4-Sep-86 12:47:48-PDT,11322;000000000000 Mail-From: NEUMANN created at 4-Sep-86 12:45:52 Date: Thu 4 Sep 86 12:45:52-PDT From: RISKS FORUM (Peter G. Neumann -- Coordinator) Subject: RISKS-3.49 Sender: NEUMANN@CSL.SRI.COM To: RISKS-LIST@CSL.SRI.COM RISKS-LIST: RISKS-FORUM Digest, Thursday, 4 September 1986 Volume 3 : Issue 49 FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator Contents: Human Error (Dave Parnas, Bill Anderson) Machine errors - another point of view (Bob Estell) Flight simulators (Eugene Miya) F-16 software (Henry Spencer) Terminal (!) lockup (Ken Steiglitz) The RISKS Forum is moderated. Contributions should be relevant, sound, in good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome. (Contributions to RISKS@CSL.SRI.COM, Requests to RISKS-Request@CSL.SRI.COM) (Back issues Vol i Issue j available in CSL.SRI.COM:RISKS-i.j. Summary Contents in MAXj for each i; Vol 1: RISKS-1.46; Vol 2: RISKS-2.57.) ---------------------------------------------------------------------- Date: Wed, 27 Aug 86 09:16:44 EDT To: neumann@SRI-CSL Subject: human error ReSent-To: RISKS@CSL.SRI.COM [JUST RECEIVED FROM DAVE PARNAS AFTER MAILER DIFFICULTIES] When people use the phrases "human error" and "computer error" they are simply trying to distinguish between situations in which "the cause" of the accident was a human action that happened about the time of the accident and the situations in which "the cause" of the error was a human action much earlier. Obviously, we cannot make a hard black/white distinction based on this continuum of possibilities. Only humans cause accidents because only humans provide the problem statements that allow one to talk about an accident or a failure. Dave ------------------------------ Date: 3 Sep 86 09:57 EDT From: WAnderson.wbst@Xerox.COM Subject: Re: RISKS-3.46: Human Error To: LIN@XX.LCS.MIT.EDU cc: RISKS@CSL.SRI.COM Herb Lin writes: "no user should approach a computer system as though its behavior is predictable and/or sensible under all circumstances ...." Stanislaw Lem has written some very amusing and thought provoking stories about the relations between people and technology (including automata) in the Tales of Pirx the Pilot (2 volumes, paperback). Pirx is just an ordinary space pilot who learns to approache the computer systems he must use with a good deal of common sense. Bill Anderson ------------------------------ Date: 3 Sep 86 12:19:00 PST From: "SEFB::ESTELL" Subject: Machine errors - another point of view To: "risks" I'm not satisfied with the notion that computers don't make errors; that they ONLY suffer mechanical failures that can be fixed. "Deep in a computer's hardware are circuits called arbiters whose function is to select exactly one out of a set of binary singnals. If one of the signals can change from '0' to '1' while the selection is being made, the subsequent behavior of the computer may be unpredictable. It appears fundamentally impossible to construct an arbiter that can reliably make its selection within a bounded time interval." Peter J. Denning, in AMERICAN SCIENTIST 73, no. 6 (Nov-Dec 1985) [also reprinted in RIACS TR 85.12] I'm not a hardware guru, nor a scholar in theoretical computer science; but my practical experience says that Peter is right. I've gotten very close to the internals of only two computers; both were IBM second generation machines, the 7074, and the 1401. I programmed both in assembly and machine code; even wrote diagnostics for the 7074. I can guarantee that those machines, much simpler in design than today's multi-processors, and also much slower, were somewhat unpredictable. We found some nasty situations that required special code loops to mask/unmask interrupts, so that the machine could run. A "machine" as seen by the applications programmer, is already several layers [raw hardware, microcode, operating system kernel, run-time libraries, compiler]; and each layer is perhaps nearly a million pieces [IC's, lines of (micro)code] that may interact with nearly a million other pieces in other layers. What I suspect here is a "problem of scale" akin to the well know idea that there are real limits to what one can build with a given material; e.g., bones can't support animals much over 100 feet tall; because the internal tensile and sheer stresses will at some point destroy the molecular integrity of the materials. We can analyse the few hundred lines of code, in the kernel of an I/O driver, running on naked second generation hardware; I did that. But can we examine the millions of lines of code that comprise the micro-instructions, the operating system, and the engineering applications on a multi-processor system, and hope to understand ALL the possible side-effects? Color me skeptical. Thus, because we put machines "in control" of significant events in our lives [ATM's, FFA stuff, weapons simulators, etc.]; and because EVEN AFTER we've made our best personal and professional attempt to eleminate the errors; and even after the system has run "a thousand test cases" it still has errors - not necessarily "hard failures" that the C.E. can fix, but "transients" that are sensitive to timing ; for all these reasons, I'll argue that "machines make errors" in much the same sense that people mispronounce words or make mistakes driving. It's