The RISKS Digest
Volume 3 Issue 40

Thursday, 21st August 1986

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o QA on nuclear power plants and the shuttle
Eugene Miya
Ken Dymond
o CAD, Simulation, Armored Combat Earthmover, and Stinger
Mary C. Akers
o Risks Distribution List — Private-Copy Subscribers PLEASE READ!
o Could computers launch a nuclear attack?
Jeff Myers
o Info on RISKS (comp.risks)

Re: QA on nuclear power plants and the shuttle (re "portary"-als)

Eugene Miya <eugene@AMES-NAS.ARPA>
20 Aug 1986 1045-PDT (Wednesday)
> Date: Tue, 19 Aug 86 11:50:39 edt
> From: allegra!phri!roy@seismo.CSS.GOV (Roy Smith)
> ... I watched "The China Syndrome" on TV... moderately-trashy movie...
> Anyway at one point, the hero exclaims, "but our quality control
> is second only to NASA's!"  Shows you the RISKS of making comparisons,
> doesn't it?  Do nuclear plants have O-rings?
>             [No, but they do have lots of reports of equipment failures 
>              and human errors that don't seem to get wide public view.  PGN]

Risks of films?

I saw China Syndrome the day TMI occurred.  It is a reasonably accurate
film, with a minimum of dramatic license (the "vibration" is an example of
this as control rooms tend to be more isolated.).  I don't regard the film
as trashy.  There are deliberate attempts by film makers to be "realistic",
and this film was well researched.  In contrast, War Games looked trashy to
computer people.  The screenplay writers gave a talk about the film at the
Palo Alto CPSR meeting.  They deliberately used obsolete hardware so that
companies like A*e might not sue them.

Sorry, Peter, you are wrong.  Reactors do use O-rings.  Your car uses
O-rings; one just failed in my VW Rabbit.  The problem of reporting is
historical and dates back to the late 40s and the "mysticism" on about
nuclear information.  It is very easy to classify nuclear information:  for
instance, it is not forbidden to have civilians in any nuclear control room
(they are not much different from coal fired plants in layout).  This was
driven by the concern for nuclear terrorism in the late 1970s.  It boils
down to whether nuclear power should be under civilian or military control:
I know civilian physicists at LLNL who think the original decision in the
1940s was a mistake.  (They feel it should have been kept a military secret.)

NASA's QA.  I've not worked on QA.  The problem might be in the Q:
The paperwork for individual Shuttle tiles weigh more than the tiles
themselves.  There is a photo in Scott Crossfield's autobiography (1964?)
showing paperwork for the X-15 exceeding 3 times the weight of the X-15.
We must not mistake quantity for real quality.  Maybe software should have
more paper....  Let's not confuse quantitative assurance and qualitative.

Lastly, (here's the nerve you hit), Hans Mark (currently head of the U of
Texas) gave a talk at Ames on Monday on Challenger and Chernobyl.  Hans is
and was in a unique position to talk about both.  He was a chief at LLL,
taught nuclear engineering at UCB for 10 years, ran Ames, ran the Air Force,
#2 man at NASA and made flight decisions for the first dozen flights (O-ring
charring on fights 2, 8 and later).  He was interviewed by the Rogers
Commission.  "O-rings, did not seem like that much of a problem in contrast
to other problems like nozzle burn thru..."  Mark has decided to write an
article based on this talk.

He feels somewhat responsible even though he is no longer with NASA.  He had
scheduled a review regarding O-rings during a period when he took his
new U-Texas job.  The review never took place.  (Lame duck administrator,
in his words.)  The men who made the final launch decisions were
and still are friends of his.  The Chernobyl portion was a recapping of known
information.  In both cases, Mark cites the need for communication
between management and workers.

--eugene miya
  NASA Ames Research Center

    [I saw it the NIGHT BEFORE TMI! But I asked Gene about whether 
     those other O-rings also had problems at low temperatures.  (PGN)
     This was Gene's reply:]

        Cars: Mine was 8 years old.  It was an external seal, it failed at
        80 degs F.

        Power plants: probably not.

        I would think antarctic snow cars have O-rings and fan belts and all
        sorts of things that snap.


Re: QA at Nuclear Plants

"DYMOND, KEN" <dymond@nbs-vms.ARPA>
21 Aug 86 09:41:00 EDT
    PGN comments in RISKS 3-39 on "QA on nuclear power plants and the shuttle":

         >No, but they [nuclear power plants] do have lots of reports
         >of equipment failures and human errors that don't seem to
         >get wide public view.

