Difference between revisions of "Fail-safe"

From Marspedia
Jump to: navigation, search
(cat+)
 
(13 intermediate revisions by 9 users not shown)
Line 1: Line 1:
Due to the hostile [[environmental conditions]] on [[Mars]], human visitors to the planet would have to rely heavily on artificial environments in order to survive.  Their [[habitat]]s' [[life support]] equipment must therefore run 100% reliably. This article describes the principles of '''fail-safe''' engineering.
+
Due to the hostile [[environmental conditions]] on [[Mars]], human visitors to the planet would have to rely entirely on artificial environments in order to survive.  Their [[habitat]]s' [[life support]] equipment must therefore run 100% reliably. This article describes the principles of '''fail-safe''' engineering.
  
The basic premise of fail-safe behaviour is to ensure that if a system or subsystem fails, it should do so in a "safe" manner; that is, no single failure should be able to place those who use or maintain it in danger.
+
The basic premise of fail-safe behavior is to ensure that if a system or subsystem fails, it should do so in a "safe" manner; that is, no single failure should be able to place those who use or maintain it in danger. Even if parts of the system fail, the system as a whole must continue working. A full breakdown of a vital system would be catastrophic for the colony and can mean a complete [[failure of the colony]]. In this case all settlers would die.  Fail-safe design must avoid [[w:Single_point_of_failure|single points of failure]].
  
The following systems are considered:
+
However, even in the case of a complete system wide failure of the settlement, there may be ways of rescuing the settlers, if the transportation system is adequate or if more than one settlement is built.
* Life support systems ([[oxygen]], [[temperature]])
 
* Production and [[food preservation|storage]] of [[food]]
 
* Production, distribution and storage of [[energy]]
 
* Telecommunication network
 
* [[building]]s
 
  
 +
==Systems to be considered==
 +
 +
*Life support systems ([[oxygen]], [[temperature]])
 +
*Production and [[food preservation|storage]] of [[food]]
 +
*Production, distribution and storage of [[energy]]
 +
*Telecommunication network
 +
*[[building]]s structure
  
 
==Redundancy==  
 
==Redundancy==  
Every system is built twice or more, where each can work independent from the other. The capacity of each system is big enough to support the full service in case of failure of one system. In normal operation both systems are running in parallel with half load. This principle provides the best reliability for the whole function.  
+
Every system is built twice or more, where each can work independent from the other. The capacity of each system is high enough to support the full service in case of failure of one system
 +
 
 +
In another example the number and size of [[solar panel]]s could be at least twice as large as actually needed for vital system operation. In normal operation mode the surplus energy generated could be used for additional production with energy storage systems.
 +
 
 +
Redundancy requirements can be reduced using modular systems. For example, rather than doubling the number of solar panels, we can design the system so that redundancy is at the component level.  In an extreme case, where each solar panel has redundant connections, a single extra solar panel would provide the required redundancy (n+1).
  
<strong>Example:</strong> The number and size of [[solar panel]]s is at least twice as big as actually needed for vital system operation. In normal operation mode the surplus energy can be used for additional convenience.  
+
If losing solar power is a possibility, for example during a dust storm, the redundancy at a system level would require a separate power source, such as nuclear reactors, or stored power in various forms.  
  
 
==Interconnectivity==
 
==Interconnectivity==
Services must be available, also in case of local failure. Therefore, the service providing systems are interconnected.
+
Services must also be available in the case of local failure. Therefore, the service providing systems should be interconnected.
  
<strong>Example:</strong> If system A and system B have their own air supply system then people in building A can get air from building B in case of a failure in the air supply system of their own building.
+
<strong>Example:</strong> If habitat A and habitat B have their own air supply system, then people in building A can get air from building B in case of a failure in the air supply system of their own building.  To be able to provide this, the air systems of A and B must be significantly overbuilt.
  
 
==Grid instead of chain==  
 
==Grid instead of chain==  
The whole system must be available independent from the failure location, even in catastrophic situations. The interconnection must allow normal functioning of the whole system even if one system part is completely destroyed. For the connection of more than two systems a grid is better than a chain.
+
Fow power systems, the whole system must be available independent from the failure location, even in catastrophic situations. The interconnection must allow normal functioning of the whole system even if one system part is completely destroyed. For the connection of more than two systems a grid is better than a chain.
  
