so full of checks and balances that only a Higher Power could add more. From "MTM's" description of the safety system, it seems a miracle that it was possible to destroy the SRBs under normal circumstances, much less in the middle of disaster. The astronauts participated in the design and manufacturing process - they were ready to go. We have lost seven of our best and brightest. But perhaps we are seven closer to whatever is out there in space, waiting for us to get on with it, get out there, fulfill our dreams. ------------------------------------------------------------------------------ Peter: this is too long, but I had to write it, tell someone. I went into space in the '50s, with Heinlein and Bonestell. The Challenger Seven must not be regarded as sacrifices on the altar of science - they were just seven of us who went a little closer to the edge of knowledge than the rest of us dare. The human/computer symbiosis will get us out there eventually, and the Challenger Seven will have helped every one who follows them. - Mike ------------------------------ Date: Sat 1 Feb 86 19:20:51-EST From: "Jim McGrath" <MCGRATH%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU> Subject: Plutonium To: risks%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU First, I assume that everyone knows that no atomic explosion would occur under any circumstances. Nor any fallout. That only leaves the actual radioactive fuel itself. Plutonium's danger, for a constant mass, depends upon the size of the particles. The worse thing that can happen is for dust size particles to be inhaled. Large chunks would be a local danger, but one easily handled. Note that if the launch was from the Cape, then it would eventually settle into the ocean. This would aid considerably in dispersing it to extremely low concentrations. Finally, remember that the Soviets lost a satellite powered by radioactives over Canada. While the Canadians were not happy, and took clean up measures, the real problem was getting the Soviets to pony up for the cleanup costs. From: James.Tomayko@a.sei.cmu.edu .... Therefore, aside from several hundred pounds of plutonium ... Are you sure about your numbers? Hundreds of pounds of pure plutonium? The cost would be outrageous. Moreover, this implies a total mass would be thousands of pounds, if not tons (since the plutonium would be diluted to a lower concentration and sufficient shielding for the electronics would have to be provided). Maybe you mean a fuel assembly massing hundreds of pounds? If so, then the actual mass of Plutonium would be a small fraction of the total mass. Jim ------------------------------ Date: Fri 31 Jan 86 13:29:44-CST From: Clive Dawson <AI.CLIVE@MCC.ARPA> Subject: SRB Self-Destruct Mechanisms To: risks@SRI-CSL.ARPA One aspect of the SRB self-destruct mechanism which has bothered me the most is the fact that a single action will destroy BOTH SRB's (and perhaps the external tank as well?). It is clear that recovery of the intact casings would have been invaluable in the NASA investigation. News reports tell us that one of the SRB's was headed on a dangerous course toward popluated areas and had to be destroyed. Fair enough. But why destroy the other one unless and until it was also proved necessary?? Thinking about this further reveals it may not be that simple. First of all, I can imagine scenarios in which both SRB's would need to be destroyed as quickly as possible, especially in the early phases of the launch. You would certainly want to have a mechanism for doing this as exists now. On the other hand, last Tuesday's events show that it would be very valuable to be able to destroy them individually as well. This would imply modifying the hardware/software such that each SRB responded to two sets of tones: a common set for both and an individual set. Perhaps a simpler scheme would be to simply have two different frequencies which could be used simultaneously or separately. Those of us discussing this were momentarily satsified until somebody asked, "Yes, but how do you tell which SRB is which??!" In this case, it was reasonably easy to answer that question when they emerged from the fireball, but this might not always be the case. Furthermore, it's not clear that the task would be any easier when watching them on a radar screen. (What does the Range Safety Officer use?) This difficulty can presumably be overcome by electronic equipment on each SRB that would tag its radar image in some fashion. I'm wondering if this is a case of "good hindsight", or if there are other considerations we didn't think of. Clive ------------------------------ Date: 02 Feb 86 09:40:43 EST (Sun) From: Jean-Francois Lamy <lamy%utai%toronto.csnet@CSNET-RELAY.ARPA> To: Neumann@sri-csl.arpa Subject: Details on the 1981 Quebec election -- a program bug (RISKS-2.1) Organization: CSRI AI, University of Toronto > [FROM THE SUMMARY OF DISASTERS in RISKS-2.1:] > > - Quebec election prediction gave loser big win [1981] (SEN 10 2, p. 25-26) Election monitoring software for two television networks was faulty: votes were being attributed to the wrong candidates. Names were being kept in alphabetical order while votes were kept in decreasing order. This is a language related bug: the contractor was IP Sharp and the software was programmed in APL -- the informations ended up in distinct vectors, with one being mistakenly kept sorted. Jean-Francois Lamy Department of Computer Science, University of Toronto, Departement d'informatique et de recherche operationnelle, U. de Montreal. CSNet: lamy@toronto.csnet UUCP: {utzoo,ihnp4,decwrl,uw-beaver}!utcsri!utai!lamy CDN: lamy@iro.udem.cdn (lamy%iro.udem.cdn@ubc.csnet) [FOR THE RECORD, HERE WAS THE ORIGINAL PARAGRAPH from Software Engineering Notes, from a review by PGN of John Shore's "The Sachertorte Algorithm and Other Antidotes to Computer Anxiety", vol 10 no 2, pp. 25-26, April 1985.] The chapter on Myths of Correctness brings us the tale of the 1981 provincial election in Quebec, Canada. One station's computer had been misprogrammed, and it announced that the overwhelming underdog Union Nationale had won 19 out of 49 races. Their announcers somehow even managed to come up with erudite analyses explaining why this amazing upset had occurred. It was not until twenty minutes after the other station had declared that the Parti Quebecois and the Liberal Party had totally dominated the election that the first station realized that there had been a colossal mistake somewhere! [PGN] ------------------------------ End of RISKS-FORUM Digest ************************ -------