RISKS-LIST: RISKS-FORUM Digest  Wednesday 18 November 1987  Volume 5 : Issue 60

       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS
  ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
 Swedish trains collide (Rick Blake)
 Hardware and configuration control problem in a DC-9 computer (Nancy Leveson)
 Ethics, Liability, and Responsibility (Gene Spafford)
 Blackhawks and Seahawks (Mike Brown)
 Mobile Radio Interference With Vehicles (Peter Mabey)
 VW Fastbacks/RFI/EFI (David Lesher)
 CB frequencies and power (John McLeod)
 Signs of the Times (Robert Morris)
 The Mercaptan goes down with the strip (Burch Seymour)
 Re: Reach out and (t)ouch (Michael Wagner)

The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome.
Contributions to [email protected], Requests to [email protected].
For Vol i issue j, FTP SRI.COM, CD STRIPE:<RISKS>, GET RISKS-i.j.
Volume summaries for each i in max j: (i,j) = (1,46),(2,57),(3,92),(4,97).

----------------------------------------------------------------------

From: RICK BLAKE (on Essex DEC-10) <[email protected]>
Date:       Wednesday, 18-Nov-87 13:31:53-GMT
To: [email protected], [email protected]
Subject:    Swedish trains collide

From The Times, Tuesday 17th November 1987 (reproduced without permission)

   "Gothenburg (AP) - Two Swedish express trains collided at high speed
   in a suburban station at Lerum yesterday, setting a locomotive and
    a carriage on fire and trapping some passengers in the wreckage
   for more than two hours.

   At least nine people were killed and 100 injured. Two carriages
   were so badly twisted that they were sealed shut. The automatic
   system designed to prevent trains from being on the same track
   had apparently been shut off while work was done."

The last sentence points up a possible Risk that has been discussed before
in these columns; what happens when automated systems that are designed to
prevent human error are disabled? Clearly it is too early to draw any
conclusions from this incident until more facts are known, but it is quite
possible that, if the system worked reliably, the train controllers may have
lost familiarity with the manual procedures. Alternatively, perhaps news of
the service withdrawal was not adequately disseminated.  The fact remains
that withdrawal of automated systems may of itself constitute a Risk.

Rick Blake, Computing Service, University of Essex, Wivenhoe Park, COLCHESTER C
+44 206 872778

------------------------------

To: risks%[email protected]
Subject: Hardware and configuration control problem in a DC-9 computer
Date: Tue, 17 Nov 87 06:51:08 -0800
From: Nancy Leveson <[email protected]>

Mike DeWalt of the FAA Certification Office in Seattle sent me a copy of
the Federal Register of August 7, 1987 which contains a notice of a proposed
airworthiness directive, applicable to certain McDonnell Douglas Model
DC-9-81, -82, -83 series airplanes, that would require inspection and
modification, if necessary, of certain Honeywell Digital Air Data Computers
(DADC).  It reports that "This proposal is prompted by reports of
erroneous information being transmitted to the Digital Flight Guidance
Computer from the DADC.  This condition, if not corrected, could lead to
an aircraft stall close to the ground during an automatic pilot or flight
director go-around maneuver."

It goes on to explain in more detail:  "During an automatic go-around
maneuver on a McDonnell Douglas Model DC-9-80 series airplane demonstration
flight for the FAA, a simulated engine loss resulted in an electrical
transient, which caused the Honeywell P/N HG280D80 Digital Air Data
Computer (DADC) to send an erroneous low value of computed air speed to
the Digital Flight Guidance Computer (DFGC).  The DFGC used this value
as a go-around speed reference and generated a large pitch-up command when
it compared the actual airspeed to the erroneous reference airspeed.  The
automatic go-around demonstration was terminated by the pilot when the
stick shaker was activated by the stall warning system."

"Investigations by Honeywell indicated that a complementary metal oxide
semiconductor random access memory chip installed on Microcomputer Circuit
Card Assembly (CCA) A1 could output erroneous computed airspeed, Mach,
and total pressure data, without a failure warning, in the event of a
power interrupt to the DADC.  Modification 8 to the DADC, which consists
of the addition of a transistor to the circuitry on CCA A1, prevents this
from occurring.  This transistor had been previously incorporated by
Honeywell as a product improvement on DADC manufactured since May 1983,
but no marking of any kind was put on the DADC to identify it as having
incorporated the transistor.  DADC manufactured after February 1987,
however, have the transistor incorporated and the modification is
identified by a Modification 8 marking on the DADC."

The notice goes on to describe the directive which would require
inspection and modification, if necessary, of the implicated DADC
on -81, -82, and -83 series DC-9s (McDonnell Douglas started inspection
and modification of the DC-9-80 series airplanes in March 1987) within
12 months of the effective date of the directive.

