Maybe folks will start to realize that an EDG (Emergency Diesel Generator) without critical support systems is useless.
I was just reading about the Fukushima accident, and how most of the EDG's failed because they were water-cooled, and while the EDG's were located out of harms way, the pumps for providing cooling water were located on low ground and were damaged by the tsunami. http://fukushima.ans.org/report/accident-analysis
Yesterday I saw a story about the Datagram data center in NYC having to shut down. From their reports about the damage (http://www.datagram.com):
"As of 5pm on October 29, 2012, Datagram had thoroughly tested its emergency systems at 33 Whitehall, NYC fully staffed and awaiting the storm to hit Manhattan's shores. Once ConEd lost power to Lower Manhattan, Datagram's emergency systems kicked on maintaining power to Datagram's datacenter. Unfortunately, within a couple hours of the storm hitting Manhattan's shores, the building's entire basement, which houses the building's fuel tank pumps and sump pumps, was completely filled with water and a few feet into the lobby. Due to electrical systems being underwater the building was forced to shut down to avoid fire and permanent damage."
It's pretty obvious that, despite all the disaster planning done in the past, Datagram (and TEPCO, and others) have really neglected to appreciate the potential modes of failure for their backup power systems. In both cases, they misunderstood the threat to critical backup power infrastructure. If your EDG is on the roof but the fuel pumps and electrical switchgear is in the basement, what will happen during a flood? If your EDG's are on high ground but the pumps to cool them are not, what happens during a tsunami?
Unfortunately, physics dictates this setup. To get to a top floor generator (which is generally necessary for ventilation), you have to pump from the bottom. For most buildings, that means from the basement, where the fuel tanks are placed for other obvious reasons. (Consider if one started leaking, would you want it dripping down to all of the floors below it?)
These data centers are well designed, but it's impossible to cover every disaster scenario.
It's easy for you to sit here after the fact and snipe at them. If you really think you can do better, go start designing them yourself. If you succeed, you'll do quite well for yourself.
As someone who designs these sorts of things for a living, there are a host of problems with having diesel fuel on the room. For one thing, fire codes limit the amount of diesel fuel you can store on the roof (for obvious reasons). For another thing, the trucks that carry in the diesel fuel to refill the tanks are located on the street. One way or another you're going to have to pump fuel from the street up to the roof, which is going to leave the pumps that do so susceptible to flooding.
I would have thought Tropical Storm Allison in 2001 was the teaching moment for the data center business, when all the underground infrastructure of downtown Houston was completely flooded. Apparently planners had not realized that critical backup power systems (or research animals, or symphony archives, or ...) shouldn't be below the level of potential flooding. Houston is 25 miles from the Gulf, so this wasn't a storm surge, just a huge steady rain event. I guess the lesson will be repeated until building management learns.
It's hard to call the diesel generators "useless" when this company is successfully using them to power its facilities. The bucket brigade is clearly not an optimal solution, but it is a solution that is working so far.
Do you have better suggestions? (Not being a troll - you make a fair point and I'm genuinely interested to hear what you have to say if you would have done it differently)
Here is some information on the setup @ 75 Broad St:
"The 17th and 18th floors of 75 Broad have been reserved for generator farms that can accommodate as many as 40 machines. Big doors will be installed in the facade of both floors so the generators can be rigged into the building.
A 41,000-gallon fuel tank is being installed in the basement, with a separate generator and three redundant pumps to supply the generators on the 17th and 18th floors. Each tenant will own its own generator -- E-Spire already has one installed outside on the setback on the 17th floor -- but the building will sell them fuel."
This shows great dedication on behalf of the team to provide a temporary solution to a more permanent problem. Well done.
More importantly, though - and not to discredit any of the hard work that's been done - hopefully the companies take a look at why the problem was created in the first place. For instance: why were the generators on the 17th floor? Why were the pumps below ground? Why was the datacenter built in a floodzone in the first place?
