Starship Reactors and Dead Man Switches

For polite and reasoned discussion of Star Wars and/or Star Trek.
Ted C
Bridge Officer
Posts: 90
Joined: Thu Feb 22, 2007 10:06 pm

Post by Ted C » Tue Feb 27, 2007 2:39 pm

Who is like God arbour wrote:Till now, I have thought, a dead-man's switch is a safety measure, which doesn’t need a decision and an active doing, because it is constructed in a way that it needs an active retaining system and if this fails, the safety measure is automatically released without the need of a decision or an active doing.
A "dead man's switch", as I understand it, is any mechanism that will automatically trip when certain conditions are met.
Who is like God arbour wrote:My example would be a hand grenade with a lever. If the grenade is unlocked, you have to actively press the lever. If you unhand it, the grenade will explode after the preset time.

I have thought, that a dead man’s switch is meaning such a safety measure, because, if the soldier, who is holding such a grenade is shot dead, he would release it without a decision or an active doing and the grenade will explode as it is wanted.
What you have described is essentially the classic example of the term. Another example might be the throttle on a train, which the engineer is supposed to be holding at all times. If the engineer is incapacitated, he can no longer hold the throttle open and the train stops.
Who is like God arbour wrote:I have seen my thoughts confirmed with the examples, I have found on the site "Engineering and Star Trek":
Furthermore, "dead man's switch" principles are employed wherever possible, so that a system is ideally activated by a failure condition. For example, a CANDU reactor's primary emergency shutdown system uses shut-off rods that are electromagnetically suspended above the reactor. If the system fails, its electromagnet will lose power and the rods will fall due to gravity, thus shutting the reactor down.
While Mike's using the same term, we're not discussing entirely the same mechanism, since no person is required to be holding a button to keep the magnets up. In this case, the system is designed so that if the electricity required to power the safety system fails, the shut down happens automatically without any human intervention. You might say this is a "dead power switch" instead of a "dead man switch".

This is the sort of safety system we're talking about for anti-matter containment: if the power required to contain the anti-matter fails, the anti-matter automatically gets ejected before it's too late.
Who is like God arbour wrote:and
Competent engineers would have designed the antimatter tanks so that they must be retained against a constant ejection pressure (perhaps driven by springs, gas pressure, or magnetic repulsion), thus utilizing the "dead man's switch" principle. If the containment magnets are connected in series with the tank retainer magnets, the tanks will be blown free as soon as the fields begin to weaken.
This is the specific case we're discussing. Some careful design is needed to make sure it ejects at the right time. If power to the containment system fails, the power to the system holding the container in place also fails, and the container automatically ejects from the ship. You would probably also include a capacitor or some other system to maintain the containment field long enough for the container to get clear of the ship.
Who is like God arbour wrote:Anyway, I have looked to confirm, that the described safety measure is called really dead-man's switch in English and that I haven’t confused it with the name of another safety measure.

Per Wikipedia a dead man's switch, as its name suggests, is a device intended to stop a machine in case the human operator becomes incapacitated, and is a form of fail-safe. They are commonly used in train locomotives, freight elevators, lawn mowers, tractors, jet skis, outboard motors, snowblowers and snowmobiles.

In short, that was not, what I have imagined under a dead-man's switch. This safety measure will be released even if there is no malfunction only because the human operator becomes incapacitated.
We're talking about the principle, though, not a strictly defined dead-man's-switch. The objective is to make sure that if anti-matter containment is failing, you don't need to have a person around to deliberately eject the container: it will happen automatically.
Who is like God arbour wrote:For our debate, this would mean, that the warp core is ejected only because someone hasn’t pushed on a button in the given interval or something similar, even if the warp core has no malfunction.
That's not what Mike or I proposed. He's talking about a mechanism that detects a failure condition (anti-matter containment system has no power) and automatically takes action to create a safe condition (anti-matter containers are ejected from the ship) without any need for human intervention.
Who is like God arbour wrote:That neither apply to our debate nor to the given examples on the site “Engineering and Star Trek”.

Either there is another definition of dead-man's switch, I’m unaware of or the writer of the article “Engineering and Star Trek” has mistaken the meaning of a dead-man's switch with another safety measure.

