British Airways Says IT Collapse Came After Servers Damaged By Power Problem

A huge IT failure that stranded 75,000 British Airways passengers followed damage to servers that were overwhelmed when the power returned after an outage, the airline said on Wednesday. From a report: BA is seeking to limit the damage to its reputation and has apologised to customers after hundreds of flights were canceled over a long holiday weekend. The airline provided a few more details of the incident in its latest statement on Wednesday. While there was a power failure at a data center near London's Heathrow airport, the damage was caused by an overwhelming surge once the electricity was restored, it said. "There was a total loss of power at the data center. The power then returned in an uncontrolled way causing physical damage to the IT servers," BA said in a statement. "It was not an IT issue, it was a power issue."

Not IT... Riiiight...

Pretty sure UPS's and backup power supplies kinda do fall under that...

Re:Not IT... Riiiight...

[Tailhook]

Not to mention fail over to alternative sites.

These are transparent lies. The real issue is well known now, but it's unconformable for all involved so they're making stuff up.

Re:Not IT... Riiiight...

[sycodon]

Well, India has a notoriously unreliable electrical grid.

Re:Not IT... Riiiight...

[HornWumpus]

When they _fire_ the CEO, CTO and Director of IT. They should publicly announce 'It wasn't a management issue, it was power.'

Re:Not IT... Riiiight...

[ShanghaiBill]

Well, India has a notoriously unreliable electrical grid.

If the power goes down daily or weekly, you learn to deal with it, and your backup generators and fail-over systems become robust. If power goes done once a decade, it causes bigger problems.

Re:Not IT... Riiiight...

I think he forgot the sarcasm tag...

You know...their IT was outsourced to India?...

Come on, does everything have to be explained?

Re:Not IT... Riiiight...

I haven't been there yet, but I do believe they haven't switched to wireless yet--at least for electrical.

Re:Not IT... Riiiight...

Correct. The actual problem is that their newly Indian outsourced IT guys could properly managed the situation, which includes properly initiating the backup systems.

Basically, Indian outsourcing cost them millions of dollars in lost revenue. Just chalk it up to the billions lost by outsourcing.

Re: Not IT... Riiiight...

[thundercattt]

That was my first thought. A setup that size would have to have UPS backup setups upon backups. Baloney.

Re:Not IT... Riiiight...

[rholtzjr]

I am pretty sure it was the lack of in this case. Even if a power surge happens, PDU/UPS pretty much handle any power related issues. This sounds more like someone was dinking around in the data center and pulled/shorted the wrong wire(s). Even if this did not happen, PDU/UPS equipment was designed to prevent what happened, so yea it WAS AN IT PROBLEM.

Re:Not IT... Riiiight...

And lets face it, Power Buffering was never applied to the computers at BA because BA still uses computers from the late 1970's. Those Z80's are still working hard at 4 MegaHertz and 64K of RAM. One of the India subcontractors was tasked to go get a Power Buffer outlet for $6.00 at the Fry's Electronics and the problem was solved. Thank visnew for BA's outsourced talent.

Re:Not IT... Riiiight...

[dgatwood]

The problem is, AFAIK, like most legacy airlines, all of those critical systems tie into a central mainframe. Redundancy is supposed to be built into the mainframe hardware itself, and replication is infeasible because the mainframe-based databases don't really provide that capability. And like many companies, rather than spend the extra money to increase IT staffing so that they can properly transition to redundant clusters that are actually long-term-maintainable, they took the "If it ain't broke, don't fix it" approach, assuming that as long as the system was working, nothing more than minimal maintenance would be required, and outsourced their IT.

I'd like to believe that this will force them to rethink that strategy and invest in systems that go between the front-end systems and the mainframe to let them slowly replicate it onto more standard hardware, along with people trained to handle such a large-scale IT task, but I'm not holding my breath. Give it another ten years, and it will happen again, but next time, the damage will be too severe and they'll be down for a year while they rebuild all their systems from scratch.

Re:Not IT... Riiiight...

[rholtzjr]

I already went through this once for a big insurance company back in 2003. We had setup a remote fail over site that was at most only an hour time frame from replacing in the event of a catastrophic failure. This is not really rocket science. This included a mainframe component (with data replication) and all the other supporting systems ranging from Windows, and UNIX systems with multiple flavors of databases (all replicating data). When the primary site went down for what ever reason (we assumed the worst to be total destruction of primary site), the router detected the failure and rerouted all traffic to remote site. We even went with two different carriers for the network redundancies. The only single point of failure would have been if the entire network infrastructure in the country went down. But we still had functionality at a different location and could relocate any employees from anywhere in the country to the new sight. We even practiced the failure event once a year.

No, this is just not doing due diligence on having a viable High Availability/Disaster Recovery response plan.

Re:Not IT... Riiiight...

[DontBeAMoran]

O'BRIEN: In order to bring the system up to Starfleet code, I had to pull out the couplings to make room for a secondary backup.
GILORA: Starfleet code requires a second backup?
O'BRIEN: In case the first backup fails.
GILORA: What are the chances that a primary system and its backup would both fail at the same time?
O'BRIEN: It's not likely, but in a crunch, I wouldn't want to be caught without a second backup.

Re: Not IT... Riiiight...

[Brockmire]

For future reference, it deserved a whoosh.

Power of the almighty dollar

[mfh]

We all know that this outage was caused by bad faith outsourcing to unqualified persons. Who are they kidding?

https://www.theguardian.com/bu...

Oh yeah, power surges are to blame! haha no.

Re: Power of the almighty dollar

From your linked article: "BAâ(TM)s chairman and chief executive, said on Monday that the surge was âoeso strong that it rendered the back-up system ineffectiveâ

Hahahaha they didn't even have off site backups? They can offshore their IT workers but NOT the backups.

Re:Power of the almighty dollar

[wyHunter]

Pound?

Re:Power of the almighty dollar

[jellomizer]

A proper IT staff would have built in safeguards against power outages and power surges.
For a company the size of British airways I would expect that they would have a hot fail over in a different country. Or at least a different geographic location.

In short they cheeped out on IT and now they are paying for it.

Re:Power of the almighty dollar

[Maxo-Texas]

An ill-considered plan to save a few dimes has cost them several dollars.

The CEO should have foreseen this and should be let go. As should other executives who approved the offshoring plan.

Offshoring can work- but excessive staffing cuts to save a few extra dollars are begging for something like this to happen.

Infrastructure people should be located on site with the hardware and there should be multiple hardware systems *with* fail over testing on a monthly basis. (not quarterly. that fails. only monthly is often enough that the failover is seamless and there is a good argument for doing a daily failover.)

Re:Power of the almighty dollar

[sycodon]

This is what happens when you treat your IT staff like your Janitorial staff.

Re:Power of the almighty dollar

[rikkards]

This is what happens when you outsource, you lose control of what is outside your grasp and you take them at face value.
CEO who did the right thing would have been pushed out because he was costing the shareholders too much money before that

Re:Power of the almighty dollar

[AC5398]

And yet, if you laid your janitorial staff off you'd up to your neck in filth and garbage in no time at all.

Management who don't rise through the ranks typically have absolutely no respect for the work that 'the ranks' perform.

Re:Power of the almighty dollar

I bet it was in the Risk Register!

Re:Power of the almighty dollar

[sycodon]

This is true.

Re:Power of the almighty dollar

Contractors can certainly a part of the failure even if it was a alleged power issue. Managers love to shop for an answer they like. At one company I worked at, we had a infrastructure architect that designed one heck of a great network with the proper level of redundancy and failover capability. The senior managers loathed to pay for equipment and capacity that mostly sat idle when not used for surge demand or brought up during maintenance windows. When things did fail, everything happened transparently and no one ever saw so much as a blip in availability.

So what did the manager do? Fired the architect and brought in a contact company. Things work perfectly right? What's the harm in saving a few bucks? The south Asian contractors said yes and nodded their heads to every idea to cut costs here and there. After all, they wanted to keep the customer happy. Then one night, there was a catastrophic failure. Sure enough, things crumbled and cratered. Rather than having in house folks with knowledge and skin in the game to get things running again, indifferent techs 10 time zones away took their time trying to figure things out. The 5 day outage costs a hell of a lot more money than was saved. The company never really recovered and has been downhill ever since.

Re:Power of the almighty dollar

[MangoCats]

Why do you think it took them this long to come out with an explanation?

Re: Power of the almighty dollar

So it would be right to treat janitorial staff like this? Unless we accept that NO ONE should be treated like this, we will ALL be treated like this.

Re: Power of the almighty dollar

More or less the same now.

