Bath Boats left underwater

[Scholar Gypsy]

On 16/09/2020 at 12:23, MoominPapa said:

The automatic control systems for sluice gates don't seem to be designed like the critical systems they are, with redundancy of sensors, voting, monitoring, and so on. Something similar happened on the Weaver a few weeks ago when the sluices at Vale Royal opened wide and emptied the top end of the river, stranding boats and causing excess water problems downstream.

 

MP.

Is the other issue that it's not obvious (or at least not to me) what the "fail safe" mode should be?  If the software detects a problem eg with the sensors, what it should do with the gate (in addition to calling a human to say there is a problem!)?  At some times shutting the gate could cause problems too. As far as I can see there is no fixed weir here, just two radial gates?

 

Stamp End was a bit hairy when we went through in the floods last year. Roughly 10 mins open (with a strong current upstream) and then 20 mins calm. After a bit of observation we worked out how to safely transit the Glory Hole, moor up in the City, and then approach the lock. 

[MoominPapa]

3 hours ago, Scholar Gypsy said:

Is the other issue that it's not obvious (or at least not to me) what the "fail safe" mode should be?  If the software detects a problem eg with the sensors, what it should do with the gate (in addition to calling a human to say there is a problem!)?  At some times shutting the gate could cause problems too. As far as I can see there is no fixed weir here, just two radial gates?

 

3 hours ago, Scholar Gypsy said:

 

Stamp End was a bit hairy when we went through in the floods last year. Roughly 10 mins open (with a strong current upstream) and then 20 mins calm. After a bit of observation we worked out how to safely transit the Glory Hole, moor up in the City, and then approach the lock. 

The fail safe mode rather depends on the problem, I feel. In the end the ability to raise an alarm and the ability of the organisation to respond to that in a timely manner is probably the best protection. When I talked to the EA control room about the Stamp End girations, they had no idea it was even happening.  As for automatic protections, on the level sensing side, multiple sensors and voting would work. It's pretty easy to spatially distribute them, and even provide a fall back layer of lower precision sensors.  If the control loses all knowledge of water level, the best response is probably "don't move anything and ring the alarm".

 

Control room systems that can monitor levels and raise alarms on unusual situations would be good. 

 

A rather sticky problem on most sluices is that they use bi-directional motors: a single failure in the contactors can end up with the motor running the opposite way to what the control system commands, which is an an obvious hard-open or hard-close situation. That seems to be what happened on the Weaver last month. Redesigning hardware with two motors might help here, or at least separate and redundant position sensors so the control can stop an action if it's not what it commanded and raise an alarm. 

 

Self-test and alarms and redundancy. If it can keep an Airbus flying, it can fix this.

 

MP.

[Scholar Gypsy]

16 minutes ago, MoominPapa said:

 

The fail safe mode rather depends on the problem, I feel. In the end the ability to raise an alarm and the ability of the organisation to respond to that in a timely manner is probably the best protection. When I talked to the EA control room about the Stamp End girations, they had no idea it was even happening.  As for automatic protections, on the level sensing side, multiple sensors and voting would work. It's pretty easy to spatially distribute them, and even provide a fall back layer of lower precision sensors.  If the control loses all knowledge of water level, the best response is probably "don't move anything and ring the alarm".

 

Control room systems that can monitor levels and raise alarms on unusual situations would be good. 

 

A rather sticky problem on most sluices is that they use bi-directional motors: a single failure in the contactors can end up with the motor running the opposite way to what the control system commands, which is an an obvious hard-open or hard-close situation. That seems to be what happened on the Weaver last month. Redesigning hardware with two motors might help here, or at least separate and redundant position sensors so the control can stop an action if it's not what it commanded and raise an alarm. 

 

Self-test and alarms and redundancy. If it can keep an Airbus flying, it can fix this.

 

MP.

Thanks - interesting! I enjoy trying to break systems (in my mind, not physically of course).

It gives me confidence on the boat to have two pairs of coolant temperature and oil pressure sensors, one to inform the gauges and one to set off the buzzer. I have been meaning for a while to add a test button to check the water buzzer circuit. The oil pressure buzzer circuit gets regularly tested, in normal operation.