The latter would be pity, because that would prove, that the writer is for all his swaggering an incompetent engineer, who is using wrong technical terms. I’m not an engineer and English is for me – contrary to the writer of this article - a foreign language. I think I would be excused. But I don’t see a reason to excuse an engineer, who always boasts with his alleged competence.
As Mike is legally licensed to practice in Canada and has been working in his field for years, I doubt he could be considered incompetent. You just seem to be nit-picking his choice of words.
Who is like God arbour wrote: But as I have said, there could be another definition of dead-man's switch, I’m unaware of. Maybe you can provide me with one and can even give me a link to its source.
I hope I have explained the situation adequately in my earlier responses.
Who is like God arbour wrote:Before we continue this debate, I would want to know, what exactly you mean, when you speak of a dead-man's switch. I want prevent that we argue over one another.

I have meant a safety measure which doesn’t need a decision and an active doing, because it is constructed in a way that it needs an active retaining system and if this fails, the safety measure is automatically released without the need of a decision or an active doing. If such a safety measure is not defined as a dead-man's switch, please give me the exact name of it. I wouldn’t want to continue this debate with a wrong technical term.
That's pretty much what we're talking about. A system that activates without human intervention when specific conditions are met.

A more accurate -- if more generic -- term would be "failsafe".

GStone
Starship Captain
Posts: 1016
Joined: Wed Aug 16, 2006 10:16 am
Location: Undercover in Culture space

Post by GStone » Tue Feb 27, 2007 3:42 pm

Ted C wrote:That's not what Mike or I proposed. He's talking about a mechanism that detects a failure condition (anti-matter containment system has no power) and automatically takes action to create a safe condition (anti-matter containers are ejected from the ship) without any need for human intervention.
Which sucks when you're in the hangar of a space station and there's a computer malfunction or when you're fighting and there's damage to the computer and this function is activated. Both of those are not safe conditions.

Post by Ted C » Tue Feb 27, 2007 4:02 pm

GStone wrote:
Ted C wrote:That's not what Mike or I proposed. He's talking about a mechanism that detects a failure condition (anti-matter containment system has no power) and automatically takes action to create a safe condition (anti-matter containers are ejected from the ship) without any need for human intervention.
Which sucks when you're in the hangar of a space station and there's a computer malfunction or when you're fighting and there's damage to the computer and this function is activated. Both of those are not safe conditions.
Computer malfunction? His proposed mechanism is pretty much independent of the computer. The containment field and the magnet or whatever holding the container in place are both on the same power circuit: if the power is insufficient to sustain the containment field, it is also insufficient to hold onto the container. No computer action is needed.

Could this be bad if it happened in a space station? Yes. Would it be substantially worse than having the container explode inside the ship in the station? I have trouble seeing it as that much worse.

Could it be bad to lose an anti-matter container this way in a battle? Possibly, but I don't see how it would be worse than having the container explode in the ship during the battle.

You seem to be making up complaints without thinking them through.

SailorSaturn13
Bridge Officer
Posts: 214
Joined: Sun Aug 27, 2006 12:45 am

Post by SailorSaturn13 » Tue Feb 27, 2007 5:12 pm

This is the sort of safety system we're talking about for anti-matter containment: if the power required to contain the anti-matter fails, the anti-matter automatically gets ejected before it's too late.


The objective is to make sure that if anti-matter containment is failing, you don't need to have a person around to deliberately eject the container: it will happen automatically.
Never in series is containment energy failure stated as possible reason for core breach. How can you predict when someone shoots at it, or a ship crashes into it. Neither can you detect overloading swiftly.

Also what about self-destruct sequence? How can it be achieved with such configuration?

Post by Ted C » Tue Feb 27, 2007 5:27 pm

SailorSaturn13 wrote:Never in series is containment energy failure stated as possible reason for core breach. How can you predict when someone shoots at it, or a ship crashes into it. Neither can you detect overloading swiftly.

Also what about self-destruct sequence? How can it be achieved with such configuration?
The anti-matter is contained in forcefields that require power. If the power goes, the fields go.

