BER-37 Direct On Line Energization of Subsea Power Transformers1

ENERGIZATION OF SUBSEA POWER TRANSFORMERS
Copyright Material PCIC Europe

Paper No. PCIC Europe BER-37
Terence Hazel Pierre Taillefer Scott Williams Richard Paes

Consultant Vizimax Inc. OceanWorks International Rockwell Automation
Grenoble Montréal QC Burnaby BC Calgary AB
France Canada Canada Canada
Abstract –Energizing large transformers often cannot be • Determining the status of the subsea power
done direct-on-line due to the negative effects of the equipment prior to energizing the power umbilical
inrush current. The typical schemes used in the past are (black-start function)
energization via a high impedance, or via a tertiary winding • Providing low-voltage auxiliary power for subsea
connected to an auxiliary AC power source. These loads
schemes require additional equipment resulting in • Avoiding system disturbances when energizing power
increased foot print and complexity. For offshore and transformers
subsea installations, the increase in foot print often greatly • Avoiding damage to ASD capacitors due to sudden
exceeds the cost of the additional equipment. energization
This paper presents an alternative solution allowing
direct-on-line energization of large transformers, both
topsides and subsea. Different solutions for subsea
auxiliary AC power supplies not requiring high-voltage
circuit-breakers are presented.
For offshore and subsea power systems, the circuit-
breakers supplying power to the transformers are standard
3.3 kV to 36 kV class devices having a 3-pole operating
mechanism. The solution presented allows circuit-
breakers to be switched such that the closing of the poles
occurs at the point on the voltage waveform where the
resulting inrush current is the least. For subsea power
distribution systems, the auxiliary power required for the
subsea control equipment is provided by a high-voltage
DC auxiliary power link from the shore station and the
control and communication link is via optical fiber.
The solutions presented use standard proven
technology and can be integrated within the subsea
modules required for supplying power to the loads. This
keeps the number of penetrators and subsea connector
systems to a minimum. The importance of redundancy
and maintenance in obtaining and keeping the required
system availability are discussed.
Index Terms — Transformers, Inrush Current, Subsea

and Offshore Installations, Adjustable Speed Drives
I. INTRODUCTION
Fig. 1 Subsea Processing Power System
Fig. 1 shows a generic one-line diagram for supplying In the diagram shown in Fig. 1, the main loads would be
power to subsea processing loads. The link to the topsides subsea compressors, or subsea booster/multiphase
facility is by means of a power umbilical shown connected pumps having rated power in the 1 MW to 15 MW range.
to both the topsides umbilical termination assembly (UTA) The voltage used in the power umbilical will depend on the
and its subsea counterpart, the subsea umbilical step-out distance and the subsea loads, and could be up
termination assembly (SUTA). The umbilical consists of to 110 kV. The subsea switchgear is typically operated at
the main AC power cable supplying energy to the subsea 20 or 30 kV. The compressor and/or pumps are powered
loads, the optical fiber cable for communication, and DC via ASDs which are supplied by step-down convertor
auxiliary cables to power the subsea control equipment. transformers. The other high-voltage HV motor
The one-line diagram shows the use of subsea (HV > 1000 V) in Fig. 1 is a water injection pump that is
switchgear and subsea adjustable speed drives (ASD). operated in an on/off manner. Some small subsea low-
The common alternative to this system in which the voltage loads (LV ≤ 1000 V) also require power. These LV
switchgear and ASDs are located topsides will be loads may or may not require power prior to the
discussed later. energization of the main HV power circuit. One auxiliary
There are several technical issues that must be solved load for subsea compression that requires special care is
when designing a subsea power distribution system as the magnetic bearings. This load must also be powered
shown in Fig. 1. These are:
during emergency shut-down conditions when all power is In power transmission applications, the CSD mitigation
lost. technique has been initially used with CBs having
Fig. 1 shows the use of a tertiary winding on the main independent pole operation or staggered pole mechanism.
step-down transformer to provide LV auxiliary power However, these devices are not common in HV
subsea. This auxiliary power is present only after applications with rated voltages ≤ 36 kV used in subsea
energization of the main power circuit to the subsea systems. For such systems the use of 3-phase CBs with
installation and thus cannot be used for the black-start simultaneous pole operation is a requirement.
