The more we know, the less we know, and that's a problem for electronics and society
In his dotage, my old man (a chemistry Ph.D) used to say, as he slowly stirred his martini with a crooked finger, “the more we know, the less we know.”
As systems become increasingly complex because we overcome old technological hurdles, they also become more unpredictable.
One recent example is report that NHTSA and the NASA Engineering and Safety Center (NESC) published regarding unintended acceleration of Toyota automobiles. Michael Barr has an excellent report on it. In short, NASA said it couldn’t rule in but couldn’t rule out software problems as a culprit in the unintended acceleration problem.
And Stanford, via its Facebook page, has described how engineers are addressing the "aeroelastic flutter" problem, a complicated, unpredictable phenomenon. (P.S. don't watch this video if you happen to be on a plane with WiFi).
The more complex the software (and hardware), the harder it is to model and find corner cases. We seem to be falling behind in assessing the known unknowns and we’re completely in the dark about how to approach unknown unknowns.
We race up the abstraction ladder to try to keep our arms around design complexity, but that creates other issues. I attended the annual meeting of college engineering departments recently in Phoenix and one questioner from industry stood before a panel of academics shaking his head. It’s great to turn out really smart kids who know theory and can deal with abstraction, but if they struggle with basic engineering concepts, companies need to train (or retrain, perhaps) them.
How are we going to get better at anticipating the unknown unknowns? It is formal methods? It is impossible?
Please forgive the following snide comment: "What? Are there known unknowns?"
OK, I'm over it! Seriously - my experience has been that understanding basic concepts and seeing those concepts in action, or better yet, working with them in a "real world" manner will probably be of greatest benefit. Theoretical exercises certainly can work to demonstrate the fundamental concepts, but the real world is full of nth-order effects and dependencies that often seem to contradict theory, because the theoretical model is incomplete or incorrect. Read National Semi guru Bob Pease's work if you want to know how often theory (specifically SPICE models and simulation) do not match real world fact.
Models are just that - models. It is kind of like going into war battles per the model(s) on the planning room table, and wondering why it didn't actually work out the way it was planned. Not only is the real world different than models, real people in real time/world situations don't give a damn about a model when reality is staring them in the face.
I should have mentioned that story that emerged this week as part of the BP oil-leak investigation. The well apparently has a device whose sole purpose is to clamp the pipe shut in case of an emergency. The explosion shifted the pipe slightly so that the two opposing parts of the clamp couldn't form a tight fit.
You'd think they would have factored in potential misalignment of the pipe in an explosion, but maybe not.
To KD's point, models are models. And I supposed if we could factor in all the potential outcomes, we'd never move forward for fear of catastophe.
The moral of the story being that in the case of oil wells that can pump the sea full of oil, or nuclear reactors that can pump the atmosphere full of radioactivity, a backup system is not enough. You have to have backups of backups. And that's where we always seem to go wrong.
I have not observed the oil or nuclear industries pursuing perfection of health and safety. Their fiduciary responsibility is to maximize shareholder profits, and as long as society is the de facto ultimate re-insurer, insurance costs for rare, but statistically inevitable catastrophes, will not be realistically high enough to give health and safety a good ROI. (Society pays later so that well connected industries won't have to pay now.)
And it's not just industry. Consider earthquake insurance in California. Why don't the majority of people buy it, and why don't mortgage companies require it? Partly wishful thinking, of course, but more importantly, they assume that if there's another SF earthquake, the government will pick up a huge part of the reconstruction tab.
To paraphrase Bob Pease, the results can never be more accurate than the model used. An incomplete model can produce very pretty results that are very wrong, although they may appear to be correct over some small range. With the failed blowout preventer on the oil well, the device is supposed to be locked onto the well so that no shift is possible.
As for taking control of the big screen, would you want that capability to fall into the hands of those internet folks trying to sell us viagra? Just think about that "unintended consequence."
Back ups to back ups may not be a bad idea as long as that redundent back up does not rely on something that can or will fail in a catastrophic failure. Oh , about blow out preventers, didn't there instruments indicate there was an issue?
Yes, we need backups of humans.
The initial comments coming out at the time indicated that there were a number of cases where instruments were warning of problems but were ignored by the higher-ups, management dictated short-cuts from normal petroleum engineering standards, etc.