------------------------------

Date: Tue, 17 Nov 87 11:06:43 EST
From: "Gene Spafford" <[email protected]>
To: [email protected]
Subject: Ethics, Liability, and Responsibility

Sometime in the next few semesters I hope to be offering a seminar
course tentatively entitled "Ethics, Liability, Responsibility and the
Software Engineer."  This course is intended to foster some discussion
about the impact of computer technology on society (for good or bad),
and explore some of the legal and ethical problems involved.

Related to that:

1) The book I've been examining for the primary text should be of
interest to the readers of this forum.  It contains selected essays on
the role of professional ethics (including the full texts of the ACM,
IEEE, and other association codes of ethics), the difficulties with
litigation for computer-related problems, and the role of computers in
"power" systems (economic, political, etc.).  The book is:
       Ethical Issues in the Use of Computers
       D. G. Johnson and J. W. Snapper
       1985, Wadsworth Publishing, Belmont CA
       ISBN 0534-04257-0
The book is available in paperback and I definitely recommend it.

2) I would appreciate suggestions from RISKS readers for other texts,
essays and articles which would be appropriate for such a seminar class.
I hope to compile a reading and resource list for the class, then have
students pick items to study and present to the others.  If you have
any suggestions for such items, I'd appreciate hearing about them;
actual copies would be especially welcome.  I would also welcome
suggestions from anyone who has taught a similar course. You can send
me your suggestions via e-mail ([email protected]) or:
       Gene Spafford
       Software Engineering Research Center
       Dept. of Computer Sciences
       Purdue University
       W. Lafayette, IN 47907-2004
Anyone sending me SURFACE MAIL requesting a copy of the resource list
will get a copy sometime in the next academic year when I teach the
class; that may not be until January 1989, so let me know if
you want a partial list sooner.

------------------------------

Date: Mon, 16 Nov 87 16:12:38 est
From: [email protected]
To: [email protected]
Subject: Blackhawks and Seahawks

In Risks 5.58, Brint Cooper writes about the EMI problems with the Blackhawk
and asks why the Seahawk has a shielded control module while the Blackhawk
does not.  I suspect that the Seahawk's shielding is a result of the Navy's
stringent testing in the areas of Electromagnetic Vulnerability and EMI.
The Navy's operational environment is generally very "dirty" from the EMI
standpoint with all of the high power radiators aboard the ships.  It is
critical that, during the crucial landing phases on a moving deck, the ship-
board transmitters not interfere with the electronics.  This could be
accomplished by shutting down the transmitters (EMCON) but this is not
acceptable from an operational standpoint.  Therefore, the helo has to
withstand this environment.

I rather suspect that the Army's lack of shielding is a pure and simple
weight vs. benefit issue.  If you can save a few pounds in the design of
the system, you have more available payload capacity.  Often this translates
into this kind of a problem.  In order to meet design (e.g. payload) require-
ments, things like "unnecessary" EMI shielding are done away with.  When
delivered, the helo meets requirements for payload and it's only later that
problems like this surface.  The shielding is added, the usable payload
reduced, and everyone is happy  (well, almost).  Conversely, we can have
occurrences where the original system may have satisfactorily performed in
high EMI environments but an upgraded system using computers does not.  The
relatively low voltage, rapid response time circuits are sensitive to the
EMI whereas the high voltage, slow response analog circuits did not.  This
is a critical issue that has to be addressed in applications where computers
are used to replace analog controls.
                                               Mike Brown
[Also noted by "pat" and Henry Spencer.]

------------------------------

From: Peter Mabey <[email protected]>
Date: Wed, 18 Nov 87 10:14:10 GMT
To: [email protected]
Subject: Mobile Radio Interference With Vehicles (Re: RISKS-5.58)

>RISKS-LIST: RISKS-FORUM Digest  Sunday, 15 November 1987  Volume 5 : Issue 58
>Subject:       Mobile Radio Interference With Vehicles (RISKS-5.57)
>From:          Ian G Batten <[email protected]>
>There was some trouble a year or so ago I read of in one of the Car
>magazines with engine management systems on several makes of car...

This reminds me that when the Home Chain of radar stations was being
set up in 1939, it was rumoured that the mysterious transmitting
pylons being constructed were for a secret weapon that would stop the
engines of the German bombers.  There were reports of car engines
unaccountably stalling and refusing to restart till a technician from
an adjacent hut came out, noticed what had happened, and returned
inside.  This was long before electronic engine management, and I
doubt that the pulsed signals would have been able to have the
reported effect on a conventional ignition system, so I suspect that
the reports were 'disinformation' spread to put spies on the wrong
track. (You never heard the stories at first hand, it was something
like ...'our milkman said it happened to a friend')

Peter Mabey  (phm@stl  ...!mcvax!ukc!stl!phm +44-279-29531 x3596)
Standard Technology Ltd., London Road, Harlow, Essex CM17 9NA, U.K.

