Redundancy is always tricky and the circumstances under which redundancy is expected to operate are always limited. For example, had the first system suffered a hardware failure, then the backup would have been a useful backup, ready for switch-over. Since the information needs to be synchronized the fact that a change to one was made to the other is the intended behavior. To make it fully independent would mean that synchronization would be sacrificed.
In the main power vs. generator - suppose the failure was the main breaker box was on fire. Tough to get power through the melted breakers. It's also not workable to wire up an entirely separate breaker box to the same outlets as the main power - that would lead to the generator possibly electrifying the power lines and killing electrical workers if the power goes out from a downed line.
Complaining about redundancy is easy. Providing it in a way that it doesn't bite in an unexpected way is very difficult.
from
The RISKS Digest Volume 19 Issue 15
Re: Power system loss, despite multiple redundancy (Sheen, R-19.13)"Ray Todd Stevens" <
[email protected]>
Mon, 12 May 1997 20:58:51 +0000
In most places by building and electric codes there must be a shut off.
That shut off must shut off all power sources including backup power. I
remember an incident where a new employee at a local computer center shut
off the power to the center. The required power switch was one of the
familiar red large buttons on the wall. It was protected from accidental
access by a plexiglass shield that you had to reach under and up into to
press the shut off. However, by code it was located next to the main exit
door. The guy thought it was the door open switch.
Ray Todd Stevens Senior Consultant Stevens Services R.R. # 14 Box 1400
Bedford, IN 47421 (812) 279-9394
[email protected]