DESIGN
Experiences from Hardware-in-the-Loop (HIL) Testing of Power Management Systems
Asgeir J. Sørensen, Marine Cybernetics
October 13-14, 2009
2009 Marine Cybernetics
Experiences from Hardware-in-the-loop (HIL) testing of Power Management Systems
Asgeir J. Sørensen, CEO
E-mail: Asgeir.Sorensen@marinecyb.com, Tlf: +47 91897457
2009 Marine Cybernetics: Securing the integrity of your control systems
Vestre Rosten 77, NO-7075 Tiller, Norway, www.marinecyb.com
Outline
• Hardware-In-the-Loop (HIL) Testing
• Power Plant HIL Simulator
• PMS HIL Test Scope and Scenarios
• Experiences
• Detailed Analysis of 4 PMS HIL projects
• Coordination, FMEA, and closing of findings
• Conclusions
Hardware-In-the-Loop (HIL) Testing
Functional and black-box testing using simulator technology
• HIL testing is accomplished by connecting a simulation PC in the system's communication network
• Inputs and outputs are simulated (inserted) under test
• The controllers respond as they would in a dynamic environment
• Software or hardware (calibration, wiring, etc.) configuration errors are exposed
CyberSea Real-World Models
CyberSea Simulator
Mathematical models of wind, waves, current, vessel hydrodynamics, power plant, sensors, equipment, other onboard systems and failure modes are implemented and simulated in the CyberSea Simulator
Overview of the CyberSea Vessel Simulator (block diagram)
• Failure modes: inherent electro/mechanical, signal failures
• GUI: simulation manager, visualization, logging
• Station-keeping functions: vessel observer, DP controller, thrust allocation
• Analysis: trends, statistics, positioning performance, fuel consumption, thrust
• Environment: wind, current, waves, ice
• External IO: Ethernet, Analog, NMEA, Modbus, Profibus, Canbus, OPC, …
• Target systems connected through the simulator driver: DP systems, PMS, …
• Vessel dynamics: 6DOF motion, Coriolis/centripetal forces, multi-body
• Hydrodynamics: 1st and 2nd order wave loads, current loads, wind loads, ice loads
• Propulsion: azimuths, pods, tunnels, main props, rudders, …; thrust losses and interactions
• Power system: power generation/distribution, load limitation, buses and breakers
• External loads: mooring, hawsers, pipe laying, ploughing, risers, crane, …
• Sensors: DGPS, HPR, Artemis, gyros, VRU, wind sensors, …
• Configuration database: hydrodynamics, propulsion units, power components, sensors and pos-ref, other equipment
• HIL database: test cases, findings
Hardware-In-the-Loop (HIL) Testing
Real time interface between the CyberSea Simulator and the target system
Testing of the target system
1. Functional testing to see if the target system software and hardware work as specified.
2. Failure testing to check if the control system software and hardware are sufficiently resilient to relevant failure situations.
3. Performance testing to see if the control system is tuned to perform with sufficient accuracy – if requested.
4. Known incidents on similar vessels can be reconstructed.
5. Fit for purpose - operational aspects, alarms, time to respond, ...
PMS-HIL timeline: Planned operation, Test at factory, Test at dock, Normal operation
PMS-HIL Test Activities
• IFT: Interface Test
  – at PMS maker (or at MC lab).
• TaF: Test at Factory
  – at PMS maker (or TaL at MC lab).
• TaD: Test at Dock
  – at yard (or after ship delivery)
  – power system disconnected from PMS
• TaQ: Test at Quay
  – at yard (or after ship delivery)
  – power system connected to PMS
  – combination of simulator testing and manual testing, as appropriate.
