Program error caused death of robot operator

Download 143.07 Kb.
Size143.07 Kb.
  1   2   3








Silicon Valley, USA
Jane McMurdock, Prosecuting Attorney for the City of Silicon Valley, announced today the indictment of Randy Samuels on charges of manslaughter. Samuels was formerly employed as a programmer at Silicon Techtronics, Inc., one of Silicon Valley's

newest entries into the high technology arena. The charge involves the death of Bart Matthews, who was killed last May by an assembly line robot.

Matthews, who worked as a robot operator at Cybernetics, Inc., in Silicon Heights, was crushed to death when the robot he was operating malfunctioned and started to wave its "arm" violently. The robot arm struck Matthews, throwing him against a wall and

crushing his skull. Matthews died almost instantly in a case which shocked and angered many in Silicon Valley. According to the indictment, Samuels wrote the particular piece of computer program which was responsible for the robot malfunction. "There's a smoking gun!", McMurdock announced triumphantly at a press conference held in the Hall of Justice. "We have the hand-written formula, provided by the project

physicist, which Samuels was supposed to program. But, he negligently misinterpreted the formula, leading to this gruesome death. Society must protect itself against programmers who make careless mistakes or else no one will be safe, least of all our

families and our children", she said. The Sentinel-Observer has been able to obtain a copy of the hand-written formula in question. Actually, there are three similar

formulas, scrawled on a piece of yellow legal pad paper. Each formula describes the motion of the robot arm in one direction: east-west, north-south and up-down.

The Sentinel-Observer showed the formulas to Bill Park, a Professor of Physics at Silicon Valley University. He confirmed that these equations could be used to describe the motion of a robot arm. The Sentinel-Observer then showed Professor Park the program

code, written by the accused in the C programming language. We asked Professor Park, who is fluent in C and several other languages, whether the program code was correct for the given robot arm formulas. Professor Park's response was immediate. "By Jove! It looks like he misinterpreted the y-dots in the formulas as y-bars and he made the same mistake for the x's and the z's. He was supposed to use the derivatives, but he took the averages instead! He's guilty as hell, if you ask me." The Sentinel-Observer was unable to contact Samuels for comment. "He is deeply depressed about all this", his live-in

girlfriend told us over the phone. "But, Randy believes he will be acquitted when he gets a chance to tell his side of the story."




Silicon Valley, USA
by Mabel Muckraker
The Sentinel-Observer learned today that Randy Samuels and others who worked on the 'killer robot' project at Silicon Techtronics were under tremendous pressure to finish the robot software by January 1 of this year. According to an informed source, top level

management warned killer robot project staffers that "heads would roll" if the January 1st deadline was not met. Randy Samuels, a Silicon Techtronics programmer, was indicted

last week on charges of manslaughter in the now famous 'killer robot case'. Samuels wrote the flawed software which caused a Silicon Techtronics Robbie CX30 industrial robot to crush and fatally injure its operator, Bart Matthews. Matthews was a robot

operator at Cybernetics, Inc. According to Silicon Valley Prosecuting Attorney Jane McMurdock, Samuels misinterpreted a mathematical formula, "turning harmless Robbie into a savage killer".

Our informed source, who wishes to remain anonymous and whom we shall call 'Martha' for the rest of this article, has intimate knowledge of all aspects of the Robbie CX30 project. Martha told the Sentinel-Observer that there was an enormous amount of

friction between Robotics Division Chief Ray Johnson and the Robbie CX30 Project Manager Sam Reynolds. "They hated each others' guts", Martha told the Sentinel-Observer in an exclusive interview.

"By June of last year the robot project had fallen six months behind schedule and Johnson went through the roof. There were rumors that the entire Robotics Division, which he headed, would be terminated if Robbie [the CX30 robot] didn't prove a commercial success. He [Johnson] called Sam [Reynolds] into his office and he really chewed Sam out. I mean you could hear the yelling all the way down the hall. Johnson told Sam to finish Robbie by the first of January or 'heads would roll'." "I'm not saying that Johnson was ordering Sam to cut corners", Martha added. "I think the idea of cutting corners was implicit. The message was, 'cut corners if you want to keep your job'". According to documents which Martha provided the Sentinel-Observer, twenty new programmers were added to the Robbie CX30 project on June 12th of last year. This was just several days

after the stormy meeting between Johnson and Reynolds which Martha recounted.

