Slashdot Mirror


User: Ol+Olsoc

Ol+Olsoc's activity in the archive.

Stories: 0
Comments: 16,205

Comments · 16,205

  1. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    My point still stands. There is no reason for a warning system for Russia, China, or any other country. We are not at war.

    This is some pretty interesting logic, you don't need a warning system until after you are attacked. Considering the efficiency of nucs as far as killing goes, that's a little late.

  2. Re: YAY for coal? on California Will Close Its Last Nuclear Power Plant (sfchronicle.com) · · Score: 1

    I live in south central PA; the roads, highways, bridges, and infrastructure fucking suck here.

    There is so much that it takes time to fix them all.

  3. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    What a well reasoned posting, I especially like the respectful way you describe the people involved in a system you have no f-ing clue how it operates.

    And no, that thinking isn't the problem which should be obvious if you spent some seconds thinking about it - assuming you have an IQ higher than an amoeba.

    Speaking of respectful. Wanna talk about fail safe systems? Use the big words - I might just understand a lot more than you think I do.

    There's your challenge, Accepted? Prove that a software only system is fail safe.

    Ask the people aboard Flight 800.

    Oh, wait...

    And the Airbus too. Remember the early flight where the computer insisted that the plane fly below treetop level? "Fortunately" there were not that many on board.

    Or the one over in Europe where there was a strike that damaged the engines on takeoff? Yeah, the SOP is to reduce power to as low as possible and return to land the plane while you still have engines. But apparently pilots would often throttle back shortly after takeoff to lower noise level in nearby developments. Well, that was considered bad by some folk, so they inserted some new software that wouldn't allow you to throttle back. You could play with the throttle all you want, but it didn't matter. They didn't bother to tell the pilots either. So the poor schmedlocks were desperately trying to reduce engine RPMs to save the engines enough to land, while the computer destroyed them by running at full power. They crashed in a field a few miles from the airport. Fortunately no one was killed. There were plenty of injuries though.

  4. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    Hey, it's probably a Windows-based system. We're lucky it didn't just decide to do a "Critical Update" at that moment!

    I heard on one news report that the reason it took so long to cancel the Alert was that the Application that was supposed to do that "wasn't loaded"

    (Now was it CANCEL.EXE, OR CANCEL1.EXE...?)

    It is REALLY amazing we haven't had a bug-related missile launch in all this time...

    We've come so close to accidentally incinerating ourselves on multiple occasions. Sensors fail, computers have software issues. In these cases, a human managed to believe something was askew when the computers were squawking at them to start WW3. The scariest one was the Soviet satellite problem where it insisted the US had launched 5 nuc tipped missiles, and the funniest Strangelovian moment was when we almost ended the world as we know it when a moonrise over Norway became a Soviet missile launch. https://www.nytimes.com/2018/0... Seriously, North Korea has nothing on the Nuclear Follies.

    But to be serious, we might be in a situation now where caution won't be exercised. We have NK and the Present Occupant in a weenie waving contest, and said occupant does seem to want to use these big boys, which might cement his position in history pretty solid. So I for one, take accidental incoming missile strike oopsies pretty seriously, just for the potential escalation. It isn't likely to happen, a reality check should show no launch signatures, but these are not normal times.

  5. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    You need a mechanical physical switch with a switch guard. The very fact that an actual alert would be triggered by a menu item, indicates a completely incompetent design. I seldom call for people's jobs, but I'll make an exception in this case..

    I thought the same thing about the keyswitch/switchguard.

    But even a simple, glaring-red "ARE YOU SURE?!?" Confirmation Dialog would have probably prevented this frickin' FIASCO!!!

    Probably. But it's still a computer driven thing, and if there is one thing I've learned it's that people trust computers too much. If they really worked all that well, they'd be the ones launching missiles automatically, no human intervention needed.

  6. Re:No, you DON'T! on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    You need a mechanical physical switch with a switch guard.

    No, you DON'T!

    If you had such a switch, pushing it would have to be part of the test. Otherwise you've created a single point of failure that causes the live function to fail even though the test passes - and you don't find out until the missiles are inbound.

    If you don't have feedback you don't even have a system. You know, it's like you turn the key in the ignition, and the car starts. In this case, the computer notes that the emergency message has been sent. This isn't rocket surgery. Worst built in feedback case that I'd use - although it would be ground truth - would be looking at a phone to see that it had the emergency alert on it.

    Of course it would have feedback, and its point of failure is no more a single point than the computer's. And go ask an engineer what is more reliable, a computer or a high quality on off switch. Seems that they use them for serious things like launching boomy candles.