Test scope PMS-HIL (I)
PMS software and IO-system
Compliance to PMS functional description
Functions tested:
– Blackout restoration
– Load sharing (active and reactive power)
– Load dependent start / stop
– Mode control
– Start of standby generator on fault
– Blackout prevention
– Power reservation
– Heavy consumer control
– Power plant monitoring and command functions
– Integration with IAS
Test scope PMS-HIL (II)
Failure modes tested
– Power generation / distribution / consumer:
  Inherent component failures
  Feedback and sensor signal failure modes
  Command signal failure modes
– PMS computer equipment failures
– Operator station equipment failure
– Network communication failure modes
Examples of failure modes tested
PMS-HIL tests how the power management system handles these failure modes:
– Pre-warning from diesel engines
– Shutdown of diesel engines
– Short-circuit of one switchboard*
– Unavailable diesel engine
– Locked governor – fixed power*
– Loss of fuel supply to one diesel engine*
– Full throttle to one diesel engine*
– Failure in load sharing line of engine governors*
– Reduced max power from engine*
– Loss of generator excitation*
– Full generator excitation*
– Deviating generator excitation*
– Protection trip of generator
– Protection trip of bus-tie*
– Generator synchronization failure
– Generator CB not following command
– Bus-tie synchronization failure
– Bus-tie CB not following command
– Partial blackout
– Blackout
– Over / under bus voltage*
– Over / under bus frequency*
– Protection trip of consumers
– Failure of power reduction function of propulsion/thruster drives
* Difficult and/or dangerous to test with traditional methods – hard to find without HIL testing
Demo 1: Normal operation
1. Starts and connects G1
2. Starts thruster 1 (load to 30%)
3. Starts and synchronizes G2 and G8
4. Observe that active power is shared between running generators
5. Start and increase drilling drive 1 and 2 to 50%
6. Connects thruster 3 and 5 and increase these thruster loads to 50%
7. Open bus breakers BT8 and BT9 and observe that active power now is different on each side of the split
Demo 1: Normal operation (trend plot; annotations in time order: G1 running, Start Thruster 1, Start G2, Start G8, Start Drill 1 & 2, Start Thruster 3 & 4, Open bus-tie BT8 and BT9)
Demo 2: Shutdown of G2 with load reduction of drilling loads
1. Initial state:
   – Plant running with closed ring,
   – G1, G2 and G8 connected,
   – thruster 1, 3 and 5 running
   – Drilling load 1 and 2 connected
2. Simulate failure on G2 such that it trips and stops
3. Observe load reduction on drilling drives to keep generator loads below 100%
4. Start and synchronize G2 and observe that load reduction to drilling loads is relaxed
Demo 2: Shutdown of G2 with load reduction of drilling loads (trend plot)
Shutdown of G2 causes increased power on G1 and G8. Drilling load is reduced while G2 is disconnected to avoid overload of G1 and G8. Reconnection of G2 follows.
Demo 3: G4 fails to full power and causes full blackout
1. Initial state:
   – Plant running with closed ring,
   – G1, G4 and G8 connected,
   – All thrusters running
   – Each generator 22% loaded (1.07 MW)
2. Simulates failure on G4 governor/fuel rack such that the G4 diesel engine power output ramps to maximum (at rate 5.5% / sec). Monitors generator power (G1, G4, G8) and bus frequency
3. The failure on G4 finally causes reverse power on G1 and G8. These are tripped by the reverse power (< -5%, 0.5s) protection relay
4. Remaining G4 then accelerates since load is less than generator output. G4 circuit breaker is finally tripped on over-frequency/speed (>65Hz, 1s)
FULL BLACKOUT since PMS failed to trip the tie-breakers
Demo 3 (trend plots)
Time: 0 sec. Initial state without failure: active power shared equally between connected generators.
Failure activated: G4 diesel engine is ramping against full power. G4 power increases (increasing power output) while G1 and G8 approach zero power (decreasing power output). Bus frequency starts rising slowly due to the failure on G4.
G1 and G8 have tripped by the reverse power trip relay (breakers tripped on reverse power). G4 with failure is now the only source of power to the thrusters. Electric power supplied by G4 steps down when G1 & G8 trip, since G4 no longer supplies reverse power to G1 & G8. Bus frequency starts rising faster after G1 & G8 trip, since the braking effect from G1 & G8 now disappears.
High frequency trip of G4, full blackout: G4 breaker tripped due to high frequency. Full blackout with no power to thrusters. Zero output power from G1, G4 and G8. Bus frequency drops to zero after trip of the last generator breaker.