Re: Power of the almighty dollar

#solidarity

Tech workers, are we ready for a union yet? Or do we want to keep getting shat upon by MBA bean counters?

Re:Power of the almighty dollar

[billybiro]

This is what happens when you treat your IT staff like your Janitorial staff.

It's often worse than this. I rarely see Janitorial staff having to "make do" with old threadbare mops and having to wash floors with water with no detergent. They are usually very well stocked for the specific things that they need to get their jobs done. IT staff? Not so much.

Re:Power of the almighty dollar

[billybiro]

The CEO should have foreseen this and should be let go. As should other executives who approved the offshoring plan.

Yes, they'll probably be "let go". Right after they collect their multi million golden parachute, receive a hearty slap on the back from fellow members of the old boys network and walk right into another high paying CxO position in another multi-national organisation with nary a drop of ink to blot their copybook.

Re: Power of the almighty dollar

[Brockmire]

In case you missed it, this is about outsourcing, not layoffs. Janitors get changed like underwear. No one notices. It's not exactly a skill, so much as no better option.

"It wasn't me, it was the one armed man!"

"It was not an IT issue, it was a power issue."

Assuming it was not a lightning strike, It's still your fuckup if "power issues" can damage/take down your IT.

Re:"It wasn't me, it was the one armed man!"

[TWX]

Yep.

We have a Caterpillar generator the size of a schoolbus (and given its coloring I've had to restrain myself from sticking a stop-sign on the side as a prank) and a sophisticated transfer switch with power monitoring. When we lose power the batteries hold the DC over until the generator kicks in, and then when power is restored we do not switch back to grid immediately. I am not the person that deals with the power, but as I understand it, the generator and transfer switch monitors the grid for some time before switching back to grid, and there are power conditioners in between. On top of that, the system monitors grid power continuously and will intentionally island the system if there's a significant enough fault.

This is not for something as critical as an airline's control system either. I do not find any reasonable excuse to blame power; you're supposed to assume that power is dirty and unreliable and to work around it.

Re:"It wasn't me, it was the one armed man!"

[jellomizer]

A proper IT infrastructure can deal with a direct lightning strike as well.

Re:"It wasn't me, it was the one armed man!"

Sounds great...when it works. I bet you've never looked at the code that controls a big automated transfer switch. I have. It's a mess. It's so bad that the very first install Eaton did with our new model, which was in Digital Forest in Tukwila, WA near Seattle, we had three failures in the first ninety days due to bad software. It shut an entire data center down even though utility power was not down, battery power good, and generator working. The guy we dispatched the third time had spent two years in Uganda so he was experienced with bad power. He claimed that power from Seattle City Light was worse than Uganda. The power was so bad that the software in the ATS decided to disconnect everything.

The second time power was restored, because of the bad software, it switched to generator power before the generator was running fully. The voltage dropped and took out quite a few older pieces of equipment and stalled the engine. In other words, the opposite problem BA had.

Re:"It wasn't me, it was the one armed man!"

[TWX]

Depends. Unfortunately airline stock tends to perform almost regardless of what an airline does simply because when people need to travel there are only so many options and among all airlines across the planet there are only so many seats going so many directions. As long as people want or need to travel the airlines will generate revenue, even those that make terrible mistakes or do terrible things to passengers from time to time, so long as they manage to get flying again.

Re:"It wasn't me, it was the one armed man!"

[drinkypoo]

The guy we dispatched the third time had spent two years in Uganda so he was experienced with bad power. He claimed that power from Seattle City Light was worse than Uganda. The power was so bad that the software in the ATS decided to disconnect everything.

Probably true. When the first grid-tie inverters were invented, they kept shutting themselves off because as it turned out, the utilities were totally incapable of producing power as clean as they claimed they were, and as they were demanding that the inverter provide. Making better power than utilities in the US is trivial.

Re:"It wasn't me, it was the one armed man!"

I worked in a center that had a big diesel-powered UPS unit the size of a shipping container. It was there about 3 years before we had a power outage. It detected it and span up, engaged the clutch and ... the drive belt snapped. Oops. Under voltage. So rev faster. Still undervoltage, so MOAR revs. Now, in addition to the power outage we've got a big UPS that's on fire.

Re: "It wasn't me, it was the one armed man!"

Quackbot short-circuited. Issue does not correlate to political ideology. doubleplusungood.

Re:"It wasn't me, it was the one armed man!"

[citylivin]

Until your voltage regulator starts dying and only gives your equipment 80volts and no one notices the under voltage condition during normal maintenance and testing of the generator.

The facilities maintenance people test the generators monthly, but it was not standard practice to test the voltage every single time the generator was tested.

It is now.

But the point is that systems fail in all sorts of fun ways in the real world. You learn, you change, you adapt, as im sure BA is doing. All it takes is one major incident to stop people from dragging their feet. I'm sure that is occurring now at british airlines.

Re:"It wasn't me, it was the one armed man!"

[amorsen]

[..]sophisticated transfer switch with power monitoring[..]

Those break. Way more than they should. Often with interesting results that aren't just "power went off".

And you fundamentally can't make them redundant. You can have two of them on completely separate feeds of course, feeding into different power supplies on the servers. That sometimes helps, except when the overvoltage is sufficiently great to get through the protections of the power supply.

Re:"It wasn't me, it was the one armed man!"

[Thelasko]

I am not the person that deals with the power, but as I understand it, the generator and transfer switch monitors the grid for some time before switching back to grid, and there are power conditioners in between.

I used to design the diesel engines used in some of those systems, and have seen them in use. Although your system may monitor the grid to ensure reliability, it's most likely making sure it's not switching between two power sources that are out of phase.

When we would connect one of our gensets to the power grid, we had to match the phase before we could close the switches. To do this, the engine speed was modified to run the generator at slightly above or below the frequency of the grid. If the phase wasn't matched, the power grid would try to force the generator into phase suddenly. It's assumed the power available from the grid is infinite in these types of systems. Therefore an incredible amount of current would flow through the generator and also provide a mechanical jerk to the engine if the switches were closed out of phase. Something will break in a spectacular fashion if this isn't done carefully.

Honestly, this could be what happened to BA.

Re:"It wasn't me, it was the one armed man!"

[aaarrrgggh]

Sounds like 365 Main, the problem was in multiple small blips which were each too small to start the engine, but in aggregate depleted the flywheel below the minimum to start the engine.

Re:"It wasn't me, it was the one armed man!"

[TWX]

We test monthly. It's also a way to replenish the fuel before it becomes nonviable.

Re:"It wasn't me, it was the one armed man!"

Working in a govt building we had a big diesel generator set up to handle power failures. Every once in a while it would be switched on and everything run off diesel to make sure it all worked. Testing procedures is a good thing.

One day someone forgot to switch it back and no one noticed. The generator ran all night untill morning when it was noticed. When it ran out of diesel.

Panic stations. In the process of getting power back to the building they fried a series of boards that handed it. So here is a large government building, with a data center and help desk blacked out. That data center happened to provide the data for every DMV in the state. So they were knocked offline too. They then fried the boards that were used to replace the first set.

We all went home for the day and wondered who was going to carry the can for that one.

Re:"It wasn't me, it was the one armed man!"

[nwf]

A proper IT infrastructure can deal with a direct lightning strike as well.

At what cost? I doubt it's worth it for most businesses. There are too many disasters to plan for: lightening, flood, earthquake, tornado, high winds, several combined. It's probably impossible to protect against everything unless you have Federal Government money.

I've yet to see a surge suppression system that's affordable to a mid-scale business that can take a direct hit, anyway. Plus you get EM induced voltage that fries networking and other stuff, including the power system control circuitry. I've seen that myself.

Re:"It wasn't me, it was the one armed man!"

Honestly, this could be what happened to BA.

It still doesn't excuse them. If this is actually a mission critical system, so crucial to the operation of the whole company that it may not operate and generate revenue without it, it's supposed to be engineered to fail over to another site, a safe distance away (to rule out both getting knocked out by a catastrophe).

They've been in business for what, 40 years? They still haven't bothered to build a reliable backbone for their business - or, rather, the redundancies do exist, and the new staff doesn't even know how to operate it. 100% inexcusable, and blaming a power outage amounts to SCREAMING to any minimally technically savvy person in the planet HEY WE'RE INCOMPETENT.
I'm amazed their planes don't fall out of the sky. Oh yeah, can't pilot them from Bangalore, that's why.

Please do the needful, BA CEO, fuck off.

Re:"It wasn't me, it was the one armed man!"

[gweihir]

Yep.

