The evaluation of bridge design or rehabilitation
options depends partly on a range of restrictions and variables,
most of which are a function of the site. This is particularly
true in an urban environment. For instance, in a bridge type
study, the choices can include bridge vs. tunnel, and fixed
bridge vs. movable bridge. In this situation, it is important
that one bring to the study a full understanding of all these
types of structures. In the case of movable bridges, one must
also be able to evaluate all of the various types and be prepared
to bring innovation to the process.
The Hood Canal Bridge connects
the Olympic Peninsula with the Port Gamble area in western Washington
State. The bridge was the world's first floating drawbridge over
tidal waters when completed in 1961. It spans 2.4 km (1.5 miles)
and carries east and westbound lanes of SR 104 traffic over the
Hood Canal. The canal reaches depths of 92 m (300 feet) in places
under the bridge.
The bridge is a floating concrete structure that utilizes a series
of concrete pontoons with two floating draw spans at the center.
The draw spans are designed to provide a 183-m (600-foot) wide opening
for navigation. They divide the bridge into eastern and western
halves.
In 1979, a severe winter storm destroyed the western half of the
bridge. It was replaced in 1982 with a new design, as described
in "The Hood Canal Floating Bridge" by Mike Abrahams.
In 1985, the control system was partially retrofitted with a programmable
logic controller (PLC) and a microwave communication link to the
eastern structure control system to provide wireless communication
between the control systems for the eastern and western structures.
Both structures
have independent electrical power sources, power distribution systems
and control systems.
Inspection Identifies Anomalies
When PB inspected the western structure control system recently,
we noticed two apparent anomalies:
- The presence of 60 volts a.c. on the western
structure longitudinal lock control circuit and motor feeders.
The feeder circuit breakers were open and the feeders should have
been at zero volts.
- The presence of 220 volts a.c. to ground
and 53 volts a.c. to ground on the legs of the main control circuit.
The voltage expected on this circuit was a balanced 120 volts
a.c. to ground, and 240 volts a.c. leg-to-leg.
We were retained subsequently to
conduct a study of the western structure control system. Our aim
was to identify anomalies that were noticed during the preceding
inspection and to develop a plan for corrective action that would
make the control system acceptable for continued service. We conducted
the study in March 1999, with the assistance of maintenance personnel
from the Washington Department of Transportation (WSDOT).
Approach
The fundamental concern with a 240-volt a.c. ungrounded control
system is that a conductor fault to ground will go undetected. If
a ground fault occurs in a 120-volt a.c. grounded system, a high
current will flow to ground and trip the circuit breaker or blow
the fuse. In an ungrounded system, a fault to bridge steel (structural
members, concrete reinforcement bars, conduit and guardrails) can
put voltage on the steel without any current and can go undetected
indefinitely. Bridge steel to which a conductor has faulted presents a shock
hazard to personnel. If a second fault to the bridge steel occurs,
then motors, valves, gates and relays can operate unexpectedly.
The present National Electrical Code (NEC) 1999 restricts the use
of ungrounded control systems for these reasons. [Ed. note: See
discussion of the Evergreen Point Bridge in "Bridge
Electrical Inspections" by Bert Crouthamel and others for
an example of a failure in an ungrounded system.]
In certain applications, NEC will permit the use of ungrounded control
systems with proper ground fault monitoring. These applications
are those that must be fault tolerant as opposed to fail-safe, such
as a fire water pump. A single fault to ground would be detected
and alarmed, but the pump circuit breaker would not trip and would
allow the pump to operate. The reason for this exception is that
during a fire a conductor is likely to fault, but the fire
is the greater risk. Ungrounded control systems are rarely used
outside of power plants, critical industrial processes and fire
protection systems.
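The difference between the two grounding schemes can be checked by enumeration. The following is an added example, not part of the original study: a deliberately simplified, constructed circuit (supply legs A and B, a solenoid between node S and leg B, an open control contact between A and S; these names are assumptions and are not taken from the bridge schematics) is searched for the smallest set of ground faults that energizes the solenoid without tripping a breaker.

```python
from itertools import combinations

# Constructed, simplified model (an assumption, not the bridge schematic):
# supply legs A and B; solenoid wired between node S and leg B; the control
# contact between A and S is open. G stands for bridge steel / ground.
CONDUCTORS = ("A", "B", "S")

def _root_finder(links):
    """Merge nodes joined by zero-impedance links; return a root lookup."""
    parent = {n: n for n in CONDUCTORS + ("G",)}
    def find(n):
        while parent[n] != n:
            n = parent[n]
        return n
    for a, b in links:
        parent[find(a)] = find(b)
    return find

def classify(ground_faults, grounded):
    """Outcome when the given conductors are faulted to ground."""
    links = [(c, "G") for c in ground_faults]
    if grounded:
        links.append(("B", "G"))  # leg B is the bonded (grounded) neutral
    find = _root_finder(links)
    if find("A") == find("B"):
        return "trip"      # leg-to-leg short: breaker opens, fault is detected
    if find("S") == find("A"):
        return "operate"   # open contact bypassed via ground: solenoid energizes
    return "latent"        # no fault current flows, nothing reveals the fault

def min_faults_to_operate(grounded):
    """Smallest set of ground faults that operates the solenoid, or None."""
    for k in range(1, len(CONDUCTORS) + 1):
        for faults in combinations(CONDUCTORS, k):
            if classify(faults, grounded) == "operate":
                return k, faults
    return None

if __name__ == "__main__":
    for grounded in (False, True):
        label = "grounded" if grounded else "ungrounded"
        print(label, min_faults_to_operate(grounded))
```

In the ungrounded case the first fault on leg A is classified as latent and a second fault on S operates the solenoid; in the grounded case every fault on leg A trips the breaker first, so the search finds no combination of ground faults that operates it.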
Another concern was that separate voltage sources might be superimposed and
that the 220-volt a.c. leg could cause unintended operations. We isolated
the control system circuits methodically to determine if independent
voltage sources were having an additive effect. Test measurements
of voltage, current and resistance were made under various states
of operation and rest. Control circuit continuity was tested and
wiring was traced to verify the system schematics. Paths for induced
voltages were studied and isolated, and circuits were tested to
determine if any ground faults were present.
The main control circuit feeder conductors were measured to ground
with results showing high ohm values. This result indicated there
were no direct faults to ground. The main control transformer (T1)
was tested to verify that it was operating properly. All testing
was performed with the control system communications link to the
east structure off and with critical motor starter circuit breakers
open.
Control System Standards
It is necessary to determine what constitutes an acceptable risk
when engineering movable bridge control systems. The American Association
of State Highway and Transportation Officials (AASHTO) code offers
some guidance, but AASHTO specifications and recommendations are
limited with regard to control systems.
AASHTO specifies that motor and machine brakes for movable bridges
must have fail-safe controls. Unfortunately, these specifications
mention only a preference for grounded control systems and fall
short of mentioning specific fail-safe control system requirements.
Control system standards established for equipment similar to that
found on movable bridges are being used with success.
It is a widely recognized essential requirement that a single electrical
or control system fault should not cause unintended operations.
Most control system standards require designs in which two faults
will not cause unintended operations. Some standards require a control
system that is fault tolerant while being fail-safe as well. Generally,
it is not acceptable for a movable bridge control system to have
two faults cause an unintended operation.

Figure 1: Unused wires were abandoned in place.
Control System Description
The control system for the western structure was originally a single
phase, 60 Hz, 240-volt a.c., ungrounded, hardwired relay system.
The 1985 partial retrofit included the addition of a PLC and a microwave
communication link to the eastern structure control system. The
present control system evolved into a hybrid of hardwired relays
and PLC with unused wires abandoned in place (Figure 1). The control
voltage remains 240-volt a.c. ungrounded for the relays and PLC
outputs (Figure 2). The PLC inputs use 120
volts a.c. power with a grounded neutral. The PLC addition was designed
to allow operations of eastern and western draw spans from either
the western control room or
the eastern control room without needing a submarine cable. The
western control system includes:
- A control desk in the western tower control
room
- Two hardwired relay panels in the western
tower
- A PLC cabinet.
The control system power originates
at a 20-amp circuit breaker. The breaker serves 480-volt a.c. single-phase
power to the main control transformer (T1). The transformer secondary
supplies 240 volts a.c. power to the control circuits. A lighting
panel provides 120 volts a.c. to an uninterruptible power supply
(UPS) that serves the PLC processor and input modules. The lighting
panel also powers the public address system.

Figure 2: Hood Canal Bridge, West Control System Study Sketch
Findings
Fault Analysis. There were three basic types of control system
faults to consider with this system:
- Conductor fault to bridge steel, a panel
enclosure or other common ground point
- Conductor fault to another conductor (this
type of fault is rare, but could result in an energized conductor
touching an otherwise de-energized conductor and establishing
a circuit)
- Fault at the PLC's 240 volts a.c. triac outputs.
A conductor-to-conductor fault
is rare but not impossible. We recommended that maintenance be performed
routinely to torque all electrical terminals to avoid loose wires.
This is especially important because the west structure control
panels are on the south flanking pontoon and are constantly exposed
to heavy cyclical vibration caused by waves. The prevailing south
winds frequently cause large waves in the Hood Canal. Roadway traffic
induced vibration was an additional cause for concern.
Triacs tend to fail in the short circuit mode. Such a failure can
be intermittent, making it difficult to detect. The failure would
operate any device connected to the output.
In addition, the entire PLC cabinet and contents were at risk of
a common mode fault. The UPS battery bank was located on top of
the PLC cabinet. A battery acid leak could have resulted in many
possible combinations of open and shorted control circuits. Furthermore,
off-gassing from overcharging batteries presented an explosion hazard
in the electrical room.
The western span lift control circuits were less vulnerable to unintended
operation due to faults. It would require two faults to start a
hydraulic lift pump and a third fault to energize a lift solenoid
valve. It would take extreme conditions for three faults to occur
coincidentally. One common mode fault might be heavy roadway traffic
or severe winter storms vibrating control wires loose from the terminals.
Another common mode fault could be an animal chewing through a wire
bundle. It was possible for two of the faults to occur over time
and go undetected until the third fault occurred.
Longitudinal Span Locks: Unintended Operations.
Two longitudinal locks couple the eastern and western draw spans.
The locks are hydraulically operated and require a maintained fluid
pressure. The pump control circuit is kept energized so the pump
can start automatically if the fluid pressure bleeds down.
We determined that the following scenario could result in the unintended
unlocking of both longitudinal locks in a manner that could go undetected:
The western bridge control circuit that unlocks the
longitudinal locks does not have power to it normally until the
bridge is made ready for an opening. It would take two concurrent
faults to unlock these locks. For example, one of the main control
circuit wires has a back-fed voltage. This back-feed is possible
because of a jumper of unknown origin. The jumper effectively bypasses
a control relay used to ready the control system for operation.
A wire connected to the unlocking solenoid valves could fault to
ground. If any of the main control circuit return wires also fault
to ground, then the ground path could complete a circuit and the
unlocking solenoid valves would energize. This would result in unlocking
the longitudinal locks.
The longitudinal locks have two
levels of mechanical redundancy:
- The presence of two longitudinal locks, although
this redundancy must be discounted because they are both needed
for span alignment and they share a common control circuit
- The presence of the northern and southern end locks in the machine
houses.
The end locks would help to limit
the motion of the western span if the longitudinal locks become
unlocked. The eastern span end locks are not used so the span can
move with the tide. Therefore, the eastern and western spans are
likely to separate if the longitudinal locks become unlocked. We
recommended that the control circuits for longitudinal locks be
modified until the bridge control system could be replaced.
Traffic and Barrier Gates: Unintended Operations. The undetected,
two-ground-fault scenario is not restricted to the longitudinal
span locks. This condition can occur with any electrically operated
device in this control system. The greatest risk to the users of
the bridge would be the unintended operation of a traffic gate or
the barrier gate while the bridge is open to roadway traffic. The
barrier gate will close if a motor control circuit wire connects
to a main control circuit wire through two ground faults because
a complete circuit will put 240 volts a.c. across the gate motor
starter relay.
A similar situation could occur when the control system is made
ready for an operation. If two ground faults that connect any of
the main control circuit wires to either motor control circuit wire
have occurred, then the barrier gate will close as soon as the traffic
warning light is turned on while the traffic gates are still open.
The western traffic gates will close unintentionally if a single
failure occurs when the western traffic warning signal is turned
"on" from the eastern structure control room. The scenario
is as follows:
A single triac short circuit failure on a specific
PLC output occurs. The output is for the eastern control of western
traffic gates down command. This will energize the gate control
relay just as soon as the western traffic warning signal is turned
on, but only if operating the western structure from the eastern
control room. The gate control relay operates one of two western
traffic gate motor starters.
Two coincident triac short circuit
failures on specific output addresses would cause the northwest
traffic gate to close unintentionally without any operator action.
Similarly, two other coincident triac short circuit failures would
also cause the southwest traffic gate to close. One failure could
go undetected indefinitely until a second failure caused a gate
to close with traffic on the bridge.
Recommendations
We made the following recommendations, which would greatly reduce
the possibility of unintended equipment operations:
- Replace the control system with a grounded,
120-volt a.c. system.
- Replace the hardwired relays and triac outputs
with a PLC using relay type outputs.
- Replace some 240-volt devices with 120-volt equipment, such
as the hydraulic solenoid valves and the motor starter coils.
A grounded control system will
be faster and easier for the client to troubleshoot because there
will be no back-feeding voltages. Any fault to ground will cause
a breaker to trip with a grounded system. The system should be designed
to be fail-safe. Control configuration should be engineered to require
four or more coincidental faults before the longitudinal span locks
or gates can operate unintentionally. For the remaining equipment,
it is acceptable for three coincidental faults to cause unintended
operations, but common mode failures should be minimized. Consideration
should also be given to using vibration proof terminals for all
new wiring.
It will be necessary to keep the bridge operational as long as possible
and minimize down time. Therefore, field wiring replacements must
be minimized and it will be necessary to make some new conduit penetrations.
Any new conduit penetration will require a non-destructive method
for locating reinforcing bars and tendons. Core drilling the floating
concrete pontoons must be done with extreme care.
As a result of our recommendations, the western half of the bridge
is scheduled for a total control system rehabilitation. Interim
safety provisions were made to the bridge operating procedures until
the rehabilitation is completed.