The nature of risk

From: Rob Seaman <>
Date: Wed, 25 Jan 2006 10:52:03 -0700

Poul-Henning Kamp says:

> If we abandon leapseconds today to avoid getting computer problems,
> we still have several hundred years of time to decide how to deal
> with any long term effects.

Two other points to add to earlier replies:

1) If UTC is preserved similar to its current definition (but perhaps
with changes to leap second scheduling and notification
infrastructure, for instance), we can indeed later decide to cease
issuing leap seconds at any point. It ain't so easy to put Humpty
back together again, though. If our grandchildren were to decide to
reintroduce mean solar time seventy five years from now, the only
option would be to issue an awkward correction of - say - 113
seconds. Try explaining that one to the public.

We can take as long as we want - now - before making a major change
to civil timekeeping. Such a change should be regarded as irreversible.

2) How do we know that only astronomers will be affected? Am baffled
at the resistance to the suggestion that a risk analysis be undertaken.

A risk scenario: Concerns are raised about possible disruptions leap
seconds may cause every few years to navigation by air and sea. Leap
seconds are halted. Civil time as used by the aviators and mariners
(call it NT for "Navigation Time") begins to diverge from UT.

First risk - do all airlines and shipping lines automatically hew to
NT for all purposes? Or will UT time signals persist for some some
subsystems of some planes and ships from some countries under some
circumstances? A lack of imagination of how this might occur is no
protection - only an inventory similar to, but perhaps even more
invasive than, Y2K will suffice.

Second risk - a later change to fundamental assumptions made during
the design of a complicated system often reveals contingent errors in
components that depend on those assumptions. We have the issue of
DUT1 exceeding 0.9s, of course, but other algorithmic assumptions may
have been made. For instance, use of UTC for calculating intervals
requires a table of leap seconds. We're given to understand that
this is subject to error. Those errors are as likely to be revealed
by the absence of leap seconds as by their continued presence.
Simply introducing interval time doesn't guarantee that interval
calculations are bug free.

Third risk - UT or GMT permit the use of simple closed form
algorithms for converting between local and standard, mean and
apparent time (for example). This is precisely the area of
remediation that will cause astronomers to incur significant costs -
we would have to add DUT1 corrections to our many assorted systems.
Navigation applications face similar remediation - even if only for
backup systems in the case of a GPS outage. Will all airlines, all
shipping companies, all air and seaports, all national and
international air and sea traffic control systems, all communications
channels carry out this remediation - and carry it out perfectly?
Won't the DUT1 term be added in some instances where it should have
been subtracted? Such an error might only be revealed years later
when DUT1 passes some threshold. The phrase "ticking time bomb"
comes to mind.

Fourth risk - sabotage, or simply stale data structures. NT will
often need to be corrected using DUT1. Values for DUT1 change and
must be maintained in some tabular data structure. That table must
be loaded with some cadence using some strategy - perhaps the values
are downloaded when needed from the internet - perhaps they are
preloaded into firmware. In either case, the values may be incorrect
due to either intentional or unintentional mischief. The behavior of
two otherwise similar systems may diverge simply because their data
structures or strategies for updating these differ.

Ignore all of the many other misadventures that could result from
clock errors - do I really need to spell out the possibility of
midair or sea collisions from any of these risks? A primary, well
tested, system goes out for some obscure radio beacon, for instance.
The secondary system has a bug whose genesis is risk 1, 2, 3 or 4. A
plane from one airline uses that beacon - another airline's aircraft
is flying a parallel track in the opposite direction (as I am assured
they do to high precision) but is guided by a different navigation
system without the same bug. Their intended paths never cross, their
actual paths do. Or an oil tanker runs aground, or an owner piloted
sailboat misses landfall in the middle of the Pacific, or...

High precision systems - systematically inaccurate.

Even the most well-conceived and carefully planned incremental change
to civil timekeeping might require a deployment schedule allowing for
very lengthy stages of remediation and testing. But in this case a
dramatic change is proposed to the core philosophy of timekeeping -
we would be moving from a phenomenologically coherent situation (mean
solar time kept up to date via small corrections) - to an even
interval time scale in which any conversion to Earth orientation
would have to be introduced explicitly.

Leap seconds are asserted to be a risk. Does their lack present
fewer risks? Prove it.

Rob Seaman
Received on Wed Jan 25 2006 - 09:52:18 PST

This archive was generated by hypermail 2.3.0 : Sat Sep 04 2010 - 09:44:55 PDT