------------------------------

From: [email protected] (David Lesher)
Subject: VW Fastbacks/RFI/EFI (Re: RISKS-5.59)
Date: 18 Nov 87 04:48:39 GMT
Organization: NetSys Public Access Network,Germantown, MD

I remember a VW mechanic across the street from the local gas station the
police frequented asking me why the pancake engine (i.e., Fastbacks+Squareback)
models stalled when the police transmitted. I explained it to him.  This was
on 150 MHz at 100 watts out. BTW those fuel injection controls were all
discrete transistor...Nobody had heard the words IC-opamp.

------------------------------

Date: Wed, 18 Nov 87 15:51:06 EST
From: [email protected] (John McLeod)
To: [email protected]
Subject: CB frequencies and power

CB's run at 4 Watts.  Their wavelength is 436 inches.  (~11m).

JOHN MCLEOD         Georgia Institute of Technology, Atlanta Georgia, 30332
uucp: ...!{akgua,allegra,amd,hplabs,ihnp4,seismo,ut-ngp}!gatech!gitpyr!jm7

------------------------------

Date:  Tue, 17 Nov 87 15:17 EST
From: [email protected]
Subject:  Signs of the Times [1984? and Information Vending]
To: [email protected]

A sign on Route 95 in Delaware to be seen just after passing the toll
booths for the Delaware Memorial Bridge reads "Information Police".

A sign on Route 95 in Pennsylvania just north of the Delaware border
reads "Weather Info Vending Machines".

------------------------------

Date: Mon, 16 Nov 87 22:02:27 EST
From: [email protected] (Burch Seymour)
To: [email protected], [email protected]
Subject: The Mercaptan goes down with the strip

[OK, this isn't really computer related, but I thought it might be
interesting as it's sort of high tech related.... and I kept it short too!]

The December 1987 Discovery magazine reports that the Baltimore, Maryland
utility commission sent out their "Energy News" bulletin with a special
addition.  To help promote public recognition they added a scratch and sniff
strip that smelled of mercaptan, the chemical added to natural gas to make
it smell.  Natural gas is odorless; the smell is added as a safety feature
so users can notice potentially explosive leaks. There was a problem. The
smell penetrated the unopened envelopes, causing hundreds of customers to
call the fire department to report gas leaks. "People were panicking at
first. They really thought they were having problems."

The brochures were shelved.

-Burch Seymour-  ...sun!gould!bseymour or something like that

------------------------------

Date:    17 Nov 87 18:48:34
To: [email protected]
From: Michael Wagner <WAGNER%[email protected]>
Subject: Re: Reach out and (t)ouch  (RISKS DIGEST 5.58)

> BONN, West Germany - An elderly West German woman ... received a
> whopping telephone bill for $2,3000.

 Wie, bitte?  The number actually printed in the article has some
 sort of problem, since people in North America don't normally
 write a number that way.  I tried to figure out what amount this
 really was.  $23,000 is completely out of line.  If it is $2,300,
 I can't reconcile this with the information in the story (10
 hours) and the rate schedules I have here.  I'm currently trying
 to find out more details of this story.

 [Add to that the fact that 2,3000 in German is 2.3000 in English.  PGN]

> The meter ran 10 hours.

 To me, this points out the 'brittleness' of some of our
 'high-tech' services.  Older services, like electricity and water
 service, intrinsically limit the amount of resource which can be
 consumed in a short time to some 'small' multiple of the 'normal'
 usage.  This little old woman probably calls her relatives in
 Nairobi once a month for 10 minutes.  For those 10 hours that her
 phone was off the hook, she was responsible for 4000 times her
 normal usage.  I don't think you can get 4000 times normal water
 flow for 10 hours out of your tap, and I don't think you could get
 that much electricity out of the wall without melting your
 entrance fuses.

 I must admit that those limits are the results of physical
 properties that are built into the delivery mechanism (friction in
 the pipes; heating of the wires and fuses in the service
 entrance).  The telephone is somehow 'better' because it doesn't
 have the non-linearities that give rise to these phenomena.
 However, those very non-linearities often serve a useful purpose
 in 'turning back the curve' in situations where a fault has
 occurred.

 One hopes, for instance, that if they bring the electricity to the
 house of the future with superconductors, they remember to use
 some 'normalconductors' in the service entrance to limit the total
 possible consumption to reasonable limits, for safety and billing
 reasons.

 Similarly, phone systems and computer systems should contain some
 reasonableness checks to detect outlying situations and alert
 staff to them.

> She then petitioned Parliament, which ruled this week that she
> would have to pay one-third of the bill for carelessness.

 I asked a friend about this; they were surprised that she got off
 so lightly.  It is somewhat unusual that she was 'excused' from
 her full liability.  The telephone system is an incredibly
 powerful institution here in Germany (and more or less in all of
 Europe, I gather).  They do, with alarming regularity, make
 billing mistakes.  And, being a part of the executive branch of
 the government, they have the muscle to make people pay the bills,
 even when the bill is under dispute.

Michael

------------------------------

End of RISKS-FORUM Digest
************************