According to Martha, the new hirees were a disaster. "Johnson unilaterally arranged for these new hires, presumably by shifting resources from other aspects of the Robbie [CX30] project. Reynolds was vehemently opposed to this. Johnson only knew about manufacturing hardware. That was his background. He couldn't understand the difficulties that we were having with the robotics software. You can't speed up a software project by adding more people. It's not like an assembly line."
According to Martha and other sources inside the project, the hiring of twenty new programmers led to a staff meeting attended by Johnson, Reynolds and all members of the Robbie CX30 software project. "This time it was Sam [Reynolds] who went through the roof. He complained that the project didn't need more people. He argued that the main problem was that Johnson and other management people did not understand that Robbie CX30 was fundamentally different from earlier versions of the robot". These sources tell the Sentinel-Observer that the new hirees were not fully integrated into the project, even six months later, when ten Robbie CX30 robots, including the robot which killed Bart

Matthews, were shipped out. According to Martha, "Sam just wanted to keep things as simple as possible. He didn't want the new people to complicate matters. They spent six months reading manuals. Most of the new hirees didn't know diddly about robots and Sam wasn't about to waste his time trying to teach them". According to Martha, the June 12th meeting has become famous in Silicon Techtronics corporate lore because it was at that meeting that Ray Johnson announced his "Ivory Snow Theory" of software design and development. According to Martha, "Ray [Johnson] gave us a big multi-media presentation, with slides and everything. The gist of his 'Ivory Snow Theory' is simply that Ivory Snow is 99 and 44/100 per cent pure and there was no reason why robotics

software had to be any purer than that. He stated repeatedly that 'Perfect software is an oxymoron'".
Martha and the other insiders who came forward with information, consistently portrayed Johnson as a manager in desperate need of a successful project. Earlier versions of Robbie, the CX10 and the CX20, were experimental in nature and no one expected them to be commercial successes. In fact, the Robotics Division of Silicon Techtronics was operating heavily in the red since its inception six years ago. Either CX30 would succeed or Silicon Techtronics would be out of the industrial robotics business altogether. "The earlier Robbie robots got a lot of press, especially here in Silicon Valley", said another source, who also wishes to remain anonymous. "Robbie CX30 was going to capitalize on the good publicity generated by the earlier projects. The only thing was that Robbie CX30 was more revolutionary than Johnson wanted to admit. CX30 represented a gigantic step forward in terms of sophistication. There were a lot of questions about the industrial settings that the CX30 would be working in. Much of what we had to do was entirely new, but Johnson couldn't bring himself to understand that. He just saw us as unyielding perfectionists. One of his favorite quotes was 'Perfection is the enemy of the good'".



Silicon Valley, USA
by Mabel Muckraker
Randy Samuels, the former Silicon Techtronics programmer who was indicted for writing the software that was responsible for the gruesome 'killer robot' incident last May, was apparently a 'prima donna' who found it very difficult to accept criticism, several of his co-workers claimed today.
In a free-wheeling interview with several of Samuels' co-workers on the 'killer robot' project, the Sentinel-Observer was able to gain important insights into the psyche of the man who may have been criminally responsible for the death of Bart Matthews, robot operator and father of three small children.
With the permission of those interviewed, the Sentinel-Observer allowed Professor Sharon Skinner of the Department of Software Psychology at Silicon Valley University to listen to a recording of the interview. Professor Skinner studies the psychology of programmers and other psychological factors which impact upon the software development process.
"I would agree with the woman who called him a 'prima donna'", Professor Skinner explained. "This is a term used to refer to a programmer who just cannot accept criticism, or more accurately, cannot accept his or her own fallability". "Randy Samuels has what we software psychologists call a task- oriented personality, bordering on self-oriented. He likes to get things done, but his ego is heavily involved in his work. In the programming world this is considered a 'no-no'", Professor Skinner added in her book-lined office.
Professor Skinner went on to explain some additional facts about programming teams and programmer personalities. "Basically, we have found that a good programming team requires a mixture of personality types, including a person who is interaction-oriented, who derives a lot of satisfaction from working with other people, someone who can

help keep the peace and keep things moving in a positive direction. Most programmers are task-oriented, and this can be a problem if one has a team in which everyone is task- oriented."

