How does a two-man company ensure the power stays on at the international headquarters of one of the world's
largest banks? Tom Lloyd finds out.
A power cut at home is annoying. In a large data centre or bank, it can cost millions. For this reason, large
financial businesses incorporate control systems that switch critical supplies automatically to alternative sources.
However, a risk remains - the risk that a fault might occur in the control system itself. It may not respond
correctly when required, or, more commonly, it operates unnecessarily, interrupting the supply.
It doesn't matter how many uninterruptible power supplies and gensets are available, if they are not switched
into the building distribution correctly, they are next to useless.
HSBC's world headquarters, at Canary Wharf in London, is the first building of its kind equipped to avoid this
risk. A small company from the Isle of Wight - Triplex Power Control, owned by Jeff Rodbard and Roger Wortley -
did an essential part of the work. Triplex makes the power control equipment that manages the backup power
supply to the building, ensuring that, if there is a problem, the supply to all the critical equipment is maintained.
TOLERANCE
The usual answer to concerns about backup power supply is to add redundancy. If you increase the number of
gensets, or UPSs, then you should increase the reliability of the alternative power - purely because it is
unlikely that everything will go wrong at once. For Rodbard, though, the answer to reliability problems
lies not in increasing the amount of redundant equipment, but in "fault tolerance".
The problem with systems that attempt to improve reliability through redundancy, according to Rodbard, is
that there is always a weak point that could, potentially, bring the whole operation down. "All normal
systems have a single point of failure," he says.
Another problem with redundancy is that, with several intelligent systems in a building, there can be
confusion. For example, if you increase the number of programmable logic controllers so that two are doing
the same job, what happens if they disagree? A fault on a system could have any number of different sources,
but a PLC will always process the information it receives according to its program. If an unforeseen input
occurs, or if the program is written badly, the PLC can be misled.
"The most common reason for operational failure is incorrect information to a PLC," says Rodbard. As buildings
become more complex, and as the number of critical loads in any development increases, these problems are
becoming more significant, but they are not new.
SIMILAR PROBLEMS
In the 1960s, the aircraft industry had similar problems. Several companies developed automatic landing
systems, but they could not prove they were reliable enough to be used commercially. The reason was the
number of single points of failure. If the automatic landing system malfunctioned, the plane would crash and,
regardless of the amount of redundancy added, the Civil Aviation Authority would not accept the risk. An
alternative control method was needed, and the successful three-channel solution became known as a triplex
system. Triplex systems have been used in aircraft landing control systems ever since, and in
other applications.
Triplex Power Control was formed in 1998 to exploit triplex principles in power control for buildings. For
instance, rather than having one sensing circuit that detects when backup power is necessary, there are three,
each connected to a separate system.
The control outputs of the three systems feed into a voting unit at all the points they
are controlling. The voting units always accept a majority - if two circuits say one
thing, and the third disagrees, the voting unit concludes that the third is malfunctioning,
ignores it, and reports that there is a "mismatch" of signals.
If the system is designed properly, any fault that is likely to occur will affect only one circuit, and not
cause any problems - hence, "fault tolerance". "If you do it right you can avoid all single points of failure
in a control system," says Rodbard. Triplex has installed its equipment for clients such as JP Morgan Chase and
the Greater London Authority, but the HSBC contract was different for a number of reasons.
The most obvious is the scale of the project. The building is 43 storeys high and, when it is full, millions
of transactions will pass through it every day. The physical size of the building, and its importance,
complicated the job.
From a technical perspective, the installation is also different - it was the first time Triplex used PLCs
rather than relays. This made the commissioning easier, meant the panels could be smaller, and will also
make it easier to alter the system if necessary.
A pair of substations supply the building. They feed 14 1MW transformers that distribute the power around
it. Backup power comes from five 2.5MW Wartsila diesel gensets, and the usual complement of UPSs
bridge the gap between mains failure and the gensets coming on line.
The first line of defence against power failure is the two substations. They are on different networks, so it
is unlikely that both will fail at the same time. Normally the supply to critical loads is shared between two
transformers connected to different supplies - if one fails, the other automatically takes on
the extra critical loads.
If for some reason both mains supplies fail at once, or a board or automatic transfer switch fed from a single
transformer loses its supply, the gensets come on line. There are two pairs, with the fifth set as a spare. If one
of the gensets fails, the fifth one takes its place.
If there are any further problems, the load has to be reduced. There isn't enough backup power to meet
the maximum demand of the whole building, but more than enough to keep the most important systems
running. Rodbard says there is always a limit to how reliable a system can be, but in this case HSBC
has gone to great lengths to make the supply as secure as possible. If the Triplex system detects a
problem, it automatically alters the way power is distributed so it goes to the key loads, and brings any
necessary backup online.
There are three such systems, each feeding back to a central board with a PLC. The circuits are kept separate,
and the main boards are on different floors, so if there is a physical problem in one area it
can only damage one circuit, and will not affect the entire system.
A fourth PLC monitors the other three. It records the operation of the system and notes
any disagreement between the other PLCs. If it detects one, it sends an alert to the maintenance staff
saying there may be a problem on one of the channels.
It also keeps the system running by unfreezing PLCs that have jammed waiting
for a response. When a PLC sends a command, it waits for a response before
continuing. If for some reason it doesn't receive that response, it will freeze. The fourth
PLC can see if the command has been obeyed by the other two, so for the next stage of
operations it will make the frozen PLC catch up with the other two. As a result, the system
overall will tolerate a series of faults.
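The voting and supervision described above are easy to misread, so here is a small simulation, added to this article as an illustration. It is not Triplex's code (the article shows none) and it assumes a made-up three-step failover sequence (open the mains breaker, start a genset, close the genset breaker) and a simplified acknowledgement model: a channel issues the command for its current step and will not advance until the field device acknowledges it. Three channels feed a 2-of-3 voter that reports any outvoted channel as a mismatch; a supervisor plays the part of the fourth PLC, logging mismatches and catching up a channel that froze because its acknowledgement was lost.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# Constructed failover sequence for the example; the real command set is not in the article.
FAILOVER_SEQUENCE = ("open_mains_breaker", "start_genset", "close_genset_breaker")
HOLD = "hold"  # "no action" output of a channel that senses healthy mains or has finished


@dataclass
class Channel:
    """One independent sensing-and-control lane. It issues the command at its current
    step and does not advance until the field device acknowledges that command."""
    name: str
    step: int = 0
    awaiting_ack: bool = False

    def command(self, mains_failed: bool) -> str:
        if not mains_failed or self.step >= len(FAILOVER_SEQUENCE):
            self.awaiting_ack = False
            return HOLD
        self.awaiting_ack = True
        return FAILOVER_SEQUENCE[self.step]

    def acknowledge(self) -> None:
        """Field device confirmed the command: move to the next step."""
        self.step += 1
        self.awaiting_ack = False


@dataclass
class Vote:
    output: Optional[str]        # majority command, or None if no 2-of-3 agreement
    outvoted: Tuple[int, ...]    # indices of channels that disagreed with the majority


def vote(commands: Sequence[str]) -> Vote:
    """Strict majority vote. With three channels this is 2-of-3; if all three
    disagree the voter refuses to act rather than guess."""
    winner, n = Counter(commands).most_common(1)[0]
    if 2 * n <= len(commands):
        return Vote(None, tuple(range(len(commands))))
    return Vote(winner, tuple(i for i, c in enumerate(commands) if c != winner))


@dataclass
class Supervisor:
    """The fourth PLC: records mismatches and re-synchronises a channel that is frozen
    waiting for an acknowledgement the other two channels already received."""
    alerts: List[str] = field(default_factory=list)

    def resync(self, channels: Sequence[Channel]) -> None:
        majority_step, n = Counter(c.step for c in channels).most_common(1)[0]
        if 2 * n <= len(channels):      # no agreed position to catch up to
            return
        for c in channels:
            if c.awaiting_ack and c.step < majority_step:
                self.alerts.append(f"{c.name} frozen at step {c.step}; catching up to {majority_step}")
                c.step = majority_step
                c.awaiting_ack = False


def run_cycle(channels: Sequence[Channel], supervisor: Supervisor,
              sensed: Sequence[bool], lost_acks: Sequence[int] = ()) -> Optional[str]:
    """One control scan. `sensed[i]` is what channel i's own sensing circuit reports;
    `lost_acks` lists channels whose acknowledgement for this cycle never arrives."""
    commands = [c.command(s) for c, s in zip(channels, sensed)]
    result = vote(commands)
    if result.outvoted:
        supervisor.alerts.append(
            f"mismatch: {[channels[i].name for i in result.outvoted]} disagreed")
    if result.output is not None and result.output != HOLD:
        # The field device acts on the voted command and acknowledges each channel
        # that issued it, except where that acknowledgement is lost.
        for i, c in enumerate(channels):
            if commands[i] == result.output and i not in lost_acks:
                c.acknowledge()
    supervisor.resync(channels)
    return result.output


def demo():
    channels = [Channel("A"), Channel("B"), Channel("C")]
    sup = Supervisor()
    # Cycle 1: only channel C's sensor reports a fault. It is outvoted; nothing switches.
    outputs = [run_cycle(channels, sup, sensed=(False, False, True))]
    # Cycles 2-4: genuine mains failure. Channel B's acknowledgement is lost in cycle 2,
    # so it freezes at step 0 and the supervisor catches it up.
    outputs.append(run_cycle(channels, sup, sensed=(True, True, True), lost_acks=(1,)))
    outputs.append(run_cycle(channels, sup, sensed=(True, True, True)))
    outputs.append(run_cycle(channels, sup, sensed=(True, True, True)))
    return outputs, [c.step for c in channels], sup.alerts


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Two points the simulation makes that the prose only implies: a single spurious sensor cannot cause an unnecessary switch, because the voter's output stays at "hold" and the event is merely logged; and a frozen channel is brought back into step without the other two waiting for it, so the sequence completes on schedule. In the real installation the voting units are replicated at every controlled point rather than being one shared function as here, and the supervisor monitors and re-synchronises but never issues commands itself.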
COUNTING THE COST
The theory behind Triplex is sound, but increased reliability usually comes at a price.
Installing everything three times does increase the price of the job, although Wortley's careful
design has kept costs down.
Rodbard says the declining cost of PLCs has also made Triplex cheaper, and that for a
large contract, such as HSBC, the cost of Triplex is "a tiny fraction" of the overall
contracting costs. He also points out that for HSBC it is well worth paying for extra
security: "It's peanuts compared to what they would lose if it went wrong," he says.
As the electrical systems in buildings become more elaborate, there will be an
increasing demand for more complex control systems. Some of the devices that Triplex
Power Control is using, many of which have been borrowed from industrial control
systems, could have a bright future in buildings - so long as the lights stay on at
HSBC.