RISKS-LIST: RISKS-FORUM Digest  Thursday 17 August 1989  Volume 9 : Issue 12

   FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  RISKS IS FINALLY MOVING TO CSL.SRI.COM! (PGN)
  Flaws in calculations, computer models in Trident failures (Jon Jacky)
  Voyager 2 software faults at launch, 1977 Aug 20 10:29 (David B. Benson)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, and nonrepetitious.  Diversity is welcome.
CONTRIBUTIONS to RISKS@CSL.SRI.COM, with relevant, substantive "Subject:" line
(otherwise they may be ignored).  REQUESTS to RISKS-Request@CSL.SRI.COM.
**** FTPable ARCHIVES WILL REMAIN ON KL.sri.com until 4 September 1989. ****
**** Sometime before then, the archives will appear on CRVAX.SRI.COM.   ****
FOR VOL i ISSUE j, ftp KL.sri.com[CR]login anonymous (ANY NONNULL PASSWORD)[CR]
get stripe:risks-i.j ... (OR TRY cd stripe:[CR]get risks-i.j
Vol summaries (i.j)=(1.46),(2.57),(3.92),(4.97),(5.85),(6.95),(7.99),(8.88).

----------------------------------------------------------------------

Date: Thu, 17 Aug 89 09:07:12 PDT
From: Peter G. Neumann
Subject: RISKS IS FINALLY MOVING TO CSL.SRI.COM!

This should be the last issue of RISKS that you will receive from the KL.
Subsequent issues should appear without interruption from the CSL.  As has
already been noted in the masthead for many months, all RISKS mail should be
directed to RISKS@CSL.SRI.COM or RISKS-Request@CSL.SRI.COM, depending on
whether you have a contribution or an out-of-band message, respectively.

Please send mail to the latter address ONLY IF YOU DO NOT RECEIVE a message
from RISKS@CSL.SRI.COM within 24 hours of your receiving this issue.  That
message from CSL will be identified by

  "From RISKS Forum SRI.COM>
   Subject: RISKS IS NOW ABOUT TO MOVE.  NO ACK REQUIRED IF YOU RECEIVE THIS."
[The DEC 2065 and its staff have been very good to RISKS for the past four
years.  Many thanks to Steve Milunovic for all his help.  PGN]

------------------------------

Date: Thu, 17 Aug 1989 9:21:56 PDT
From: JON@GAFFER.RAD.WASHINGTON.EDU (Jonathan Jacky, University of Washington)
Subject: Flaws in calculations, computer models implicated in Trident failures

Here are excerpts from a story that appeared on the front page of the
Thursday, August 17, 1989 NEW YORK TIMES:

DESIGN FLAW SEEN AS FAILURE CAUSE IN TRIDENT 2 TESTS --- by Andrew Rosenthal

WASHINGTON --- The Navy believes designers made a fundamental miscalculation
in building its biggest nuclear missile, the Trident 2, which has failed in
two of its three undersea tests, a Navy official said yesterday.

The first missile exploded on March 21, four seconds after it was launched
from a submarine off the east coast of Florida.  The second test, on August 2,
went largely according to plan, but the third blew up Tuesday.

Rear Adm. Kenneth C. Malley, head of the Navy's ballistic missile program,
said that despite computer simulations, engineers seriously underestimated
how much pressure is on the Trident 2 as it hurtles up through the water from
its submarine launcher.  He said they had also failed to anticipate the effect
of "water jets" caused by the missile's movement.

...

The Trident 2, which is 44 feet long and weighs 130,000 pounds at launching,
is much longer and nearly twice as heavy as the Trident 1 [...which is now in
service and which Trident 2 is scheduled to replace...].  Although engineers
expected the larger missile to create more turbulence than the Trident 1 as it
passed through the water, they miscalculated how much more and what effect
that would have on the Trident 2's rocket engines.

...

During testing "water jets" caused by the missile's movement contributed to
the turbulence.
After reviewing the tests of the Trident 1, the Navy said, such jets were
present, but had gone unnoticed because they had not affected the smaller
missile's flight.

...

The first time the missile was tested at sea, Admiral Malley said, the
unexpectedly strong pounding from the water jet caused the (missile's rocket)
nozzles to malfunction as soon as they fired above the water's surface.  The
missile began spinning in a spectacular cartwheel until it self-destructed.

...

In the third test, ... instead of spinning end-over-end, (the missile) began
flying on what at first seemed to be a normal trajectory ... "Then it appeared
to be losing some thrust control and it self-destructed."  Admiral Malley said
he had not yet studied the full body of data from the test.  But he said it
appeared that the aft-end pressure had severed electrical connections...

Asked whether the failures were a result of a design error or of a flaw in
manufacturing that left the rocket weaker than it should have been, Admiral
Malley said, "The device was built to specification.  There is no question
that it was designed the way it was intended to be designed."

