Independent Performance Validation for Robust and Resilient DP - - PowerPoint PPT Presentation

DYNAMIC POSITIONING CONFERENCE

OCTOBER 9‐11, 2017

DESIGN

Independent Performance Validation for Robust and Resilient DP Systems

Steven Cargill DNV GL Noble Denton Marine Services Chunying Li Aspin Kemp & Associats

Objective driven verification and validation

The three pegs

The basis of confidence Defense in depth Intent and

• bjective

• Intent: Incident free DP operations
• Objective: A DP system which is:
• Reliable
• Robust
• Resilient
• Reduce burden on crew and vessel time required to achieve
• bjective

Intent and objective

Outcome and objective driven

Intent and

• bjective

• Everything we do to give us reasonable

confidence we will achieve our objective - includes many activities and processes:

• Good vessel and DP system design
• Fault tolerant DP systems
• FMEAs and supporting studies
• Crew competence
• Develop procedures and decision support

tools

• Identification of the barriers to loss of

position.

Basis of confidence

The basis of confidence

• The process of maintaining the barriers
• All the things we do to check the barriers are intact:
• Field arrival trials
• Annual DP trials
• Renewal trials
• Planned maintenance
• Gap analysis – new knowledge and learnings

from incidents

• Crew training
• Inspection and survey

Defense in depth

What we do

Defense in depth

• No single failure is to lead to a loss of position
• Fault tolerant systems based on redundancy
• Hidden failures compromise redundancy
• System is only fully fault tolerant when intact
• Potential hidden failures include:
• Deterioration in system performance
• Defective protection systems and other dormant functions.
• Hidden failures must be detected.

Station keeping integrity

Functional requirement

• Classification society rules and surveys during construction and in-

service

• DP system FMEAs, proving trials and sea trials
• Field arrival trials
• Annual DP trials (continuous or batch)
• Planned maintenance activities
• Check lists.

Traditional verification processes

Barriers to loss of position

• DP loss of position incidents continue to occur
• Many are not single point failures
• Single failure plus hidden failure
• Surviving machinery unable to accept the load transfer
• Protective functions did not work as expected
• Validation or verification issue

DP Incidents

Still too many DP incidents

Causes of DP Incidents

Enviroment Power and Propulsion Sensors and Refernces Operator Error

• Independent Performance Validation (IPV) is a ‘Principle’ that is
• utcome and objective driven.
• It is described as ‘independent’ because it is agnostic to the type of

hardware, software and system provider to which it is applied.

• It is a form of ‘defense in depth’ that is used to validate and verify the

barriers to loss of position in any DP system but can also be applied to

• ther mission critical equipment.

Independent Performance Validation

• Know how the DP system works in detail
• Monitor and test its performance to build confidence and

predictability

• Develop and test the barriers to loss of position.

In simple terms

Verification

Designed to test Test on demand Healthy to

• perate

Adding value to the process

Change in test objectives

Performance Protection Test on demand System Existing ng m met ethods ds New methods

• Constrained by

ned by met etho hods ds

• Constrained by

ned by execut ution t n time

• Complia

liance not o

• bjectiv

ive d driv riven System Detection

• Objective: Reduce out-of-service time and improve DP system

verification

• Combination of:
• Condition monitoring with data analytics
• Semi automatic testing – Easy and safe to execute.

Low burden

Seven pillars

Predictability through design validation

Independence Autonomy Differentiation Fault tolerance Fault resistance Fault ride through Separation Predictability Incident Free DP Operations

Predictability through system verification

• Any verification process requires a:
• Scope
• Schedule
• (schedule may be variable and controllable - condition & event

driven)

• What & Why
• When

• Essential attributes in DP redundancy concept:
• Performance attributes
• Protective functions (including standby redundancy)
• Alarms and indications required to initiate intervention.
• There may be many performance attributes that are useful indicators:
• Static and dynamic capacity, power, load acceptance
• Throughput, flow rate, differential pressure, temperature
• Ride through
• Error levels.
• What is the origin of the focus on performance and protection? –

WHY?