function. After energization of the main power circuit, LV For any residual flux pattern in the transformer core,
auxiliary power is available for all LV loads not required for there is always an optimum energization moment that
the black-start function. The use of a tertiary winding results in minimum inrush current. This principle is
avoids installing a separate HV-LV subsea transformer illustrated in Fig. 2, where the inrush current is shown for
and additional HV circuit-breaker (CB). Alternative each phase relative to the CB closing angle deviation from
methods for providing LV auxiliary power are presented the ideal energization instant. For this given flux pattern,
later in the paper. the inrush current will stay at around 1 p.u. (per unit) when
The HV CB control devices are indicated by the letter C the closing angle varies ± 20° from the optimum switching
in Fig. 1. The purpose of these control devices is to close moment. A similar curve exists for each possible flux
the HV CBs at a time that minimizes the transformer pattern in the transformer, and the role of the CSD is to
inrush current. They are integrated into the overall control energize the power transformer at the optimum instant.
and protection scheme of the complete power system.
II. LIMITING INRUSH CURRENT
Power transformer inrush current has many negative

effects in power systems including:
• Rapid voltage changes (voltage dips) that may
oppose the grid code requirements defined for the
interconnection with the landline power grid. In
many countries, the voltage dip cannot be higher
than 3%, imposing the necessity to integrate inrush
current mitigation [1].
• Voltage transients and surges on cables that may
exceed their operational limits as well as those of
the interconnected electrical equipment
• Mechanical and electrical stress in the transformer
and the CB can reduce the service life of the
equipment and thus could require additional
maintenance.
• It may be necessary to desensitize the protection Fig. 2 Inrush Current vs Closing Angle Deviation
relay in order to allow transformer energization
without tripping. This reduces the reliability of the When a power transformer is not loaded, it is possible to
protection scheme. control its flux pattern to a known value by opening the CB
at a fixed instant and then close the CB at the optimum
Power transformer inrush current is mainly due to the instant that minimizes the inrush current for that flux
presence of residual flux in the transformer core resulting pattern. However, this technique cannot be used in
from its previous de-energization. The magnitude and the subsea applications because the uncontrolled de-
polarity of the residual flux depend mainly on the energization of the transformer may be due to a loss of
transformer load and the de-energization moment relative power in the umbilical from the topside, resulting in an
to the voltage waveform. unknown residual flux pattern. Therefore, the successful
mitigation of the inrush current at all times using a CB with
A. Inrush Current Mitigation simultaneous pole operation is only possible if the residual
flux resulting from the previous transformer de-
Transformer inrush current can be mitigated using energization is measured by the CSD.
conventional techniques with series impedance (pre-
insertion resistor, smoothing reactance) or by powering B. Basic device operation
the transformer at reduced voltage. While it is possible to
implement these solutions in onshore facilities, the cost Fig. 3 illustrates a typical CSD installation in a power
due to the increase in footprint for offshore installations is transformer application. The unit can be seen as a
prohibitive. Such solutions are not practical in subsea synchronization relay inserted between the commands
installations due to the additional requirements of (CB On Off) and the CB control coils. The CSD is powered
minimizing the component count and connections. from the same DC supply as the CB. Protection relays
The best option to mitigate the transformer energization are connected directly to the CB trip coils because the
inrush current is to use a controlled switching device CSD is slightly delaying the CB commands in order to
(CSD). This technology has been used successfully for synchronize the CB operation to the power system
years with HV power transformers and offers the best waveforms. In power transformer applications, both the
possible mitigation of inrush current. This solution can be closing and opening commands are synchronized to the
integrated into the subsea processing power system umbilical voltage measured using a resistive or capacitive
shown in Fig. 1. voltage divider (Vs). The load current (I) is also measured
using a Rogowski coil or a toroidal CT to determine if the inherently limited by the ASD so that the rate of charge is
CB operates properly as planned, which is equivalent to a controlled by the active front end (AFE) rectifier and DC
50BF (breaker failure) protection function. link inductor which are inherent to this topology.