Samuels' co-workers were very reluctant to lay the blame for the robot disaster at his feet, but when pressed to comment on Samuels' personality and work habits, several important facts emerged. Samuels worked on a team consisting of about a dozen analysts, programmers and software testers. (This does not include twenty programmers who were later hired and who never became actively involved in the development of the robotics software.) Although individual team members had definite specialties, almost all were involved in the entire software process from beginning to end.
"Sam Reynolds has a background in data processing. He's managed several software projects of that nature", one of the team members said, referring to the manager of the Robbie CX30 project. "But, his role in the project was mostly managerial. He attended all important meetings and he kept Ray [Ray Johnson, the Robotics Division Chief] off our

backs as much as possible ." Sam Reynolds, as was reported in yesterday's Sentinel-Observer, was under severe pressure to deliver a working Robbie CX30 robot by January 1 of this year. Sam Reynolds could not be reached for comment either about his role in the incident or about Samuels and his work habits.

"We were a democratic team, except for the managerial guidance provided by Sam [Reynolds]", another team member observed. In the world of software development, a democratic team is a team in which all team members have an equal say in the decision-making process. "Unfortunately, we were a team of very ambitious, very talented - if I

must say so myself - and very opinionated individualists. Randy [Samuels] was just the worst of the lot. I mean we have two guys and one gal with masters degrees from CMU who weren't as arrogant as Randy."

CMU refers to Carnegie-Mellon University, a national leader in software engineering education. One co-worker told of an incident in which Samuels stormed out of a quality assurance meeting. This meeting involved Samuels and three 'readers' of a software module which he had designed and implemented. Such a meeting is called a code review. One of the readers mentioned that Samuels had used a very inefficient algorithm (program) for achieving a certain result and Samuelson "turned beet red". He yelled a stream of obscenities and then left the meeting. He never returned. "We sent him a memo about the faster algorithm and he eventually did use the more efficient algorithm in his module", the co-worker added.
The software module in the quality assurance incident was the very one which was found to be at fault in the robot operator 'murder'. However, this co-worker was quick to point out that the efficiency of the algorithm was not an issue in the malfunctioning of the robot. "It's just that Randy made if very difficult for people to communicate their concerns to him. He took everything very personally. He graduated tops in his class at college and later graduated with honors in software engineering from Purdue. He's definitely very bright."
"Randy had this big computer-generated banner on his wall", this co-worker continued. "It said, 'YOU GIVE ME THE SPECIFICATION AND I'LL GIVE YOU THE COMPUTATION'. That's the kind of arrogance he had and it also shows that he had little patience for developing and checking the specifications. He loved the problem-solving aspect, the programming itself".
"It doesn't seem that Randy Samuels caught on to the spirit of 'egoless programming' ", Professor Skinner observed upon hearing this part of the interview with Samuels' co-workers. "The idea of egoless programming is that a software product belongs to

the team and not to the individual programmers. The idea is to be open to criticism and to be less attached to one's work. Code reviews are certainly consistent with this overall philosophy."

A female co-worker spoke of another aspect of Samuelson's personality - his helpfulness. "Randy hated meetings, but he was pretty good one on one. He was always eager to help. I remember one time when I ran into a serious roadblock and instead of just pointing me in the right direction, he took over the problem and solved it himself. He spent nearly five entire days on my problem". "Of course, in retrospect, it might have been better for poor Mr. Matthews and his family if Randy had stuck to his own business", she added after a long pause.