This is not unlike a lot of problems we face in software - developers bearing the consequences of poor planning.
Particularly important is that they're just in Zone C, i.e. apocalyptic flooding required. They also kept hefty onsite fuel reserves, i.e. at one point a reported 30 hours before they needed their first delivery, then 5 days....
This site, the/a main one for the Huffington Post (Datagram), they're all in Zone A, when Zone B flooding was considered to be likely :-( http://project.wnyc.org/news-maps/hurricane-zones/hurricane-... ). I'm sure Manhattan Island datacenter space in Zones A and B cost less, but....
(I too use them for email and their siting has always been one of my biggest concerns.)
Why are the backup generators on the 17th floor and not the 3rd floor? Assuming there is a very good reason for that,
Why wasn't there an additional pumping room on the 3rd floor, pre-built, with a legal amount of diesel in reserve, and a additional pumps to take over from the basement pumps when those fail, thus saving your bucket brigade 14 floors of climbing?
Why are you carrying diesel in the open in 5 gallon buckets and not in fuel containers that were purchased years ago?
Generators are placed on the top floor to simplify the exhaust path, which must terminate at the roof.
Pumps are placed next to the fuel because pumping liquid over any significant vertical distance requires the pump to "push" rather than "pull". The fuel is placed in the basement because nobody wants to sit next to a tank full of diesel.
Can you use the elevators? If the generator doesn't have the extra power to run them, offer some customers credit and a mention in the post-mortem if they'll let you shut them down temporarily to power the elevators. Then you can bring fuel up in drums instead of buckets.
The elevator equipment is also in the basement, which is flooded with sea water and diesel fuel. Even if they had power, there's no running them until everything is cleaned up.[1]
With all of this effort put into keeping the data center running, I've been wondering about a few things.
Was it actually connected to the outside world throughout the storm?
I have a hard time imaging that with the power out in large sections of the city some key router on the line wouldn't have also lost power.
If that's the case, the effort was put in just to keep the computers warm to prevent unplanned shutdown, not to actually provide uninterrupted service to the customer?
I'm not familiar with data center operation. If you're already cut off from the larger network at what point does it make sense to keep the machines running vs. shutting them down?
Or perhaps i'm just mistaken and they were actually connected throughout. In which case I find it amazing that the water knocked out pumps and necessitated other shutdowns but their network wasn't damaged in some way.
Yes, it's still connected to the outside world, and has been continuously thus far. Example of a site still being served from machines at Peer1: http://blog.squarespace.com/
Fiber can be underwater with no problems so it's really just the end points you have to worry about. Honestly, I would be surprised if most networks had much issue with this storm as they generally last until the first time you need to refill the generators. That said available bandwidth is probably significant issue, I had a lot of network issues though the storm, but slow is often a lot better than down.
This story reminds me of the efforts one guy in New Orleans went through to keep his data center running after Katrina. There were some tales of diesel hauling in that blog as well.
Some numbers: a 1 megawatt generator burns 70 gallons / hour. If someone can carry 10 gallons (60 lbs), they need to make 7 trips / hour up 17 stories. I think one soldier could manage it.
Columbia Tower in Seattle, Firefighter Stairclimb event (I think you could agree a firefighter is probably on par with a soldier for fitness) - 63 stories carrying 50ish pounds of gear, average finish time, 48 minutes.
7 trips an hour up and down 17 stories = 119 stories.
Oh, and the firefighters are exhausted, drenched in sweat, require cooling down and up to an hour in rehab for each climb, with legs near collapse, burning like fire...
If I had to do this, I'd be going with the bucket brigade, every time (spoken as someone who has completed that stairclimb event).
Compared to the amount of work involved after unscheduled power loss in a data centre yes. Been there done that, and I would defiantly haul buckets of diesel for 12 hours rather than spent the next months sorting out systems that had not restarted cleanly.
I don't think so. At work we set up some servers on the west coast to take over in case our main provider on the east coast went down.