It may depend on how interested the public is.  These reports (and probably
PGN is referring to the Licensee Event Reports or LERs which are compiled by
the NRC from plants, i.e. holders of licenses to make electricity from
nuclear power) are matters of public record.  The NRC distributes them to
all plants as notices of the kinds of things that happen and should be
watched for.  They are also maintained in the NRC's public documents room in
the D.C. area and in a local public documents room near every nuclear plant.
I know of at least one public library (Wiscasset, Maine) that keeps LERs on
file because of public interest in the Maine Yankee plant nearby.

Most of the time LERs don't make exciting reading. I haven't seen an LER for
a while but a representative incident that comes to mind occurred at a plant
where the fuel tanks for the emergency diesel generators were allowed to get
300 gallons low (out of 3000 or 30000 gals., can't remember).  Some fuel is
used up in the weekly test of making sure the generators start and operate
and I guess the tanks are supposed to be topped up.  The 10 percent or so
shortfall of fuel would have been remedied at the next (I think it was
weekly) scheduled visit from the oilman.  I don't remember whether the NRC
levied a fine in this case.

The LERs serve as a record of errors in the industry, something that would
be a great help if it existed for software engineering.  Civil and
structural engineers investigate structural failures and publish detailed
results of the investigations in their literature, another practice that
software engineers might consider.

The LERs are supposed to be exhaustive and one thing the resident NRC
inspector at every plant does is to make sure that all events required by
regulations to be reported do get reported.  If the story about the
defective welds is true, it should be in an LER somewhere.

                                          Ken Dymond

CAD, Simulation, Armored Combat Earthmover, and Stinger

"Mary C. Akers" <>
Thu, 21 Aug 86 10:26:23 EDT
Recently the Risks list had a short discussion on the excessive use of CAD
systems.  The September 1986 issue of Discover Magazine has an article by
Wayne Biddle on the use and abuse of computer modeling and simulation.  It
is entitled "How Much Bang for the Buck?"  Here are a few interesting quotes:

     "I want to replace sterile computers simulations with more
     realistic testing under combat conditions," says Representative
     Charles Bennett of Florida, [...]"Weapons testing should ensure
     that our weapons work in combat, not just in the laboratory."  With
     that statement, Bennett zeroes in on the main bone of contention
     among those concerned with weapons design and testing: whether
     computer simulation and modeling can take the place of live
     trails with real equipment."

     "The thing we worry about most is validating our simulations (that 
     is, proving they're realistic), and validation is lagging, for sure.
     Without test data, an unvalidated simulation is all we have."

     "Simulated Flying is so different from real flying that the Navy
     finds that working in a simulator can be a detriment to safe
     operation of an airplane."

Some of the examples used in the article include:

     The Army's Armored Combat Earthmover (ACE) - "...which underwent
     18,000 hours of testing without ever being operated under field
     conditions.  [When it finally under went live trails at Fort Hood]
     ...the tests revealed that the ACE's transmission cracked, that is
     muffler caught fire, that the driver's hatch lid was too heavy to lift,
     and that doing certain maintenance work "could endanger the operator's

     "The Stinger, a 'man-portable' ground-to-air missile, proved too heavy
     for soldiers to carry on long marches; gunners must hold their breath
     after firing to avoid noxious fumes."

Risks Distribution List — Private-Copy Subscribers PLEASE READ!

Peter G. Neumann <Neumann@CSL.SRI.COM>
Wed 20 Aug 86 11:04:45-PDT
One of our readers asked to be removed from the RISKS list, forwarding this
somewhat heavy-handed note from an administrator at his institution:

  "Please unsubscribe from the lists you have joined.  At [...] individuals
  do not join mailing lists directly.  There will be a way for you to read
  the full distribution of lists in the fall.  For now I must ask you to
  stop receiving your own copies of everything."

When RISKS began a year ago, the initial intent was to provide individual
subscriptions only until appropriate BBOARDs could be set up.  For the
convenience of some individuals, we have continued to provide private
copies.  The local mailer overhead attributable to RISKS is nontrivial --
although the new intelligent mailers cut down on net traffic.  Disk storage
is now approaching 800 DEC-20 pages for the full collection to date.
Maintenance of the RISKS list continues to be a problem with all the address
changes, incessant notifications of individual nondeliveries (sorry if we
overflow your disk quotas!), host outages, etc.  [Welcome back, Dockmaster
-- which took months to recover from lightning hitting their IMP.]
Unfortunately, various BBOARDs have allocated enough space for only a few
recent back issues (presumably on the assumption that the earlier issues can
be FTPed or that they lose their timeliness).

