Date: Thu 21 Aug 86 20:41:55-PDT
From: RISKS FORUM (Peter G. Neumann -- Coordinator)
Subject: RISKS-3.40
Sender: NEUMANN@CSL.SRI.COM
To: RISKS-LIST@CSL.SRI.COM

RISKS-LIST: RISKS-FORUM Digest, Thursday, 21 August 1986  Volume 3 : Issue 40

        FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  QA on nuclear power plants and the shuttle (Eugene Miya, Ken Dymond)
  CAD, Simulation, Armored Combat Earthmover, and Stinger (Mary C. Akers)
  Risks Distribution List -- Private-Copy Subscribers PLEASE READ! (PGN)
  Could computers launch a nuclear attack? (Jeff Myers)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
(Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM)
(Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j.
 Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.)

----------------------------------------------------------------------

From: eugene@AMES-NAS.ARPA (Eugene Miya)
Date: 20 Aug 1986 1045-PDT (Wednesday)
To: risks@sri-csl.ARPA
Subject: Re: QA on nuclear power plants and the shuttle (re "portary"-als)

> Date: Tue, 19 Aug 86 11:50:39 edt
> From: allegra!phri!roy@seismo.CSS.GOV (Roy Smith)
>
> ... I watched "The China Syndrome" on TV... moderately-trashy movie...
> Anyway at one point, the hero exclaims, "but our quality control
> is second only to NASA's!"  Shows you the RISKS of making comparisons,
> doesn't it?  Do nuclear plants have O-rings?
>
>     [No, but they do have lots of reports of equipment failures
>     and human errors that don't seem to get wide public view.  PGN]

Risks of films?  I saw China Syndrome the day TMI occurred.
It is a reasonably accurate film, with a minimum of dramatic license (the
"vibration" is an example of this, as control rooms tend to be more isolated).
I don't regard the film as trashy.  There are deliberate attempts by film
makers to be "realistic", and this film was well researched.  In contrast,
War Games looked trashy to computer people.  The screenplay writers gave a
talk about the film at the Palo Alto CPSR meeting.  They deliberately used
obsolete hardware so that companies like A*e might not sue them.

Sorry, Peter, you are wrong.  Reactors do use O-rings.  Your car uses
O-rings; one just failed in my VW Rabbit.

The problem of reporting is historical and dates back to the late 40s and
the "mysticism" about nuclear information.  It is very easy to classify
nuclear information: for instance, it is not forbidden to have civilians in
any nuclear control room (they are not much different from coal-fired plants
in layout).  This was driven by the concern for nuclear terrorism in the
late 1970s.  It boils down to whether nuclear power should be under civilian
or military control: I know civilian physicists at LLNL who think the
original decision in the 1940s was a mistake.  (They feel it should have
been kept a military secret.)

NASA's QA.  I've not worked on QA.  The problem might be in the Q: the
paperwork for individual Shuttle tiles weighs more than the tiles
themselves.  There is a photo in Scott Crossfield's autobiography (1964?)
showing paperwork for the X-15 exceeding 3 times the weight of the X-15.
We must not mistake quantity for real quality.  Maybe software should have
more paper....  Let's not confuse quantitative assurance and qualitative.

Lastly, (here's the nerve you hit), Hans Mark (currently head of the U of
Texas) gave a talk at Ames on Monday on Challenger and Chernobyl.  Hans is
and was in a unique position to talk about both.
He was a chief at LLL, taught nuclear engineering at UCB for 10 years, ran
Ames, ran the Air Force, was #2 man at NASA and made flight decisions for the
first dozen flights (O-ring charring on flights 2, 8 and later).  He was
interviewed by the Rogers Commission.  "O-rings did not seem like that much
of a problem in contrast to other problems like nozzle burn thru..."  Mark
has decided to write an article based on this talk.  He feels somewhat
responsible even though he is no longer with NASA.  He had scheduled a
review regarding O-rings during a period when he took his new U-Texas job.
The review never took place.  (Lame duck administrator, in his words.)  The
men who made the final launch decisions were and still are friends of his.

The Chernobyl portion was a recapping of known information.  In both cases,
Mark cites the need for communication between management and workers.

--eugene miya
  NASA Ames Research Center
  eugene@ames-aurora.ARPA

    [I saw it the NIGHT BEFORE TMI!  But I asked Gene about whether those
    other O-rings also had problems at low temperatures.  (PGN)
    This was Gene's reply:]

Cars: Mine was 8 years old.  It was an external seal, it failed at 80 degs F.
Power plants: probably not.  I would think antarctic snow cars have O-rings
and fan belts and all sorts of things that snap.

