
Application Note ║ Note d’application

[email protected] www.redca.com

www.safetyusersgroup.com Page 1 of 11

Implementation of a Fault Tolerant Controller for Offshore Platforms Control

Victor Machiavelo Salinas, Mr.
REDCA, Mexico D.F., Mexico
November, 2006

ABSTRACT

Over the last years, Petróleos Mexicanos (PEMEX) has carried out an intense modernization job in all of its facilities around the country. As part of the modernization project, automation and optimization of the control equipment, instrumentation and communications play a fundamental role.

INTRODUCTION

The purpose of this paper is to describe in general terms the strategy being used by PEP (PEMEX Exploración and Perforación, Exploration and Perforation) for automating its remote offshore platforms located just outside the oil camp of Cantarell.

Remote drilling platforms are marine installations whose main function is to extract oil and natural gas from the wells. They are part of a marine offshore complex that includes different platforms, including habitation, production, compression, link, and communications. Remote platforms are separated from the rest of the complex, normally located within two to six kilometers (one to four miles), and communicate with the complex via radio systems, microwaves and frequency linking to the habitation platform, which has a master controller that can communicate with other remote platforms within the marine complex.

The remote platforms have between three and eight extraction wells, and are "unmanned," that is, there are no people living on them. As a result, reliability and availability of the control systems and instrumentation are not only fundamental to ensuring the security and safety of the entire installation, but they are also essential for maintaining the oil field's production and protecting the ecological environment.

The project involved automating 23 remote platforms that belong to six different marine complexes located in the Cantarell Field. Although the complete project includes different levels in the automation of the complexes, this document only describes automating the six remote platform complexes, as shown in Figure 1 below.

Figure 1 General diagram of project, showing the six remote platform complexes


IMPLEMENTATION

As previously indicated, remote platforms are the output points of gas and oil. Since they are unmanned, it is imperative that the control system used has high availability and is extremely reliable. In order to achieve this goal, PEMEX requested a fault tolerant control system that met the following requirements:

1. The control system must have active redundancy in its controller (CPU), power supplies, communications to inputs and outputs, and communication to the habitation platforms.

2. The system must have the capacity to combine input/output modules in a single and redundant configuration.

3. The redundancy of analog inputs and outputs must be included in the system without using intermediate devices or relays to transfer the outputs. In addition, redundancy must be bumpless and the process completed without disturbance during the transfer.

4. The redundancy in digital inputs and outputs must be included in the system without using intermediate devices or relays to transfer the outputs. In addition, redundancy must be bumpless and the process completed without disturbance during the transfer.

5. The system should have redundancy in communication channels to the habitation platforms, allowing bi-directional transfer of information with only one way in the communication ports.

6. The system should integrate up to 32 Modbus type serial ports, which should work in redundancy while communicating to PLCs and intelligent valves.

7. The system should be able to integrate Hart type transmitters with digital communication.

8. All devices in the system should be removable while on-line and with power applied.

9. The system should be designed to work in a marine environment subject to high temperatures, vibration, humidity and corrosion caused by extreme weather conditions.

10. The system should have communications when requested or based on reported exceptions, for example, transferring data only when notable changes are reported.


THE SOLUTION

After an intense evaluation of different distributed control systems (DCS), programmable logic controllers (PLC), remote terminal units (RTU) and hybrid control systems (HCS), the company in charge of the integration and construction of the system decided to use a hybrid control system, model RTP 2200, manufactured by RTP Corporation of Pompano Beach, Florida. Figure 2 shows the general architecture that each remote platform has.

Figure 2 Remote platform system architecture


The main characteristics of the RTP 2200 system are:

• Hot standby-type redundancy, floating master
• Redundancy in CPUs and power supply
• Intel 586 processor at 133 MHz, 16 MB RAM, and 16 MB flash memory
• Redundant Ethernet communication at 10 Mbps, 10BT or 10B2 connections
• Parallel communications bus to the input and output racks, with an information transfer speed of 16 bits per microsecond (RTPBUS)
• Hot insertion of all system components
• Redundancy in input and output modules, including analog signals
• Active diagnostics (watchdog) in all system cards
• On-line and off-line configuration
• Programming and configuration with a single IP address
• Self-programming of the CPU when inserted after a fault
• Automatic synchronization of variables in each scan sweep
• Redundancy with fault-tolerant and fail-safe design
• High processing speed: 300 PID per second minimum
• Programming software according to IEC 1131
• 16-bit high resolution cards
• High noise level protection (CMRR) from 80 to 140 dB
• Low energy consumption: 30 percent less than a similar system
• Small size: 50 percent smaller than similar systems
• IE approval for nuclear application requirements

The system implementation addressed the following three fundamental technical issues:

1. Controller redundancy
2. Redundancy in input and output modules
3. Communications

1. Controller Redundancy

Figure 3 on the next page indicates the functional scheme of the RTP 2200 system operation, which operates as follows:

a. The processors are turned on.
b. The bus switch card assigns the first controller to receive power as the master.
c. The next controller is assigned as the slave.
d. The master controller assumes control over the outputs and communications functions.
e. The slave controller only monitors and operates as a mirror for the master, and is unable to access the output modules.
f. If the master controller fails in CPU, communications, power source or input/output bus, switchover occurs and the slave controller automatically assumes the role of the primary master controller.

Because each rack side of the RTP 2200 is independent, the bus switch card is the only link between the two processors. This card is powered from the system's two power supplies, drawing from only one power supply at a time. Each bus switch card is responsible for a variety of functions, including transferring, diagnosing, and communicating with the single input and output bus, and each controller is responsible for operating its specific redundant bus.


Figure 3 RTP 2200 redundancy block diagram

An important characteristic of this redundancy is the capacity of each controller to work as a floating master, removing the need to address the system at two different IP addresses. The redundancy also allows the system to re-educate (reload the program into) the controller that failed when its replacement is reinserted. Each controller has the capacity to manage its own input and output bus, as well as the slave bus and the common bus of single inputs and outputs. Each controller observes and diagnoses the Ethernet communication of its counterpart, allowing the network to be monitored continuously by the two controllers. If communication is interrupted in the primary controller, the secondary controller, which is listening to the communication of the primary controller, will generate a message to the bus switch card to make the transfer, allowing the secondary controller to then take over as the primary controller.
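The controller redundancy scheme of section 1 (steps a to f above, the slave mirroring the master on every scan, the bus switch card watching both CPUs, hot replacement of a failed CPU and the freeze-or-zero output policy during an on-line program load) can be modelled as a small state machine. The Python simulation below is an added example written for this page; it is not RTP Corporation's code nor anything from the original application note, and the watchdog deadline, program labels and output names are constructed for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Controller:
    name: str
    powered: bool = False
    role: str = "off"                            # "master", "slave" or "off"
    faults: set = field(default_factory=set)     # e.g. {"cpu"}, {"comms"}, {"power"}, {"io_bus"}
    program: str | None = None                   # control program image (constructed label)
    last_heartbeat_ms: float = 0.0               # last watchdog kick seen by the bus switch card

    def healthy(self) -> bool:
        return self.powered and not self.faults


class BusSwitchCard:
    """Models the bus switch card: the only link between the two rack halves.
    It assigns master/slave at power-up, watches both CPUs' watchdogs and hands
    the single I/O bus to the slave when the master fails."""

    WATCHDOG_MS = 1.0   # constructed heartbeat deadline for either CPU

    def __init__(self, cpu_a: Controller, cpu_b: Controller, load_policy: str = "freeze"):
        self.cpus = [cpu_a, cpu_b]
        self.load_policy = load_policy           # "freeze" or "zero" outputs during a program load
        self.outputs: dict[str, float] = {}      # state of the single output bus
        self.events: list[str] = []

    def power_on(self, first: Controller, second: Controller, program: str) -> None:
        """Steps a-c: the first CPU to receive power becomes master, the other slave."""
        for c in (first, second):
            c.powered, c.program, c.faults = True, program, set()
        first.role, second.role = "master", "slave"
        self.events.append(f"{first.name} master, {second.name} slave")

    def _by_role(self, role: str) -> Controller | None:
        return next((c for c in self.cpus if c.role == role), None)

    def heartbeat(self, cpu: Controller, now_ms: float) -> None:
        cpu.last_heartbeat_ms = now_ms

    def scan(self, now_ms: float, setpoints: dict[str, float]) -> str | None:
        """One scan sweep. Returns the name of the CPU driving the outputs."""
        master, slave = self._by_role("master"), self._by_role("slave")
        if master is None:
            return None
        watchdog_expired = now_ms - master.last_heartbeat_ms > self.WATCHDOG_MS
        if (not master.healthy() or watchdog_expired) and slave and slave.healthy():
            # step f: switchover; the slave has mirrored every scan, so it takes
            # over with the same variables and no output disturbance
            master.role, slave.role = "off", "master"
            self.events.append(f"switchover {master.name}->{slave.name} at {now_ms} ms")
            master, slave = slave, None
        if slave is not None:
            slave.program = master.program       # variables synchronised each sweep (step e)
        if master.healthy():
            self.outputs.update(setpoints)       # only the master drives the output bus (step d)
        return master.name

    def hot_replace(self, old: Controller, new: Controller, now_ms: float) -> bool:
        """A failed CPU is replaced hot; once its diagnostics pass, the card copies
        the active program into it and it becomes the secondary (re-education)."""
        master = self._by_role("master")
        if master is None or not new.healthy():
            return False
        self.cpus[self.cpus.index(old)] = new
        new.program, new.role = master.program, "slave"
        new.last_heartbeat_ms = now_ms
        self.events.append(f"{new.name} re-educated from {master.name}")
        return True

    def load_program(self, program: str) -> dict[str, float]:
        """On-line program load: outputs are frozen (kept) or zeroed while it happens."""
        if self.load_policy == "zero":
            self.outputs = {k: 0.0 for k in self.outputs}
        for c in self.cpus:
            if c.powered:
                c.program = program
        return dict(self.outputs)
```

A run is a sequence of `scan()` calls interleaved with `heartbeat()` calls; injecting a fault into the master (or simply letting its heartbeat lapse past `WATCHDOG_MS`) makes the next scan return the slave's name, and `events` records the switchover so the sequence can be audited afterwards.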


When looking at the RTP 2200 chassis, it is important to remember that even though there appears to be only a single rack, there are really two racks that are electronically isolated. With the exception of the bus switch card, which is fed by the two power sources, the power source on each side supplies energy to only one CPU and to the I/O and communications cards on its own side.

The bus switch card is responsible for transferring control from the primary CPU to the secondary. It has two first-in-first-out (FIFO) memories used to send data to each CPU. The bus switch card also has a register memory area that allows the two CPUs to share data and states. The two CPUs continuously check the state of the bus switch card, as it has a watch-dog timer. If the bus switch card fails, the primary controller will continue to operate and handle its input and output bus. Note that the bus switch card is not an electromechanical device; it is an electronic card with a high level of diagnostics.

The RTP 2200 system is a redundant system with fault-tolerant and fail-safe design. When a failure occurs in the main controller, the secondary controller assumes control in less than three milliseconds, and the I/O signals during that time are held. The failed controller can be replaced "hot," and, when this is done, diagnostics are performed on the new controller. When a correct state is detected, the bus switch card transfers the program of the active controller to it and it becomes the secondary controller. Because the loading of new programs and updates can be done on-line, the output state is necessarily affected. Depending on the process design involved, RTP 2200 users have two options to account for the change in state: freeze the output state until the new program is loaded, or send the state to a zero value.

2. Input and Output Modules Redundancy

Figures 4 and 5 show the two options available for the input and output redundant modules in the RTP 2200 system.

Option 1 (figure 4)

The redundancy in the analog and digital inputs has active primaries and redundants on hold, and operates as follows:

a. The active controller reads and performs control functions using the input and output racks belonging to the active or primary bus.

b. In the case of the digital inputs, both are considered primary, both are wired in parallel, and both are active; however, only the primary rack is read. The controller has software routines to make transfers from one rack to the other.

c. In the case of the analog inputs, one card is assigned as primary and the other as secondary. Both cards check each other with the watch-dog timer in case the primary card fails.

Figure 4 RTP 2200 I/O redundancy—option 1


If a failure occurs, the bus switch card transfers the controller operation, and the secondary card takes control.

d. In the case of the digital and analog outputs, a hot standby configuration is utilized wherein one card is active and one card is on hold. This configuration can cause minor over-jumps in the output signal when a transfer from the active card to the redundant card is made.

Option 2 (figure 5)

In this configuration, both input and output racks are active in a dual configuration; only one rack is designated as primary, the other rack is secondary, and each card has a watch-dog to check its electronic state. Due to both input racks and outputs being active, the information in the redundant card is the same as that in the primary card. As a result, there is no over-jump in the output signal when a transfer is made.

Figure 5 RTP 2200 I/O redundancy—option 2

3. Communications

The communications networks designed in the system are gathered in three categories:

3.1 Communication networks between remote and housing platforms
3.2 Modbus redundant communications networks
3.3 Communication networks to intelligent instruments using Hart

3.1 Communication networks between remote and housing platforms

There are a number of critical issues that must be addressed in order for communications between the remote and housing platforms to be effective:

• Redundant communication between remote platforms and housing platforms
• Bi-directional communication
• Communication should only be in one direction in the redundant networks, in order that the database in the housing platform is not duplicated
• Managing of reports by exception
• Addressing using one Ethernet TCP/IP address
• Connection to the actual radio system using a serial connection at 19,200 bps
• Network segmentation in the housing platform
• Peer-to-peer communication

As shown in figure 6 on the next page, the main challenge of the system was to adapt one technology that was based on Ethernet TCP/IP networks to a radio system technology based on UHF-type frequency radio communication, while also keeping in mind that any new technology, such as spread spectrum, may be adapted at a later point in time.

Figure 6 Communications networks between remote platforms and housing platforms

The RTP 2200 system adapted to this challenge in a natural way, as detailed below:

The two CPUs of the RTP 2200 controller have a 10BT-type Ethernet TCP/IP port, and are configured with one IP address. The system incorporates diagnostics in the communications that allow the CPU located in the redundant mode to monitor the communication in the main CPU. With this configuration, if communication is interrupted, diagnostics are performed and the redundant controller informs the bus switch card to make the transfer from the primary to the redundant controller.

The RTP 2200 system has two communication protocols:

1. The RTP 2200 protocol, which allows the loading and unloading of programs, as well as local and remote configuration.

2. The peer-to-peer communications protocol, which allows the transferring of information between the controllers of the same network.


With the peer-to-peer, bi-directional protocol, the transferring of information from the remote platform to the housing platform and vice versa is allowed without the need to have a controller operate as a master, which helped eliminate the need to call each controller to verify the information, a critical issue if, for example, you have a bandwidth problem in the network communications. For this specific project, a node number assigned to each controller in the network is used for addressing and transferring information. The IP address is required when the controller has information it wishes to send and, while operating under the concept of report by exception, the Ethernet TCP/IP card makes a broadcast to indicate that it has information. Then, the controller located in the housing platform detects this message, as do the other devices in the network.

RTP has implemented a simpler and more effective method for locating the information flow between controllers. It assigns an ID variable to be read by a tag, placing before it a GV value and adding the node number of the variable. For example, if a global variable GV TT20 N01 is placed in the database of the controller for the housing platform, the controller will accept a report-of-exception broadcast, while at the same time answering with its own broadcast indicating its IP address. If the controller with a node value of 01 takes the broadcast of the controller of the housing platform, it sends its information, disaggregating the peer-to-peer message by the IP addresses and not by the node value. A TCP/IP socket is opened briefly in both controllers in order to continue transferring the information. If the socket remains open for more than three seconds, the communication is interrupted and the socket is closed. The controllers should then generate broadcasts to help in locating them. This method is very effective because:

• The network does not become saturated.
• Continuous calling to locate information is eliminated.
• Any controller can initiate the information transfer.
• Communication is interrupted when there is no further information available to transfer.
• Standard Ethernet network devices such as a hub, switch, bridge, etc., can be used.

As shown in figure 6 on the previous page, the controller has a redundant Ethernet TCP/IP network, and the information is transferred to radios with a 121,200 bps serial connection using two bridges at layer one of the OSI/ISO model. It is important to mention that the bridges commonly used in the industry include diagnostics and utilities for the communications that can in some cases cause the RTP 2200 controller to ignore the information. Therefore, careful selection of bridges is needed in order to make the system perform properly. As a test, PEMEX placed routers from different companies; however, the routers only limited the message broadcast flow, interrupted the communication and introduced dead time in the communication caused by the transfer operation and the search for IP addresses.

When one network is used for all the remote platforms and the corresponding housing platforms, potential saturation problems emerge. Moreover, an even more dangerous security issue developed that was unacceptable to PEMEX: personnel on one platform were able to see and manipulate any of the other five platforms. This security issue was solved by placing a switch with layer-three technology in the housing platform, which allowed for segmenting the network and addressing information. It also allowed for transferring data
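The report-by-exception exchange described above (the GV tag with its node number, the announcing broadcast, the housing controller answering with its IP, the short TCP/IP session closed after three idle seconds) and the difference a layer-three switch makes to who hears a remote platform's broadcasts can both be shown in one simulation. The Python below is an added example written for this page, not code from RTP Corporation or from the project; the IP addresses, the deadband value and the flat-versus-segmented topology are constructed assumptions, and the tag parser accepts only the `GV <variable> N<nn>` form the page shows.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Tag form shown on the page: "GV <variable id> N<node number>", e.g. "GV TT20 N01".
TAG_RE = re.compile(r"^GV\s+(?P<var>[A-Z][A-Z0-9]*)\s+N(?P<node>\d{2})$")
IDLE_TIMEOUT_S = 3.0   # page: a socket open for more than three seconds is closed


def parse_global_tag(tag: str) -> tuple[str, int]:
    """Split a global-variable tag into (variable id, node number)."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a global variable tag: {tag!r}")
    return m.group("var"), int(m.group("node"))


@dataclass
class Controller:
    node: int
    ip: str
    segment: str                   # switch segment the controller is attached to (constructed)
    deadband: float = 0.5          # constructed: smallest change that counts as "notable"
    database: dict = field(default_factory=dict)     # tag -> last value received
    _last_sent: dict = field(default_factory=dict)   # var -> last value reported

    def tag_for(self, var: str) -> str:
        return f"GV {var} N{self.node:02d}"

    def notable_change(self, var: str, value: float) -> bool:
        """Report by exception: only a change beyond the deadband is reported."""
        prev = self._last_sent.get(var)
        if prev is not None and abs(value - prev) < self.deadband:
            return False
        self._last_sent[var] = value
        return True


class Network:
    """Decides who hears a broadcast. Flat: one broadcast domain for every
    platform (the saturation and cross-platform visibility problem PEMEX saw).
    Segmented: a layer-three switch lets a remote segment exchange traffic only
    with the housing segment, so remote platforms cannot see one another."""

    def __init__(self, housing_segment: str, segmented: bool):
        self.housing = housing_segment
        self.segmented = segmented
        self.nodes: list[Controller] = []

    def permitted(self, a: Controller, b: Controller) -> bool:
        if not self.segmented:
            return True
        return a.segment == b.segment or self.housing in (a.segment, b.segment)

    def broadcast(self, src: Controller) -> list[Controller]:
        return [n for n in self.nodes if n is not src and self.permitted(src, n)]


@dataclass
class Session:
    """Briefly opened TCP/IP socket between two controllers; it is closed once
    IDLE_TIMEOUT_S seconds pass without traffic."""
    src_ip: str
    dst_ip: str
    last_activity: float
    open: bool = True

    def tick(self, now: float) -> None:
        if now - self.last_activity > IDLE_TIMEOUT_S:
            self.open = False

    def send(self, now: float, dst: Controller, tag: str, value: float) -> None:
        self.tick(now)
        if not self.open:
            raise ConnectionError("socket closed after idle timeout")
        dst.database[tag] = value
        self.last_activity = now


def report_by_exception(net: Network, remote: Controller, var: str, value: float, now: float):
    """One exchange. Returns (controllers that heard the announce, session or None)."""
    if not remote.notable_change(var, value):
        return [], None                          # nothing notable: stay silent
    heard = net.broadcast(remote)                # "node NN has information" announce
    housing = next((n for n in heard if n.segment == net.housing), None)
    if housing is None:
        return heard, None
    # the housing controller answers with its own broadcast carrying its IP; the
    # remote then opens a socket to that IP, addressing by IP rather than node value
    session = Session(remote.ip, housing.ip, last_activity=now)
    session.send(now, housing, remote.tag_for(var), value)
    return heard, session


def build_demo(segmented: bool):
    """Constructed topology: one housing platform and three remote platforms."""
    net = Network("housing", segmented)
    housing = Controller(node=0, ip="10.0.0.1", segment="housing")
    remotes = [Controller(node=i, ip=f"10.0.{i}.2", segment=f"remote{i}") for i in (1, 2, 3)]
    net.nodes = [housing, *remotes]
    return net, housing, remotes
```

Running `report_by_exception` on the flat topology shows every platform receiving the announce, which is the cross-platform visibility the text calls unacceptable; on the segmented topology only the housing controller hears it, and a value inside the deadband produces no traffic at all, which is the saturation relief the report-by-exception design is after.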


directly from the remote platforms to the housing platforms, which meant that the remote platforms could only see the housing platform, and not the other remote platforms. Another advantage to using the switch is that it allowed for transferring of the IP addresses by hardware instead of by tables as commonly done with routers. As a result, the flow of information is faster and more secure, since the broadcast messages cannot be modified.

3.2 Modbus redundant communications networks

A very important technical requirement for the control system, and one that presented a problem, was the ability to use redundant Modbus serial communication cards, which, by design, can handle only one master controller (in this particular control system, the RTP 2200 was designed to be the master and the device equipment the slaves). PEMEX requested redundant communication and redundant cards. By design, the RTP 2200 fulfilled this request because the dual redundant hybrid control system assigns one card in the primary rack as the primary and another card in the redundant rack to be the standby. With the redundant configuration, each rack has 16 cards with two serial ports each, for a total of 32 serial ports. This redundancy is a unique characteristic of the RTP 2200 and was a critical factor in our decision to select the RTP 2200 for use in this application.

3.3 Communication networks to intelligent instruments using Hart

A requirement for the system was to provide personnel with the ability to transfer information from field instruments on the remote platforms to the main platform using report by exception. As shown in figure 7 on the next page, in order to accomplish this task, PEMEX selected the Hart, multi-drop, serial communication protocol along with an external Director II RTU from Arcom Control System. The Director II RTU provides high communications capabilities, and features four serial ports and one Ethernet TCP/IP network port. Using Hart and Modbus protocols, the Director II RTU is also used to transfer the Modbus information from the TMR safety systems. Finally, IP addressing and protocol encapsulation are accomplished using Ethernet.


Figure 7 Shown: Arcom Director—used for Hart and Modbus transfer; and serial communications DCS

CONCLUSION

The offshore oil and petroleum industry in Mexico is working to implement new technologies in system information and process control. During this period of transition, we have been highly involved in evaluating various new hardware and software technologies, both from an implementation standpoint as well as from a service, support and experience standpoint. A critical application, such as automating PEP's remote offshore oil platforms, requires high availability and a highly reliable control solution, like the RTP 2200. The RTP 2200 is capable of managing a wide variety of process controls, including:

• PID control
• Active redundancy
• Modbus and Hart communication
• Analog and digital control
• Standard IEC 61131 programming software
• Ethernet communication
• Redundant analog output
• Online modifications

With its long and successful history serving the nuclear industry, RTP Corporation has designed its RTP 2200 to be a powerful, redundant hybrid control system that is also ideally suited for the oil and gas industry.