If you receive a private copy and could conveniently be reading RISKS on a 
local BBOARD, please ask me to remove you from the list.  Thanks...  Peter

Could computers launch a nuclear attack?

Jeff Myers <>
Thu, 21 Aug 86 09:41:49 cdt
                 [NEW ARTICLE ON OLD TOPIC.  Earlier followers of this 
                  story may wish to read the last three paragraphs.  PGN]

[from the August 20 *Guardian*, p. 9]
By Dave Kadlecek, *Guardian* Bureau

SAN FRANCISCO — A Stanford University computer professional has sued
Secretary of Defense Caspar Weinberger, claiming that government plans
allowing computers to automatically launch a nuclear attack are

Clifford Johnson, a manager in Stanford's Information Technology Services,
filed the suit in federal district court in San Francisco June 17.  He
charged that the US government has a policy of operating a launch-on-warning
capability, under which the US would launch a retaliatory nuclear attack
against the USSR on the basis of a warning that Soviet missiles are on the
way, before unequivocal confirmation that an attack actually occurred.  Due
to the short times involved, such a launch capability relies upon
computerized warning systems which are prone to error and cannot allow for
meaningful human intervention in a launch decision.

This automatic decision illegally usurps congressional powers and delegates
presidential powers.  Thus, Johnson's suit argues, the resulting
``likelihood of a nuclear counterstrike and global environmental damage''
would deprive Johnson of life and property without due process of law,
giving him standing to sue now, since it would not be possible to do so
after a nuclear war.  He asked that the court declare that the secretary of
defense's oath of office ``obligates him to forthwith cease and desist from
operating his launch-on-warning capability.''

Under a cautious assumption that launch-on-warning is in continuous use only
during crisis situations, a number of studies have predicted that an
accidental nuclear war is statistically likely within the next 30 years.

Johnson maintains, however, that US policy already does continuously use
launch-on-warning capability by any normal interpretation of the word
``policy,'' but this denial means only that a formal decision will not be
made until a button is pushed when the warning occurs.  Indeed, a highly
sophisticated set of procedures and programs for a launch-on-warning is in
continuous operation, guarding against a feared ``bolt-from-the-blue''
attack by short-range submarine-launched ballistic missiles.  The Single
Integrated Operational Plan consists of a menu of nuclear ``attack options''
-- lists of targets with assignments of weapons to hit them.  The plan
contains launch-on-warning options, and procedures now in operation permit
the selection of a launch-on-warning option in response to a surprise

In support of Johnson's suit, Computer Professionals for Social
Responsibility (CPSR) emphasize the inevitability of some computer error in
a system as complex as a launch-on-warning system.  The most dangerous
computer errors are not failures of the device itself (hardware errors), but
of the programming (software errors), stemming ``not from inadequacies in
the technology, but rather from the inability of human beings to formulate
totally adequate plans (programs) for dealing with complicated, poorly
understood situations,'' says CPSR.  CPSR is ``concerned that the government
is pursuing a launch-on-warning capability, in the mistaken belief that
computer technology can safely be entrusted with important decisions
regarding the release of nuclear weapons.  If this course is allowed to
continue unchecked, it is only a matter of time before a catastrophic error


Though not an attorney, Johnson filed suit on his own behalf, and will argue
his own case through the resolution of government motions to dismiss the
suit, on which hearings are expected this fall.  However, he will need to
hire a lawyer if the case goes to trial, and the Lawyer's Alliance for
Nuclear Arms Control (LANAC) and the Center for Constitutional Rights have
agreed to help at the appellate level.

In addition to CPSR, support has come from peace groups and from former
aerospace engineer Robert Aldridge, coauthor of ``First Strike'' and
co-editor of ``The Nuclear Time Bomb,'' and constitutional scholar Arthur

Johnson had filed a similar suit in 1984.  He lost in district court when
the judge ruled that it was a political matter, not for the judiciary to
decide.  His appeal was rejected, not by upholding the lower court's
reasoning, but by ruling that since he then claimed only that the government
had a launch-on-warning capability, not necessarily a launch-on-warning
policy, the unused capability was not a threat over which he could sue.

Johnson's current suit includes sensitive information he had deliberately
excluded from his earlier suit, such as evidence that the Strategic Air
Command possesses the authorization codes needed to launch a nuclear attack.

``I've gone back, I've done my homework, I say we've got launch-on-warning
now and I'm prepared to prove it,'' said Johnson.  ``We're at peace, so why
risk my neck?''

Please report problems with the web pages to the maintainer