29-Jan-86 22:42:55-PST,5964;000000000000
Mail-From: NEUMANN created at 29-Jan-86 22:41:11
Date: Wed 29 Jan 86 22:41:11-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-1.44
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest, Wednesday, 29 Jan 1986  Volume 1 : Issue 44

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
  sponsored by the ACM, Peter G. Neumann, moderator

Contents:
  Shuttle SRB/MFT self-destruct mechanisms (Dusty Bleher, Herb Lin, Martin Moore)
  Challenger speculation (Herb Lin)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol 1 Issue n stored in SRI-CSL:RISKS-1.n.)

----------------------------------------------------------------------

Date: Wed, 29 Jan 86 09:50:10 pst
From: decwrl!pyramid!amiga!dusty@ucbvax.berkeley.edu (Dusty [snake] Bleher)
Return-Path:
To: amiga!aviation   [Forwarded to RISKS]
Subject: Shuttle SRB/MFT Self-destruct mechanisms
Organization: Commodore-Amiga Inc., 983 University Ave #D, Los Gatos CA 95030

[PGN wrote
>One unvoiced concern from the RISKS point of view is the presence on each
>shuttle of a semi-automatic self-destruct mechanism.  Hopefully that
>mechanism cannot be accidentally triggered.
]

Please Note, and cease to spread your unfounded rumor!  ONLY the SRBs and the
MFT/mate assy have a destruct mechanism.  The shuttle is NOT provided with such
a mechanism, any more than an L-1011 is!

Dusty Bleher (@@) (408) 395-6616 x265 (wkdays PST)

  [Yes, Martin Moore noted that in RISKS-1.43.  Fortunately L-1011's do not
  have to take off amidst Solid Rocket Boosters and External Fuel Tanks!
  Thanks.  PGN]

------------------------------

Date: Wed, 29 Jan 86 17:54:23 EST
From: Herb Lin
Subject: Reliability of Shuttle SRB/MFT self-destruct mechanisms
To: mooremj@EGLIN-VAX.ARPA
cc: "RISKS-LIST:"@MC.LCS.MIT.EDU, risks@SRI-CSL.ARPA

Thanks for your piece.  Can you discuss at all the actual devices used on
the SRBs and the External Tank to set off explosions?  What ensures that
they work as expected?

------------------------------

Date: 0 0 00:00:00 CDT
Received: from eglin-vax.ARPA by SRI-CSL.ARPA with TCP; Wed 29 Jan 86 18:28:02-PST
From: "MARTIN J. MOORE"
Subject: Reliability of Shuttle SRB/MFT self-destruct mechanisms
To: "lin"
cc:

Unfortunately, I really can't (as opposed to "won't") amplify much on the
actual destruct hardware; as I said, I worked strictly on the ground system,
and I have little knowledge of explosives.  My exposure to it was pretty much
limited to having one of the engineers on that side show me a block diagram
of the system and point out the salient characteristics...like everything
else that I ever saw in this system, there were double (or more) backup
paths for everything.  Sorry I can't be of more help here.

The one all-pervading factor that I encountered in various mission-critical
systems at Cape Canaveral is redundancy.  Aside from double and triple
circuitry and paths, there are two complete systems for everything; both run
at all times, accepting all inputs, but only one is "on-line" with respect
to outputs; if the on-line system fails (say in a power failure), the backup
takes over.  Or a switchover can be requested manually, or the on-line
program can deliberately request a switchover if it encounters a hardware or
software error.

From time to time system redundancy was tested by running a mission
simulation and suddenly cutting off one power source completely.  The other
set of systems was fully capable of supporting the entire mission (of
course, the first time we tried this -- long before the first live use of
the system -- we did find some problems, e.g., one system had all of its
modems on the same power source.  Its backup processor ran, but was deaf and
dumb!)  Having seen this done -- first with one power source and then the
other, thus shutting down every piece of equipment at some point -- I can
say that I *know* there is no single point of failure among the major system
components.  I would also say that unless you run such a test, you *can't*
know it; you may think it, but you can't know it.

mjm

  [Of course, even if you run such a test, you still may not KNOW IT...
  You may never know that the test was complete.  PGN]

------------------------------

Date: Wed, 29 Jan 86 18:18:19 EST
From: Herb Lin
Subject: Challenger speculation
To: kyle.wbst@XEROX.COM
cc: LIN@MC.LCS.MIT.EDU, "RISKS-LIST:"@MC.LCS.MIT.EDU, aviation@R20.UTEXAS.EDU,
    CMP.WERNER@R20.UTEXAS.EDU, neumann@SRI-CSL.ARPA

    From: kyle.wbst at Xerox.COM

    Does anyone know if a rifle shot on the big tank would be enough to
    structurally weaken it such that during that portion of the launch
    with maximum stress the thing might rupture?

It is obvious that at the time of the explosion, no rifle bullet hit it.
Thus, any shot must have been fired much sooner.  The rifle shot must then
be timed in such a way that it is fast enough to weaken the casing, but not
strong enough to penetrate it.  It seems that that window is pretty small.

If you are into pure, unadulterated speculation, another possibility is that
a bullet was fired into an SRB while it was on the ground, and lodged there.
When the fuel burned to that point, a jet leaked out, and triggered an
explosion.

------------------------------

End of RISKS-FORUM Digest
************************
-------
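The power-cut redundancy test Martin Moore describes above (two complete systems, cut one power source at a time, and see whether the survivor can still support the mission), worked as an added illustration that is not part of the digest. The component names, bus names and the "processor plus modem" requirement are constructed assumptions; the flawed configuration reproduces the defect he reports, a backup processor that ran but was "deaf and dumb" because both systems' modems shared one power source.

```python
"""Model of a dual hot-standby ground system under a power-cut test.

Each system needs every role in REQUIRED_ROLES powered to support the
mission. Cutting a power source must leave at least one complete system;
a source whose loss leaves none is a single point of failure. The model
only sees the dependencies it is told about, which is PGN's caveat: the
test can pass and still be incomplete."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Component:
    name: str
    system: str   # "A" or "B" (constructed labels)
    role: str     # "processor" or "modem"
    power: str    # power source feeding this component


REQUIRED_ROLES = {"processor", "modem"}


def surviving_systems(components, cut_source):
    """Systems that keep every required role powered after cut_source is lost."""
    alive = {}
    for c in components:
        if c.power != cut_source:
            alive.setdefault(c.system, set()).add(c.role)
    return {s for s, roles in alive.items() if REQUIRED_ROLES <= roles}


def power_cut_test(components):
    """Cut each power source in turn; map source -> systems still capable."""
    sources = sorted({c.power for c in components})
    return {src: surviving_systems(components, src) for src in sources}


def single_points_of_failure(components):
    """Power sources whose loss leaves no fully capable system."""
    return [src for src, ok in power_cut_test(components).items() if not ok]


# Constructed configuration with the defect Moore found: system B's modem
# is fed from bus1, so cutting bus1 leaves B's processor running but mute.
FLAWED = [
    Component("cpu-A", "A", "processor", "bus1"),
    Component("modem-A", "A", "modem", "bus1"),
    Component("cpu-B", "B", "processor", "bus2"),
    Component("modem-B", "B", "modem", "bus1"),   # should be bus2
]
# Corrected configuration: each system is powered entirely from its own bus.
FIXED = [replace(c, power="bus2") if c.name == "modem-B" else c for c in FLAWED]

if __name__ == "__main__":
    print("flawed SPOFs:", single_points_of_failure(FLAWED))  # ['bus1']
    print("fixed SPOFs: ", single_points_of_failure(FIXED))   # []
```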