DYNAMIC POSITIONING CONFERENCE OCTOBER 9‐11, 2017 DESIGN Independent Performance Validation for Robust and Resilient DP Systems Steven Cargill DNV GL Noble Denton Marine Services Chunying Li Aspin Kemp & Associats
The three pegs The basis of confidence Intent and Defense in objective depth Objective driven verification and validation
Intent and objective • Intent : Incident free DP operations • Objective: A DP system which is: • Reliable • Robust • Resilient • Reduce burden on crew and vessel time required to achieve objective Intent and objective Outcome and objective driven
Basis of confidence • Everything we do to give us reasonable confidence we will achieve our objective - includes many activities and processes: • Good vessel and DP system design • Fault tolerant DP systems • FMEAs and supporting studies • Crew competence • Develop procedures and decision support tools • Identification of the barriers to loss of The basis of position. confidence
Defense in depth • The process of maintaining the barriers • All the things we do to check the barriers are intact: • Field arrival trials • Annual DP trials • Renewal trials • Planned maintenance • Gap analysis – new knowledge and learnings from incidents • Crew training Defense in depth • Inspection and survey What we do
Station keeping integrity • No single failure is to lead to a loss of position • Fault tolerant systems based on redundancy • Hidden failures compromise redundancy • System is only fully fault tolerant when intact • Potential hidden failures include: • Deterioration in system performance • Defective protection systems and other dormant functions. • Hidden failures must be detected. Functional requirement
Traditional verification processes • Classification society rules and surveys during construction and in- service • DP system FMEAs, proving trials and sea trials • Field arrival trials • Annual DP trials (continuous or batch) • Planned maintenance activities • Check lists. Barriers to loss of position
DP Incidents • DP loss of position incidents continue to occur • Many are not single point failures • Single failure plus hidden failure • Surviving machinery unable to accept the load transfer • Protective functions did not work as expected • Validation or verification issue Enviroment Causes of DP Incidents Power and Propulsion Sensors and Refernces Operator Error Still too many DP incidents
Independent Performance Validation • Independent Performance Validation (IPV) is a ‘Principle’ that is outcome and objective driven. • It is described as ‘independent’ because it is agnostic to the type of hardware, software and system provider to which it is applied. • It is a form of ‘defense in depth’ that is used to validate and verify the barriers to loss of position in any DP system but can also be applied to other mission critical equipment.
In simple terms • Know how the DP system works in detail • Monitor and test its performance to build confidence and predictability • Develop and test the barriers to loss of position. Healthy to operate Test on PORT demand T5 T3 PORT MAIN SWITCHBOARD CENTRE G5 G6 SWITCHBOARD G3 T6 T1 Designed to FORWARD AFT G4 G1 G2 test STARBOARD MAIN SWITCHBOARD T4 T2 STARBOARD Verification
Change in test objectives New methods Protection Performance Detection Existing ng m met ethods ds System System • Constrained by ned by met etho hods ds • Constrained by ned by execut ution t n time Test on demand • Complia liance not o objectiv ive d driv riven Adding value to the process
Low burden • Objective: Reduce out-of-service time and improve DP system verification • Combination of: • Condition monitoring with data analytics • Semi automatic testing – Easy and safe to execute.
Seven pillars Fault ride through Predictability through design validation Fault resistance Incident Free DP Operations Fault tolerance Predictability Differentiation Separation Independence Autonomy
Predictability through system verification • Any verification process requires a: • Scope • Schedule • (schedule may be variable and controllable - condition & event driven) • What & Why • When
Identifying the verification scope • Essential attributes in DP redundancy concept: • Performance attributes • Protective functions (including standby redundancy) • Alarms and indications required to initiate intervention. • There may be many performance attributes that are useful indicators: • Static and dynamic capacity, power, load acceptance • Throughput, flow rate, differential pressure, temperature • Ride through • Error levels. • What is the origin of the focus on performance and protection? – WHY? Verification scope can be derived from FMEA
Essential attributes Detection Alarms REDUNDANT REDUNDANT GROUP A GROUP B LOSS OF POSITION OR HEADING Performance Performance T1 OR REDUNDANT REDUNDANT T2 GROUP A GROUP B DRIFT DRIVE FAULT TREE OFF OFF Testing T1 T3 T2 T4 AND OR T3 T4 Protection TWO COMPLETELY INDEPENDENT EACH REDUNDANT GROUP EQUIPMENT GROUPS MUST BE CAPABLE OF DEVELOPING EACH CAPABLE OF PROVIDING SURGE, SWAY & YAW THE REQUIRED POST FAILURE Protection DP CAPABILITY LOSS OF LOSS OF DRIVE OFF DRIVE OFF POSITIONING POSITIONING IN IN BY BY GROUP A GROUP B GROUP A GROUP B Simple redundancy concept
Verification schedule • Traditional verification methods defined schedule and constrained scope • New methods confidence and event driven • Must satisfy a number of stakeholders including manufacturers and classification societies.
