Post on 04-Apr-2015
20010 © Marine CyberneticsSecuring the integrity of your control systems
2010 © Marine Cybernetics
Vestre Rosten 77 NO-7075 Tiller, Norwaywww.marinecybernetics.com
Hardware-In-the-Loop (HIL) Simulator Testing
Securing the integrity of your control systems 2010 © Marine Cybernetics
Outline
• Why Hardware-In-the-Loop (HIL) testing
• Experiences from independent HIL testing of DP Systems and Power Management Systems (PMS)
• Independent HIL testing of Drilling Control Systems (DCS)
• Conclusions
Securing the integrity of your control systems 2010 © Marine Cybernetics
Megatrends: • Technology shift from mechanical to computer-controlled vessels• Penetration of information and communication technology is increasing with impact
everywhere • Errors in computer systems are critical for safety and capability to perform marine and
offshore operations
“From sledge hammer to space shuttle…”
ControllersSW
Products
Application solutions Remote
Services
Powersystems PC
MS Windows
I/O
Integrated systems
Testing
Configuration
Operational systems
Instrumentsand
sensors
Stand-alonesystems
Communicationnetworks
Internet
HMI
The Digital “Big Bang”
AUTOMATION
Securing the integrity of your control systems 2010 © Marine Cybernetics
change
There has been a gap concerning software until independent HIL testing was introduced
Independent testing and certification: • Third party testing and certification of traditional marine
and offshore technology (structures and HW systems) are a well developed market served by class societies and independent FMEA consultancies
• Marine Cybernetics enters the market as an independent test supplier of computer based systems with unique Hardware-In-the Loop (HIL) simulator technology
• Independent HIL testing does also serve as input to e.g. DNV certification
Technology for computer testing has been lagging behind
Securing the integrity of your control systems 2010 © Marine Cybernetics
Third party HIL testing and verification process
• Vendors develop and test their own software• Marine Cybernetics performs third party testing and verification of the
software from each vendor, and the integration of the software systems
HIL testing by vendors improves the quality of their own systems, but it does not replace third party testing and verification
Development(vendor 1)
Testing(vendor 1)
3rd party verification by
HIL testing (Marine
Cybernetics)
Installation and operation
Development(vendor 2)
Testing(vendor 2)
Development(vendor 3)
Testing(vendor 3)
Securing the integrity of your control systems 2010 © Marine Cybernetics
Hardware-In-the-Loop (HIL) Testing
• HIL testing is accomplished by connecting a simulation PC in the system’s communication network.
• Inputs to the equipment under test are simulated. • The controllers respond as they would in a dynamic environment.• Simulator responds to output from the controllers as the dynamic system would.• Software (core SW and/or configuration) errors are exposed.
Functional and black-box testing using simulator technology
Securing the integrity of your control systems 2010 © Marine Cybernetics
Closing the control loop by HIL testing
Real time interface
CyberSea Simulator Target system
HIL testing of the target system:1. Functional testing2. Failure testing3. Performance testing4. Known incidents5. Fit for purpose
Securing the integrity of your control systems 2010 © Marine Cybernetics
HIL test regime: Earlier, Deeper and Broader
• Integration testing and validationTest
at Sea
• Software testing and integration testingTest at Dock
• Software testingTest at Factory
Traditional testing regime
FAT
Commissioning
CATTuning and trouble
shooting
HIL testing
Trouble shootingduring operation
New
bui
ld /
upgr
ade
sche
dule
Ope
ratio
n
Securing the integrity of your control systems 2010 © Marine Cybernetics
Design Review
Software Testing
Integration Testing
Service Agreement
Marine Cybernetics Services
Securing the integrity of your control systems 2010 © Marine Cybernetics
Design Review
Software Testing
Integration Testing
Service Agreement
Software testing of individual control systems
Independent HIL testing of individual control systems:• DP Computer System (DP-HIL)• Power Management System (PMS-HIL)• Steering, Thruster and Propulsion Control System (SPT-HIL)• Drilling Control System (Drill-HIL)
Test sites:• Vendor site - Test at Factory • Lab setup using replica hardware • On board using target hardware
Securing the integrity of your control systems 2010 © Marine Cybernetics
Design Review
Software Testing
Integration Testing
Service Agreement
