Voices: Lipták

What Is the Proper Role of Automation?

Automated System Can Lead to More and More Complexity and Confusion. Until the Instruments, Automation and Controls get Extremely Reliable, We'll Still Need to Keep Humans in the Loop

By Bela Liptak

Q: The NTSB published its report of the recent Asiana flight that crashed in San Francisco (lat.ms/1rwL89l).

I find the contrast between the views of the NTSB and your views on the subject of using automation on the flight deck of an airliner interesting. According to the NTSB, the pilots didn't understand the automation in place, and they mistakenly believed that it should have done something to arrest their high descent rate. In fact, there is such a mode in the airliner autopilot systems, but that's not the one they had selected.

I have been employed at a large water and sewer utility for more than 28 years. In the mid-1980s we were early adopters of automation. We got started with those lovely old PM550 controllers from Texas Instruments. The first thing we did was to replace those cam stacks and microswitches for sequencing through a filter backwash. The new backwash system was very effective. The operator would push a button and with great reliability, a backwash sequence would happen. Operators could forget about the details, the interlocks, the permissives, and even where the valves and pump controls were. And they did.

In just a few years, most of the operators had forgotten how a backwash worked. Only the senior plant operator, the controls engineer and the plant superintendent remembered why things were done the way they were. And they got more and more grandiose with their designs. We upgraded the control system, and then the superintendent went wild. We had backwash schemes for energy savings, for water savings, for speed, for deep cleaning and other various permutations and combinations. And then he retired. The controls engineer moved on to a new job and pretty soon we had voodoo with a platform that was rapidly becoming more and more obsolete. We were scared to upgrade it (but we are doing just that).

Complexity and the maintenance, management and operation of such complexity often are forgotten in the design of complex systems. You make the point that automation could stop people from making stupid mistakes such as not maintaining speed or turning too sharply or not shutting the plant down properly. And perhaps you're right—but it leads to more and more complexity and confusion.

That's what happened with Air France 447. The airliner Pitot tubes iced up at an altitude where that was not supposed to be possible. The controls reverted to Alternate Law because the automation had no contingencies to handle three wildly different air speed indications at an altitude where the operating range between the wing stall speed and the compressor stall speed can be as little as 12 knots. Had the pilots been more experienced with manual controls, they would have known in a heartbeat what to do. But they had forgotten.

I fly small airplanes on instruments. Manually, I have a constant feel for what my airplane is doing. Yes, my instrument approaches are sloppier than someone's three-axis autopilot with auto throttles. But I know where I am, and I know what is supposed to come next. And because I fly for fun, I know better than to fly when I'm tired, stressed out or ill.

I think that until the instruments, automation and controls get extremely reliable, we'll still need to keep the humans in the loop. Sooner or later that instrumentation or automation will fail. And then, with so little experience working without automation, the human won't know what to do either. That's the lesson I take home from Three Mile Island, from Fukushima, from Air France 447 and so many other disasters.

Jake Brodsky

A: I will say that continuous training is key for the operator. It is true that management needs to be in touch with situations more than ever before, but unfortunately they are not technical.

Hiten A. Dalal

A: Air France 447 (the crash in the Atlantic) was due to Airbus' computers basically giving up flying the plane when Pitot tubes froze, and the computers (five of them) switched to what Airbus calls "Alternate Law," which translates as, "You are the pilot. You fly the plane!" Another tragic example of too much dependence on automation.

I have a friend who was hired as an instructor for Air France, and was turning off the computers in the flight simulators to force the pilots to fly the plane. Airbus management told him "Don't do it. The computer is better than the pilot."

Bob Landman

A: Yours is a good summary of the present man-machine relationship and of the state of confusion that prevails.This is not new. During the Industrial Revolution, machines were introduced to substitute for human muscle, people were afraid that machines would cause accidents, and that eliminating work, say blacksmithing, would cause massive unemployment. Just the opposite occurred. Employment increased because these machines had to be designed, operated and maintained. While filling these jobs paid more, the work was less exhausting, and the price of horseshoes dropped. Today, when not the human muscle, but some of the routine functions of the human brains are being delegated to machines, people once again worry about the consequence of excessive dependence on these gadgets, and rightly so because misusing them can cause humans to forget how to do things! Yes, a new generation of "button pushers" could grow up—people who believe that square root means a button on a keyboard, logarithm is an African insect, and professional experience and wisdom is something that you can look up on Google or on Wikipedia.

Having prepared the Instrument Engineers' Handbook for some 50 years, I observed that automation can be both helpful or harmful, depending on how it is used. If ignorant programmers are allowed to prepare fancy software that operators do not understand, but are told to trust "what is in the box," this excessive dependence on something that can be wrong in the first place can create a mess. On the other hand, if we understand the proper role of automation, it makes our industries better and safer! The key is to clearly understand what I call overrule safety control (OSC).

During the past few years, I studied seven major accidents and found that the main cause of one was bad design, the cause of another one was operator inaction due to excessive dependence on automation, and five were caused by various degrees of manual operation of the process without OSC. One example of this "manual operation" was at Three Mile Island when the operator sent water into the instrument air supply, and for hours nobody even realized what had happened. This culture, in an age of poor training and potential for terrorism, needs to change.