I'd say the chance of one of their people getting hurt isn't really worth anyone's uptime.
Also all the single site prep in the world doesn't help if that one site is taken out completely. Keeping multiple servers in multiple areas is a must if 100% uptime, even during events like this, is key.
The long-term correct solution to this problem is cloud infrastructure with multi-provider failover. If you have a server in California hosted by Amazon and a server in Texas hosted by Rackspace it's unlikely that you'll find yourself hauling diesel fuel up a staircase.
This got mentioned on an irc channel a few hours ago and my response was: "Why don't they build a pulley? They're nerds, they have the skills". Obviously shifting diesel about has some risks involved but a basic pulley system would help save a lot of time.
Actually a pulley might be slower when you think about it, lets say you have 10 guys trudging up the stairs each with 4gal in a bucket, that is 40gallons going up stairs, as opposed to one 4gallon bucket being pulled up, then emptied, then dropped down, then pulled up. So the question is how long the load / unload cycle is relative to the bucket brigade cycle.
When constructing my earthquake preparedness kits I spent some time looking at what happened when folks were in earthquakes both in reasonable infrastructure places (Chile) and less reasonable (Haiti) and non-existant (Turkey). That led to having a 'suture kit' in my day pack because one of the common themes was that there were emergency personnel around who were trying to help but they were often without or short on basic supplies to treat severe lacerations. I have no illusions about being able to suture myself up if I needed it, but I do have hope that I could find someone with the skills to do so. And by having distributed emergency supplies with lots of people, it means that as more people collect the better supplied the resulting group will be.
So back to our flood, a number of buildings include a lift system on the roof for moving heavy things in and out of the building that can't go by elevator. One preparedness solution would be to have a way to utilize that system with a bunch of buckets that would let people do this without carrying up the water directly. If it could be made part of the regular gear that they have on site for doing lifts, that might be a positive thing overall.
A pulley system would save manpower but manpower wasn't the limiting factor last night. It was buckets and throughput.
Pulley system wouldn't work inside. There isn't a gap in the stairwells and it's not a straight shot up. Going over the side of the building would potentially work but there'd need to be a boom to get it off the side of the building and without some sort of power winch it's a matter of hauling one or two buckets up manually and I think that'd be lower throughput than the brigade system where you get 1-2 buckets in the time it takes to walk up two flights of stairs.
Building a pulley system would take some significant time and requires finding the necessary tools and resources. The bucket brigade is much simpler and immediately available.
Any bets as to whether they will still be singing that common 'implementation efficiency doesn't matter, you can always scale horizontally' tune afterwards?
I imagine that spilling diesel down the stairs would be hazardous. At the very least, it's extremely viscous (slippery). In addition, that's probably one of the fire escape routes.
[+] [-] JagMicker|13 years ago|reply
I was just reading about the Fukushima accident, and how most of the EDG's failed because they were water-cooled, and while the EDG's were located out of harms way, the pumps for providing cooling water were located on low ground and were damaged by the tsunami. http://fukushima.ans.org/report/accident-analysis
Yesterday I saw a story about the Datagram data center in NYC having to shut down. From their reports about the damage (http://www.datagram.com):
"As of 5pm on October 29, 2012, Datagram had thoroughly tested its emergency systems at 33 Whitehall, NYC fully staffed and awaiting the storm to hit Manhattan's shores. Once ConEd lost power to Lower Manhattan, Datagram's emergency systems kicked on maintaining power to Datagram's datacenter. Unfortunately, within a couple hours of the storm hitting Manhattan's shores, the building's entire basement, which houses the building's fuel tank pumps and sump pumps, was completely filled with water and a few feet into the lobby. Due to electrical systems being underwater the building was forced to shut down to avoid fire and permanent damage."