Silicon Valley, USA
by Mabel Muckraker
Two groups, committed to different software development philosophies, nearly came to blows during the initial planning meetings for Robbie CX30, the Silicon Techtronics robot which killed an assembly line worker last May. At issue was whether the Robbie CX30 project should proceed according to the 'waterfall model' or the 'prototyping model'.
The waterfall model and the prototyping model are two common methods for organizing a software project. In the waterfall model, a software project goes through definite stages of development. The first stage is requirements analysis and specification, during which an attempt is made to arrive at an agreement concerning the detailed functionality of

the system. As the project passes from one stage to the next, there are limited opportunities for going back and changing earlier decisions. One drawback of this approach is that potential users do not get a chance to interact with the system until very late in the system's life cycle.

In the prototyping model, great emphasis is placed on producing a working model or prototype early during the life cycle of a system. The prototype is built for the purpose of arriving at a final specification of the functionality of the proposed system. Potential users interact with the prototype early and often until the requirements are agreed upon. This approach affords potential users the opportunity to interact with a prototype system early during the development cycle and long before the final system is designed and coded.
In a memo dated December 11th of the year before last, Jan Anderson, a member of the original Robbie CX30 project team, bitterly attacked the decision of the project manager, Sam Reynolds, to employ the waterfall model. The Sentinel-Observer has obtained a copy of Anderson's memo, which is addressed to Reynolds, and Anderson verified the authenticity of the memo for this reporter. Reynolds fired Anderson on December 24th, just two weeks after she wrote the memo.
The Anderson memo refers to an earlier meeting at which an angry exchange occurred relating to software development philosophy. Anderson underlined the following passage in her memo: "I did not intend to impugn your competence at our meeting yesterday, but I must protest most vehemently against the idea that we complete the Robbie CX30 software following the waterfall model which you have used in previous projects. I need not remind you that those were data processing projects involving the processing of business transactions. The Robbie CX30 project will involve a high degree of interaction, both between robot components and between the robot and the operator. Since operator interaction with the robot is so important, the interface cannot be designed as an afterthought."
Randy Samuels, who has been charged with manslaughter in the death of robot operator Bart Matthews, father of three, was in attendance at the December 11th meeting.
In a conversation with this reporter, Anderson said that Samuels did not have much to say about the waterfall-prototyping controversy, but she did state that she would give her 'eye teeth' to have Samuels exonerated. "The project was doomed long before Samuels misinterpreted those formulas", Anderson stated emphatically, in the living room of

her suburban townhouse.

In her conversation with this reporter, Anderson did her best to explain the waterfall-prototyping controversy in lay terms. "The main issue was really whether we could agree on the system requirements without allowing actual robot operators to get a feel for what we had in mind. Reynolds has been in the data processing business for three decades and he's good at that, but he never should have been made manager of this project."
According to records obtained by the Sentinel-Observer, Silicon Techtronics moved Sam Reynolds from the Data Processing Division, which took care of inventory and payroll, to the Robotics Division just three weeks before the December 11th meeting alluded to in Anderson's memo.
Reynolds was moved to the Robotics Division by Silicon Techtronics president Michael Waterson. Reynolds was replacing John Cramer, whomanaged the earlier Robbie projects, CX10 and CX20. Cramer was placed in charge of CX30, but he died unexpectedly in a sky-diving accident. In placing Reynolds in charge of the CX30 project, our sources tell us that Waterson was going against the advice of Ray Johnson, Robotics Division Chief. According to these sources Johnson strongly opposed Reynold's choice as head of the Robbie CX30 project. These sources tell the Sentinel-Observer that Waterson's choice of Reynold's was purely a cost-saving decision. It was cheaper to move Reynolds to the Robotics Division than to hire a new project leader from outside the corporation.
The anonymous source that the Sentinel-Observer calls 'Martha' described the situation in this way: "Waterson thought it would be cheaper to move Reynolds to robotics rather than try to find a new manager for the Robbie project from outside. Also, Waterson tended to be suspicious of people from the outside. He often sends down memos about how long it takes people to master 'the Silicon Techtronics way of doing things'. In Waterson's view, Reynolds was a manager and he was moved to his new position in Robotics as a manager and not as a technical expert. Clearly, Reynolds saw himself as both a manager and as a technical expert. Reynolds was not aware of his own technical