We have a Caterpillar generator the size of a schoolbus (and given its coloring I've had to restrain myself from sticking a stop-sign on the side as a prank) and a sophisticated transfer switch with power monitoring. When we lose power the batteries hold the DC over until the generator kicks in, and then when power is restored we do not switch back to grid immediately. I am not the person that deals with the power, but as I understand it, the generator and transfer switch monitors the grid for some time before switching back to grid, and there are power conditioners in between. On top of that, the system monitors grid power continuously and will intentionally island the system if there's a significant enough fault.

This is not for something as critical as an airline's control system either. I do not find any reasonable excuse to blame power; you're supposed to assume that power is dirty and unreliable and to work around it.

That is how it is done. It is well-known that power often comes back up "unclean" after a failure.

Re:"It wasn't me, it was the one armed man!"

[gweihir]

It is in fact a standard scenario.

Re:"It wasn't me, it was the one armed man!"

[phorm]

Strange, in the last place I worked with a big DC, they regularly tested the generator (I think monthly, and even from floors away you could *hear* it), and UPS systems. In my five years there, I'd not heard of an outage due to any of the many power failures in our area.

Re:"It wasn't me, it was the one armed man!"

transfer switch monitors the grid for some time before switching back to grid

Even my cheap no-name desktop UPS does that

Re:"It wasn't me, it was the one armed man!"

[kevmeister]

And sometimes **it happens.

I worked as a Senior Network Engineer for a large national backbone provider to the US DOE. At the facilities we owned WE were in charge of oversight of the power system and regular testing. We had one experienced power engineer on staff to oversee everything, though the facility's plant engineering people did all of the actual heavy work.

Back in 2009 we had just completed our annual full transfer test where we switched over to UPS, let the generator fire up, transferred to generator power, and then reversed the process. Everything worked perfectly. The following week we lost power. UPS kicked in, but the generator refused to start. One week earlier everything worked perfectly in the test case where we could have backed out before UPS died. No such luck that day. Our staff lost the ability to monitor the network and the laboratory where we were located lost Internet connectivity as did several other smaller facilities in the area. Took us about an hour to get a trailered generator in place and get things back on-line.

No matter how carefully you plan and test, sometime you still lose.

Re:"It wasn't me, it was the one armed man!"

[dbIII]

Indeed - good idea.
Sometimes Murphy is still against you.
A power station I did some work at had a 20MW emergency generator (old jet engine) to kick things off (conveyors and crushers require a lot of juice) and it was tested monthly for around 25 years and maintained carefully. The only time it was needed (due to a fairly rare set of circumstances) it didn't work. A second one was installed later as a backup to the backup but neither was needed again for the remaining life of the power station.
I think those two little 20MW gas turbines were adjusted to run on natural gas are still in use from time to time to cover peaks. They may be old but running time is what matters.

Re:"It wasn't me, it was the one armed man!"

[dbIII]

But the point is that systems fail in all sorts of fun ways in the real world. You learn, you change, you adapt, as im sure BA is doing.

Yes, and by outsourcing to someone who has not learned your lessons you have to get through all those mistakes a second time.

Re:"It wasn't me, it was the one armed man!"

Old, well-tested automatic transfer switches plus sane utility power makes that an easy goal to accomplish. In our office building in downtown Seattle, we see 60 Hz slips which is typically unheard of in first world countries. That makes it very difficult to meet uptime goals. We had to disable all of the safeties on our ATC to keep from having outages. Don't assume everyone is as lucky as you when it comes to utility power.

In addition, due to moisture we've had dozens of batteries short-out which reduced our expected uptime on batteries. With the last utility power outage we had, our batteries hit 11.8V which is discharged beyond what you typically want to do since it greatly reduces battery life.

Re:"It wasn't me, it was the one armed man!"

When we would connect one of our gensets to the power grid, we had to match the phase before we could close the switches.

EE here. I've only dealt with small to medium generators- you know, 500W to 100KW. I've never heard of connecting a backup generator to the power grid. The small to medium sized transfer switches most absolutely definitely do not do this, and in fact, have large gaps between the contacts to insure that never happens. I can't envision why anyone would want to try to sync a generator to the power grid, unless you're part of and powering the grid, but never for a backup generator.

Re:"It wasn't me, it was the one armed man!"

[tibit]

It's almost as if they could save money by pushing their shit out to a competent datacenter. I don't really see why BA, of all people, needs their own. Their shit could run on AWS just fine I'm sure. It's not magic. They deal with the same shit they dealt 5 decades ago when it ran on slow big iron.

Re:"It wasn't me, it was the one armed man!"

[marcansoft]

All of those disasters are trivial to plan for.

Step 1: have two datacenters in different locations
Step 2: test that you can fail over to the other site regularly

That's it. That takes care of every single disaster you have listed, with one solution. There is no excuse to not have two sites for a company as big as BA.

Re:"It wasn't me, it was the one armed man!"

[CharlieG]

Back when I was a kid, I got taken on a tour of a "high reliability" data center. Mind you, this is in the era a drum memory. The setup for this company was, frankly, insane

Walked into the data center - TWO mainframes, side by side, totally redundant. I thought that was cool, as either machine could cover for the other, with NO loss in performance. The guy laughed and said "Well there is another data center with two machines across town, so if this building goes down, we're good,(NYC)". He said there were another two data centers in London, Chicago, Frankfurt, Berlin, Tokyo, Hong Kong, and finally Alice Springs, ALL redundant. Yes, performance would take a hit if too many went down, but he was saying the DR plan included limited global nuclear war, which was why the data center in Alice Springs. I gather there were regular tests. Never heard of them losing any data

Re:"It wasn't me, it was the one armed man!"

[Agripa]

When we would connect one of our gensets to the power grid, we had to match the phase before we could close the switches.

EE here. I've only dealt with small to medium generators- you know, 500W to 100KW. I've never heard of connecting a backup generator to the power grid. The small to medium sized transfer switches most absolutely definitely do not do this, and in fact, have large gaps between the contacts to insure that never happens. I can't envision why anyone would want to try to sync a generator to the power grid, unless you're part of and powering the grid, but never for a backup generator.

They might synchronize but not ever connect to the grid to support large rotating loads. All of my UPSes either always synchronize or in some cases have a selectable optional mode where synchronization is not done.

when you're too cheap...

to buy surge protectors...

If a power surge took out your servers...

Then it is an IT issue. Infrastructure should have equipment in line to prevent this kind of situation. It was poor IT management and planning that caused this.

Not an IT Issue

It absolutely is an IT issue if you cannot automatically recover from power events in a single data center...

Don't UPSes also act as surge protectors?

[Jamlad]

How big a current spike was this? Don't UPSes act as surge protectors and filters too?

Re:Don't UPSes also act as surge protectors?

[Pascoea]

How big a current spike was this?

1.21 Jiggawatts, and it sent them back to 1985.

Re:Don't UPSes also act as surge protectors?

[ChumpusRex2003]

They should do, but it depends a lot on the precise design of the UPS, and the nature of the power transient.

While many industrial UPS systems are dual conversion systems (essentially, the critical load is powered from the battery bus/inverter, and fails over to mains in the event of an inverter/battery malfunction), they are sometimes operated in standby mode (the critical load is powered from mains, and fails over to the battery bus/inverter in the event of a mains failure) as this saves energy due to improved energy efficiency and lower cooling demand in this mode.

Even so, dual conversion UPS systems are not necessarily immune to mains voltage fluctuation (even when operated in dual conversion mode) - depending on whether they try to follow mains voltage, or whether the voltage transient exceeds design limits.

If you are interested in some of the dynamics of this, it's worth looking at the incident at the Forsmark nuclear power plant in Sweden. In this case, unexpectedly large grid voltage fluctuations resulted in the double conversion UPSs suffering an output bus overvoltage, which resulted in triggering of output overvoltage protection and disconnection of the critical loads. A less well protected device could have exposed critical loads to a prolonged overvoltage. This incident required particular design changes for nuclear grade UPS systems, such that mains voltage fluctuations, even beyond the anticipated range, should not result in a critical load disconnection.

Re: Don't UPSes also act as surge protectors?

The BA chairman was quoted as saying "great Scott, getting a telsa to go 85 MPH is no easy task."

Re:Don't UPSes also act as surge protectors?

[Salgak1]

Great Scott!!

Re: Don't UPSes also act as surge protectors?

85 mph won't cut it. Gotta get that baby up to 88!

Re:Don't UPSes also act as surge protectors?

Only if you buy expensive ones. There are also separate stabilisers that you can put on the power feed. Kinda like big insulation transformers.... but nobody has room for that in their budgets nowadays, I means; How big are the chances?

