A possible method for making systems safe
George Westinghouse was not a theoretician, but was one of the great inventors of the 1800’s. He is most famous, perhaps, for the invention of the train air-brake in 1869. More on this in a moment.
Today I plan on talking about generalizations of Westinghouse’s ideas, and a role that they might play in computer science.
Train Brakes
The first trains were called Wagonways and were used in Germany as early as 1550. The power to move these trains was supplied by horses, until 1804 when Richard Trevithick, funded by Samuel Homfray, used a steam engine to haul 10 tons of iron and 70 men for 9 miles. This was the beginning of modern trains.
Almost immediately a critical problem developed: how to stop a train? Stopping the engine alone was insufficient once trains became long and moved fast; there was too much momentum for the engine, by itself, to stop a train. The first method used was simple: have an operator assigned to each car—they would pull on a hand brake when signaled to do so by the engineer. This quickly gave way to the direct air-brake system. In this system when the engineer wished to stop the train, he opened a valve that sent compressed air to each car—the air forced a brake against the car’s wheels. The train then stopped. Pretty neat.
Almost immediately another critical problem developed: how to stop a train reliably? The direct air-brakes worked well, when they worked. But if the compressed air tank was empty, or the pressure was too low, or there was a leak in the lines, the brakes would fail. Then the train would not stop. This was a problem.
Westinghouse’s genius was to solve this by inventing the reverse air-brake system. His brilliant idea was to use compressed air to make the train go, not to stop the train. Here is how his system worked. Each car had brakes that were held against the car’s wheels by a strong spring. In this position the train could not move. If the engineer wanted the train to move, he released compressed air that forced the brakes away from the wheels of all the cars. This allowed the train to move.
This, I think, is extremely clever. Notice if the compressed air tank was empty, or the pressure was too low, or there was a leak in the lines, the train would stop. The brakes would not fail, since all the brakes will be forced against the wheels by the springs.
This system is still in use today. I was once on an Amtrak train that was going from D.C. to Princeton when it just stopped in the middle of nowhere. It was late at night and we all wanted to get home, so someone asked the conductor, as he walked by us, what had happened? He answered in technical jargon:
The choo-choo she no go.
We later found out the train had broken an air hose and all the brakes were pressed on. We sat there for about an hour until they go a new hose and restored the integrity of the air system.
Elevators
Elevators are even older than trains, they may date back to ancient times. Only in the middle of the 1800’s, as tall buildings became possible, did elevator safety become a critical issue. As long as buildings were six stories or less, safety was not a major issue—although I would not want to be in an unsafe elevator even at this low height. However, in order to build tall buildings, elevators needed to be not only be safe, but to appear to be safe. Otherwise, people would be afraid to use them.
In 1853 Elisha Otis solved the safety problem of elevators. He invented a mechanism that would stop a falling elevator, even if its supporting ropes broke. The key was as long as the rope was taut the elevator’s brake was kept in, but if the rope became slack then the brakes would be released and they would stop the fall.
Otis’ brilliant insight was not an instant success. He finally realized a live demonstration of the braking mechanism would be needed to get the public to feel safe. During the first American world’s fair in 1854 Otis built an open elevator shaft. Several times a day he would get on the elevator, be hoisted up, and then cut the rope. Since the shaft was open in front all the spectators could see him do this. As the elevator began to fall, his mechanism would bring him to a safe, if sudden, stop. He is reported to have said each time:
All safe, gentlemen, all safe.
This live demo to thousands eventually made his company a success, and made tall buildings possible.
The General Principle
I think there is a powerful principle in use in both the train and elevator safety systems. They are both designed so that no positive action is required. Instead the safety is built into the physics of the system:
- In the train case: no air in the line, then springs stop the train.
- In the elevator case: no rope holding the elevator up, then brakes spring out and stop the elevator from falling.
The key principle seems to be: do not rely on an action, but on the structure of the system. Make the default, a passive state, a safe state so that when the system fails, it gets to the safe state by default.
I have always liked these systems, and have often wondered if we could use the same type of passive methods to build better computing systems. Could we, for example, make a system that is safe from worm attacks and uses a passive system? Is there a formal model of passive vs active systems that we could use to reason about whether such systems are even possible?
Open Problems
Is there any way to exploit the power of the passive methods used by Westinghouse and Otis to solve computer questions?
"
No hay comentarios:
Publicar un comentario
Nota: solo los miembros de este blog pueden publicar comentarios.