Demo 4: G4 fails to full power, PMS trips bus-ties and reduces consequences to partial blackout
1. Initial state:
   – Plant running with closed ring,
   – G1, G4 and G8 connected,
   – All thrusters running
   – Each generator 22% loaded (1.07 MW)
2. Simulates failure on G4 governor/fuel rack such that the G4 diesel engine power output ramps to maximum (at rate 5.5% / sec). Monitors generator power (G1, G4, G8) and bus frequency
3. PMS splits the bus in a port and starboard bus by opening bus-tie breakers. Starboard side recovers to normal operation with no failure
4. The failure on G4 finally causes reverse power on G1. G1 is then tripped by the reverse power (< -5%, 0.5s) protection relay.
5. Remaining G4 on port side then accelerates since load is less than generator output. G4 circuit breaker is finally tripped on over-frequency/speed (>65Hz, 1s)
6. Port side BLACKOUT, but power available on starboard side since PMS opened the tie-breakers in due time.
7. The DP control system transfers thruster loads to starboard side and can keep the vessel at position
Demo 4 (trend plots)
Failure activated: G4 diesel engine is ramping against full power. G4 power increases (increasing power output) while G1 and G8 approach zero power (decreasing power output). Bus frequency starts rising slowly due to the failure on G4.
PMS has opened bus-tie breakers due to active power unbalance (bus-ties opened by PMS).
G1 has tripped by the reverse power trip relay (breaker tripped on reverse power). Bus frequency starts rising faster on port side (blue) but recovers to normal on starboard (green).
High frequency trip of G4, blackout port side: G4 breaker tripped due to high frequency. Blackout port side only.
DP control system transfers thruster load to starboard side. Load on G8 increases since the DP system transfers load to starboard side.
Important limitations in PMS-HIL test target
Currently NOT included in PMS-HIL test target:
– Wiring in switchboard
– Protection relay functionality
– Protection relay setting
– Test / verification of protection relay selectivity
– Power system performance:
  – AVR (voltage stability)
  – Governor (frequency stability)
  – VSD (thruster drive controller stability and performance)
  – Performance of load reduction function in drives (PMS-HIL verifies that correct load reduction signals are sent from PMS, but not that these signals actually are used correctly by the thruster drive)
61 New buildings/Retrofits
– 17 Platform Supply Vessels (PSV)
– 11 Anchor Handling Tug Supply (AHTS)
– 4 Emergency Rescue Recovery Vessels (ERRV)
– 15 Offshore Construction Vessels
  • ROV, Diving, IMR, Survey & geo, Well intervention
– 9 Drilling vessels
– 5 Shuttle tankers
Findings and Severity Grades
Severity grade – Definition
A – Non-conformity with rules and regulations – Not in compliance with rules and regulations (IMO, flag state, coastal state, class rules, and similar).
B – Non-conformity with requirements – Not in compliance with specifications, industry guidelines and standards, documentation (such as functional design specifications and user manuals), or intended use.
C – Recommendations to be evaluated for improvement in design, functionality, documentation, or operational procedures.
Safety and availability
Class main concern: A findings – minimum requirements ensuring safety
Client concern: A, B (and C) findings – safety, reliability, efficiency, functionality, performance, availability
(Figure: balance between Safety, $$$ and Availability)
Experiences from DP HIL testing (45 projects)

                       | Number of test activities | Total findings | A-findings | B-findings | C-findings
Total DP-HIL projects  |                           | 1013           | 21%        | 49%        | 30%
Test at Factory        | 44                        | 706            | 19%        | 49%        | 32%
Test at Dock           | 30                        | 170            | 24%        | 48%        | 28%
Test at Sea            | 30                        | 137            | 26%        | 51%        | 23%
Experiences from PMS HIL testing (14 projects)

                       | Number of test activities | Total findings | A-findings | B-findings | C-findings
Total PMS-HIL projects |                           | 670            | 21%        | 67%        | 12%
Test at Factory        | 14                        | 593            | 22%        | 68%        | 10%
Test at Dock           | 4                         | 58             | 14%        | 60%        | 26%
Test at Quay           | 3                         | 19             | 26%        | 53%        | 21%

Observations
• More findings in a typical PMS than in a typical DP computer system
• PMS findings are often of B-category due to less detailed rules and regulations
Detailed analysis of 4 PMS HIL test projects
Representative selection
• Different vessel types – drilling, construction, supply
• Different PMS makers
• "Typical" with respect to project organization and number of findings
Classification of findings according to PMS function
Classification of findings according to consequences
• Drift-off – Loss of available power beyond "worst case single point failure"
• Operational unavailability (Non Productive Time) – Safe abortion of operation, no drift-off, but downtime.