According to Martha, Reynolds was very reluctant to manage a project which would not use the waterfall model which had served him so well in data processing. He attached prototyping as a "fad" at the meeting on December 11th and after a few verbal exchanges back and forth things got pretty personal.
"Anderson was especially vocal", Martha recalled. "She had lots of experience with user interfaces and from her perspective, the operator-robot interface was critical to the success of CX30 since operator intervention would be frequent and at times critical." In her interview with the Sentinel-Observer, Jan Anderson commented on this aspect of the December 11th meeting: "Reynolds was vehemently opposed to 'wasting time' - to use his words - on any kind of formal analysis of the user interface and its human factors

properties. To him, user interfaces were a peripheral issue."

"Anything new was a 'fad' to him [Reynolds]", Anderson added. "Computer interfaces were a fad, object-oriented design was a fad, formal specification and verification techniques were a fad, and most of all, prototyping was a fad."
Exactly one week after the December 11th meeting, the Robbie group received a memo from Sam Reynolds concerning the project plan for the Robbie CX30 project. "It was the waterfall model, right out of a textbook", Anderson told this reporter as she reviewed a copy of the project plan memo. "Requirements analysis and specification, then architectural design and detailed design, coding, testing, delivery and maintenance. In Reynold's view of things, there was no need to have any user interaction with the system until very, very late in the process."
The Sentinel-Observer has learned that the very first operator to actually use the Robbie CX30 robot in an industrial setting was Bart Matthews, the man who was killed in the killer robot tragedy. This initial use of Robbie CX30 in an industrial setting was covered by the media, including this newspaper. In a great irony, the Silicon Techtronics Annual Report for Shareholders, published last March, has a picture of a smiling Bart Matthews on its glossy front cover. Matthews is shown operating the very same Robbie CX30 robot which crushed him to death barely two months after the photograph was taken.





Silicon Valley, USA
by Mabel Muckraker
At a news conference this afternoon, a ragtag group of programmers who call themselves the "Justice for Randy Samuels Committee", distributed documents which show that Silicon Techtronics had obligated itself to deliver robots which would "cause no bodily injury to the human operator". Randy Samuels is the programmer who has been charged with manslaughter in the infamous 'killer robot' case.
"We cannot understand how the Prosecuting Attorney could charge Randy with manslaughter when, in fact, Silicon Techtronics was legally bound to deliver a safe robot to Cybernetics", said committee spokesperson, Ruth Witherspoon. "We believe that there is a cover-up going on and that there is some kind of collusion between SiliTech [Silicon

Techtronics] management and the Prosecuting Attorney's office. Michael Waterson was a major contributor to Ms. McMurdock's re-election campaign last year". Michael Waterson is President and CEO of Silicon Techtronics. Jane McMurdock is the Prosecuting Attorney for the city of Silicon Valley. The Sentinel-Observer has confirmed that Waterson made several large contributions to the McMurdock re-election campaign last fall.