Independent HIL testing of control systems with focus on physical and functional integration including closing of findings
• HIL testing of DP Systems:• DP Computer System (DP-HIL)• Power Management System (PMS-HIL)• Steering, Thruster and Propulsion System (SPT-HIL)
• HIL testing of Drilling Systems:• Drilling Control System (Drill-HIL):
Test sites: • On board using target hardware• Lab setup using replica hardware
Integration testing of control systems
Securing the integrity of your control systems 2010 © Marine Cybernetics
Design Review
Software Testing
Integration Testing
Service Agreement
Life-cycle services to secure safe and efficient operation
• Software change risk assessment• Assessment of updates and changes• Logging of Software version and configurations
• Helpdesk: support during trouble shooting, problems, and incident investigations
• Verification testing (i.e. annual/periodic/continuous)• Reduced trouble and off-hire time during Annual DP Trial• Less destructive testing• On-demand Software testing before onboard upgrades
Securing the integrity of your control systems 2010 © Marine Cybernetics
ReferencesVendors:
E&P companies:
Yards:
Vessel owner:
Securing the integrity of your control systems 2010 © Marine Cybernetics
66 New buildings/Retrofits
19 Platform Supply Vessels (PSV)
11 Anchor Handling Tug Supply (AHTS)
4 Emergency Rescue Recovery Vessels (ERRV)
15 Offshore Construction Vessels• ROV, Diving, IMR, Well intervention
10 Drilling Vessels
1 Seismic Vessel
5 Shuttle Tankers
Securing the integrity of your control systems 2010 © Marine Cybernetics
4 Platform supply vessels (PSV)
Service agreements and annual DP trials using HIL testing
1 Drilling Vessel
1 Anchor Handling Tug Supply (AHTS)
Securing the integrity of your control systems 2010 © Marine Cybernetics
Findings statistics from HIL testingTest results of 47 DP & 15 PMS projects
Securing the integrity of your control systems 2010 © Marine Cybernetics
Findings statistics from HIL testing
Securing the integrity of your control systems 2010 © Marine Cybernetics
Third Party Testing and Verification of Drilling Control Systems
HIL Simulator
Securing the integrity of your control systems 2010 © Marine Cybernetics
CyberSea .Power .Plant .
Simulator .
• CyberSea• Vessel Simulator
Test scenarios
Operational- Operation modes - Operator commands - Vessel motion- Well and drill string
Control system failures
- Computer failure- I/O failure- Network failure
Equipment failures- Sensor failures - Drive failure and
blackout- Hydraulic actuator
failures- Brake failures- Failure of auxilliaries- Electric failures- Bit or drill string stuck- Valves stuck or does not
follow command
C
CyberSea Drilling HIL Simulator
Roughneck
DrawWorkTop drive Pipe handling
machines
Drive
CyberSeaVessel
Simulatorincl.
Riser
Drill-HIL Testing
Securing the integrity of your control systems 2010 © Marine Cybernetics
Interface HIL simulator - Drilling control system
• Draw work with VSD• ∼ 1500 hardwired and serial IO
signals
• Top Drive with VSD:• ∼ 600 hardwired and serial IO signals
• Pipe handling machines (each):• ∼ 30 - 300 hardwired and serial IO
signals
Interfaces all relevant IO for each machine or system to the HIL simulator
HIL simulator
Hardwired IOSerial IO (e.g. Profibus DP, SSI encoders)
Securing the integrity of your control systems 2010 © Marine Cybernetics
• ∼ 200 tests for Draw work / VSD
• ∼ 150 tests for Top Drive / VSD
• ∼ 150 tests for complex pipe handling machines
• ∼ 40 – 100 tests for simpler pipe handling machines
• ∼ 100 tests for heave compensating system
• ∼ 100 tests for anti-collision system
Test scopeTypical number of tests for each machine / system (project dependent)
∼ 10% are test of functions
∼ 90% are test of functions while simulating a failure
Securing the integrity of your control systems 2010 © Marine Cybernetics
Brownfield upgrades are upgrades where parts of the drilling equipment is kept as so-called legacy systems
Characterization of Brownfield upgrades
Drillers Cabin
Drilling Control Network (UDP/TCP/IP)
Legacy Systems
New Equipment
PLC ComputersPLC Computers
Challenge: Insufficient test methods have lead to delays in installation
Securing the integrity of your control systems 2010 © Marine Cybernetics
Drillers Cabin
Drilling Control Network (UDP/TCP/IP)
Independent HIL testing of Brownfield upgrades
HIL Simulator of Legacy Systems
HIL Simulator of New Equipment
Configuration: • All computers are set up and connected with the driller’s chair and the HIL simulators of
the legacy systems and the new drilling equipment.• 3D graphics are used for testing of anti-collision.