The transformer residual flux is computed from the VSI drives, as mentioned earlier, typically have a large
transformer voltage measured using a 3-phase resistive or DC link capacitor. In order to limit or control inrush to the
capacitive voltage divider connected at its primary winding DC link capacitor when first energized, some form of pre-
(VL). The use of magnetic flux sensors inside the charge circuit is required. For drives with passive rectifiers
transformer core is to be avoided because that solution is (DFE), this pre-charge circuit is typically an impedance
intrusive. Each time the transformer is de-energized, the which is in series with the drive power circuit. This
residual flux is calculated from the transformer voltage. impedance is bypassed after charging of the link
The resulting residual flux pattern determines the optimum capacitors has been completed. This solution was used in
closing instant of the CB to mitigate the transformer inrush the Ormen Lange pilot project by inserting an impedance
current. in the HV circuit to the subsea ASD.
Recently, a number of HV VSI drives have come out
with rectifiers utilizing AFE technology. These topologies
typically make use of an LCL (inductor, capacitor, and
inductor) configuration ahead of the active rectifier which
will result in an inrush on energization with the magnitude
dependent on the sizing of the capacitive and inductive
elements of the circuit. Depending on the particular
topology, an external pre-charge circuit may or may not be
required.
Fig. 3 Typical CSD Installation
Since the CB characteristics are closely linked to the

accuracy of the switching operations, one CSD is required
at each CB to be controlled. For high availability
applications such as subsea installations, redundant units
can be connected in parallel to the CB. Should a CSD
need to be replaced, the residual flux pattern information
can be retrieved and uploaded to the replacement device.
III. SUBSEA ASD CONSIDERATIONS
The ASD of Fig. 4 uses current source technology (CSI)

which does not have a capacitive component either in the
rectifier or the DC link. When the ASD is energized by Fig. 5 LV ASD Capacitor Charging Circuit
closing the ASD transformer incoming CB, the inrush
current is limited to that seen by the transformer and the Another solution is charging the capacitors via a LV
snubber components of the ASD which are insignificant. connection as shown in Fig. 5. Since the capacitor
This avoids the need for a pre-charge circuit typically charging must be done prior to energization of the ASD,
required by voltage-source drives (VSI) which have a an auxiliary AC power source is required. The tertiary
capacitive DC link. winding of transformer T1 will provide AC auxiliary power
subsea as soon as it is energized. This power via the LV
switchgear is used to charge the VSI drive capacitors.
One disadvantage of this solution is that a failure in the
LV circuit between transformer T1 and the LV switchgear
could result in a total shutdown. Redundancy can be
achieved by installing two tertiary windings and having
redundant LV switchgear with interconnections between
them as shown in Fig. 6.
Fig. 4 Current Source ASD Another possibility that avoids tertiary windings on T1 is
to use a VSI drive that uses the DC link capacitor inrush
There is a machine-side capacitor which is connected at current limiting LCL described above. This solution would
the output side of the ASD. This capacitor is energized need to be studied to see if feasible for use subsea. The
only after the ASD commences gating and the current is advantage of this circuit is that the tertiary winding shown
on T1 could now be changed to be on the ASD IV. AUXILIARY POWER SYSTEMS
transformer T2. Since the precharging is internal to the
ASD, it can be switched on directly without use of any Auxiliary power is required for all process systems. Part
external precharging circuit or power supply. Typically of this is for the black-start function mentioned earlier.
more than one subsea ASD would be used and this would Prior to switching on the main power of a subsea system
provide more than one source of subsea AC auxiliary by energizing the power umbilical, it is first necessary to
power for other loads as well (equivalent to having dual know the status of the subsea equipment, and be able to
tertiary windings on T1). A single failure in the subsea LV change the configuration of the HV and LV switchgear
distribution system would not result in a loss of production. prior to energization. The power requirement for the black
start function is very small but must be independent of the
main power supply. Most of the other auxiliary power
supplies are required prior to energizing process
equipment, but this occurs after the main power has been
turned on.
