Asgeir J Sørensen HIL Simulator Testing

20010 © Marine CyberneticsSecuring the integrity of your control systems

2010 © Marine Cybernetics

Vestre Rosten 77 NO-7075 Tiller, Norwaywww.marinecybernetics.com

Hardware-In-the-Loop (HIL) Simulator Testing

Securing the integrity of your control systems 2010 © Marine Cybernetics

Outline

• Why Hardware-In-the-Loop (HIL) testing

• Experiences from independent HIL testing of DP Systems and Power Management Systems (PMS)

• Independent HIL testing of Drilling Control Systems (DCS)

• Conclusions


Megatrends: • Technology shift from mechanical to computer-controlled vessels• Penetration of information and communication technology is increasing with impact

everywhere • Errors in computer systems are critical for safety and capability to perform marine and

offshore operations

“From sledge hammer to space shuttle…”

ControllersSW

Products

Application solutions Remote

Services

Powersystems PC

MS Windows

I/O

Integrated systems

Testing

Configuration

Operational systems

Instrumentsand

sensors

Stand-alonesystems

Communicationnetworks

Internet

HMI

The Digital “Big Bang”

AUTOMATION


change

There has been a gap concerning software until independent HIL testing was introduced

Independent testing and certification: • Third party testing and certification of traditional marine

and offshore technology (structures and HW systems) are a well developed market served by class societies and independent FMEA consultancies

• Marine Cybernetics enters the market as an independent test supplier of computer based systems with unique Hardware-In-the Loop (HIL) simulator technology

• Independent HIL testing does also serve as input to e.g. DNV certification

Technology for computer testing has been lagging behind


Third party HIL testing and verification process

• Vendors develop and test their own software• Marine Cybernetics performs third party testing and verification of the

software from each vendor, and the integration of the software systems

HIL testing by vendors improves the quality of their own systems, but it does not replace third party testing and verification

Development(vendor 1)

Testing(vendor 1)

3rd party verification by

HIL testing (Marine

Cybernetics)

Installation and operation


Testing(vendor 2)


Testing(vendor 3)


Hardware-In-the-Loop (HIL) Testing

• HIL testing is accomplished by connecting a simulation PC in the system’s communication network.

• Inputs to the equipment under test are simulated. • The controllers respond as they would in a dynamic environment.• Simulator responds to output from the controllers as the dynamic system would.• Software (core SW and/or configuration) errors are exposed.

Functional and black-box testing using simulator technology


Closing the control loop by HIL testing

Real time interface

CyberSea Simulator Target system

HIL testing of the target system:1. Functional testing2. Failure testing3. Performance testing4. Known incidents5. Fit for purpose


HIL test regime: Earlier, Deeper and Broader

• Integration testing and validationTest

at Sea

• Software testing and integration testingTest at Dock

• Software testingTest at Factory

Traditional testing regime

FAT

Commissioning

CATTuning and trouble

shooting

HIL testing

Trouble shootingduring operation

New

bui

ld /

upgr

ade

sche

dule

Ope

ratio

n


Design Review

Software Testing

Integration Testing

Service Agreement

Marine Cybernetics Services


Design Review

Software Testing

Integration Testing

Service Agreement

Software testing of individual control systems

Independent HIL testing of individual control systems:• DP Computer System (DP-HIL)• Power Management System (PMS-HIL)• Steering, Thruster and Propulsion Control System (SPT-HIL)• Drilling Control System (Drill-HIL)

Test sites:• Vendor site - Test at Factory • Lab setup using replica hardware • On board using target hardware


Design Review

Software Testing

Integration Testing

Service Agreement

Independent HIL testing of control systems with focus on physical and functional integration including closing of findings

• HIL testing of DP Systems:• DP Computer System (DP-HIL)• Power Management System (PMS-HIL)• Steering, Thruster and Propulsion System (SPT-HIL)

• HIL testing of Drilling Systems:• Drilling Control System (Drill-HIL):

Test sites: • On board using target hardware• Lab setup using replica hardware

Integration testing of control systems


Design Review

Software Testing

Integration Testing

Service Agreement

Life-cycle services to secure safe and efficient operation

• Software change risk assessment• Assessment of updates and changes• Logging of Software version and configurations

• Helpdesk: support during trouble shooting, problems, and incident investigations

• Verification testing (i.e. annual/periodic/continuous)• Reduced trouble and off-hire time during Annual DP Trial• Less destructive testing• On-demand Software testing before onboard upgrades


ReferencesVendors:

E&P companies:

Yards:

Vessel owner:


66 New buildings/Retrofits

19 Platform Supply Vessels (PSV)

11 Anchor Handling Tug Supply (AHTS)

4 Emergency Rescue Recovery Vessels (ERRV)

15 Offshore Construction Vessels• ROV, Diving, IMR, Well intervention

10 Drilling Vessels

1 Seismic Vessel

5 Shuttle Tankers


4 Platform supply vessels (PSV)

Service agreements and annual DP trials using HIL testing

1 Drilling Vessel

1 Anchor Handling Tug Supply (AHTS)


Findings statistics from HIL testingTest results of 47 DP & 15 PMS projects


Findings statistics from HIL testing


Third Party Testing and Verification of Drilling Control Systems

HIL Simulator


CyberSea .Power .Plant .

Simulator .