PLC ComputersPLC Computers
Marine Cybernetics HIL Simulator
Advantages:• Interconnection to legacy systems
is extensively tested• Allows for testing in a simulator
environment that may cause collisions or damage to equipment in real
• Testing is done before and during installation, in parallel with commissioning, and after commissioning
• High availability of test lab through all phases of the project
Securing the integrity of your control systems 2010 © Marine Cybernetics
• Command and monitoring• Alarm and messaging functionality• Mode change control• Command abortion/canceling• Sensor and feedback monitoring
and integrity check• Hoist / Lower travelling block
(main motors)• Hoist / Lower travelling block
(feedoff motors)• Regenerative brake control• Eddy current brake control• Disc brake control• Crown saver• Floor saver (soft and hard)• Tool compensation (in floor saver)• Raised floor (in floor saver)
Example of targeted functions to be HIL tested
• Dolly position compensation (in crown saver)
• Gear shift control• Torque limiting• Feed-off mode:
• Constant weight on bit mode• Constant rate of penetration
mode (fast and slow mode)• Constant TD motor torque
mode• Constant mud pump
pressure • Hand mode (bypassing anti-
collision)• Start/stop /supervision of
auxiliaries• Emergency stop• Power limitation / reduction• Compliance to documentation
Draw work
Securing the integrity of your control systems 2010 © Marine Cybernetics
• PLC equipment• PLC power supply failure• Operator station power supply failure• Network communication failure• IO unit failure• CPU failure
• Sensors• Encoder failures• Proximity switch failure• Load cell failure• Failure on other sensors
• Disk brake• Command signal effectuation failure• Failure on status, measurement and feedback to
control system• Brake function failure• Hydraulic system failure• Auxiliary system failure
• Gear shift system• Command signal effectuation failure• Failure on status, measurement and feedback to
control system• Hydraulic system failure
Failures can be activated while testing functions
• Eddy current brake• Command signal effectuation failure• Failure on status, measurement and
feedback to control system• Brake function failure• Electric system failure• Cooling system failure• Auxiliary system failure
• Draw work variable speed drives• Command signal effectuation failure• Failure on status, measurement and
feedback to control system• Drive controller failure• Rectifier failure• Inverter failure• DC bus failure• AC power supply failure• Transformer failure• Brake resistors failure• Motor failure• Cooling system failure• Lubrication system failure• Load sharing failure• Auxiliary system failure
Draw work
Example of simulated failure:• freeze value• fail to zero• broken wire
Example of simulated failure:• rapid or slow increasing temperature• increase in cooling system pressure
Securing the integrity of your control systems 2010 © Marine Cybernetics
• Monitoring• Alarm and messaging functionality• Prevent machine from entering other machines zone• Stop machine if other machine is entering the zone• Normal mode• Anti-collision release (machine to ignore stop commands from anti-collision system)• Anti-collision ignore (machine to be ignored by other machines)• Stop of machines on non-healthy position data• Compliance to documentation
Example of targeted functions to be HIL tested Anti-collision / zone management system
Securing the integrity of your control systems 2010 © Marine Cybernetics
Conclusions• Third party testing, verification and certification of mechanical systems
and structures are well established in the maritime and offshore industries
• The impact and complexity of software based systems are increasing in the maritime and offshore industries
• Traditional testing, verification and certification is not sufficient for software based systems
• It has been demonstrated in more than 50 DP and PMS HIL projects that findings are identified and closed as a result of independent HIL testing, many of them being critical with potentially serious consequences
• Third party HIL testing of drilling control system is proposed for new buildings and Brownfield upgrades
• Good cooperation with all involved parties – vendors, yards, owners, end-users and class important securing the success of systems and vessels