Jeff Rodbard is an old-school engineer. The kind of person who likes nothing better than to disappear into his workshop with a defunct hairdrier motor, a couple of bits of scrap metal and the innards of a toaster, only to reappear a few hours later clutching an ingenious contraption and bearing a victorious smile.

You can't help but feel that it was probably from just such a scenario that his mind turned to buildings and power security - or rather the lack of it. Rodbard's contention is that many offices are very vulnerable and should one small part of the power supply go down "the building falls over". Faced with such a tantalising dilemma his solution was to turn to his old stomping ground, aeronautical development at Hawker Siddeley.

Aircraft systems work on the triplex principle; triplicated circuitry that produces a two-out-of-three priority system such that no one failed component can adversely effect the operation of the aircraft. In simple terms, if one circuit fails, or tells the aircraft to do something different from the other two circuits, then the aircraft ignores it.

Rodbard set up his own company, Triplex Power Control (TPC), to devise similar solutions for buildings. He came up with his proprietary TPC control circuit, a system based on conventional hard-wired relays, timers and phase failure relays, but triplicated and powered by three separate dc supplies.

Rodbard had been in discussions with Ove Arup for some time when he discovered that Chase Manhattan was unhappy about its own power security provision in its London Wall offices. Chase called in the consultants to come up with a solution, and Ove Arup pro-posed Rodbard's idea. The client bought the solution, and in so doing became the first major client to apply triple-redundancy principles to a building's control circuitry.

"Financial institutions are a classic case," says Rodbard. "For them the consequences of any power loss are immense, having to shut down the power at somewhere like Chase Manhattan is going to cost them at least £4 million. All they are interested in is keeping computers up and running."

As you would expect, the offices at 125 London Wall had a full uninterruptible power supply, with around 20 minutes of battery power and standby generators ready to kick in if necessary. Despite this convention, Rodbard believes that the approach has intrinsic problems.

"Should the changeover circuit fail in any way, generator power cannot be used, however many generators are installed," he says. "And where one generator of a pair or more fails when in use, some predetermined amount of load must be shed quickly. Any problem can cause loss of the remaining generator power through overload."

While on the face of it engineers have 20 minutes to locate the fault, Rodbard says that the actual window is much shorter. At Chase Manhattan it takes a full 15 minutes to complete a shutdown of the computer systems, that means the engineers must decide after just five minutes whether to close down or try and fix the problem.

The offices have an available supply provided by one 2-5 MVA and two 2-35 MVA generators, all located at high level and connected to the five rising busbars each rated at 3000 A. Normal mains supply is fed into the lower end of the busbars and the top and bottom switches are electrically interlocked.

The new system was initially installed without connection to the main switchboards, the old wiring left in place. "Chase Manhattan wanted to minimise downtime," recalls Rodbard, "They were very clear about that." The TPC fault diagnosis system monitors each of the three circuits at various points, looking for any differences that may be present at one point compared with two similar points on the other circuits. It also checks the control circuit supplies.