The RISKS Digest
Volume 9 Issue 12

Thursday, 17th August 1989

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

RISKS IS FINALLY MOVING TO CSL.SRI.COM!
PGN
Flaws in calculations, computer models in Trident failures
Jon Jacky
Voyager 2 software faults at launch, 1977 Aug 20 10:29
David B. Benson
Info on RISKS (comp.risks)

RISKS IS FINALLY MOVING TO CSL.SRI.COM!

Peter G. Neumann <Neumann@KL.SRI.COM>
Thu, 17 Aug 89 09:07:12 PDT
This should be the last issue of RISKS that you will receive from the KL.
Subsequent issues should appear without interruption from the CSL.  As has
already been noted in the masthead for many months, all RISKS mail should be
directed to RISKS@CSL.SRI.COM or RISKS-Request@CSL.SRI.COM, depending on
whether you have a contribution or an out-of-band message, respectively.
Please send mail to the latter address ONLY IF YOU DO NOT RECEIVE a message
from RISKS@CSL.SRI.COM within 24 hours of your receiving this issue.  That
message from CSL will be identified by

  "From RISKS Forum <RISKS@CSL>SRI.COM>
   Subject: RISKS IS NOW ABOUT TO MOVE.  NO ACK REQUIRED IF YOU RECEIVE THIS."

    [The DEC 2065 and its staff have been very good to RISKS for the past
    four years.  Many thanks to Steve Milunovic for all his help.  PGN]


Flaws in calculations, computer models implicated in Trident failures

Jonathan Jacky, University of Washington <JON@GAFFER.RAD.WASHINGTON.EDU>
Thu, 17 Aug 1989 9:21:56 PDT
Here are excerpts from a story that appeared on the front page of the
Thursday, August 17, 1989 NEW YORK TIMES:

DESIGN FLAW SEEN AS FAILURE CAUSE IN TRIDENT 2 TESTS --- by Andrew Rosenthal

WASHINGTON --- The Navy believes designers made a fundamental miscalculation
in building its biggest nuclear missile, the Trident 2, which has failed in
two of its three undersea tests, a Navy official said yesterday.

The first missile exploded on March 21, four seconds after it was launched
from a submarine off the east coast of Florida.  The second test, on August 2,
went largely according to plan, but the third blew up Tuesday.

Rear Adm. Kenneth C. Malley, head of the Navy's ballistic missile program, said
that despite computer simulations, engineers seriously underestimated how much
pressure is on the Trident 2 as it hurtles up through the water from its
submarine launcher.  He said they had also failed to anticipate the effect of
"water jets" caused by the missile's movement. ...

The Trident 2, which is 44 feet long and weighs 130,000 pounds at launching, is
much longer and nearly twice as heavy as the Trident 1 [...which is now in
service and which Trident 2 is scheduled to replace...].  Although engineers
expected the larger missile to create more turbulence than the Trident 1 as it
passed through the water, they miscalculated how much more and what effect that
would have on the Trident 2's rocket engines.  ...  During testing "water jets"
caused by the missile's movement contributed to the turbulence.  After
reviewing the tests of the Trident 1, the Navy said, such jets were present,
but had gone unnoticed because they had not affected the smaller missile's
flight.  ...

The first time the missile was tested at sea, Admiral Malley said, the
unexpectedly strong pounding from the water jet caused the (missile's rocket)
nozzles to malfunction as soon as they fired above the water's surface.  The
missile began spinning in a spectacular cartwheel until it self-destructed. ...

In the third test, ... instead of spinning end-over-end, (the missile) began
flying on what at first seemed to be a normal trajectory ... "Then it appeared
to be losing some thrust control and it self-destructed."  Admiral Malley said
he had not yet studied the full body of data from the test.  But he said it
appeared that the aft-end pressure had severed electrical connections...

Asked whether the failures were a result of a design error or of a flaw in
manufacturing that left the rocket weaker than it should have been, Admiral
Malley said, "The device was built to specification.  There is no question that
it was designed the way it was intended to be designed."

As a result of the miscalculation, Malley said in an interview, the original
nozzles on the missile's first-stage rocket were not strong enough to withstand
the additional turbulence, and they had to be redesigned after the first test
missile exploded.  The Navy now must go back to the laboratories to determine
why the rebuilt nozzles failed Tuesday, Malley said. ...

