Are we being over redundant?
Updated: Feb 3
Few things in the rope rescue community generate more discussion than the issue of redundancy in two rope systems. In 2016 we wrote a blog post that touched on this, called speed versus safety [https://www.roninrescue.com/post/special-ops-part-four-speed-vs-safety]. In the intervening 5 years, much has happened, but it seems this is still a hot conversation. Sometimes when we look at rigging today it appears we are becoming more risk-averse than we were in 2016.
An oft-repeated statement is that redundant systems in rope work are unnecessary by the very definition of the term. Looking closer, however, there are several definitions for the term redundant, and viewing belay systems and two rope systems as “unnecessary” is only looking at a very narrow definition of the term.
Merriam-Webster defines redundant as:
1) Exceeding what is necessary or normal;
2) Characterized by or containing an excess;
3) Serving as a duplicate for preventing the failure of an entire system upon failure of a single component.
It is the third part of the definition (sometimes termed the engineering or technical definition) of redundant that we, as rope practitioners, are concerned with. We create redundancy by duplicating components and systems either in parallel or backup, and therefore we mitigate risk by reducing the exposure of suspended persons to complete system failure. One example of this in rope rescue would be a separately rigged backup line to the mainline. Redundancy is one method of creating a fail-safe system.
According to The American Heritage® Dictionary of the English Language, 5th Edition, the definition of fail-safe is:
Capable of compensating automatically and safely for a failure, as of a mechanism or power source.
Another definition, from Wikipedia, describes fail-safe as causing a piece of machinery or other mechanisms to revert to a safe condition in the event of a breakdown or malfunction.
Fail-Safe and Redundancy
Fail-safe can be achieved through redundancy; however, there are other methods of achieving fail-safe. In the rope community, the distinction between fail-safe and redundancy has not been well defined, but the concept of automatic, safe-failure compensation is generally well understood. The distinction between a redundant and duplicated system versus a system that is fail-safe but not duplicated is becoming more important with the proliferation of systems using devices in applications where the risk of catastrophic failure is being mitigated without using a second rope system. For example, think of rigging a descent control device with an ASAP in front, with the intention of creating a fail-safe system if the operator misuses the device. Defining the difference between redundant and fail-safe will allow practitioners to better assess the applicability of these systems to their level of ability and their organization's requirements.
Let’s further break down the concept of redundancy and how it may apply to rope rescue systems:
• In engineering, Redundancy is the duplication of critical components or functions of a system with the intention of increasing the reliability of the system.
• Backup Redundancy is when you have a secondary system to back up the primary system.
• Parallel Redundancy uses multiple control devices running in parallel. Both devices are synchronized and are operated in conjunction with one another.
These concepts can help to simplify the way we look at creating rope systems that mitigate the risk of catastrophic failure. If we use the “Serving as a duplicate” definition of redundant then we can categorize systems in the following ways:
1. Systems that duplicate functions are Parallel Redundant (e.g. Two Tension Rope System - TTRS)
2. Systems that utilize a separate backup to the primary system are Backup Redundant (e.g. Dedicated Main / Dedicated Belay System - DM/DB)
The critical difference between parallel and backup redundant systems is the criterion of duplication of function, and therefore the ability to continue the operation in the event of failure of one system or component when using a Parallel Redundant system. A Backup Redundant system may or may not – depending on the control device used – be operable after being activated.
Backup Redundant Systems
Backup (belay) redundancy is the redundancy mode for Main and (un-tensioned) Belay rope systems, such as tandem Prusik belay, 540 belays, backup devices (including ASAP), etc. As the backup system is generally un-tensioned and susceptible to a buildup of slack rope, these systems, in comparison with parallel systems, generally will have the following hazard characteristics:
1. Potential free-fall prior to backup system engagement
2. Higher potential Maximum Applied Force
3. Longer potential Stopping Distance
4. Once activated the suspended load is immobile (control device dependent)
Belay rope systems are often chosen based on the following criteria:
1. Simpler operation
2. Fewer personnel
3. Available equipment
4. Training and familiarity
5. When the operation of a parallel tensioned system complicates the operation.
6. At times when rigging for confined space rescue.
Typical rope access systems utilize ascent and descent devices on the working rope and a backup device on the safety rope. Most available backup devices lock on activation and are typically not operable (for lowering or raising the suspended person) once activated. In some cases, there may be deformation of the backup device, the rope, or the connecting components. After activation the device will likely not be able to be moved on the rope until the tension is transferred, requiring a separate system or systems to be deployed to retrieve any persons remaining suspended on rope.
Hitch-based belay systems (tandem or single Prusik, Schwabisch hitch, etc.) may require transferring tension and manipulation prior to continuing an operation. A severe impact onto a hitch-based belay system may damage the rope or render the hitches inoperable (tandem Prusiks fusing onto the host rope, for example).
Certain Belay systems in single tensioned rope systems may be operable after activation (MPD, 540 – emergency lowering capability, ID, etc.). Systems constructed using belay devices with the capability to operate post-activation could be considered a hybrid model, operating in backup mode while providing duplication of function.
Parallel Redundant Systems
Parallel Redundancy is the redundancy mode for Dual Capability Two Tensioned Rope Systems (DCTTRS). Changeovers are efficient and can be achieved with little downstream effect. Note that parallel systems need not be identical (the “mirrored system” approach) but they do need to duplicate each other in function. Duplicate (or in the case of some aerospace engineering triplicate and quadruplicate) systems not only serve to increase reliability by mitigating the risk of catastrophic failure, but also allow the system to remain operable in the event of the failure of one system or component.