The core is a different problem from the antimatter containment pods. The best solution there would be to just cut the fuel flow into the core if the pressure got too high, starving the reaction. The problem in the design is that the core already contains far more antimatter than it actually needs to keep the reaction going, so it can still explode even if you cut off the fuel supply.

Obviously you can't plan for every contingency. If you sustain a direct hit on an antimatter storage pod, there's nothing you can do to keep it from blowing. You just put in what failsafes you can actually make work.

Self-destruction should be a system in its own right, with failsafes to prevent accidental activation, instead of simply a way to exploit design flaws to destroy the ship.
Last edited by Ted C on Tue Feb 27, 2007 5:34 pm, edited 1 time in total.

Post by GStone » Tue Feb 27, 2007 5:34 pm

Ted C wrote:Computer malfunction? His proposed mechanism is pretty much independent of the computer. The containment field and the magnet or whatever holding the container in place are both on the same power circuit: if the power is insufficient to sustain the containment field, it is also insufficient to hold onto the container. No computer action is needed.
Pretty much independent? We aren't talking about 2 wooden blocks pushed next to each other. How do you think power is being regulated through the circuit? With light fixtures, you've got the light switch. It's turned on and off with a manual action. The containment field for a warp core, what's used? It isn't a switch. It's computer controlled. A malfunction that affects the circuitry that's designated 'containment field circuitry' could cause the ejection.
Could this be bad if it happened in a space station? Yes. Would it be substantially worse than having the container explode inside the ship in the station? I have trouble seeing it as that much worse.
At the very least, more of the explosion is gonna directly affect the ship first and the station second and not the station first and the ship second (second because part of the station blowing up crashes into the exploding ship).
Could it be bad to lose an anti-matter container this way in a battle? Possibly, but I don't see how it would be worse than having the container explode in the ship during the battle.
It keeps you from turning into a sitting duck for your enemies to pounce on. If it explodes because you've suffered damage during the fight, that's better than being put at the mercy of your opponent, which may just show you none at all.
You seem to be making up complaints without thinking them through.
It's the lesser of 2 evils I'm talking about. What I'm proposing is the far lesser one.

Post by Ted C » Tue Feb 27, 2007 5:47 pm

GStone wrote:Pretty much independent? We aren't talking about 2 wooden blocks pushed next to each other. How do you think power is being regulated through the circuit? With light fixtures, you've got the light switch. It's turned on and off with a manual action. The containment field for a warp core, what's used? It isn't a switch. It's computer controlled. A malfunction that affects the circuitry that's designated 'containment field circuitry' could cause the ejection.
You've not described the same mechanism. We're talking about a storage container held in place against ejection pressure by an electro-magnet. The electro-magnet gets its power from the same circuit as the container itself. If power fails to the circuit, the electromagnet lets go and the container blows clear before the containment field collapses. Computer control has nothing to do with it.
GStone wrote:At the very least, more of the explosion is gonna directly affect the ship first and the station second and not the station first and the ship second (second because part of the station blowing up crashes into the exploding ship).
And if the ship has more than one antimatter storage container, the explosion is likely to rupture them as well, causing an even larger explosion. Better to have one container go than the whole ship, even inside a space station.
GStone wrote:It keeps you from turning into a sitting duck for your enemies to pounce on. If it explodes because you've suffered damage during the fight, that's better than being put at the mercy of your opponent, which may just show you none at all.
On a ship which presumably has multiple antimatter storage containers, you're not going to be a sitting duck because one of them automatically ejected to prevent the destruction of the ship. You do realize that each container should have an independent failsafe, don't you?

And your assumption that it will always be preferable to have the ship explode instead of surrendering is absurd.
GStone wrote:It's the lesser of 2 evils I'm talking about. What I'm proposing is the far lesser one.
You're talking about a false dilemma.

If you need to destroy your ship to prevent capture, you don't rely on your own lack of safety features to do it; you scuttle it yourself using a system specifically designed for that purpose.

Post by SailorSaturn13 » Tue Feb 27, 2007 6:17 pm

On a ship which presumably has multiple antimatter storage containers, you're not going to be a sitting duck because one of them automatically ejected to prevent the destruction of the ship. You do realize that each container should have an independent failsafe, don't you?

