Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 8: Issue 68
Monday 8 May 1989
Contents
Low-Probability / High-Consequence Accidents -- and the Midland 737? (PGN)
"Probing Boeing's crossed Connections" (Werner Uhrig)
An Atlantis spacecraft computer problem resolved nicely (PGN)
"Life's Risks: Balancing Fear Against Reality of Statistics" (Marc Rotenberg, Jerry Leichter)
Hear No Evil (Kevin Driscoll)
Computer Ethics Course/Resource Volunteers Wanted (long) (Bob Barger)
Info on RISKS (comp.risks)
Low-Probability / High-Consequence Accidents -- and the Midland 737?
Peter Neumann <neumann@csl.sri.com>
Mon, 8 May 1989 8:34:12 PDT
I would like to consider here a class of problems that has not been addressed specifically in RISKS, although its components are familiar. The RISKS Forum has addressed alarm systems that could not adequately be debugged under truly real circumstances. There was also the example of the earliest Antarctic ozone depletion data, which was systematically rejected by the analysis program for being *too* anomalous.

The potential for a combination of these two types of problems might occur in aircraft monitoring during flight, as follows. Sensitive sensors in hostile environments (such as engines) sometimes report unrealistic or off-scale readings due to noise or interference. Consequently software monitoring the sensor may be programmed to ignore values beyond a certain threshold, on the grounds that such extreme readings must be the results of extraneous events. If the ignored sensor reading was "real", however, other more remote sensors might pick up -- and accept -- less extreme readings. This appears to be a potential problem in a variety of control systems.

In the absence of any definitive information about the British Midland 737 crash, such a hypothesis seems just as plausible as any other. The *left* engine was reportedly vibrating wildly (possibly due to a broken fan blade), but the pilots for some reason(s) shut off the (good) right engine. The extreme vibration in the left engine might indeed have produced hitherto unexperienced sensor readings that designers -- or the software folks -- felt would have to be impossible. The vibration from the left engine would have been transmitted -- much attenuated -- through the entire airframe, and might have been reported at a much more "reasonable" intensity by the vibration sensors of the right-hand engine. It does not take much of a leap in imagination for the computer program to conclude that it was the *right* engine that was malfunctioning.

In any event, this possible fault mode represents another case of LOW-PROBABILITY / HIGH-CONSEQUENCE ACCIDENTS [1], and thus deserves explicit attention. Unfortunately it is just one more such combinatory fault mode.

[1] See Koshland's editorial (title above, in CAPS) in Science, vol 244 no 4903, 28 April 1989, p. 405, discussing the Exxon Valdez spill and conclusions that should be drawn from it.
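The fault mode PGN hypothesises above, as an added worked example (editor's illustration, not part of the RISKS post and not based on any investigation data): a monitor that discards off-scale readings as "noise" is compared with one that treats an off-scale reading as a distinct saturated state. The full-scale limit, alarm level, airframe cross-coupling fraction and the vibration levels are all constructed for the illustration.

```python
"""Added illustration, not from the RISKS post: how discarding "impossible"
sensor readings can shift blame to the wrong engine.

Every number here (full-scale limit, alarm level, airframe coupling, the
vibration levels themselves) is constructed for the illustration; none is a
figure from the British Midland investigation.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_PLAUSIBLE = 5.0    # assumed design limit: anything above is "noise"
ALARM_LEVEL = 2.0      # assumed level at which an engine is reported faulty
CROSS_COUPLING = 0.15  # assumed fraction of one engine's vibration that the
                       # other engine's sensor picks up through the airframe


@dataclass(frozen=True)
class Sample:
    """One sample from each engine's vibration sensor."""
    left: float
    right: float


def couple(true_left: float, true_right: float) -> Sample:
    """What each sensor actually sees: its own engine's vibration plus an
    attenuated share of the other engine's."""
    return Sample(left=true_left + CROSS_COUPLING * true_right,
                  right=true_right + CROSS_COUPLING * true_left)


def naive_diagnosis(s: Sample) -> Optional[str]:
    """Drop off-scale readings as interference, then blame the engine with
    the highest remaining reading above ALARM_LEVEL (None if no alarm)."""
    readings: Dict[str, float] = {"left": s.left, "right": s.right}
    kept = {k: v for k, v in readings.items() if v <= MAX_PLAUSIBLE}
    alarmed = {k: v for k, v in kept.items() if v >= ALARM_LEVEL}
    if not alarmed:
        return None
    return max(alarmed, key=alarmed.__getitem__)


def guarded_diagnosis(s: Sample) -> Optional[Tuple[str, str]]:
    """Treat an off-scale reading as its own 'saturated' state that outranks
    any in-range reading, instead of silently discarding it. Returns
    (engine, reason) or None."""
    readings: Dict[str, float] = {"left": s.left, "right": s.right}
    saturated = {k: v for k, v in readings.items() if v > MAX_PLAUSIBLE}
    if saturated:
        # Off-scale may be noise, but it may also be the loudest possible
        # signal; either way the channel needs attention, not silence.
        return max(saturated, key=saturated.__getitem__), "saturated"
    alarmed = {k: v for k, v in readings.items() if v >= ALARM_LEVEL}
    if not alarmed:
        return None
    return max(alarmed, key=alarmed.__getitem__), "in-range"


if __name__ == "__main__":
    # Constructed scenarios: (label, true left vibration, true right vibration).
    for label, true_l, true_r in (("healthy", 0.4, 0.5),
                                  ("left moderately rough", 3.0, 0.5),
                                  ("left wildly vibrating", 20.0, 0.5)):
        s = couple(true_l, true_r)
        print(f"{label:24s} naive={naive_diagnosis(s)!s:6s} "
              f"guarded={guarded_diagnosis(s)}")
```

With the constructed numbers, a wildly vibrating left engine drives its own sensor off-scale (dropped by the naive monitor) while the attenuated share reaching the right engine's sensor lands comfortably in the "plausible" band, so the naive monitor names the right engine. The guarded version reports the left channel as saturated instead. The design point is the one the post makes: an implausible reading is information about the sensor or the environment and should be surfaced as such, never quietly discarded.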
``Probing Boeing's crossed connections''
Werner Uhrig <werner@rascal.ics.UTEXAS.EDU>
Mon, 8 May 1989 4:53:45 CDT
[The title is that of an article in IEEE Spectrum, May 1989, pp. 30-35,
subtitled ``Misconnected circuits and hoses found on 94 in-service Boeing
aircraft raise concern about design, test, and maintenance of aircraft
safety systems''. Author is Karen Fitzgerald.]
At the very end of the article is a further reference of interest to this
group:
For a minute-by-minute account of the British Midland crash from knowledge
gathered to date, see Special Bulletin S2/89 of the Air Accidents
Investigation Branch of the Department of Transport in Farnborough, England,
March 20, 1989.
[I recommend the Spectrum article, and
would like to see the Bulletin. PGN]
An Atlantis spacecraft computer problem resolved nicely
Peter Neumann <neumann@csl.sri.com>
Mon, 8 May 1989 12:13:25 PDT
One of Atlantis' main computers (one of the processors in the two pairs of the 2x2 + 1 backup architecture) failed on 7 May. For the first time ever the astronauts made repairs -- in this case by substituting a spare processor. It took them about 3.5 hours to gain access to the computer systems by removing a row of lockers on the shuttle mid-deck, and another 1.5 hours to check out the replacement computer.

It is ironic that such a replacement was so difficult, but not surprising. My old friend Al Hopkins, who at MIT Instrumentation Lab (now Draper Lab) designed the Apollo on-board guidance computer, told me years ago how carefully they had planned the packaging so that the astronauts would be able to make repairs on the fly (as it were). NASA officials would have none of it, and buried the computer several layers underneath other equipment. Apparently that tradition has continued. Perhaps the success of the Atlantis crew will change things.

During STS-9, Nov-Dec 83, multiple primary computers on the Columbia failed at the same time, and delayed the return to earth. On one hand, the calculations say that losing three processors would be a rare event. However, here we have another example of a low-probability / high-consequence accident -- especially if it involved the backup and one of each of the pairs. Furthermore, since the software is the same in all four of the 2x2 main processors, they would all have failed consistently, and been deemed correct. (And we just reported the serious problem in the Magellan software caught before Atlantis' launch, noted in RISKS-8.67!) In the case of pairwise disagreement among both pairs, there is always the fifth, backup, computer, separately programmed. As far as I know, the shuttles have never had to rely on the backup computer software, so it might be preferable to make processor replacements among the main four rather than resort to the backup...
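The common-mode point in the item above (four copies of one program fail consistently and are "deemed correct"), as an added toy model written for this page, not a description of the Shuttle's real redundancy management. The 3x + 7 computation, the 12-bit wrap-around bug, the stuck-output fault model and the miscompare policy are all assumptions made for the illustration.

```python
"""Added illustration, not part of the RISKS item: a toy 2x2 + 1 voter,
constructed to show that four copies of one program cannot out-vote a fault
they all share. It is a simplified model, not the Shuttle's actual
redundancy management; the arithmetic, the wrap-around bug and the
miscompare policy are all assumptions made for the illustration.
"""
from typing import Callable, List, Tuple

Channel = Callable[[int], int]


def primary(x: int) -> int:
    """The one program loaded into all four primary computers. The
    constructed bug: the result lives in a 12-bit register and wraps
    for inputs large enough to overflow it."""
    return (3 * x + 7) % 4096


def backup(x: int) -> int:
    """Separately programmed backup with the same specification (3x + 7)
    but written independently, so it does not share the wrap-around."""
    return x + x + x + 7


def stuck(value: int) -> Channel:
    """Model a hardware fault: a processor whose output is stuck at `value`."""
    return lambda _x: value


def vote(x: int, primaries: List[Channel], backup_fn: Channel) -> Tuple[int, str]:
    """Pairwise self-checking: each pair must agree internally and the two
    pairs must agree with each other. Only when both pairs miscompare is
    the backup's result used. Returns (value, source)."""
    assert len(primaries) == 4, "2x2 architecture needs exactly four primaries"
    outs = [p(x) for p in primaries]
    pair_a_ok = outs[0] == outs[1]
    pair_b_ok = outs[2] == outs[3]
    if pair_a_ok and pair_b_ok and outs[0] == outs[2]:
        return outs[0], "all four primaries agree"
    if pair_a_ok:
        return outs[0], "pair A (pair B miscompared)"
    if pair_b_ok:
        return outs[2], "pair B (pair A miscompared)"
    return backup_fn(x), "backup engaged"


def diverse_cross_check(x: int, primaries: List[Channel], backup_fn: Channel) -> bool:
    """Use the independently written backup as a monitor: does the voted
    primary result agree with it? Agreement among identical copies cannot
    reveal a shared software fault; design diversity can."""
    value, _ = vote(x, primaries, backup_fn)
    return value == backup_fn(x)


ALL_PRIMARY: List[Channel] = [primary, primary, primary, primary]

if __name__ == "__main__":
    # Normal input: everything agrees.
    print(vote(100, ALL_PRIMARY, backup))                  # (307, 'all four primaries agree')
    # Input that triggers the shared bug: still unanimous, still wrong.
    print(vote(2000, ALL_PRIMARY, backup))                 # (1911, 'all four primaries agree')
    print(diverse_cross_check(2000, ALL_PRIMARY, backup))  # False
    # One stuck processor: its pair miscompares, the other pair carries on.
    print(vote(100, [primary, stuck(0), primary, primary], backup))
    # One bad processor in each pair: fall back to the backup.
    print(vote(100, [primary, stuck(0), stuck(1), primary], backup))
```

The voter handles the hardware cases it was designed for (one stuck processor, one bad processor per pair) but accepts 1911 unanimously when the correct answer is 6007, because all four channels run the same code. Only the diversely programmed backup, used here as a cross-check rather than merely a last resort, exposes the disagreement.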
"Life's Risks: Balancing Fear Against Reality of Statistics"
Excerpted from today's New York Times: Is the slight risk of contracting cancer from Alar too high a price to pay for crisper apples? Is the dramatic increase in milk production available through genetically engineered growth hormones worth the unknown risk to children's health? If a few aging aircraft suffer explosive decompressions, should all old airliners be grounded? Risks to health and safety and the complex questions of public policy they create are seemingly everywhere these days. And while there is little statistical evidence that the hazards of daily life are on the rise, a wide range of academic and business experts believe that Americans' perception of increased peril is stifling technology, wasting billions of dollars, and, ironically, making it more difficult to contain the most serious risks. ... by broad statistical measures, Americans have never been safer ... Even the high-profile threats have not changed the risks of untimely death or injury. The skies may be crowded, the planes aging and the pilots inexperienced, but the trend in aircraft fatalities is downward. ... Life-saving medicines have been less dramatically affected, but even here, the measures to compensate for risk can radically change the economics of distribution ... The Environmental Protection Agency also regards itself as handicapped by Congressional and public misperception of relative risk. ...

What explains the public's decreasing tolerance of some risks and apparent indifference to others? ... perceived risk is not always related to the probability of injury. Easily tolerated risks include ones that people can choose to avoid (chain saws, skiing), that are familiar to those exposed (smoking), or that have been around for a long time (fireworks). Poorly tolerated risks are involuntary (exposure to nuclear waste), have long delayed effects (pesticides), or unknown effects (genetic engineering). ... nuclear and chemical technologies fare especially badly in such subjective rankings. Indeed the general acceleration of technical change and integration of new technology in products helps to explain the increase in public anxiety about risk. ...
Life's Risks ...
Jerry Leichter <LEICHTER-JERRY@CS.YALE.EDU>
Mon, 8 May 89 17:17 EDT
Today's New York Times (Monday 8 May) has a front-page article titled "Life's
Risks: Balancing Fear Against Reality of Statistics". It's the first of two
articles on "risk and public policy".
The article is ... well worth reading. Here's an interesting quotation:
Peter W. Huber, an engineer, lawyer and author of "The Legal Revolution and
its Consequences" notes that ... "safety taxes" [extra costs charged by
suppliers to pay for potential lawsuits] are added to the price of thousands
of ... goods and services, distorting production and reducing living
standards. By Mr. Huber's reckoning, the safety tax represents 30 percent of
the cost of a step ladder, one-third the cost of a ride on a Long Island tour
bus and $300 of the cost of giving birth in New York City.
-- Jerry
Hear No Evil
Kevin Driscoll <driscoll@draco.src.honeywell.com>
7 May 89 22:44:01 GMT
On a recent flight, the cabin crew was a bit late in starting the in-flight movie. The flight took less time than expected, so the movie's climactic showdown scene began just after the plane touched down. Many of the passengers became noticeably irritated at the flight attendants' pre- and post-landing announcements, which interrupted the movie's audio.

This was a tow-in gate, so the engines were shut down well before arriving at the gate. Without engine power, an APU supplies electrical power. On the switch-over, however, the power glitch reset the audio channel controllers to the default channel (8), which is silent. It is common on commercial aircraft to have "unimportant" control systems (such as the individual seat lighting and audio) reset on power glitches. This is not a safety problem. Is it?

When the audio went dead on this flight, most of the passengers didn't know what happened and pushed their flight attendant call buttons. Some of the more irate passengers repeatedly pushed it, causing the alert tone to sound almost continuously. (This was what I could see in first class. I can only imagine what was happening in the coach cabin, where passengers had to explicitly pay extra for headsets and where there were more passengers.)

I would suspect that the official justification for the flight attendant call button system is to alert the crew to emergencies. During this incident, any signaling of an emergency would not have been noticed. I also suspect that a failure analysis of the audio system did not foresee the implications of a power glitch resetting the channel. This is an example of the most common reason for safety problems: the designers don't see all the possible circumstances that the design will face, particularly where people are involved. The fix to this problem is trivial: make the default channel one with some material on it, preferably one of the movie channels (1 through 4). I wonder if the current design was to save some small amount of power.

Another disconcerting observation was that the cabin crew did not seem to understand what had happened either. They seemed unable to help the passengers. They made repeated visits to the passengers who continued to re-press their call buttons. All that had to be done was to switch the channel back to where it had been.

Disclaimer: I don't represent Honeywell, neither should Don Dodgen.

Kevin R. Driscoll, Principal Research Scientist (612) 782-7263 FAX: -7438
POST: Honeywell M/S MN65-2500; 3660 Technology Drive; Mpls, MN 55418-1006
Computer Ethics Course/Resource Volunteers Wanted
Bob Barger <CFRNB@ECNCDC.BITNET>
Wed 03 May 1989 13:51 CDT
Two drafts of the following course were previously printed in RISKS digests.
These brought a host of suggestions from readers. Almost all these suggestions
were incorporated into the final version below. Volunteers are now being sought
to participate in the course this Fall (see Section 3. b. 2. below). These
volunteers could contribute items relating to computer ethics for posting on the
class bulletin board, correspond by e-mail with individual students on course
topics, and/or comment on students' postings on the class bulletin board.
The course will run from late August to early December. No money is presently
available as compensation for this service, but I will gladly contribute
letters of appropriate recognition for those who participate as resource persons
in all or part of the course. If interested, send a brief "vita" to Bob Barger
at CFRNB@ECNCDC.BITNET.
SENIOR SEMINAR
EASTERN ILLINOIS UNIVERSITY
1. Catalog Description
a. Course Number: EIU 4050
b. Title: Computer Ethics
c. Credit: 2-0-2 [2 hrs per week/one semester]
d. Term to be offered: On Demand
e. Short title: Computer Ethics
f. Course Description: The course will investigate current
ethical issues involving computers. While it is not a "computer
course," students will make frequent use of postings on the
electronic bulletin board of the ECN mainframe computer to
research and discuss ethical issues.
g. Prerequisites: 75 Semester Hours and previous experience
with computers. [Class size limit = 15 students for Fall, 1989,
semester].
h. Exclusions: None.
2. Outline of topics :
Week Topic
1 Orientation to the course (introduction,
explanation of course content, class procedures,
and evaluation methodology). Consideration of
ethical theory: examination of the metaphysical
bases and resultant ethical norms of the idealist
and naturalist theories.
2 Consideration of ethical theory (continued):
examination of the metaphysical bases and
resultant ethical norms of the consequentialist
and existentialist theories.
3 On-line reading of the "Discussion of Ethics in
Computing" list, the "Forum on Risks to the Public
in Computers and Related Systems" digest, and the
"Computers and Society" list (all are available on
the ECN bulletin board); written reactions to
these readings, and written commentary on other
students' reactions. [The instructor will insure
that these activities equate to the activities of
a traditional two hour class meeting].
4 Consideration of professional ethics:
responsibilities between employer/employee,
client/professional, professional/peer, and
professional/society.
5 On-line reading of the "Discussion of Ethics in
Computing" list, the "Forum on Risks to the Public
in Computers and Related Systems" digest, and the
"Computers and Society" list (all are available on
the ECN bulletin board); written reactions to
these readings, and written commentary on other
students' reactions. [The instructor will insure
that these activities equate to the activities of
a traditional two hour class meeting].
6 Consideration of liability for software design,
manufacture, and use: legal liability; truth-in-
advertising; contracts; warranties; software as
product or service?
7 On-line reading of the "Discussion of Ethics in
Computing" list, the "Forum on Risks to the Public
in Computers and Related Systems" digest, and the
"Computers and Society" list (all are available on
the ECN bulletin board); written reactions to
these readings, and written commentary on other
students' reactions. [The instructor will insure
that these activities equate to the activities of
a traditional two hour class meeting].
8 Consideration of privacy issues: individual
privacy rights; institutional "right-to-know"
concerns; system security concerns; data-banking
concerns.
9 On-line reading of the "Discussion of Ethics in
Computing" list, the "Forum on Risks to the Public
in Computers and Related Systems" digest, and the
"Computers and Society" list (all are available on
the ECN bulletin board); written reactions to
these readings, and written commentary on other
students' reactions. [The instructor will insure
that these activities equate to the activities of
a traditional two hour class meeting].
10 Consideration of power/control issues: the
computer as agent of centralization or
decentralization? the computer as agent of
conservation or change? the computer as agent of
alienation?
11 On-line reading of the "Discussion of Ethics in
Computing" list, the "Forum on Risks to the Public
in Computers and Related Systems" digest, and the
"Computers and Society" list (all are available on
the ECN bulletin board); written reactions to
these readings, and written commentary on other
students' reactions. [The instructor will insure
that these activities equate to the activities of
a traditional two hour class meeting].
12 Consideration of ownership and theft issues:
copyrights; fair usage; patents; trade secrecy and
competition; considerations unique to the computer
market.
13 On-line reading of the "Discussion of Ethics in
Computing" list, the "Forum on Risks to the Public
in Computers and Related Systems" digest, and the
"Computers and Society" list (all are available on
the ECN bulletin board); written reactions to
these readings, and written commentary on other
students' reactions. [The instructor will insure
that these activities equate to the activities of
a traditional two hour class meeting].
14 On-line reading of the "Discussion of Ethics in
Computing" list, the "Forum on Risks to the Public
in Computers and Related Systems" digest, and the
"Computers and Society" list (all are available on
the ECN bulletin board); written reactions to
these readings, and written commentary on other
students' reactions. [The instructor will insure
that these activities equate to the activities of
a traditional two hour class meeting].
15 Seminar members will reconvene as a group for the
last meeting to allow for group reflection on the
seminar experience and course evaluation.
Exam week Final examination
Writing component
Students will type thirteen 30-to-50 line (i.e., one-to-two
page) reactions to the on-line electronic bulletin board
readings. Students will "post" these reactions (i.e.,
electronically send them to the mainframe computer bulletin
board set aside for members of this seminar). In their
reactions, students will: 1) identify the particular
publication or publications to which they are reacting, 2)
identify the particular issue or issues raised in the
publication(s), 3) identify the ethical implications of the
issue or issues, 4) identify the ethical paradigm used by the
author, 5) add their own reasons for agreement or disagreement
with the viewpoint of the publication's author, 6) and,
finally, offer an alternative solution or viewpoint to that
presented by the author, or present other appropriate
considerations not raised by the author or covered in their
own (i.e., the student's own) previous comments. The
instructor will send weekly, by confidential electronic mail,
a grade on the student's posted reaction, together with
whatever comments the instructor thinks helpful. The student's
original posted reaction will also be open to public comment
by the other students in the seminar [this is accomplished by
posting notes to the bulletin board, referencing the original
posted reaction]. These latter comments by the other students
in the seminar will be considered along with classroom
discussion in computing the "participation" factor of the
student's semester grade.
Evaluation
Each student's semester grade for the seminar will be
calculated according to the following weighted formula:
- 13 posted reactions (at 5% each) = 65%
- Participation (based on class
discussion and posted comments
on other students' reactions) = 20%
- Final Exam = 15%
3. Implementation :
a. This course will be taught by: Robert N. Barger, Ph.D.
b. Materials in the course will include:
1) Texts:
a) Deborah Johnson, Computer Ethics (Englewood
Cliffs, NJ: Prentice Hall, 1985)
b) Notes on Systematic Philosophies from Dr. Barger's
Philosophy 1800 class (furnished without charge to
seminar members)
c) Postings on the above-mentioned ECN electronic
bulletin board lists.
2) Resource people: Computer professionals (e.g.,
administrators, systems analysts, programmers, etc.) will
be utilized as guest contributors to the class. This will
be accomplished by personal appearances, as well as by
electronically mediated conferencing (e.g., postings, e-
mail, relay round-tables, etc.).
c. Exceptional costs: None, unless the student wishes to use a
modem to access the computer. In this case the student will
be responsible for any personal equipment costs and/or long
distance phone charges.
d. Effective date: Fall, 1989.
Date approved by Senior Seminar Committee: February 24, 1989.
Date approved by Council on Academic Affairs: April 20, 1989.