
Titanic submarine control considerations

+6
−2

The submarine built by OceanGate went missing on 18th June 2023. A lot of online criticism was directed towards the control hardware of the submarine - Logitech F710 controller.

However, why is this the case? It has 2 dual axis potentiometers and some capacitive sensing buttons. Why is this controller seen as insufficient? Even military equipment seems to be controlled with video game controllers, one reason being that operators are familiar with the controller from playing video games in the past.

One thing that comes to mind is water resistance. If the hull became partially flooded, the controller might get water damage and lose functionality. Besides that, what other safety considerations are there? Is the internet knee-jerk reaction of 'Oh my god they are controlling a submarine with a gaming console, how unprofessional' just an uninformed outcry, or is it founded in legitimate concerns?

If anyone has maritime engineering experience, please share what the industry standards and considerations are when designing controls for submarines.


3 answers

+7
−0

I don't have any special knowledge about how submarines get controlled, so this is mostly speculation.

I expect that the actual controls are fine. There seem to be the necessary degrees of freedom, and as you say, people are already familiar with the interface. In that sense I don't see anything wrong with it.

However, when I heard about it, my first reaction was that it might be irresponsible due to reliability. A consumer game controller like this is going to be optimized for high flashiness and low price. Reliability was likely not a major design consideration, as long as it doesn't fail so often as to be considered junk by the market.

If the controller stopped working when you're playing a game, you'd be annoyed and be out $50. You'd shake it off and get a replacement, maybe a different brand this time. The cost of failure is relatively low. If you suddenly can't control the submarine you're in 2 miles under the ocean, you're going to end up dead. The cost of failure is high.

There is a reason military and other high-rel electronics cost more than the equivalent consumer versions. There are rules for how much every part must be derated for temperature, voltage, and other parameters. You have to do formal testing to show that the product survives in dry heat, damp heat, cold, vibration, electrostatic discharge, etc. These things cost real money and delay the design cycle. I've been through tests like that with industrial products. The tests usually find something that requires the design to be tweaked. All that adds cost, but makes the product more reliable.

Especially for something that goes near the ocean, I'd want contact mating surfaces gold plated. Corrosion, even just due to normal air in a marine environment, is something you have to consider. I'd also want to know that the design passed vibration tests. That's not because a submarine like that vibrates a lot, but because it makes the unit less susceptible to normal dings and small accidents. If you drop your game controller on a concrete floor and it breaks, you'd probably blame yourself. If it got accidentally banged (that's going to happen) and breaks in a submarine, it doesn't matter who you blame, you're dead.

One way I could see the use of a price-optimized game controller being acceptable is if there were at least two spares on board that are regularly checked to make sure they are ready to use. Now you need three failures in three independent units in the space of a few hours before there is a serious problem. That's a much lower risk.

+5
−0

Coming from a background of safety-related applications and industrial control systems, with some maritime applications experience, I could offer a few insights.

These kinds of game controls are literally only good for one single thing: button ruggedness. They need to withstand some pretty brutal treatment. I've done evaluations where we compared button components taken from game consoles with military grade equivalents and there wasn't really much in the way of difference in ruggedness of the actual button mechanics. Number of electrical/mechanical operations, shock & vibration etc, they perform well - to the point where we used the actual buttons from a game console in an industrial control system at one point. They were even better than some military grade components that used hall effect sensors, because hall effect sensors tend to go haywire in demanding environments. So far so good.

Where these fail is when it comes to redundancy. It is customary for safety-critical control systems to have some sort of backup plan when the unexpected, unlikely happens. The mindset difference between general development and safety-related is that the former is at best concerned with "how long can we keep this from failing", whereas the latter does that but also considers "what do we do when it fails". Not if it fails but when it fails. You need a safe mode of some sort when that happens.

In this case, a submarine is similar to automotive or med-tech concerns: when something fails the safe mode is to keep running the best you can, so-called "limp home" mode. So you'd need to have a backup system and/or a backup technology to fall back to.

And with that in mind you also have to consider the application-specific requirements. What happens if the controller gets covered in salt water, for example. These controllers have a pretty low IP class and it would have been reasonable to demand somewhere around IP66/67 even if the environment is expected to be nice and dry in normal conditions. There is a whole set of rules/qualification for marine applications and equipment specifically. IEC 60945 might be applicable - it is used for handheld and bridge-mounted electrical equipment in a maritime setting and covers both EMC and environmental requirements. Including high IP class, salt water/fog tests, UV tests and so on - these tests are tough and marine environments are pretty extreme. In addition, regular EMC + ESD testing and requirements equivalent to the average industrial application.

An unprotected PCB like in the picture probably won't do - you would cover them with some manner of protection like lacquer or silicone, or perhaps simply embed the whole thing in non-conductive moulding. Oxidation would be a major concern, especially around contact areas and poorly made solder joints. Gold-plated connectors and highest IPC class would be some of the standard measures.

Software and microcontrollers for safety-related applications also come with a lot of requirements regarding redundancies and safe modes. Nowadays you typically pick specialized microcontrollers for such applications and you code them according to various coding standards (MISRA-C, SIL etc). You'll need to integrate this with your quality system. Both the software and the PCB will need to implement means to supervise critical functions, so that when something breaks you detect the problem and fall back to a safe mode. The IC and PCB inside the game controller will have none of these safety measures implemented.

And then if it would be a military submarine, we would obviously pile up a whole lot of even more demanding requirements and then all electronics would definitely have to be re-designed, since there's just no chance that some video game console will pass through the extreme EMC testing required - the MIL-STD-461 places military submarines in the toughest EMC category of all possible applications.

Finally, you'll need some sort of maintenance plan. Electronics don't last forever, so they would need to be inspected on a regular basis. For safety-related applications that usually means an annual maintenance where seals, mechanics, connectors etc are checked. And some components like electrolyte capacitors and microcontrollers always come with a "best-before" date, even if that means they'll work just fine for 10+ years - but then what?


This specific disaster will no doubt get examined by an accident commission and it will end up in court sooner or later. And in court, the designers will have to make an argument that they did their best in following engineering/maritime standards and best practices. If they have at least made that attempt but it failed anyway, then juridically they are in a much better position than if they put some video game controllers or Arduinos in there - then it's an open goal for the prosecution. The designers will need to show documentation that they put this whole thing through maritime certification from some reputable 3rd party test house.


+2
−0

One of the challenges with this particular controller is that it's wireless. Wireless devices need a) a clear enough RF channel to the receiver and b) a suitable power supply, namely batteries. Both of these problems are common enough for most people to be familiar with them. The alternative is providing a wire which offers both power and signalling.

When conducting a risk analysis of such a system, the wireless version is susceptible to both loss of power and loss of signal (e.g. interference). The wired version will not suffer from these unless the cable is damaged.

In a small sub there's basically no benefit to having wireless (because the controller is only ever going to be used from one location) and it introduces further risks. In a safety-conscious engineering design, it is hard to see why you would choose the wireless controller.
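An added example, not code from any of the answers above or from the vessel discussed: a minimal input supervisor in C showing what "supervise critical functions and fall back to a safe mode" can look like for the loss-of-signal and loss-of-power cases raised for a wireless handheld. The two-source layout (wireless primary, wired backup), every name, and all thresholds are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Names and thresholds are assumptions for illustration only. */
#define LINK_TIMEOUT_MS 200u /* silence longer than this: link declared lost */
#define BATT_MIN_MV 2200u    /* below this the handheld is no longer trusted */
#define AXIS_LIMIT 1000      /* plausible stick range is -1000..1000 */

typedef enum { SRC_PRIMARY, SRC_BACKUP, SRC_NONE } source_id_t;
typedef struct {
    uint32_t last_rx_ms; /* time of the last accepted frame */
    int16_t axis[2];     /* last accepted stick values */
    bool latched_fault;  /* stays set so a flapping source cannot retake control */
} source_t;
typedef struct { source_t src[2]; source_id_t active; int16_t out[2]; } supervisor_t;

void sup_init(supervisor_t *s, uint32_t now_ms) {
    for (int i = 0; i < 2; i++)
        s->src[i] = (source_t){ .last_rx_ms = now_ms };
    s->active = SRC_PRIMARY;
    s->out[0] = s->out[1] = 0;
}

/* Accept one frame; implausible data or low supply latches a fault. */
void sup_on_frame(supervisor_t *s, source_id_t id, const int16_t axis[2],
                  uint16_t batt_mv, uint32_t now_ms) {
    if (id == SRC_NONE) return;
    source_t *c = &s->src[id];
    for (int i = 0; i < 2; i++)
        if (axis[i] < -AXIS_LIMIT || axis[i] > AXIS_LIMIT) c->latched_fault = true;
    if (batt_mv < BATT_MIN_MV) c->latched_fault = true;
    if (c->latched_fault) return; /* never refresh a faulted source */
    c->axis[0] = axis[0];
    c->axis[1] = axis[1];
    c->last_rx_ms = now_ms;
}

/* Periodic check: use the best healthy source, otherwise command neutral. */
source_id_t sup_tick(supervisor_t *s, uint32_t now_ms) {
    s->active = SRC_NONE;
    s->out[0] = s->out[1] = 0; /* safe default: neutral output */
    for (int i = SRC_BACKUP; i >= SRC_PRIMARY; i--) {
        source_t *c = &s->src[i];
        if ((uint32_t)(now_ms - c->last_rx_ms) > LINK_TIMEOUT_MS) c->latched_fault = true;
        if (c->latched_fault) continue;
        s->active = (source_id_t)i; /* primary is checked last, so it wins */
        s->out[0] = c->axis[0];
        s->out[1] = c->axis[1];
    }
    return s->active;
}
```

Latching every fault until a manual reset is one possible policy; a real design would derive the timeout and the recovery rules from its own hazard analysis.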