And your assumption that it will always be preferable to have the ship explode instead of surrendering is absurd.
Eject core and die surely. Have it in, and get a chance (however slim) to keep it.


In Voyager season 4 we see an episode when they had to eject the core. The ship was rendered powerless, unable to oppose even extremely weak opponents.


The anti-matter is contained in forcefields that require power. If the power goes, the fields go.
While not canon, backstage info is that the forcefields are powered by stored AM itself, and cannot go unless there is no AM left.
Note also that nearly NONE of modern warships has a mechanism to release its main reactor.

Post by GStone » Tue Feb 27, 2007 6:21 pm

Ted C wrote:You've not described the same mechanism. We're talking about a storage container held in place against ejection pressure by an electro-magnet. The electro-magnet gets its power from the same circuit as the container itself. If power fails to the circuit, the electromagnet lets go and the container blows clear before the containment field collapses. Computer control has nothing to do with it.
And where is the power for the container itself coming from then in this type?
And if the ship has more than one antimatter storage container, the explosion is likely to rupture them as well, causing an even larger explosion. Better to have one container go than the whole ship, even inside a space station.
No, it's not. That would assume that there is one system for containing all the anti-matter and they will all come in contact with normal matter when the containment field of just one pod goes down.
On a ship which presumably has multiple antimatter storage containers, you're not going to be a sitting duck because one of them automatically ejected to prevent the destruction of the ship. You do realize that each container should have an independent failsafe, don't you?
You will be because this 'dead power switch' also ejects the core, too, not just the anti-matter pods.
And your assumption that it will always be preferable to have the ship explode instead of surrendering is absurd.
What makes you think your opponent will want to take you prisoner?
You're talking about a false dilemma.

If you need to destroy your ship to prevent capture, you don't rely on your own lack of safety features to do it; you scuttle it yourself using a system specifically designed for that purpose.
You don't create a more hazardous situation just because you can. A warp core breach is one of the methods used. In TOS, it was sequential explosions, but since then, it's been the warp core breach. We've seen how effective the breaches are.

Post by Ted C » Tue Feb 27, 2007 6:45 pm

GStone wrote:And where is the power for the container itself coming from then in this type?
From the circuit providing power to the magnets. Were you even reading?
GStone wrote:No, it's not. That would assume that there is one system for containing all the anti-matter and they will all come in contact with normal matter when the containment field of just one pod goes down.
Where does that assumption come from? Each pod should be an independent antimatter storage unit that will eject if its containment system fails. What happens to one pod does not automatically happen to all of them.

The explosion of a pod in the ship, however, would probably damage other pods, which would themselves explode in a cascading failure. You don't want a pod to blow inside the ship.
GStone wrote:You will be because this 'dead power switch' also ejects the core, too, not just the anti-matter pods.
What part of independent failsafe did you fail to grasp? The ejection of one of the antimatter pods would not automatically cause the ejection of the warp core.
GStone wrote:What makes you think your opponent will want to take you prisoner?
Your solution seems to be to commit suicide without even trying to find out.
GStone wrote:You don't create a more hazardous situation just because you can. A warp core breach is one of the methods used. In TOS, it was sequential explosions, but since then, it's been the warp core breach. We've seen how effective the breaches are.
That's because the warp core is such an inherently hazardous design. If the thing weren't basically a bomb waiting to destroy the ship at all times, you would actually need a dedicated self-destruct system, and you would design that so it couldn't go off accidentally.

Post by Ted C » Tue Feb 27, 2007 6:48 pm

SailorSaturn13 wrote:Eject core and die surely. Have it in, and get a chance (however slim) to keep it.
As exhibit A, I offer Star Trek: Insurrection. Ejecting your warp core does not automatically result in your ship's destruction, even if you're under attack by two heavily-armed warships.
SailorSaturn13 wrote:While not canon, backstage info is that the forcefields are powered by stored AM itself, and cannot go unless there is no AM left.
That makes no sense whatsoever. Antimatter does not leak power any more than normal matter does; you have to have a reaction system, and the only known M/AM reactor on a starship is the warp core.
SailorSaturn13 wrote:Note also that nearly NONE of modern warships has a mechanism to release its main reactor.
No, but I daresay they do have shutdown failsafes.