Re:Don't UPSes also act as surge protectors?

[CrAlt]

>UPS undersized
>Power fails, UPS quickly die
>power comes back or comes back with problems (open neutral,flipped phase,over voyage,etc)
>idiots try and bring back everything at once
>UPS trips from inrush from cold start
>or UPS says there is a power problem they ignore
>idiots flip big lever from "UPS" to "BYPASS"
>all protection...bypassed
Boom

I've seen this scenario play out a few times.

Re:Don't UPSes also act as surge protectors?

[bruce_the_loon]

They do, but some surge protection devices have a limited number of surges they can absorb before they have to be replaced. If there were a number of surges, it's certainly feasible for the protection chain to fail at some point.

An anecdote from a few weeks ago with a data center I help manage. It has a backup generator, automatic switch gear and a Schneider Electric Galaxy double conversion UPS. Yes we don't have two, but we ain't an airline. We do have another data center on another site to take over if needed though.

So a few weeks back our phones go wild with texts fired off by the UPS tossing SNMP traps around. One sprint later, the UPS console is showing no input power and our in-house electricians lay rubber from one end of the campus to the other to get to the sub in time. As we wait for the UPS to hit that magic 5 minutes when it triggers the auto-shutdown sequences on the servers, the sparkies discover the sub's output is fine and the generator isn't running.

Then all shit breaks loose, ten power cycles on the UPS input, some lasting long enough to switch from battery to mains, some not. With ten minutes left on the batteries, the UPS gives up, shuts the inverter and charger down and switches the load to static bypass. Room goes silent except for the UPS alarms, and then the eleventh return cycle comes and goes in about three seconds. We hear PSU fans starting and then winding down. I dropped the master breaker on the DB and isolated the room from the UPS. Down until the sparkies figure it out. There goes three hours of our lives.

Turns out that the automatic switch gear had some arc damage on the utility-side contactor feeding the control boards, probably caused by the eight months of load-shedding (read utility driven power cuts to ration power) we had experienced two years ago. That was enough to drop the voltage in one sensor to below the trigger threshold and caused that contactor and the main load contractor to open. Before it could start the generator up, the control board then decided the utility had returned, so it closed the contractors again. And open again, and close again. The sound of a 3-phase 480V 500A contactor switching twice a second is enough to make the sparkies use words a sailor would be proud of.

We had to lock out the sensors, rig a temporary bypass on the contactors to power the room from the generator feed side and replace the damaged contactors before we were fully safe again. We lost 2 PSUs out of 90 and no data. We were lucky.

I relate this to show that no matter how good the power protection architecture is, multiple UPSes, twin feeds etc, shit can and does happen. We were lucky we had people on the site who knew what trouble sounds like and were willing to isolate the room.

So I'm willing to accept that BA lost a data center to power problems. But I'm not willing to accept that the loss of a single data center can shut down global operations. BA must have multiple redundant data centers with a seamless failover mechanism. And that is a failure of IT pure and simple.

Re: Don't UPSes also act as surge protectors?

I hope they don't come back to the future...

Re:Don't UPSes also act as surge protectors?

[phorm]

"We were lucky we had people on the site who knew what trouble sounds like and were willing to isolate the room"

You weren't lucky, it's called having good, well-trained/practised staff on-site. And based on what everyone has been saying this is something that was severely lacking at BA

Re:Don't UPSes also act as surge protectors?

[dbIII]

BA must have multiple redundant data centers with a seamless failover mechanism

While that's how you would do it reality of what BA did seems to be less sensible.

Re:Don't UPSes also act as surge protectors?

[Anne+Thwacks]

BA must have multiple redundant data centers with a seamless failover mechanism.

AND test them every month.

Not just to make sure the hardware works, but to make sure EVERYONE involved knows what a failure of electrical failover looks like, but that the dual-redundancy also works, and everyone knows where all the controls are, and what they do (hardware and software).

It may be expensive relative to your pay grade, but in the greater scheme of the world's largest airlines, its totally piddling. Have you seen the price of a new aeroplane? Or the even annual fuel bill for flying a transatlantic route? Hell, you could buy a compete redundant data centre for cost of flying Trump across DC! (Unless you buy your data centres from the wrong guy).

So many things wrong with this

If the power was out and the system was running on standby power, it should not switch back until mains power is up and is stable. Also, certainly a large power surge would certainly have damaged other systems in the surrounding area, right? No, no, it was absolutely an IT issue and heads need to roll here for poor management decisions with regard to staffing and outsourcing. Make no mistake, you don't get to the upper echelons of management without a gift for deflecting blame - we cannot allow that to happen here. Keep digging.

Direct cause

The power surge was the direct cause. The fundamental cause was the failure of management to ensure they had an appropriate disaster recovery plan.

Re:Direct cause

British Airways is up and running today. Their disaster recovery plan has worked just fine. What they were lacking was a sufficient incidence response plan.

Re:Direct cause

You mean business continuity. Sounds like their Disaster Recovery Plan worked fine. They are online.

IT issue?

Some might argue that good IT would have redundant servers in more than one location for mission critical infrastructure.

Others might argue that mission critical IT includes line conditioning power would handle surges.

Oh puleeze! Pull the other one!

They were hacked, but have to deny it, for strategic reasons, I'm sure...

B-b-b-b-bullpoop

The issue was caused by the outage. Bringing up all of the affected servers at once caused more damage, and was the result of poor planning. The DR site's data was inconsistent with production so it could not be brought online.

Therefore the production site needed to be repaired and data restored to the last known good state. And that takes a lot longer than whatever RTO/RPO that BA claims they would be able to meet.

No, Where we REALLY screwed up was this:

[bbsguru]

So instead of being incompetent at software, they are claiming to be incompetent at hardware.
And the difference is...?

Anyone whose Server Farm can be brought down from a power outage does NOT know what they are doing, or care enough about it to bother.

How would this 'admission' make anyone more comfortable about this business?

Re:No, Where we REALLY screwed up was this:

[Tailhook]

How would this 'admission' make anyone more comfortable about this business?

The business doesn't have to worry about that. It's safe regardless; too-big-to-fail public+private yada yada. This is BA we're talking about.

These "stories" are just the public narrative writing process, guided to affix/deflect blame to/from the appropriate parties as the scapegoats are singled out. The BA execs know they have maybe 72 hours or so before this story falls out of the news cycle so they're using that window to make the headlines they need to muddy the waters. Until now the only narrative that has had any play is the "outsourcing did it" one, and that hits too close to management, so they're making this stuff up and putting it out through their MSM channels.

Re:No, Where we REALLY screwed up was this:

Anyone whose Server Farm can be brought down from a power outage

Not power outage, but uncontrolled power:
"The power then returned in an uncontrolled way causing physical damage to the IT servers." The power probably switched the servers on, then off, then on... until the hard disks on the servers were toast.

Poor disaster recovery plan.

[bob4u2c]

Power issues of this kind are IT issues.

When designing a server location you must take power into consideration; ie, do I have enough battery to keep all critical servers and supporting hardware up until the generator has kicked in, plus extra just in case the generator has a glitch or two of it's own. Is the battery rated at the correct surge protection to keep systems from glitching when the power does return? Is the generator more than enough to power everything between re-fuelings? Is the generator rated enough to run everything at less than 80% load? Have I staged non-critical servers and equipment to power down and power backup to spread the need for power out? Is there a backup facility that I can spin up or switch to; for this kind of operation you would want to switch to a new site in minutes to prevent business loss.

Again, these are IT problems.

Now a battery going dead, a power supply frying, circuit breakers tripping; these are power issues. Poor disaster recovery plans are not.

Re:Poor disaster recovery plan.

the generator

??? If one is relying on the site to stay up (vs. failover to backup sites) shouldn't one have N generators with enough power so one can power critical servers/hardware with the output of N-x where N>x>=1?

Redundant System

[Roger+W+Moore]

Even if UPS and surge protection do not count, having a redundant system in a different data centre ready to take over regardless of the cause of the outage definitely does fall under IT. It is insane that a major company like BA did not have any such redundancy for such an important, mission critical application. It would have cost far less than the £100 million estimated cost of this incident not to mention avoiding the appalling publicity.

Re: Redundant System

[tysonedwards]

Come on... It's apparent, the power surge was so severe it crossed the VPN Tunnels when they re-opened and traveled into another city and damaged those systems too!

Re:Redundant System

DR sites are useless when production data isn't being mirrored over correctly. That's one of the issues here.