 
[[Image:mesh.gif]]
 
[[Image:mesh.gif]]
Line 32: Line 38:
 
<strong>Example:</strong> The [[Internet]] is (partially) constructed in a grid architecture. Despite the fact that it is the most complex artificial thing men have ever constructed it has never failed as a whole.
 
<strong>Example:</strong> The [[Internet]] is (partially) constructed in a grid architecture. Despite the fact that it is the most complex artificial thing men have ever constructed it has never failed as a whole.
  
==Backup systems==  
+
==Standby systems (back-up)==  
 
A standby system is automatically powered up, or can be manually brought into operation shortly. Advantage: The system is not subject to full maintenance effort during standby mode. Risk: If not checked in regular intervals the backup system may not be able to work if needed.  
 
A standby system is automatically powered up, or can be manually brought into operation shortly. Advantage: The system is not subject to full maintenance effort during standby mode. Risk: If not checked in regular intervals the backup system may not be able to work if needed.  
  
 +
A typical application is diesel generators in standby mode, that are activated if grid power fails.  However, the switch between the generator set and the grid may be the failing component  Therefore a second diesel generator, with a second switch, may be added for full redundancy. 
  
[[category:concepts]]
+
[[category:Health and Safety]]
[[category:technology]]
 
[[category:safety]]
 

Latest revision as of 08:15, 24 October 2022

Due to the hostile environmental conditions on Mars, human visitors to the planet would have to rely entirely on artificial environments in order to survive. Their habitats' life support equipment must therefore run 100% reliably. This article describes the principles of fail-safe engineering.

The basic premise of fail-safe behavior is to ensure that if a system or subsystem fails, it should do so in a "safe" manner; that is, no single failure should be able to place those who use or maintain it in danger. Even if parts of the system fail, the system as a whole must continue working. A full breakdown of a vital system would be catastrophic for the colony and can mean a complete failure of the colony. In this case all settlers would die. Fail-safe design must avoid single points of failure.

However, even in the case of a complete system wide failure of the settlement, there may be ways of rescuing the settlers, if the transportation system is adequate or if more than one settlement is built.

Systems to be considered

Redundancy

Every system is built twice or more, where each can work independent from the other. The capacity of each system is high enough to support the full service in case of failure of one system.

In another example the number and size of solar panels could be at least twice as large as actually needed for vital system operation. In normal operation mode the surplus energy generated could be used for additional production with energy storage systems.

Redundancy requirements can be reduced using modular systems. For example, rather than doubling the number of solar panels, we can design the system so that redundancy is at the component level. In an extreme case, where each solar panel has redundant connections, a single extra solar panel would provide the required redundancy (n+1).

If losing solar power is a possibility, for example during a dust storm, the redundancy at a system level would require a separate power source, such as nuclear reactors, or stored power in various forms.

Interconnectivity

Services must also be available in the case of local failure. Therefore, the service providing systems should be interconnected.

Example: If habitat A and habitat B have their own air supply system, then people in building A can get air from building B in case of a failure in the air supply system of their own building. To be able to provide this, the air systems of A and B must be significantly overbuilt.

Grid instead of chain

Fow power systems, the whole system must be available independent from the failure location, even in catastrophic situations. The interconnection must allow normal functioning of the whole system even if one system part is completely destroyed. For the connection of more than two systems a grid is better than a chain.

Mesh.gif

The chain architecture (bad) bears the risk of a complete cut-off for system parts. The grid architecture (good) ensures a continuous interconnection of the remaining systems.

This applies for buildings, as well. In the case of chain architecture, a drop in air pressure in building Y separates the people in X and Z.

Example: The Internet is (partially) constructed in a grid architecture. Despite the fact that it is the most complex artificial thing men have ever constructed it has never failed as a whole.

Standby systems (back-up)

A standby system is automatically powered up, or can be manually brought into operation shortly. Advantage: The system is not subject to full maintenance effort during standby mode. Risk: If not checked in regular intervals the backup system may not be able to work if needed.

A typical application is diesel generators in standby mode, that are activated if grid power fails. However, the switch between the generator set and the grid may be the failing component Therefore a second diesel generator, with a second switch, may be added for full redundancy.