Evaluate the System Architecture
In order to execute a “live” migration from the legacy system to the new system, designers need to exploit the inherent redundancy built into the legacy safety system. Given that most legacy systems have an “A” and “B” side, each executing the same logic, one “side” can be switched off and removed without shutting down the system. It should be noted that while the system is in this degraded state, it is fully operational and, if designed that way, fail-safe.
However, by switching off one “side,” the system redundancy and fault-tolerant capabilities will no longer be available, the implications of which need to be understood through an appropriate risk review.
This configuration will allow the new system to be installed and run in parallel to the legacy system, allowing a safer, quick and effective migration between the systems during live plant operations.
Build, Test and Document
Once the new system is built, it is essential that it is fully tested against the defined and agreed-upon baseline before it is installed in the field. By testing the system before the live changeout in the field occurs, you can be confident that the functionality will meet the operational requirements. Any functional enhancements can only be implemented and tested after these tests are completed.
During this phase, it also is critical to get the buy-in from all interested parties, particularly the oil and gas company’s operators and the relevant certifying authority. Oil and gas producers will focus on safety concerns, the functionality of the new system, how it will be migrated and any operational constraints that will need to be addressed. The certifying authority will need to be assured that you have clear and demonstrable processes in place to show that the system build, test and – later on – commissioning and operation is safe and complies with legislative requirements, as well as local and international standards.
In addition to the build and test records that the system manufacturer produces, the engineering team should produce comprehensive and detailed work packs that include method statements, implementation details, reversionary plans and check sheets to verify the installation, commissioning and handover of the system. This is essential in recording – to the satisfaction of the certifying authority – the work undertaken in implementing the upgraded system.
Installing and Migrating to the New System
Once the new system has been tested and shipped, it can be installed and commissioned. The following is an overview of the steps needed to migrate from the legacy system to the new system during live operations. It is at this phase of the project that the detailed planning and preparation already undertaken will prove critical to the successful migration of your safety system.
- Fully verify the functionality of the existing legacy system, including any standing inhibits or overrides retained from that system.
- Install the new system in its final location. Once installed, carry out basic functional tests – often called “travel-well” tests – to help ensure that the system is fully operational ahead of the system migration.
- Remove one “side” of the legacy system (in this case, side “B” – see Figure 1). This is one of the risk areas due to the possibility of inadvertent operation of the system, such as loose wiring disturbance. The system is now in the degraded state.
- Hook up the field inputs, such as fire and gas detectors, to the new system, while retaining the inputs to the legacy system. The new system can now “see” the same inputs as the existing system but, because the outputs are not hooked up, the new system is not carrying out any executive actions.
- Fully test that both systems see all inputs and that logic solver output actions implemented are identical to the legacy system. In this instance “like for like” functionality (i.e., both the old and new systems respond in exactly the same manner to field input conditions) is critical unless otherwise noted. This can be done by temporarily disabling the appropriate outputs, which can be time-consuming and may not be operationally acceptable, or by observation of the new logic solver against the design documentation.
- Fully verify the human machine interface (HMI) functionality for the new system.
- The outputs of the safety system can now be migrated from the legacy to the new system. At this stage, the new system will assume control. This also is where the major difference between the migration of an F&G and ESD system occurs. F&G outputs tend to be normally de-energised, or “energise to action,” whereas ESD outputs tend to be normally energised, and therefore “de-energise to action.” This is considered to be a fail-safe design philosophy. Transferring the outputs from one system to another without inadvertently tripping the plant or falsely setting off your fire and gas protection system can be challenging for system migrations of this nature.
Migrating a normally de-energised output is relatively straightforward and is normally done in under a minute per output. During this time, there is no protection for that output.
Migration of normally energised outputs present a different challenge that can be addressed by either electrically “holding up” the output using a temporary supply or locking off the output device. This takes more planning and operational permits and is consequently more time consuming, taking typically one to two hours per output.
Once all safety system outputs have been migrated, full control of the safety functions will have passed from the legacy system to the new system.
The new system will now be subjected to full system tests. Since the facility is still live, the tests carried out may be an agreed-upon subset of the full functionality and are often guided by the requirements of the operators and the certifying authority. Any tests that cannot be carried out while the plant is live will need to be delayed until the next facility shutdown when full system tests can be carried out.
Once the upgraded system is fully operational, the legacy system can then be deconstructed. The final system, which has redundancy and fault tolerance built into its design, is shown in Figure 2 below.
Finding the Best Approach
Significant cost savings and productivity benefits can be gained from an intelligently designed and properly implemented safety system upgrade strategy. It is important to remember that not all safety systems are created equal and each project has different performance, risks and cost goals. Striking the right balance requires careful consideration of the implementation approach and the specific capabilities, limitations and advantages of available technology options.
Live migration of safety systems during plant operations is possible with careful analysis of the system design and operational requirements and a thorough and detailed approach to the engineering and migration strategies. In addition, the need for detailed and comprehensive planning and preparation cannot be overemphasised.
However, the preparatory work can pay off in the long run for the plant operator, and one of the best resources you have available is your system’s vendor. Many safety system providers can provide guidance, design recommendations and on-site assistance to help ease the migration, minimise downtime and optimise your system’s performance.
For example, the strategy outlined in this article is based on an actual safety system upgrade of over 3,000 I/O on an operational production platform project managed by Rockwell Automation. The upgrade caused the end user minimal disruption to their operational requirements while providing the upgraded system needed to meet their functional safety requirements.
Author: Adam Howard, EPC operations manager, Rockwell Automation.
Read the article online at: https://www.oilfieldtechnology.com/drilling-and-production/11102012/a-practical-live-migration-strategy-for-upgrading-safety-systems-pt-2-/