cmh-issc-lessons (Handouts)
File description
The file "cmh-issc-lessons" is located inside the archive in the folder "Handouts" (Раздаточные материалы). It is a PDF file from the "Handouts" archive, which is filed in the category "". All of this belongs to the subject "liquid-propellant rocket engines (ЖРД)", 7th semester, in the file archive of Bauman Moscow State Technical University (МГТУ им. Н.Э. Баумана). Although this archive is directly associated with Bauman MSTU, it can also be found in other sections: the archive is available in the "other" section, under the subject "liquid-propellant rocket engines (ЖРД)" in the shared files.
Text from the PDF
Appears in the Proceedings of the 17th International System Safety Conference, August 1999, pp. 598-607

From Bridges and Rockets, Lessons for Software Systems

C. Michael Holloway; NASA Langley Research Center; Hampton, Virginia

Keywords: safety, high integrity systems, software engineering, accident analysis, history

Abstract

Although differences exist between building software systems and building physical structures such as bridges and rockets, enough similarities exist that software engineers can learn lessons from failures in traditional engineering disciplines. This paper draws lessons from two well-known failures—the collapse of the Tacoma Narrows Bridge in 1940 and the destruction of the space shuttle Challenger in 1986—and applies these lessons to software system development. The following specific applications are made: (1) the verification and validation of a software system should not be based on a single method, or a single style of methods; (2) the tendency to embrace the latest fad should be overcome; and (3) the introduction of software control into safety-critical systems should be done cautiously.

Introduction

Articles and books abound warning about the inadequacies of software development practices (refs. 1-9). Often, these inadequacies are attributed primarily to differences between software engineering and traditional engineering disciplines. Differences commonly cited include the following: the inherently discontinuous behavior of software as opposed to the inherently continuous behavior of physical systems, the fact that software does not wear out like physical components, and the relative youth of software engineering as compared to traditional disciplines.

Differences such as these exist, but do not justify the attitude that software is so different that nothing can be learned from traditional engineering disciplines. There is much that can be learned, as others have recognized. For example, in a 1994 article Nancy Leveson drew parallels between the early development of high pressure steam engines and current software engineering. She wrote, “Risk induced by technological innovation existed long before computers; this is not the first time that humans have come up with an extremely useful new technology that is potentially dangerous. We can learn from the past before we repeat the same mistakes” (ref. 10).

This paper is based on a similar premise, but uses a different approach. Instead of looking at the development of a particular technology, we look at two specific failures from two very different technologies: bridges and rockets. Studying failures was chosen because, as Henry Petroski has written, the lessons learned from failures “can do more to advance engineering knowledge than all the successful machines and structures in the world” (ref. 11). Bridges and rockets were chosen for two reasons. First, building bridges is one of the oldest engineering activities, and building rockets is one of the youngest. Second, the collapse of the Tacoma Narrows Bridge in 1940 and the destruction of the space shuttle Challenger in 1986 are two of the most widely known engineering failures of this century.

The discussion of both failures will be necessarily brief and incomplete, and will contribute nothing new to the understanding of either. The paper’s contribution is in the direct application of lessons from these failures to software engineering.

The structure of the remainder of the paper is simple. First, the Tacoma Narrows Bridge collapse is described, and four lessons from it are explained. Second, the Challenger accident is described; how this accident reinforces lessons from Tacoma Narrows is explained; and one additional lesson is added. Third, applications of the lessons are made to software systems. Finally, brief concluding remarks are made.

Tacoma Narrows Bridge Failure

Background: The first bridge connecting the Olympic Peninsula with the mainland of Washington was completed in 1940. The suspension bridge was built by the Washington Toll Bridge Authority to provide an alternative to taking ferries across Puget Sound to get to and from the Olympic Peninsula. Constructing the bridge took only nineteen months, at a cost of $6.4 million, which was financed by a grant from the Public Works Administration and a loan from the Reconstruction Finance Corporation. With a main span of 2800 feet, the bridge was the third longest suspension bridge in the world at that time. Only the George Washington Bridge in New York, and the Golden Gate Bridge in San Francisco were longer (ref. 12 is the source for the material in this section, unless otherwise noted).

The bridge was designed by Leon Moisseiff, who was one of the world's top authorities on bridge design. Moisseiff had been called in to design the bridge after the design proposed by the Washington Department of Highways was rejected as being too expensive. The Department’s design called for 25-foot deep stiffening trusses on both sides of the roadway to protect the structure from the strong winds that blew in the Narrows. Projected construction costs were $11 million.

Along with his partner Fred Lienhard, Moisseiff had developed a mathematical theory for calculating load and wind forces for suspension bridges. This theory, called deflection theory, was originally devised by the Austrian Josef Melan, but Moisseiff and Lienhard put it into practice. The underlying idea of the theory was that the “dead load of a suspension structure substantially moderates structural distortions under live load.” (ref. 13) Using deflection theory, Moisseiff was able to justify stiffening the bridge with only eight-foot deep plate girders, instead of the 25-foot deep trusses proposed by the Department of Highways. This change was a substantial contributor to the difference in the projected costs of the designs.

Because the amount of traffic over the bridge was expected to be fairly light, the bridge had only two lanes. As a result, the bridge was only 39 feet wide. This was quite narrow, especially in relation to its length. With only the eight-foot deep plate girders providing additional depth, the bridge was also shallow. The resulting silhouette was thought to be both dramatic and graceful.

The narrow, shallow bridge was flexible, more flexible than any other existing suspension bridge. This flexibility was noticed by the builders during construction, and it was also noticed by drivers as soon as the bridge opened to toll-paying traffic on 1 July 1940. At times the bridge undulated so much that drivers would be unable to see cars in front of them as the pavement rose and fell. Some travelers were reported to have even gotten “seasick” when crossing the bridge. The bridge was quickly nicknamed “Galloping Gertie”. Traffic on the bridge in its first two weeks was twice what had been expected, perhaps because it attracted not only those who needed to make the crossing, but also the area's roller coaster aficionados.

To reduce the amplitude of the bridge's wave motion, various checking cables and devices were added to it, as they had been to other suspension bridges with greater than expected oscillations. Also, the Washington Toll Bridge Authority contracted with the engineering department at the University of Washington to study how to reduce the bridge's movements. Professor F. B. Farquharson led the investigation, which experimented with a scale model of the bridge in a wind tunnel. Farquharson and his students issued a report suggesting that the bridge could be stabilized by adding additional cables, attaching curved wind deflectors, and drilling holes in the girders to let wind pass through. Disaster struck before the recommendations in the report could be implemented (ref. 14).

The Accident: On 7 November 1940, the clamps holding one of the added checking cables slipped in a wind of about 40 miles per hour. When this happened, Galloping Gertie began to move in a new way. Instead of just oscillating up and down as it had before, it started twisting about its centerline.