I just checked out the 'Aerostatic Flutter' link.
Cool stuff! Though the solution that was presented seemed too simplistic for all the aeronautical engineers to have not considered as yet. I would love to hear what NASA had to say about their models.
NASA can model, simulate, make, launch the Messenger satellite to orbit mercury after making it travel for more than 6 years and billions of miles . That disproves the uncertainty principle. Uncertainty of performance, uncertainty of quality etc is actually built by the product designer or implementer by overlooking some aspects. That 'let-go' thing is yhe root cause of all those uncertainties. In case of a mission like sending the satellite to Mercury such 'let-go' attitude is not tolerated and hence the project becomes successful.
In a similar light, the less I know about the origin of Kopi Luwak amd Chorizo, the better I enjoy my breakfast with my favorites: scramble eggs and coffee. One has to enjoy the result that proven good sources of nurishment and flavor. By the same token, one has to understand at a high-level the implications of complex organic chemistry, and know alergy potential, the same way that basic modeling provides an estimate. Not necessarily a detailed and inclusive analysis of significant n-th order effects. Just an observation.
Uncertainty in design is inversely proportional to time and money spent the original design as well as the design of the backup systems. There is an included factor that prevents uncertainty from actually reaching zero.
In theory, the more mission critical / life-critical a system is, the more time and money it gets put on redundancy and back-up systems. Reality doesn't always match up with theory in this case either though.
Without models, you can't design extremely complex machinery in the first place. The trick is to know when to leave the model behind and confront reality directly. Don't blame the models nor the modeling when it's human judgment that's often the root cause of a problem.
On books, first read C. Perrow's book Normal Accidents, which points out the commonalities (and seemingly near-inevitability) of accidents such as nuclear plants, but then read Chiles' book, which also points out that for every Big Accident, there are ten near-misses that would have also been Big Accidents but for the timely intervention of some enlightened person who saw what was happening in time to take action.
@crwilliams and @rpcy... I would love it if you'd write up reviews of the books you referenced. They sound like worthy additions to the Engineer's Bookshelf section.
If you're game, just send me your review to my email and i'll post straight away: firstname.lastname@example.org.
Thanks for the comments!
What isn't mentioned here is reasoning with uncertainty. Often models don't include it either. The simplest model in the world can be used if it can tell you the boundaries of its accuracy. This is one of the key issues with SPICE. It often uses approximations. If instead of reporting them as gospel, it would tell you the answer was between two limits and always be right on that account, you could then decide if that was an adequate answer or more investigation was needed.
And to NevadaDave, there are known limits to existing knowledge and models. When we go outside those, we know that we are in unknown territory.
This thread takes on new meaning in the wake of the failure of the fuselage aboard the Southwest Airlines flight.
The USA Today article states the obvious: "Holes in planes rare but pose deadly risk"
I have to think, though, that as circuits shrink and get weaved into more and more materials, that our ability to be alerted to material stress and the like through sensors increases. That's a nice insurance policy when modeling falls short.
I have a feeling that simple designs are not possible or allowed anymore. It has to be cramped with features, applications, extensions and connections that make them unnecessary complex. If I look to software most people rarely use 15% of the capabilities of f.i. word processors. I know that in the name of progress and profit a lot of the complexity is actually a need that is artificially created by clever campaigns from manufactures and not consumer demanded. And ther is also the learning curve for each product that becomes steeper when getting older. There is no relation anymore with the look and feel of the old product you replaced (f.i. Cell phones) A more baffling evolution is that simple products become more expensive due to there limited market potential (f.i. Cell phones for elderly people) The “Back to basics” although a good slogan has sometimes a strange side effect.
Better tools. That is how we have managed each technological step. As industry became dependent on electricity, no-one said 'Let's a'make all our manufacuring systems more fragile', they said 'Look how much more productive we are with this new machinery!' Then, by trial and error, with factories failing every now and then, tools were developed to make reliable electricity generation, monitoring, and usage.
Whether this attitude will work as we abstract our software-dependent systems still further from our caveman roots, remains to be seen. But I suspect that the best use of computer power will be found to be in software manufacture, in removing the human element from every part of the process that doesn't need it.
But that initiative won't come from the software community, will it?