Re: Redundant System

[sound+vision]

"An innovation in Power-over-IP"

Re:Redundant System

[GameboyRMH]

This. The BA outage is the second most hilariously inept cause of an outage I've ever seen, after a local government office that was down for over a week because one rackmount server was dropped in transit.

Re:Redundant System

[bmk67]

...which is also an IT issue.

Re: Redundant System

[oobayly]

What about the RBS banking outage?

https://en.m.wikipedia.org/wik...

Re:Redundant System

[lactose99]

Then its not DR, one of the core facets of DR includes testing it to ensure recovery is actually recovery.

Re:Redundant System

[anegg]

They obviously only got around to implementing the first half of their Disaster Recovery solution. They will implement the Recovery half next year.

Re:Redundant System

[aaarrrgggh]

I would give 10:1 odds that they had a voltage dip, transferred to generator and failed coming back because their batteries were no good. Unclear if they lost power once or twice, or if it was the servers auto restarting, but the kind of damage they allude to typically is when you are 7 years into your "10-year" VRLA batteries. Also known as cost cutting...

Re:Redundant System

[Afty0r]

It would have cost far less than the £100 million estimated cost of this incident

I agree that they should do it, but it is unlikely that the one-off cost of implementing always-on redundant systems would be this cheap, the scale and scope of the IT systems involved in the airline industry is enormous and it's likely it would cost significantly more than that. There are also ongoing costs to consider. Source: Work in software development, have seen projects in organisations way smaller and simpler than British Airways with projected costs higher than that for less benefit.

Re:Redundant System

[MangoCats]

Ticketing and scheduling systems are not life-safety critical, therefore they don't get the budget for double redundancy. It's aerospace-think come to the company comptroller's office, imposed on IT that made this failure happen.

Also, that "£100 million estimated cost of this incident" is less than the development, rollout and ten years of additional maintenance costs of a full double redundant geographically diverse scheduling system. For an industry that can't even make a baggage sorting system work properly, there's a lot of fear about "upgrading" anything. Historically, big failures like this come around less than once a decade.

Re: Redundant System

What about it, those bones have been picked clean.

Re:Redundant System

[gweihir]

It is pretty clear that BA leadership screwed up massively here and yes, it is most decidedly an IT problem. The described power-outage scenario is a complete standard one and competent planning prepares for it. Now they are trying to misdirect (i.e. lie) in order to make it appear like this was a natural disaster and of course, they could not have done anything about that. Dishonorable, untrue, but nicely demonstrates the defective characters of the people in power at BA.

The only right thing to do is kick out the ones responsible (including the CEO) with a performance review that makes sure they never get any other leadership position. Otherwise these people will continue to do damage.

Re:Redundant System

[gweihir]

"most hilariously inept" covers it well.

Re:Redundant System

This is what happens when an air-liner doesn't use a could.

Re:Redundant System

Ya, these numbers are way to big to count; right? Oh, wait a minute, I've got a spread sheet in my phone that can do this.

Re:Redundant System

[Zaelath]

It's always fun trying to sell a DR failover test to a 24/7 company.

- So what's this for?
- To make sure you can recover quickly in the event of a disaster.
- What if that fails, worst case?
- Well, your warm site fails to take over, so you have a planned outage now instead of an unplanned outage later.
- How long an outage?
- Well, if we fail to bring up the warm site, and fail to fall back to the current production site, there may be some lost transactions and we'd need to shut down long enough to make sure the databases are correct. Say, a day?
- You want to shut down for a day? How likely is this disaster we're talking about?
- Well, you have RAID, clustering, UPS, generator backup, probably a 1 in 10 year event?
- Ok, then no. We'll take the day outage in 10 years.
- Wait.. I said ...
- Thanks, goodbye.

Re:Redundant System

[LinuxIsGarbage]

Doesn't everyone use closed transition (make before break) transfer switches these days? Failing that even with shit batteries I'd think a break before make transfer switch should be able to be absorbed by weak batteries on a double conversion UPS, or by power supplies on the computer hardware running with UPS in bypass (or a standby UPS).

I have seen the following oddities with emergency power devices (oddly all Eaton):
~10 years ago an Eaton(IIRC) closed transition transfer switch with a firmware bug. There was planned work taking utility power down, so the generator (2MVA) was fired up, load shifted to generator, then when utility lost power it crashed and the load lost generator power.

Eaton Powerware... not the 9155 but looks close to it, maybe 9355?. Anyways 10kVA double conversion UPS with external bypass switch and included 460-120 stepdown transformer:

-With utility failure shit batteries cause the breaker to trip shortly after switching to battery, and the UPS to fault. Upon restoration of utility power, the load fails to come up until manual intervention on the UPS.

-Eaton service guy comes to service the UPS. Places the external bypass switch to bypass (I think it was on transition to bypass, may have been transition from bypass), UPS dumps the load. Bypass should have been activated on the soft keys on the menu to match the desired state before throwing the manual switch. If it was going back to normal, I think it was switching from bypass, to service is fine (which allows control power to the UPS), allow it to power up, put the soft menu to bypass, then move the switch to normal, then move soft keys from bypass to normal.

Regardless even an event like that shouldn't cause a multi-hour failure.

Re:Redundant System

[HornWumpus]

I know a utility that saved a little money on the power that ran the electric natural gas pumps for their biggest generator (pumps were in another utilities area) by putting the pumps on a curtailable contract (like 'peak corps' and other programs, that cut off your AC power when demand is highest).

So that means, when the demand was highest, that utility shutdown the supply pumps to PG&^H^H^H a large utilities biggest generator. Brilliant!

Re:Redundant System

[wlj]

I remember hearing about something like this happening at the University I went to - but it happened back in the 1960s! Does anybody use motor-generator systems any more?

Re: Redundant System

DR and hot-standby are two completely different sets of problems. Hot standby of multiple SANs, databases, servers, and applications doesn't scale the same way for very large systems as for medium-size systems

Re:Redundant System

[AHuxley]

"hospitals backup power to be reviewed" (Oct 11, 2016)
"... failed in the blackout because of a fuel pump issue"
http://www.news.com.au/nationa...

Re:Redundant System

The budget was left shorting and thus prevented the solution arc to be completed.

Re:Redundant System

[stoatwblr]

The powercos in the area have come out and categorically stated there was no form of power hit, dip or other problem on the public side of the meters.

Re:Redundant System

[stoatwblr]

"Ticketing and scheduling systems are not life-safety critical"

Loading, aircraft balancing (centre of gravity) and fuel load calculations ARE.

All of these were affected. Plus BA's entire VOIP system.

Re:Redundant System

[RockDoctor]

costs of a full double redundant geographically diverse scheduling system.

The system(s) under discussion were not geographically diverse. They're all somewhere a little SW of London - probably fairly close to but not at Heathrow. Just one data centre.

Cheapskates.

Re:Redundant System

[RockDoctor]

Loading, aircraft balancing (centre of gravity) and fuel load calculations ARE.

And unless I misunderstood the lessons of that plane which came down because of loading X pounds of fuel which the pilot logged as X kilograms of fuel ... it is the absolute duty of the pilot commanding to personally check such calculations. Whether they do it with an abacus, or with a piece of chalk on the runway, it's their responsibility to check the sums are right. and if the IT system that usually does it is up shit creek, then you-the-pilot still have the personal responsibility to do the calculations some other way and get it right. Or don't take off. Don't even taxi anywhere.

Planes have weight sensors in the wheel mounts. Because that is the data that the pilot needs for doing those calculations.

The flight incident (a.k.a "good landing") was the Gimli Glider.

Re: Redundant System

That energy relay stuff is all Star Trek technology.

Re:Redundant System

[dgatwood]

Ticketing and scheduling systems are not life-safety critical ...

Tell that to the cancer patient who misses his/her chemo appointment at some regional cancer center because of a flight cancellation. When you have enough people depending on a service, if an outage lasts long enough, every service becomes life-safety critical, though perhaps somewhat less so in a country like England that is geographically small enough to not depend on air travel to get from one part of the country to another (and even less so post-Brexit).

Re:Redundant System

[aaarrrgggh]

Almost every time we have seen major issues, it is auto-restart of systems followed by a power failure during boot. (Almost) Everything is designed to survive the first hard crash, but crashing during boot or initialization often leaves systems in an unstable condition.

Taking hours to do an orderly restoration is not uncommon; even for a simple system you might need to bring your network core up first, restore DHCP services, get domain controllers up and synchronized, and audit all your filesystems before secondary systems boot... It becomes an order of magnitude more complex when you have some hardware failures and data corruption. Still shows they had a crap business continuity plan, but hey...