• Deviation from rules and regulations – Other deviations beyond those causing immediate drift-off or operational unavailability.
• Degraded system performance
• Deviation from specification – Deviation from functional design specification (FDS) and intended use, but with no immediate consequences for safety or operational availability.
• Potential for improvement
Findings per PMS function (columns: Function name | Drift-off | Operational unavailability | Deviation from rules and regulations | Degraded system performance | Deviation from specification | Potential for improvement | Total identified)
Others | 0 | 0 | 1 | 0 | 8 | 0 | 20
Automatic control | 0 | 0 | 0 | 0 | 2 | 1 | 3
Semi-automatic control | 0 | 0 | 0 | 0 | 0 | 0 | 0
Emergency mode | 0 | 0 | 1 | 0 | 0 | 0 | 1
Max. 1/2/3… generators | 0 | 0 | 1 | 0 | 1 | 0 | 2
Min. 1/2/3… generators | 0 | 0 | 0 | 0 | 0 | 0 | 0
Closed bus mode | 0 | 0 | 0 | 0 | 1 | 0 | 1
2/3/…-split mode | 0 | 0 | 0 | 0 | 0 | 0 | 0
HMI | 1 | 0 | 10 | 6 | 58 | 18 | 95
Communication with IAS | 0 | 0 | 1 | 0 | 0 | 0 | 1
Load dependent start of generator sets | 0 | 1 | 0 | 0 | 4 | 2 | 7
Load dependent stop of generator sets | 0 | 0 | 0 | 2 | 2 | 0 | 5
Active power load sharing | 2 | 3 | 0 | 1 | 1 | 0 | 8
Asymmetric active power loading of prime movers | 0 | 0 | 0 | 0 | 2 | 0 | 3
Reactive power load sharing | 1 | 0 | 0 | 0 | 0 | 0 | 1
Power reservation functions | 0 | 0 | 0 | 0 | 3 | 0 | 3
Start interlock of heavy consumers | 0 | 0 | 0 | 1 | 0 | 0 | 1
Prime mover and speed governor feedback | 1 | 0 | 5 | 4 | 10 | 7 | 31
Generator and automatic voltage controller feedback | 0 | 3 | 11 | 2 | 12 | 3 | 31
Circuit breaker feedback | 3 | 1 | 8 | 10 | 22 | 16 | 61
Switchboard feedback | 0 | 0 | 11 | 2 | 4 | 6 | 24
Synchronization controller feedback | 0 | 0 | 0 | 0 | 1 | 0 | 1
VSD feedback | 0 | 0 | 0 | 0 | 3 | 7 | 10
Heavy consumers feedback | 0 | 0 | 0 | 0 | 0 | 0 | 0
Commands to generator and automatic voltage controller | 0 | 0 | 1 | 0 | 0 | 0 | 1
Commands to circuit breakers | 1 | 1 | 3 | 3 | 6 | 2 | 17
Commands to synchronization controllers | 0 | 0 | 0 | 0 | 0 | 0 | 0
Commands to VSD | 0 | 0 | 0 | 0 | 0 | 0 | 0
Commands to heavy consumers | 0 | 0 | 0 | 0 | 0 | 0 | 0
Alarm and messaging functionality | 1 | 0 | 7 | 1 | 7 | 11 | 28
Active power unbalance detection and handling | 6 | 5 | 5 | 4 | 2 | 2 | 24
Reactive power unbalance detection and handling | 3 | 3 | 10 | 0 | 1 | 1 | 18
Under- and overfrequency detection and handling | 0 | 2 | 5 | 2 | 8 | 1 | 20
Under- and overvoltage detection and handling | 1 | 0 | 8 | 0 | 3 | 1 | 13
Start of standby generator on prewarning (changeover) | 0 | 0 | 0 | 1 | 6 | 0 | 7
Start of standby generator on fault | 0 | 0 | 0 | 1 | 0 | 0 | 1
Start of standby generator on power distribution overload | 0 | 0 | 0 | 0 | 0 | 0 | 0
Load reduction/limitation functions | 5 | 3 | 1 | 2 | 3 | 3 | 20
Load shedding | 0 | 0 | 0 | 0 | 0 | 0 | 0
Blackout restoration | 4 | 0 | 2 | 5 | 9 | 4 | 28
Changeover of functions between controllers | 0 | 0 | 1 | 0 | 0 | 0 | 1
Asymmetric load sharing abortion or override | 0 | 0 | 0 | 0 | 0 | 0 | 0
Prevention against operator induced blackout | 1 | 0 | 0 | 1 | 0 | 1 | 3
Power supply and UPS power to PMS | 0 | 0 | 3 | 0 | 0 | 0 | 3
Power supply and UPS power to operator stations | 0 | 0 | 0 | 0 | 0 | 0 | 0