"Randy is being made the scapegoat for a company which had lax quality control standards and we are not going to stand for it!" Witherspoon shouted in an emotional statement to reporters. "We believe that politics has entered this case." The documents which were distributed by the Justice for Randy Samuels committee were portions of what is called a "requirements document".
According to Ruth Witherspoon and other committee members, this document proves that Samuels was not legally responsible for the death of Bart Matthews, the unfortunate robot operator who was killed by a Silicon Techtronics robot at Cybernetics, Inc. in Silicon Heights last April. The requirements document amounts to a contract between Silicon Techtronics and Cybernetics, Inc.
The requirements document spells out in complete detail the functionality of the Robbie CX30 robot which Silicon Techtronics promised to deliver to Cybernetics. According to Witherspoon, the Robbie CX30 robot was designed to be an "intelligent" robot which would be capable of operating in a variety of industrial settings. Separate requirements documents were required for each corporate customer since Robbie CX30 was not an "off-the-shelf" robot, but a robot that needed to be programmed differently for each application.
However, all requirements documents which were agreed upon under the auspices of the Robbie CX30 project, including the agreement between Silicon Techtronics and Cybernetics, contain the following important statements: "The robot will be safe to operate and even under exceptional conditions (see Section 5.2) the robot will cause no bodily injury to the human operator." "In the event of the exceptional conditions which potentially contain the risk of bodily injury (see Section 5.2.4 and all of its subsections), the human operator will be able to enter a sequence of command codes, as described in the relevant sections of the functional specification (see Section 3.5.2), which will arrest robot motion long before bodily injury can actually occur."
"Exceptional conditions" include unusual events such as bizarre data from the robot sensors, erratic or violent robot motion or operator error. It was exactly just such an exceptional condition which led to the death of Bart Matthews.
These paragraphs were extracted from the portion of the requirements document which dealt with "non-functional requirements". The non-functional requirements list in complete detail the constraints under which the robot would be operating. For example, the requirement that the robot be incapable of harming its human operator is a constraint and Silicon Techtronics, according to Ruth Witherspoon, was legally obligated to satisfy this constraint. The functional requirements portion of the requirements document covers (again in complete detail) the behavior of the robot and its interaction with its environment and its human operator. In particular, the functional requirements specified the behavior of the robot under each and every anticipated exceptional condition.
In her statement to reporters at the news conference, Witherspoon explained that Bart Matthews was killed when exceptional condition arose. This involved an exceptionally violent and unpredictable robot arm motion. This condition required operator intervention, namely the entering of the command codes mentioned in the

document, but apparently, Bart Matthews became confused and could not enter the codes successfully. "Although Randy Samuels' program was in error - he did misinterpret the robot dynamics formulas, as reported in the media - exceptional condition was designed to protect against just this sort of contingency", Witherspoon told reporters. "The robot motion values generated by Randy's program correctly set off this exceptional condition and the robot operator received due warning that something was wrong".

Witherspoon claimed that she has a signed affidavit from another Cybernetics robot operator to the effect that the training sessions offered by Silicon Techtronics never mentioned this and many other exceptional conditions. According to Witherspoon, the robot operator has sworn that neither she nor any other robot operator was ever told that the robot arm could oscillate violently.
Witherspoon quoted the affidavit at the news conference. "Neither I not Bart Matthews was ever trained to handle this sort of exceptional condition. I doubt that the Bart Matthews had any idea what he was supposed to do when the computer screen started flashing the error message on the screen".
Exceptional conditions requiring operator intervention cause an error message to be generated at the operator console. Silicon Valley Police confirm that when Bart Matthews was killed, the reference manual at his console was opened to the page of the index which contained entries for "errors". Witherspoon then quoted sections of the requirements document which obligated Silicon Techtronics (the vendor) to adequately train robot operators:
"The vendor shall provide forty (40) hours of operator training. This training shall cover all aspects of robot operation including exhaustive coverage of the safety procedures which must be followed in the case of exceptional conditions which potentially contain the risk of bodily injury.”
"The vendor shall provide and administer appropriate test instruments which shall be used to certify sufficient operator understanding of robot console operations and safety procedures. Only employees of customer who have passed this test shall be allowed to operate the Robbie CX30 robot in an actual industrial setting.”
"The reference manual shall provide clear instructions for operator intervention in all exceptional situations, especially and including those which potentially contain the risk of bodily injury."
According to Witherspoon, sworn affidavits from several robot operators at Cybernetics, Inc., state that only one work day (approximately eight hours) was spent in operator training. Furthermore, almost no time was spent discussing potentially dangerous exceptional conditions.
"The written test developed by Silicon Techtronics to certify a robot operator was considered a 'joke' by Cybernetics employees", Witherspoon asserted. "Silicon Techtronics obviously did not give much thought to the training and testing procedures mandated by the requirements document according to the evidence in our possession".
reprinted with permission of ROBOTICS WORLD

the premiere journal of ROBOTICS AND ROBOTICS


Download 143.07 Kb.

Share with your friends:
  1   2   3

The database is protected by copyright © 2024
send message

    Main page