For the black-start function, auxiliary power is
transmitted directly from the shore station by means of a
low-power HV DC system. The DC cables will be installed
in the power umbilical together with the main AC power
cables and the optical fibers required for the
communication and control systems. This HV DC system
can be energized and communications established without
energizing the main power. This enables the status of
subsea switchgear to be determined and modified if
necessary by tripping or closing HV and/or LV CBs prior to
Fig. 6 Subsea LV Switchgear energizing the main AC power umbilical. Thus black-start
auxiliary power is available without the need for added
Fig. 6 shows a subsea LV auxiliary power distribution. complexity in the form of a subsea UPS. The use of low-
The power comes from tertiary windings, either from T1 or power HV DC for subsea process control has been in use
T2 depending on the solution adopted for ASD capacitor for several years.
charging. A separate LV switchgear module is provided for
each power source to enhance availability. Also the LV A. General DC System Description
switchgear are interconnected via redundant circuits to
provide additional operational flexibility. The subsea auxiliary power system will receive power
A failure upstream of the incoming LV CB need not via small DC cables operating between 1.8-10kV
result in a loss of the LV switchgear, nor the transformer. It depending on the required power and step-out distance.
is possible to disconnect the LV cable from the tertiary At the subsea location, DC/DC converters and power
winding and place a voltage-withstand cap to isolate the supplies will reduce the voltage to a general low voltage
tertiary winding LV connection from seawater. The system bus level which can then be distributed to various
transformer can be energized and supply power to the loads via local power supplies and DC breakers as shown
process loads in this configuration. The LV incoming CB in Fig. 7.
must be tripped and power to the LV bus can be obtained
using an interconnection circuit with another LV
switchgear module.
In both of these solutions, DC control power is provided
to the ASD and LV switchgear via the low-power DC link
from shore as shown in Fig. 1. This power is used to
supply the part of the ASD control system needed to be
able to communicate the status of the ASD prior to
energizing it. It also provides the status of the LV
switchgear and allows reconfiguration of the main LV CBs
prior to energizing any transformers. This is part of the
black-start function and can be implemented whether
tertiary windings are on T1 or T2.
Installing an HV ASD subsea is a very good option
should there be little space available topsides for the
equipment. Where space is available however, it is cost
effective if the ASD can be installed topsides. For longer
step-out distances, the ASD output voltage is stepped up
and a subsea transformer installed at the load to lower the
voltage. The main challenge in such systems is designing
the ASD to be able to correctly control the motor with long
cables between them. Progress has been made over the
last several years, and the step-out distances for which Fig. 7 Subsea DC Distribution
this system can be used have increased. Use of lower
frequency systems (16 2/3 Hz) can also help extend this
distance. This DC power supply is completely independent of the
main AC power supply and thus can provide power to the
subsea telemetry & control and auxiliary equipment prior system capacity must be increased, or for intermittent
to energization of the main power system. The DC and loads, a subsea battery is required. The battery is trickle
fiber optic cables are integrated into the power umbilical as charged by the DC supply and after charging, the energy
shown in Fig. 7. necessary to power the process load is provided by the
Fig. 7 does not show any redundancy. Typically dual DC battery.
and optical fiber cables are provided, each connected to
separate subsea modules. Any subsea module can be D. Magnetic Bearings
disconnected and replaced without loss of the other
module, thus avoiding any loss of production. Magnetic bearings are often used subsea since there is
no wear because the bearings float in a magnetic field.
B. Power System Auxiliary Loads The power supply to magnetic bearings must be very
reliable since loss of power results in bearing contact. The
The DC system bus is routed to allow for power delivery bearing supply must be available prior to starting the
to two main types of loads. The first of these is power motor, and must remain energized until the motor has
system auxiliary loads, the principle ones being the HV come to a complete stop after switching off. Since one
and main LV CBs, protection relays, CB control equipment cause of switching off a motor is a complete loss of power,
and the communications system. some stored energy is required to allow the motor to coast
As shown in Fig. 8, separate DC power circuits are to a stop in such conditions.
provided for each subsea HV CB. Circuits A and C provide Two different solutions have been implemented to date.
power to the CSD and protection relay, circuit B provides One uses redundant subsea UPS to provide the power,
power to the CB trip and close coils, and circuit D supplies and the other redundant UPS at the shore station, each
the CB spring charging motor. It is thus possible to monitor having an individual cable to the subsea template. Another
and control each HV CB without having energized the possible solution is using normal AC auxiliary power as
main AC power cable to the subsea location. This described above for operation, and a subsea battery
provides operators with the black-start capability. trickle charged by the DC control power link for emergency
stop conditions. When there is loss of power, the battery is
discharged into the magnetic bearing control system
providing the energy necessary during coasting down.