--eugene

------------------------------

Date: 21 Aug 86 09:41:00 EDT
From: "DYMOND, KEN"
Subject: Re: QA at Nuclear Plants
To: "risks"

PGN comments in RISKS 3-39 on "QA on nuclear power plants and the shuttle":

>No, but they [nuclear power plants] do have lots of reports
>of equipment failures and human errors that don't seem to
>get wide public view.

It may depend on how interested the public is.  These reports (and probably
PGN is referring to the Licensee Event Reports or LERs which are compiled by
the NRC from plants, i.e. holders of licenses to make electricity from
nuclear power) are matters of public record.
The NRC distributes them to all plants as notices of the kinds of things
that happen and should be watched for.  They are also maintained in the
NRC's public documents room in the D.C. area and in a local public documents
room near every nuclear plant.  I know of at least one public library
(Wiscasset, Maine) that keeps LERs on file because of public interest in the
Maine Yankee plant nearby.

Most of the time LERs don't make exciting reading.  I haven't seen an LER
for a while but a representative incident that comes to mind occurred at a
plant where the fuel tanks for the emergency diesel generators were allowed
to get 300 gallons low (out of 3000 or 30000 gals., can't remember).  Some
fuel is used up in the weekly test of making sure the generators start and
operate and I guess the tanks are supposed to be topped up.  The 10 percent
or so shortfall of fuel would have been remedied at the next (I think it was
weekly) scheduled visit from the oilman.  I don't remember whether the NRC
levied a fine in this case.

The LERs serve as a record of errors in the industry, something that would
be a great help if it existed for software engineering.  Civil and
structural engineers investigate structural failures and publish detailed
results of the investigations in their literature, another practice that
software engineers might consider.

The LERs are supposed to be exhaustive and one thing the resident NRC
inspector at every plant does is to make sure that all events required by
regulations to be reported do get reported.  If the story about the
defective welds is true, it should be in an LER somewhere.

Ken Dymond

------------------------------

Date: Thu, 21 Aug 86 10:26:23 EDT
From: "Mary C. Akers"
Subject: CAD, Simulation, Armored Combat Earthmover, and Stinger
To: risks@csl.sri.com

Recently the Risks list had a short discussion on the excessive use of CAD
systems.
The September 1986 issue of Discover Magazine has an article by Wayne Biddle
on the use and abuse of computer modeling and simulation.  It is entitled
"How Much Bang for the Buck?"  Here are a few interesting quotes:

  "I want to replace sterile computer simulations with more realistic
  testing under combat conditions," says Representative Charles Bennett of
  Florida, [...] "Weapons testing should ensure that our weapons work in
  combat, not just in the laboratory."  With that statement, Bennett zeroes
  in on the main bone of contention among those concerned with weapons
  design and testing: whether computer simulation and modeling can take the
  place of live trials with real equipment."

  "The thing we worry about most is validating our simulations (that is,
  proving they're realistic), and validation is lagging, for sure.  Without
  test data, an unvalidated simulation is all we have."

  "Simulated flying is so different from real flying that the Navy finds
  that working in a simulator can be a detriment to safe operation of an
  airplane."

Some of the examples used in the article include:

  The Army's Armored Combat Earthmover (ACE) - "...which underwent 18,000
  hours of testing without ever being operated under field conditions.
  [When it finally underwent live trials at Fort Hood] ...the tests revealed
  that the ACE's transmission cracked, that its muffler caught fire, that
  the driver's hatch lid was too heavy to lift, and that doing certain
  maintenance work "could endanger the operator's life."

  "The Stinger, a 'man-portable' ground-to-air missile, proved too heavy for
  soldiers to carry on long marches; gunners must hold their breath after
  firing to avoid noxious fumes."

------------------------------

Date: Wed 20 Aug 86 11:04:45-PDT
From: Peter G. Neumann
Subject: Risks Distribution List -- Private-Copy Subscribers PLEASE READ!
To: RISKS@CSL.SRI.COM

One of our readers asked to be removed from the RISKS list, forwarding this
somewhat heavy-handed note from an administrator at his institution:

  "Please unsubscribe from the lists you have joined.  At [...] individuals
  do not join mailing lists directly.  There will be a way for you to read
  the full distribution of lists in the fall.  For now I must ask you to
  stop receiving your own copies of everything."

When RISKS began a year ago, the initial intent was to provide individual
subscriptions only until appropriate BBOARDs could be set up.  For the
convenience of some individuals, we have continued to provide private
copies.  The local mailer overhead attributable to RISKS is nontrivial --
although the new intelligent mailers cut down on net traffic.  Disk storage
is now approaching 800 DEC-20 pages for the full collection to date.
Maintenance of the RISKS list continues to be a problem with all the address
changes, incessant notifications of individual nondeliveries (sorry if we
overflow your disk quotas!), host outages, etc.  [Welcome back, Dockmaster
-- which took months to recover from lightning hitting their IMP.]
Unfortunately, various BBOARDs have allocated enough space for only a few
recent back issues (presumably on the assumption that the earlier issues
can be FTPed or that they lose their timeliness).

