The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 5 Issue 60

Wednesday 18 November 1987

Contents

o Swedish trains collide
Rick Blake
o Hardware and configuration control problem in a DC-9 computer
Nancy Leveson
o Ethics, Liability, and Responsibility
Gene Spafford
o Blackhawks and Seahawks
Mike Brown
o Mobile Radio Interference With Vehicles
Peter Mabey
o VW Fastbacks/RFI/EFI
David Lesher
o CB frequencies and power
John McLeod
o Signs of the Times
Robert Morris
o The Mercaptan goes down with the strip
Burch Seymour
o Re: Reach out and (t)ouch
Michael Wagner
o Info on RISKS (comp.risks)

Swedish trains collide

RICK BLAKE (on Essex DEC-10) <rick@ESSEX.AC.UK>
Wednesday, 18-Nov-87 13:31:53-GMT
From The Times, Tuesday 17th November 1987 (reproduced without permission)

    "Gothenburg (AP) - Two Swedish express trains collided at high speed
    in a suburban station at Lerum yesterday, setting a locomotive and
     a carriage on fire and trapping some passengers in the wreckage
    for more than two hours.

    At least nine people were killed and 100 injured. Two carriages
    were so badly twisted that they were sealed shut. The automatic
    system designed to prevent trains from being on the same track
    had apparently been shut off while work was done."

The last sentence points up a possible Risk that has been discussed before
in these columns; what happens when automated systems that are designed to
prevent human error are disabled? Clearly it is too early to draw any
conclusions from this incident until more facts are known, but it is quite
possible that, if the system worked reliably, the train controllers may have
lost familiarity with the manual procedures. Alternatively, perhaps news of
the service withdrawal was not adequately disseminated.  The fact remains
that withdrawal of automated systems may of itself constitute a Risk.

Rick Blake, Computing Service, University of Essex, Wivenhoe Park, COLCHESTER C
+44 206 872778


Hardware and configuration control problem in a DC-9 computer

Nancy Leveson <nancy@commerce.UCI.EDU>
Tue, 17 Nov 87 06:51:08 -0800
Mike DeWalt of the FAA Certification Office in Seattle sent me a copy of
the Federal Register of August 7, 1987 which contains a notice of a proposed
airworthiness directive, applicable to certain McDonnell Douglas Model
DC-9-81, -82, -83 series airplanes, that would require inspection and
modification, if necessary, of certain Honeywell Digital Air Data Computers
(DADC).  It reports that "This proposal is prompted by reports of
erroneous information being transmitted to the Digital Flight Guidance
Computer from the DADC.  This condition, if not corrected, could lead to
an aircraft stall close to the ground during an automatic pilot or flight
director go-around maneuver."

It goes on to explain in more detail:  "During an automatic go-around
maneuver on a McDonnell Douglas Model DC-9-80 series airplane demonstration
flight for the FAA, a simulated engine loss resulted in an electrical
transient, which caused the Honeywell P/N HG280D80 Digital Air Data
Computer (DADC) to send an erroneous low value of computed air speed to
the Digital Flight Guidance Computer (DFGC).  The DFGC used this value
as a go-around speed reference and generated a large pitch-up command when
it compared the actual airspeed to the erroneous reference airspeed.  The
automatic go-around demonstration was terminated by the pilot when the
stick shaker was activated by the stall warning system."

"Investigations by Honeywell indicated that a complementary metal oxide
semiconductor random access memory chip installed on Microcomputer Circuit
Card Assembly (CCA) A1 could output erroneous computed airspeed, Mach,
and total pressure data, without a failure warning, in the event of a
power interrupt to the DADC.  Modification 8 to the DADC, which consists 
of the addition of a transitor to the circuitry on CCA A1, prevents this 
from occurring.  This transistor had been previously incorporated by
Honeywell as a product improvement on DADC manufactured since May 1983,
but no marking of any kind was put on the DADC to identify it as having
incorporated the transister.  DADC manufactured after February 1987,
however, have the transistor incorporated and the modification is
identified by a Modification 8 marking on the DADC."

The notice goes on to describe the directive which would require 
inspection and modification, if necessary, of the implicated DADC
on -81, -82, and -83 series DC-9s (McDonnell Douglas started inspection
and modification of the DC-9-80 series airplanes in March 1987) within 
12 months of the effective date of the directive.


Ethics, Liability, and Responsibility

"Gene Spafford" <spaf@purdue.edu>
Tue, 17 Nov 87 11:06:43 EST
Sometime in the next few semesters I hope to be offering a seminar
course tentatively entitled "Ethics, Liability, Responsibility and the
Software Engineer."  This course is intended to foster some discussion
about the impact of computer technology on society (for good or bad),
and explore some of the legal and ethical problems involved.

