The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 10 Issue 18

Thursday 9 August 1990

Contents

o Roller Coasters scarier - but safer - than ever
Bob Felderman
o Risks of de facto standards
Michael L. Littman
o Re: 90% of research experiments fail, Risks of Statistics
Jeremy Grodberg
o Re: British Rail signalling software problem
Clive Feather
o Re: A Tough Roach ...
David Collier-Brown
o Info on RISKS (comp.risks)

Roller Coasters scarier - but safer - than ever (????????)

Bob Felderman <feldy@CS.UCLA.EDU>
Fri, 3 Aug 90 00:22:47 -0700
Excerpted from TIME magazine August 6, 1990

Two risks I noticed in the article:

In regards to the design of the coasters:

    To achieve these extremes, designers create computer-simulation
    models that show the effects of high speed and sudden force on the
    riders, the cars and the structure. This enables the engineers to
    build roller coasters with the steepest possible inclines and most
    sharply banked curves to create the illusion of breakneck speed.

Regarding the operation of the coasters:

    Most rides are directed by two sets of programmed logic controllers
    encased in small bunker-like rooms beneath the stations where the
    riders board the cars. The computers monitor the distances between
    trains by means of solid-state sensors embedded in the rails. If a
    train slows or stops, others behind it are halted. Multiple sets of
    pneumatic brakes can automatically slow a train down midway through
    a course. By allowing the new coasters to run three of more trains
    at the same time (as opposed to one on the old rides), the elec-
    tronics have boosted rider capacity from an average of 500 people
    an hour to more than 2,000.
          Park operators say the technology has also improved safety.
    Some coasters, like nuclear-missile launchers, require two attendants,
    pushing separate buttons, to dispatch a train. [text deleted]
          Operator error has been eliminated," asserts Richard Kinzel,
    president of Ohio's Cedar Point park. Says Paul Ruben, editor of
    "RollerCoaster!" magazine: "If people really knew how safe they are,
    roller coasters would lose a lot of their thrill."

Bob Felderman, UCLA Computer Science    ...!{rutgers,ucbvax}!cs.ucla.edu!feldy


Risks of de facto standards

Michael L. Littman <mlittman@breeze.bellcore.com>
Sat, 4 Aug 90 08:47:01 -0400
Richard Stallman of the Free Software Foundation (the GNU folks) recently
announced on the gnu.announce mailing list that the Lempel-Ziv-Welch algorithm
on which "compress", "uncompress", and "zcat" may be covered by a patent
assigned to Unisys.  Unisys claims that people should not be running these
programs without their permission.

Since "compress" is the de facto standard method for moving big files across
the net cheaply (and I believe for high speed modems as well), this could
create some serious problems.  For one thing, if people stop using compress it
could really put a strain on the network.

On the other hand, sending people compressed files could put them in the
potentially legally precarious position of running uncompress without
permission.  This is the position the GNU folks seem to be taking.  They will
either find a new data compression algorithm or send around uncompressed files
(as soon as they can find the disk space to store the uncompressed tar files!)

If the POSIX committee is not able to license the algorithm, they will drop
these utilities from the next draft of the standards (according to a draft of
the POSIX user portability extension standard P1003.2a).

Depending on your political orientation, this can be viewed as a RISK of
software patents or a RISK of dependence on a de facto standard.  In either
case, life may be a little tougher without "compress".

Michael L. Littman [MRE 2L-331 x-5155]   mlittman@breeze.bellcore.com


Re: 90% of research experiments fail, Risks of Statistics

Jeremy Grodberg <jgro@apldbio.com>
3 Aug 90 04:31:07 GMT
In Risks 10.16, Eugene N. Miya <eugene@wilbur.nas.nasa.gov> claims that 90% of
research experiments fail.  I trust he is using a different definition of
failure than most scientists.

An experiment is a test designed to discover something not yet known.  An
experiment fails only when nothing is learned.  It is usually (some would
say definitively) the result of improper design of the experiment.

It is a matter of lore that Thomas Edison tried over 1000 different materials
for making light bulb filiments before finding tungsten.  I view that (as I
believe most scientists would) as 1000 successful experiments, 999 showing that
certain materials won't work, and probably giving some indication as to why.  I
expect the 90% failure rate Mr. Miya speaks of is from the point of view that
this was 999 failures and 1 success.  I also suspect that this figure was more
or less invented ("estimated" is the conventional euphemism) by someone,
although probably not Mr. Miya.

The Hubble (which is what started all this) is a (partial) failure because its
mirror problems are keeping parts of the telescope from providing anything
useful; it is not discovering anything not previously known.  This is quite
different from having a perfect Hubble showing us that the view from up there
looks exactly like the view from down here; that would be very surprising and
educational indeed!

Improper use of statistics is one of the greatest problems we face today.
Most often, their use is misleading just as in this example, where vague
terms obscure the actual meaning of the statistic.  If 90% of government
funded experiments fail (as I take the meaning of failure), this is a very
serious problem calling for overhaul of the whole government funding system.
If, however, the 90% just don't yield the hoped for outcome, who cares?

