undefined | Better HN

0 pointscoder5433y ago0 comments

Defense in depth? With this safety feature inoperable, the margin of safety is reduced.

Other systems that might normally provide safety critical redundancy could be providing the sole measure of safety, with no other redundancy available in case one of those fails.

“Unsafe” is always defined based on context.

0 comments

throwaway0a5e3y ago

What's the point of having redundancy if you can't use it to avoid an impact to service?

Edit: and to be clear, we're not talking about holding down a resetable circuit breaker to avoid being late, we're talking about the rail network of an entire nation being inoperable for a day.

coder543OP3y ago

The point is to still have it when you didn’t know you needed it. That’s the purpose of all redundant safety systems. The redundancy isn’t there to keep the service operating; it’s to keep people from dying.

You can never know if the primary safety system is functioning perfectly, so you need other systems to be there to step in when the primary fails unexpectedly.

If you detect the primary system has failed, isn’t it reasonable that you should stop operation as quickly and safely as possible, and be thankful nothing bad happened while you lacked redundancy? Any SPoF could be fatal for hundreds of people.

throwaway0a5e3y ago

I'm not going to write the wall of text that's required to properly describe the situation but that's just not how these systems work. Industrial automation has all sorts of feedback loops so they people operating it know if they can trust it. The people using it are pretty much always trained in how to run the various systems manually so that an errant sensor doesn't turn into a clogged up rail line or waste whatever is in your process equipment that happens to be mid-cycle.

This isn't some consumer appliance where you have to stupid proof every inch of it. These systems are bespoke and their architecture is mostly a matter of business decisions and not at all a matter of the internet peanut gallery trying to figure out how safe they can make it.

1 more reply

throwawayboise3y ago

A passenger aircraft can still fly with a failed engine, but it must land at the nearest suitable airport. Because at that point, another failure could not be accomodated. This sort of redundancy is about preventing disaster, not about avoiding service disruptions or keeping to a schedule.

j / k navigate · click thread line to collapse

0 comments

throwaway0a5e3y ago

What's the point of having redundancy if you can't use it to avoid an impact to service?

Edit: and to be clear, we're not talking about holding down a resetable circuit breaker to avoid being late, we're talking about the rail network of an entire nation being inoperable for a day.

coder543OP3y ago

You can never know if the primary safety system is functioning perfectly, so you need other systems to be there to step in when the primary fails unexpectedly.

throwaway0a5e3y ago

1 more reply

throwawayboise3y ago

j / k navigate · click thread line to collapse