(While Eaton makes crap transfer switches, their UPSs are generally better than Schneider/APC/MGE or Liebert/Emerson/Vertiv in my experience. Closed transition switches, even when properly commissioned and tested, can create a number of issues, especially when you have neutrals on the switch as you would in Europe.)

Re:Redundant System

[OffTheWallSoccer]

Well said!

Re:Redundant System

[stoatwblr]

Yes, but the BA systems were supposed to measure mass of everything _before_ loading and allow sensible placement to ensure CoG limits are OK, etc.

Having to do it the long way can take hours if you're totally dependent on the automated system and have to break out manual methods, now multiply that out by a few hundred flights and you've got severe gate gridlock.

As you say, you can't even taxi until you have this all sorted and if you can't do that _until_ all the baggage, freight and squishies are onboard - when the system won't let them on because boarding passes aren't being printed, then you have a version of mexican standoff on your hands.

Re:Redundant System

[RockDoctor]

Having to do it the long way can take hours if you're totally dependent on the automated system and have to break out manual methods,

I didn't say it would be easy.

In my business, I have done the job manually in the past, and will probably have to do it again in the future. It's harder - for sure - but doable. It scares the pants off the sprogs (those with less than 20 years experience) when their computers go down leaving them with a sharp pencil and a notepad (dead-tree variety). And they protest that the rest of the operation will have to stop until their computerised data-acquisition system gets fixed (which they're not taught how to do - it's go to be a technician visit) ... which their Boss promptly revokes when told that if the rest of the operation stops working, their company will be billed for the down-time. Which would be between 1 and 2 million USD/day. Then they learn pretty damned quick.

It _was_ an IT issue

[matthiasvegh]

If the power wouldn't have come back at the datacenter, would that still be a power issue? If an earthquake destroys the datacenter is that an earthquake issue? If your system collapses when a datacenter goes offline (for whatever reason), you're at fault, not the datacenter. This seems like a classic case of having a single point of failure.

Re:It _was_ an IT issue

BA has a DR site independent of the primary that suffered the power issue. But volume groups were not being mirrored correctly to the DR site. When they brought the DR site online, they were getting 3 or more destinations when scanning boarding passes. And since the integrity of the DR site was an issue, it could not be used.

Then the only option is to fix the primary DC, which would have involved installing new servers / routers / switches / etc, configuring them, restoring the data to the last known good state and then bringing it back online. Good luck to anyone trying to deploy new/replacement equipment en masse during the chaos of a disaster. And then restoring data!

Takes days, not hours... unlike whatever RTO/RPO they claimed to be able to meet.

Re:It _was_ an IT issue

[Chris+Mattern]

Okay, they weren't flaming incompetents that didn't have a failover site. They were flaming incompetents that had a failover site that didn't work, because apparently they never tested it. Glad we cleared that up.

Re:It _was_ an IT issue

[fluffernutter]

But volume groups were not being mirrored correctly to the DR site.

Ok I know I'm late to the party but that tells me that it was an IT issue right there.

Re:It _was_ an IT issue

[stoatwblr]

"But volume groups were not being mirrored correctly to the DR site. When they brought the DR site online, they were getting 3 or more destinations when scanning boarding passes"

The interesting part is that this part of the problem started happening on FRIDAY - around 18 hours BEFORE the total outage caused by the supposed power outage/surge.

Multibillion dollars in revenue - cant afford UPS?

Strange, In my data centers we run diesel generators for power backup when utility is down. Would be fairly impossible for a power disruption to do something to our equipment. Sounds fake as fuck to me. I mean any half assed IT ,manager would have thought of redundant power source, be it diesel or battery.

Power? Really?

[Hydrian]

It's amazing how many 'power' issues there are with remote Indian support centers. If it truly is the power issues, way are aren't there rigorous disaster plans because these power issues are so common. If they are in place, and they still aren't helping, then why are building these data centers / support centers there anyway? If the country has an unstable power grid or is prone to natural disaster that cause issues, once again, why are there data centers there in the first place?

It sounds like someone is blowing smoke up someone's butt. The question is, where is that smoke starting....

Re:Power? Really?

The DC wasn't in India. The staff operating that DC (i.e patching, configuring, monitoring) were in India. The Indian support staff I work with follow instructions to the letter, so if the instructions are not completely accurate it falls on the team who made the instructions. Garbage In = Garbage Out.

Re:Power? Really?

That team no longer exists., sorry. Gone after last layoff.

Next excuse....

[__aaclcg7560]

"Those union electricians told us we could run all these servers without upgrading the circuit breakers. It's not an IT problem, it's a union problem!"

Re:Next excuse....

[IMightB]

dont really think you can blame this on unions.... whats your agenda? Most of the time issues like this are caused by management thinking "we already spent X million dollars for server clusters on one site. But it costs X much more for each server to have dual power supplies, then X much more for each DataCenter power bus and redundant backups, then you telling me we have to spend X times 2 for an additional DataCenter?!?!?! and testing etc etc. I thought this is what a HA cluster is for!"

Re:Next excuse....

dont really think you can blame this on unions.... whats your agenda?

WOOOSH!

Re:Next excuse....

[IMightB]

Umm yeah, reread it indeed WOOSH... I'm going to blame it on Obama... Thanks Obama!

Re:Next excuse....

Fake excuse, because everyone knows that union electricians would never, ever tell you that less work was needed.

ID10Ts

[U8MyData]

Really? So, they are completely illustrating that their IT efforts are a "cost center" and that IT is a "necessary evil" that they provide minimal effort to. Everyone knows that a serious "Data Center" has multiple protective measures in place, so who is this service provider? I wonder how they treat their aircraft? This is so blatantly obvious it hurts those who know IT. Forget about the outsourcing questions.

Re:ID10Ts

[Fire_Wraith]

Outsourcing is part of the problem, but you're right, it derives from the mentality that IT is a cost center that must be minimized at every possible turn. It's outdated thinking, going back to the days where if your office network went down, there'd be a bit of inconvenience, but the planes still flew, and it wasn't a big deal. Today, IT is a business critical area, because when your network goes down, the planes stop flying, and you stop making money, never-mind the lingering effects from the terrible publicity or the angry customers. It's not something you can afford to skimp on, on any level.

Unfortunately it will probably take several shocks like this, and some high level careers ending as a result, before they start to wise up.

Re:ID10Ts

That stems from customers considering services as a cost to be minimized at every possible turn, what with family budgeting and all. It's outdated thinking, going back to the days where if the tv went down, there'd be a bit of inconvenience, but there'd still be the newspaper and landline phone, and it wasn't a big deal. You'd still get a hardcopy ticket through the post.

But what *was* an IT issue...

[Chris+Mattern]

was the fact that you apparently have no redundancy on extremely mission-critical servers.

You have *got* to be kidding...

[whitroth]

Every server wasn't connected to a UPS? And the return of the power overwhelmed the UPSes?

And just how did management decide to "save money" on the power for the servers?

Re:You have *got* to be kidding...

[whoever57]

And the return of the power overwhelmed the UPSes?

No, they appear to be saying that turning the power on somehow damaged the computers:
"The power then returned in an uncontrolled way causing physical damage to the IT servers"

I don't believe this. The CEO is just protecting his own ass after outsourcing IT.

Re:You have *got* to be kidding...

[sconeu]

No, they appear to be saying that turning the power on somehow damaged the computers:
"The power then returned in an uncontrolled way causing physical damage to the IT servers"

Right, which says that the servers weren't connected to UPSes. Because if they were, then the UPS would have filtered the power surge.

Re:You have *got* to be kidding...

[whoever57]

If I read this right, they are claiming that putting a huge load on the system (bringing up power to too many servers at once) resulted in excessive voltage on the power rails.

In my understanding of physics, increasing the current usually results in reduced voltage. So where did the over-voltage come from?

Or are they saying their their UPS generators were somehow incapable of limiting their output voltage? Pretty strange generators, not suitable for the task?

None of this sounds right, which is why I reject it outright as a CYA claim by the CEO. I expect that the technicians responsible for rebuilding have been told that, if they talk about it, they will find that their own jobs have been outsourced. But still, perhaps some anonymous leaks will happen.

Sounds like an IT probelm to me.

[pz]

I worked as a dev for a pretty big social network company. We were a not-quite also-ran, peaking at Alexa 108 globally, and for a while we were beating the pants off of Facebook. This was in the pre-AWS days when startups still ran their own servers. Early on, we had apparent power failures on two successive Saturday nights. Right when our database scrubbing processes started.