Classification society initiatives The major classification societies are consulting with industry stakeholders on how to enable remote verification for class DP surveys. LESS MORE
Practical examples Verification of: 1. Protection for power plant operating with closed busties 2. Systems for blackout recovery 3. Parameters and software revisions in critical controllers. IPV in action
Cascade waveform injection testing • Testing the switchboard protection systems with three phase waveforms derived from time domain model of power plant • ‘Cascade’ because all levels of protection can be tested in sequence • Much wider range of simulated faults and plant configurations than is possible with live testing • Explore limits and boundaries in a low stress environment • Better than modelling alone – finds hardware issues and design flaws. IPV in action
Principle of injection testing SPEED f P = √3 V LINE I LINE COS Ø kW V I NEUTRAL GEN VT INCOMER CONTROLLER OPEN FOR TEST G GEN PROTECTION RELAY CONTROL CCT I PHASE TEST SET OPEN FOR NEUTRAL TEST OPEN RETURN PORT 11kV BUS CENTRE STARBOARD OPEN CLOSED TRIP BUS VT BUS VT LOCKED OUT LOCKED OUT TIE LINE VT TIE LINE FEEDER VT PROTECTION CONTROL CONTROL RELAY CCT CCT CONTROL CONTROL CCT CCT FAULT CURRENT FAULT VOLTAGE WAVEFORM WAVEFORM 3 PHASE A B C N A B C N V & I MATH 110Vac MODEL CURRENT VOLTAGE POWER FAULT ARBITRARY WAVEFORM WAVEFORMS GENERATOR Connections to switchboard
Waveform injection in practice Proof of concept
Production version Data acquisition Profibus sniffer External test leads and recording equipment replaced by embedded highspeed data acquisition and logging equipment IPV in practice
Waveform generator Voltage Current • Multichannel arbitrary waveform generator interfaced to switchboard through harness • Simulating a high current fault Proof of concept
Testing protection response Constant kW Rising frequency Governor fails to full fuel
High reliability in blackout recovery PRE-MAG LOCAL EMERGENCY 110Vdc BUS 690V 690V MCC 690V SWBD DIST Multiple power sources OPERATOR INTERFACE AND CONTROL K001 K002 K002 • LOCAL / REMOTE • START / STOP • PUMP E-STOP / LOCK OUT • POWER SELECTION HIGH RELIABILITY 690Vac BUS • DUTY STANDBY SELECTION • POWER AVAILABLE • RUNNING SOURCE INDICATION K004 K005 K006 • RUNNING INDICATION • PUMP AVAILABLE INDICATION HIGH • REMOTE SHUTDOWN 690/ 690/ RELIABILITY • 230 230 POWER SUPPLY HEALTHY G002 G001 BUS OUTPUT = = = 24V DIST K007 M M AIR PRESSURE SUPPLY FLOW PUMP PUMP 1 2 1 2 GENERATOR JW COOLING VALVES FUEL PUMPS PNEUMATIC PUMP STATUS AIR PROCESS MONITORING DRIVEN Periodic automatic test of pumps PUMP EMERGENCY FUEL TO ENGINES Monitoring of other dormant functions
User configurable settings Monitoring parameters and access to digital controllers • Parameters affect performance (also SW Rev) • Wrong parameters continue to cause DP incidents • Parameters get changed inadvertently Parameter verification
Monitoring of parameters Digital controllers for one generator To alarm system and email server Comparing parameter and software revisions
Monitoring access, parameters and revisions • Green Bee gathering data from generator protection relay • Yellow Bee and Green Bee Proof of concept
Recommend
More recommend