Post by GStone » Tue Feb 27, 2007 7:12 pm

Ted C wrote:From the circuit providing power to the magnets. Were you even reading?
Which comes from where? That's what I'm getting at.

There's obviously some kind of computer control, even if you were to design it with independent computers to regulate everything. A malfunction in one of these independent computers would still cause a premature ejection of the am pod.
Where does that assumption come from? Each pod should be an independent antimatter storage unit that will eject if its containment system fails. What happens to one pod does not automatically happen to all of them.
They're not all gonna be sitting right next to each other. That itself is a bad design. If one goes, the others don't necessarily have to go either. It's better to have them either moved into position when the current one is close to being used up or switch the feed to another line.
What part of independent failsafe did you fail to grasp? The ejection of one of the antimatter pods would not automatically cause the ejection of the warp core.
You have yet to say where the power is coming from for this supposed independent system? One of the fusion generators? Is it an electrical generator built into each pod?
Your solution seems to be to commit suicide without even trying to find out.
My solution doesn't eject the ship's main source of power, if there's a malfunction.
That's because the warp core is such an inherently hazardous design. If the thing weren't basically a bomb waiting to destroy the ship at all times, you would actually need a dedicated self-destruct system, and you would design that so it couldn't go off accidentally.
Pretty much any high power generating generator can be used, as a bomb when done deliberately. Fusion, fission, chemical. Safeguards are taken to keep the act of causing the energy generation from happening. This is no different, except for maybe power potential.

Post by Ted C » Tue Feb 27, 2007 7:32 pm

GStone wrote:
Ted C wrote:From the circuit providing power to the magnets. Were you even reading?
Which comes from where? That's what I'm getting at.
The ship's power grid, which will have multiple circuits, each of which can get power from multiple sources. Each AM container should have its own circuit on that grid.
GStone wrote:There's obviously some kind of computer control, even if you were to design it with independent computers to regulate everything. A malfunction in one of these independent computers would still cause a premature ejection of the am pod.
If there are in fact independent computers, then a failure in one computer shouldn't eject but one pod. Of course, if you have an on-command ejection system, you already have the risk of a computer error ejecting a pod.
GStone wrote:They're not all gonna be sitting right next to each other. That itself is a bad design. If one goes, the others don't necessarily have to go either. It's better to have them either moved into position when the current one is close to being used up or switch the feed to another line.
Of course they're not all together, but unless each container holds far less antimatter than a photon torpedo, one of these things exploding inside the ship would be enough to destroy the whole ship, which would result in the failure of all the other AM pods.
GStone wrote:
What part of independent failsafe did you fail to grasp? The ejection of one of the antimatter pods would not automatically cause the ejection of the warp core.
You have yet to say where the power is coming from for this supposed independent system? One of the fusion generators? Is it an electrical generator built into each pod?
Each pod would have an independent circuit on the ship's grid, and the circuit could potentially be powered by multiple sources. It could even have a battery to keep it going for a while if main power were interrupted. The idea is to have a failsafe to get rid of the pod if the containment field's power supply is getting too low to keep the AM contained. With defense in depth, you have main power from the ship to the circuit, auxiliary power from the ship, a local battery, and finally the ejection system as a last resort.
GStone wrote:
Your solution seems to be to commit suicide without even trying to find out.
My solution doesn't eject the ship's main source of power, if there's a malfunction.
My solution prevents the destruction of the ship by ejecting a pod that's losing containment. You wouldn't eject the core unless the core itself is losing containment. Each component has an independent failsafe: get it?
GStone wrote:
That's because the warp core is such an inherently hazardous design. If the thing weren't basically a bomb waiting to destroy the ship at all times, you would actually need a dedicated self-destruct system, and you would design that so it couldn't go off accidentally.
Pretty much any high power generating generator can be used, as a bomb when done deliberately. Fusion, fission, chemical. Safeguards are taken to keep the act of causing the energy generation from happening. This is no different, except for maybe power potential.
A fusion or fission reactor doesn't actually make a good bomb. A fission reactor can melt down if the reaction is allowed to run away, but it won't explode. It might be possible to make a fusion reactor explode, but getting a fusion reaction going in the first place is difficult enough that you would have to overload the reactor on purpose. Gasoline engines are actually more comparable to a M/AM reactor in this regard, since the fuel itself can explode with relatively little provocation. Still, most modern gas tanks won't explode, they'll just burn. The objective remains to design a system that won't blow up by accident.

