Voices: Lipták

What Is the Proper Role of Automation?

Automated System Can Lead to More and More Complexity and Confusion. Until the Instruments, Automation and Controls get Extremely Reliable, We'll Still Need to Keep Humans in the Loop

By Bela Liptak

Q: The NTSB published its report of the recent Asiana flight that crashed in San Francisco (lat.ms/1rwL89l).

I find the contrast between the views of the NTSB and your views on the subject of using automation on the flight deck of an airliner interesting. According to the NTSB, the pilots didn't understand the automation in place, and they mistakenly believed that it should have done something to arrest their high descent rate. In fact, there is such a mode in the airliner autopilot systems, but that's not the one they had selected.

I have been employed at a large water and sewer utility for more than 28 years. In the mid-1980s we were early adopters of automation. We got started with those lovely old PM550 controllers from Texas Instruments. The first thing we did was to replace those cam stacks and microswitches for sequencing through a filter backwash. The new backwash system was very effective. The operator would push a button and with great reliability, a backwash sequence would happen. Operators could forget about the details, the interlocks, the permissives, and even where the valves and pump controls were. And they did.

In just a few years, most of the operators had forgotten how a backwash worked. Only the senior plant operator, the controls engineer and the plant superintendent remembered why things were done the way they were. And they got more and more grandiose with their designs. We upgraded the control system, and then the superintendent went wild. We had backwash schemes for energy savings, for water savings, for speed, for deep cleaning and other various permutations and combinations. And then he retired. The controls engineer moved on to a new job and pretty soon we had voodoo with a platform that was rapidly becoming more and more obsolete. We were scared to upgrade it (but we are doing just that).

Complexity and the maintenance, management and operation of such complexity often are forgotten in the design of complex systems. You make the point that automation could stop people from making stupid mistakes such as not maintaining speed or turning too sharply or not shutting the plant down properly. And perhaps you're right—but it leads to more and more complexity and confusion.

That's what happened with Air France 447. The airliner Pitot tubes iced up at an altitude where that was not supposed to be possible. The controls reverted to Alternate Law because the automation had no contingencies to handle three wildly different air speed indications at an altitude where the operating range between the wing stall speed and the compressor stall speed can be as little as 12 knots. Had the pilots been more experienced with manual controls, they would have known in a heartbeat what to do. But they had forgotten.

I fly small airplanes on instruments. Manually, I have a constant feel for what my airplane is doing. Yes, my instrument approaches are sloppier than someone's three-axis autopilot with auto throttles. But I know where I am, and I know what is supposed to come next. And because I fly for fun, I know better than to fly when I'm tired, stressed out or ill.

I think that until the instruments, automation and controls get extremely reliable, we'll still need to keep the humans in the loop. Sooner or later that instrumentation or automation will fail. And then, with so little experience working without automation, the human won't know what to do either. That's the lesson I take home from Three Mile Island, from Fukushima, from Air France 447 and so many other disasters.

Jake Brodsky
jakebrodskype@gmail.com

A: I will say that continuous training is key for the operator. It is true that management needs to be in touch with situations more than ever before, but unfortunately they are not technical.

Hiten A. Dalal
hiten_dalal@kindermorgan.com

A: Air France 447 (the crash in the Atlantic) was due to Airbus' computers basically giving up flying the plane when Pitot tubes froze, and the computers (five of them) switched to what Airbus calls "Alternate Law," which translates as, "You are the pilot. You fly the plane!" Another tragic example of too much dependence on automation.

I have a friend who was hired as an instructor for Air France, and was turning off the computers in the flight simulators to force the pilots to fly the plane. Airbus management told him "Don't do it. The computer is better than the pilot."

Bob Landman
www.hlinstruments.com

A: Yours is a good summary of the present man-machine relationship and of the state of confusion that prevails. This is not new. During the Industrial Revolution, machines were introduced to substitute for human muscle, people were afraid that machines would cause accidents, and that eliminating work, say blacksmithing, would cause massive unemployment. Just the opposite occurred. Employment increased because these machines had to be designed, operated and maintained. While filling these jobs paid more, the work was less exhausting, and the price of horseshoes dropped. Today, when not the human muscle, but some of the routine functions of the human brain are being delegated to machines, people once again worry about the consequence of excessive dependence on these gadgets, and rightly so because misusing them can cause humans to forget how to do things! Yes, a new generation of "button pushers" could grow up—people who believe that square root means a button on a keyboard, logarithm is an African insect, and professional experience and wisdom is something that you can look up on Google or on Wikipedia.

Having prepared the Instrument Engineers' Handbook for some 50 years, I observed that automation can be either helpful or harmful, depending on how it is used. If ignorant programmers are allowed to prepare fancy software that operators do not understand, but are told to trust "what is in the box," this excessive dependence on something that can be wrong in the first place can create a mess. On the other hand, if we understand the proper role of automation, it makes our industries better and safer! The key is to clearly understand what I call overrule safety control (OSC).

During the past few years, I studied seven major accidents and found that the main cause of one was bad design, the cause of another one was operator inaction due to excessive dependence on automation, and five were caused by various degrees of manual operation of the process without OSC. One example of this "manual operation" was at Three Mile Island when the operator sent water into the instrument air supply, and for hours nobody even realized what had happened. This culture, in an age of poor training and potential for terrorism, needs to change.

Understanding what OSC is is critical! OSC is like a rail barrier. On the one hand, it does not prevent the driver from visiting his mother-in-law, but it does prevent him from causing an accident by trying to get there to taste her excellent cooking too fast. OSC is like automatically keeping the vehicle's doors closed when it is moving and preventing the driver (the operator) from "overruling" that safety automation. OSC is the "red line" that neither the manual operator nor the autopilot must be allowed to cross.

So why is OSC absolutely safe?

  1. Because it overrules not only the unsafe actions of the driver, but also those of the autopilot. In other words, OSC is totally independent of either, and it overrules both! It overrules all unsafe instructions, regardless of whether they come from the operator or from the computer.
  2. Can the OSC fail? Naturally it can, even if it has triple-redundant backups that are using the very best sensors. Yes, it can.
  3. But, if the OSC becomes inoperative for any reason, both the operator and the autopilot continue functioning just as if it did not exist. It is like the safety locks on the car doors or the red light on the street corner. If it fails, you are simply back to normal control.

So what does this mean for Air France 447? It means only two things:

  1. Bad sensors should not be used. Pitot tubes can freeze up, and static pressure altimeters can give false information when air density changes (cold fronts, etc.), so forget such ancient sensors, and use redundant radar with GPS backup.
  2. OSC must be on all the time, no matter if the autopilot drops out, and no matter how ignorant or careless the pilot is or what he believes the autopilot is doing. OSC simply prevents both the pilot and the autopilot from attempting to land at unsafe speeds.

In the broader sense, our process control professionals must have a total understanding of the processes they control, must totally separate OSC from regular operational controls, and during the design phase, they must also control the software developers and not the other way around!

For examples of my proposed OSC designs, you can refer to my previous articles about eliminating the possibility of nuclear accidents by using automated underwater nuclear power plants (February 2014, bit.ly/1gLErMK), or you can read my article in the November 2013 issue (bit.ly/1r9s95F) about how OSC would have prevented the BP accident.

Béla Lipták
liptakbela@aol.com
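The three OSC properties in Lipták's answer (it overrules unsafe commands from either source, it is independent of both, and when it is inoperative the source keeps control as if the OSC did not exist) can be expressed as a small command filter. The following is an added illustration written for this page, not Lipták's own design or any aircraft or plant code; the envelope limits, the sensor-agreement rule and the sample readings are constructed values chosen only to make the behaviour visible.

```python
"""Overrule safety control (OSC) simulated as an independent command filter.

Constructed example: a landing-speed/descent envelope sits between the two
command sources (pilot and autopilot) and the actuator. Every command goes
through the same envelope check regardless of who issued it. If the OSC's
own redundant sensors disagree, the OSC declares itself inoperative and
passes the command through unchanged, i.e. "back to normal control".
"""
from dataclasses import dataclass

# Hypothetical envelope values, chosen for illustration only.
MIN_APPROACH_SPEED_KT = 137.0
MAX_APPROACH_SPEED_KT = 160.0
MAX_DESCENT_RATE_FPM = 1000.0
MAX_SENSOR_SPREAD_KT = 5.0   # redundant readings must agree this closely


@dataclass(frozen=True)
class Command:
    source: str              # "pilot" or "autopilot"
    target_speed_kt: float
    descent_rate_fpm: float


@dataclass(frozen=True)
class Decision:
    applied: Command         # what actually reaches the actuator
    overruled: bool          # True if the OSC changed the command
    osc_operative: bool      # False when the OSC stood aside
    reason: str


def osc_operative(speed_readings):
    """Triple-redundant sensor check: the OSC trusts itself only when its
    own readings agree. Disagreeing readings (the AF447 Pitot situation)
    mean the OSC cannot know the true speed, so it must not act."""
    if len(speed_readings) < 2:
        return False
    return max(speed_readings) - min(speed_readings) <= MAX_SENSOR_SPREAD_KT


def overrule(cmd, speed_readings):
    """Apply the OSC envelope to a command from any source.

    The source is never consulted when deciding whether to clip: the same
    red line applies to the pilot and to the autopilot.
    """
    if not osc_operative(speed_readings):
        # Property 3: an inoperative OSC changes nothing; the source keeps
        # control exactly as if the OSC did not exist.
        return Decision(cmd, False, False,
                        "OSC inoperative (sensor disagreement); passed through")

    speed = min(max(cmd.target_speed_kt, MIN_APPROACH_SPEED_KT),
                MAX_APPROACH_SPEED_KT)
    descent = min(cmd.descent_rate_fpm, MAX_DESCENT_RATE_FPM)
    if (speed, descent) == (cmd.target_speed_kt, cmd.descent_rate_fpm):
        return Decision(cmd, False, True, "within envelope")

    clipped = Command(cmd.source, speed, descent)
    return Decision(clipped, True, True,
                    f"{cmd.source} command clipped to safety envelope")


def run_scenario():
    """Constructed approach sequence showing all three OSC properties."""
    agreeing = [142.0, 143.0, 141.0]     # healthy redundant sensors
    disagreeing = [142.0, 80.0, 215.0]   # one frozen, one wild
    sequence = [
        (Command("pilot", 120.0, 700.0), agreeing),       # too slow: clipped
        (Command("autopilot", 150.0, 1800.0), agreeing),  # too steep: clipped
        (Command("autopilot", 145.0, 800.0), agreeing),   # fine: untouched
        (Command("pilot", 120.0, 700.0), disagreeing),    # OSC stands aside
    ]
    return [overrule(cmd, readings) for cmd, readings in sequence]


if __name__ == "__main__":
    for d in run_scenario():
        print(f"{d.applied.source:9s} overruled={d.overruled!s:5s} "
              f"osc_operative={d.osc_operative!s:5s} {d.reason}")
```

Note the design choice in `overrule`: the envelope check reads only the command and the OSC's own sensors, never the autopilot's internal state, which is what makes the OSC independent of both sources in the sense the answer describes. The last step of the scenario is the one worth studying: with disagreeing sensors the OSC passes an unsafe pilot command through untouched, which is exactly the "back to normal control" behaviour in point 3 and the reason point 1 insists on sensors the OSC can trust.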