Related to that:

1) The book I've been examining for the primary text should be of
interest to the readers of this forum.  It contains selected essays on
the role of professional ethics (including the full texts of the ACM,
IEEE, and other association codes of ethics), the difficulties with
litigation for computer-related problems, and the role of computers in
"power" systems (economic, political, etc.).  The book is:
    Ethical Issues in the Use of Computers
    D. G. Johnson and J. W. Snapper
    1985, Wadsworth Publishing, Belmont CA
    ISBN 0534-04257-0
The book is available in paperback and I definitely recommend it.

2) I would appreciate suggestions from RISKS readers for other texts,
essays and articles which would be appropriate for such a seminar class.
I hope to compile a reading and resource list for the class, then have
students pick items to study and present to the others.  If you have
any suggestions for such items, I'd appreciate hearing about them;
actual copies would be especially welcome.  I would also welcome
suggestions from anyone who has taught a similar course. You can send
me your suggestions via e-mail (spaf@cs.purdue.edu) or:
    Gene Spafford
    Software Engineering Research Center
    Dept. of Computer Sciences
    Purdue University
    W. Lafayette, IN 47907-2004
Anyone sending me SURFACE MAIL requesting a copy of the resource list
will get a copy sometime in the next academic year when I teach the
class; that may not be until January 1989, so let me know if
you want a partial list sooner.


Blackhawks and Seahawks

<mlbrown@nswc-wo.ARPA>
Mon, 16 Nov 87 16:12:38 est
In Risks 5.58, Brint Cooper writes about the EMI problems with the Blackhawk
and asks why the Seahawk has a shielded control module while the Blackhawk
does not.  I suspect that the Seahawk's shielding is a result of the Navy's
stringent testing in the areas of Electromagnetic Vulnerability and EMI.
The Navy's operational environment is generally very "dirty" from the EMI
standpoint with all of the high power radiators aboard the ships.  It is
critical that, during the crucial landing phases on a moving deck, the ship-
board transmitters not interfere with the electronics.  This could be 
accomplished by shutting down the transmitters (EMCON) but this is not
acceptable from an operational standpoint.  Therefore, the helo has to 
withstand this environment.

I rather suspect that the Army's lack of shielding is a pure and simple
weight vs. benefit issue.  If you can save a few pounds in the design of
the system, you have more available payload capacity.  Often this translates
into this kind of a problem.  In order to meet design (e.g. payload) require-
ments, things like "unnecessary" EMI shielding are done away with.  When 
delivered, the helo meets requirements for payload and it's only later that
problems like this surface.  The shielding is added, the usable payload
reduced, and everyone is happy  (well, almost).  Conversely, we can have 
occurrences where the original system may have satisfactorily performed in
high EMI environments but an upgraded system using computers does not.  The
relatively low voltage, rapid response time circuits are sensitive to the
EMI whereas the high voltage, slow response analog circuits did not.  This
is a critical issue that has to be addressed in applications where computers
are used to replace analog controls.
                        Mike Brown
[Also noted by "pat" and Henry Spencer.]


Mobile Radio Interference With Vehicles (Re: RISKS-5.58)

Peter Mabey <mcvax!stl.stc.co.uk!phm@uunet.UU.NET>
Wed, 18 Nov 87 10:14:10 GMT
>RISKS-LIST: RISKS-FORUM Digest  Sunday, 15 November 1987  Volume 5 : Issue 58
>Subject:       Mobile Radio Interference With Vehicles (RISKS-5.57)
>From:          Ian G Batten <BattenIG@CS.BHAM.AC.UK>
>There was some trouble a year or so ago I read of in one of the Car
>magazines with engine management systems on several makes of car...

This reminds me that when the Home Chain of radar stations was being
set up in 1939, it was rumoured that the mysterious transmitting
pylons being constructed were for a secret weapon that would stop the
engines of the German bombers.  There were reports of car engines
unaccountably stalling and refusing to restart till a technician from
an adjacent hut came out, noticed what had happened, and returned
inside.  This was long before electronic engine management, and I
doubt that the pulsed signals would have been able to have the
reported effect on a conventional ignition system, so I suspect that
the reports were 'disinformation' spread to put spies on the wrong
track. (You never heard the stories at first hand, it was something
like ...'our milkman said it happened to a friend')

Peter Mabey  (phm@stl  ...!mcvax!ukc!stl!phm +44-279-29531 x3596)
Standard Technology Ltd., London Road, Harlow, Essex CM17 9NA, U.K.


