The document discusses several incidents involving software errors that led to accidents, including a dropped cable that killed a dockworker due to inconsistent speed readings by sensors, injuries caused by erratic behavior of elevators and bales from an outdated software patch, and a generator trip caused by an unofficial software change made by a vendor. It emphasizes the importance of software configuration management, requirements gathering, failure mode analysis, and change control to prevent such incidents.
This document contains a pre-school exercise book for well control with 769 pages of content across multiple sections. The introduction explains that the exercises were designed to help prepare students for well control school by providing up-to-date self-study questions with answers in the back. Section A contains questions about well control equipment, including blowout preventers, diverters, control systems and their components. Further sections cover topics like causes of kicks, kick indications, shut-in procedures, and example kick scenarios. Formulas for well control calculations are also included at the end.
MESA 2016 Presentation - Mark Spinks - Remote Isolation (Mark Spinks)
Functional safety in mining processes can be improved through the use of remote isolation systems. Such systems make isolations quicker and easier to perform, reducing the risk of human error and removing personnel from hazardous areas. They also allow for more effective maintenance during outages due to faster isolations. Remote isolation systems provide constant monitoring of isolation status to ensure reliability. While requiring upfront investment, the costs of these systems can be quickly offset through increased productivity and plant uptime.
This document provides an overview of testing and verification for integrated circuits. It discusses the different types of testing, including functionality tests, silicon debug, and manufacturing tests, which can occur at various levels from wafer to system level. The document outlines the principles and techniques for logic verification, debugging, and manufacturing tests. It discusses topics like test vectors, testbenches, regression testing, fault models, observability, controllability, repeatability, and survivability.
A quality control for new equipment should start with an acceptance test to verify the equipment meets the specifications given by the vendor. The acceptance test should be performed according to accepted international standards and may require the use of instruments and phantoms not available in the department. The acceptance test forms the basis of the reference tests routinely performed in the department during the life-time of the equipment according to a schedule worked out by the medical physicist in cooperation with the nuclear medicine department. Certain parameters should be tested daily, others on weekly, monthly and yearly basis.
Testing Safety Critical Systems (10-02-2014, VU Amsterdam), Jaap van Ekris
Presentation about the steps required for verifying and validating safety critical systems, as well as the test approach used. It goes beyond the simple processes and also talks about the required safety culture and people. The presentation contains examples of real-life IEC 61508 SIL 4 systems used on storm surge barriers...
2015-05-07 - VU Amsterdam - Testing Safety Critical Systems, Jaap van Ekris
Presentation about the steps required for verifying and validating safety critical systems, as well as the test approach used. It goes beyond the simple processes and also talks about the required safety culture and people. The presentation contains examples of real-life IEC 61508 SIL 4 systems used on storm surge barriers...
DESIGN AND IMPLEMENTATION OF EMBEDDED MONITOR SYSTEM FOR DETECTION OF A PATIE..., Abhishek Somayaji
The document summarizes a seminar presentation on the design and implementation of an embedded monitor system to detect a patient's breath using two webcams. The system uses temporal differencing algorithms and background subtraction on the webcam images to detect chest movement without physical contact. It outputs the breath rate and detects abnormalities to an LCD display. The system uses low-power embedded hardware, is portable, and can send alerts to a hospital if dangerous breathing stops are detected. While it avoids contact and provides privacy, the system is sensitive to environmental changes and cannot fully detect object outlines.
Introduction to Reliability Evaluation Techniques
Reliability Models for Hardware Redundancy: permanent faults only; transient faults
Introduction to clock synchronization
A Non-Fault-Tolerant Synchronization Algorithm
Fault-Tolerant Synchronization in Hardware: completely connected zero-propagation-time system; sparse-interconnection zero-propagation-time system; fault-tolerant analysis with signal propagation delays
The document discusses lightning protection for wind turbines. It covers the new IEC 61400-24 standard which will require lightning testing for entire wind turbine systems. Analysis of lightning damage to over 500 turbines found that delamination and shell debonding were the most common types of damage. Explanations of failure mechanisms show that improper insulation allows lightning leaders to initiate from internal parts rather than just receptors. The presentation emphasizes the importance of robust lightning protection system design, testing, monitoring, and maintenance.
Electronic pills allow for wireless transmission of high-definition video from inside the body. An electronic pill uses ultra-wideband telemetry to transmit video and images from inside the digestive tract to a nearby computer at data rates of up to 100 Mbps. The pill is small in size, has a long battery life of 40 hours, and uses biocompatible materials to avoid harming the body. While electronic pills can detect abnormalities, their resolution is still limited and they cannot perform some medical functions like ultrasound. Future developments aim to improve sensors and physiological analysis capabilities.
2016-04-28 - VU Amsterdam - Testing Safety Critical Systems, Jaap van Ekris
Presentation about the steps required for verifying and validating safety critical systems, as well as the test approach used. It goes beyond the simple processes and also talks about the required safety culture and people. The presentation contains examples of real-life IEC 61508 SIL 4 systems used on storm surge barriers.
Minor project presentation on electric bell.pdf, PARSHOTTAMRAJ
1. The document presents a project on an automatic electric bell circuit using an Arduino board that can replace manually operated bells.
2. The circuit uses an RTC module connected to the Arduino to schedule bell times accurately without human intervention.
3. An automatic bell circuit would save manpower and money compared to manual bell operation while providing more accurate timing.
Artificial Intelligence (AI) and Data Science (DS) are shaping the future of the aviation and space industries. For example, using AI and DS in prognostics and health management can bring a paradigm shift in system reliability and availability as well as improve mission safety. We will talk about how AI and DS improve the prognostics of complex engineering systems and change the maintenance strategy from fail-and-fix to predict-and-prevent. In addition, we will see how data-driven prognostics can be viewed as a forecasting application from an AI and DS perspective, and how AI and DS are involved in remaining-useful-life estimation of complex engineering systems. This enables safe deep space exploration and the development of highly reliable systems without having to design in many redundant components.
The document proposes a methodology for selectively protecting convolutional neural networks (CNNs) deployed on GPUs. The methodology involves three stages: (1) detecting faults at runtime in matrix-matrix multiplication layers, (2) cataloging diagnostics techniques, and (3) selectively applying protections based on diagnostic coverage and performance impact. An evaluation on a Tiny YOLO-v3 object detection network found higher misclassification rates in initial layers and demonstrated diagnostic coverage between 2.61-3.8x network execution time with less than 5% performance impact. The methodology aims to safely deploy CNNs for safety-critical applications.
1) The document discusses fault detection, consequence prevention, and control of defeat for critical systems. It provides information on designing redundancy, diagnostics, and fault tolerance to ensure systems can still function even if a component fails.
2) When taking a critical safety device out of service for maintenance, a formal Control of Defeat process is required to provide alternate protection and notify all relevant parties of the change.
3) Failure to follow proper Control of Defeat procedures when disabling a critical safety device, such as switching off a collision warning system without plans for alternate protection, can have severe consequences like loss of life if an incident occurs.
A detailed overview of endoscope handling and maintenance best practices to ensure maximum uptime and minimize repair costs. The overview covers rigid and flexible endoscopes, terminology, common issues and best practices. The target audience includes physicians, surgical technicians, OR nurses, sterile processing technicians and biomedical engineers.
The main objective of this project is to monitor earthquake activity using a seismic noise detection sensor; the relevant information is displayed on an LCD via an Arduino Uno. The location of the earthquake is identified using an accelerometer.
The document outlines the safe isolation procedure which involves identifying the point of isolation, locking it off with a warning label, testing with approved equipment to ensure no voltage is present, retesting equipment, and isolating secondary energy sources. It recommends seeking permission first if vital services could be interrupted. Key steps include locking isolation points, applying warning labels, thoroughly testing for voltage absence, and isolating backup power sources.
The document outlines the safe isolation procedure which involves identifying the point of isolation, locking it off with a warning label, testing with approved equipment to ensure no voltage is present, retesting equipment, and isolating secondary energy sources. It recommends seeking permission first if vital services could be interrupted and following any permit to work systems. Additional resources like a workflow diagram and best practice guide are available for download to aid electricians in safely isolating energy sources.
Mapping the Tohoku 2011 Tsunami event with a remote sensing satellite constel..., Peter Löwe
1) The document discusses how tsunami early warning systems could provide information to remote sensing satellite operators to help speed up the production of crisis maps following tsunami events. By informing satellite operators early about what coastal areas may be affected, satellite imaging and map production could begin sooner. This could help search and rescue efforts and potentially save more lives.
2) The International Charter for Space and Major Disasters coordinates satellite-based imaging and crisis map production for disasters like the 2011 Tohoku tsunami. Integrating tsunami warnings into the planning and tasking processes of satellite constellations like RapidEye could allow imaging and mapping to start earlier.
3) Standard message formats like CAP could be used to disseminate
Mapping the Tohoku 2011 Tsunami event with a remote sensing satellite constel..., Peter Löwe
This document discusses how tsunami early warning systems could provide information to satellite operators to help speed up crisis mapping after disasters. It describes a project called TRIDEC that aims to integrate tsunami warnings with satellite tasking to allow imaging of affected areas sooner. During the 2011 Tohoku tsunami, satellite imagery through the International Charter helped create maps for rescue efforts. Faster coordination between warnings and satellite tasking could produce maps even sooner to further aid response. Standard messaging formats may help disseminate early warnings to satellite operators for quicker crisis mapping following disasters.
This document discusses security issues with SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems are used to control critical infrastructure like water treatment plants, oil and gas pipelines, electrical grids, and nuclear power plants. However, SCADA systems often have weak security protections due to using outdated protocols and hardware that cannot be easily upgraded. This makes SCADA networks vulnerable to attacks that could disrupt important systems and endanger public safety. The document outlines several past attacks on SCADA networks and control systems that demonstrate these risks. Improving SCADA security will require collaboration between different fields like control systems engineering and cybersecurity.
This document discusses security issues with SCADA (Supervisory Control and Data Acquisition) systems. SCADA systems are used to control critical infrastructure like water treatment plants, oil pipelines, and nuclear power plants. However, SCADA systems often use outdated protocols and hardware with no security protections. They are vulnerable to attacks that could disrupt important systems or endanger public safety. The document outlines several past attacks on SCADA systems and control failures that highlight the security risks if these systems are not properly protected from cyber threats.
The document discusses the design challenges for unmanned vehicular video streaming. It proposes using multiple low-power microprocessors in parallel to achieve high processing speeds while minimizing power consumption. Test results show that combining horizontal and vertical image scanning provides the best video quality. The document also describes the architecture of a low-power camera designed by GenieView for unmanned vehicle applications.
The document discusses the design challenges for unmanned vehicular video streaming. It proposes using multiple low-power microprocessors in parallel to achieve high processing speeds while minimizing power consumption. Test results show that combining horizontal and vertical image scanning provides the best picture quality. The document also describes the architecture of a low-power camera system designed for unmanned vehicles.
Flight testing is important for developing human-rated spacecraft as ground testing cannot fully replicate integrated systems operating together. The PA-1 and Ares I-X tests provided valuable data for validating models and designs. Key challenges for flight testing included committing to readiness despite pressure to simplify processes, determining appropriate rigor for non-human flights, ensuring consistency across organizations, and managing certification timelines. Both tests were successful and provided data to refine designs without any major issues occurring.
Power reduction techniques are important for modern VLSI designs. Power is today's major concern when seeking the optimal trade-off between area, performance and power.
1. What do we know about the ICT-systems on Deepwater Horizon?
ESRA-seminar 07 April, 2011, Stavanger
Jon Espen Skogdalen
Tlf: 99024171
jon.espen.skogdalen@gmail.com
2. Deepwater Horizon Study Group
– http://ccrm.berkeley.edu/deepwaterhorizonstudygroup/index.shtml
• Final Report 01. March:
– http://ccrm.berkeley.edu/pdfs_papers/bea_pdfs/DHSGFinalReport-March2011-tag.pdf
• Working paper:
– Looking Forward - Reliability of Safety Critical Control Systems on Offshore Drilling Vessels
– http://ccrm.berkeley.edu/pdfs_papers/DHSGWorkingPapersFeb16-2011/Reliability-of-SafetyCriticalControlSystemsOffshoreDrillingVessels-JES_OS_DHSG-Jan2011.pdf
Jon Espen
Skogdalen
3. Control systems
• Monitoring, recording and logging of plant status and process parameters;
• Provision of operator information regarding the plant status and process parameters;
• Provision of operator controls to effect changes to the plant status;
• Automatic process control and batch/sequence control during start-up, normal operation, shutdown, and disturbance, i.e. control within normal operating limits;
• Detection of onset of hazard and automatic hazard termination (i.e. control within safe operating limits), or mitigation;
• Prevention of automatic or manual control actions which might initiate a hazard.
Source: HSE UK
Jon Espen
http://www.hse.gov.uk/comah/sragtech/techmeasconts
Skogdalen yst.htm
4. Background
• The drilling industry is characterized by rapid, leading-edge technology development to reach greater ocean and drilling depths.
• The level of automation on offshore drilling vessels has been steadily increasing over several decades, growing from manually operated sledgehammer technology to space-age computer-based integrated systems.
• Automation systems are essential for the safety, reliability and performance of the vessels:
– Dynamic Positioning (DP) computer systems
– Power Management Systems
– Drilling Control Systems
– BOP Control System
– Ballast Systems
– Fire and Gas systems
– …
5. Characteristics of deepwater drilling in the GoM
• Great costs
• Integrated operations (ICT)
• Use of leading-edge, software-based technology
• Complex casing programs
• Narrow drilling margins
• High pressure and high temperature (HPHT)
• Tight sandstone reservoirs and fluids with extreme flow assurance challenges
• Subsea operations
• Problematic formations
• Uncertain seismic data
• Lack of experienced personnel
6. Potential consequences of failures in the DP control system
• Drive-off, where the vessel drives off position by use of its thrusters and propellers, typically due to an error in the position reference and sensor systems, or fail-to-full of a thruster or main propeller.
• Drift-off, where the vessel drifts off position/heading due to insufficient available thrust, typically due to some single failure combined with errors in specialized software functions like consequence analysis or thrust allocation.
• Unnecessary loss of DP class, causing abortion of the ongoing drilling operation.
7. Potential consequences of failures in the Power Management System
• Complete black-out, causing a drift-off and loss of power to all drilling operations.
• Partial black-out, causing abortion of ongoing drilling operations and loss of DP class.
• Failure of PMS blackout recovery after a complete or partial black-out, leading to a sustained blackout and possible loss of the ability to perform an emergency disconnect (EDC) from the subsea BOP.
• Loss of position due to incorrect load reduction of the thrusters and the following lack of thrust capacity.
8. Potential consequences of failures in a Drilling Control System
• Dropping of marine riser segments or tubulars (pipes) on the drill floor, causing equipment damage and possibly serious injury to personnel.
• Collision between two drilling machines, causing equipment damage and possible serious injury to personnel.
• Machine malfunction causing stoppage or slowing down of the drilling operation and possible equipment damage.
• Damage to the wellbore, with the possibility of follow-on environmental damage.
10. Deepwater Horizon accident
• From the Deepwater Horizon Incident Joint Investigation it has been revealed that:
– The BOP did not close as intended
– General alarms were inhibited, and not understood
– The Emergency Disconnect System did not disconnect
– The engine control systems did not work as intended
– The emergency generators did not work as intended
– …
12. Were the systems working?
• Transocean Chief Electronics Technician:
– “the A-chair is located in the dog house. That is the main operating point for the driller to control all drilling functions. It controls everything from mud pumps to top drive, hydraulics. It controls everything. For three to four months we've had problems with this computer simply locking up. I forget what we -- We even coined a term, the blue screen of death, because it would just turn to a blue screen. You would have no data coming through.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
13. Are failures common?
• “they could not get the bugs worked out of the new operating system. They couldn't get the old software to run correctly on the new operating system.”
• “Now, you said there was something called the blue screen of death. Is that a phrase you used or was that a phrase of common knowledge within the crew?”
• “Common knowledge.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
14. Are failures common?
• “Okay. And what did the blue screen of death refer to?”
• “The complete lack of video to the chair.”
• “So the driller sitting in the chair has got a screen in front of him. Right?”
• “He has two screens in front of him.”
• “Okay. Fair enough. He's got screens in front of him, and we've heard previously that the problem was, at least in the A-chair, the screens would lock up or freeze. Are you familiar with that?”
• “Yes.”
• “Okay. Did that also happen in the B Chair?”
• “Occasionally.”
• “Okay. And when they froze, was that what you were referring to as the blue screen of death, the driller wasn't getting the necessary information?”
• “Yes. It would do either/or. Sometimes it would get a blue screen of death, sometimes it would just lock up and no data would change.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
15. Are failures common?
• “Did you ever complain to anyone about the blue screen of death?”
• “All the time.”
• “Who did you complain to on board the vessel?”
• “Electrical supervisor.”
• “Okay. Did you ever complain to Mr. Harrell (OIM)?”
• “He complained to me.”
• “Mr. Harrell complained to you about it?”
• “He wanted them fixed.”
• “Okay. So he wanted you to fix them?”
• “Everybody did.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
16. Software causes precursor incidents?
• “Now, you said that -- not on this well, not on the MACONDO 252 but on a prior well prior to the DEEPWATER HORIZON arriving on site at the MACONDO well there had been a problem with the drilling chairs and that led to a kick.”
• “Do you recall that testimony?”
• “Yes, I do.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
17. Software causes precursor incidents? – part 2
• “When the chair went down, it was brought back up, and there's a software program that runs inside the other program called a tag replicator. The tag replicator is -- All three chairs are connected via servers, and in order to get that chair back fully functioning, the tag replicator must go to the other two chairs and verify the data it's receiving so that it will display to the driller the correct values for everything on the screen from mud pump pressure to how many strokes a minute to all the different tags. There's several hundred tags that the software is looking at all the time. Upon the reboot of the chair, getting it back up, the tag replicator did not function, and the driller was looking at data that was erroneous.”
• “And as a result of the driller looking at data that was erroneous after the screen and the computer returned to its functionality, did a kick happen?”
• “We took a kick in -- During that process a kick was discovered.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
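The testimony above describes a rebooted driller's chair that came back showing values the tag replicator had never verified against the other two chairs. The following is an added example, written for this page and not taken from the presentation, the rig operator or the control-system vendor: a toy model of a three-chair tag store in which a tag is only displayed once replication has confirmed it against a quorum of peers, and is otherwise shown as invalid. The class names (Tag, Chair), the quorum rule, the tag names (MP1_PRESS_PSI, MP1_SPM) and the "####" placeholder are all assumptions made for the illustration; the real replicator's protocol is not described on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GOOD, BAD = "GOOD", "BAD"


@dataclass
class Tag:
    value: Optional[float]
    seq: int            # update counter, increases with every fresh reading
    quality: str = BAD  # GOOD only after the value has been verified


@dataclass
class Chair:
    """Hypothetical driller's chair holding a local copy of the process tags."""
    name: str
    tags: Dict[str, Tag] = field(default_factory=dict)

    def update(self, tag: str, value: float) -> None:
        """A running chair receiving a fresh reading from the process."""
        old = self.tags.get(tag)
        self.tags[tag] = Tag(value, (old.seq if old else 0) + 1, GOOD)

    def reboot(self) -> None:
        """A rebooted chair restores its last saved values, but none of them
        has been verified, so every tag comes back BAD."""
        for t in self.tags.values():
            t.quality = BAD


def replicate(target: Chair, peers: List[Chair], min_agree: int = 2) -> Dict[str, str]:
    """Reconcile target's tags with its peers (the tag replicator's job).
    A tag becomes GOOD only when at least min_agree peers hold the same
    newest value; anything else stays BAD. Returns {tag: quality}."""
    names = set(target.tags).union(*(set(p.tags) for p in peers))
    report: Dict[str, str] = {}
    for name in sorted(names):
        held = [p.tags[name] for p in peers
                if name in p.tags and p.tags[name].quality == GOOD]
        if held:
            newest = max(t.seq for t in held)
            agreeing = [t for t in held if t.seq == newest]
            if len(agreeing) >= min_agree and len({t.value for t in agreeing}) == 1:
                target.tags[name] = Tag(agreeing[0].value, newest, GOOD)
                report[name] = GOOD
                continue
        # no quorum: keep whatever was restored, but never let it look valid
        local = target.tags.setdefault(name, Tag(None, 0, BAD))
        local.quality = BAD
        report[name] = BAD
    return report


def hmi_view(chair: Chair, honour_quality: bool = True) -> Dict[str, str]:
    """What the driller's screen shows. With honour_quality=False the screen
    prints the stored number regardless of quality, which is the behaviour
    the testimony describes: stale data presented as if it were current."""
    out: Dict[str, str] = {}
    for name, t in chair.tags.items():
        if t.quality == GOOD or (not honour_quality and t.value is not None):
            out[name] = f"{t.value:g}"
        else:
            out[name] = "####"
    return out


def scenario(run_replicator: bool, honour_quality: bool = True) -> Dict[str, str]:
    """Constructed scenario: chair A reboots while the pump rate changes."""
    a, b, c = Chair("A"), Chair("B"), Chair("C")
    for ch in (a, b, c):
        ch.update("MP1_PRESS_PSI", 3200.0)
        ch.update("MP1_SPM", 60.0)
    a.reboot()
    for ch in (b, c):           # the live chairs see the pump slow down
        ch.update("MP1_SPM", 35.0)
    if run_replicator:
        replicate(a, [b, c])
    return hmi_view(a, honour_quality)


if __name__ == "__main__":
    print("replicator ran:      ", scenario(True))
    print("replicator skipped:  ", scenario(False))
    print("skipped, no quality: ", scenario(False, honour_quality=False))
```

The design point is the quality flag: a value the replicator has not confirmed is displayed as invalid rather than as the last number the chair happened to save before it went down. Dropping the flag (the honour_quality=False path) reproduces the situation in the testimony, where the driller watched a pump rate that no longer existed.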
18. Technology is not understood? – quick fixes
• “Okay. And the BOP panel being dead, was that in the driller shack?”
• “Yes, sir.”
• “Okay. So that if the driller was sitting in the driller shack and he had a well control situation and wanted to activate the BOP and the panel was dead, he couldn't do anything about it, is that what you're telling us?”
• “Not at that time he couldn't.”
• …
• “Is that a good maintenance practice to use a bypass when the panel is dead rather than fixing it?”
• “Not in my opinion.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
19. Not managed by the safety management system?
• “When I started in the ET shop officially in April 2009, the fire and gas system was a wreck. There were several detectors that were faulted, overridden, and completely ignored out of the system due to lack of maintenance. I took it upon myself, and my assistant, Stenson Roark, to rectify that, and we got the fire and gas system back up to snuff, and I made it a point every hitch, when I got out there the first day, the first thing I did was go to the SIMRAD station and go to the fire and gas page and see how many detectors were inhibited, how many sensors were inhibited, how many were overridden, how many were faulted, because that was my primary concern when I got to the rig is my own safety.”
• “Throughout that or prior -- During that time period, there was no tracking of the fire and gas system, to my knowledge.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
20. Systems are run in a way they were not intended?
• “Thank you, sir. So if the Sperry flowout sensor was being bypassed there would be no way for the mud logger to monitor the returns, would there? Would you agree with that?”
• “If the sensor was bypassed? No, there wouldn't be a way. For the mud logger to monitor?”
• “Right.”
Examination of Stephen Ray Bertone, Chief Engineer, Monday, July 19, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
21. Errors are known – but, when it comes to software, it is not known how to fix them?
• “Okay. Were the audits in part to help Transocean identify maintenance or equipment issues that needed attending or fixing?”
• “We didn't need them identified. We knew what they were.”
Examination of Stephen Ray Bertone, Chief Engineer, Monday, July 19, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
22. Do we understand the errors?
• “You're saying that the explosion -- what you're thinking is, the explosion did something to the logic in the control system so that it was giving you all kinds of weird signals?”
• “Yeah. I would think so.”
Examination of Jimmy Wayne Harrell, OIM, Thursday, May 27, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
23. Adequate testing?
• About the ESD and ESD panel:
– “We never tested the automatic feature, to my knowledge. I never tested the automatic function of it. We did not go introduce gas somewhere to see what it would do. It was just understood that it would work.”
Examination of Michael K. Williams, Chief Electronics Technician, Transocean, Friday, July 23, 2010. Transcript of the Joint United States Coast Guard/Bureau of Ocean Energy Management, Regulation and Enforcement investigation.
24. Findings – Close interaction
“It is important to realize that there are very few limits to how software may be designed. An apparently small fix to one part of the software may cause unexpected behavior in another part of the software, potentially causing a complete failure to comply with the designed system functionality.”
Skogdalen, J.E. and Ø.N. Smogeli, Looking Forward - Reliability of Safety Critical Control Systems on Offshore Drilling Vessels, white paper, DHSG, 2010, p. 18.
25. No fail safe
“Often, technological systems are made to be so called “fail safe”. Fail safe describes a device or feature which, in the event of failure, responds in a way that will cause no harm, or at least a minimum of harm, to other devices or danger to personnel. This “fail safe” terminology is often misapplied and misused, and for most of the safety critical systems there are no truly “fail safe” conditions. Either the system works as intended and maintains safety, or it does not and may cause or fail to prevent an incident or accident.”
Skogdalen, J.E. and Ø.N. Smogeli, Looking Forward - Reliability of Safety Critical Control Systems on Offshore Drilling Vessels, white paper, DHSG, 2010, p. 18.
26. Common cause failures
“Safety critical systems are usually engineered according to the principles of barriers and independent systems to ensure redundancy. In a control system, many of these barriers will exist only in software. Failures in software can therefore act as common cause failures, and significantly reduce the reliability of the system.”
Skogdalen, J.E. and Ø.N. Smogeli, Looking Forward - Reliability of Safety Critical Control Systems on Offshore Drilling Vessels, white paper, DHSG, 2010, p. 18.
27. Finding – precursor incidents are often not reported (?)
“Malfunctioning software may be totally hidden from the user until it fails, but in several cases the user does get precursor incidents in the form of e.g. “blue screens” and non-responding systems. The precursor incidents may last only a short time (1-3 seconds), and it is the authors' experience and view that many of these precursor incidents do not get reported because the systems work again and the user does not understand what happened. We use the term “precursor incident” deliberately, because these incidents might be warnings of serious failures in the software.”
Skogdalen, J.E. and Ø.N. Smogeli, Looking Forward - Reliability of Safety Critical Control Systems on Offshore Drilling Vessels, white paper, DHSG, 2010, p. 18.
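The white paper's point is that a one-to-three-second freeze is rarely reported because the system recovers and the operator moves on. An added example, not from the presentation or the white paper, of how such events can be captured without relying on the operator: a hypothetical HMI watchdog writes one heartbeat line per second per chair plus explicit VIDEO_LOST and BOOT events, and a small scanner turns gaps and events into incident records with measured durations. The log format, node and event names, thresholds and the sample lines are all constructed for the illustration.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (not real rig data): one heartbeat per second per
# chair; a 3 s gap, then a lost-video event and a reboot. The seq field is
# carried for realism but not used by the scanner.
SAMPLE_LOG = """\
2010-04-01T10:00:00 A-CHAIR HEARTBEAT seq=100
2010-04-01T10:00:01 A-CHAIR HEARTBEAT seq=101
2010-04-01T10:00:04 A-CHAIR HEARTBEAT seq=102
2010-04-01T10:00:05 A-CHAIR HEARTBEAT seq=103
2010-04-01T10:00:06 A-CHAIR VIDEO_LOST
2010-04-01T10:00:41 A-CHAIR BOOT
2010-04-01T10:00:42 A-CHAIR HEARTBEAT seq=1
2010-04-01T10:00:43 A-CHAIR HEARTBEAT seq=2
"""

Incident = Tuple[datetime, float, str]   # (start, duration in seconds, kind)


def find_precursors(log_text: str, max_gap_s: float = 1.5) -> List[Incident]:
    """Scan heartbeat lines per node. A gap longer than max_gap_s with no
    explicit event is a 'freeze'; a VIDEO_LOST or BOOT opens an incident that
    closes at the next heartbeat, so its duration is measured, not guessed."""
    incidents: List[Incident] = []
    last_hb: Dict[str, datetime] = {}
    open_event: Dict[str, Tuple[datetime, str]] = {}
    for line in log_text.splitlines():
        ts_text, node, event, *_ = line.split()
        ts = datetime.fromisoformat(ts_text)
        if event == "HEARTBEAT":
            if node in open_event:
                start, kind = open_event.pop(node)
                incidents.append((start, (ts - start).total_seconds(), kind))
            elif node in last_hb:
                gap = (ts - last_hb[node]).total_seconds()
                if gap > max_gap_s:
                    incidents.append((last_hb[node], gap, "freeze"))
            last_hb[node] = ts
        elif event == "VIDEO_LOST":
            # first explicit event wins; a BOOT during a blue screen is the same outage
            open_event.setdefault(node, (ts, "blue_screen"))
        elif event == "BOOT":
            open_event.setdefault(node, (ts, "reboot"))
    return incidents


def summarize(incidents: List[Incident]) -> Dict[str, int]:
    """Count incidents per kind, the figure a safety indicator would track."""
    counts: Dict[str, int] = {}
    for _, _, kind in incidents:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def example_report() -> List[Tuple[str, float]]:
    """Kinds and durations found in SAMPLE_LOG, in log order."""
    return [(kind, dur) for _, dur, kind in find_precursors(SAMPLE_LOG)]


if __name__ == "__main__":
    for start, dur, kind in find_precursors(SAMPLE_LOG):
        print(f"{start.isoformat()} {kind:12s} {dur:5.1f} s")
    print(summarize(find_precursors(SAMPLE_LOG)))
```

The threshold of 1.5 s sits just above the nominal heartbeat period so that the 1-3 second freezes the paper describes are recorded every time, while the operator's own judgement of whether it "worked again" no longer decides whether the event exists.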
28. Designing the systems
“We are designing systems with potential interactions among the components that cannot be thoroughly planned, understood, anticipated, or guarded against. The operations of some systems are so complex that it defies the understanding of all but a few experts, and sometimes even they have incomplete information about its potential behavior.”
Leveson, N. A new accident model for engineering safer systems. Safety Science. 2004;42:237-70.
36. The seven ultra-deepwater semis are a $3 billion-plus commitment. Four have
been delivered, and three are under construction. In the last five years we’ve
built four jackups and spent $550 million enhancing our existing fleet. With the
semis, all seven are the same design and being built with Keppel FELS,
probably the best shipyard in the world. Our rigs have been on time and on
budget. A lot of the equipment is software-driven, and that was probably the
biggest challenge. I think that’s what most people are finding with these new
rigs – getting the bugs out of the software is the biggest issue.
38. Looking forward
• Incidents related to software bugs must be reported:
– Training must be given to operators (what can be expected of the system?).
– Training in “bug reporting”.
• Data related to malfunctioning software must be collected across installations and companies.
• Safety indicators related to the status of safety critical systems must be worked out.
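Slide 19 quotes the technician's habit of counting inhibited, overridden and faulted detectors on the fire and gas page at the start of every hitch, with no tracking behind it; the last bullet above asks for safety indicators built on exactly that kind of status. An added example, not from the presentation or any rig's software, that turns the three categories from the testimony into a traffic-light indicator: a constructed export of a hypothetical F&G status page is read, counts are taken per state and per area, and an override or inhibit that has outlived an allowed age is flagged as a tracking failure. The CSV columns, the tag and area names, the 14-day limit and the 50 % per-area threshold are assumptions for the illustration.

```python
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Constructed export of a hypothetical F&G status page (not real rig data).
SAMPLE_STATUS = """\
tag,area,state,since
GD-101,drill floor,NORMAL,2010-04-01T00:00:00
GD-102,drill floor,INHIBITED,2010-03-20T08:00:00
GD-103,shaker house,OVERRIDDEN,2010-01-05T12:00:00
GD-104,shaker house,FAULTED,2010-03-31T22:00:00
FD-201,engine room,NORMAL,2010-04-01T00:00:00
FD-202,engine room,INHIBITED,2010-04-01T07:30:00
"""

DEGRADED = ("INHIBITED", "OVERRIDDEN", "FAULTED")


def load_status(text: str) -> List[Dict[str, Any]]:
    """Parse the CSV export; 'since' is when the detector entered its state."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows: List[Dict[str, Any]] = []
    for line in lines[1:]:
        rec: Dict[str, Any] = dict(zip(header, line.split(",")))
        rec["since"] = datetime.fromisoformat(rec["since"])
        rows.append(rec)
    return rows


def indicator(rows: List[Dict[str, Any]], now: datetime,
              max_override_days: int = 14,
              max_area_fraction: float = 0.5) -> Tuple[str, Dict[str, Any]]:
    """RED if any area has more than max_area_fraction of its detectors
    degraded or any inhibit/override is older than max_override_days;
    AMBER if anything at all is degraded; GREEN otherwise."""
    counts = {s: 0 for s in DEGRADED}
    per_area: Dict[str, List[int]] = {}      # area -> [total, degraded]
    stale: List[Tuple[str, int]] = []
    for r in rows:
        tot = per_area.setdefault(r["area"], [0, 0])
        tot[0] += 1
        if r["state"] in DEGRADED:
            counts[r["state"]] += 1
            tot[1] += 1
            age_days = (now - r["since"]).days
            # an inhibit or override is a deliberate, temporary decision;
            # one that has outlived its limit means nobody is tracking it
            if r["state"] != "FAULTED" and age_days > max_override_days:
                stale.append((r["tag"], age_days))
    areas = [a for a, (total, bad) in per_area.items()
             if bad / total > max_area_fraction]
    if stale or areas:
        status = "RED"
    elif any(counts.values()):
        status = "AMBER"
    else:
        status = "GREEN"
    return status, {"counts": counts, "stale": stale, "areas_degraded": areas}


def example_indicator() -> Tuple[str, Dict[str, Any]]:
    """Indicator for SAMPLE_STATUS as of 2010-04-01 12:00 (constructed time)."""
    return indicator(load_status(SAMPLE_STATUS), datetime(2010, 4, 1, 12, 0, 0))


if __name__ == "__main__":
    status, detail = example_indicator()
    print(status, detail)
```

Run daily and stored, the counts give the trend the technician was reconstructing by hand, and the two RED conditions encode what the testimony treats as unacceptable: an area whose coverage has mostly gone, and an override that nobody has revisited.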
39. Looking forward
• Independent verification and validation of safety-critical control system software/hardware:
– Class standards related to verification of safety critical systems (software/hardware) should be introduced and become common practice (DNV, ABS, …), e.g. DNV Enhanced System Verification.
– Hardware-In-the-Loop (HIL) testing
• Procedures related to go/stop/start rules for malfunctioning software/hardware in safety critical systems must be worked out
• Safety audits focusing on safety critical systems that depend on software/hardware
40. Looking forward
• The requirements related to safety critical systems should be in accordance with the safety barrier principles and requirements on the Norwegian and UK Continental Shelves.