not that we don't know better; it's not that we've suffered some damage; it's that we aren't perfect; neither are our computers. And sometimes there's "nothing wrong" that can be fixed. If we continue this discussion long enough, we'll approach the metaphysical notion of "free will and determinism." I don't think that's necessary; I think our current systems have already exceeded our ability to predict them 100.0%, even in theory. Bob ------------------------------ From: eugene@AMES-NAS.ARPA (Eugene Miya) Date: 3 Sep 1986 1714-PDT (Wednesday) To: neumann@sri-csl.ARPA, risks@sri-csl.ARPA Subject: Flight simulators [I thought that by now these simulators were designed so that they could be driven by the same software that is used in the live aircraft ... Don't forget that very few aircraft use "software." Software is a radically new concept to aircraft designers: F-16, F-18, X-29A, and so forth. change in one place would be reflected by the same change in the other, although changing the application code without having to modify the simulator itself. Maybe not... PGN] The problem comes when it's asked "What do you simulate?" The view? The feeling? Handling characteristic?->based on aerodynamics->computational fluid dynamics->??? True, those games your can buy for an apple two are simulators, and we have a $100 million test facility (6 stories high) which is a simulator. But there are limits to simulation: we don't know how to simulate the flight characteristics of a helicopter, we don't know how to automate a helicopter: (any one know of a microprocessor which can withstand 800-1600 Gs?). Anyway, Peter, you are invited to talk to our simulator people if you want to answer this one, as I don't have the time. Danny Cohen has been here. Another thought: as simulators become more "real" [as in some of ours] they require increasing amounts of certification BEFORE you can use a simulator [does this sound like a paradox in some ways? hope so]. I saw an experienced pilot told they he could not use a simulator in some mode (motion base). --eugene miya, NASA Ames Research Center {hplabs,hao,dual,ihnp4,decwrl,allegra,tektronix,menlo70}!ames!aurora!eugene ------------------------------ Date: Wed, 3 Sep 86 23:59:56 PDT From: allegra!utzoo!henry@ucbvax.Berkeley.EDU To: allegra!CSL.SRI.COM!RISKS Subject: F-16 software Phil Ngai writes: > It sounds very funny that the software would let you drop a bomb on the wing > while in inverted flight but is it really important to prevent this? ... This issue actually is even more complex than it sounds, because it may be *desirable* to permit this in certain circumstances. The question is not whether the plane is upside down at the time of bomb release, but which way the bomb's net acceleration vector is pointing. If the plane is in level flight upside-down, the vector points into the wing, which is a no-no. But the same thing can happen with the plane upright but pulling hard into a dive. Not common, but possible. On the other side of the coin, some "toss-bombing" techniques *demand* bomb release in unusual attitudes, because aircraft maneuvering is being used to throw the bomb into an unorthodox trajectory. Toss-bombing is common when it is desired to bomb from a distance (e.g. well-defended targets) or when the aircraft should be as far away from the explosion as possible (e.g. nuclear weapons). Low-altitude flight in rough terrain at high speeds can also involve quite violent maneuvering, possibly demanding bomb release in other than straight- and-level conditions. Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry ------------------------------ Date: Wed, 3 Sep 86 01:34:17 EDT From: princeton!ken@seismo.CSS.GOV To: csl!risks@seismo.CSS.GOV Subject: Terminal (!) lockup From the User's manual for the Concept AVT terminal, p. 3-52 (Human Designed Systems, Inc., 3440 Market Street, Philadelphia, PA 19104): "Note: since the Latent Expression is invoked automatically, it should not contain any command that resets the terminal, either implicitly or explicitly. If any such command is included in the Latent Expression, the terminal will go into an endless loop the next time it is reset (implicitly or explicitly) or powered up. The only way to break out of this loop is to disassemble the terminal and physically reset Non-Volatile Memory. ... " Having a sequence of keystrokes that will physically disable a terminal seems to me a bad thing. For one thing it makes me awfully nervous when I'm changing the Latent Expression. For another, it opens up the possibility of having my terminal physically disabled by people or events outside my control. (I don't know whether this effect can also be caused by a sequence of bits sent to the terminal.) I wonder: How common is this property of terminals (or other equipment)? Does the phenomenon have a (polite) name? Is it so hard to avoid that we should be satisfied to live with it? Is it clear how to test for the possibility? Does anybody have any experience with this phenomenon? [You have found the tip of the iceberg of Trojan horses that can take over your terminal, processes, files, etc. PGN] Ken Steiglitz, Dept. of Computer Science, Princeton Univ., Princeton, NJ 08544 ------------------------------ End of RISKS-FORUM Digest ************************ -------