
Application Note (Note d'application)

info@redcamex.com www.redca.com

Implementation of a Fault Tolerant Controller for Offshore Platforms Control


Mr. Victor Machiavelo Salinas, REDCA, Mexico D.F., Mexico, November 2006
ABSTRACT

Over the last few years, Petróleos Mexicanos (PEMEX) has carried out an intense modernization effort in all of its facilities around the country. As part of the modernization project, automation and optimization of the control equipment, instrumentation and communications play a fundamental role.

INTRODUCTION

The purpose of this paper is to describe in general terms the strategy being used by PEP (PEMEX Exploración y Perforación, Exploration and Drilling) for automating its remote offshore platforms located just outside the oil camp of Cantarell. Remote drilling platforms are marine installations whose main function is to extract oil and natural gas from the wells. They are part of a marine offshore complex that includes different kinds of platforms: habitation, production, compression, link, and communications. Remote platforms are separated from the rest of the complex, normally by two to six kilometers (one to four miles), and communicate with the complex via radio systems, microwaves and frequency links to the habitation platform, which has a master controller that can communicate with the other remote platforms within the marine complex. The remote platforms have between three and eight extraction wells and are unmanned: no people live on them. As a result, the reliability and availability of the control systems and instrumentation are fundamental not only to the security and safety of the entire installation, but also to maintaining the oil field's production and protecting the environment. The project involved automating 23 remote platforms belonging to six different marine complexes in the Cantarell Field. Although the complete project includes different levels of automation of the complexes, this document only describes the automation of the six remote platform complexes shown in Figure 1.

Figure 1: General diagram of the project, showing the six remote platform complexes

www.safetyusersgroup.com


IMPLEMENTATION

As previously indicated, remote platforms are the output points of gas and oil. Since they are unmanned, it is imperative that the control system has high availability and is extremely reliable. To achieve this goal, PEMEX requested a fault-tolerant control system that met the following requirements:
1. The control system must have active redundancy in its controller (CPU), power supplies, communications to inputs and outputs, and communication to the habitation platforms.
2. The system must be able to combine input/output modules in single and redundant configurations.
3. Redundancy of analog inputs and outputs must be built into the system without intermediate devices or relays to transfer the outputs. The transfer must be bumpless, completed without disturbing the process.
4. Redundancy of digital inputs and outputs must likewise be built in without intermediate devices or relays to transfer the outputs, and the transfer must be bumpless and without process disturbance.
5. The system should have redundant communication channels to the habitation platforms, allowing bi-directional transfer of information while only one of the communication ports carries the traffic.
6. The system should integrate up to 32 Modbus-type serial ports, which should operate redundantly while communicating with PLCs and intelligent valves.
7. The system should be able to integrate HART-type transmitters with digital communication.
8. All devices in the system should be removable on-line with power applied.
9. The system should be designed for a marine environment subject to high temperatures, vibration, humidity and corrosion caused by extreme weather conditions.
10. The system should communicate on request or by report by exception, for example transferring data only when notable changes occur.


THE SOLUTION

After an intense evaluation of different distributed control systems (DCS), programmable logic controllers (PLC), remote terminal units (RTU) and hybrid control systems (HCS), the company in charge of the integration and construction of the system decided to use a hybrid control system, model RTP 2200, manufactured by RTP Corporation of Pompano Beach, Florida. Figure 2 shows the general architecture of each remote platform.

Figure 2: Remote platform system architecture


The main characteristics of the RTP 2200 system are:
- Hot-standby redundancy with floating master
- Redundant CPUs and power supplies
- Intel 586 processor at 133 MHz, 16 MB RAM and 16 MB flash memory
- Redundant Ethernet communication at 10 Mbps, 10BaseT or 10Base2 connections
- Parallel communications bus (RTPBUS) to the input and output racks, transferring 16 bits per microsecond
- Hot insertion of all system components
- Redundant input and output modules, including analog signals
- Active diagnostics (watchdog) on all system cards
- On-line and off-line configuration
- Programming and configuration through a single IP address
- Self-programming of a CPU inserted after a fault
- Automatic synchronization of variables on every scan
- Redundancy with fault-tolerant and fail-safe design
- High processing speed: at least 300 PID loops per second
- Programming software according to IEC 1131
- 16-bit high-resolution cards
- High common-mode noise rejection (CMRR) of 80 to 140 dB
- Low energy consumption: 30 percent less than a similar system
- Small size: 50 percent smaller than similar systems
- IE approval for nuclear application requirements

The system implementation addressed three fundamental technical issues:
1. Controller redundancy
2. Redundancy in input and output modules
3. Communications

1. Controller Redundancy

Figure 3 shows the functional scheme of RTP 2200 operation, which proceeds as follows:
a. The processors are turned on.
b. The bus switch card assigns the first controller to receive power as the master.
c. The next controller is assigned as the slave.
d. The master controller assumes control over the outputs and the communications functions.
e. The slave controller only monitors and operates as a mirror of the master, and cannot access the output modules.
f. If the master controller fails in its CPU, communications, power source or input/output bus, a switchover occurs and the slave controller automatically assumes the role of master.

Because each rack side of the RTP 2200 is independent, the bus switch card is the only link between the two processors. This card is fed by the system's two power supplies but draws from only one of them at a time. The bus switch card handles transfers, diagnostics and communication with the single (non-redundant) input and output bus, while each controller operates its own redundant bus.


Figure 3: RTP 2200 redundancy block diagram

An important characteristic of this redundancy is that each controller can act as a floating master, so the system never has to be addressed at two different IP addresses. The redundancy also allows the system to re-educate the failed controller when its replacement is reinserted. Each controller can manage its own input and output bus, the slave bus and the common bus of single (non-redundant) inputs and outputs. Each controller observes and diagnoses the Ethernet communication of its counterpart, so the network is monitored continuously by both controllers. If communication is interrupted on the primary controller, the secondary controller, which is listening to the primary's communication, sends a message to the bus switch card to make the transfer, and the secondary controller then takes over as primary.
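The floating-master behaviour just described (first powered controller becomes master, the standby mirrors variables every scan, the standby requests a transfer through the bus switch card when the master's heartbeat disappears, and a hot-replaced card is re-educated before joining as standby) can be followed in a small scan-cycle model. This is an added illustration written for this page, not RTP Corporation code; the watchdog threshold `WATCHDOG_MISSES`, the single abstract scan per tick and the hold-last-value behaviour of the bus during a transfer are assumptions.

```python
"""Scan-cycle model of the floating-master hot-standby scheme described above.

Added illustration, not RTP Corporation code.  Assumptions: one abstract
scan per tick, the standby declares the master lost after WATCHDOG_MISSES
consecutive missed heartbeats, and the bus switch card holds the last
outputs on the I/O bus while a transfer is in progress."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WATCHDOG_MISSES = 2   # assumed threshold; the text only states transfer in under 3 ms


@dataclass
class Controller:
    name: str
    faulted: bool = False                    # CPU, communications, power or I/O-bus fault
    program: Optional[str] = None            # application program loaded in the CPU
    variables: Dict[str, float] = field(default_factory=dict)

    def heartbeat(self) -> bool:
        """Watchdog signal seen by the bus switch card and by the other controller."""
        return not self.faulted


@dataclass
class BusSwitchCard:
    ip_address: str                          # single IP, owned by whichever CPU is master
    master: Optional[Controller] = None
    standby: Optional[Controller] = None
    outputs: Dict[str, float] = field(default_factory=dict)   # last values on the I/O bus
    missed: int = 0
    events: List[str] = field(default_factory=list)

    def power_on(self, *ctrls: Controller) -> None:
        """The first controller to receive power becomes master, the next one standby."""
        for c in ctrls:
            if self.master is None:
                self.master = c
                self.events.append(f"{c.name} master")
            elif self.standby is None:
                self.standby = c
                self.events.append(f"{c.name} standby")

    def scan(self, tick: int, computed: Dict[str, float]) -> Dict[str, float]:
        """One scan: the master drives the outputs and mirrors its variables to the
        standby.  If the master's heartbeat is missing, the standby counts misses and
        requests a transfer once the watchdog limit is reached."""
        if self.master is not None and self.master.heartbeat():
            self.missed = 0
            self.outputs = dict(computed)
            self.master.variables = dict(computed)
            if self.standby is not None:
                self.standby.variables = dict(self.master.variables)  # sync every scan
            return self.outputs
        # master lost: outputs are held until the transfer completes
        self.missed += 1
        if self.missed >= WATCHDOG_MISSES and self.standby is not None:
            self.master, self.standby = self.standby, None
            self.missed = 0
            self.events.append(f"tick {tick}: transfer to {self.master.name}")
        return self.outputs

    def reinsert(self, replacement: Controller) -> None:
        """Hot replacement: the active program and variables are copied to the new
        card (re-education) and it joins as standby."""
        replacement.program = self.master.program
        replacement.variables = dict(self.master.variables)
        self.standby = replacement
        self.events.append(f"{replacement.name} re-educated, standby")


def run_scenario() -> dict:
    """Master fault at tick 3, transfer, then hot replacement of the failed card."""
    a, b = Controller("CPU-A", program="well_control_v1"), Controller("CPU-B")
    bus = BusSwitchCard(ip_address="10.0.0.10")
    bus.power_on(a, b)
    b.program = a.program                    # standby mirrors the master's program
    held = None
    for tick in range(8):
        computed = {"valve_pct": 40.0 + tick}   # control-law output for this scan
        if tick == 3:
            a.faulted = True                 # master loses its CPU mid-run
        out = bus.scan(tick, computed)
        if tick == 3:
            held = out["valve_pct"]          # value frozen on the bus at the fault
    bus.reinsert(Controller("CPU-A2"))
    return {"master": bus.master.name, "standby": bus.standby.name,
            "held_at_fault": held, "final_output": bus.outputs["valve_pct"],
            "standby_program": bus.standby.program, "ip": bus.ip_address,
            "events": bus.events}
```

Running `run_scenario()` shows the three properties the text emphasises: the outputs keep their last value (42.0) across the fault instead of dropping, the IP address does not change when CPU-B becomes master, and the replacement card receives the running program before it is allowed to act as standby.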


When looking at the RTP 2200 chassis, it is important to remember that although there appears to be a single rack, there are really two racks that are electrically isolated. With the exception of the bus switch card, which is fed by both power supplies, the power supply on each side feeds only that side's CPU and its I/O (E/S) and communication cards.

The bus switch card is responsible for transferring control from the primary CPU to the secondary. It has two first-in, first-out (FIFO) memories used to send data to each CPU, and a register area that lets the two CPUs share data and states. The two CPUs continuously check the state of the bus switch card, which has its own watchdog timer. If the bus switch card fails, the primary controller continues to operate and handle its input and output bus. Note that the bus switch card is not an electromechanical device; it is an electronic card with a high level of diagnostics.

The RTP 2200 is a redundant system with fault-tolerant and fail-safe design. When a failure occurs in the main controller, the secondary controller assumes control in less than three milliseconds, and the I/O signals are held during that time. The failed controller can be replaced hot; when it is, diagnostics are run on the new controller, and once a correct state is detected the bus switch card transfers the program of the active controller to it and it becomes the secondary controller. Because loading new programs and updating can be done on-line, the output state is necessarily affected. Depending on the process design, RTP 2200 users have two options for handling this change of state: freeze the outputs until the new program is loaded, or drive them to zero.

2. Input and Output Module Redundancy

Figures 4 and 5 show the two options available for redundant input and output modules in the RTP 2200 system.
Option 1 (Figure 4): redundancy in the analog and digital inputs with active primaries and the redundant cards on hold. It operates as follows:
a. The active controller reads and performs its control functions using the input and output racks belonging to the active (primary) bus.
b. In the case of the digital inputs, both racks are considered primary, both are wired in parallel, and both are active; however, only the primary rack is read, and the controller has software routines to transfer from one rack to the other.
c. In the case of the analog inputs, one card is assigned as primary and the other as secondary. Both cards check each other with the watchdog timer in case the primary card fails. If a failure occurs, the bus switch card transfers the controller operation and the secondary card takes control.
d. In the case of the digital and analog outputs, a hot-standby configuration is used in which one card is active and one card is on hold. This configuration can cause minor bumps in the output signal when a transfer from the active card to the redundant card is made.

Figure 4: RTP 2200 I/O redundancy, option 1

Option 2 (Figure 5): in this configuration both input and output racks are active in a dual configuration; only one rack is designated as primary, the other is secondary, and each card has a watchdog to check its electronic state. Because both the input and output racks are active, the information in the redundant card is the same as in the primary card. As a result, there is no bump in the output signal when a transfer is made.

Figure 5: RTP 2200 I/O redundancy, option 2
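The difference between the two output options (a minor bump on transfer with a hot-standby card, none when both cards are active) comes down to whether the card that takes over is holding the same value the active card was driving. The following model, added for this page and not RTP Corporation code, makes that visible on a constructed ramp signal; the assumption that the on-hold card in option 1 only refreshes every `SYNC_PERIOD` scans is mine, chosen to give the standby card a stale value at the moment of the transfer.

```python
"""Model of the two analog output redundancy options described above (Figures 4 and 5).

Added illustration, not RTP Corporation code.  Assumption: in option 1 the
on-hold card refreshes its held value only every SYNC_PERIOD scans, so it can
lag the active card; in option 2 both cards are written on every scan.  The
signal is a constructed ramp in percent of valve travel."""
from typing import List, Tuple

SYNC_PERIOD = 4   # assumed refresh interval of the on-hold card in option 1


def ramp(n: int) -> List[float]:
    """Constructed control signal: a ramp 0, 1, ..., n-1."""
    return [float(i) for i in range(n)]


def run_option(signal: List[float], fail_at: int, dual_active: bool) -> Tuple[List[float], float]:
    """Simulate a transfer from card A to card B at scan `fail_at`.

    Returns the value seen at the field wiring on each scan and the size of
    the bump (step) introduced at the transfer."""
    active = standby = 0.0
    seen: List[float] = []
    bump = 0.0
    in_control = "A"
    for tick, value in enumerate(signal):
        if in_control == "A":
            active = value
            if dual_active or tick % SYNC_PERIOD == 0:
                standby = value            # both cards written, or periodic sync only
            if tick == fail_at:
                # card A fails: its watchdog hands the output over to card B,
                # and the field sees whatever B was holding at that moment
                in_control = "B"
                bump = abs(standby - active)
                seen.append(standby)
                continue
            seen.append(active)
        else:
            standby = value                # card B now drives the output directly
            seen.append(standby)
    return seen, bump


def compare(fail_at: int = 6) -> dict:
    """Run both options on the same signal with the same fault."""
    signal = ramp(10)
    seen1, bump1 = run_option(signal, fail_at, dual_active=False)
    seen2, bump2 = run_option(signal, fail_at, dual_active=True)
    return {"option1": {"seen": seen1, "bump": bump1},
            "option2": {"seen": seen2, "bump": bump2}}
```

With the fault at scan 6, option 1 briefly drives the field back to 4.0 (the value the standby card last received) before card B catches up, a bump of 2.0 percent; option 2 drives 6.0 on the same scan with no step at all. How large the option 1 bump is in practice depends on how stale the on-hold card is allowed to become.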

3. Communications

The communications networks in the system fall into three categories:
3.1 Communication networks between remote and housing platforms
3.2 Redundant Modbus communication networks
3.3 Communication networks to intelligent instruments using HART

3.1 Communication networks between remote and housing platforms

A number of critical issues must be addressed for communications between the remote and housing platforms to be effective:
- Redundant communication
- Bi-directional communication between remote platforms and housing platforms
- Communication in only one direction over the redundant networks, so that the database in the housing platform is not duplicated
- Management of reports by exception
- Addressing using a single Ethernet TCP/IP address
- Connection to the existing radio system through a serial connection at 19,200 bps
- Network segmentation in the housing platform
- Peer-to-peer communication

As shown in Figure 6, the main challenge was to adapt a technology based on Ethernet TCP/IP networks to a UHF radio system, while keeping in mind that a newer technology such as spread spectrum might be adopted later.

Figure 6: Communications networks between remote platforms and housing platforms

The RTP 2200 system adapted to this challenge naturally, as detailed below:
- The two CPUs of the RTP 2200 controller each have a 10BaseT Ethernet TCP/IP port and are configured with a single IP address.
- The system includes communications diagnostics that allow the CPU in redundant mode to monitor the communication of the main CPU. With this configuration, if communication is interrupted, diagnostics run and the redundant controller tells the bus switch card to transfer from the primary to the redundant controller.
- The RTP 2200 system has two communication protocols:
  1. The RTP 2200 protocol, which allows uploading and downloading of programs, as well as local and remote configuration.
  2. The peer-to-peer communications protocol, which allows transfer of information between controllers on the same network.

With the bi-directional peer-to-peer protocol, information can be transferred from the remote platform to the housing platform and vice versa without any controller having to operate as a master. This eliminated the need to poll each controller to fetch its information, a critical issue when, for example, bandwidth on the network is limited. For this project, addressing and transfer of information use a node number assigned to each controller on the network. The IP address is needed only when a controller has information to send: operating under report by exception, the Ethernet TCP/IP card sends a broadcast announcing that it has information, which the controller in the housing platform detects, as do the other devices on the network.

RTP implemented a simpler and more effective method of locating the information flow between controllers. The variable to be read is identified by a tag prefixed with GV and suffixed with the node number of the variable's owner. For example, if the global variable GV TT20 N01 is placed in the database of the housing platform controller, that controller will accept a report-by-exception broadcast from node 01 and answer with its own broadcast indicating its IP address. When the controller with node number 01 receives the housing controller's broadcast, it sends its information, directing the peer-to-peer message by IP address rather than by node number. A TCP/IP socket is opened briefly in both controllers to carry the transfer. If the socket remains open for more than three seconds, the communication is interrupted and the socket is closed, and the controllers then generate broadcasts again to locate each other. This method is very effective because:
- The network does not become saturated.
- Continuous polling to locate information is eliminated.
- Any controller can initiate the information transfer.
- Communication is ended when there is no further information to transfer.
- Standard Ethernet network devices such as hubs, switches and bridges can be used.
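The exchange above (node-number broadcast, IP answer from the controller that holds the matching GV tag, short-lived socket, three-second limit) is easier to reason about as a message sequence. The following is an added model for this page, not RTP Corporation's protocol implementation: the `GV <tag> N<node>` tag form and the three-second socket limit come from the text, while the deadband that defines an "exception", the message names `HAVE_DATA` and `ACCEPT`, the addresses and the treatment of the three seconds as an idle timeout are assumptions.

```python
"""Model of the peer-to-peer report-by-exception exchange described above.

Added illustration, not RTP Corporation's protocol.  The tag form
'GV <tag> N<node>' and the three-second socket limit come from the text; the
deadband, the message names, the addresses and treating the three seconds as
an idle timeout are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SOCKET_LIMIT_S = 3.0
GV_TAG = re.compile(r"^GV\s+(?P<tag>[A-Z]+\d+)\s+N(?P<node>\d{2})$")


def parse_gv_tag(name: str) -> Tuple[str, int]:
    """'GV TT20 N01' -> ('TT20', 1): global variable TT20 owned by node 01."""
    m = GV_TAG.match(name)
    if not m:
        raise ValueError(f"not a GV tag: {name!r}")
    return m.group("tag"), int(m.group("node"))


@dataclass
class Controller:
    node: int
    ip: str
    database: Dict[str, float] = field(default_factory=dict)   # GV tags this controller holds
    deadband: float = 0.5                                      # assumed exception threshold
    last_sent: Dict[str, float] = field(default_factory=dict)
    socket_open: bool = False
    socket_last_traffic: float = 0.0

    def exceptions(self, readings: Dict[str, float]) -> Dict[str, float]:
        """Report by exception: only tags that moved more than the deadband since last sent."""
        return {t: v for t, v in readings.items()
                if abs(v - self.last_sent.get(t, float("inf"))) > self.deadband}

    def holds_tags_for(self, node: int) -> bool:
        return any(parse_gv_tag(k)[1] == node for k in self.database)


class Network:
    """One broadcast domain; keeps a transcript of every message."""
    def __init__(self, *members: Controller):
        self.members = list(members)
        self.transcript: List[str] = []

    def broadcast(self, sender: Controller, msg: str) -> List[Controller]:
        self.transcript.append(f"{sender.ip} -> *: {msg}")
        return [m for m in self.members if m is not sender]


def report_by_exception(net: Network, remote: Controller,
                        readings: Dict[str, float], now: float) -> Optional[str]:
    """One exchange; returns the IP of the controller that received the data, or None."""
    changed = remote.exceptions(readings)
    if not changed:
        return None                                   # nothing notable: stay silent
    # 1. the remote announces it has data, identified by node number, not by IP
    listeners = net.broadcast(remote, f"HAVE_DATA node={remote.node:02d}")
    # 2. a controller whose database holds GV tags for that node answers with its IP
    peers = [c for c in listeners if c.holds_tags_for(remote.node)]
    if not peers:
        return None
    housing = peers[0]
    net.broadcast(housing, f"ACCEPT node={remote.node:02d} ip={housing.ip}")
    # 3. a short-lived socket addressed by IP carries the values
    remote.socket_open = housing.socket_open = True
    remote.socket_last_traffic = housing.socket_last_traffic = now
    for tag, value in changed.items():
        net.transcript.append(f"{remote.ip} -> {housing.ip}: GV {tag} N{remote.node:02d}={value}")
        housing.database[f"GV {tag} N{remote.node:02d}"] = value
        remote.last_sent[tag] = value
    return housing.ip


def idle_close(c: Controller, now: float) -> bool:
    """Close the socket once it has been open more than SOCKET_LIMIT_S without traffic."""
    if c.socket_open and now - c.socket_last_traffic > SOCKET_LIMIT_S:
        c.socket_open = False
        return True
    return False


def demo() -> dict:
    """Constructed run: one remote platform (node 01), the housing platform, a second remote."""
    remote = Controller(node=1, ip="10.1.1.1")
    housing = Controller(node=0, ip="10.1.0.1", database={"GV TT20 N01": 0.0})
    other = Controller(node=2, ip="10.1.1.2")   # hears the broadcast but holds no tags for node 01
    net = Network(remote, housing, other)
    first = report_by_exception(net, remote, {"TT20": 71.3}, now=0.0)
    second = report_by_exception(net, remote, {"TT20": 71.4}, now=1.0)  # within deadband
    closed = idle_close(remote, now=3.5)
    return {"first": first, "second": second, "closed": closed,
            "stored": housing.database["GV TT20 N01"], "transcript": net.transcript}
```

In `demo()` the first reading produces exactly three messages (the broadcast, the housing controller's IP answer, and the data over the socket); the second reading is inside the deadband and produces nothing, which is the point of report by exception on a bandwidth-limited radio link; and the socket is closed once it has been idle longer than three seconds. Note that in a single broadcast domain the second remote platform (`other`) also hears the `HAVE_DATA` broadcast, the visibility problem that section 3.1 goes on to address with segmentation.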

As shown in Figure 6, the controller has a redundant Ethernet TCP/IP network, and the information is passed to the radios over a 121,200 bps serial connection using two bridges operating at layer one of the OSI/ISO model. It is important to mention that the bridges commonly used in industry include diagnostics and utilities in the communications that can in some cases cause the RTP 2200 controller to ignore the information. Careful selection of bridges is therefore needed for the system to perform properly. As a test, PEMEX installed routers from different companies; however, the routers only limited the flow of broadcast messages, interrupted the communication and introduced delays caused by the transfer operation and the search for IP addresses.

With a single network shared by all the remote platforms and their housing platforms, saturation problems emerge. Moreover, an even more serious security issue arose that PEMEX found unacceptable: personnel on one platform could see and manipulate any of the other five platforms. This was solved by installing a layer-3 switch in the housing platform, which segmented the network and addressed the information. It also allowed data to be transferred directly from the remote platforms to the housing platform, so that the remote platforms could see only the housing platform and not the other remote platforms. Another advantage of the switch is that IP forwarding is done in hardware instead of through tables as routers commonly do. As a result, the flow of information is faster and more secure, since the broadcast messages cannot be modified.

3.2 Redundant Modbus communication networks

A very important technical requirement for the control system, and one that presented a problem, was the use of redundant Modbus serial communication cards, which by design can handle only one master controller (in this control system the RTP 2200 was designed to be the master and the field equipment the slaves). PEMEX requested redundant communication and redundant cards. By design, the RTP 2200 fulfilled this request because the dual redundant hybrid control system assigns one card in the primary rack as primary and the corresponding card in the redundant rack as standby. With the redundant configuration, each rack has 16 cards with two serial ports each, for a total of 32 serial ports. This redundancy is a unique characteristic of the RTP 2200 and was a critical factor in our decision to select it for this application.

3.3 Communication networks to intelligent instruments using HART

A requirement for the system was to give personnel the ability to transfer information from field instruments on the remote platforms to the main platform using report by exception. As shown in Figure 7, to accomplish this PEMEX selected the HART multidrop serial communication protocol along with an external Director II RTU from Arcom Control Systems. The Director II RTU provides strong communications capabilities, with four serial ports and one Ethernet TCP/IP network port. Using the HART and Modbus protocols, the Director II RTU also transfers the Modbus information from the TMR safety systems. Finally, IP addressing and protocol encapsulation are accomplished over Ethernet.
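The segmentation fix described at the end of section 3.1 (a layer-3 switch in the housing platform so that each remote platform can reach the housing platform but not the other remote platforms) can be expressed as a reachability policy and audited. The following is an added illustration for this page, not a vendor switch configuration; the platform names, the `10.10.N.0/24` subnets and the representative host per segment are constructed.

```python
"""Reachability model of the flat network versus the layer-3 segmented network
described in section 3.1.  Added illustration, not a vendor configuration;
platform names and subnets are constructed."""
import ipaddress
from itertools import permutations
from typing import Callable, Dict, List, Tuple

# Constructed topology: the housing platform plus the five remote platforms it serves.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "housing": ipaddress.ip_network("10.10.0.0/24"),
    **{f"remote-{i}": ipaddress.ip_network(f"10.10.{i}.0/24") for i in range(1, 6)},
}
# One representative controller address per segment (first usable host).
HOSTS: Dict[str, str] = {name: str(next(net.hosts())) for name, net in SEGMENTS.items()}


def segment_of(ip: str) -> str:
    """Map an address to the platform segment it belongs to."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is outside every platform segment")


def reachable_flat(src_ip: str, dst_ip: str) -> bool:
    """One shared network: every platform can see and address every other one."""
    return src_ip != dst_ip


def reachable_segmented(src_ip: str, dst_ip: str) -> bool:
    """Layer-3 switch in the housing platform: traffic is forwarded only between a
    remote segment and the housing segment; remote-to-remote is never routed."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return src_ip != dst_ip          # local switching inside one segment
    return "housing" in (src, dst)


def audit(policy: Callable[[str, str], bool]) -> List[Tuple[str, str]]:
    """Every remote-to-remote pair the policy lets through is a finding."""
    remotes = [n for n in SEGMENTS if n != "housing"]
    return [(a, b) for a, b in permutations(remotes, 2) if policy(HOSTS[a], HOSTS[b])]
```

`audit(reachable_flat)` lists all twenty remote-to-remote pairs, which is the condition the text describes as unacceptable (personnel on one platform able to see and manipulate the other five); `audit(reachable_segmented)` returns no findings, while every remote platform can still reach the housing platform. The same audit can be run against an exported access list from a real switch by replacing the policy function with one that evaluates those rules.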


Figure 7: Arcom Director II RTU, used for HART and Modbus transfer and for DCS serial communications

CONCLUSION

The offshore oil and petroleum industry in Mexico is working to implement new technologies in information systems and process control. During this transition, we have been heavily involved in evaluating new hardware and software technologies, from an implementation standpoint as well as from a service, support and experience standpoint. A critical application such as automating PEP's remote offshore oil platforms requires a highly available and highly reliable control solution like the RTP 2200. The RTP 2200 is capable of managing a wide variety of process control functions, including:
- PID control
- Active redundancy
- Modbus and HART communication
- Analog and digital control
- Standard IEC 61131 programming software
- Ethernet communication
- Redundant analog outputs
- On-line modifications

With its long and successful history serving the nuclear industry, RTP Corporation has designed its RTP 2200 to be a powerful, redundant hybrid control system that is also ideally suited for the oil and gas industry.