Identifying the verification scope

Verification scope can be derived from FMEA

Essential attributes

Performance



T4 T3 T2 T1 EACH REDUNDANT GROUP MUST BE CAPABLE OF DEVELOPING SURGE, SWAY & YAW T1 T3 T2 T4 REDUNDANT GROUP A REDUNDANT GROUP B REDUNDANT GROUP A REDUNDANT GROUP B TWO COMPLETELY INDEPENDENT EQUIPMENT GROUPS EACH CAPABLE OF PROVIDING THE REQUIRED POST FAILURE DP CAPABILITY LOSS OF POSITION OR HEADING OR DRIFT OFF DRIVE OFF AND OR LOSS OF POSITIONING BY GROUP A LOSS OF POSITIONING BY GROUP B DRIVE OFF IN GROUP A DRIVE OFF IN GROUP B FAULT TREE

Performance

 

Protection Detection



Alarms Testing Protection 

Simple redundancy concept

Verification schedule

• Traditional verification methods defined schedule and constrained

scope

• New methods confidence and event driven
• Must satisfy a number of stakeholders including manufacturers and

classification societies.

The major classification societies are consulting with industry stakeholders on how to enable remote verification for class DP surveys.

Classification society initiatives

LESS MORE

Verification of:

• 1. Protection for power plant operating with closed busties
• 2. Systems for blackout recovery
• 3. Parameters and software revisions in critical controllers.

Practical examples

IPV in action

• Testing the switchboard protection systems with three phase

waveforms derived from time domain model of power plant

• ‘Cascade’ because all levels of protection can be tested in sequence
• Much wider range of simulated faults and plant configurations than is

possible with live testing

• Explore limits and boundaries in a low stress environment
• Better than modelling alone – finds hardware issues and design flaws.

Cascade waveform injection testing

IPV in action

Connections to switchboard

Principle of injection testing

11kV BUS CENTRE PORT STARBOARD OPEN CLOSED TIE LINE VT GEN VT CONTROL CCT CONTROL CCT BUS VT FEEDER PROTECTION RELAY GEN PROTECTION RELAY G OPEN FOR TEST OPEN FOR TEST OPEN I PHASE NEUTRAL INCOMER CONTROLLER TEST SET NEUTRAL RETURN BUS VT CONTROL CCT CONTROL CCT CONTROL CCT TIE LINE VT CURRENT VOLTAGE A B C N A B C N ARBITRARY WAVEFORM GENERATOR 110Vac POWER MATH MODEL 3 PHASE V & I FAULT WAVEFORMS FAULT CURRENT WAVEFORM FAULT VOLTAGE WAVEFORM kW V I f P = √3 VLINE I LINE COS Ø SPEED TRIP LOCKED OUT LOCKED OUT

Waveform injection in practice

Proof of concept

Production version

External test leads and recording equipment replaced by embedded highspeed data acquisition and logging equipment Data acquisition Profibus sniffer

IPV in practice

• Multichannel arbitrary waveform generator interfaced to

switchboard through harness

• Simulating a high current fault

Waveform generator

Proof of concept

Voltage Current

Testing protection response

Governor fails to full fuel

Rising frequency Constant kW

Monitoring of other dormant functions

High reliability in blackout recovery

PRE-MAG BUS 690V K001 LOCAL 690V MCC K002 EMERGENCY 690V SWBD K002 HIGH RELIABILITY 690Vac BUS K004 K005 K006 HIGH RELIABILITY BUS OUTPUT

= = =

110Vdc DIST M M 24V DIST K007 PUMP 2 PUMP 1 PROCESS MONITORING GENERATOR FUEL PUMPS AIR DRIVEN PUMP EMERGENCY FUEL TO ENGINES PNEUMATIC PUMP STATUS PRESSURE FLOW G001 G002 690/ 230 690/ 230 JW COOLING VALVES 1 2 AIR SUPPLY OPERATOR INTERFACE AND CONTROL

• LOCAL / REMOTE
• START / STOP
• PUMP E-STOP / LOCK OUT
• POWER SELECTION
• DUTY STANDBY SELECTION
• POWER AVAILABLE
• RUNNING SOURCE INDICATION
• RUNNING INDICATION
• PUMP AVAILABLE INDICATION
• REMOTE SHUTDOWN
• POWER SUPPLY HEALTHY

Periodic automatic test of pumps Multiple power sources

Monitoring parameters and access to digital controllers

User configurable settings

Parameter verification

• Parameters affect performance (also SW Rev)
• Wrong parameters continue to cause DP incidents
• Parameters get changed inadvertently

Comparing parameter and software revisions

Monitoring of parameters

Digital controllers for one generator To alarm system and email server

• Green Bee gathering data from generator

protection relay

• Yellow Bee and Green Bee

Monitoring access, parameters and revisions

Proof of concept

• IPV is a principle not a product
• It can be applied to any system but is a good fit to DP system designs

built to the seven pillars

• It is intended to provide superior DP system integrity
• It is intended to be more time efficient than traditional verification

methods.

Conclusions

Thank you

steven.cargill@dnvgl.com CHUNYINGLI@aka-group.com