[FAIL-SAFE] Technical discussion about fail-safe modes; HVAC
In article <01bd7e93$7c1cdac0$3b0470c3@ecom>, "dru" <dry-kerry@NOSPAMbucksnet.co.uk> wrote:
> To a degree, most embedded systems can be divided into control
> systems or data gathering/monitoring systems. Few data
> gathering/monitoring systems impact operationally on plant and
> equipment (yes, a simplistic generalisation fraught with hazard but
> you have to start somewhere) so let me concentrate on controls.
Controls are a good place to start focussing on, but remember that data gathering/monitoring systems usually feed back into control systems. Hence the example of the power plant glitch when a data logger fed false information into an integrator and shut down a thermal device.
> All control systems break down, with or without Y2K. So all control
> systems have a fail safe method of operation. In a factory or
> process engineering environment, this fail safe is STOP. Plant and
> equipment winds down in a controlled manner, or by crashing
> instantaneously to an abrupt halt where "e-stops" (emergency stop)
> are in operation. There is an obvious potential for progressive or
> fail-creep and this sort of ripple effect is far more likely if the
> failure is factory-wide and more-or-less instantaneous (albeit random
> and affecting perhaps only a percentage of the embedded systems) as
> with Y2K.
Yes, you are probably right that most Y2K glitches will force a "Stop" or "Fail-Safe" condition. Most, but not all.
However, the problem immediately shifts--and this is the killer--to "Now what?"
After all, when the machines hit "Stop" or "Fail-Safe," they'll remain that way until the software fixes or workarounds are made. (Actually, I suppose the machines could be started, then glitched, then started, then glitched, unendingly. Most of the recognized Y2K problems are not centered on the particular instant "12 midnight, 1/1/2000," but are related to subtracting one date from another and suchlike. And those problems will of course persist.)
> How can it be more benign in buildings?
I don't think most people think the Y2K problem will be terribly serious in buildings. The concern is more for factories and distribution systems, financial systems, etc., with dozens or thousands of interacting parts.
(Though I wouldn't want to have to walk up and down stairs in a 20-floor building, or breathe unrecirculated air, and so on. But, as you say, many of these systems will have workarounds. On the other hand, fixing tens of thousands of elevators and building air units will take time...expect a lot of buildings to be temporarily disabled for days or weeks after 1/1/2000. This alone could cause financial troubles in many urban centers.)
> First and foremost, in fail safe operation the essential services
> remain operational at all costs (the heart of the matter, but bear
> with me). Non-essential services fail-safe differently. A building
> is unlikely to immediately endanger lives or associated equipment
> when a given piece of equipment fails. So much of the fail safe
> operation is "keep running". The equipment that fails safe with
> STOP, does within a design that keeps the building running - albeit
> in a sort of stand by mode. Holistically the building goes into "at
> ease". Not particularly comfortable, nor particularly efficient,
> but still operational. Lifts will "work to rule" so you wait longer.
> Thermostatic feedback to HVAC (heating ventilation and air
> conditioning) fails so you can get hot(ter) or cold(er) depending on
> external ambient conditions. But ventilation continues.
I'll trust your expertise on how modern buildings work more than my own non-expertise. But it might be useful to think about how designers _may_ (I am speculating) have used the computer and microcontroller capabilities to add extra functionality such that their buildings _are_ knocked out for much longer times. For example, I would not at all be surprised if some modern engineering marvel in LA or NYC is in fact made unusable for weeks or even months.
> These conditions will certainly stress out the building's facilities
> management, but we simply set the equipment running parameters
> manually. Sounds simplistic and understated? Yep. But one way or
> another I think most buildings could be made tenantable a little
> quicker than the dissolution of society - if all we had to concern
> ourselves with was keeping plant going that was previously
> operational.
You are probably generally right about this. I don't think the "doors won't open and so everybody is going to starve" version of the Y2K Scare was ever all that plausible anyway.
Much more probable concerns are that parts of the electric grid will be out, and for longer than the building's emergency generators have fuel for and can keep running.
> I have been ruminating on generic worst case scenarios from a(n)
> holistic building systems perspective but some themes first. (These
> are off-the-cuff descriptions not text book theory.)
(Much detailed stuff elided)
> Any comments on the above?
Very impressive.
One of your points, that many systems will "fail safe" or "stop" is a point that will likely be heard in other industries, too. However, as I think I adequately made the case for, this will be of little use in restarting things.
Like others, I expect the weeks or months after 1/1/2000 to be a time of great panic and emergency fixes. The number of qualified technicians, programmers, and engineers will be too small to fix in a few days or weeks what had not gotten fixed in the years leading up to 1/1/2000.
(Though many of the post-1/1/2000 fixes will be frantic workarounds, defeatings of safety mechanisms, and manual operation where feasible.)
Restarting all of the safely stopped equipment will not be easy. And especially not easy in a matter of a few days.
--Tim May
--
Just Say No to "Big Brother Inside"
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^3,021,377   | black markets, collapse of governments.
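Added illustration, not code from either poster: a toy controller interlock that measures the interval between two stored timestamps with two-digit years, the "subtracting one date from another" failure Tim May describes, alongside a pivot-year fix. The dates, the 30-day threshold and the restart loop are constructed assumptions, not taken from any real building or plant controller.

```python
from datetime import date

STOP, RUN = "STOP", "RUN"


def elapsed_days_2digit(prev_yy, prev_md, now_yy, now_md):
    """Legacy arithmetic: the year is stored as two digits and the
    century is silently assumed to be 1900 (constructed example)."""
    prev = date(1900 + prev_yy, *prev_md)
    now = date(1900 + now_yy, *now_md)
    return (now - prev).days


def elapsed_days_pivot(prev_yy, prev_md, now_yy, now_md, pivot=70):
    """Windowed fix: two-digit years below the pivot are read as 20xx,
    the rest as 19xx. The pivot value is an assumption."""
    def century(yy):
        return 2000 + yy if yy < pivot else 1900 + yy
    prev = date(century(prev_yy), *prev_md)
    now = date(century(now_yy), *now_md)
    return (now - prev).days


def interlock(elapsed_days, max_interval=30):
    """Fail-safe rule: an interval that is negative (clock ran
    backwards) or overdue trips the equipment to STOP."""
    if elapsed_days < 0 or elapsed_days > max_interval:
        return STOP
    return RUN


def restart_cycle(elapsed_fn, prev, now, attempts=3):
    """Model the 'started, then glitched, then started' loop: every
    restart re-evaluates the same stored timestamps, so the returned
    state sequence shows whether a restart alone clears the fault."""
    return [interlock(elapsed_fn(*prev, *now)) for _ in range(attempts)]


if __name__ == "__main__":
    # Constructed timestamps: last check 20 Dec (19)99, now 3 Jan (20)00.
    prev, now = (99, (12, 20)), (0, (1, 3))
    print("two-digit years:", restart_cycle(elapsed_days_2digit, prev, now))
    print("pivot-year fix: ", restart_cycle(elapsed_days_pivot, prev, now))
```

With the legacy arithmetic the interval is a large negative number, so every restart trips STOP again; only the date logic fix changes the outcome.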
___
Subject: Re: Essential (embedded) systems and glitched buildings
Date: Wed, 13 May 1998 11:21:02 -0700
From: tcmay@got.net (Tim May)
Organization: Cypherpunks
Newsgroups: comp.software.year-2000
References: 1