The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 34

Saturday, 9 August 1986


o Non-Flying Airplanes and Flying Glass
Jim Horning
o Failure Recovery, Simulations, and Reality
Danny Cohen
o Ottawa Power Failure
Dan Craigen
o Liability for Software Problems
Peter G. Neumann
o Ozone hole
Hal Perkins
o Re: Survey of Trust in Election Computers
Chris Hibbert
o Nondelivery of RISKS-2.38 (8 April 1986) and other mail
Communications Satellite [and PGN]
o Info on RISKS (comp.risks)

Non-Flying Airplanes and Flying Glass

Jim Horning <horning@src.DEC.COM>
Fri, 8 Aug 86 14:45:04 pdt
A number of people sent me information about the myth that the design flaw
in the Electras wasn't caught because of an undetected overflow.  (The most
detailed information came from someone who wishes to remain anonymous.)
Putting it all together, I am now convinced that the problem was not
undetected overflow.  Rather, it was a failure to simulate a dynamic effect
(gyroscopic coupling) that had never been significant in piston-engined
planes. So another myth bites the dust.  But the true story should remind us
that simulations are only as good as the assumptions on which they are based.

I solicit similar clarification of the story of the (then) new John Hancock
Building in Boston (the one that resonated and shed many of its exterior
glass panes when the wind came from a certain direction).  I know that there
was litigation about who was responsible for the additional costs: replacing
the glass; installing a huge lead deadweight mounted on shock absorbers in
an upper story to damp the oscillation; etc.  I don't recall the final
outcome. I do remember reading that there was a very narrow range of wind
directions that would excite the resonance, and that the simulations of the
design had unluckily missed that range.  Maybe some readers of Risks know the
details? Has there been a book or magazine article that explored the
computer angle (if indeed there is one)?

Jim H.

Failure Recovery, Simulations, and Reality

8 Aug 1986 18:38:58 PDT
In RISKS-3.27 Stephen Little, Computing & Information Studies, of
Griffith Uni, Qld, Australia. reported that:

     I have been told of one major accident in which the pilot followed 
     the drill for a specific failure, as practiced on the simulator, 
     only to crash because a critical common-mode feature of the system
     was neither understood, or incorporated in the simulation.

Being a pilot I find this report most important and interesting.

I am sure that the readers of RISKS would be better served by having
evidence to support such reports.  Major (and responsible) newspapers
have a verification procedures.  Since RISKS cannot afford this I'd be
delighted to help this process.

The best way to verify such a report is by a reference to the official
accident investigation report.  I'd be delighted to pursue this
reference myself if anyone can give me details like the date
(approximately), place (country, for example), or the make and type of
the aircraft.

This is a plea to provide me with this information.

                            Danny Cohen.

          [This is a very nice offer, and I hope someone can 
           provide enough details to take you up on it!  PGN]

Date: Sat 9 Aug 86 14:47:36-CDT
From: Dan Craigen  <CMP.CRAIGEN@R20.UTEXAS.EDU>
Subject: Ottawa Power Failure
To: risks@CSL.SRI.COM

    A brief fire at Ottawa Hydro's Slater Street station on the morning of
August 7th resulted in a loss of power to a substantial section of the
downtown core.  Even after 48 hours of effort, sections of the city were
still without power.

[From the Ottawa Citizen (Friday, 8 August 1986)]

     Top officials from Ontario and Ottawa Hydro today [Friday] are
  re-examining long accepted system reliability standards...
     Ottawa Hydro engineering manager Gordon Donaldson said ``the system is
  built to be 99.99 per cent reliable ... now we will be looking at going to
  another standard of reliability -- 99.999 per cent.''
     He also said that the cost would be huge -- many times the $10 million
  cost of the Slater Street station -- and hydro customers may not be prepared
  to accept the cost. ...
     The Slater station is the biggest and was considered the most reliable of
  the 12 across the city. It has three units, each of which is capable of
  carrying the whole system in an emergency.
     But ... all three were knocked out. ...
     The culprit, an Ontario Hydro board [called a ``soupy board''] which
  monitors the equipment at the substation, didn't even have anything directly
  to do with providing power to the thousands of people who work and live in
  the area.
     ... its job is to make the system safer, cheaper and more reliable....
     The board is considered so reliable that it doesn't have its own backup
  equipment. [!]

The economic costs of the power failure are expected to be in the millions of
dollars. It is unlikely that the Ottawa birthrate will increase. As columnist
Charles Lynch noted: ``The Ottawa power failure took place during the
breakfast hour, not normally a time when Ottawans are being polite to one
another, let alone intimate.''

We, at I.P. Sharp (Ottawa), lost both our VAXs; I have been unable to get onto
Tymnet for the past two days; ATMs as far as a 100 miles distant from
Ottawa were knocked out of commission -- the central computer that controls
them is in the area of outage; Many traffic signals are still out; and
a number of businesses still shut.
                                               Dan Craigen

      [Add this to the growing collection of problems in which a redundant
      system failed because of a weakest link in the redundancy itself!  PGN]

Liability for Software Problems

Peter G. Neumann <Neumann@CSL.SRI.COM>
Sat 9 Aug 86 11:48:40-PDT
All week long I have been waiting for either someone else to submit it or
for me to have a few spare moments to enter it:  an item from the Wall
Street Journal of last Monday, 4 August 1986, "Can Software Firms Be Held
Responsible When a Program Makes a Costly Error", by Hank Gilman and William
M. Bulkeley.  A few excerpts are in order.

