MTS’s 7 Pillars of DP Redundancy
A slight alteration of the picture in the excellent, free MTS DP guidelines available at dynamic-positioning.com. “Incident free DP operation” is an ideal not an engineering reality so I corrected it.


Intro: The Marine Technology Society DP Committee’s (MTS) excellent and free dynamic positioning (DP) design and operation guidelines introduce their seven pillars of redundancy. I’ve never really been comfortable with those pillars. I’m not sure there is anything wrong with them but I find them to be awkward - they are not quite how I approach the subject. Perhaps it is a difference in terminology, natural language vs slightly different forced meanings, or thinking of systems as an integrated whole rather than piecemeal. I’m probably not the only one with this difficulty, so let’s look at each abstract pillar and apply them to some real systems.


Redundant: We should probably start by defining what redundant is. Redundant could just mean duplicated systems that do the same thing and are unlikely to fail together. If one fails, the other usually gets the job done. That is a realistic definition but a more idealistic definition reveals the overall design and operation goal - duplicated systems, each of which is capable of doing a task together or independently, and are truly independent with no common failure modes. If one fails, the other always gets the job done. These ideal systems do not exist but they are an important goal to understand. In the real world, we want this to be true within certain probability limits, but those are beyond the scope of this article, so let’s keep things simple and keep the goal in mind. Redundancy can greatly improve the trustworthiness of reliable systems.


3 Systems: Let’s consider three DP functions that we need to be redundant. In order to maintain position, we need to know where we are, so we need redundant position references. Something needs to control the DP system, so we need redundant controllers. The controllers need power, so we need redundant power supplies – let’s say uninterruptible power supplies (UPSs). In the ideal case, none of those should have common failure modes. We could perform a similar look at thrusters, power generation, power distribution, system sensors, etc. but three simple systems are easier to look at than dozens.


7 Pillars: We will compare each MTS redundancy pillar against UPSs, position references, and DP controllers. The seven MTS pillars of redundancy are autonomy, independence, segregation, differentiation, fault tolerance, fault resistance, and fault ride through. It’s not that they don’t define what they mean by each one, but as a natural English speaker, I trip over the attempted differentiation of normal synonyms and prerequisites for independence or redundancy. I use the concepts all the time but couldn’t tell you the MTS names for them. It’s obviously clear to the writer but I find it confusing, so let’s look at each one.


Autonomy: This is a familiar term from autonomous vehicles and autonomous groups. It means a sub-system can control itself and operate on its own to reliably achieve appropriate goals. MTS expects minimum common control functions and support systems.

  • The two UPSs should have separate control systems and power supplies but each might receive an isolation command from the emergency shutdown system (ESD) based on gas detection. UPS autonomy would require the ESD control to be distributed, separated, and validated to avoid a common fault. UPSs with common controllers, control functions, or power supplies are not autonomous. This does not discuss fault handling or other common elements, such as HVAC, but they are implied.
  • The two position references cannot be dependent on the same controller, power, or system references. There can be no master controller or common contributing controller or reference influencing both. Their data cannot be polled, as this interrupts the process and may provide a common fault. Two DGPSs can be autonomous but they are not redundant or independent as they depend on common signals from other computers. They may not even be autonomous, if they have common design or manufacturing problems, so DGPSs from different manufacturers are preferred.
  • Two Kongsberg DP controllers are never fully autonomous, as each monitors the other for faults and takes over if the other is faulty. Faults in this process can disrupt the control of both controllers. Distributed networks and control systems can similarly threaten autonomy. This is generally accepted, because they are useful, efficient, and the risk of failure is considered low, but should be kept to a minimum. Autonomy cannot be fully achieved in hierarchical control, but designs should aim to maximise autonomy.


Independence: If something is truly independent then it has no common dependencies or faults. Game over. We are done. A single pillar has achieved all. This isn’t what MTS means. They expect minimum common control functions and support systems. Sound familiar? Autonomy and independence are synonyms and there is a lot of overlap in MTS’s discussion. It might be fair to say that MTS “autonomy” leans more towards control independence, while MTS “independence” leans toward support system independence and recommends each major individual element have separate support. It is preferred that each diesel generator or thruster have its own control, control power, cooling, lubrication, etc.

  • The UPSs aren’t the best example as they are normally used to provide the independence from the power system. The UPSs are meant to block noise and faults from the main power system and provide cleaner, regulated power to the loads. MTS “independence” would expect more and smaller UPSs to support each engine, thruster, or switchboard section. Fewer, larger UPSs increase the risk of a common fault taking out a group of equipment. This might be limited to a single redundancy group, but individual failures are still preferable to that of a whole group.
  • Two DGPSs are not independent, as they have a common dependency on satellite and correction signals. This doesn’t appear to be what MTS means, if they have separate control and support systems. A hydro-acoustic position reference (HPR) can be mostly independent of a DGPS.
  • Some old DP designs used to supply both DP controllers from each power supply and both Ethernets. Dedicating one supply and network to each controller increased controller independence and reduced the chance of common faults through those interconnections.


Segregation: We all know what this means, from sins of the political past to disease control in the present, separation is used to prevent the transmission of perceived faults. DP3 compartment segregation immediately jumps to mind, as a means to limit fire or flood faults to a single redundancy group. MTS means something different. They mean that redundant groups should be independent or at least minimize interdependencies.

  • There needs to be at least one UPS for every redundancy group and they should avoid feeding common loads. Common loads and environments can be accepted with adequate protection but should be avoided where possible as the protections are difficult to verify and maintain.
  • Two DGPSs can’t really be segregated, due to their common external dependencies, despite separate controllers and support systems. An HPR and DGPS can be, but this might be degraded by DP controller fault handling.
  • In a two-split, we have a DP controller for each redundancy group. In a three-split, it’s possible but may not be available. In a four-split, it isn’t available. With duplicated hardware and firmware, and a common operating environment, DP controllers are not going to give us any real segregation.

MTS “segregation” is a scaling back of ambitions and reemphasis of the importance of maintaining redundancy group independence, after recommending as much individual independence as possible in MTS “autonomy” and “independence”. Where independence cannot be established, effective protection must be proven and maintained.
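The independence and segregation questions above (do two nominally redundant elements share an upstream dependency, such as the ESD, the GNSS constellation, or a common firmware image?) can be audited mechanically. The following is an added example, not from the article or from MTS: it models a constructed dependency graph for the three systems discussed (UPSs, DGPS/HPR references, DP controllers) and reports every shared transitive dependency between a declared redundant pair. All component names and links are assumptions chosen to mirror the article’s discussion.

```python
from collections import deque

# Constructed dependency graph (assumed, not a real vessel): each key is a
# component and the set is what it directly relies on. Shared upstream items
# are the candidate common failure modes the article warns about.
DEPENDENCIES = {
    "UPS-A": {"SWBD-A", "ESD"},            # both UPSs take an ESD isolation command
    "UPS-B": {"SWBD-B", "ESD"},
    "SWBD-A": {"GEN-A"},
    "SWBD-B": {"GEN-B"},
    "ESD": {"GAS-DETECTION"},
    # Two DGPSs: separate power, but same constellation, corrections and firmware
    "DGPS-1": {"UPS-A", "GNSS-CONSTELLATION", "DGPS-CORRECTION-LINK", "DGPS-FIRMWARE-X"},
    "DGPS-2": {"UPS-B", "GNSS-CONSTELLATION", "DGPS-CORRECTION-LINK", "DGPS-FIRMWARE-X"},
    "HPR-1": {"UPS-A", "TRANSPONDER-ARRAY"},
    "DPC-A": {"UPS-A", "NET-A"},           # one supply and one network per controller
    "DPC-B": {"UPS-B", "NET-B"},
}


def transitive_deps(component, graph):
    """Everything `component` ultimately relies on, found breadth-first."""
    seen, queue = set(), deque([component])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def common_dependencies(a, b, graph=DEPENDENCIES):
    """Sorted list of upstream items shared by a and b; empty means independent."""
    return sorted(transitive_deps(a, graph) & transitive_deps(b, graph))


def audit_redundant_pairs(pairs, graph=DEPENDENCIES):
    """Map each declared redundant pair to its shared dependencies for review."""
    return {pair: common_dependencies(*pair, graph=graph) for pair in pairs}


if __name__ == "__main__":
    report = audit_redundant_pairs([("UPS-A", "UPS-B"), ("DGPS-1", "DGPS-2"),
                                    ("DGPS-1", "HPR-1"), ("DPC-A", "DPC-B")])
    for pair, shared in report.items():
        print(pair, "independent" if not shared else "shares " + ", ".join(shared))
```

Run as a script it prints, per pair, either "independent" or the list of shared items; the two DGPSs show the constellation, correction link, and firmware as common points, while the ESD shows up under every pair because both UPSs feed from the same shutdown signal.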


Differentiation: If your only tool is a hammer, then everything looks like a nail. If everything works the same way, then they have the same weaknesses. Different approaches help identify problems. MTS recognizes this and gives partial credit for improvements, such as different sensor makes or protections.

  • While using different UPSs might prevent the same hidden fault, it is accepted to use the same well-designed type on separated power systems. Given adequate protections, verification, and maintenance, one of the most important differentiations could be staggering the replacement of batteries to ensure each UPS does not have batteries of the same age. One 2-split ship lost its second UPS a few weeks after losing its first and before replacement batteries were available.
  • Two DGPSs lack differentiation, as they use the same principle and those from a common supplier use the same firmware and may have additional common faults. The HPR provides differentiation. A third different reference is needed to decide between the DGPS and the HPR, if they disagree.
  • There is no differentiation in DP controllers. This has been done in some safety critical industries but not in ours. Our differentiation comes from DP operator (DPO) or engineer corrective action, whether stopping or deselecting faulty equipment, or taking independent joystick control.

Differentiation is needed to handle some problems regardless of system independence or protection.


Fault Tolerance/Resistance/Ride-Through: Although broken into three separate pillars, all three fault pillars are about surviving faults. From the names, you might guess that fault tolerance is the ability to operate in a noisy, sub-optimal environment, that resistance is about stopping a fault, and that ride-through is about surviving one. MTS notes that “fault tolerance” can come from eliminating fault paths (“segregation”) or use of protections, but that maintaining and proving protections can be burdensome. So, their “fault tolerance” is stopping faults rather than operating with them. MTS “fault resistance” is about reducing the chances of faults, so the undependable protections are less critical. So, their “fault resistance” is reliability rather than protective functions or barriers. MTS “fault ride-through” is about surviving a fault or at least recovering from one.

  • The UPSs could have MTS “fault tolerance” by being segregated or by having adequate protection from load, supply, and ground faults. The UPSs could have MTS “fault resistance” by having a cleaner supply, more robust construction, a cleaner environment, and less demanding loads. For MTS “fault ride through”, the UPSs need overvoltage protection to survive supply spikes, battery capacity to survive under voltages, and load limiting to survive load faults.
  • The position references don’t fit as well into this model. Differentiation improves MTS “fault tolerance” by giving different weaknesses to each sensor. Sensor improvements improve MTS “fault resistance” by improving the quality of the fix and its reliability. An inertial aided position reference has enhanced “fault ride-through” against quick faults or short delays. In the end, a lot of the fault handling is dependent on the sensor configuration, DP control system, and DPO.
  • This is the main focus of protection from DP controller faults. They cannot be segregated from each other, so protection (MTS “fault tolerance”), reliability (MTS “fault resistance”), and fault detection/correction (MTS “fault ride-through”) are critical. The DPO needs to be careful to avoid putting the system in situations it cannot handle (e.g. quick changes) and ready to identify and take over if it fails.

I find the terminology awkward and think slightly differently than the MTS writer, but all three could be lumped into fault survival.


3 Pillars: I can see why I have been unhappy with the seven pillars before. There are naming problems and overlap, and they could be summarized into three principles – separation, differentiation, and fault survival. There are other things that I want:

  • Duplication – there is no redundant operation without system duplication,
  • Capacity – the ability to do the task at the rate required for long enough,
  • Detection – if you don’t know something is wrong, what can you do?
  • Operation – how something is really operated can be more important than the design or theoretical operations and processes. Culture can be important.

I could add a few more but MTS already knows these things.?They offer other models such as their redundancy, reliability, and resilience; control, monitoring and protection; and performance, protection, and detection triads.?While the seven pillars don’t work for me, they do not exist in isolation and the other guidance helps put people on the right track.

Paul Kerr

Engineering Management Professional | Experienced, Practical, Registered Professional Engineer | Dynamic Positioning Subject Matter Expert (DP SME)

2 years

Judson Heartsill

Upstream Marine Operations Specialist - Drilling, Project, Logistics

2 years

Unless I've missed something... Been a while since I reviewed the documents... I'm not familiar with any MTS material which presents them as "pillars of redundancy". Rather they are presented as pillars of good design which, as you pointed out, incorporates redundancy as a principle.