Since magnetic bearings normally required DC power,
such a solution could be cost effective.
V. TELEMETRY & CONTROL
All telemetry and remote control is provided via optical

fiber connections. The subsea facility is connected to the
topsides control system via fiber optic cables integrated in
the power umbilical (Fig. 7). The auxiliary power required
for the subsea communication and control system is
provided by the DC from shore auxiliary power system as
described above. Although not shown in the Figs. each
device that must respond to control signals or provide
information will be connected via an optical fiber.
The general practice for subsea process systems is to
execute all control orders topsides. The subsea equipment
will respond to these orders but, with the exception of
protection relays will not act on its own.
All equipment deployed subsea must be able to
communicate via a non-proprietary communication system
that provides reliable and high-speed communication with
the topsides control system. Although it is very common in
Fig. 8 Auxiliary DC Power for HV CBs topsides installations for the power system control and
process control to be done by two independent systems, it
C. Process System Auxiliary Loads makes sense for subsea applications to attempt to do both
with the same system. Less hardware should result in a
The second type of DC loads are small process loads reduction of the number of possible failure modes.
that may need to be operated prior to energizing any of
the main subsea loads. Such loads could be motor VI. SYSTEM REDUNDANCY
operated valves (MOV) or lube pumps. The DC power
system can be designed to provide the power for such Redundancy is often seen as a means of increasing the
small loads prior to energizing the main power circuit to availability of the complete system. Failure of a single
the subsea facility. A separate DC circuit can be provided device should not cause a loss of production. Redundancy
for each of these loads. is however a double edged sword. Increasing the number
For small loads that require an AC power supply, a of components and the additional interconnections can
DC/AC converter is provided. For small intermittent loads, actually reduce the overall availability of the system.
the DC auxiliary power system can supply the power Sometimes it is also found during commercial operation
without the need for a battery. Should the power that a process shut down is required to retrieve a faulty
requirements be larger, then either the DC auxiliary power module that is being replaced, even though the redundant
module is operating satisfactorily. Great care and diligence CSD and prevent it from closing or opening a CB due to
is required when designing redundant systems to avoid misoperation. Normal operation would be with one CSD,
such unpleasant surprises. the other one having the power supply to its output
Avoiding common modes of failure is a good starting contacts isolated. Each CSD would be installed in a
point in the design of the systems. Some common modes separately retrievable subsea control module to allow
of failure will continue to exist however, and their influence replacement while the other module continues to operate.
on availability must be carefully considered. The HV CB The use of LPCTs and low power VTs provide
itself can have a mechanical fault causing it to stick in the measurement outputs that could be exposed to sea water
open or closed position. A leak in a subsea module can by connection to female wet mate connectors thus
allow sea water to enter and result in the loss of a allowing the main power circuit to remain energized.
substantial part of the subsea facility. Mechanical damage
from equipment accidentally dropped into the sea above C. Process Redundancy
the facility can cause extensive damage.
Redundancy considerations for critical loads will often
A. DC Auxiliary Power Supply Redundancy involve redundant power supplies. Some equipment will
have two auxiliary power connections, each one being
It is possible to design the DC auxiliary power system, supplied by completely independent power supplies. The
the telemetry & control system, and the protection system load must be designed such that no failure of one power
such that there are no common modes of failure. The supply will result in the incorrect operation of the other.
redundant DC/DC converters, DC breakers, power Magnetic bearings is one example of such equipment.
supplies and protection relays are housed in separately
recoverable modules [2]. This decreases the Mean Time D. LV Switchgear Redundancy
To Repair (MTTR) thus enhancing the overall availability.