It's pretty obvious that, despite all the disaster planning done in the past, Datagram (and TEPCO, and others) have really neglected to appreciate the potential modes of failure for their backup power systems. In both cases, they misunderstood the threat to critical backup power infrastructure. If your EDG is on the roof but the fuel pumps and electrical switchgear is in the basement, what will happen during a flood? If your EDG's are on high ground but the pumps to cool them are not, what happens during a tsunami?
[+] [-] tghw|13 years ago|reply
These data centers are well designed, but it's impossible to cover every disaster scenario.
It's easy for you to sit here after the fact and snipe at them. If you really think you can do better, go start designing them yourself. If you succeed, you'll do quite well for yourself.
[+] [-] imgabe|13 years ago|reply
[+] [-] lesterbuck|13 years ago|reply
http://en.wikipedia.org/wiki/Tropical_Storm_Allison
[+] [-] jordanb|13 years ago|reply
[+] [-] TallGuyShort|13 years ago|reply
[+] [-] hollerith|13 years ago|reply
[+] [-] derfniw|13 years ago|reply
[+] [-] fr0sty|13 years ago|reply
"The 17th and 18th floors of 75 Broad have been reserved for generator farms that can accommodate as many as 40 machines. Big doors will be installed in the facade of both floors so the generators can be rigged into the building.
A 41,000-gallon fuel tank is being installed in the basement, with a separate generator and three redundant pumps to supply the generators on the 17th and 18th floors. Each tenant will own its own generator -- E-Spire already has one installed outside on the setback on the 17th floor -- but the building will sell them fuel."
http://www.nytimes.com/1999/10/10/realestate/commercial-prop...
[+] [-] dfj225|13 years ago|reply
http://blog.squarespace.com/ http://status.squarespace.com/
[+] [-] adanto6840|13 years ago|reply
[+] [-] bjornsteffanson|13 years ago|reply
More importantly, though - and not to discredit any of the hard work that's been done - hopefully the companies take a look at why the problem was created in the first place. For instance: why were the generators on the 17th floor? Why were the pumps below ground? Why was the datacenter built in a floodzone in the first place?
This is not unlike a lot of problems we face in software - developers bearing the consequences of poor planning.
[+] [-] minikites|13 years ago|reply
http://www.nyistatus.com/
[+] [-] hga|13 years ago|reply
This site, the/a main one for the Huffington Post (Datagram), they're all in Zone A, when Zone B flooding was considered to be likely :-( http://project.wnyc.org/news-maps/hurricane-zones/hurricane-... ). I'm sure Manhattan Island datacenter space in Zones A and B cost less, but....
(I too use them for email and their siting has always been one of my biggest concerns.)
[+] [-] mkr-hn|13 years ago|reply
[+] [-] jerrya|13 years ago|reply
Why wasn't there an additional pumping room on the 3rd floor, pre-built, with a legal amount of diesel in reserve, and a additional pumps to take over from the basement pumps when those fail, thus saving your bucket brigade 14 floors of climbing?
Why are you carrying diesel in the open in 5 gallon buckets and not in fuel containers that were purchased years ago?
All in all seems somewhat half-assed.
[+] [-] jmillikin|13 years ago|reply
Pumps are placed next to the fuel because pumping liquid over any significant vertical distance requires the pump to "push" rather than "pull". The fuel is placed in the basement because nobody wants to sit next to a tank full of diesel.
[+] [-] mkr-hn|13 years ago|reply
edit: Nope. http://news.ycombinator.com/item?id=4723814
:(
[+] [-] tghw|13 years ago|reply
[1] http://news.ycombinator.com/item?id=4720894
[+] [-] eropple|13 years ago|reply
And I doubt anyone who's in that building needs "credit" or "a mention in the post-mortem" more than they need the uptime they've paid for.
[+] [-] anigbrowl|13 years ago|reply
[+] [-] mkr-hn|13 years ago|reply
[+] [-] Pyrodogg|13 years ago|reply
Was it actually connected to the outside world throughout the storm?
