Control systems are an intrinsic and abundant part of modern life; they control everything from personal aspects of our lives, such as our central heating and the engines of our cars, to massive industrial automation, in industries like factories, distribution warehouses and transportation links. They are responsible for not only completing a task, but ensuring that it is done quickly, efficiently and safely.
This article will discuss the constraints imposed on a control system with huge responsibilities, which must function within a challenging, underwater environment.
There are many hostile environments where engineering is a challenge. The difficulties increase exponentially if protection for individuals is required from the inhospitable surroundings, and even more so if individuals are required to interact with surroundings that could be lethal if uncontrolled. Submarines operate in just such an environment. One of the main challenges of submarine design is not, in fact, preventing water from coming into the vessel, but actually controlling how much and how fast the water is allowed into and out of the boat. The main purpose of controlling water flow is to adjust the submarine’s buoyancy, allowing it to dive and resurface, which can be achieved without creating a direct path for the water into the habitable area of the boat. The other system which controls water flow into and out of the boat is the torpedo launch control system This does have a direct path into the boat, as well as the potential to cause a catastrophic accident if it goes wrong.
Torpedoes can be up to 8m long and weigh up to two tonnes. They must be forcibly ejected from the front of the submarine with enough power to ensure it clears the turbulence, created by the boat moving forwards through the water, and also does not get sucked back into the boat. In order to achieve this, there has to be careful control of extremely high pressure air and water to create a pulse, which ‘pushes’ the torpedo out, whilst simultaneously controlling the internal and external openings.
To launch a torpedo, the crew must load it into the tube, which penetrates the protection boundary of the boat, the pressure hull. This creates a situation whereby the torpedo tube could potentially be opened at either end simultaneously: internally to the submarine, and externally out to the sea. If the external bow opening and internal tube door were to be opened at the same time while the boat is submerged, it could sink the submarine. As such, controlling all of the sensors, solenoids, valves, and interlocks that facilitate a launch is a critical and complex activity.
A system with the potential to cause a catastrophic accident requires a single point of control over the complete set of sensors and actuators. The status of every valve and sensor in the system must be explicitly known by the control system, at all times, in order to prevent erroneous orders being sent. Additionally, the system must carefully regulate the control of the high pressure air and water by millimetre changes in valve aperture openings to ensure that the torpedo is successfully deployed. This demands a communications latency within the system below a certain threshold. A comprehensive system update must be completed within sub second times, i.e. the sensor readings must be received, the information processed, instructions calculated and then sent out to the equipment. This leads to the first of many trade-offs, maximising the data and minimising the latency, i.e. getting the most amount of data in the shortest period of time.
With modern technology, creating this kind of system seems like a relatively easy task, as computing power is continuing to increase. However, the restraints on the system, due to the nature of the operating environment, impact this significantly. Developing a system to launch a torpedo is a constant trade-off; due consideration needs to be given to a range of different factors, which are each equally relevant, but also influence each other.
The control of the sensors and valves regulating the internal and external openings, as well as the flow of high pressure air and water, must be done precisely and in real time. There are many different control systems and technologies available to achieve this, all of them at different points on the scale from fundamental building blocks to fully developed systems. The advantages and disadvantages of some of these are below:
The majority of submarine projects are lengthy, spanning over 10 years in the development and build phases, with a 30+ year service life after they are completed. This proves a challenge to designers of an electronic control system in choosing the current technology. As the pace of technology evolution increases, the rate of turnover of products on the market also increases, and older products become obsolete and no longer supported. A control unit could be chosen at the beginning of the design phase, but a few years later, might be no longer available when it comes to the build … let alone when a replacement is needed 20 years down the line. The only option is to try to ‘future proof’ systems, basing them on technology which either:
Choosing the right technology on which to develop a submarine system must be balanced between capability, speed, functionality, development time, ease of development and obsolescence. The more fundamental the building blocks used, the faster and more efficient the end system can be, as the designer can optimise every aspect. Individually-optimised technology is also likely to be easier to maintain in the future, as there will be greater control and knowledge over each individual element and their interfaces. However, using more fundamental components, it will take longer to develop and require a significantly larger development team, as more specialist designers are required to understand each fundamental building block. This inevitably costs more money.