The modules can be disconnected and retrieved without A possible solution to achieve redundancy in the LV
requiring a process shutdown. If dual DC auxiliary power distribution is shown in Fig. 6. Some applications have
cables are provided for redundancy, consideration should dedicated HV cables and step-down transformers to
be given to installing one cable in the power umbilical and provide a redundant LV subsea power distribution. Such a
the other one in the control umbilical or separate cable. system was provided for the Åsgard subsea compression
The same applies to the fiber optic cables. station. This is feasible in shallow water and when the
All connections between auxiliary power supplies and step-out distances are not too long. For deep-water
switchgear are made via wet mate connectors. In some applications the cost of such a solution could be
cases it may occur that the removal of a control module prohibitive.
may result in a subsea connection remaining energized
and being exposed to sea water. In such cases the E. Telemetry & Control Redundancy
system is designed such that this cable end will terminate
in the female connector. Since the conductor of the female A dual-redundant control system architecture is
connector is normally covered by oil or some other normally used for subsea applications. Completely
insulating fluid, it will not be in contact with sea water and independent systems having no common mode failure
can remain energized when in the disconnected position. points are to be used. Single device failure should never
An example of this is the signal on the terminals of a low result in loss of production. This includes the auxiliary
power current transformer (LPCT). If a redundant power supplies for the dual-redundant control equipment.
protection relay is retrieved, the terminals of the LPCT
remain energized since current is flowing through the VII. INSTALLATION AND COMMISSIONING
primary winding. The voltage levels are small (< 1 V) and
thus connection to the female wet mate connector allows One of the key factors in designing subsea electrical
continued operation even with the main power circuit systems is modularization. Having several modules makes
energized and drawing current. it easier to retrieve equipment that needs to be repaired or
Where redundant control equipment is implemented, it replaced, and in many cases this can be done without
is necessary to be able to independently shut of the having to stop production. The main disadvantage or
auxiliary power to control outputs. Thus if a device fails in modularization is that it increases the number of wet-mate
such a manner as to emit unwanted control signals, these connectors required as well as the total number of
can be neutralized by switching off the auxiliary power to penetrators. Additional equipment means additional
the output circuits. possibilities for failure. Failure of a penetrator could let salt
water into a subsea enclosure causing a major disruption
B. CB Control Redundancy in production.
After the modular design has been finalized, it is
Fig. 8 shows the basic scheme for controlling a CB. The necessary to consider installation of the equipment. ROV
protection relay's main function is tripping the CB under access is required for connecting and disconnecting
fault conditions and the CSD (CB control device in Fig. 8) modules, but ROV access is also a potential cause of
does the normal closing and opening. Protection relays failures since ROVs can damage equipment. The layout of
can be selected and configured such that each relay can the subsea modules should be designed to provide the
fully control two CBs, thus providing redundancy without best protection against falling objects and poor ROV
adding additional devices. Failure of one relay does not maneuvering.
result in any loss of production. The design of the flying leads connecting subsea
To achieve redundancy for the CSD, it is necessary to modules is also a challenge. Often the male connector is
install two devices per CB. By controlling the power supply simpler in design than the female connector and thus less
to the CSD output contacts, it is possible to isolate a faulty prone to failure. It is thus probably best to install the
female connectors on flying leads which could be retrieved many considerations into account when defining the
for maintenance. Avoiding retrieval of subsea modules redundancy that is to be used in a particular system. The
should be one of the main design criteria. availability study should be able to determine which
Submodules should also be considered. A submodule is amount of modularity, with and without redundancy will
integrated into a larger module allowing access to parts bring the most benefit.
that may have a shorter design life, thus permitting their The physical location of the modules is also important in
retrieval and leaving the main module in place. This reducing down time. When modules are retrieved and
technique can be used for electronic devices such a deployed, it may be necessary to shut down the process if
protection relays and communication equipment. the modules are located close to other equipment.
The installation design must also take into account how Damage occurring during retrieval or deployment could
the system will be tested and commissioned. ROV access result in major environmental damage should the process
is key to successful commissioning; however designing not be shut down. Process modules that are designed to
safe ROV access to the equipment is a difficult task. Also be retrieved periodically should be located remote from
consideration must be given to possible damage to the rest of the process. If this is achieved, it will not be
installed equipment when handling the modules yet to be necessary to shut down the process when retrieving such
installed. Dropped items can destroy installed equipment. modules.