Until the test failures, the Trident 2 was the one element of the Defense
Department's nuclear modernization program that was moving along smoothly,
having successfully completed 16 of 19 test firings from land...

Because there are so many Navy officials and subcontractors involved in the
Trident 2 program, it is impossible at this point to assess when or by whom
the miscalculations were made.  The prime contractor is Lockheed Corp. ...


Voyager 2 software faults at launch, 1977 Aug 20 10:29

David B. Benson <dbenson@cs2.WSU.EDU>
Wed, 16 Aug 89 12:35:15 PDT
Exerpts from: "Voyager and the Grandest Tour Ever:  Catching the Wave of
the Century", by Bruce Murray, California Institute of Technology's
<Engineering & Science>, Summer 1989, (no volume number).  This article
is itself exerpted from "Journey into Space:  The First Three Decades of
Space Expolration", by Bruce C. Murray, publ. W.W.Norton & Co., 1989.

[Except for inadventent typos, the following is an exact quotation
from the article, including the misused quotation marks. I shall refrain
from other remarks, leaving such to our Gentle Editor.]

    ...
    Voyager 2's gyroscopes and electronic brain were alive during
the Titan/Centaur launch, monitoring the sequence of
events in order to take control upon separation.  But here the unexpected
happened: Voyager 2's brain experienced robotic "vertigo."  In its confusion,
it helplessly switched to backup sensors, presuming its "senses" to be
defective.  Still no relief from its disorientation.  Mercifully, the
panicky robot brain remained disconnected from Voyager's powerful thrusters,
so it did not cause damage to the launch.  The Centaur attitude-conrol
system — under its normally behaving brain — stayed in charge,
suffering no "vertigo" and, as planned, electronically correcting the
disequilibriam of Voyager's brain just before separation.
    From the control center John Casani and his terse engineers
helplessly watched (though mostly they listened, because there were not
enough monitors available to us in Florida) the antics of Voyager 2's
disoriented brain.  One hour and 11 minutes after lift-off, Voyager 2
fired for 45 seconds its own special solid rocket to provide the final
push it needed to get to Jupiter.
    One and a half minutes after Voyager's key rocket burn ended, a
ten-foot arm holding the television camera and other remote-sensing
instruments was unlatched and deployed as planned.  Then, more trouble.
Voyager's anxious brain once again sensed an emergency.  This time it
switched thrusters and actuated valves to control the tiny bursts of
gas used to stablize its orientation.  Voyager's robotic "alter ego"
(its executive program) then challenged portions of its own brain in
a frantic attempt to correct the orientation failure it sensed.  Next,
Voyager followed the procedures JPL engineers had installed to cope with
the most dreaded emergency for a robot in deep space — spacecraft
attitude disorientation.  (In August 1988 the Phobos 1 spacecraft of
the Soviet Union succumbed to such an emergency after receiving an
erroneous ground command, and in March 1989 Phobos 2 evidently met a
similar fate.)  Voyager shut down most communications with Earth in
order to begin its reorientation.
    Seventy-nine minutes passed while Voyager 2 stuggled alone and
unaided to find the sun and establish a known orientation.  Finally,
it radioed confirming data.  For the moment, Voyager 2 was stable.
    It was all work and no celebration that afternoon in the dimly
lit High Bay Conference Room, where, just days earlier, a seemingly
healthy Voyager 2 had checked out perfectly.  Were the redundant
sensors malfunctioning?  Was the state-of-theart brain defective?
    The technical discussion in the room was poorly illuminated too.
All the new, supersophisticated fault protection in Voyager's electronic
brain operated on the now-painful presumption that it would be triggered
<only> by a hardware failure billions of miles from Earth.  In that
event Voyager would be unable to establish even emergency communications
with its human handlers, who could not help it much at that distance
in any case.  As a consequence Voyager had been programmed virtually to
shut off communications with Earth during such emergencies and to fix itself.
But, somehow, these deep-space procedures had been triggered right after
the launch.
    Now, because of those disrupted communications, we were not
receiving the useful flow of engineering-status measurements.  We
simply lacked enough information to figure out the causes of Voyager's
mysterious behavior, even though the spacecraft was so close to Earth
that communications normally would have been feasible under any emergency.
    ...
    ... There had been no hardware problems in the brain — just a
slight but serious missetting of computer parameters.
    ...

Please report problems with the web pages to the maintainer

x
Top