[ppml] EPO

> From owner-nanog at merit.edu  Wed Jul 25 15:53:45 2007
> Date: Wed, 25 Jul 2007 12:10:11 -0700
> To: nanog at merit.edu
>
>
> Leo Bicknell wrote:
> > I was complaining to some of the power designers during the building
> > of a major facility that the EPO button represented a single point
> > of failure, and effectively made all of the redundancy built into
> > the power system useless.  After all, what's the point of having
> > two (or more) of anything, if there's one button somewhere that
> > turns it all off?
>

It seems to me -- without digging into 'code' compliance reqirements -- that
one could profit from some of the 'positive control' designs used in 
missle silos, nuclear submarines, and the like.

Where, to trigger the function, *two* 'buttons' must be pushed.  And the
buttons are located such that a single person cannot reach both simultaneously.

Requiring '2 of 2' buttons to trigger eliminates false positives, but 
doubles the risk of 'false negatives' if a button malfunctions.  This
issue can be ameliorated by providing 'more than 2' buttons, while requiring
only two buttons pushed to trigger.  '2 of 3' will work properly unless there 
is a _double_ failure -- intentional or accidental.

Particularly for a building-wide 'kill' switch, this would seem to be a
prudent design.

A passive design turns out to be fairly simple. Requirements, in minimal form
is a DPDT swith in each  box, and 3-wire daisy-chain interconnect.
Use 'ring' wiring, with both ends tied to the master control, and even a
break (single) in the wiring does not a failure make.