  Early last year, James A. Cummings Inc. used a personal computer to prepare
  a construction bid for a Miami office-building complex.  But soon after the
  bid was accepted, the Fort Lauderdale firm realized that its price didn't
  include $254,000 for general costs.  Cummings blamed the error on the
  program it had used, and last October filed suit in federal court in Miami
  against the software maker, Lotus Development Corp.  The suit, which seeks
  $254,000 in damages, contends that Lotus' "Symphony" business program didn't
  properly add the general expenses, resulting in a loss in completing the

  Lotus, based in Cambridge, Mass., disputes that contention, araguing that
  Cummings made the error.  The case, however, has had a chilling effect on
  the software industry.  For the first time, industry officials say, a case
  ma go to court that could determine if makers of software for personal
  computers are liable for damages when the software fails.  Some software
  makers also worry that such a case, regardless of the outcome, may lead
  to other suits by disgruntled consumers.  [...]

  Software makers are particularly concerned about paying for damages
  resulting from faulty software -- rather than just replacing the software.
  Such "consequential" damages have been awarded in suits involving larger
  computers.  Other types of damages from computer disputes "come from
  saying what benefits you were supposed to get compared with what benefits
  you didn't get," says Richard Perez, an Orinda, Calif., lawyer.  Mr. Perez
  won a $2.3 million judgment against NCR Corp. for Glovatorium, Inc., a dry
  cleaner that said its computers didn't work as promised.

The article goes on to note that most PC software comes on an "as-is" basis,
which doesn't provide for correction of errors.  Under the limited
warranties, the buyer does not even "own" the program.  Illinois and
Louisiana have passed "shrink-wrap" laws which imply that when you open the
package, that is equivalent to signing a contract that lacks guarantee and
prevents copying.

In the case of Cummings, they noticed they had left out the general costs,
and added them as the top line of a column of figures.  The new entry showed
on the screen, but was not included in the total.  Keep your eyes open for
whether the blame is placed on a naive user not following his instructions,
or on the software not doing what it was supposed to (or both).

Ozone hole

Hal Perkins <>
Fri, 8 Aug 86 03:17:48 EDT
In response to PGN's request for sources on the ozone hole...

The New York Time's Science Times section on July 29, 1986 had a long
story on this (it starts on page C1).  The gist of the story is that
there's a big hole in the ozone layer over the south pole, nobody knows
how it got there, nobody knows what it means, it could be a very
serious problem, and scientists are investigating the situation.

As for computers and such, here are a couple of relevant paragraphs:

"The initial report of the hole by British scientists in March 1985
caused little excitement, partly because the British team in Antarctica
was not well known among atmospheric scientists.  Also, since their
data came from ground instruments measuring the ozone in a direct line
upward, they did not show the extent of the hole.

"But later last year, scientists at the National Aeronautics and Space
Administration produced satellite data confirming the British findings
and showing how big the hole was.  NASA scientists found that the
depletion of ozone was so severe that the computer analyzing the data
had been suppressing it, having been programmed to assume that
deviations so extreme must be errors.  The scientists had to go back
and reprocess the data going back to 1979."

Re: Survey of Trust in Election Computers

Fri, 8 Aug 86 10:30:03 PDT
I'm afraid your questions are too vague for me to give yes or no answers.
(I hope you'll give a count of non-respondents when you tell us how many
YESes and NOs you got.)  I'm not at all sure what it would mean for a voting
system to allow me to monitor how it worked.  Would it print out a trace of
its execution?  Would it let me know the running total of votes it had

What would it mean for the system to allow me to inspect the ballot it
cast for me?  Does that mean the "computerized" aspect is merely a
printer for ballots that will be counted later by hand or some other
computer?  Or does that mean that before I accept my votes it displays a
summary for me to approve, and it then adds them into its running total?

I'm not convinced I would ever trust a system that only kept running
tallys in software.  If there aren't paper ballots printed, then there
is no way to recheck the results.  In this situation, the machine that
later counts the paper ballots is much more important, and your
questions don't address this part of the process.

        [We await Kurt Hyde's results...]

[Nondelivery of RISKS-2.38 (8 April 1986) and other mail]

Communications Satellite <COMSAT@MC.LCS.MIT.EDU>
Fri, 8 Aug 86 19:43:54 EDT
============ A copy of your message is being returned, because: ============
"HEWITT-RISKS" at MC.LCS.MIT.EDU is an unknown recipient.
============ Failed message follows: ============
Received: from MX.LCS.MIT.EDU by MC.LCS.MIT.EDU via Chaosnet; 8 AUG 86  19:42:12 EDT
Date: Tue 8 Apr 86 21:15:55-PST
From: RISKS FORUM    (Peter G. Neumann, Coordinator) <RISKS@SRI-CSL.ARPA>

                                             [REST OF MESSAGE TRUNCATED...]

   [For the past week or so, I have been getting sequential notices of
    undeliverable mail from "Communications Satellite" -- four months after
    the original mailings of RISKS, and just another risk of running a forum.

    There was a news item last week about an entire bag of US mail from aboard
    the Liberty Ship Caleb Strong from World War II (May 1944) that was just 
    found undelivered by an exterminator in an attic in North Carolina.
    The Postal Service is trying to find the addressees, but was quick to add
    that it did not happen on their shift! (It blamed a soldier, who has since
    died.)  Here are two related items that I just happen to have filed away.

      Herb Caen's SF Chron column of 18 December 1973 noted a 1940 calendar
      mailed in 1939 to a customer in Utah that was returned "Addressee
      Unknown" during that week in 1973.

      The Martha's Vineyard Gazette of 30 March 1973 noted a postcard mailed
      in Asbury Park NJ, postmarked 11 August 1914, addressed to West Summit
      NJ and forwarded to Edgartown, Mass.  It arrived at that post office
      on 26 March 1973.

    With sleet and snow and dark of night, now computers are doing it,
    too -- and they don't even need to find excuses.  PGN]

Please report problems with the web pages to the maintainer