• CyberSea• Vessel Simulator

Test scenarios

Operational- Operation modes - Operator commands - Vessel motion- Well and drill string

Control system failures

- Computer failure- I/O failure- Network failure

Equipment failures- Sensor failures - Drive failure and

blackout- Hydraulic actuator

failures- Brake failures- Failure of auxilliaries- Electric failures- Bit or drill string stuck- Valves stuck or does not

follow command

C

CyberSea Drilling HIL Simulator

Roughneck

DrawWorkTop drive Pipe handling

machines

Drive

CyberSeaVessel

Simulatorincl.

Riser

Drill-HIL Testing


Interface HIL simulator - Drilling control system

• Draw work with VSD• ∼ 1500 hardwired and serial IO

signals

• Top Drive with VSD:• ∼ 600 hardwired and serial IO signals

• Pipe handling machines (each):• ∼ 30 - 300 hardwired and serial IO

signals

Interfaces all relevant IO for each machine or system to the HIL simulator

HIL simulator

Hardwired IOSerial IO (e.g. Profibus DP, SSI encoders)


• ∼ 200 tests for Draw work / VSD

• ∼ 150 tests for Top Drive / VSD

• ∼ 150 tests for complex pipe handling machines

• ∼ 40 – 100 tests for simpler pipe handling machines

• ∼ 100 tests for heave compensating system

• ∼ 100 tests for anti-collision system

Test scopeTypical number of tests for each machine / system (project dependent)

∼ 10% are test of functions

∼ 90% are test of functions while simulating a failure


Brownfield upgrades are upgrades where parts of the drilling equipment is kept as so-called legacy systems

Characterization of Brownfield upgrades

Drillers Cabin

Drilling Control Network (UDP/TCP/IP)

Legacy Systems

New Equipment

PLC ComputersPLC Computers

Challenge: Insufficient test methods have lead to delays in installation


Drillers Cabin

Drilling Control Network (UDP/TCP/IP)

Independent HIL testing of Brownfield upgrades

HIL Simulator of Legacy Systems

HIL Simulator of New Equipment

Configuration: • All computers are set up and connected with the driller’s chair and the HIL simulators of

the legacy systems and the new drilling equipment.• 3D graphics are used for testing of anti-collision.

PLC ComputersPLC Computers

Marine Cybernetics HIL Simulator

Advantages:• Interconnection to legacy systems

is extensively tested• Allows for testing in a simulator

environment that may cause collisions or damage to equipment in real

• Testing is done before and during installation, in parallel with commissioning, and after commissioning

• High availability of test lab through all phases of the project


• Command and monitoring• Alarm and messaging functionality• Mode change control• Command abortion/canceling• Sensor and feedback monitoring

and integrity check• Hoist / Lower travelling block

(main motors)• Hoist / Lower travelling block

(feedoff motors)• Regenerative brake control• Eddy current brake control• Disc brake control• Crown saver• Floor saver (soft and hard)• Tool compensation (in floor saver)• Raised floor (in floor saver)

Example of targeted functions to be HIL tested

• Dolly position compensation (in crown saver)

• Gear shift control• Torque limiting• Feed-off mode:

• Constant weight on bit mode• Constant rate of penetration

mode (fast and slow mode)• Constant TD motor torque

mode• Constant mud pump

pressure • Hand mode (bypassing anti-

collision)• Start/stop /supervision of

auxiliaries• Emergency stop• Power limitation / reduction• Compliance to documentation

Draw work


• PLC equipment• PLC power supply failure• Operator station power supply failure• Network communication failure• IO unit failure• CPU failure

• Sensors• Encoder failures• Proximity switch failure• Load cell failure• Failure on other sensors

• Disk brake• Command signal effectuation failure• Failure on status, measurement and feedback to

control system• Brake function failure• Hydraulic system failure• Auxiliary system failure

• Gear shift system• Command signal effectuation failure• Failure on status, measurement and feedback to

control system• Hydraulic system failure

Failures can be activated while testing functions

• Eddy current brake• Command signal effectuation failure• Failure on status, measurement and

feedback to control system• Brake function failure• Electric system failure• Cooling system failure• Auxiliary system failure

• Draw work variable speed drives• Command signal effectuation failure• Failure on status, measurement and

feedback to control system• Drive controller failure• Rectifier failure• Inverter failure• DC bus failure• AC power supply failure• Transformer failure• Brake resistors failure• Motor failure• Cooling system failure• Lubrication system failure• Load sharing failure• Auxiliary system failure

Draw work

Example of simulated failure:• freeze value• fail to zero• broken wire

Example of simulated failure:• rapid or slow increasing temperature• increase in cooling system pressure


• Monitoring• Alarm and messaging functionality• Prevent machine from entering other machines zone• Stop machine if other machine is entering the zone• Normal mode• Anti-collision release (machine to ignore stop commands from anti-collision system)• Anti-collision ignore (machine to be ignored by other machines)• Stop of machines on non-healthy position data• Compliance to documentation

Example of targeted functions to be HIL tested Anti-collision / zone management system


Conclusions• Third party testing, verification and certification of mechanical systems

and structures are well established in the maritime and offshore industries

• The impact and complexity of software based systems are increasing in the maritime and offshore industries

• Traditional testing, verification and certification is not sufficient for software based systems

• It has been demonstrated in more than 50 DP and PMS HIL projects that findings are identified and closed as a result of independent HIL testing, many of them being critical with potentially serious consequences

• Third party HIL testing of drilling control system is proposed for new buildings and Brownfield upgrades

• Good cooperation with all involved parties – vendors, yards, owners, end-users and class important securing the success of systems and vessels

Documents

Asgeir J Sørensen HIL Simulator Testing