Some anti-abortionists claim they have surveys indicating a vast majority
of Americans "support some restrictions on abortion."  This could conceivably
mean that most Americans feel that women should have to wait at least 4 hours
between the time they ask for an abortion and the time it is performed, to
give them a chance to change their mind.  Obviously the intent is to make
people think that most people are opposed to people having abortions.
Please no flames on abortion politics, this is just about the statistical
claim, which I believe was made to support AT&T's decision to withdraw its
support from Planned Parenthood.

I wish there were some way we could reduce the risks to society of statistics.
We have drug testing, sobriety checkpoints, tax systems, and all sorts of other
government programs which are sold to the public on the basis of just such
statistics.  A recent Scientific American article refuted the claim that
mandatory testing of employees for drugs is beneficial, by reexamining the
studies and what their results can show; these results were often used in a
misleading way by citing only some statistical findings.  Other researchers
have determined that there is no sound basis for the cholesterol-lowering
treatment regimens many people are put on to reduce the risk of heart attack;
the studies indicate a correlation between high cholesterol and risk of heart
attack, but do not show that lowering cholesterol by the amounts normally
achieved with "conventional" treatment have *any* effect on heart disease.
(There is a brand new study which shows some beneficial effects of a
comprehensive therapy which reduces cholesterol among other benefits, but that
study reduces cholesterol much more than "conventional" therapies, and they do
not even claim that the cholesterol reductions are the reason for the therapies
success, since some people in the study had very high levels even after the
reduction.)

So be very skeptical of statistics, and try to find a solution to this problem.
Meanwhile remember, as some net-person reminds us in his signature,

  97.43% of all statistics are made up.

Jeremy Grodberg


Re: British Rail signalling software problem

Clive Feather <clive@x.co.uk>
Tue, 7 Aug 90 06:40:54 bst
In Risks 10.15 Peter Mellor quotes an article from the Guardian about
signalling problems in British Rail.

I would like to add a few comments on this material lest Risks readers get the
wrong ideas.

>From the descriptions in the article, and from memory, the area is fitted with
what is known as an NX signalling system with a VDU and tracker-ball based
user interface. These systems consists of two independent parts - the
interlocking and the control system.

The interlocking is relay based circuitry which actually controls points and
signals. In computer terms, its input are push buttons and hardware train
detectors (usually track circuits, which detect trains because they connect
the rails together electrically), and its outputs are signal lamps, points
motors settings, and display lamps.

The interlocking is a safety-critical system, and is designed accordingly.
The system must be proof, for example, against any combination of relays
failing normally, and against an earth fault at any single point. It is the
responsibility of the interlocking to ensure that two trains cannot be
signalled on colliding paths, for example.

> A BR spokesman said newly installed software, responsible for flashing up the
> position of trains on the indicator screens of signal operators at Wimbledon,
> has been found to contain two technical faults.

In older installations, the push buttons and display lamps mentioned above
are physically present; a route is set for a train by pressing two buttons,
and a train's presence is indicated by a magenta light. In newer systems,
including I believe the one in question, the displays and controls are
computer and VDU based. The display system is *not* safety critical, as any
malfunction can only cause bad commands to be sent to the interlocking.

A third part is the train identification system. This takes information from
the interlocking and from manual input, and displays train identities on the
control panel or screen. It has no input back to the interlocking, and so is
also not safety critical. BR has used computers in these systems for thirty
years.

It would appear from the quote that one of these two failed.

> An internal investigation began after an operator found
> that the system was providing "the wrong information". Realising that he had
> lost track of train movements, the operator immediately turned all signals to
> red.

A bit drastic ! The trains would all be following safe and valid routes.

> A spokesman said that at no time was any train at risk. "What happened caused
> concern to the signalman."
True.

> The lights told him that something was different to what was happening
> [outside]." ...
> The software faults were found inside the panel in the train indicator box in
> a system responsible for operating the lights. ...
> BR conceded that the faulty equipment served a vital function ...

Vital, but not safety critical.

Paul asks:

> It would be nice to know *how* the signalman knew that he was being given
> wrong information, and what would have happened if he had not been so alert,
> and continued to operate the network with the wrong information.

Depending on which sub-system failed, perhaps he was seeing routes set which
cross each other, or train 1E23 on his panel (this train is never less than
200km from Waterloo). Trying to operate the system blind (assuming the
push-button simulator wasn't malfunctioning as well) would be awkward, but
certainly less difficult than operating with all signals at red and trains
moved through verbal orders.

> If, as the manufacturer states, the system is under test, why was it being run
> to control live traffic without any back-up system?

First you test it on a model railway. Then you hook in the display system in
parallel with the existing one, and see what happens. Eventually, however, you
have to go live.

Clive D.W. Feather, IXI Limited, 62-74 Burleigh St., Cambridge   CB1 1OJ UK
Phone: +44 223 462 131


Re: A Tough Roach ... [RISKS-10.17]

David Collier-Brown <davecb@nexus.yorku.ca>
Fri, 3 Aug 90 11:53:16 EDT
  In "Design for the Real World" (author forgotten!) televisions for hot
third-world countries are discussed briefly: they're sealed, with a largish
heat-sink making up part of the case.
  Purchasing a computer in New York is therefor a RISK, since they don't
realize they're a third-world county and take requisite steps...

--dave (:-)) c-b

David Collier-Brown, 72 Abitibi Ave., Willowdale, Ontario, CANADA. 416-223-8968

Please report problems with the web pages to the maintainer

Top