The consequences of system error range from minor to catastrophic, but when there are potentially hundreds of lives at stake, the worst case scenario must always be considered and accounted for. As such, there must be multiple elements in place to provide a safety system, which sits alongside the normal launch system. This involves, interlocking (for example, stopping the external and internal doors from being opened at the same time), monitoring of interlocks (to check they are working currently and providing true readings as to their status) and redundancy in the form of electrical hardware, mechanical hardware and software.
The software should never command an unsafe operation.
But even if it did:
The first electrical interlock should prevent the operation
But even if that failed:
The second interlock will prevent the operation
But even if that failed:
The mechanical interlock is the failsafe to stop the illegal operation.
The level of safety required drives the design of the system in two ways:
1) Increasing the number of components required increases the processing requirements. As each set of interlocks requires both control and monitoring, the quantity of data to be retrieved and processed increases, and there are more variables to be included in any control decisions made by the main control unit. Increasing the number of components also adds another set of data to be included in each short update cycle. In order to maintain an update cycle latency of less than the maximum allowable time, the processing power must be increased, driving the selection of technology.
2) The technology and components, which are used in the system, must be reliable and have pedigree that can be proven, i.e. have been available and used within the industry for a significant period of time (generally years) without going wrong. All components used, down to the individual resistors, are required to have failure rate data associated with them, and to have been used in a similar environment. This again drives the selection of technology, encouraging the use of older, proven technology - which is generally slower, less efficient, less capable and, critically, more susceptible to obsolescence.
Launch systems are a critical component of a modern naval submarine, for both attack and defence. As such, they need to have high availability. This means that systems must be ‘online’ and in a ready-to-operate state, as well as have ‘high reliability,’ which refers to the length of time for which the system will operate (e.g. 10 years). Both of these factors can be increased by separating and distributing the system’s functions into separate units, and then duplicating those units to perform a task, and provide backups, in case of a failure of the main unit. The main drawback is the increased complexity of controlling multiple different units, which also increases the update latency of the system; there are now a significant number of additional units to query, process information from, and issue control messages to.
The sea water environment outside a submarine can be hostile, but so too can the atmosphere inside the boat. The four competing factors influencing the system are: heat, humidity, strength and size. As submarines travel the globe; they can be in the some of the most extreme climates, with humidity peaking at 100%, meaning the air is completely saturated with water. Because the control system is electronic, it must be sealed in watertight panels to prevent moisture ingress onto its components. The internal temperature of the submarine could reach over 40oC, which is generally well within the operating range of most electronic components (even if the submariners might not function particularly well at these temperatures). However, without the ability to put ventilation in the panels, due to the moisture, the active electronic components can cause the air temperature inside the panel to exceed recommended operating ranges, which could either cause them to fail, or at the very least reduce their operating lifespan (affecting availability and reliability). The solution would be to make the panels out of a material with high thermal conductivity, such as aluminium, which will dissipate the heat as quickly as possible. However, due to the fact the panels have to be capable of withstanding a high shock level (e.g. underwater explosion), they need to be made out of a stronger material, like steel, which has a very low thermal conductivity and does not dissipate the heat as well. As this is the case, the only other thing to do is to increase the size of the panel, so that there is increased surface area to provide cooling. However, as has already been mentioned, space on the boat is a premium commodity that the different systems actively compete for.
Getting the balance right between these elements is critical, as miscalculating it could lead to a system failure.
These are just some of the factors which are essential to consider when developing a control system for a submarine. In addition, this is just one of a multitude of critical systems that need to be included, each one with its own unique requirements and demands.
The design of any control system, regardless of its task, cannot be taken as an isolated element; functionality, technology, interfacing, environment, safety, personnel, implementation and deployment must all be considered in order to form a complete interacting system. Every design decision will have a knock on effect on another element, which may be either obvious or more subtle - and may not even be noticed until it becomes an issue (which might not be for several decades). The challenge is to understand every angle, influence and interface as well as understand the trade-offs between them.