FOURTH SHIP CONTROL SYSTEMS SYMPOSIUM
October 27-31, 1975
ROYAL NETHERLANDS NAVAL COLLEGE, DEN HELDER, THE NETHERLANDS
SUPPLEMENT

THE SYMPOSIUM WILL BE HELD IN THE NETHERLANDS, THE HAGUE - CONGRESS CENTRE - 27-31 OCTOBER 1975

Statements and opinions expressed in the papers are those of the authors, and do not necessarily represent the views of the Royal Netherlands Navy. The papers have been reproduced exactly as they were received from the authors.

Published by the Royal Netherlands Naval College

SUPPLEMENT CONTENTS

SESSION DI: The plight of the operator. J. Stark and J. Forrest. PAPER NOT RECEIVED
SESSION NI: Naval ships control reliability: a hardware-software issue. P.P. Dogan
SESSION P2: An experiment to determine the effectiveness of the collision avoidance features of a surface ship bridge control console. A.D. Beary Jr. and W.J. Weingartner. PAPER NOT RECEIVED
CURRICULUM VITAE of authors, chairmen, symposium committee members
CHANGES OF CHAIRMEN
ERRATA

NAVAL SHIPS CONTROL RELIABILITY: A HARDWARE-SOFTWARE ISSUE

BY Pierre P. Dogan
The Charles Stark Draper Laboratory, Inc.
Cambridge, Massachusetts (USA)

This paper looks at conceptual approaches to boosting the reliability of ship control systems, based on current and predicted trends in components, and system architectural technologies. References are made from space and other programs. An intimate mix of hardware and software issues need to be addressed; as hardware component technologies progress, often driven by advances from commercial, not military developments, a need emerges for new hardware and software architectures dedicated to the military mission, which the author feels, the market place of commercial developments is not likely to spontaneously create.

1. TRADITIONAL APPROACHES IN NAVAL SHIP CONTROL DESIGN

Manual controls, systematic reliance on several levels of manual backup, as well as the availability of onboard repairs, have been traditional assumptions of the control system design philosophy for naval ships and submarines. The traditional approach in naval ship machinery and motion control can be ascribed to the perception by the military users of a basic lack of high reliability in available control technology. This perception is now being gradually modified by the adoption of digital technology, usually in the form of substitution of analog equipment by programmable digital controllers such as the standard U.S. Navy AN-UYK-20 minicomputer. (1)

In contrast, numerous naval combat systems have recently been, or are being acquired today, where sophisticated real-time integration of sensors, effectors, and displays do not fit the traditional manual control approach at all; in these, increased reliance is made on large central computer complexes (CCC): central computer complexes on surface ships and submarines are typically made of varying combinations of several Navy standard AN-UYK-7 mainframes, and constitute the central nervous system of military payloads distributed along the length of the vehicle.

In the last decade of naval combatant platform design, there was thus, at least for a while, a trend to marry complex military payloads controlled by sophisticated central complexes, to surface or subsurface platforms that relied mostly on manual or only semiautomatic machinery and motion control, or which only recently were slated to use decentralized minicomputers.

Why this contrast? What are the reliability virtues of an "octopus" central computer complex wired to many parts of the ship? Alternatively, for how long will legitimate conservatism in ship control design (i.e., maintain safety, reliability) necessarily imply the rejection of automation?
Can naval automation be reconciled with safety/reliability and low life-cycle cost?

Reliable answers to these questions cannot, of course, be completely given. The thesis of this paper is that the central computer complex trend in combat systems, and the decentralized minicomputer trend in ship control will eventually merge, as the fundamental reliability problem still faced by each trend is gradually resolved. This resolution and merging will result from steady advances in three technology areas:

Microelectronics (large-scale integration and very large-scale integration packaging), and optional transmission components.
Local and distributed fault tolerance.
Ultra-reliable large-scale real-time software made possible by a software reliability approach such as Higher Order Software (HOS). (2,3)

These advances are expected to increase by an order of magnitude or more the confidence level in naval computer control over the next decade.

The contrast in automation and centralization levels between combat and ship control systems can be explained. The complexity and speed requirement of modern combat systems demanded computerization from the onset; systems integration was perceived to be best done through software. From these givens, the combat system designers could leapfrog an intermediate design approach that would have used local dedicated computers, and that would have been prone to equipment proliferation and high logistics cost; a central computer complex approach appeared to offer economies of scale (including, it seemed then, cost reduction), and an increased ability to shift computer loads between tasks, an apparent advantage for casualty control. Reliability was not the overwhelming consideration. Specific attempts to achieve adequate reliability are usually made by complex redundant designs using the replication of whole computers. The very decision to standardize on the AN-UYK-7 computer accelerated this trend.

In ship and submarine machinery and motion control, however, safety and reliability have always been the prime consideration. "Don't lose the ship." Allowance for automation is made sparingly and usually in the context of safety issues involving phenomena occurring at too high a speed for humans to handle (e.g., gas turbine overspeed). In spite of the gradual introduction of automatic control, a much higher level of reliability in control equipment needs to be demonstrated and conveyed to the users community before machinery and motion control of ship and submarines are turned over to "black boxes". While the need for reduction in life-cycle costs through reduced manning is indeed drastic in these days of economic hardship, it has not yet met a sufficiently low-risk level of automation technology to materially impact ship control design.

2. NEW EMERGING NAVAL SHIP CONTROL REQUIREMENTS

Future naval combatant vehicles will need more than maximization of ship availability, a simpler commercial objective. Stringent requirements for reliable equipment and systems operation stem from several facts central to the military mission. However, automation of naval ship control will continue proceeding at a slower pace than in similarly sized commercial ships. Four factors summarized below explain why.

(1) The Military Mission is More Complex--It is impossible to reduce the function of a naval ship crew to mostly or exclusively maintaining ship systems. The crew has the vital function of manning the military payloads for strategic or tactical engagements, a requirement commercial ships do not have. The scenarios of engagement, and the control of these payloads require a high ship control reliability.

(2) Automation of Steady-State Conditions Is Easy; Automation of Transients Is Difficult--The essence of the military mission of a mobile platform such as a surface ship or submarine lies within complex sequences of mission-phase "transients" involving changes in the control of vehicle motion, motion rates, and the activation of payloads. While automatic control can be tailored to steady-state conditions with relative ease (as speed and course-keeping for a commercial ship), the naval ship or submarine requires a control system to optimize the scenario transients within safety limits. For a submarine they are typically: rapid propulsion maneuvering; boat trimming as a function of sometimes rapidly changing speed; quick diving; rapid but covert approach to the surface, especially in agitated seaways; missile launch in a seaway; variable ballast control; combined trimming and steering etc. I believe that the "bottleneck" that specifies the complexity of the ship or submarine control system, and eventually its systems level reliability, lies in the safe transition between these transient mission phases. "Absolute" or ultra-high reliability should be expected of the motion control equipment during these transitions, since the penalty to be incurred for an equipment fault far outweighs the simpler economic penalties that would be incurred by a commercial platform of similar size (i.e., submarine below collapse depth, or broaching through the surface in wartime).

(3) The Human Factor: Ingrained, and Often Justified Risk Aversion--The human factor in accepting automation of naval ship control functions remains dominant. Methods of officer's performance evaluation in peace and wartime probably create a special aversion to having to depend on "black boxes", especially ones that are known to fail more than occasionally.

(4) Wartime Logistics Constraints--From a logistic point of view, it is not reasonable to exaggerate the "short-time-to-repair" design approach, since it implies the availability of spares and relatively high crew skills, both of which can be in short supply, or cannot be made available quickly