The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 3 Issue 89

Tuesday, 28 October 1986

Contents

o Airplanes and risks
Alan Wexelblat
o TSE, Air Canada
Matthew Kruk
o Big Bang
Robert Stroud
o Physicists on SDI and engineering..
Herb Lin
o ABM, SDI, and Freeman Dyson
Peter Denning
o Info on RISKS (comp.risks)

Airplanes and risks

Alan Wexelblat <wex@mcc.com>
Tue, 28 Oct 86 11:23:52 CST
Today's paper has a couple of airplane-related items that got me to thinking.

One item is a story on how the FAA is going to adopt strict rules for small
aircraft in busy airspaces and establish a system to find and punish pilots
who violate these rules.  The question this brought to mind is: is this the
right approach for the FAA's problem?  How about for computer systems?  Can
(or should) we manipulate the user so that he uses the system the way we
designers intended it to be used?  Is training the answer (as suggested by
the Navy emergency stories)?

The next item is an analysis of the emergency aboard the Thai jet.  Apparently
the fault is similar to the one that doomed the JAL 747 that crashed recently
in Japan.  The factor that made the difference -- according to Hiroshi Fujiwara
who is deputy chief investigator of Japan's Aviation Accident Investigation
Commission -- was that the Thai Airbus A-300 retained hydraulic control of
the flaps and rudder on the tail.

Both the 747 and the A-300 have triply-redundant hydraulic systems, but on the
747 all three pass through the rear bulkhead in the same opening.  Thus all
three were ruptured at once.  On the A-300 there are three separate
openings and while two of the systems were ruptured in the Thai jet, the
third remained usable.

The related question is: can we make use of this feature in computer systems
(hardware or software)?  That is, if a program has three ways of doing
something can we isolate them so that a bug somewhere doesn't simultaneously
cripple all three?  Can we (given needs like security) separate computer
hardware so that it is much more difficult to simultaneously destroy primary
and backup hardware?

Comments and discussion welcomed.

Alan Wexelblat
ARPA: WEX@MCC.ARPA or WEX@MCC.COM
UUCP: {seismo, harvard, gatech, pyramid, &c.}!ut-sally!im4u!milano!wex


TSE, Air Canada

<Matthew_Kruk%UBC.MAILNET@MIT-MULTICS.ARPA>
Mon, 27 Oct 86 10:46:30 PST
No doubt you will hear more about these items from better informed sources. I
merely heard brief summaries on the morning news today (Monday, 27th).

1. The Toronto Stock Exchange computer went down for about 5 minutes this
   morning. No cause given (yet).

2. A fire in a building, which houses the main computer (reservations?) of Air
   Canada, in Montreal. An Air Canada official cannot predict the effect on
   people holding advance registration. Damage cost estimates run in the
   millions.

Presumably there will be more information in tonight's paper. I'll try to get
a summary out as soon as I can.


Big Bang [Also noted by Martin Minow. Thanks.]

Robert Stroud <robert%kelpie.newcastle.ac.uk@Cs.Ucl.AC.UK>
Tue, 28 Oct 86 19:42:40 gmt
Yesterday, October 27th, was the day of the Big Bang in the City - a revolution
in the way in which the Stock Exchange is organised. Basically, three things
happened - the market was opened to foreigners, the distinction between jobbers
(who trade on their own account) and brokers (who buy and sell on behalf of
clients) was abolished (thereby introducing potential conflicts of interest
and necessitating the erection of so-called Chinese Walls to prevent this),
and finally, guaranteed minimum commissions were removed, making things much
more competitive. Wall Street went through something like this on May Day a few
years ago.

Anyway, these three changes led to the introduction of new computing systems
developed in something of a rush to meet yesterday's deadline. Most
important of these was the Stock Exchange Automated Quotation system (SEAQ)
which several companies had to switch to by default at the last minute when
they realised that their in-house systems would not be working in time. SEAQ
provides information over the Topic network to 10,000 terminals about share
prices - dealing is still done manually (at least until next year) although
the SEAQ system is supposed to be updated continuously to reflect the
trading.

There was a full-scale rehearsal last week when the Stock Exchange opened on
a Saturday for the first time in its history. Not everything went smoothly
and there were complaints about prices not being updated for as long as 20
minutes, making it possible to buy at one price and simultaneously sell at
another.  However, as late as Sunday afternoon, the chairman of the Stock
Exchange Council was defiantly challenging anyone to demonstrate that this
was still a problem.

Well, I'm sure that RISKS readers can guess what happened on Monday morning.
The system lasted half an hour before it broke down at 8.30am! Although it
was later up and running, and the problem was with the antiquated Topic
network rather than the SEAQ system itself, there are fears that it could
happen again under crisis. Apparently, this failure was caused by curiosity
- everybody wanted to try out the new system at once, and it couldn't cope.

Curiosity is an interesting example of human behaviour causing a computer
system to fail. I believe the telephone companies have a similar problem on
Mother's Day when the pattern of usage is abnormal.

Another example of human behaviour has been the reaction of the dealers to
the new system, to some extent invalidating the whole concept. Only time
will tell whether this is just suspicion of a new technology or a real
problem. However, at present the dealers are rather wary and are therefore
only offering small deals on the system (up to 1000 shares) so that the big
deals (100,000) are still negotiated over the telephone. This is partly a
defensive move because the system is (rightly or wrongly) perceived as being
slow, making it possible to offer unrealistic prices not in line with the
market - the real market is off the screen. Equally, some market makers "are
playing complicated games to test their competitors and this is likely to
become a feature of the new markets".  One dealer has even gone so far as to
describe the SEAQ terminals as "useless".  [This paragraph extracted from an
interesting article in today's Times entitled "New screens 'fail to catch
full deals'" by Richard Thomas]

Naturally, there has been a wealth of material about all this in the media
recently, and today, all the papers are competing with each other for puns
on Big Bang! When the dust settles on this most public of failures, RISKS
archaeologists will have plenty of relics to excavate. Here is one of the
more technical articles, reproduced without permission from today's Times,
(28th October p.21)

Robert Stroud,
Computing Laboratory,
University of Newcastle upon Tyne.

ARPA robert%cheviot.newcastle@ucl-cs.ARPA (or cs.ucl.ac.uk if you trust domains!)
UUCP ...!ukc!cheviot!robert

             ++++++++++++++++++++++++++++++++++++++++

            "Big Bang shambles as computer breaks down - 
             Goodison blames Topic subscriber's curiosity"

by Michael Clark

(c) Times Newspapers PLC

Yesterday's disastrous debut for the Stock Exchange Automatic Quotations
system was a prime example of Murphy's Law: "If something can go wrong, it
will". But the problems encountered by dealers on the trading floor stemmed
from technical problems at Topic, the Stock Exchange's own tried-and-tested
screen-based information system.

Topic went off the air at 8.30am - a crucial time for traders hoping to
establish the price of stocks ahead of the official start of dealings at 9am
- and stayed down for more than an hour, apart from one intermission. The
break also resulted in all operations on SEAQ being suspended for the same
period.

Stock Exchange officials blamed a breakdown in the link between Topic and
SEAQ.  Market-makers feed their prices into the SEAQ computer which are then
updated and displayed on the 10,000 Topic terminals situated in the City
offices of brokers and fund managers.

Sir Nicholas Goodison, chairman of the Stock Exchange Council, described
Topic as the world's eye on the market and said that although it had enjoyed
a high level of reliability, it was six years old and considered fairly
antiquated by today's standards.

A Stock Exchange spokesman quickly blamed curiosity for the failure: "The
system cannot handle all the Topic sets being used at the same time."

Topic was operating at maximum capacity yesterday, receiving 12,000 page
requests a minute, or 200 per second. [SEAQ itself is designed to handle 40
transactions per second, but the maximum demand yesterday was 22 per
second.] Sir Nicholas said that the system had suffered a small setback
which had been put right. He said that Topic had been overwhelmed by the
number of page changes which, normally, it would not have to cope with. Most
of it was simply curiosity by subscribers.

"If you want to put a monkey, or a dodo in a zoo, everyone will want to look
at it on the first day," he said.

But it is still possible the breakdown could happen again. SEAQ encourages
dealers and fund managers to use its screens more and a sudden surge of
business may overload Topic.

The Stock Exchange's technical officers say there are only a few adjustments
that can be made to Topic. One may be to introduce an automatically
triggered queuing system which limits the number of subscribers using the
system at any one time.  But many dealers fear this could lose them
business.

Meanwhile, there were still complaints from market makers about the time it
took for a price change to appear on Topic after dealing. There were reports
of delays up to one hour. Sir Nicholas said these would be checked but still
blamed market makers' own internal systems for the delay.
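An added illustration (not part of Robert Stroud's post or the Times article) of the overload and of the "automatically triggered queuing system" the article mentions: a small Python simulation comparing a Topic-like server with no admission control against the same server fronted by a bounded queue, using the article's figure of 200 page requests per second as capacity. The curiosity-surge demand profile, the assumption that an unprotected server collapses and needs a few seconds to recover when offered load exceeds capacity, and the queue bound of 400 are constructed assumptions, not figures from the article.

```python
"""Overload vs. admission control, modelled per second (added example)."""

CAPACITY_PER_SEC = 200   # Topic's stated maximum: 12,000 page requests a minute


def curiosity_surge(seconds, baseline=120, peak=600, peak_start=5, peak_len=10):
    """Constructed demand profile: steady load, then everyone looks at once."""
    return [peak if peak_start <= t < peak_start + peak_len else baseline
            for t in range(seconds)]


def run_unprotected(demand, capacity=CAPACITY_PER_SEC, recovery_sec=3):
    """No admission control. Assumption: the moment offered load exceeds
    capacity the server is overwhelmed, serves nothing, and needs
    recovery_sec seconds before it comes back (it then falls over again
    if the surge is still on, which is the 'could happen again' worry)."""
    served = seconds_down = down_left = 0
    for offered in demand:
        if down_left:                      # still recovering from the last collapse
            down_left -= 1
            seconds_down += 1
        elif offered > capacity:           # overwhelmed: go off the air
            down_left = recovery_sec
            seconds_down += 1
        else:
            served += offered
    return {"served": served, "seconds_down": seconds_down}


def run_admission_controlled(demand, capacity=CAPACITY_PER_SEC, max_queue=400):
    """Bounded queue in front of the server: each second admit requests only
    while the queue has room, reject the rest immediately, then serve at most
    `capacity` from the queue. Excess demand is shed, never allowed to take
    the service down."""
    queued = served = rejected = 0
    for offered in demand:
        accepted = min(offered, max_queue - queued)
        rejected += offered - accepted
        queued += accepted
        done = min(capacity, queued)
        served += done
        queued -= done
    return {"served": served, "rejected": rejected, "backlog": queued,
            "seconds_down": 0}


if __name__ == "__main__":
    demand = curiosity_surge(20)
    print("offered :", sum(demand))
    print("unprotected        :", run_unprotected(demand))
    print("admission control  :", run_admission_controlled(demand))
```

The unprotected run serves fewer requests in total than the queued run because every collapse discards the surge seconds entirely, whereas the queue turns the surge into explicit rejections that the terminals can retry.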


Physicists on SDI and engineering..

<LIN@XX.LCS.MIT.EDU>
Mon, 27 Oct 1986 20:01 EST
    From: decvax!utzoo!henry at ucbvax.Berkeley.EDU

    Hmmm.  If a group of aerospace and laser engineers were to express an
    opinion on, say, the mass of the neutrino, physicists would ridicule them.
    But when Nobel Laureates in Physics and Chemistry express an opinion on a
    problem of engineering, well, *that's* impressive.

I simply point out that the Manhattan Project was run by a bunch of
physicists.  The H bomb was transformed from an 80 ton clunker to a
practical device by physicists.  These were "mere" engineering
problems too.


ABM, SDI, and Freeman Dyson

Peter Denning <pjd@riacs.edu>
Tue, 28 Oct 86 11:10:29 pst
In RISKS 3.83, Ken Dymond noted that the ABM (anti ballistic missile
system) debate of the early 1970s is similar to the SDI debate of the
mid 1980s, and asked for sources that might shed light on the past
debate.  Here's one source known to me:

Chapter 7 in Freeman Dyson's WEAPONS AND HOPE is an excellent analysis
of the ABM debate.  He compares that debate with the ``star wars''
debate and finds both similarities and differences.  He sees a role
for (nonnuclear) ABM systems in a nuclear-free world, and expresses
the hope that the ABM debate will one day be reopened.  In contrast,
he considers ``star wars'' a technical folly, for reasons having
little to do with the reliability of the software systems.

Peter Denning