As a result of the miscalculation, Malley said in an interview, the original
nozzles on the missile's first-stage rocket were not strong enough to
withstand the additional turbulence, and they had to be redesigned after the
first test missile exploded.  The Navy now must go back to the laboratories
to determine why the rebuilt nozzles failed Tuesday, Malley said.

...

Until the test failures, the Trident 2 was the one element of the Defense
Department's nuclear modernization program that was moving along smoothly,
having successfully completed 16 of 19 test firings from land...

Because there are so many Navy officials and subcontractors involved in the
Trident 2 program, it is impossible at this point to assess when or by whom
the miscalculations were made.  The prime contractor is Lockheed Corp.

...
------------------------------

Date: Wed, 16 Aug 89 12:35:15 PDT
From: dbenson@cs2.WSU.EDU (David B. Benson)
Subject: Voyager 2 software faults at launch, 1977 Aug 20 10:29

Excerpts from: "Voyager and the Grandest Tour Ever: Catching the Wave of the
Century", by Bruce Murray, California Institute of Technology's , Summer 1989,
(no volume number).  This article is itself excerpted from "Journey into
Space: The First Three Decades of Space Exploration", by Bruce C. Murray,
publ. W.W.Norton & Co., 1989.

[Except for inadvertent typos, the following is an exact quotation from the
article, including the misused quotation marks.  I shall refrain from other
remarks, leaving such to our Gentle Editor.]

...

Voyager 2's gyroscopes and electronic brain were alive during the
Titan/Centaur launch, monitoring the sequence of events in order to take
control upon separation.  But here the unexpected happened: Voyager 2's brain
experienced robotic "vertigo."  In its confusion, it helplessly switched to
backup sensors, presuming its "senses" to be defective.  Still no relief from
its disorientation.  Mercifully, the panicky robot brain remained disconnected
from Voyager's powerful thrusters, so it did not cause damage to the launch.
The Centaur attitude-control system -- under its normally behaving brain --
stayed in charge, suffering no "vertigo" and, as planned, electronically
correcting the disequilibrium of Voyager's brain just before separation.

From the control center John Casani and his terse engineers helplessly watched
(though mostly they listened, because there were not enough monitors available
to us in Florida) the antics of Voyager 2's disoriented brain.  One hour and
11 minutes after lift-off, Voyager 2 fired for 45 seconds its own special
solid rocket to provide the final push it needed to get to Jupiter.
One and a half minutes after Voyager's key rocket burn ended, a ten-foot arm
holding the television camera and other remote-sensing instruments was
unlatched and deployed as planned.  Then, more trouble.  Voyager's anxious
brain once again sensed an emergency.  This time it switched thrusters and
actuated valves to control the tiny bursts of gas used to stabilize its
orientation.  Voyager's robotic "alter ego" (its executive program) then
challenged portions of its own brain in a frantic attempt to correct the
orientation failure it sensed.

Next, Voyager followed the procedures JPL engineers had installed to cope with
the most dreaded emergency for a robot in deep space -- spacecraft attitude
disorientation.  (In August 1988 the Phobos 1 spacecraft of the Soviet Union
succumbed to such an emergency after receiving an erroneous ground command,
and in March 1989 Phobos 2 evidently met a similar fate.)  Voyager shut down
most communications with Earth in order to begin its reorientation.
Seventy-nine minutes passed while Voyager 2 struggled alone and unaided to
find the sun and establish a known orientation.  Finally, it radioed
confirming data.  For the moment, Voyager 2 was stable.

It was all work and no celebration that afternoon in the dimly lit High Bay
Conference Room, where, just days earlier, a seemingly healthy Voyager 2 had
checked out perfectly.  Were the redundant sensors malfunctioning?  Was the
state-of-the-art brain defective?  The technical discussion in the room was
poorly illuminated too.

All the new, supersophisticated fault protection in Voyager's electronic brain
operated on the now-painful presumption that it would be triggered by a
hardware failure billions of miles from Earth.  In that event Voyager would
be unable to establish even emergency communications with its human handlers,
who could not help it much at that distance in any case.
As a consequence Voyager had been programmed virtually to shut off
communications with Earth during such emergencies and to fix itself.  But,
somehow, these deep-space procedures had been triggered right after the
launch.  Now, because of those disrupted communications, we were not
receiving the useful flow of engineering-status measurements.  We simply
lacked enough information to figure out the causes of Voyager's mysterious
behavior, even though the spacecraft was so close to Earth that communications
normally would have been feasible under any emergency.

...

... There had been no hardware problems in the brain -- just a slight but
serious missetting of computer parameters.

...

------------------------------

End of RISKS-FORUM Digest 9.12
************************