Post by GStone » Tue Feb 27, 2007 9:54 pm

Ted C wrote:The ship's power grid, which will have multiple circuits, each of which can get power from multiple sources. Each AM container should have its own circuit on that grid.
The power grid is regulated by the computer. Computer malfunction.
Of course, if you have an on-command ejection system, you already have the risk of a computer error ejecting a pod.
And you don't have that risk with the power grid regulated by the computer?
Of course they're not all together, but unless each container holds far less antimatter than a photon torpedo, one of these things exploding inside the ship would be enough to destroy the whole ship, which would result in the failure of all the other AM pods.
But, adding in a dead power switch is needlessly repetitive. There's already a system in place to eject the am pods. It was mentioned in Contagion. The only reason why it didn't is because of the virus and even with a dead power switch, there's still gonna be things that need power to move, which is regulated by the computer, so a dead power switch can't be computer regulated free.
The idea is to have a failsafe to get rid of the pod if the containment field's power supply is getting too low to keep the AM contained.

My solution prevents the destruction of the ship by ejecting a pod that's losing containment. You wouldn't eject the core unless the core itself is losing containment. Each component has an independent failsafe: get it?
You say it activates when you're losing power. Losing power takes time. The energy used in keeping containment isn't just gonna suddenly disappear. Instead of fixing the problem without having the pod automatically be spit out of the ship, you waste your power source needlessly and automatically at the first sign of trouble--- when you start to lose containment.

You can't just say 'well, it'll be ejected once the entire containment field is down'. By that time, the explosions will have already started and the pod won't just fall because there's no gravity in space, so it's gotta be pushed out.
With defense in depth, you have main power from the ship to the circuit, auxiliary power from the ship, a local battery, and finally the ejection system as a last resort.
In The Last Outpost, they've lost power and it's getting much colder. So cold that they're huddled in beside each other. Have they lost containment on the am pods? Are they losing it? No. What they'd die from eventually is the cold and hunger. They aren't worried about the am pods. So, they must already have an independent system. There's no reason to have this dead power switch system you're describing because it is already working fine. There's no need for this that and this other bit in this system you're describing.
The objective remains to design a system that won't blow up by accident.
What you want to have happen does not work. It will not work because you need to give yourself pretty much zero time to try to regain containment to make this system operational. You start to lose containment and it must be ejected with your system. That is the biggest design flaw of the dead power switch system. There's a system in place that gives you some leeway in when it gets ejected. The idea of using it whenever possible is absurd.

Who is like God arbour
Starship Captain
Posts: 1155
Joined: Fri Feb 02, 2007 3:00 pm
Location: Germany

Post by Who is like God arbour » Wed Feb 28, 2007 9:15 am

I will mostly ignore the posts made since Ted C's answer to my last posts.
Only that: I think, if we argue about a fail-safe system as described in my example ...
    • My example would be a hand grenade with a lever. If the grenade is unlocked, you have to actively press the lever. If you unhand it, the grenade will explode after the preset time. I have thought, that a dead man’s switch is meaning such a safety measure, because, if the soldier, who is holding such a grenade is shot dead, he would release it without a decision or an active doing and the grenade will explode as it is wanted.
...and the example described in "Engineering and Star Trek",...
    • Furthermore, "dead man's switch" principles are employed wherever possible, so that a system is ideally activated by a failure condition. For example, a CANDU reactor's primary emergency shutdown system uses shut-off rods that are electromagnetically suspended above the reactor. If the system fails, its electromagnet will lose power and the rods will fall due to gravity, thus shutting the reactor down.
      and
      Competent engineers would have designed the antimatter tanks so that they must be retained against a constant ejection pressure (perhaps driven by springs, gas pressure, or magnetic repulsion), thus utilizing the "dead man's switch" principle. If the containment magnets are connected in series with the tank retainer magnets, the tanks will be blown free as soon as the fields begin to weaken.
... Ted C is correct. The functional principle of such a system is that it is released without a decision from a human operator or a computer (I side-step the philosophical or technological question whether a computer can make a decision at all. For our purpose, it is irrelevant.)



