[ppml] EPO
Robert Bonomi
bonomi at mail.r-bonomi.com
Wed Jul 25 21:44:15 EDT 2007
> From owner-nanog at merit.edu Wed Jul 25 15:53:45 2007
> Date: Wed, 25 Jul 2007 12:10:11 -0700
> To: nanog at merit.edu
>
>
> Leo Bicknell wrote:
> > I was complaining to some of the power designers during the building
> > of a major facility that the EPO button represented a single point
> > of failure, and effectively made all of the redundancy built into
> > the power system useless. After all, what's the point of having
> > two (or more) of anything, if there's one button somewhere that
> > turns it all off?
>
It seems to me -- without digging into 'code' compliance requirements -- that
one could profit from some of the 'positive control' designs used in
missile silos, nuclear submarines, and the like.
Where, to trigger the function, *two* 'buttons' must be pushed. And the
buttons are located such that a single person cannot reach both simultaneously.
Requiring '2 of 2' buttons to trigger eliminates false positives, but
doubles the risk of 'false negatives' if a button malfunctions. This
issue can be ameliorated by providing 'more than 2' buttons, while requiring
only two buttons pushed to trigger. '2 of 3' will work properly unless there
is a _double_ failure -- intentional or accidental.
Particularly for a building-wide 'kill' switch, this would seem to be a
prudent design.
A passive design turns out to be fairly simple. Requirements, in minimal form,
are a DPDT switch in each box and a 3-wire daisy-chain interconnect.
Use 'ring' wiring, with both ends tied to the master control, and even a
break (single) in the wiring does not a failure make.
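The false-positive / false-negative trade-off the post describes for '2 of 2' versus '2 of 3' buttons is easy to check by enumeration. The model below is an added example, not code from the poster or from any real EPO controller: it assumes each button either works, fails stuck-open (never reports a press) or fails stuck-closed (always reports one), that the controller is a plain vote counter that fires when at least k of n buttons appear pressed, and it does not model the ring wiring at all. The function names (`analyze`, `presses_needed`, `trips`) are the example's own.

```python
from itertools import combinations, product

# Assumed fault model: a button is healthy (None) or fails one of two ways.
FAULTS = ("stuck_open", "stuck_closed")


def observed_press(fault, pressed):
    """What the vote counter sees from one button, given its fault state and
    whether a person is really pressing it."""
    if fault is None:
        return pressed
    if fault == "stuck_open":
        return False          # press is never reported
    if fault == "stuck_closed":
        return True           # press is always reported
    raise ValueError(fault)


def trips(k, faults, pressed):
    """k-of-n vote: the kill circuit fires when at least k buttons appear pressed."""
    seen = sum(observed_press(f, p) for f, p in zip(faults, pressed))
    return seen >= k


def fault_patterns(n, num_faulty):
    """Every way to assign a fault type to exactly num_faulty of the n buttons."""
    for idx in combinations(range(n), num_faulty):
        for kinds in product(FAULTS, repeat=num_faulty):
            faults = [None] * n
            for i, kind in zip(idx, kinds):
                faults[i] = kind
            yield tuple(faults)


def analyze(k, n, max_faulty):
    """For 0..max_faulty failed buttons, report whether SOME fault pattern
    yields a false negative (every button pressed, yet no trip) or a false
    positive (nobody pressing, yet a trip)."""
    result = {}
    for m in range(max_faulty + 1):
        false_neg = False
        false_pos = False
        for faults in fault_patterns(n, m):
            if not trips(k, faults, [True] * n):
                false_neg = True
            if trips(k, faults, [False] * n):
                false_pos = True
        result[m] = {"false_negative": false_neg, "false_positive": false_pos}
    return result


def presses_needed(k, faults):
    """How many healthy buttons one or more people must press to trip the
    circuit under a given fault pattern; None if it can no longer trip at all.
    A stuck-closed button silently lowers this, which is how a two-person
    control degrades into a one-person control."""
    stuck_closed = sum(1 for f in faults if f == "stuck_closed")
    healthy = sum(1 for f in faults if f is None)
    need = k - stuck_closed
    if need <= 0:
        return 0
    if need > healthy:
        return None
    return need


if __name__ == "__main__":
    # Single EPO button (1 of 1), the '2 of 2' scheme, and the '2 of 3' scheme.
    for k, n in ((1, 1), (2, 2), (2, 3)):
        print(f"{k} of {n}:")
        for m, r in analyze(k, n, 2).items():
            print(f"  {m} faulty button(s): "
                  f"false negative possible={r['false_negative']}, "
                  f"false positive possible={r['false_positive']}")
    print("2 of 3 with one button stuck closed needs",
          presses_needed(2, (None, "stuck_closed", None)), "press(es) to trip")
```

Running it shows what the post argues: '2 of 2' produces a possible false negative with a single stuck-open button, while '2 of 3' tolerates any single fault in either direction and only misbehaves on a double failure. The `presses_needed` check adds the caveat a practitioner would want: a single stuck-closed button in either scheme means one person can trip the building-wide kill, so the buttons need to be exercised and verified, not just installed.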