I suggested to our sysadmins that *maybe* it was because all of the disk heads were starting to move at once, and *maybe* it would go away if we staggered the processes across servers.

Yep, problem solved. Our power feeds were rated for average power draw, not peak power draw on all servers in a rack, and peak power came when all of the disks started seeking simultaneously.

It seems the same thing happened at BA, except no one thought to stagger-start the servers. For us, this was the first big system we ever built, so, OK, chalk it up to growing pains (and the problem never, ever happened again). But BA? Shame on them.

HOLY CRAP

[Moblaster]

In other words: "We used $10 MILLION WORTH OF EXPENSIVE SERVERS like a CHILD would use a PAPER CLIP IN AN ELECTRIC SOCKET."

Comment removed

[account_deleted]

Comment removed based on user account deletion

I run a machine that was installen in 1989....

It has none of these problems. Stabilizers on the power (and UPSs (Unicorns of Perplexing Size?) of cause),surge protection on every I/O port. And... A FUCKING REDUNDANT SYSTEM! It is the 2100 century, how hard can is be? (and, yes; It has a pretty big database (well, about 9 Gig since its from the 80s. It was amazingly massive back then) sampling/storing thousands of signals in real time. and, no; its NOT stinking SQL)

Pretty hard it seems, you CHEAP bastards... Instead of buying that personal yacht you are never going to use you should have given the IT guys the budget they wanted!

it's not our DC so we don't deal with the power

[Joe_Dragon]

it's not our DC so we don't deal with the power part it's the DC that we outsourced to that does the power part.

Not sure that means what you think it means.....

[Lord_Rion]

The fact that this company even says that makes me question whether they understand what IT is and how to fix this going forward.

Most companies have a plan (or should have) to handle a location taking a hit... especially a company this large. The fact that a single DC collapse could bring this company to it's knee's is so bad it's almost negligent IMO.

Last year...

[Muckluck]

Delta tried this last year and got called to the carpet on it. BA needs to learn from other's mistakes...

BIG DC power systems are not really IT guys more

[Joe_Dragon]

BIG DC power systems are not really IT guys more like Infrastructure / electricians and some of that stuff is not easy swap even more so if an fail safe tripped and killed all power.

So basically the same problem as Fukushima

[Solandri]

Fukushima was precipitated because although there were multiple backup generators, they were all located in the same place (basement) and all relied on a single fuel supply. When the tsunami flooded the basement and contaminated the fuel, all that redundancy was useless. Likewise, BA had multiple backup servers, but they all relied on a single power supply which fried the backup servers when it went bad.

Reliability does not come from redundancy per se. It comes from keeping all possible modes of equipment failure independent of each other. Adding redundant equipment can help achieve this, but redundancy is undone if that equipment is all vulnerable to a single mode of failure. When the Space Shuttle's solid rocket boosters showed signs of burning through the two O-rings sealing each mated section, NASA tried to fix it by increasing redundancy by adding a third O-ring. But they completely failed to account for an outside factor (cold weather) affecting all three O-rings simultaneously. And the Challenger blew up.

Re:So basically the same problem as Fukushima

Read the report. The problem wasn't contaminated fuel but salt water in the power systems. Electricity works bad if it does not know where to go...
This problem had nothing in common with Fukushima... Well, except that there were a "surge" in both places.

Re:So basically the same problem as Fukushima

The problem with Fukushima is they couldn't run a 220v extension cord 1 mile in 3 days.

I'm not buying it

[zerofoo]

Our small school was able to cobble together enough money to afford an APC RM6000 to protect our small data room.

We recently had an intermittent power leg (it was broken at the service pole cut-offs). The wind would blow the cable and cause arcing - and lots of power weirdness on that leg.

Our UPS simply did what it needed to do to keep reliable power going to our IT systems. If we had a generator, we would have failed-over onto that until the power company fixed the service.

Surely an organization the size of BA can afford better and more redundant systems than this.

I suspect BA is passing the buck here.

Re:I'm not buying it

[Cesare+Ferrari]

A report I read suggested they had around 500 cabinets of machines (not sure if this was across both sites or the primary). Estimating 2KW/cabinet brings you into MW territory for the lot, so this is a non-trivial amount of machinery to keep running in a power failure situation. The failure description suggested that it was a surge issue, so it's not clear if this was just stupids on their behalf (not staggering restart) or something else going wrong within the site (bad failure to generators etc).

Either way, their IT infrastructure wasn't up to the job, and clearly their DR planning didn't get them out of the hole quickly. However, their DR planning did get them running again within a few days which is more than most companies can manage. Well done to the guys actually doing the work - lots of long shifts and stress, and let's hope they get traction with management to put some decent process in place for the future.

Re:I'm not buying it

[Shimbo]

However, their DR planning did get them running again within a few days which is more than most companies can manage.

Most companies wouldn't manage to recover in a few days from an actual disaster. However, all that seems to have happened is that they fried a few servers. Doesn't take a lot of planning to get some spares in and recover some toasted machines. Not knocking the guys on the ground, who probably had to work quite hard to do it but trying to fixup the primary site because the failover was dysfunctional is no evidence at all for a good DR plan.

Also, we don't know where the surge came from, or how it was able to break any local redundancy. That all looks like poor FM.

some DC's have there own sub station's and it may

[Joe_Dragon]

some DC's have there own sub station's and it may of been some thing in the side the DC's power system that failed.

Bullshit.

[sethstorm]

Offshore IT is what led to this mess.

amazing how airlines are all having issues

[WindBourne]

Seriously, I have not seen so many issues in Airline computers except for the last 2 years. What is different? Why outsourcing to India.

Here's a shovel

[ilsaloving]

I don't think he's digging his hole fast enough. Feel free to borrow my shovel.

Or, perhaps a better solution would be for someone else at BA to clonk him over the head from behind with a little statuette or something so he just stops talking.

Yes, because small scale deployments always map up

[mveloso]

"I was able to protect my puddly shit at my workplace with equipment I bought at Frys, so BA should have been able to protect its 12,000 servers just like I did."

Scaling up is hard. Just because you were able to do it with your install doesn't mean it would be just as easy for a larger install.

That said, they should have done a better job at BA. Even though testing power isn't part of a smaller DC's MO, it should be for a company the size of BA...at least in their dev environment.

Really?

I call bullshit on the "it was not an IT problem" as it was DEFINITELY an "IT Management Problem".

How do you even BUILD a large data center (or co-locate it a Commercial NOC like AT&T) without massive UPS and stand-by Generators to handle power issues?

A full power outage should cause ZERO downtime in a large Data Center. If it doesn't, FIRE THE IT MANAGEMENT who approved the shitty design to "save a few pounds" because the DC owner/operator has guaranteed 5 - 9's SLA IN THE CONTRACT (which isn't worth the paper it is printed on without these capabilities.)

You only pay for the Power Used (and square footage) in large data center leases anyway (unless you have huge bandwidth requirements) and the UPS and Generators normally do not count against that. Unfortunately when you co-locate with someone like AT&T it states in the contract that THEY ALONE determine if they meet the 5-9's SLA, and for some reason they NEVER miss that mark (funny that.)

This reeks of IT Management covering their asses for bad decisions with the Board of Directors.

The Reason Is Architectural Bloat

[ud0]

Sometimes a meteor strike takes out your data center, it happens. The answer is to design smaller, smarter systems that are more resilient.

BA carries about 50M passengers per year, less than 135k per day. Over a 8 business hour day, that's about 20k bookings per hour. Let's say one booking consists of 100 datasets written to the database, and maybe 10 times that in reads. This works out to abut 500 writes and 5000 reads (most of which can be cached) per second. Actual average loads are going to be even lower. I'm not talking about extended services or analytics, which can happen on machines of lesser importance, this is just about the core business of taking a reservation and issuing a ticket.

It's not a high transaction volume, and it's not a lot of data. You do not need an entire data center for this. One server with a stock DB can do that. The structure of this core is simple enough so you could replicate it to hot spares around the globe. Heck, you could even lower the load by caching reads at the airport and at the web server.

There is no unavoidable technical reason this power failure had to be that catastrophic.

Re:The Reason Is Architectural Bloat

Let me guess. You are the type of person who starts a project with, "How hard can it be? Everyone else has no idea what they are talking about." 6 months after your original deadline, you are 3x overbudget after hit 38% of your original goals. Of course you did lose a few weeks here and there after trips to the ER.

Airline reservation systems are very complicated. It's not just sticking a person in a seat. They need to manage schedules, connections, inventory, codeshares, GDS integration, security, etc. No, you can't just go down to Best Buy and slap a gaming system in place of things.