Network communication | 0 | 0 | 2 | 2 | 1 | 1 | 6
IO unit | 0 | 0 | 0 | 0 | 0 | 0 | 0
CPU | 0 | 0 | 0 | 0 | 0 | 1 | 1
Overcurrent detection and handling | 0 | 0 | 1 | 0 | 0 | 0 | 1
PMS configuration | 5 | 0 | 2 | 1 | 6 | 2 | 16
Consequences of PMS errors – Best case vs. worst case assumptions

                       | Best case assumption (no hidden errors) | Worst case assumption (possible hidden errors)
Protection relays      | Work as intended           | One or more functions fail (no trip on reverse power, over/under frequency or voltage, over current....)
Governors and AVRs     | Work as intended           | May have hidden errors
Hardwired interlocks   | Work as intended           | May have hidden errors
Operators              | Respond correctly          | May make mistakes due to missing or incorrect information
Selectivity            | As intended                | May have hidden errors
Breakers               | Work as intended           | May not open or close on command
Operational philosophy | According to test scenario | Closed bus-ties in DP2
Consequences of PMS errors – Best case vs. worst case assumptions (bar chart: number of findings, 0 to 80, per consequence class under the best case and the worst case assumption; classes: Drift-off, Operational unavailability, Deviation from rules and regulations, Degraded system performance, Deviation from specification, Potential for improvement)
Are there findings that could not have been found without HIL testing?
• The analysis of 14 PMS HIL test projects has classified findings according to whether they could have been found without HIL testing or not.
• The analysis is based on what are typical test scopes at Factory Acceptance Test, Customer Acceptance Test, FMEA trials and class.
• 65 % may be found without HIL (but the majority will be found during sea trials only)
• 35 % will NOT be found without HIL
• However, in some projects the HIL testing was conducted after delivery of the vessel from the yard. In these projects the number of findings is not significantly less than what we normally find at FAT! This indicates that the effect of HIL testing is much more than the proven 35%.
When are findings closed? (bar chart: share of findings closed, 0 to 70%, per test activity: Test at Factory, Test at Factory 2, Test at Factory 3, Test at Dock, Test at Quay)
HIL testing = FMEA of software ++
• Can HIL replace traditional FMEA?
• Is HIL necessary even if FMEA is done?
HIL and FMEA are complementary, and both are needed.
HIL and FMEA testing should be coordinated.
HIL verifies the FMEA analysis report.
Conclusions
• It has been demonstrated in 14 PMS HIL projects that findings are identified and closed as a result of HIL testing, many of them being critical with potentially serious consequences.
• The analysis showed that at least 35% of the findings would be hard to identify with conventional testing.
• Experience with HIL testing only conducted after delivery of vessels showed a high number of severe findings. It indicates that proper independent HIL testing reveals more findings, due to more systematic testing and more time spent on testing.
• 88% of the findings were identified already at the first test activity (typically SW FAT), reducing costly delays, incidents and trouble shooting during sea trials and operations.
Recommended