Testing prior to commissioning is important but is not
easy for subsea systems. A comprehensive test plan is B. Maintenance strategy
required at the start of the design phase in order to be
sure that the required tests can be conducted during The maintenance strategy must ensure that the
installation and after installation is complete. This may minimum requirements that were used in the availability
influence the design of the equipment. All test equipment study are met during the design life of the installation. Due
is to be defined during the design phase. to the modular nature of subsea installation, the strategy
should include the following concepts:
VIII. MAINTENANCE, ASSET MANAGEMENT • Modules: One spare module of each type is
required. It shall be kept in working order so that it
A. Availability study can replace a faulty module without delay. It is
necessary to determine the best storage conditions
The design of the system is based on an availability as well as any requirements for periodic testing,
study. The starting point of the study is defining the permanent energization or condition monitoring.
functional requirements of the system that must be fulfilled • Components: Spares of all components used in the
at all times. For subsea power distribution this is the application are required. Since it may not be
aptitude to supply sufficient power within acceptable limits possible to replace obsolete components with
of voltage and frequency to the subsea loads. newly purchased spares due to the constraints of
The availability is defined as installation within compact subsea modules, it is
MTTF necessary to have an obsolescence strategy to
Availability = avoid having to purchase different components. In
MTTF + MTTR addition to the hardware, this strategy should
where MTTF is the Mean Time to Fail, and MTTR is the include all software, firmware and configuration files
Mean Time to Repair. Availability studies will provide the for the components as well as ensuring that the
probability of meeting the functional requirements for machines and software necessary to use the
different possible system configurations. Comparing component software are available. The versions of
different solutions is possible by evaluating the failure all software, firmware, configuration files and user
probabilities for each. Since improbable events happen, software that are necessary for refurbishment of
an availability study cannot be considered to guarantee a any module and repair of any component at any
particular result. time during the design life are required.
As can be seen by the definition, there are two ways of
• Repair shop: A repair shop capable of refurbishing
having high availability. The first is to have a high value of
each of the modules is necessary. This includes all
MTTF. The second is to have a very low value of
tools, handling equipment, storage space and
MTTR. [3]
skilled workmen.
Achieving a high MTTF requires the use of reliable
• Warehouse: A warehouse in which all components
components having a proven track record. Their failure
required for refurbishment can be stored is
rate, expressed as λ (lambda) is generally known. In
required. The warehouse could also be used to
addition to using components having a very low λ, it is also store the spare modules. If it is decided that any
possible to increase the MTTF by adding some spares need to be energized during their storage,
redundancy as discussed above. Hot swapping should be then the warehouse shall be equipped with all
strived for any time redundancy is provided. Adding necessary power supplies. It is recommended that
redundancy requires an extensive system analysis since the warehouse serve as the repair shop as well to
redundancy generally means more components and thus simplify the maintenance procedures.
more failure modes. Common mode failures are often
introduced unknowingly when designing redundant
One of the main problems will be ensuring the
systems. The complexity of redundant systems is higher
availability of skilled personnel. A program must be
than non-redundant systems making operations more
defined to ensure that there is a minimum staff of qualified
difficult. Many failures are the result of operator errors so
technicians and engineers in order to refurbish any
complexity can even offset the advantages redundancy
equipment. It is necessary to define the training program
can bring. Complex systems are also more difficult to
required to ensure that the necessary competence is
maintain and are more costly. Thus it is necessary to take
available at all times. Training equipment and simulators
should be considered in this program. XII. VITA
Terence Hazel graduated from the University of

IX. SIMULATIONS Manitoba Canada with a BScEE in 1970. He worked in
Perth Australia and Frankfurt Germany doing construction
For grass-root projects, simulations and calculations are and renovation of industrial power distribution systems. He
the only tools available to engineers. Subsea installations worked for Schneider Electric France where he provided
with long step-outs have very particular characteristics team leadership for several major international projects
which makes it difficult to base a new design on existing involving process control and power distribution. Since
systems [4]. Simulations are required to validate new 2014 he is a consultant. Mr. Hazel is a senior member of
designs. IEEE, a member of IEC TC-18, and Honorary Technical
Advisor to the Petroleum & Chemical Industry Committee
X. CONCLUSIONS Europe.
terry@terencehazel.com
It is possible to provide auxiliary power for subsea
processing prior to the energization of the main power Pierre Taillefer received in 1981 his degree in electrical
system. This black-start function allows operators to engineering at Sherbrooke University in Quebec, Canada.
