[mod.risks] RISKS-2.3

RISKS@SRI-CSL.ARPA (RISKS FORUM, Peter G. Neumann, Coordinator) (02/02/86)

RISKS-LIST: RISKS-FORUM Digest,  Saturday, 1 Feb 1986  Volume 2 : Issue 3

           FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS 
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  The possible vs the impossible (Dave Parnas)
  RISKS generalizations (Jim Horning)
  Challenger speculation (Henry Spencer)
  Possible triggering of the self-destruct mechanism (Don Wegeng)
  Redundancy in the Shuttle's Computers (Mark S. Day)
  Galileo Plutonium power (Herb Lin)
  Icing the Shuttle (Jim McGrath)

Corrections: (oops!)
  RISKS-2.1 & 2.2 should have been dated 1 Feb 1986, not 1 Jan. Rollover error.
  In RISKS-2.1 summary list: Date of Challenger was 28 Jan 1986, not 29 Jan.

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol 1 Issue n stored in SRI-CSL:<RISKS>RISKS-1.n.)

----------------------------------------------------------------------

Date: Sat, 1 Feb 86 08:52:11 pst
From: vax-populi!dparnas@nrl-css.arpa (Dave Parnas)
To: nrl-css!RISKS@SRI-CSL.ARPA
Subject: Re:  The possible vs the impossible

In response to an off the cuff remark by an unnamed physicist, Sean Malloy
writes, "Too many scientists over history have declared something impossible
or impractical that is commonplace today to reject some line of research
because of such pronouncements."  It is equally true that too many
scientists over history have declared to be possible or practical something
that was later found to be impossible or impractical to pursue some line of
research or development because of such pronouncements.  There have been
countless schemes to build perpetual motion machines, faster than light
transport, 600 user time-sharing systems, world champion chess programs,
unbreakable codes, impregnable forts, unsinkable ships, etc. etc.  

We cannot reject a negative prediction simply because earlier negative
predictions have been wrong just as we cannot reject a positive prediction
simply because earlier positive predictions have been wrong.  To have
credence any prediction must be supported by detailed argumentation.  If
nobody can produce a convincing refutation of that argumentation, it is
foolish not to act on the prediction.  I would not support any effort to build
faster than light rockets until someone shows me the flaw in Einstein's 
reasoning.  Any researchers who hope to execute the following algorithm,
"for I:=1 step 1 until 10,000 do `build rocket with n stages using DoD
funding'" should begin with a serious study of relativity, not with an SDI
proposal to build a national totem pole center.

David L. Parnas

------------------------------

From: horning@decwrl.DEC.COM (Jim Horning)
Date:  1 Feb 1986 1339-PST (Saturday)
To: RISKS@SRI-CSL.ARPA
Subject: RISKS generalizations 

Thanks for the digest of the digest. In following Risks from day to
day, it was easy to lose sight of the general principles illustrated by
all the specific cases and discussions. I guess that I would add to
your list just one more generalization, concerning our ability to predict
failures:

  If a system is complex, it is practically impossible to predict its
  sources of catastrophic failure. This is especially true in well-
  engineered systems, since good engineers make allowance for the
  problems that they foresee.

Jim H.
       [Jim, That is perhaps the most important of all.  Thanks.  Peter]

------------------------------

Date: Sat, 1 Feb 86 05:11:33 PST
From: ihnp4!utzoo!henry@ucbvax.berkeley.edu
To: risks@sri-csl.arpa
Subject: Re: Challenger speculation

Herb Lin writes:

> If you are into pure, unadulterated speculation, another possibility
> is that a bullet was fired into an SRB while it was on the ground, and
> lodged there.  When the fuel burned to that point, a jet leaked out,
> and triggered an explosion.

Alas for this particular speculation, the SRB fuel burns outward from the
booster axis rather than upward along the booster.  Combustion starts from
a hole running the full length of the axis, and reaches the outer casing
only at the very end of the burn.  There may well be a few places near the
ends where casing is progressively uncovered -- I don't have drawings at
hand to check on this -- but this imposes much more severe constraints on
aim.  All in all, it seems implausible.  All the more so because the SRBs
continued on after the explosion, reasonably intact with no signs of any
marked side thrust or substantial extraneous exhaust jets.

				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,linus,decvax}!utzoo!henry

------------------------------

Date: 1 Feb 86 12:24:16 EST (Saturday)
Subject: Re: Possible triggering of the self-destruct mechanism
To: risks@sri-csl.arpa
From: Don Wegeng <Wegeng.Henr@Xerox.COM>

I heard on CNN last night that one of the latest theories about the
cause of the shuttle accident is that flames from a leak in an SRB may
have set off the explosives which are part of the ET self-destruct
mechanism. Not knowing anything about explosives, this seems plausible
to me. 

On the other hand, PBS interviewed someone last night (the editor of an
aviation magazine, I believe) who said that a fuel leak in an SRB would
have probably caused it to immediately stray wildly from its previous
trajectory, but that the video of the launch seems to show both of them
continuing on in the same general direction after the explosion. I
believe that Range Safety did not destroy the SRBs until about 20
seconds after the explosion.

/Don

------------------------------

Date: Sat 1 Feb 86 12:58:03-EST
From: Mark S. Day <MDAY@XX.LCS.MIT.EDU>
Subject: Redundancy in the Shuttle's Computers
To: RISKS@SRI-CSL.ARPA

A submission in RISKS-2.2 was concerned about a Stratus-like comparator
mechanism being a single point of failure in the Space Shuttle's operations.
However, the space shuttle's redundant set doesn't use a comparator
mechanism.  Instead, the actuators are controlled by a hydraulic
"force-fight" mechanism, with each computer sending independent commands on
independent buses.  If one computer of four fails, the other three can exert
enough force to overpower its (presumably bad) commands.  If this pressure
differential persists for long enough, the overpowered one is hydraulically
bypassed.

For more details, see "Case Study: The Space Shuttle Primary Computer System"
by Al Spector and Dave Gifford in CACM 27 #9 (September 1984).

--Mark
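A toy model of the force-fight arrangement Mark describes, added here as an illustration; it is not the Shuttle's control law and not from the Spector/Gifford paper. Each channel pushes its own command at the actuator, the actuator follows the majority (modelled with a median, an assumption standing in for the hydraulic sum of forces), and a channel whose push keeps disagreeing with the resultant for BYPASS_AFTER consecutive cycles (an assumed count) is removed from the set, as the "hydraulic bypass" in the message. The command sequences are constructed sample data.

```python
"""Toy force-fight redundant set: majority resultant plus persistent-disagreement bypass."""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

BYPASS_AFTER = 3   # assumed: consecutive disagreeing cycles before hydraulic bypass
TOLERANCE = 0.5    # assumed: allowed deviation from the resultant (actuator degrees)


@dataclass
class Channel:
    name: str
    commands: List[float]             # command this computer issues each cycle
    disagree_run: int = 0             # consecutive cycles spent disagreeing
    bypassed_at: Optional[int] = None  # cycle at which the channel was bypassed

    @property
    def bypassed(self) -> bool:
        return self.bypassed_at is not None


def resultant(channels: List[Channel], cycle: int) -> float:
    """Actuator position from the force fight.  The median stands in for the
    majority overpowering a lone wild command: with three channels agreeing,
    a fourth pushing hard cannot drag the resultant away from them."""
    active = [c.commands[cycle] for c in channels if not c.bypassed]
    if not active:
        raise RuntimeError("all channels bypassed: no command authority left")
    return median(active)


def step(channels: List[Channel], cycle: int) -> float:
    """Advance one cycle: compute the resultant, then book-keep each channel's
    disagreement and bypass any channel that has disagreed for BYPASS_AFTER cycles."""
    net = resultant(channels, cycle)
    for c in channels:
        if c.bypassed:
            continue
        if abs(c.commands[cycle] - net) > TOLERANCE:
            c.disagree_run += 1
            if c.disagree_run >= BYPASS_AFTER:
                c.bypassed_at = cycle
        else:
            c.disagree_run = 0  # a one-cycle glitch does not accumulate toward bypass
    return net


def run(channels: List[Channel]) -> List[float]:
    """Run every cycle and return the resultant actuator command per cycle."""
    return [step(channels, k) for k in range(len(channels[0].commands))]


def demo() -> Tuple[List[float], Dict[str, Optional[int]]]:
    """Constructed scenario: D fails hard from cycle 2; B glitches once at cycle 5."""
    good = [1.0, 1.2, 1.1, 1.0, 0.9, 1.0, 1.0]
    channels = [
        Channel("A", list(good)),
        Channel("B", [1.0, 1.2, 1.1, 1.0, 0.9, 4.0, 1.0]),  # transient glitch only
        Channel("C", list(good)),
        Channel("D", [1.0, 1.2, 6.0, 6.0, 6.0, 6.0, 6.0]),  # persistent bad commands
    ]
    history = run(channels)
    return history, {c.name: c.bypassed_at for c in channels}


if __name__ == "__main__":
    hist, bypassed = demo()
    print("resultant per cycle:", hist)
    print("bypassed channels:  ", bypassed)
```

In the constructed run D is overpowered from cycle 2 onward and bypassed at cycle 4, while B's single-cycle excursion at cycle 5 is outvoted and forgotten; the resultant never leaves the agreeing channels' command. The median stand-in has no majority once two of four channels disagree, which is the same two-versus-two ambiguity a real force fight faces and the reason the redundant set is sized so that a single failure leaves three agreeing channels.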

------------------------------

Date: Sat,  1 Feb 86 11:15:38 EST
From: Herb Lin <LIN@MC.LCS.MIT.EDU>
Subject:  Galileo Plutonium power
To: schoff%rpics.csnet@CSNET-RELAY.ARPA
cc: LIN@MC.LCS.MIT.EDU, risks@SRI-CSL.ARPA

    From: Martin Schoffstall <schoff%rpics.csnet at CSNET-RELAY.ARPA>

    The point is as follows:  If pacemakers are designed to handle stresses
    such as that I would assume that the satellites are designed much better,
    especially since the Soviets dumped a load on Canada (did they ever pay
    damages for that?).

Bad assumption.  The physics of materials tells us that in general,
big things are weak and small things are strong -- relatively
speaking.  The influence that holds things together is an area effect
-- the tensile strength in materials.  The force that breaks things
apart depends on gravity, a volume effect.  As the object gets larger,
the gravity induced stress grows faster than the tensile stresses.
That's why it's harder to break a small clump of ice than a big one.

The Soviet ultimately paid about 1/5 the cleanup costs.
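A worked version of the scaling argument in the message above, added here and not part of Herb Lin's text. Take an object of characteristic length $L$, density $\rho$ and tensile strength $\sigma_t$ (a material constant) under gravity $g$:

$$
F_{\text{break}} \;\propto\; \rho\, g\, L^{3} \quad (\text{self-weight: a volume effect}), \qquad
F_{\text{hold}} \;\propto\; \sigma_t\, L^{2} \quad (\text{tensile strength: an area effect})
$$

$$
\frac{F_{\text{break}}}{F_{\text{hold}}} \;\propto\; \frac{\rho\, g}{\sigma_t}\, L
$$

The ratio grows linearly with $L$: doubling every dimension doubles the stress that self-weight puts on each unit of cross-section, so for a given material there is a size above which the object fails under its own weight, which is the sense in which a big clump of ice is easier to break than a small one.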

------------------------------

Date: Sat 1 Feb 86 19:16:42-EST
From: "Jim McGrath" <MCGRATH%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
Subject: Icing the Shuttle
To: risks%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU
cc: aviation%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU

   From: Werner Uhrig  <CMP.WERNER@R20.UTEXAS.EDU>
   From TV-news coverage, I have the impression as if there might not
   have been adequate attention paid to icing which is supposed to
   have occurred this morning on the launch-pad.

My understanding was that the shuttle launch was delayed for more than
an hour due to the icing.  Since they delayed the launch specifically
because of the weather, I strongly doubt that they would have delayed
it for too short a period (if they are going to be yelled at by the
media for being overly cautious, then they might as well delay for the
full required time).

Jim
      [This subject drifts somewhat from the computer-related risks. 
       However, because we have to train ourselves to think about
       vulnerabilities overall, I have included Jim's message.  
       Jim, note the various reports of icicles.  PGN]

------------------------------

End of RISKS-FORUM Digest
************************
-------