One of the lessons of the shuttle disaster should be to increase the role of the process control engineer in design. Whether it is the control of the landing of a space vehicle or the control of any other critical process, an essential prerequisite of safety is the full understanding of the process. The person who understands both the hardware and the software components of the controlled process must be the process control engineer.
Referring back to the shuttle disaster: When control algorithms are configured, it is essential that their live zero can be distinguished from a loss of measurement signal. All process control engineers know this, but not too many others do. I am not saying there were no process control people on the shuttle's design team or that the loss of measurement signals contributed to the tragedy. My sole purpose is to illustrate a possible chain of events, if some temperature sensors also served as measurement inputs of control algorithms.
If that was the case, when these measurement signals were severed, the loop could have interpreted the loss of input as a reading of low temperature and, in response, could have stopped cooling the aluminum wall. If a process control engineer had been part of the design team, I am sure the wall cooling control algorithms would have distinguished a live zero from a loss of signal…
Naturally, if there was no means of cooling the wall at all, that is even worse. All system components that can overheat in an emergency should always be protected by emergency cooling.
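The live-zero check described above can be sketched as follows. This is an added example, not code from the article or from any flight system; it assumes a 4-20 mA transmitter with NAMUR NE 43 fault bands, and the temperature span, setpoint, gain and function names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Status(Enum):
    GOOD = "good"
    LOSS_OF_SIGNAL = "loss of signal"
    SENSOR_FAULT = "sensor fault (high)"

# Assumed 4-20 mA loop; fault thresholds follow NAMUR NE 43.
LIVE_ZERO_MA, FULL_SCALE_MA = 4.0, 20.0
FAULT_LOW_MA, FAULT_HIGH_MA = 3.6, 21.0
# Hypothetical calibration and tuning values for the wall-temperature loop.
RANGE_LO_C, RANGE_HI_C = 0.0, 400.0
SETPOINT_C, GAIN = 150.0, 0.02

@dataclass
class Reading:
    status: Status
    temp_c: Optional[float]

def _clamp(x: float) -> float:
    return min(max(x, 0.0), 1.0)

def decode(current_ma: float) -> Reading:
    """Separate a genuine bottom-of-scale reading (4 mA) from a dead loop."""
    if current_ma <= FAULT_LOW_MA:
        return Reading(Status.LOSS_OF_SIGNAL, None)
    if current_ma >= FAULT_HIGH_MA:
        return Reading(Status.SENSOR_FAULT, None)
    frac = _clamp((current_ma - LIVE_ZERO_MA) / (FULL_SCALE_MA - LIVE_ZERO_MA))
    return Reading(Status.GOOD, RANGE_LO_C + frac * (RANGE_HI_C - RANGE_LO_C))

def cooling_demand(current_ma: float) -> Tuple[float, bool]:
    """Return (cooling output 0..1, alarm). A bad input fails toward cooling."""
    reading = decode(current_ma)
    if reading.status is not Status.GOOD:
        return 1.0, True  # never treat a severed wire as "cold"
    return _clamp((reading.temp_c - SETPOINT_C) * GAIN), False

def naive_cooling_demand(current_ma: float) -> float:
    """Dead-zero scaling shown for contrast: 0 mA reads as the coldest value."""
    temp_c = RANGE_LO_C + _clamp(current_ma / FULL_SCALE_MA) * (RANGE_HI_C - RANGE_LO_C)
    return _clamp((temp_c - SETPOINT_C) * GAIN)

if __name__ == "__main__":
    for ma in (0.0, 4.0, 10.0, 20.0, 22.0):  # constructed sample inputs
        print(ma, decode(ma).status.value, cooling_demand(ma), naive_cooling_demand(ma))
```

With a severed wire (0 mA) the naive loop shuts cooling off, while the live-zero-aware loop drives full cooling and raises an alarm.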
We learned from the accident at Three Mile Island that a high cooling water level signal does not necessarily mean that full cooling is being provided for the reactor. The level of cooling water can also rise because the water is boiling.
One would think such a simple point would be understood by now throughout the nuclear power industry and the required corrections would have been made. Yet, last year, when I reviewed the level measurement practices at a nuclear power plant, I found over a dozen such misapplications. In these level loops, only hydrostatic head is measured. Therefore, when the water is boiling, we know neither the level nor the mass of coolant inside the reactor or other tank.
One solution to this problem is illustrated in Figure 1, where the use of multiple differential pressure cells makes it possible to independently determine density and total hydrostatic head. If, in addition, one also needs to know the interface between the boiling water and the steam, the installation of a separate refraction-type level detector is recommended.