The RISKS Digest
Volume 2 Issue 3

Saturday, 1st February 1986

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



o The possible vs the impossible
Dave Parnas
o RISKS generalizations
Jim Horning
o Challenger speculation
Henry Spencer
o Possible triggering of the self-destruct mechanism
Don Wegeng
o Redundancy in the Shuttle's Computers
Mark S. Day
o Galileo Plutonium power
Herb Lin
o Icing the Shuttle
Jim McGrath
o Info on RISKS (comp.risks)

Re: The possible vs the impossible

Dave Parnas <vax-populi!>
Sat, 1 Feb 86 08:52:11 pst
In response to an off the cuff remark by an unnamed physicist, Sean Malloy
writes, "Too many scientists over history have declared something impossible
or impractical that is commonplace today to reject some line of research
because of such pronouncements."  It is equally true that too many
scientists over history have declared to be possible or practical something
that was later found to be impossible or impractical to pursue some line of
research or development because of such pronouncements.  There have been
countless schemes to build perpetual motion machines, faster than light
transport, 600 user time-sharing systems, world champion chess programs,
unbreakable codes, impregnable forts, unsinkable ships, etc. etc.

We cannot reject a negative prediction simply because earlier negative
predictions have been wrong just as we cannot reject a positive prediction
simply because earlier positive predictions have been wrong.  To have
credence any prediction must be supported by detailed argumentation.  If
nobody can produce a convincing refutation of that argumentation, it is
foolish not to act on the prediction.  I would not support any effort to build
faster than light rockets until someone shows me the flaw in Einstein's
reasoning.  Any researchers who hope to execute the following algorithm,
"for I:=1 step 1 until 10,000 do `build rocket with n stages using DoD
funding'" should begin with a serious study of relativity, not with an SDI
proposal to build a national totem pole center.

David L. Parnas

RISKS generalizations

Jim Horning <horning@decwrl.DEC.COM>
1 Feb 1986 1339-PST (Saturday)
Thanks for the digest of the digest. In following Risks from day to
day, it was easy to lose sight of the general principles illustrated by
all the specific cases and discussions. I guess that I would add to
your list just one more generalization, concerning our ability to predict:

  If a system is complex, it is practically impossible to predict its
  sources of catastrophic failure. This is especially true in well-
  engineered systems, since good engineers make allowance for the
  problems that they foresee.

Jim H.
       [Jim, That is perhaps the most important of all.  Thanks.  Peter]

Re: Challenger speculation

Sat, 1 Feb 86 05:11:33 PST
Herb Lin writes:

> If you are into pure, unadulterated speculation, another possibility
> is that a bullet was fired into an SRB while it was on the ground, and
> lodged there.  When the fuel burned to that point, a jet leaked out,
> and triggered an explosion.

Alas for this particular speculation, the SRB fuel burns outward from the
booster axis rather than upward along the booster.  Combustion starts from
a hole running the full length of the axis, and reaches the outer casing
only at the very end of the burn.  There may well be a few places near the
ends where casing is progressively uncovered — I don't have drawings at
hand to check on this — but this imposes much more severe constraints on
aim.  All in all, it seems implausible.  All the more so because the SRBs
continued on after the explosion, reasonably intact with no signs of any
marked side thrust or substantial extraneous exhaust jets.

                Henry Spencer @ U of Toronto Zoology

Re: Possible triggering of the self-destruct mechanism

Don Wegeng <Wegeng.Henr@Xerox.COM>
1 Feb 86 12:24:16 EST (Saturday)
I heard on CNN last night that one of the latest theories about the
cause of the shuttle accident is that flames from a leak in an SRB may
have set off the explosives which are part of the ET self-destruct
mechanism. Not knowing anything about explosives, this seems plausible
to me.

On the other hand, PBS interviewed someone last night (the editor of an
aviation magazine, I believe) who said that a fuel leak in an SRB would
have probably caused it to immediately stray wildly from its previous
trajectory, but that the video of the launch seems to show both of them
continuing on in the same general direction after the explosion. I
believe that Range Safety did not destroy the SRBs until about 20
seconds after the explosion.


Redundancy in the Shuttle's Computers

Sat 1 Feb 86 12:58:03-EST
A submission in RISKS-2.2 was concerned about a Stratus-like comparator
mechanism being a single point of failure in the Space Shuttle's operations.
However, the space shuttle's redundant set doesn't use a comparator
mechanism.  Instead, the actuators are controlled by a hydraulic
"force-fight" mechanism, with each computer sending independent commands on
independent buses.  If one computer of four fails, the other three can exert
enough force to overpower its (presumably bad) commands.  If this pressure
differential persists for long enough, the overpowered one is hydraulically

For more details, see "Case Study: The Space Shuttle Primary Computer System"
by Al Spector and Dave Gifford in CACM 27 #9 (September 1984).
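As an added illustration of the force-fight arrangement described above (a toy model written for this digest page, not the Shuttle's real control law and not code from the post): four channels each push the actuator toward their own command with a force that saturates, so three agreeing channels overpower one disagreeing channel, and a channel that keeps losing the fight is taken off the actuator. The constants FMAX, GAIN, THRESHOLD and PERSIST and the bypass action are assumptions, since the post is cut off before naming what happens to the overpowered channel.

```python
# Toy "force-fight" voter for a four-channel actuator (added illustration, not
# the Shuttle's real control law). Each channel pushes the actuator toward its
# own command with a force that saturates at FMAX, so three agreeing channels
# overpower one that disagrees. A channel still fighting after PERSIST cycles
# is bypassed (assumption: the post is cut off before naming the action).

FMAX = 1.0        # force limit per channel (saturation); assumed value
GAIN = 1.0        # force per unit of command/position error; assumed value
THRESHOLD = 0.5   # |force| above this counts as fighting the others; assumed
PERSIST = 3       # fighting cycles before a channel is bypassed; assumed

def channel_force(command, position):
    """Force from one channel: proportional to its error, saturating at FMAX."""
    return max(-FMAX, min(FMAX, GAIN * (command - position)))

def settle(commands, active):
    """Position where the active channels' forces cancel (net force is
    monotone in position, so bisection between the extreme commands works)."""
    live = [c for c, a in zip(commands, active) if a]
    if not live:
        raise RuntimeError("all channels bypassed; actuator has no command")
    lo, hi = min(live), max(live)
    for _ in range(60):
        mid = (lo + hi) / 2
        if sum(channel_force(c, mid) for c in live) > 0:
            lo = mid      # net force pushes up: equilibrium is higher
        else:
            hi = mid
    return (lo + hi) / 2

class ForceFightActuator:
    def __init__(self, channels=4):
        self.active = [True] * channels   # channels still driving the actuator
        self.fight = [0] * channels       # consecutive fighting cycles
        self.position = 0.0

    def step(self, commands):
        """One control cycle: settle, then bypass any persistent loser."""
        self.position = settle(commands, self.active)
        for i, cmd in enumerate(commands):
            if not self.active[i]:
                continue
            if abs(channel_force(cmd, self.position)) > THRESHOLD:
                self.fight[i] += 1
                if self.fight[i] >= PERSIST:
                    self.active[i] = False   # overpowered too long: bypass
            else:
                self.fight[i] = 0
        return self.position
```

With three channels commanding 1.0 and one commanding 10.0, the actuator settles at 4/3 rather than anywhere near 10, and after three cycles the odd channel is dropped and the actuator returns to exactly 1.0.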


Galileo Plutonium power

Sat, 1 Feb 86 11:15:38 EST
    From: Martin Schoffstall 

Icing the Shuttle

Sat 1 Feb 86 19:16:42-EST
   From: Werner Uhrig  <CMP.WERNER@R20.UTEXAS.EDU>
   From TV-news coverage, I have the impression as if there might not
   have been adequate attention paid to icing which is supposed to
   have occurred this morning on the launch-pad.

My understanding was that the shuttle launch was delayed for more than
an hour due to the icing.  Since they delayed the launch specifically
because of the weather, I strongly doubt that they would have delayed
it for too short a period (if they are going to be yelled at by the
media for being overly cautious, then they might as well delay for the
full required time).

      [This subject drifts somewhat from the computer-related risks.
       However, because we have to train ourselves to think about
       vulnerabilities overall, I have included Jim's message.
       Jim, note the various reports of icicles.  PGN]