Understanding what OSC is is critical! OSC is like a rail barrier. On the one hand, it does not prevent the driver from visiting his mother-in-law, but it does prevent him from causing an accident by trying to get there to taste her excellent cooking too fast. OSC is like automatically keeping the vehicle's doors closed when it is moving and preventing the driver (the operator) from "overruling" that safety automation. OSC is the "red line" that neither the manual operator nor the autopilot must be allowed to cross.

So why is OSC absolutely safe?

  1. Because it overrules not only the unsafe actions of the driver, but also those of the autopilot. In other words, OSC is totally independent of either, and it overrules both! It overrules all unsafe instructions, regardless of whether they come from the operator or from the computer.
  2. Can the OSC fail? Naturally it can, even if it has triple-redundant backups that are using the very best sensors. Yes, it can.
  3. But, if the OSC becomes inoperative for any reason, both the operator and the autopilot continue functioning just as if it did not exist. It is like the safety locks on the car doors or the red light on the street corner. If it fails, you are simply back to normal control.

So what does this mean for Air France 447? It means only two things:

  1. Bad sensors should not be used. Pitot tubes can freeze up, static pressure altimeters can give false information when air density changes (cold fronts, etc.) So forget such ancient sensors, and use redundant radar with GPS backup.
  2. OSC must be on all the time, no matter if the autopilot drops out, and no matter how ignorant or careless the pilot is or what he believes the autopilot is doing. OSC simply prevents both the pilot and the autopilot to attempt landing at unsafe speeds.

In the broader sense, our process control professionals must have a total understanding of the processes they control, must totally separate OSC from regular operational controls, and during the design phase, they must also control the software developers and not the other way around!

For examples of my proposed OSC designs, you can refer to my previous articles about eliminating the possibility of nuclear accidents by using automated underwater nuclear power plants (February 2014, bit.ly/1gLErMK), or you can read my article in the November 2013 issue (bit.ly/1r9s95F) about how OSC would have prevented the BP accident.

Béla Lipták

More from this voice


Scraping the Bottom of the Barrel-Part 3

Liptak Discusses Pipelining Safety and How Automation Processes Can Prevent Pipelining Accidents


Deaerator Level Control

Can a P Controller Be Replaced With a Linear Function Generator in Controlling the Level on a Deaerator?


Protecting Blast Furnace Pressure Transmitters from Plugging

Installing a Pressure Transmitter for Dusty Service. Help Me Please!


Scraping of the Bottom of the Barrel -- Fracking

Proponents Believe Fracking Gas Could Meet U.S. Energy Needs for a Century. Opponents Say the NG Supply Will Be Exhausted in Just a Few Decades


D/P Impulse Lines; Chinese Solar Tech

How to Keep Impulse Lines Full of Water When the Pump Shuts Down, and Are the Controls, Converters or Collectors for Photovoltaic Designs Better Products?


Controls for Scraping of the Bottom of the Barrel - Part 1

Discussing the Emerging New Industries That Are Aiming at Exploiting the "Unconventional" Fossil Fuel Deposits


Software for Renewable Energy Processes - 4

Talking About Software Needs for Control and Optimization of Solar Energy Storage and Transportation Systems


How Automation Can Prevent Nuclear Accidents-Part 3

Watch Out for Outdated and/or Unreliable Instruments. These Can Cause Major Disasters


More Reasons BWR Power Plants Are Unsafe

Covering the Automation Errors That Exist in the Old American BWR Plants


Preventing Nuclear Accidents by Automation -- Part 2

Bela Liptak Discusses the Design and Control Errors at Fukushima, Because They Still Exist in Many American Boiling-Water Reactors (BWR) and Must Be Corrected


The Fukushima Nuclear Accident - Part 1

Béla Lipták Talks About the Safety Processes Used at the Fukushima Plant


Control Software for Renewable Energy - 6

The Key Component of a Wireless and Fully Distributed Solar-Hydrogen System Is the Reversible Fuel Cell (RFC)


Software for Renewable Energy Processes-5

Bela Liptak Describes the "Battery Swap"-Based Transportation and the "Energy Free" Housing He Sees for the Future


Software for Renewable Energy Processes - 4

Solar Is the Fastest Growing Power-Generation Technology in the World


Control Software and Renewable Energy, Part 3

Bela Liptak Discusses the Control of the Renewable Energy Processes That Use Energy Sources Such as the Sun, the Moon, the Rotation of Earth and Its Coriolis Effect and the Heat Below the Ground


Renewable Energy Processes, Part 2

The Control System Must Be able to Detect the Loss of the Grid and Respond by Isolating Itself from the Grid or by Tripping Offline


Control Software and Renewable Energy, Part 1

Columnist Bela Liptak Launches a Series of Articles Talking About Control Software in Need of Development for Renewable Energy Processes. Here is Article Number 1


Pumping Station Optimization, Part 3

The Optimization of Pumping Stations and Liquid Distribution Systems Can Save 25 Percent or More Energy


Pumping Station Optimization - Part 2

Bela Liptak Talks About the Phenomenon of Net Positive Suction Head (NPSH) and Multiple Pump Stations


Pumping Station Optimization - Part 1

Liptak Describes the Pumping Process to Then Show How to Control and Optimize Pumping Stations