1-Feb-86 16:46:02-PST,9315;000000000001
Mail-From: NEUMANN created at 1-Feb-86 16:44:17
Date: Sat 1 Feb 86 16:44:17-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-2.3
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest, Saturday, 1 Feb 1986  Volume 2 : Issue 3

   FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  The possible vs the impossible (Dave Parnas)
  RISKS generalizations (Jim Horning)
  Challenger speculation (Henry Spencer)
  Possible triggering of the self-destruct mechanism (Don Wegeng)
  Redundancy in the Shuttle's Computers (Mark S. Day)
  Galileo Plutonium power (Herb Lin)
  Icing the Shuttle (Jim McGrath)

Corrections: (oops!)
  RISKS-2.1 & 2.2 should have been dated 1 Feb 1986, not 1 Jan.  Rollover error.
  In RISKS-2.1 summary list: Date of Challenger was 28 Jan 1986, not 29 Jan.

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol 1 Issue n stored in SRI-CSL:<RISKS>RISKS-1.n.)

----------------------------------------------------------------------

Date: Sat, 1 Feb 86 08:52:11 pst
From: vax-populi!dparnas@nrl-css.arpa (Dave Parnas)
To: nrl-css!RISKS@SRI-CSL.ARPA
Subject: Re: The possible vs the impossible

In response to an off the cuff remark by an unnamed physicist, Sean Malloy
writes, "Too many scientists over history have declared something impossible
or impractical that is commonplace today to reject some line of research
because of such pronouncements."

It is equally true that too many scientists over history have declared to be
possible or practical something that was later found to be impossible or
impractical to pursue some line of research or development because of such
pronouncements.

There have been countless schemes to build perpetual motion machines, faster
than light transport, 600 user time-sharing systems, world champion chess
programs, unbreakable codes, impregnable forts, unsinkable ships, etc. etc.

We cannot reject a negative prediction simply because earlier negative
predictions have been wrong just as we cannot reject a positive prediction
simply because earlier positive predictions have been wrong.  To have
credence any prediction must be supported by detailed argumentation.  If
nobody can produce a convincing refutation of that argumentation, it is
foolish not to act on the prediction.

I would not support any effort to build faster than light rockets until
someone shows me the flaw in Einstein's reasoning.  Any researchers who hope
to execute the following algorithm, "for I:=1 step 1 until 10,000 do `build
rocket with n stages using DoD funding'" should begin with a serious study of
relativity, not with an SDI proposal to build a national totem pole center.

David L. Parnas

------------------------------

From: horning@decwrl.DEC.COM (Jim Horning)
Date: 1 Feb 1986 1339-PST (Saturday)
To: RISKS@SRI-CSL.ARPA
Subject: RISKS generalizations

Thanks for the digest of the digest.  In following Risks from day to day, it
was easy to lose sight of the general principles illustrated by all the
specific cases and discussions.

I guess that I would add to your list just one more generalization,
concerning our ability to predict failures:

  If a system is complex, it is practically impossible to predict its
  sources of catastrophic failure.  This is especially true in well-
  engineered systems, since good engineers make allowance for the problems
  that they foresee.

Jim H.

   [Jim, That is perhaps the most important of all.  Thanks.  Peter]

------------------------------

Date: Sat, 1 Feb 86 05:11:33 PST
From: ihnp4!utzoo!henry@ucbvax.berkeley.edu
To: risks@sri-csl.arpa
Subject: Re: Challenger speculation

Herb Lin writes:

> If you are into pure, unadulterated speculation, another possibility
> is that a bullet was fired into an SRB while it was on the ground, and
> lodged there.  When the fuel burned to that point, a jet leaked out,
> and triggered an explosion.

Alas for this particular speculation, the SRB fuel burns outward from the
booster axis rather than upward along the booster.  Combustion starts from a
hole running the full length of the axis, and reaches the outer casing only
at the very end of the burn.  There may well be a few places near the ends
where casing is progressively uncovered -- I don't have drawings at hand to
check on this -- but this imposes much more severe constraints on aim.  All
in all, it seems implausible.  All the more so because the SRBs continued on
after the explosion, reasonably intact with no signs of any marked side
thrust or substantial extraneous exhaust jets.

Henry Spencer @ U of Toronto Zoology
{allegra,ihnp4,linus,decvax}!utzoo!henry

------------------------------

Date: 1 Feb 86 12:24:16 EST (Saturday)
Subject: Re: Possible triggering of the self-destruct mechanism
To: risks@sri-csl.arpa
From: Don Wegeng

I heard on CNN last night that one of the latest theories about the cause of
the shuttle accident is that flames from a leak in an SRB may have set off
the explosives which are part of the ET self-destruct mechanism.  Not knowing
anything about explosives, this seems plausible to me.

On the other hand, PBS interviewed someone last night (the editor of an
aviation magazine, I believe) who said that a fuel leak in an SRB would have
probably caused it to immediately stray wildly from its previous trajectory,
but that the video of the launch seems to show both of them continuing on in
the same general direction after the explosion.  I believe that Range Safety
did not destroy the SRBs until about 20 seconds after the explosion.

/Don

------------------------------

Date: Sat 1 Feb 86 12:58:03-EST
From: Mark S. Day
Subject: Redundancy in the Shuttle's Computers
To: RISKS@SRI-CSL.ARPA

A submission in RISKS-2.2 was concerned about a Stratus-like comparator
mechanism being a single point of failure in the Space Shuttle's operations.
However, the space shuttle's redundant set doesn't use a comparator
mechanism.  Instead, the actuators are controlled by a hydraulic
"force-fight" mechanism, with each computer sending independent commands on
independent buses.  If one computer of four fails, the other three can exert
enough force to overpower its (presumably bad) commands.  If this pressure
differential persists for long enough, the overpowered one is hydraulically
bypassed.

For more details, see "Case Study: The Space Shuttle Primary Computer System"
by Al Spector and Dave Gifford in CACM 27 #9 (September 1984).

--Mark

------------------------------

Date: Sat, 1 Feb 86 11:15:38 EST
From: Herb Lin
Subject: Galileo Plutonium power
To: schoff%rpics.csnet@CSNET-RELAY.ARPA
cc: LIN@MC.LCS.MIT.EDU, risks@SRI-CSL.ARPA

    From: Martin Schoffstall

    The point is as follows: If pacemakers are designed to handle stresses
    such as that I would assume that the satellites are designed much
    better, especially since the Soviets dumped a load on Canada (did they
    ever pay damages for that?).

Bad assumption.  The physics of materials tells us that in general, big
things are weak and small things are strong -- relatively speaking.  The
influence that holds things together is an area effect -- the tensile
strength in materials.  The force that breaks things apart depends on
gravity, a volume effect.  As the object gets larger, the gravity induced
stress grows faster than the tensile stresses.  That's why it's harder to
break a small clump of ice than a big one.

The Soviets ultimately paid about 1/5 the cleanup costs.
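Herb Lin's scaling argument above, written out as an added worked equation (not part of the original message). The symbols and the assumption of a uniform-density body of characteristic size L are mine:

```latex
\text{Let } L \text{ be the characteristic size, } \rho \text{ the density, } g \text{ gravity.}
\\[4pt]
\text{Self-weight (volume effect):}\qquad W = \rho\, g\, V \;\propto\; \rho\, g\, L^{3}
\\[4pt]
\text{Load-bearing cross-section (area effect):}\qquad A \;\propto\; L^{2}
\\[4pt]
\text{Gravity-induced stress:}\qquad \sigma_{\text{grav}} = \frac{W}{A} \;\propto\; \rho\, g\, L
\\[4pt]
\text{Tensile strength } \sigma_{\text{max}} \text{ is a material constant, independent of } L.
\\[4pt]
\text{Failure under its own weight once } \sigma_{\text{grav}} > \sigma_{\text{max}},
\quad\text{i.e. roughly when}\quad L \;\gtrsim\; \frac{\sigma_{\text{max}}}{\rho\, g}
```

The ratio of breaking load to holding capacity grows linearly with L, which is the "big things are weak" conclusion: a design margin that is comfortable at pacemaker scale shrinks as the same material is scaled up.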
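The "force-fight" redundancy described in Mark S. Day's message above, as an added toy simulation (not code from the digest, from the Shuttle software, or from the Spector and Gifford case study). Four channels each command one actuator; the actuator responds to the summed force, so three agreeing channels overpower one bad one, and a channel that stays outvoted for a sustained number of cycles is bypassed. The persistence limit, the agreement tolerance and the command values are all constructed for illustration; the example also runs a symmetric 2-2 split to show a case the mechanism alone cannot resolve.

```python
from dataclasses import dataclass


@dataclass
class Channel:
    name: str
    bypassed: bool = False
    fight_cycles: int = 0   # consecutive cycles spent in the outvoted minority


class ForceFightActuator:
    """Toy model of four computers driving one actuator over independent buses."""

    def __init__(self, names=("A", "B", "C", "D"), persist_limit=3, agree_tol=0.5):
        self.channels = [Channel(n) for n in names]
        self.persist_limit = persist_limit   # assumed: cycles of sustained fight before bypass
        self.agree_tol = agree_tol           # assumed: commands within this are "in agreement"

    def active(self):
        return [c for c in self.channels if not c.bypassed]

    def step(self, commands):
        """One control cycle.  `commands` maps channel name -> commanded force.
        Returns (net force seen by the actuator, names bypassed this cycle)."""
        active = self.active()
        # The actuator sees the sum of every non-bypassed channel's force,
        # so three agreeing channels overpower one channel pushing the wrong way.
        net = sum(commands[c.name] for c in active)
        newly_bypassed = []
        for c in active:
            agreeing = sum(
                1 for o in active
                if abs(commands[o.name] - commands[c.name]) <= self.agree_tol
            )
            # Strict minority only: in a 2-2 split nobody is outvoted and
            # nobody is bypassed, which is the stalemate case shown below.
            outvoted = agreeing * 2 < len(active)
            c.fight_cycles = c.fight_cycles + 1 if outvoted else 0
            if c.fight_cycles >= self.persist_limit:
                c.bypassed = True          # hydraulic bypass: ignored from now on
                newly_bypassed.append(c.name)
        return net, newly_bypassed


def simulate(schedule, **kwargs):
    """Run a list of per-cycle command dicts; return the per-cycle (net, bypassed) trace."""
    act = ForceFightActuator(**kwargs)
    return [act.step(cmds) for cmds in schedule]


if __name__ == "__main__":
    good = {"A": 1.0, "B": 1.0, "C": 1.0, "D": 1.0}
    d_bad = {"A": 1.0, "B": 1.0, "C": 1.0, "D": -1.0}   # constructed: D commands the wrong way
    split = {"A": 1.0, "B": 1.0, "C": -1.0, "D": -1.0}  # constructed: symmetric 2-2 disagreement
    for net, byp in simulate([good, d_bad, d_bad, d_bad, d_bad]):
        print(f"net={net:+.1f} bypassed={byp}")
    print("2-2 split:", simulate([split] * 5))
```

In the single-failure run the actuator keeps moving the right way from the first bad cycle (net +2.0 against the lone -1.0), and after three sustained cycles D is bypassed and the remaining three command +3.0. In the 2-2 run the net force is zero every cycle and no channel is ever bypassed: force-fight masks one bad channel of four without any central comparator, but it cannot by itself break a symmetric split, which is why such designs still need a higher-level redundancy-management decision for that case.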
------------------------------

Date: Sat 1 Feb 86 19:16:42-EST
From: "Jim McGrath"
Subject: Icing the Shuttle
To: risks%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU
cc: aviation%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU

    From: Werner Uhrig

    From TV-news coverage, I have the impression as if there might not have
    been adequate attention paid to icing which is supposed to have occurred
    this morning on the launch-pad.

My understanding was that the shuttle launch was delayed for more than an
hour due to the icing.  Since they delayed the launch specifically because of
the weather, I strongly doubt that they would have delayed it for too short a
period (if they are going to be yelled at by the media for being overly
cautious, then they might as well delay for the full required time).

Jim

   [This subject drifts somewhat from the computer-related risks.  However,
   because we have to train ourselves to think about vulnerabilities overall,
   I have included Jim's message.  Jim, note the various reports of icicles.
   PGN]

------------------------------

End of RISKS-FORUM Digest
************************
-------