  7. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    And while we're harping on the design and installation, why isn't there a "FALSE ALARM DISREGARD LAST ALERT" message button, for when this does happen?

    That is definitely needed.

  8. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    The guy who sent out the alert was just a person making a mistake on fatally flawed software.

    The guy who sent out the alert should have noted the design flaw and made accommodation. He also should have notified his superiors of the situation, requesting an update. Clearly he wasn't fit for the job.

    Clearly you haven't worked in this sort of system. Input from the user is seldom accepted. If the guy on the front line knew what they were doing, they would be in charge. At least that's what the people in charge think.

  9. Re:YAY for coal? on California Will Close Its Last Nuclear Power Plant (sfchronicle.com) · · Score: 1

    Yup, those subsidies for coal aren't creating jobs but enriching the owners and executives.

    Of course. But the people who think they are for jobs are useful for votes.

  10. Re:YAY for coal? on California Will Close Its Last Nuclear Power Plant (sfchronicle.com) · · Score: 1

    Sort of like "California" blend of unleaded gasoline. It's cheaper in other states. They DO make a different version just for CA. Same thing for handguns and rifles. CA gets special "more saferest" version or something.

    And here in Pennsylvania we pay a good deal more for gasoline. The extra goes for road maintenance.

    Whatever, I'll take good roads over cheap as possible gasoline.

  11. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    Indeed. Setting a trigger this loose is asking to get shot. Only the truly incompetent do this.

    My guess is that the decision was made on a financial basis, perhaps some suits in a conference room. It really indicates a lack of knowledge about programming and computers in general.

    Perhaps it wasn't considered a life critical system. I'd differ given that it scared the crap out of a lot of people, hopefully no one was injured or killed.

    But we've all accidentally hit a wrong menu item, especially when using a mouse. An emergency system needs a number of attributes

    It needs good accuracy - we don't know about that in this system

    It needs flexibility - I suspect it has it.

    It needs an effort to trigger it. - This system fails miserably in that aspect. Activating a test is almost identical to activating the system.

  12. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    Their design and implementation indicates either a lack of knowledge of life critical systems

    Who says the system remains in the vanilla state that existed when it was released? Maybe the labels are under user control, or the user specifically requested these labels, or they came out in different releases, etc. Given that this is likely custom government software, it was probably built on a set of skimpy requirements and not analyzed by anyone who might have known better.

    Well, my failsafe is that switch, or Key to activate the system. If that was removed, I'd consider that a criminal act.

  13. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    I agree! And I also seldom call for people to be fired.

    But, just to be totally clear -- the person/people who should be fired is NOT the operator who selected the wrong drop-down box on the badly-designed UI. And NOT the one who coded it, either. The real culprit here is whoever reviewed, and approved the architecture. Probably a _much_ higher level person than the one who will most likely be blamed -- given what I know about typical government and corporate scapegoating habits.

    Exactly. The person who accidentally activated the alarm was almost blameless, the programmers were just working with their marching orders.

    I'm expecting the guy who empties the trash cans and mops the floors to be the chosen culprit.

  14. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    Most likely the responsible guys are not the programmers but the "product managers".

    I definitely agree. The programmers get their directions from the managers.

  15. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    A system like this should be engineered to have some set of distinct modes like "Standby", "Testing" and "Live". In order to put the system into "Live." should require a physical interconnect such as a key.

    Bingo! "Sokath, his eyes opened"

    All critical systems I have worked with need that key or guard, which closes a switch. Which goes someplace, which activates the final step, whatever that is. Previously it was activating some machinery which might kill people if it started when they were around it. Now it isn't such an issue on present systems.

    I would see this system as one enabling the computerized message to go out to everyone. Activate the key which is the switch, and the computer knows it is go time. Sends out the emergency message for whatever emergency message is chosen via the software.

  16. Re:YAY for coal? on California Will Close Its Last Nuclear Power Plant (sfchronicle.com) · · Score: 1

    In what case does a company not NEED to sell its product???

    Exactly. There is money in electrical power generation, but you have to sell it to make it. And those turbines and generators and other equipment don't come cheap.

    And given all the extra steps that coal needs, like pulverizing the coal and burning it and maintaining the burners (since NatGas is a lot cleaner) the coal stations which are also older, have a lot of extra maintenance going on. They really need the money. Coal is getting harder to get, it is dirty, and Natural gas is cleaner and a lot less maintenance as well. Topped off with customers who don't want to use coal, the death knell for coal power is being tolled.

