Editor’s note: To complement Bill Schweber’s blog Beware the unintended consequences of more-efficient design, author Aubrey Kagan has submitted his blog which was previously posted on EETimes Microcontroller Central.
In South Africa the fire protection sprinkler system has a different model to the one used in North America. When the sprinkler system is activated, a pump must start up to keep the water network pressurized. When the Fire Department arrives at a fire the first thing they do is to shut off the mains to the building, so there must always be a diesel engine. This is dictated by the regulations set up by some umbrella organization established by the insurance industry. An electric motor is permissible, but not necessary.
The philosophy of protection consisted of attempting to start the diesel engine, and keep it running at all costs when a was detected. The diesel engine had two batteries and the start process was to crank using one battery for a period. If the engine did not start there would be a short delay and then an attempt would be made to crank using the other battery with the same delays. If the engine was not running the crank sequence would be repeated so there were 3 attempts on each battery. Six failed crank attempts would generate an alarm. If the engine started up, but then failed, the whole process would be repeated. With an electric motor driving a second pump, keeping the system pressurized was a lot more elegant than having the diesel start up all the time as the pressure decayed.
The whole system was activated by a drop in pressure of one or more water pressure sensors in the water line. The sprinkler heads in South Africa work differently to those demonstrated on Hollywood cinema screens. Each head consists of a valve held shut by a glass bulb. In the glass bulb is a liquid that expands significantly when heated and that breaks the bulb allowing the water to start flowing. This means that for a small heat source, only one sprinkler may be activated.
When we started designing this product, the industry worked around relay logic for the controllers. We decided that a micro would be the better way to go, provided we managed to pass the safety tests. This was the start of my interest in watchdog timers and other techniques for robust operation of a microcontroller-based system. I designed a single board built around the 8748 family which included three lead-acid battery chargers (the third for the system standby battery), a fairly large LED driver matrix for about 20 LEDs, relays and drivers to crank the motor and drive klaxons, and input circuitry for engine RPM and water pressure. Later we changed to an 8051 with an on-board LED matrix display to reduce the wiring.
The original design in its panel. There was quite a bit of wiring associated with the front panel LEDs.
The panel connected to the diesel engine. The visible silver shaft on the engine would be coupled to the water pump on site. Despite the fact that this particular unit was installed in an oil refinery, note the attached fuel tank.
The revised design with the LEDs on the PCB. In this approach the whole controller was mounted on the door of the panel. Note the dual LEDs for redundancy.
The product proved remarkably successful since it was being included as part of a package offered by the pump and piping manufacturer. In one installation the water supply was drawn from a Braithwaite tank (a water tank built from panels and then waterproofed with bitumen). It used a large Caterpillar engine with some instrumentation (oil pressure, water temperature etc.) mounted directly on the engine block. There was no additional electric motor driven pump.
As far as we know the sprinkler system had a small leak, but in any event the pressure dropped and the diesel sprang into action. Unfortunately, some bitumen was sucked into the water outlet from the tank and the water supply was blocked. The design was such that the water was circulated through the engine (as cooling) before being pumped into the sprinkler pipes. I am sure you feel the tingle of impending doom! With no water pressure the diesel started up and then after a short while would overheat and shut down (of its own accord). Once stopped, our system cranked it again and it started up again, getting ever hotter until the engine seized completely. The gauges on the block literally melted, resembling Salvador Dali’s painting “The Persistence of Memory”. All of this of course was forensically determined, but while it was being assessed we were terrified as to where the responsibility lay.
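The crank logic described earlier and the failure described above can be put side by side in a small simulation. This is an added example, not the original controller firmware: the engine model, the heat figures and the `max_restarts` budget are assumptions made for illustration. It shows that an alarm keyed only to six failed cranks stays silent while the engine keeps starting and stopping, and fires only once the engine has seized.

```c
#include <stdbool.h>
#include <stdio.h>

#define ATTEMPTS_PER_BATTERY 3             /* article: 3 attempts on each battery */
#define MAX_CRANKS (2 * ATTEMPTS_PER_BATTERY)

/* Constructed engine model: the temperature units and thresholds are invented. */
typedef struct { int temp; int cranks; bool seized; } engine;
enum { HEAT_PER_RUN = 15, SEIZE_TEMP = 100 };

/* One crank attempt on the given battery; a seized engine never starts. */
static bool crank(engine *e, int battery) {
    (void)battery;
    e->cranks++;
    return !e->seized;
}

/* Alternate the two batteries until the engine starts or six cranks fail. */
static bool crank_sequence(engine *e) {
    for (int i = 0; i < MAX_CRANKS; i++)
        if (crank(e, i % 2))
            return true;
    return false;
}

/* Blocked supply: every run adds heat, then the engine shuts itself down. */
static void run_without_coolant(engine *e) {
    e->temp += HEAT_PER_RUN;
    if (e->temp >= SEIZE_TEMP)
        e->seized = true;
}

/* Any stop repeats the whole process, as in the article. max_restarts < 0 is
 * that unlimited behaviour; >= 0 is a hypothetical budget that raises the
 * alarm early. Returns the number of engine starts before the alarm. */
int starts_before_alarm(engine *e, int max_restarts) {
    int starts = 0;
    for (;;) {
        if (max_restarts >= 0 && starts > max_restarts)
            return starts;                 /* budget spent: alarm, stop cranking */
        if (!crank_sequence(e))
            return starts;                 /* six failed cranks: alarm */
        starts++;
        run_without_coolant(e);
    }
}

int main(void) {
    engine a = {0, 0, false}, b = {0, 0, false};
    int na = starts_before_alarm(&a, -1), nb = starts_before_alarm(&b, 2);
    printf("unlimited: %d starts, seized=%d\n", na, a.seized);
    printf("budget 2:  %d starts, seized=%d\n", nb, b.seized);
    return 0;
}
```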
Have you ever been visited by the Law of Unintended Consequences?