Ideally, redundant systems duplicate the other system's function – lowering, raising, connecting, etc. Redundant control devices not only duplicate function but allow the load to be moved in the event of failure of one system or component.
One of the primary arguments for moving to Two Tensioned Rope Systems (TTRS) is the evidence that rope systems are better able to survive a drop test over an edge when the ropes are insulted in parallel versus in series. Compared to backup systems, other factors that predispose many practitioners to choose parallel redundant, two tensioned systems include:
1. Potential for free fall is eliminated in most operations
2. Lower Maximum Applied Force
3. Shorter Stopping Distance
4. Duplicate system is operable after the loss of one system or component
Some reasons for not choosing parallel systems include:
1. May require more equipment or personnel
2. Requires greater coordination
3. May introduce complexity
4. Devices difficult to operate when the load force is split between two systems
Redundancy in two tensioned rope rescue or rope access systems is typically achieved through duplication of systems that mitigate the risk of catastrophic failure and allow the remaining system(s) to continue operating in the event of failure of a system or a component. After a failure event, an assessment must be made to determine whether to immediately continue the operation on the remaining system(s) or to deploy additional rope system(s) to restore redundancy. This assessment must look at the integrity of the remaining systems and components, injury to the suspended person, and the time and risk required to re-establish redundancy versus the time/risk it would take to immediately lower the suspended person to ground.
What about Fail-Safe?
Some manufacturers already build “fail-safes” into their components. For instance, the “anti-panic” or “whistle stop/hands free” stops in descent control devices meet the definition of fail-safe (reverts to a safe condition in event of a malfunction) but do not meet the definition of redundant (this is not a component failure - device breakage - but a human failure - misuse). Such a stop is also not an “extra component” that “backs up” the system.
Another rigging method that has come onto the scene lately is the aforementioned idea of rigging an ASAP Lock in front of a descent control device. Some would argue that it also meets the redundant definition. We would say an ASAP provides a fail-safe in this setup, not redundancy. It seems to be there to prevent operator misuse of the descent control device and is not a separate system. As well, if the line breaks below the ASAP, there is no redundancy in the system at all.
In the context of single rope technique, adding backups such as a third hand below a descent control device creates a fail-safe system (backing up the operator) but does not create redundancy (still only one system).
The question becomes: is fail-safe needed if the system is redundant? As noted, redundancy is one method of achieving a fail-safe system. Depending on the definition you look at, this can become a circular argument but that is overly semantic. In most scenarios, does adding fail-safe components to redundant, and therefore already fail-safe systems, create unnecessary rigging and eat up valuable time?
Let’s look at the previous TTRS example, this time with two ASAPs in front of CMC Clutches. Considering many devices on the market today will both lower and belay a load (which is required in a Dual Capability TTRS System), in what scenario are we imagining that the ASAP Lock will engage?
1. Failure of the mainline? It’s TTRS; the other line catches with a jolt force.
2. Failure of an anchor system? Same as a mainline failure.
3. One operator lets go of the rope? Device auto-stops.
4. One operator panics and pulls the device handle? Device auto-stops.
5. One operator panics and holds handle in place and “speed lowers”? The other device being operated properly by a competent operator will stop the lower as their device cannot keep up the speed.
6. One operator, operating both devices (i.e. shark finning/double clutching) loses one line and lowers the package to the ground, at speed, without noticing or has inertial runaway in the operating CD Device. The inertial runaway issue mentioned above can be mitigated by including a friction carabiner, as recommended by the manufacturer of some of those devices that can inertially run away (e.g. a Petzl I'D). Many of the newer control devices do not require a friction carabiner, although we have personally found it useful when doing rescues with the CMC Clutch to include one to smooth out the descent. Note – many newer devices do not have the issue of inertial runaway as the force at which the device regrips the rope is adequate to catch the load.
Regarding the ASAP or ASAP Lock: in their Tech Tip: ASAP Usage on an Incline, Petzl states the ASAP Lock works at “moderate speeds” and locks up at “great speeds”. They mention that on a smooth 30-degree surface sliding at a “medium speed” the device will lock in roughly 3m. The device uses a centrifugal force clutch. Petzl no longer publishes the activation speed of the ASAP. Anecdotally we have heard of speeds anywhere from 2.8 to 3.2 m/s to activate the device. 3 m/s is approximately 11 km/hr. The remaining device operator should be able to notice the rope moving through the device at a fraction of this speed and stop the lowering operation before the ASAP activates. Perhaps this is a valid reason for adding a fail-safe to a redundant system – that of a single operator allowing the load to descend too quickly; however, this could also be viewed as mechanically “backing up” an untrained operator. The question that does not appear to have been thoroughly tested yet, though, is how easy it is to lower either a single rope or a two-tension system fast enough to activate an ASAP, and how likely it is that an operator could override the panic stop in the event of losing one of the two ropes.
It is important for a rope practitioner to be able to distinguish between operating Backup Redundant systems and Parallel Redundant (duplicated in function) systems so that they will be able to anticipate what is needed to remove suspended persons from suspension after the failure of either a system or a component. Categorizing systems according to accepted terms is one step forward to understanding and allows for increased clarity in communication. It is also important for an operator to understand that while fail-safe can be achieved through redundancy, a system being fail-safe does not necessarily mean it is redundant.
This paper is not an argument for, or against, any particular system. There are innumerable applications in ropework and to espouse one type of system over another without context would be inappropriate.