PMSing about Testing (Pt1 - Basic Fail Safe & Load Logic)
Introduction: Electrical power management systems (PMSs) need to avoid critical faults to support their vessels’ dynamic positioning (DP) redundancy. Some designs may lack critical PMS faults, such as vessels using direct diesel driven thrusters, some may have few weak areas, due to properly isolated split operation or thruster battery backup, and some designs are highly dependent, such as designs needing closed bus tie redundancy. In most electric-driven vessels, the PMS ranges from somewhat important to vital to redundancy and needs appropriate testing. A supply vessel may require little PMS testing while a drill ship may require a lot, depending on the complexity of the PMS & power systems and their importance to DP redundancy. There are a wide variety of power management system types and configurations, with an equal variety of functions, so any overview of PMS testing will necessarily need adapted to the specific system under test. We’ll take a high-level look at testing common functions and problems, and use the example system in the picture when it makes things clearer. The original article needed broken into separate sections because it was too long, so this first article only looks at basic fail safe and load limiting.
Basic Power Tests: Even though some PMSs are a mere rump of the vessel management or switchboard system, and exist only to tell class that there is one, there are some basic tests that always need done, with any PMS, to verify fail safe. While it is too difficult to test internal fault handling of most modern blackbox systems, each PMS controller should be tested to fail safely when reset or stopped, when control power is lost, when control power is restored, when the control card is pulled, and when data networks are failed (networks are next paragraph). These are all different failure modes, and some may not be applicable to the system being tested (e.g. no reset or stop button, or no card rack). Failing power may require failing two power supplies, or an internal breaker, to each controller. Control power failure testing may be combined with uninterruptible power supply (UPS) output failure testing, but actual, safe, controller power failure is the goal. Failure of one of two supplies should be alarmed, bump-less, and tested both ways. While a typical, 2 split PMS may have two controllers, it is possible for a highly distributed system to have several. These tests should be performed even if the PMS appears to have no dangerous functions. Safe failure of the controller may need repeated during some of the subsequent PMS function tests. E.g. the PMS should be limiting load and the controller is failed, what happens?
Basic Network Tests: Similarly, the failure of data or control connections between controllers or modules needs to be verified to not cause unsafe operating conditions. Again, internal fault handling is difficult and intrusive to test, so testing is normally limited to failing each set of network connections. I say “set” as “dual redundant” networks normally have common failure modes and are effectively a single network with extra hardware redundancy, but not extra setting or signal redundancy. Tests might include failing both connections to the vessel’s main “dual redundant” control network (a single failure most easily simulated with two connector pulls, restore), both internal “dual redundant” control networks (again, simulates a common network fault without having to hire a hacker, restore), dedicated links between the controllers (observe and restore), and the network or serial cards controlling the local communication (e.g. the local Modbus, CANbus, or serial cards, one at a time, restore). Like the basic power tests, these may need repeated during subsequent PMS function tests. E.g. the PMS should still be capable of limiting load with the vessel’s main “dual redundant” control network not available. Vital data is generally transmitted via analog signal or contact voltage to ensure this, and controllers located close to or in the main equipment (e.g. switchboards) to keep the wire lengths short.
Basic Module Tests: These basic fail safe tests may need expanded from controllers into individual cards or modules, depending on system function and configuration. For example, an input/output (I/O) card that interfaces with DG1 will be crucial in tests involving DG1 functions, and will need confirmed to fail safe during different operating modes and PMS functions. E.g. the PMS should be limiting load and the card to online DG1 is failed, what happens? There can be a number of functions where this card’s failure becomes significant, such as asymmetric loading, speed control, synchronization, etc. PMS modules usually use the same power as the controller, but highly distributed systems may have separate supplies. Failure modes of the PMS interface cards or modules are a typical area of weakness, as the PMS design expectations may not match the lower level power control philosophy. Some interfaces of concern will be highlighted in subsequent function test discussions.
Advanced Power Tests: Systems with important control functions, like generator shutdown, load limiting, or speed/voltage control, may need additional power testing to ensure safe electronic failure in unusual voltage conditions. Spikes, brownouts, and grounding faults can cause problems. Ideally, spikes should be blocked by overvoltage protection and not need tested. Safe shutdown, before a voltage sag makes operation unreliable, is usually but not always proven during type approval and requires a variable voltage supply for testing, if a problem is suspected. Older electronic modules may no longer reliably stay safe during a brownout. Usually, this testing is limited to checking power module and UPS protections. Depending on the UPS protections and distribution, the PMS controller may require a power conditioning module (e.g. overvoltage, current limiting, boost, filter, etc.) and the testing of that should be confirmed in the maintenance log, or tested at least every 5 years. Ground faults can have interesting effects, if the system is not consistently and safely grounded, so ground fault testing, by grounding a floating system or biasing what should be a grounded system, is important to ensuring redundancy. Grounds inside the PMS control power distribution should cause alarms or trips, as should grounds outside.
Advanced Network Testing: Beyond simple network failure testing, there are more advanced network tests that can be performed on vital networks to verify noise levels, noise rejection, collision rates, net storm protection, multicast protection, communication mismatch handling, voltage and resistance windows, etc. It is typically easier to assume that both networks can fail and test the effects, but advanced testing can be used to verify network health and protections, and can reduce the likelihood of failure by detecting developing problems. It can’t be used to prove that there can be no such failures - not when operating experience provides so much contrary evidence. Even when it isn’t possible or worthwhile to do this testing, it is worthwhile to see what network health measures the operator can monitor (data load levels, collisions, rejected messages, etc.). Of course, connection to remote access or poor system isolation can leave even the best system subject to malware or external influence. Shore offices like this access, but providers have a habit of overpromising security – nothing stops someone clever getting through secure connections.
Intro to Overload Prevention: One of the major functions of a PMS is to prevent demand from overloading the available power generation. This should include absolute amount of load and rate of loading. It is such a popular and important function that it is commonly duplicated in different PMS systems. For example, the DP system will ramp its thrust demand up and down to stay within set power limits while trying to maintain position. This DP PMS function is normally independent of the main vessel PMS. Similarly, some major industrial mission systems will attempt to stay within power limits, may request start permission, and may reserve power blocks to ensure safe mission function. Examples of such systems include drilling, crane, and pipelay systems. The PMSs of these mission systems are usually subordinate to and dependent on the main PMS, but not always. After all, the industrial mission is the purpose of the vessel, power and DP are part of the means, and it is not safe to overly restrict mission power in some circumstances. The main vessel PMS tries to prevent generator overload by limiting allowed demand based on individual generator load, average bus load or frequency, restricting heavy equipment starts until sufficient power is available, preventing or delaying generator stops if it will overload the remaining generators, automatically starting and connecting generators to prevent overload, tripping non-vital equipment to clear overloads, and triggering fast phase back to rapidly reduce DC drive, or variable speed drive (VSD), loads. Each of those functions is a subject all by itself.
Load Limitation Conflict: With two or more PMSs performing overload reduction and restricting different loads with different priorities, there is a potential for conflict between the systems. The two, three, or more systems need to be coordinated in their action, and that coordination verified during testing. Operating philosophy differences and equipment can change these priorities. For example, one vessel could not be allowed to ever lose power to heave compensation during drilling, so a block of power needed reserved for it before any other system was allowed power. Most vessels don’t have that vulnerability and many reduce mission power before thruster power, as position is more safety critical for their expected missions and equipment. An example might be a huge crane that can hold load without power, slow its motion, or perform an emergency lift with accumulator power, but must not change vessel position during the lift. It is important to understand each vessel’s priorities and ensure the systems reflect them. For example, mission load limitation may start at 90-95% and thruster limitation might start at 95-100% bus load. Main PMS limitation is usually faster than DP or mission PMS, but DP and mission PMSs generally understand their power priorities better than the main PMS and can allocate the available power to meet those priorities. For example, a particular thruster or hydraulic power unit may need the available power more than the others. The best way to test this is to first confirm correct operation of each PMS, and then test them together. If the main PMS limits some systems at 90% load, the mission PMS limits at 95% load, and the DP PMS limits at 100% load, then reducing one PMS’s limit to 80% allows that PMS’s function to be tested separately from the others.
DP PMS: We will start with the DP PMS, as it is the simplest example. We will begin by looking at the DP power mimic and comparing it with the PMS, vessel management, and alarm system mimic. Is it laid out and numbered the same or can the differences cause operator confusion? Is the layout and display poor? Are the load values and breaker states on the DP mimic the same as on the other mimics? Vary the load and configuration to ensure each value actively matches. The DP PMS signals are typically not redundant, so operators need to regularly compare mimic values to ensure safe operation.
DP PMS Bus Load Limiting: We will set load limit to 80%, so the DP PMS functions can be tested independent of the other systems. Using our pictured system as an example, we will open the bus ties and make the bus bar loading uneven by stopping DG3, emergency stopping diesel generators (DGs) 2&3 so they can’t be started, tripping the starboard, aft, azimuth thruster (T4), and starting DG5, so the stbd switchboard bus has less load and more power. Thruster bias or partial joystick control will then be used to increase thruster load as high as possible. DG1 should not be able to go past 80% load and DGs 4/5/6 & T2 should not be affected by the power limit on the port switchboard bus. DGs 2&3 should have similar results to DG1 when each is tested. Reversing the power/load imbalance (1 thruster & 3 DGs port, 2 thrusters & 1 DG stbd) and repeating the test for each starboard switchboard bus DG should find similar results. With DG6 and the stbd bus limited to 80%, fail the DG6 breaker’s digital input into the DPC card (or appropriate manufacturer designation & location). Newer systems generally recognize that DG6 load and T2&4 running means the breaker indication is wrong, but older systems may not. Restore the breaker signal and fail the DG6 kW signal. No load reference is available for use in controlling load limitation, so DG6 load increases until it hits the main PMS limit levels. This change in load should be slowly ramped like all DP commands. Restore the load signal and watch load ramp back down to 80%. Synchronize the two buses together and close the bus ties. The power limit on the stbd bus generator and thrusters should disappear and not affect the port bus, as there is now lots of power available. Fail the digital input from one of the bus tie breakers (e.g. to a DPC card) and nothing appears to change. The DP PMS has reverted to split calculation (no redundant contacts in the DPC) but the shared DG load prevents DG6 from having a higher load. Use PMS asymmetric loading to raise DG6 load to 80% or higher and see thrust reduction on T2&4 without affecting T1.
DP PMS DG Load Limiting: Reduce DG6 load and restore the bus tie contact, so the bus is seen as common. Use asymmetric loading to increase DG6 load above 80% and see if all thrusters are power limited. This old function should be disabled, but is still common. If a DG has a speed control problem, this function can stop all thrust until the faulty DG is tripped. Reduce DG6 load, start and connect DG4 & T3, and open the bus ties. Use asymmetric loading to increase DG6 above 80% load and see if T2&4 power is limited and T1&3 unaffected. Restore and repeat with a generator on the other bus. Again, individual DG load reduction should not normally be enabled. Some of the logic for the function is good, a weak DG could be saved until replaced and this might reduce the chance of power failure, but the same function logic allows a healthy but fast DG to seize load and stop all thrust, and this single point failure can cause loss of position. The setting is less critical if the vessel has an advanced generator protection system to quickly and automatically remove the fast DG.
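An added example, not from the article or any manufacturer: a simplified Python model of the DP PMS load limit decisions exercised in the bus and DG load limiting sequences above, useful for writing down expected results before a trial. The 2000 kW ratings, the thruster-to-bus layout, the function names, and the behaviour shown for a system without the breaker plausibility check are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Thruster-to-bus layout inferred from the article's test steps (assumption).
THRUSTERS = {"port": ["T1", "T3"], "stbd": ["T2", "T4"]}

@dataclass
class Gen:
    name: str
    bus: str                  # "port" or "stbd"
    kw: Optional[float]       # None models a failed kW signal
    breaker_di: bool = True   # breaker-closed digital input seen by the DP PMS
    rated_kw: float = 2000.0  # constructed rating

def dp_limit(gens, tie_di_closed, limit=0.80, per_dg=False, plausibility=True):
    """Return (thrusters the modelled DP PMS would limit, fault notes)."""
    faults, online = [], []
    for g in gens:
        if g.breaker_di:
            online.append(g)
        elif plausibility and g.kw:
            # Load measured behind an "open" breaker: the indication is wrong.
            faults.append(f"{g.name} breaker indication implausible")
            online.append(g)
    # A failed bus tie input reads open, so the calculation falls back to split.
    groups = [("port", "stbd")] if tie_di_closed else [("port",), ("stbd",)]
    limited = set()
    for buses in groups:
        members = [g for g in online if g.bus in buses]
        if not members:
            continue  # assumed: no generator seen online, nothing to limit against
        if any(g.kw is None for g in members):
            faults.append(f"no kW reference on {'+'.join(buses)}")
            continue  # no load reference, so limiting is left to the main PMS
        total = sum(g.kw for g in members) / sum(g.rated_kw for g in members)
        over = total >= limit
        if per_dg:  # older per-generator function the article advises disabling
            over = over or any(g.kw / g.rated_kw >= limit for g in members)
        if over:
            limited.update(t for b in buses for t in THRUSTERS[b])
    return sorted(limited), faults

def plant(dg6_kw, others_kw=500.0, dg6_di=True):
    """Constructed snapshot: DG1-3 on the port bus, DG6 alone on the stbd bus."""
    port = [Gen(f"DG{i}", "port", others_kw) for i in (1, 2, 3)]
    return port + [Gen("DG6", "stbd", dg6_kw, dg6_di)]

if __name__ == "__main__":
    print(dp_limit(plant(1700), tie_di_closed=False))                # split bus, DG6 at 85%
    print(dp_limit(plant(None), tie_di_closed=False))                # DG6 kW signal failed
    print(dp_limit(plant(1700, dg6_di=False), tie_di_closed=False))  # DG6 breaker input failed
    print(dp_limit(plant(1700), tie_di_closed=True, per_dg=True))    # per-DG limit, common bus
```

With the bus seen as common, the per-generator option limits all four thrusters on one heavily loaded DG, which is the single point failure described above.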
DP PMS Other: I’ve not seen any DP PMS with reactive power or frequency limitation, or active functions that affect the power plant through more than thruster load. Some DP systems monitor thruster load (an excellent source of thrust magnitude feedback fault detection) and can use these values in their power data validation. Some of the previous testing sounds basic but sometimes mistakes are found. Some problems are hidden by the usual even loading, but the unbalanced power systems used in the test make it easier to see the power limit logic at work. Vary the DGs tested and sample size. This is just an example of the test logic and expected results. Other tests are possible. For example, what happens with two parallel DGs and one lost kW signal? Different DP manufacturers’ systems and setups will cause variation in the expected results.
Mission PMS Load Limiting: The power management functions associated with the industrial mission equipment can vary widely. They can vary from a shadow on the main PMS to coordinated functions to a full-blown independent PMS, but most work closely with and depend on the main PMS. Mission equipment requirements reflected onto the PMS range from a requirement to never limit drill power (unusual and sometimes dangerous but risk can often be mitigated procedurally), to reserved power blocks (similar but usually more flexible and limited), to heavy load start permission requests, to simple load reduction commands, to load available signals, to full mimic information, so the mission PMS and operator can make their own decisions. We will currently limit ourselves to systems that use direct switchboard or main PMS mimic information to act partially independently, like the DP PMS, and cover other potential mission PMS functions in a later article. Like the DP PMS, the mission PMS mimic signals are usually not redundant, but can be, and are sometimes backed up by the previously mentioned functions (e.g. power mimic data for local control and monitoring plus load available signals from each redundant power group, in case the mimic data fails). During new build trials, the interfaces between these systems have often not been fully tested and DP trials may encounter differences in control and signal logic between the systems (e.g. open is closed, high is low, DG1 is DG6, etc.). It may not be possible to fully test some mission load limiting functions, as the major mission equipment usually isn’t fully commissioned until after DP proving trials. Testing interaction between the mission PMS and main PMS, for DP effects, may have to wait until mission system testing. As a result, many DP professionals do not test this interaction and associated problems may not be detected until they have operational effect. Document the need (put it in the DP trial program), so the interaction testing can be done (becomes visible), even if it has to be delayed until the first annual trials. As a minimum, the interface logic and its failure modes should be verified as correct, compatible (e.g. not reverse logic), and safe, when viewed from either side of the interface. The testing described for previous systems gives an overview of what needs done, but the tests will need adapted to the actual systems.
Main PMS Load Limiting: Main PMS load limit testing will be very similar to the previously described DP PMS testing except the PMS mimic will be compared directly to the switchboard, there are many more breakers and variables monitored, many are now directly controlled, and vital signals should be redundant. That last statement doesn’t mean that every signal should be duplicated but the many signals used should provide at least two ways of generating and verifying each critical value. No single signal failure should leave the main PMS unclear if load limiting is needed or not. There are so many signals that failing them all to ensure fail safe and redundancy would be onerous and possibly counter-productive, as it might introduce restoration errors. Samples are recommended to ensure correct system function and careful restoration of function and security of connection always needs confirmed. For load limit testing, breaker closure state and generator load signals are of most interest. While performing the unbalance load limit testing, keep an eye on changing power system configuration and values and continue verifying switchboard and main PMS mimic correspondence, so frozen or delayed values or displays can be caught. The main PMS will usually have additional functions whose testing will be discussed in subsequent articles.
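An added example, not from the article: a Python check over values logged from the switchboard and from a mimic during a varied-load test, flagging the correspondence faults mentioned for the DP, mission and main PMS mimics (frozen or delayed values, reversed logic, swapped tags, plain mismatch). The tag names, sample values, function names and the 2% tolerance are constructed.

```python
def classify(ref, mimic, tol=0.02, max_lag=3):
    """Classify one tag from paired samples (ref = switchboard, mimic = display)."""
    if all(isinstance(v, bool) for v in ref + mimic):       # breaker states
        if ref == mimic:
            return "ok"
        # Only call it reversed logic if the breaker actually changed state.
        if len(set(ref)) > 1 and all(r != m for r, m in zip(ref, mimic)):
            return "inverted"
        return "mismatch"
    scale = max(abs(v) for v in ref) or 1.0

    def close(a, b):
        return abs(a - b) <= tol * scale

    if all(close(r, m) for r, m in zip(ref, mimic)):
        return "ok"
    if len(set(mimic)) == 1 and len(set(ref)) > 1:
        return "frozen"
    for lag in range(1, max_lag + 1):
        # mimic[i + lag] showing ref[i] means the display lags the switchboard.
        if all(close(r, m) for r, m in zip(ref, mimic[lag:])):
            return f"delayed by {lag} sample(s)"
    return "mismatch"

def compare(ref_log, mimic_log):
    """Return {tag: finding} for every tag whose mimic does not track its reference."""
    findings = {}
    for tag, ref in ref_log.items():
        result = classify(ref, mimic_log[tag])
        if result == "ok":
            continue
        # "DG1 is DG6": the mimic tracks a different tag's reference instead.
        twins = [other for other, oref in ref_log.items()
                 if other != tag and type(oref[0]) is type(ref[0])
                 and classify(oref, mimic_log[tag]) == "ok"]
        findings[tag] = f"shows {twins[0]}" if twins else result
    return findings

# Constructed log: six samples per tag, load and configuration varied between samples.
REF_LOG = {
    "DG1_kW": [400, 800, 1200, 1600, 1200, 800],
    "DG5_kW": [600, 700, 900, 1100, 900, 700],
    "DG6_kW": [1500, 1300, 1100, 900, 700, 500],
    "T2_kW": [300, 600, 900, 1200, 900, 600],
    "T4_kW": [200, 500, 800, 1000, 700, 400],
    "BT_port_closed": [True, True, False, False, True, True],
}
MIMIC_LOG = {
    "DG1_kW": REF_LOG["DG6_kW"],                # swapped with DG6
    "DG5_kW": [605, 695, 900, 1100, 905, 700],  # within tolerance
    "DG6_kW": REF_LOG["DG1_kW"],                # swapped with DG1
    "T2_kW": [300] * 6,                         # frozen display
    "T4_kW": [200, 200, 500, 800, 1000, 700],   # one sample late
    "BT_port_closed": [False, False, True, True, False, False],  # reversed logic
}

if __name__ == "__main__":
    for tag, finding in compare(REF_LOG, MIMIC_LOG).items():
        print(f"{tag}: {finding}")
```

The frozen and inverted findings only appear because the constructed log varies load and breaker state; a log taken at steady, even loading would hide them.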
Coordinated Action: Once all the PMS systems are tested, their coordinated load limiting can be tested. Usually the main PMS acts first and quickly while the mission and DP PMSs act later and more slowly in their particular areas of concern. If the main PMS fails to act (controller failed, module failed, etc.), the other PMSs can act as backups. This should always be true of the DP PMS and should be true of independent mission PMSs, but may not be directly applicable to many simple mission PMSs. Failure of DP or mission PMS load limiting should not affect main PMS power limiting. Tests need performed to demonstrate each of these requirements and overall coordination.
Conclusion: This provides the first look at and first article on PMS testing. I apologize for writing too much, for not writing enough, and for breaking the subject into multiple articles. This article is too long and yet not fully detailed, as it had to be flexible for multiple systems and the description of later system testing was condensed to limit article length. I was daft when I thought I could write a single article on PMS testing, when my article on the DP box test was already 40% longer than my writing goal. I hope some of the article’s information was useful and informative to you. Feel free to share your insights, experience, and questions in the comments.