But I don't think that a dead man's switch as defined in Wikipedia is the same principle as the fail-safe system as it is described in my example and in "Engineering and Star Trek".
Every fail-safe system has the goal to prevent further damage. The relevant differences are when, respectively by what circumstances, such a system is released.

The dead man's switch is intended to stop a machine in case the human operator becomes incapacitated, to prevent an accident because the operator is not able to control said machine anymore. This fail-safe system is released even if the machine itself has no malfunction. And such a system is not always released automatically anymore. The example with the throttle on a train, which Ted C has given, ...
    • Another example might be the throttle on a train, which the engineer is supposed to be holding at all times. If the engineer is incapacitated, he can no longer hold the throttle open and the train stops.
... is good to evaluate this. Today, a train conductor doesn't have to hold a throttle all the time. Today, he is supposed to push a button or a pedal at certain intervals. A computer monitors that this is done. If it is once not done, the computer usually asks the train conductor, before it brings the train to a stop if it doesn't get an answer. I would even bet that the computer is programmed to decide when and how to brake, so that it doesn't initiate a full service application of the brake in an unfavorable block, e.g. on a bridge, in a tunnel or in a bend, where the train could be carried off its rails. That is a dead man's switch, or rather a dead-man's vigilance device, an advancement of the basic dead man's switches. (There were accidents despite a basic dead man's switch because the train conductor had fallen asleep and had lain on the dead man's switch button or had fallen on the dead man's switch button pedal.)


But the fail-safe system as it is described in my example and in "Engineering and Star Trek" has a totally different premise. That system is released automatically if there is a malfunction in the machine or a factor which could be dangerous for the safe functioning of the machine, e.g. an earthquake, an energy boost or energy drop or too high temperatures or similar factors - but not the absence of a human operator.
Such a fail-safe system is released through as simple a mechanism as possible, mostly due to simple physical reactions.
    • For example, due to an energy boost, a fuse is opened and the electromagnet of the shut-off rods electromagnetically suspended above the reactor fails and the rods will fall due to gravity, thus shutting the reactor down.
      The same happens if there is an energy drop. But then, there is no need for an open fuse. Due to the energy drop, the electromagnet of the shut-off rods electromagnetically suspended above the reactor fails and the rods will fall due to gravity, thus shutting the reactor down.
      Something similar could happen if the temperature increased above a certain magnitude. A bimetal relay could open the fuse and the electromagnet of the shut-off rods electromagnetically suspended above the reactor fails and the rods will fall due to gravity, thus shutting the reactor down.
      For an ejection system, gravity is replaced by constant ejection pressure (perhaps driven by springs, gas pressure, or magnetic repulsion).
One could say that through such a failure condition a chain reaction (not nuclear) is induced. If there is such a fail-safe system (and that alone would be dependable and there would be no need for monitoring or maintaining other systems), there wouldn't be a need for a human operator, respectively his constant monitoring. The human operator or computer wouldn't even be able to prevent such a fail-safe system from being released if they notice that the fail-safe system itself is defective.

That's why I think that both fail-safe systems, the dead man's switch and the fail-safe system as it is described in my example and in "Engineering and Star Trek", are not the same systems. There are too many differences, and the similarities are the same as in most other fail-safe systems too.

For lack of a better technical term, I call the fail-safe system as it is described in my example and in "Engineering and Star Trek" an automatic CR fail-safe system, or in short, a CR fail-safe system.






Now to the point why I think that it would be disadvantageous to employ a CR fail-safe system wherever possible in a star ship.

There is no doubt that it would be better if the warp core or the antimatter pods are ejected before they explode in the ship. The question would be what fail-safe system would be advisable for this task.