I have a hard time imaging that with the power out in large sections of the city some key router on the line wouldn't have also lost power.
If that's the case, the effort was put in just to keep the computers warm to prevent unplanned shutdown, not to actually provide uninterrupted service to the customer?
I'm not familiar with data center operation. If you're already cut off from the larger network at what point does it make sense to keep the machines running vs. shutting them down?
Or perhaps i'm just mistaken and they were actually connected throughout. In which case I find it amazing that the water knocked out pumps and necessitated other shutdowns but their network wasn't damaged in some way.
[+] [-] madkangas|13 years ago|reply
(I am a Squarespace employee)
[+] [-] Retric|13 years ago|reply
[+] [-] gallerytungsten|13 years ago|reply
http://interdictor.livejournal.com/57475.html http://interdictor.livejournal.com/40720.html
http://en.wikipedia.org/wiki/Interdictor_%28blog%29
[+] [-] tlb|13 years ago|reply
[+] [-] FireBeyond|13 years ago|reply
Columbia Tower in Seattle, Firefighter Stairclimb event (I think you could agree a firefighter is probably on par with a soldier for fitness) - 63 stories carrying 50ish pounds of gear, average finish time, 48 minutes.
7 trips an hour up and down 17 stories = 119 stories.
Oh, and the firefighters are exhausted, drenched in sweat, require cooling down and up to an hour in rehab for each climb, with legs near collapse, burning like fire...
If I had to do this, I'd be going with the bucket brigade, every time (spoken as someone who has completed that stairclimb event).
[+] [-] ryan_s|13 years ago|reply
[+] [-] ollybee|13 years ago|reply
[+] [-] Moto7451|13 years ago|reply
I'd say the chance of one of their people getting hurt isn't really worth anyone's uptime.
Also all the single site prep in the world doesn't help if that one site is taken out completely. Keeping multiple servers in multiple areas is a must if 100% uptime, even during events like this, is key.
[+] [-] asher_|13 years ago|reply
[+] [-] qq66|13 years ago|reply
[+] [-] nicholassmith|13 years ago|reply
[+] [-] ChuckMcM|13 years ago|reply
When constructing my earthquake preparedness kits I spent some time looking at what happened when folks were in earthquakes both in reasonable infrastructure places (Chile) and less reasonable (Haiti) and non-existant (Turkey). That led to having a 'suture kit' in my day pack because one of the common themes was that there were emergency personnel around who were trying to help but they were often without or short on basic supplies to treat severe lacerations. I have no illusions about being able to suture myself up if I needed it, but I do have hope that I could find someone with the skills to do so. And by having distributed emergency supplies with lots of people, it means that as more people collect the better supplied the resulting group will be.
So back to our flood, a number of buildings include a lift system on the roof for moving heavy things in and out of the building that can't go by elevator. One preparedness solution would be to have a way to utilize that system with a bunch of buckets that would let people do this without carrying up the water directly. If it could be made part of the regular gear that they have on site for doing lifts, that might be a positive thing overall.
[+] [-] grayrest|13 years ago|reply
Pulley system wouldn't work inside. There isn't a gap in the stairwells and it's not a straight shot up. Going over the side of the building would potentially work but there'd need to be a boom to get it off the side of the building and without some sort of power winch it's a matter of hauling one or two buckets up manually and I think that'd be lower throughput than the brigade system where you get 1-2 buckets in the time it takes to walk up two flights of stairs.
[+] [-] eropple|13 years ago|reply
[+] [-] wukkuan|13 years ago|reply
Not nearly as much fun, though.
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] mindslight|13 years ago|reply
[+] [-] activepeanut|13 years ago|reply
[+] [-] pyre|13 years ago|reply
[+] [-] dsl|13 years ago|reply
[+] [-] tlrobinson|13 years ago|reply
[+] [-] unknown|13 years ago|reply
[deleted]
[+] [-] smackfu|13 years ago|reply
[+] [-] grayrest|13 years ago|reply