The RISKS Digest
Volume 3 Issue 32

Wednesday, 6th August 1986

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


DC-10 Crash
Chuck Weinstock
Earthquake Reporting
The Recent Near-Disaster for the Shuttle Columbia
Peter G. Neumann
Traffic lights in Austin
Alan Wexelblat
Re: Laserprinter dangers
Graeme Hirst
Info on RISKS (comp.risks)

DC-10 Crash

6 Aug 1986 09:19-EDT
I have also heard the stories about pilots following the procedures in the
manual not being able to save the aircraft.  In the case of the American
Airlines DC-10 accident, the pilot executed the correct maneuver for loss of
engine power, but the effects of the missing engine caused it to go into a
stall.  However, the correction for the stall is 180 degrees different from
the correction for the loss of engine power, and thus the plane was lost.
The pilot possibly could have saved the aircraft had he known what was going
on.  The reason the pilot didn't correct for the stall is that he didn't
know about it (or knew too late) — because the missing engine supplied
power to the stall warning device.

Interestingly, at the time stories were circulating that some airlines
(e.g., United) had ordered their DC-10's with dual-redundant stall-warning
devices, powered off of multiple engines.

(I'm afraid I don't have a reference.  Probably Aviation Week and Space


Earthquake Reporting

Peter G. Neumann <Neumann@CSL.SRI.COM>
Wed 6 Aug 86 11:55:55-PDT
From the AP, Tuesday, 5 August 1986, Los Angeles:

  Three of five earthquakes that state agencies said rattled California on
  Sunday never happened, officials acknowledged yesterday.  The false reports
  by California's Office of Emergency Services and Department of Water
  Resources were blamed on static in the microwave system that transmits data
  from monitoring devices around the state to Sacramento.  Don Irwin, deputy
  director of Emergency Services, said his agency was trying to decide whether
  to change procedures and stop publicizing what he termed ``preliminary,
  unofficial information''.

  U.S. Geological Survey seismologists said yesterday that three small quakes
  shook the state on Sunday, two near San Jose and a third in the eastern
  Sierra Nevada.  No damage or injuries were reported.  The state agencies
  never reported one of the San Jose-area quakes, and reported three others
  that did not happen.

The Recent Near-Disaster for the Shuttle Columbia

Peter G. Neumann <Neumann@CSL.SRI.COM>
Wed 6 Aug 86 13:22:33-PDT
From the San Francisco Chronicle, Wednesday, 6 August 1986:

      WASHINGTON - The space shuttle Columbia (the launch preceding the
  Challenger disaster) came within 31 seconds of being launched without
  enough fuel to reach its planned orbit on January 6 after weary Kennedy
  Space Center workers mistakenly drained 18,000 gallons of liquid oxygen
  from the craft, according to documents released yesterday by the White
  House panel that probed the shuttle program.  Although [NASA] said at 
  the time that computer problems were responsible for the scrubbed 
  launch, Representative Bill Nelson, D-Fla., who flew on the mission, said
  yesterday that he was informed of the fuel loss while aboard the
  spacecraft that day...

    According to the appendix [to the panel report], Columbia's brush with
  disaster ... occurred when Lockheed Space Operations Co. workers 
  "inadvertently" drained super-cold oxygen from the shuttle's external tank
  5 minutes before the scheduled launch.  The workers misread computer
  evidence of a failed valve and allowed a fuel line to remain open.  The
  leak was detected when the cold oxygen caused a temperature gauge to drop
  below approved levels, but not until 31 seconds before the launch was the
  liftoff scrubbed.

    NASA said then that the liftoff was scrubbed [until January 12] because
  computer problems delayed the closing of a valve.  Space agency
  spokeswoman Shirley Green said yesterday that the fuel loss did not become
  apparent until much later.

The NY Times (same day) noted that the potentially catastrophic launch of the
Columbia without adequate fuel to reach its intended orbit could be blamed
on human error caused by fatigue.  "Investigators also concluded that many
key people working for NASA and its contractors work an excessive amount of 
overtime that has the potential for causing catastrophic errors in judgment."

The Chronicle article goes on to state, quoting the panel report, that
fatigue may also have contributed "significantly" to the disputed decision
by NASA and Thiokol officials to launch the Challenger in cold weather --
despite strong evidence that the O-ring booster seals were ineffective.  The
panel said "certain key managers obtained only minimal sleep the night
before the teleconference" in which the fatal decision was made.
Furthermore, a study of 2900 workers' timecards in the weeks before that
showed an "unusally high amount of overtime", during which time there were
five aborted launches and two actual launches.

I am astounded to look back over my list of computer-related disasters (an
update will appear in RISKS at the beginning of Volume 4 — it is now up to
5 pages) and find only one other space/missile/defense/aviation case that
could easily have been linked to fatigue.  That case was the KAL 007, whose
real cause is still a matter of much speculation.  (See ACM Software
Engineering Notes 9 1 and 10 3.)  One would expect that to be a more common

Traffic lights in Austin

Alan Wexelblat <>
Wed, 6 Aug 86 14:01:12 CDT
Yesterday, Austin experienced a sudden thunderstorm and some small power
failures.  One of the things knocked out by the power loss was the central
computer that coordinates the traffic lights in the downtown area.

The central controller is backed up by isolated controllers at each
intersection.  By my guesstimate, there are about 125 of these
intersections.  Two of the site controllers failed to operate, causing the
light at those two intersections to go out.

Is this a success or a failure for the system as a whole?  Of course we'd
like it if the backup was 100%, but is 2% an acceptable failure rate?

(Side note: the only adverse effect of the two failures was that humans
-- policemen - were required to stand in the downpour and direct traffic.)

Alan Wexelblat
UUCP: {ihnp4, seismo, harvard, gatech, pyramid}!ut-sally!im4u!milano!wex

    [Success — like failure — is relative.  Even the greatest successes
     can be disasters if we become overconfident.  Even the worst disasters
     can have some benefits if we learn from them.  In this case, the 
     result was clearly a qualified success, but would have been quite
     different if someone had been killed when the lights went out at one
     intersection.  PGN]

Re: Laserprinter dangers

Graeme Hirst <>
Tue, 5 Aug 86 15:27:52 edt
> Increasingly, large and "official" organisations [...] are using laser 
> printers to print the bills and other requests for money [...]

I cannot believe this will be a serious problem.  In fact, most organizations
are still using pre-printed stock, even if they use the laser printer to
do smarter things on it.  For example, my Ontario motor vehicle registration
is laser-printed on banknote-style paper.  My credit card bills and bank
statements are laser-printed on pre-printed paper that is virtually identical
in design to the paper used when they were impact-printed.  (This also has
programming advantages.)

Similarly, a new ATM at my bank prints its receipts on a role of paper like
that of a cash register, instead of the pre-printed cards used by older
models.  But the paper used has the bank's logo printed on the back to
prevent easy forgery.

The one exception I can think of is my city tax and water bills, which have
(on plain colored paper) the most ornate laser-printing imaginable — which
required some amazing hacking on the Xerox 9700.  Duplicating this would be of
the same level of complexity as forging pre-printed stock — which was
always possible even in the days of hand-writing and typewriters.

\\\\   Graeme Hirst    University of Toronto    Computer Science Department
////   utcsri!utai!gh  /   /  416-978-8747

Please report problems with the web pages to the maintainer