If you receive a private copy and could conveniently be reading RISKS on a
local BBOARD, please ask me to remove you from the list.  Thanks...

Peter

------------------------------

Date: Thu, 21 Aug 86 09:41:49 cdt
From: Jeff Myers
To: risks@sri-csl.arpa
Subject: Could computers launch a nuclear attack?

    [NEW ARTICLE ON OLD TOPIC.  Earlier followers of this story may wish to
    read the last three paragraphs.  PGN]

[from the August 20 *Guardian*, p. 9]

By Dave Kadlecek, *Guardian* Bureau

SAN FRANCISCO -- A Stanford University computer professional has sued
Secretary of Defense Caspar Weinberger, claiming that government plans
allowing computers to automatically launch a nuclear attack are
unconstitutional.

Clifford Johnson, a manager in Stanford's Information Technology Services,
filed the suit in federal district court in San Francisco June 17.  He
charged that the US government has a policy of operating a launch-on-warning
capability, under which the US would launch a retaliatory nuclear attack
against the USSR on the basis of a warning that Soviet missiles are on the
way, before unequivocal confirmation that an attack actually occurred.

Due to the short times involved, such a launch capability relies upon
computerized warning systems which are prone to error and cannot allow for
meaningful human intervention in a launch decision.  This automatic decision
illegally usurps congressional powers and delegates presidential powers.
Thus, Johnson's suit argues, the resulting ``likelihood of a nuclear
counterstrike and global environmental damage'' would deprive Johnson of
life and property without due process of law, giving him standing to sue
now, since it would not be possible to do so after a nuclear war.  He asked
that the court declare that the secretary of defense's oath of office
``obligates him to forthwith cease and desist from operating his
launch-on-warning capability.''

Under a cautious assumption that launch-on-warning is in continuous use only
during crisis situations, a number of studies have predicted that an
accidental nuclear war is statistically likely within the next 30 years.
Johnson maintains, however, that US policy already does continuously use
launch-on-warning capability by any normal interpretation of the word
``policy,'' but this denial means only that a formal decision will not be
made until a button is pushed when the warning occurs.
Indeed, a highly sophisticated set of procedures and programs for a
launch-on-warning is in continuous operation, guarding against a feared
``bolt-from-the-blue'' attack by short-range submarine-launched ballistic
missiles.  The Single Integrated Operational Plan consists of a menu of
nuclear ``attack options'' -- lists of targets with assignments of weapons
to hit them.  The plan contains launch-on-warning options, and procedures
now in operation permit the selection of a launch-on-warning option in
response to a surprise attack.

In support of Johnson's suit, Computer Professionals for Social
Responsibility (CPSR) emphasize the inevitability of some computer error in
a system as complex as a launch-on-warning system.  The most dangerous
computer errors are not failures of the device itself (hardware errors), but
of the programming (software errors), stemming ``not from inadequacies in
the technology, but rather from the inability of human beings to formulate
totally adequate plans (programs) for dealing with complicated, poorly
understood situations,'' says CPSR.

CPSR is ``concerned that the government is pursuing a launch-on-warning
capability, in the mistaken belief that computer technology can safely be
entrusted with important decisions regarding the release of nuclear weapons.
If this course is allowed to continue unchecked, it is only a matter of time
before a catastrophic error occurs.''

GROUPS IN SUPPORT

Though not an attorney, Johnson filed suit on his own behalf, and will argue
his own case through the resolution of government motions to dismiss the
suit, on which hearings are expected this fall.  However, he will need to
hire a lawyer if the case goes to trial, and the Lawyer's Alliance for
Nuclear Arms Control (LANAC) and the Center for Constitutional Rights have
agreed to help at the appellate level.
In addition to CPSR, support has come from peace groups and from former
aerospace engineer Robert Aldridge, coauthor of ``First Strike'' and
co-editor of ``The Nuclear Time Bomb,'' and constitutional scholar Arthur
Miller.

Johnson had filed a similar suit in 1984.  He lost in district court when
the judge ruled that it was a political matter, not for the judiciary to
decide.  His appeal was rejected, not by upholding the lower court's
reasoning, but by ruling that since he then claimed only that the government
had a launch-on-warning capability, not necessarily a launch-on-warning
policy, the unused capability was not a threat over which he could sue.

Johnson's current suit includes sensitive information he had deliberately
excluded from his earlier suit, such as evidence that the Strategic Air
Command possesses the authorization codes needed to launch a nuclear attack.
``I've gone back, I've done my homework, I say we've got launch-on-warning
now and I'm prepared to prove it,'' said Johnson.  ``We're at peace, so why
risk my neck?''

------------------------------

End of RISKS-FORUM Digest
************************