VW Fastbacks/RFI/EFI (Re: RISKS-5.59)

David Lesher <hadron!netsys!wb8foz@uunet.UU.NET>
18 Nov 87 04:48:39 GMT
I remember a VW mechanic across the street from the local gas station the
police frequented asking me why the pancake engine (i.e., Fastbacks+Squareback)
models stalled when the police transmitted. I explained it to him.  This was
on 150 mhz @ 100 watts out. BTW those fuel injection controls were all
discrete transistor...Nobody had heard the words IC-opamp.


CB frequencies and power

John McLeod <jm7@pyr.gatech.edu>
Wed, 18 Nov 87 15:51:06 EST
CB's run at 4 Watts.  Their wavelength is 436 inches.  (~11m).

JOHN MCLEOD         Georgia Insitute of Technology, Atlanta Georgia, 30332
uucp: ...!{akgua,allegra,amd,hplabs,ihnp4,seismo,ut-ngp}!gatech!gitpyr!jm7


Signs of the Times [1984? and Information Vending]

<RMorris@DOCKMASTER.ARPA>
Tue, 17 Nov 87 15:17 EST
A sign on Route 95 in Delaware to be seen just after passing the toll
booths for the Delaware Memorial Bridge reads "Information Police".

A sign on Route 95 in Pennsylvania just north of the Delaware border
reads "Weather Info Vending Machines".


The Mercaptan goes down with the strip

Burch Seymour <sun!gould!augusta!bs@ucbvax.Berkeley.EDU>
Mon, 16 Nov 87 22:02:27 EST
[OK, this isn't really computer related, but I thought it might be
interesting as it's sort of high tech related.... and I kept it short too!]

The December 1987 Discovery magazine reports that the Baltimore, Maryland
utility commission sent out their "Energy News" bulletin with a special
addition.  To help promote public recognition they added a scratch and sniff
strip that smelled of mercaptan, the chemical added to natural gas to make
it smell.  Natural gas is odorless; the smell is added as a safety feature
so users can notice potentially explosive leaks. There was a problem. The
smell penetrated the unopened envelopes, causing hundreds of customers to
call the fire department to report gas leaks. "People were panicking at
first. They really thought they were having problems."

The brochures were shelved.

-Burch Seymour-  ...sun!gould!bseymour or something like that


Re: Reach out and (t)ouch (RISKS DIGEST 5.58)

Michael Wagner <WAGNER%DBNGMD21.BITNET@CNUCE-VM.ARPA>
17 Nov 87 18:48:34
> BONN, West Germany - An elderly West German woman ... received a
> whopping telephone bill for $2,3000.

  Wie, bitte?  The number actually printed in the article has some
  sort of problem, since people in North America don't normally
  write a number that way.  I tried to figure out what amount this
  really was.  $23,000 is completely out of line.  If it is $2,300,
  I can't reconcile this with the information in the story (10
  hours) and the rate schedules I have here.  I'm currently trying
  to find out more details of this story.

  [Add to that the fact that 2,3000 auf deutsch is 2.3000 auf englisch.  PGN]

> The meter ran 10 hours.

  To me, this points out the 'brittleness' of some of our
  'high-tech' services.  Older services, like electricity and water
  service, intrinsically limit the amount of resource which can be
  consumed in a short time to some 'small' multiple of the 'normal'
  usage.  This little old woman probably calls her relatives in
  Nairobi once a month for 10 minutes.  For those 10 hours that her
  phone was off the hook, she was responsible for 4000 times her
  normal usage.  I don't think you can get 4000 times normal water
  flow for 10 hours out of your tap, and I don't think you could get
  that much electricity out of the wall without melting your
  entrance fuses.

  I must admit that those limits are the results of physical
  properties that are built into the delivery mechanism (friction in
  the pipes; heating of the wires and fuses in the service
  entrance).  The telephone is somehow 'better' because it doesn't
  have the non-linearities that give rise to these phenomina.
  However, those very non-linearities often serve a useful purpose
  in 'turning back the curve' in situations where a fault has
  occured.

  One hopes, for instance, that if they bring the electricity to the
  house of the future with superconductors, they remember to use
  some 'normalconductors' in the service entrance to limit the total
  possible consumption to reasonable limits, for safety and billing
  reasons.

  Similarly, phone systems and computer systems should contain some
  reasonableness checks to detect outlying situations and alert
  staff to them.

> She then petitioned Parliament, which ruled this week that she
> would have to pay one-third of the bill for carelessness.

  I asked a friend about this; they were surprised that she got off
  so lightly.  It is somewhat unusual that she was 'excused' from
  her full liability.  The telephone system is an incredibly
  powerful institution here in Germany (and more or less in all of
  Europe, I gather).  They do, with alarming regularity, make
  billing mistakes.  And, being a part of the executive branch of
  the government, they have the muscle to make people pay the bills,
  even when the bill is under dispute.

Michael

Please report problems with the web pages to the maintainer

Top