I think that a CR fail-safe system would be disadvantageous because they tend to be released in unfavourable situations, which a star ship - contrary to a terrestrial reactor - can get into but in which it has to continue functioning nevertheless. They don't have damage tolerance or fault tolerance (other construction principles), which is especially needed by a star ship in a battle.
    • For example, if the Enterprise in Star Trek II had had CR fail-safe systems, they would have lost at least their warp core and maybe even all antimatter pods after the warp core was damaged and the ship had lost its main and secondary power.
      If the Enterprise in TNG "The Last Outpost" or "The Booby Trap" had had CR fail-safe systems, they would have lost their warp core and all antimatter pods after their energy was drained.
We have seen in many episodes that a containment field usually doesn't lose its integrity suddenly. There is usually enough time to prevent its collapse. We can conclude that there is a capacitor or some other system which maintains the containment field. Therefore, as we have seen, the crew has in most cases enough time to repair the damage. An ejection would be necessary only if the crew fails to repair the damage and the total collapse of a containment field is not preventable anymore. But that must be decided, either by the computer or by the operator.
    • For example, if the Enterprise in the TNG episode "11001001" had had a CR fail-safe system, the warp core would have been ejected in the star base. But because it had no such disadvantageous system, they had enough time to evacuate the Enterprise and program the auto-pilot to fly the Enterprise away. (We don't know whether the computer should have ejected the warp core after the Enterprise had left the star base and had arrived at a safe distance.)
Furthermore, I doubt that the ejection system of the warp core could be constructed as a CR fail-safe system. You can't eject the warp core on the spur of the moment. There are pipes and power supply lines from and to the warp core, which have to be sealed. Through some of these pipes antimatter is flowing. These pipes have to have their own containment and aren't closeable as easily as a water tap. But a CR fail-safe system is so "dependable" because it is so simply designed. The more complex it is, the more accident-sensitive it is.

That's why I think you need an active but dependable ejection system.

Sure, there is the danger that the ejection system itself fails and in an emergency the warp core is not ejectable anymore. But an engineer has to ponder the different probabilities and measures of damages. And I think it is better that the crew of a ship has the last word whether essential systems are shut off or even ejected, with the minimal risk that the ejection system could fail, than that, for example, in a battle the CR fail-safe systems are released due to damage, which is very probable in a battle, although the crew could maybe have repaired the damage and continued the battle.

Another question would be whether the active ejection system itself could be improved so that there are not so many malfunctions. (I think that this is really stupidly written by the authors of the diverse episodes.) But to design a CR fail-safe system instead would be a bad solution.

I provide the following quotation from TNG "Contagion":
    • GEORDI
      Sensor recordings reveal that what we witnessed was an uncontrolled and catastrophic matter/antimatter mix. The magnetic seals between the chambers collapsed --

      PICARD
      That's not possible.

      GEORDI
      Yes, sir, it is, but a highly improbable series of events has to take place before such an occurrence can result.

      PICARD
      Explain.

      GEORDI
      In the event of a breach of seal integrity there is an emergency release system which dumps the antimatter.

      DATA
      Apparently such a dump began, was then halted, and the containment seals were dropped. There was still sufficient antimatter present to lead to the result we observed.
As I understand it, such an event was highly improbable. Sure, a CR fail-safe system would have prevented it. But as a basic principle, it wouldn't be needed because such a situation wouldn't normally happen.

As I have already asked earlier:
    • How many warp core breaches were there in the whole of Star Trek with (ENT: 97, TOS:80, TNG:176, DS9:173, VOY:168) 694 episodes and 10 movies? How many were due to a battle or some other exceptional circumstances?
For me, it seems that Star Trek engineering is not idiot engineering. They have decided to take some mini-risks in exchange for important advantages.

A terrestrial reactor is a whole other question because, as is obvious, it has totally different requirements for security, damage tolerance and reliability. As I have said already, if a terrestrial reactor is shut down, nobody has to die. Other reactors would take over the electricity supply. But if it explodes, many people are affected by this. That's different for a star ship.
Last edited by Who is like God arbour on Wed Feb 28, 2007 10:09 am, edited 3 times in total.
