This article was printed in CONTROL's August 2009 edition.
This column is moderated by Béla Lipták, process control consultant and editor of the Instrument Engineers' Handbook (IEH). Preparation of the 4th edition of Volume 3, Process Software and Networks, is in progress. If you are qualified to update an existing chapter or prepare a new one, or participate in answering questions for this column, write to email@example.com.
Q: We've had more than a dozen questions asking if a better understanding of process control could help in determining the probable causes of aviation accidents and in offering control solutions to prevent the repetition of the Air France Flight 447 accident that occurred on June 1, 2009, over the Atlantic.
Before giving my answer, let me note that the June 1 accident was not unique. Two other accidents involving Airbus 330s took place this year. Brazilian carrier TAM's (TAM Linhas Aéreas) Flight 8091 from Miami to Sao Paulo and Northwest Airlines Flight 8 from Hong Kong to Tokyo also reported loss of speed and altitude readings, and had to switch off their autopilot and auto-throttle systems. No casualties occurred in either case. Earlier, Aero Peru Flight 603 crashed into the Atlantic because the maintenance crew forgot to remove the tapes placed on the pitot tubes after completing the waxing of the plane (www.avweb.com/other/peru603.html). This accident killed 189 people and occurred because the failure of the pitot sensors caused the pilots to fly too slowly, and the plane stalled. In other cases, the pitot tube ports were blocked by ice.
Many of these cases, such as Yemenia Airlines Flight IY626, which crashed in the Indian Ocean in June with only one survivor, and Air France Flight 447, are still being analyzed. In these cases, the exact causes of the crashes remain unclear, but the pitot tubes are suspected of at least contributing to the catastrophic failures.
A: So, perhaps it's time to review what we know about pitot tubes and how they operate (Figure 1). A pitot tube detects the velocity (V) of the airplane relative to the air surrounding it—not relative to the ground. It measures V by measuring the difference between total pressure (Pt) and barometric pressure (Ps) according to the equation V = √(Pt-Ps). This sensor is convenient because it reads both velocity and barometric (static) pressure (Ps). Ps is used by the pilot as a measure of altitude.
Now, what can happen if an airplane is flying horizontally at an altitude of 30,000 feet, and it runs into a cyclone or hurricane? It's obvious that if the ports of the pitot tubes are plugged by ice formation (which can be reduced by heating the pitot tube) or by something else, both measurements (velocity and altitude) will be lost.
It is less obvious that there are other causes of measurement failure. For example, the wind of a hurricane can have a speed of 150 mph to 200 mph, and in its eye, it can have a vacuum of up to 4 in. Hg (inches of mercury). When the airplane reaches the eye, the pitot tube readings start reversing. This happens because as the plane enters the hurricane's eye, the barometric (static) pressure quickly drops. Therefore, the pilot will believe that the altitude of the airplane is quickly rising, and he or the autopilot will act to lower the altitude of the plane.
As the static pressure (Ps) drops, this can cause an indication of increased velocity via V = √(Pt-Ps). Therefore, the pilot or autopilot will believe that both the plane's altitude and its speed are rising, and will try to decrease the altitude while also slowing down the plane. But, neither of these steps will change the two pressures (Ps and Pt), and the speed or the altitude readings will remain unaltered. This will confuse the pilot, and he or she is likely to reduce speed even more, and drop the plane even faster. In addition, when the autopilot reads this reverse response, which according to its computer model makes no sense, it switches off. Therefore, the airplane does not explode in the air, but eventually hits the water. Though we don't know for sure yet, this appears to be what happened in the case of Air France 447.
So what is the solution? The answer is very simple. It is one that has been used in process control for generations—on critical measurements, use redundant sensors. Another basic rule is that the backup sensor(s) must always operate on a totally different principle than does the primary. Therefore, if the speed and altitude sensors are provided with backup detectors that are programmed to overrule their primary (pitot) measurements automatically in case their readings drastically differ, the flight will be safe, at least from these sorts of failures.
Consequently, the aviation industry should require that all airplanes be provided with alternative sensors, such as GPS-based altitude sensors, as backup controls. In addition, all airplanes should continuously transmit their flight data to land-based flight control centers. The computers there would not only serve as backup during the flight, but would also provide the data for quick and reliable accident analysis without the need to find the "black box."
What we should learn from these accidents (not only in aviation, but also in nuclear, fossil, chemical and other industries) is that these disciplines should not operate as "closed shops." Instead, they should depend not only on their own group's experience (using outdated tools like pitots and black boxes), but also should take advantage of the advanced state of the sciences in the process control profession as a whole because that is richer than the know-how of any single industry.
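The failure mode and the redundant-sensor rule described in this answer, worked through as an added example (not part of the column): altitude is inferred from Ps with the standard pressure-altitude formula, speed with the column's simplified V = √(Pt-Ps) in arbitrary units, and an independent GPS altitude overrules the pitot value when the two disagree by more than a tolerance. The samples, the 2,000 ft tolerance and the 4 in. Hg drop are constructed for the illustration.

```python
import math

SEA_LEVEL_IN_HG = 29.92126   # standard-atmosphere static pressure at sea level

def pressure_altitude_ft(ps_in_hg: float) -> float:
    """Altitude the pilot infers from static pressure Ps (standard pressure-altitude formula)."""
    return 145366.45 * (1.0 - (ps_in_hg / SEA_LEVEL_IN_HG) ** 0.190284)

def pitot_speed(pt: float, ps: float) -> float:
    """Indicated speed from the column's simplified relation V = sqrt(Pt - Ps); arbitrary units."""
    return math.sqrt(max(pt - ps, 0.0))

def select_altitude(pitot_alt_ft: float, gps_alt_ft: float, tolerance_ft: float = 2000.0):
    """Redundant-sensor rule: the backup, which works on a different principle, overrules
    the primary when the two disagree by more than the tolerance. Returns (value, source)."""
    if abs(pitot_alt_ft - gps_alt_ft) > tolerance_ft:
        return gps_alt_ft, "gps_overrule"
    return pitot_alt_ft, "pitot"

# Constructed samples: (Pt, Ps in inHg, GPS altitude in ft). Cruise at 30,000 ft (Ps ~ 8.88 inHg),
# then the eye of the storm: Ps drops 4 inHg while the GPS altitude stays at 30,000 ft.
SAMPLES = [
    (17.88, 8.88, 30000.0),   # cruise
    (17.88, 8.88, 30000.0),   # cruise
    (17.88, 4.88, 30000.0),   # Ps drops 4 inHg; the Pt reading is unchanged, as the column describes
    (17.88, 4.88, 30000.0),
]

def run_scenario(samples=SAMPLES, tolerance_ft=2000.0):
    """One record per sample: pitot-derived readings, the altitude actually used and its source."""
    records = []
    for pt, ps, gps_alt in samples:
        pitot_alt = pressure_altitude_ft(ps)
        alt, source = select_altitude(pitot_alt, gps_alt, tolerance_ft)
        records.append({
            "pitot_alt_ft": round(pitot_alt),            # jumps to ~42,000 ft in the eye
            "pitot_speed": round(pitot_speed(pt, ps), 3), # rises although the plane did not speed up
            "selected_alt_ft": alt,
            "source": source,
        })
    return records

if __name__ == "__main__":
    for record in run_scenario():
        print(record)
```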
Q: We would like to improve on the safety record of fossil and nuclear energy processes as we design our new renewable energy process. One element of that improved performance is the selection of the safe failure position for valves. We have followed the advice in the Instrument Engineers' Handbook concerning the possible types of failures, including mechanical, air and electric power supply failures. We've also followed the advice given there on how to determine the safe failure positions, such as using a closed valve failure position on heating, and open on cooling. In critical cases, we're using electric motor-operated valves to back up valves with pneumatic actuators, and we are installing them in parallel for cooling and in series for heating applications as recommended.
Now, we came across a situation where the safe failure position required in one phase of the process is different from the failure position required in another phase. In other words, the same valve should fail open, closed, or in the last position, depending on the process phase. Am I right that in such cases we should use double-acting and not spring-return actuators? Do you have any other advice on how to design for such situations?
A: Without knowing nearly enough about the process, two ways to accomplish your stated goal come to mind. 1) Build a manifold with three automatic valves in parallel, so that each valve has manual block valves. Use a spring-return valve in the air-to-open and another in the air-to-close runs. The valve in the third run can have a double-acting actuator. Assuming the process state changes are sufficiently spread out in time, the active run can be manually selected for each state (phase).
2) Many years ago, the large butterfly valve for a 7000 hp hot gas expansion turbine had to close quickly if the shaft to the axial compressor failed. A local power supply, consisting of a cylinder of compressed nitrogen, provided the pressure to operate a double-acting valve. A local pneumatic control device sensed over-speed, and closed the inlet valve. This was done at a large nitric acid plant owned by Hercules Powder Co. in the late 1960s.
Have you done the probability analysis for everything involved in a failure, not just the air supply? There is a balance between cost and risk to be considered. Intrinsic electrical safety is based on the idea that the probability of two improbable events happening at the same time is an acceptable level of risk. Is it possible for one accident or fire to take out both plant air and electricity? My apologies if this repeats what you already know.
A: It is not unusual to have valves with both fail open and fail close control systems in fossil power applications. This is usually achieved through the use of two solenoids, one for fail closed and one for fail open.
The reliability of these systems can be further improved by using redundant solenoids and a voting system, or by specifying the reliability of the instruments using IEC 61508 and the SIL rating system. Triple-redundant solenoids have been used for more than 30 years in Europe for boiler and condenser protection. Triple redundancy is being replaced by the SIL system.
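An added example (not from the column or either respondent) that combines the question's phase-dependent safe position with the two-solenoid arrangement and 2oo3 voting described in this answer: three trip channels are voted, and on a trip the phase's declared safe position overrides the controller's demand, with "last position" meaning neither solenoid is driven so the double-acting actuator holds. The phase names and their safe positions are constructed for the illustration.

```python
from enum import Enum

class Position(Enum):
    OPEN = "open"
    CLOSED = "closed"
    LAST = "last"      # hold whatever position the valve is in when the trip occurs

# Constructed: the same valve must fail closed while heating, open while cooling,
# and in its last position during a controlled hold.
SAFE_POSITION = {
    "heating": Position.CLOSED,
    "cooling": Position.OPEN,
    "hold": Position.LAST,
}

def vote_2oo3(channels):
    """Triple-redundant trip channels: trip when at least two of three demand it,
    so one spurious or failed channel neither trips the valve nor masks a real trip."""
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    return sum(1 for tripped in channels if tripped) >= 2

def solenoid_demand(phase, channels, last_position, control_position):
    """Return (drive_open_solenoid, drive_close_solenoid, resulting valve position).
    One solenoid moves the double-acting actuator open, the other closed; on a voted
    trip the phase's safe position wins over the controller's demanded position."""
    tripped = vote_2oo3(channels)
    target = SAFE_POSITION[phase] if tripped else control_position
    if target is Position.LAST:
        return False, False, last_position      # neither solenoid driven: actuator holds
    if target is Position.OPEN:
        return True, False, Position.OPEN
    return False, True, Position.CLOSED

if __name__ == "__main__":
    # Heating phase, two channels tripped, controller wants the valve open: it must close.
    print(solenoid_demand("heating", [True, True, False], Position.OPEN, Position.OPEN))
```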