Re:The Reason Is Architectural Bloat

There's a lot more to getting an airplane off the ground than just scanning boarding passes. There are systems for fueling, maintenance, baggage, catering, flight plans, crew scheduling, and more things I haven't even thought of.

It's pretty naive to think that all you need is a reservations system in order to run an airplane.

dom

Bullshit

No Single Point of Failure is a basic, and possibly the most important principle of engineering. When this fondamental principle has not been followed, then it IS and IT problem.

Re:Yes, because small scale deployments always map

The point they were making is they were a "puddly shit" shop and even they recognized the value of investing in power infrastructure. They weren't stating that infrastructure was easy or BA should do the same as them, merely that one would think they would also understand the value proposition of investing in infrastructure and proper DR execution.

I really think DR solutions should be pitched as IT insurance. Businesses wouldn't operate their offices without insurance against fires, etc so why do so many companies run their IT infrastructure with hedged bets for when their systems go down?

Uncontrolled RETURN of power?

[petes_PoV]

So what would have actually happened?

First, there is a cut in mains power to the data centre. No biggie, the batteries take the load. The backup generators then start to spin up and then supply power and the datacentre keeps running.
No lights went off, no computers crashed, business kept running.

But then, mains power is available again. How do you transition from your own generated power back to grid power? You can't just flick a switch. For a start you should ensure that the phase of the two power sources match - on all 3 phases. If you don't do that, I can imagine a power surge would be very likely.

But just like every outfit tests its backups - but very few test their restores, I guess BA had tested their failover process - but never got around to failing back. Or that the one time they did fail-back they got lucky.

Re:Uncontrolled RETURN of power?

[aaarrrgggh]

Because your batteries gave their last gasp to get onto generator, or because the impact event was not the initial loss of power but the thermal damage from restoration of power.

After people hitting the big red button (or the fire alarm doing it automatically), this is the most common failure mode for a data center.

Re:Uncontrolled RETURN of power?

Charge the batteries from the generator, shut down generator line in, start up mains line in. If you can go from mains to generator you can go back the same way.

Re:Uncontrolled RETURN of power?

[aaarrrgggh]

Famous last words. VRLAs fail open-circuit or very high impedance under load. Without proper cell-level monitoring you really don't know if you have any battery left when under load. Best course of action is generally to ride on generator while you have someone pull all the jars with an Alber meter and live with reduced voltage or parallel strings.

Raspberry Pi

Can they replace those servers with low power Raspberry Pi machines?

Re:BIG DC power systems are not really IT guys mor

[Maxo-Texas]

It is if it is set up and administered right.

we did monthly failovers between different physical sites. A blown DC at one site wouldn't have made a difference.

Our failovers involved a couple hours of oncall for about 150 staff. Most the time only a half dozen were working but a couple times a year it would involve most the staff (and a lot of it people) for part of that. A database would be out of sync or messed up and that would fall to the IT staff to fix. It became less common over time.

Did you miss that they fixed the power problems and then the IT systems were messed up for a long time afterwards indicating poor disaster planning and low staff skill.

A company as big as BA, should have had a separate failover site and been doing regular failovers.

BA utility providers have already call BS on this

The utility providers for all of BA's major operations centers in England are all on record as saying there were no power surges, anomalies, etc. This wasn't "we're unaware of...", they all went back over their logs and categorically denied it (seems like they weren't happy about BA trying to pin any bit of this sh*t show on them). As many have pointed out above and elsewhere, none of this passes the sniff test. BA's taking a beating for this, not just over stranding passengers but how they handled the stranded passengers. Many of their communications to passengers have failed to mention BA's obligations as well as refunds and options passengers are legally entitled to. They even had the nerve to point most people to their toll customer service line instead of their toll-free one, charging people 35 pence/min to sit on hold while they were trying to get their travel plans sorted out. Even nickel and diming low cost carriers (LCC's) like RyanAir aren't stupid enough to try something like that after a system-wide disruption.

IT servers???

[acoustix]

As opposed to another type of servers? Do they have building & grounds servers? Operations servers? Receptionist servers?

Just curious...

It was outsourced to save money. This is reaping..

... what one sows.

Ignorance or Naivety?

or both?

"It was not an IT issue, it was a power issue." - BA

This is why they had IT issues everyone. They obviously do not know what counts as IT and what counts at ALL.
This is why it was easy for them to justify offshoring.
This is why they fucked up.

Heads should roll and IT change management should kick in for damage control.

I bet their systems are also greatly vulnerable and they wouldn't even know.

Re:Yes, because small scale deployments always map

"I was able to protect my puddly shit at my workplace with equipment I bought at Frys, so BA should have been able to protect its 12,000 servers just like I did."

Scaling up is hard. Just because you were able to do it with your install doesn't mean it would be just as easy for a larger install.

That said, they should have done a better job at BA. Even though testing power isn't part of a smaller DC's MO, it should be for a company the size of BA...at least in their dev environment.

Disclaimer: I'm a s/w dev in an unrelated area, so zero direct experience.

Anyway, "scaling up is hard" ... agree. However, why are their IT systems not sharded into multiple data centers ... preferably each also containing capacity to failover another site? Let's say they had a data center at the 2 sites in the UK and 2 more sites outside the UK. If one of the data centers goes down a peer takes over (or the load gets split 3 ways).

OK, then on a regular basis they could deliberately fail a datacenter & practice taking the load elsewhere.

I understand that having multiple datacenters means additional cost, but redundancy always comes at a cost. Sounds like they had a non-functioning RAID-1 (where D == datacenter) when they could have had RAID-5 (or 6)

I also understand that implementing this comes with additional s/w complexity ... but if you're big enough it'd seem to be worth it.

Meh, enough hand-waving.

I used to subcontract to BA

This is not surprising. I was actually hired because the IT department took too long.
One project my manager was involved with was cancelled after 3 years because the goal had already passed. They never even started!

Awaiting lawsuit for clarification

[MacDork]

If a power surge caused the issue, then surely BA will sue the power company. If the power company can demonstrate there was no surge, surely they will sue BA for defamation.

There is no spoon

[stoatwblr]

And there was no power surge (not outside the DCs anyway).

A large number of ex-BA IT staff have commented in fora about the historic robustness of the system, however over the last 5 years BA has systematically gutted its IT staff and outsourced just about everything to India.

The CIO of BA (and IAG) is a manager whose last claim to fame was being the person responsible for ramming through the highly contentious (as in strike-causing) cabin crew contracts which stripped out many rights in 2011.

He has ZERO IT background and was charged with reducing the IT bill by $90 million per year.

Make of that what you will.

Re:There is no spoon

[stoatwblr]

An airline is a very large, very complicated IT network and logistical operation. Operating aircraft and feeding the self-loading freight is actually secondary (think wet-leasing).

Functional, reliable and resilient IT is the absolute core of the business. It's not a cost centre. If you fuck this up then your company is dead. This isn't like freight ops. You can't book two passengers in seat 13A as one example of the degree of error tolerance required.

IAG (BA's parent company) has lost sight of this fact. Alex Cruz' cost cutting in IT was explicitly blamed by Vuerlig (another IAG subsidiary) for the huge meltdown they had just after he left them and switched to running BA. The difference being that Vuerlig is a low-cost airline with limited flight ranges and much lower customer expectations.

The corporate knowledge to deal with IT problems has been systematically removed from the company. Given that - and the way the people involved were removed it's not surprising that Alex Cruz "appeals" to muck in were met with a collective yawn and "not unless you pay us a lot of money" from the recently redundant.

I'd be very surprised if the total costs falling out from this cockup are less than three times the supposed IT "savings" made in BA's cutbacks. By the time regulator fines (for failing to provide legally required support for passengers) are added in, it could be 10 times the supposed savings.

Re:BIG DC power systems are not really IT guys mor

[tibit]

The problem is really quite simple: corporate drones think that throwing tantrums at a problem will get it fixed. Tantrums include not only screaming at people, but also throwing money at a problem. There's this thing called human capital where most qualified people will naturally reward an employer's loyalty to them with their loyalty to the cause of the employer. Yet the corporate world is treating humans like replaceable cogs, and that's what they get: stuff that's held together by good wishes and chewing gum. Why? Because in such a work atmosphere, nothing better will ever flourish.

Probably not true

Most companies automatically fall under the "oops, a power outage" cover story, when in fact they had been hacked. I know of at least one major company that's done this recently (inside info). Their premise was that a power outage or incompetence is much better PR than being hacked or compromised. See a pattern? There have been a few in the media recently. British Airways of all people, to have a power issue, no redundancy, etc. I am not buying it 100%.