    And even if we subsidized the bejabbers out of it, all of those promised jobs aren't happening. Today's coal mining is a few guys and a supervisor, some explosives, a dragline and some big ass trucks. Most of the coal jobs are gone and won't ever come back. There are operations north of where I live, and it is amazing how much is done by just a few people.

  17. Re:YAY for coal? on California Will Close Its Last Nuclear Power Plant (sfchronicle.com) · · Score: 1

    Except the surrounding states probably don't NEED to sell electricity to CA.

    Then the demand goes down. If a coal plant doesn't need the money, then it all balances out.

    In most cases, the operator of the plant would really like to get money for the power they are generating. And if a big customer is giving preferential treatment to a different supplier, that has an impact on the bottom line.

    These power generating schemes don't just spring up overnight, with the power stopping at the borders. When the generation stations were built, they were sized with the intention of being able to supply power to whoever was willing to pay. So a power distribution outfit in one state might want to purchase X number of MW hours from a particular operator. That's money coming in.

    There was a criminal scheme a few years back by Enron, who engineered a power crisis in California. They gamed the system, and got caught. Unless the New America enables such gaming again, it will be a pretty well run system. Buy the power, provider generates the power. Everyone is happy. But if no one is buying your available power, you aren't making as much as you would like. What's worse, since they can buy power off anyone they like, that supply and demand will up the money taken in by the gas powered energy providers.

  18. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    What a well reasoned posting, I especially like the respectful way you describe the people involved in a system you have no f-ing clue how it operates.

    And no, that thinking isn't the problem which should be obvious if you spent some seconds thinking about it - assuming you have an IQ higher than an amoeba.

    Speaking of respectful. Wanna talk about fail safe systems? Use the big words - I might just understand a lot more than you think I do.

    There's your challenge, Accepted? Prove that a software only system is fail safe.

  19. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    The larger blame lies with the government and the (I hate the term, but it's so applicable here.) sheeple who call for this sort of a warning system.

    There is no legitimate reason to have this sort of warning in place. None! North Korea has established that it can hit the ocean with its missiles most of the time.

    Warning systems are not just for North Korea. Russia and America also have some big boomy candles. My guess is that both Hawaii and the west coast are in the targets. These systems were in place a long time ago. Russia has early warning systems as well.

  20. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    I don't know. In my experience every design choice has unintended (although hopefully not unaccounted-for) consequences.

    You have to add up all the foreseeable failure modes of a system with a mechanical switch -- including but not limited to a mechanical failure when you actually need to use it -- weighted by the probabilities of those failure modes. Just throwing a mechanical switch into a system because you had a failure is not engineering.

    In no way shape or form is the idea to "throw a mechanical switch into a system" because you had a failure. The mechanical switch should have been in the initial engineering design from the very beginning, because it will prevent a failure. A failure that happened because people who don't know any better thought that the entire thing could have been controlled without failure by menu items.

    But that didn't happen did it? If this system was part of the launch system for nuclear missiles the world would have been in an interesting state today, would it not? In engineering you don't just focus on the desired result of a feature.

    I'm not saying that a physical arming switch isn't the best option, but designing a solution to this problem is a job for someone with experience dealing with human factors in systems.

    Right, now just google "The man who saved the world". This will bring you to a very interesting story about one Stanislav Petrov, who after receiving commands to launch nuclear tipped missiles via a satellite problem, he reasoned that the US wouldn't be likely to launch only the 5 missiles the satellite indicated were heading to the Soviet Union. He probably saved the world from a very interesting future. That is Human Factors by definition. And a needed disconnect from people's trusting of all things computerized.

    I suspect having distinct armed/test modes is a good idea, but a switch alone isn't going to be enough, you'd need to have other indications the system is live -- e.g. klaxons and flashing lights.

    The switch isn't replacing the computer. And wouldn't be used in the test mode at all. (Note I'm not certain of the exact details, but for the test of the system, a menu item would suffice.) The physical switch means go time. But it's something that is external and connected to the computerized system.

    This is not dissimilar to launching systems for ICBMs. They have multiple physical keys that actuate switches. Do you have a software only solution that you would propose that would be more reliable?

  21. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    Plain old mechanical mercury switch is good for around 70-90 years after the initial test, and require no secondary yearly testing as long as the mercury hasn't leaked. And that it can along with the wiring be checked with a spot inspection. They're still used in a lot of stuff, that require one-off emergency trip fails. One of the heavy industry companies I worked for exclusively used them as part of the auto-stop system in the event of an emergency. Because they always work, sure mercury is toxic, it hurts the environment. But when you want a 99.99999% of there being zero failure? Sometimes old tech is still best tech.

