Skip to main content
Back to Library
postmortem

The Mechanism

4 min read Chapter 9 of 38

The Mechanism

The XA/21 alarm and logging subsystem processes sensor data in a pipeline. Sensor measurements arrive from remote terminal units (RTUs) across the grid. The SCADA front-end processes these measurements and writes them to a shared real-time database. The alarm processing subsystem reads from this database, evaluates alarm conditions (is this value above threshold? has this breaker changed state?), and writes alarm events to both the operator display and the historical log.

The race condition is in the interaction between the alarm processing thread and the logging thread. Both threads access shared data structures. Under normal load, the timing of their access does not produce a conflict. Under specific conditions, when a burst of state changes arrives simultaneously (as happens when a transmission line trips and multiple associated breakers, relays, and measurements change state at once), the concurrent access produces a deadlock or stall.

The Task Force report describes the effect but not the exact code path, because the XA/21 software is proprietary GE code. What is documented is the behavior: the alarm system stops processing new alarm conditions. It does not crash. It does not restart. It enters a state where it consumes CPU cycles without producing output. The operator’s alarm display freezes on whatever it was showing at the moment of the stall. If no alarms were displaying, the screen remains blank. If alarms were displaying, the same alarms remain on screen indefinitely, with no new alarms appearing regardless of grid conditions.

// RECONSTRUCTED FROM TASK FORCE BEHAVIORAL DESCRIPTION
// Actual GE XA/21 source code is proprietary
// This reconstruction illustrates the documented behavior pattern

// Alarm processing and logging share a state table
struct alarm_state {
    int breaker_id;
    int previous_state;
    int current_state;
    time_t timestamp;
    int processed;      // flag: 0 = needs processing, 1 = done
    int logged;         // flag: 0 = needs logging, 1 = done
};

// FAILURE POINT: Both threads access the alarm_state table
// without adequate synchronization. Under burst conditions,
// thread A reads 'processed' while thread B writes 'logged',
// producing a stall where neither thread can make progress.

void *alarm_processing_thread(void *arg) {
    while (1) {
        for (int i = 0; i < MAX_ALARMS; i++) {
            if (alarm_table[i].processed == 0) {
                evaluate_alarm_condition(&alarm_table[i]);
                update_operator_display(&alarm_table[i]);
                alarm_table[i].processed = 1;
            }
        }
    }
}

void *logging_thread(void *arg) {
    while (1) {
        for (int i = 0; i < MAX_ALARMS; i++) {
            if (alarm_table[i].processed == 1 && alarm_table[i].logged == 0) {
                write_to_historical_log(&alarm_table[i]);
                alarm_table[i].logged = 1;
            }
        }
    }
}

The critical absence is a watchdog. No component in the XA/21 monitors whether the alarm system is functioning. There is no heartbeat check, no “alarm about alarms,” no dead-man switch that would notify operators if the alarm processing pipeline stalls. The alarm system is a single point of failure for operator awareness, and it has no monitoring.

This design reflects an assumption: the alarm system is infrastructure, not a component that can fail independently. Like the floor beneath the operators’ chairs, it is expected to be present. No one designed a fallback for the case where it is not.

The cascade itself follows the physics of electrical transmission.

A transmission line has a thermal rating: the maximum current it can carry before the conductor heats enough to expand and sag below safe clearance from the ground or from vegetation. When a line carries current beyond its thermal rating, the conductor temperature rises, the metal expands, and the line physically sags. If it sags into a tree, the resulting electrical contact (a phase-to-ground fault) causes protective relays to trip the line offline.

When a line trips, the current it was carrying does not disappear. It redistributes to every other parallel path in the network, proportional to the electrical impedance of each path. If the remaining paths are already near their thermal limits, the additional current pushes them over. They sag. They contact trees. They trip. Each trip redistributes more current to fewer remaining paths. This is a positive feedback loop.

The physics provides a window of intervention. Between the first line trip and the point where the cascade becomes self-sustaining, an operator can act. The standard response is load shedding: deliberately disconnecting some customers to reduce the total demand on the remaining transmission lines, bringing them back within their thermal ratings. Load shedding is planned blackout: a small, controlled outage to prevent a large, uncontrolled one. It requires situational awareness. It requires alarms.

The 91-minute window between 14:14 (alarm stall) and 15:45 (cascade initiation) was the intervention window. The operators had no alarms, no state estimator, and no automated indication that four major transmission lines had tripped. The intervention that would have prevented the cascade, controlled load shedding in the Cleveland area, was never initiated because the operators did not know it was needed.