    I'm having fun here arguing with people who think that software is more dependable than things like mercury switches. Even more so, they are arguing the superiority of a system that has already demonstrated failure.

  22. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    Not a routine looking one anyway. But a strangely shaped bright red dialog box that only appears in this context might be a good idea.

    Or better yet, some unusual additional but easy to perform action that is also hard to do accidentally like "type in user name".

    That still doesn't negate software failure. Need a human in the loop who is willing to think.

  23. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    A mechanical switch is prone to failure so will need to be tested regularly, and runs the risk of being tested with the system in "live-fire" mode.

    Everything is susceptible to failure. Mechanical switches can certainly be more reliable than a software program.

    The switch output is going to be converted to a software signal anyway, so it makes the system more complicated for no real benefit.

    So are you positing that all mechanical switches and keys be removed from nation's nuclear arsenals because a computer only system is safer?

    So these computer thingies. They don't have any switches in them? Computer keyboards and on off switches will be prone to malfunctions, certainly more so than a heavy duty industrial quality. There are inputs and outputs like Ethernet connectors as well.

    Fail safe does not mean that no errors or failures will occur. What it means is that a failure is isolated and ends up in a safe condition. Such an external switch is not disconnected from a computer either. It's just the last step in activating a life critical system.

    There's no reason why a software trigger can't be protected with a confirmation dialog, like "You are about to send a live missile alert, type 'YES' to continue"

    You mean kind of like what they had, and what was ignored? This is my whole point. And yet here we are people arguing to the system that failed. That dialog box, Would you be willing to bet your life that the software is so good, so well tested that it will never ever have a problem? That the software is so perfect that it is 100 percent impossible that it will not be activated by a software problem? I suspect you will answer no, and if yes, you need to study history of the software events of the nuclear age.

    At very best, perhaps a blinking red screen, and a klaxon horn at 120 decibels might alert the person activating the menu item might help, but that won't cure accidental software provided auto activation.

  24. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    How about 2 for wild fires (one actual, one test), then there would be 2 more for mud slides. I guess tornado warnings would require two as well. What about civil disturbance - should that require a physical switch?

    I'm not defending GP's idea of using a switch, but this is obviously not what he meant. One switch for all live alerts would serve the purpose. There are plenty of reasons to criticize that as a bad idea without getting silly.

    If you have a fail safe in the system, it does not cut the computer out. You simply select the message to be sent, then use the mechanical switch to send it. The concept is that a physical action of raising the guard is a step that makes you think for a second - am I sure? then the last step is the switch - am I really really sure??

    I understand this is a tech site, where many people believe in the infallibility of computers, and that humans are considered the weak link. I would suggest that they do some study on Stanislav Petrov, known as "The man who saved the world." https://www.theatlantic.com/te...

    Had he relied on the computing facilities and launched, the world would be a quite different place. It was a matter of throwing a switch or switches, but the control was outside the computer. Imagine if y'alls presumably much superior menu item launch with its proven mistake prone operation was in control.

    Here's the challenge: show how a completely menu driven system controlled only by software will be more fail safe than a system that makes you think hard about activating it. Since y'all know I am wrong - you must have the right way to do this ready to implement.

  25. Re:Uforgiveable on The Tech Failings of Hawaii's Missile Alert · · Score: 1

    Wow. What an ignorant statement. Let me guess - you have never worked in an emergency setting. So how many physical switches do you want? You already want 2 for missile alerts. How about 2 for wild fires (one actual, one test), then there would be 2 more for mud slides. I guess tornado warnings would require two as well. What about civil disturbance - should that require a physical switch? Then there's any type of hazmat incident.

    Why don't you learn a bit about emergency management before you make an ass of yourself!

    I am a technical consultant for Emergency communication systems. And I have to say, little Coward - you would be escorted to the front door as your last involvement with that 'tude. Rather than just an argument which has nothing to do with what I posted, you are at best amusing, but have no place in emergency management.

    Arguing for a system that has failed, and we know why it has failed, is a pretty weak starting point. It was going to happen, it was going to happen because it was a menu item for activation beside a menu item for testing, and by golly, it happened. It was the opposite of a fail safe system. All of the intermediate steps I propose of Mechanical switches and Switch guards are fail safes.

    And if you don't understand what a fail safe is, you might do some studying before you claim that others need to learn a bit. Just sayin'