ensure that the subsea system is in the right configuration For more than 35 years, he has developed hardware,
before energization. software and systems for the energy business, including
It is not necessary to implement complex and costly RTUs, TFRs, CSDs and control systems. He is one of the
systems to pre-energize subsea power transformers or founders of Vizimax Inc., a leading manufacturer of
precharge the capacitors of subsea ASDs. Controlling the solutions for the power industry. He is a member of IEEE
closing time of standard CBs eliminates transformer inrush and CIGRÉ A35 WG on controlled switching systems.
current issues. The drive topology utilized is another major ptaillefer@vizimax.com
factor which will impact the inrush which will be seen by
the system. The current source topology given in the Scott Williams received his degree in electrical
paper minimizes inrush by the inherent design while engineering from the University of Victoria Canada in
voltage source drives typically require a pre-charge circuit. 2009. Since graduation, he has been completing high
Tertiary windings on the subsea transformers and the reliability electrical designs in the transportation, industrial
possible use of a voltage source drive with DC link power and subsea industries. He currently works at
capacitor inrush reduction modules are means that can be OceanWorks International focusing on the power
implemented to avoid capacitor damage. distribution and control systems required to implement
The modularity of the design is a key factor that long term seafloor monitoring and instrument integration.
influences almost all aspects of the application. A detailed swilliams@oceanworks.com
availability study can help determine the optimal modular
design. The maintenance strategy is a key factor when Rick Paes received his degree in electrical/electronic
estimating the availability of the different possible engineering technology from Conestoga College, in
solutions. Kitchener, Ontario Canada in 1981. Since graduation, he
has been employed with Rockwell Automation. His
XI. REFERENCES primary roles include the application of various motor
starting methods, including medium voltage drives for
[1] Abbey Chad, Taillefer Pierre, “Mitigation of medium voltage induction and synchronous motors. He is
Transformer Inrush Current Associated with DER a Senior member of IEEE, past Chair of the PCIC
Facilities” PacWorld conference, Raleigh (North Transportation Subcommittee, current Vice-Chair of the
Carolina), September 2014 PCIC Marine Subcommittee, Chair of the IEEE 1566
[2] Terence Hazel, Adrian Woodroffe, “Power Large Drive Standard, past committee chair for the 2001 &
Distribution for Arctic Subsea Tiebacks”, Arctic 2007 PCIC conferences in Toronto and Calgary as well as
Technology Conference Houston Texas, OTC- future committee chair of 2017 PCIC in Calgary, past chair
23819, December 2012 of the 2007 Calgary and 2008 Edmonton IEEE IAS Mega
[3] F. Dewinter, R. Paes, R. Vermaas, C. Gilks, Projects workshops. Mr. Paes is a P.L. (Eng) in the
“Maximizing Large Drive Availability”, OIEEE province of Alberta, Certified Engineering Technologist in
Industry Applications Magazine, Volume 8, Issue 4, the Province of Ontario.
July/August 2002 rhpaes@ra.rockwell.com
[4] Terence Hazel, David Goulielmakis, Pierrick Andréa,
“How Subsea Constraints Influence Design Choices
for Protection Systems”, Offshore Technology
Conference Houston Texas, OTC-25329 May 2014
PCIC EUROPE
How do we know? A journey of self-verification and assurance.
Jeff McQueen Jason Couch

BP BP
Safety and Operational Risk BP Chemicals Ltd
UK UK
Abstract - Mature companies have good standards, • Risk ranking usually focusses on catastrophic events
specifications and maybe even an electrical safety program, and while an electrical incident might result in, possibly
but do they know how well these actually work? Verifying at most, 3 fatalities or the loss of power to a whole site,
how sites perform against the company internal, external managing electrical risk is usually seen of lower
standards and processes, usually will involve an element of importance as many risks that exist on such sites
self-assessment, self-verification and then an external would be considerably higher.
assurance view. • Power interruptions are usually infrequent, so the low
The paper will take the reader along the journey the likelihood of this high consequence scenario is seldom
company took of identifying key electrical risks, developing appreciated by decision makers.
mitigating barriers and bowties, creating a self-verification However, these risks may encompass process and
program and assurance program to determine if these personal risks, reliability of supply, legal health and safety
barriers are in place and strong. requirements and environmental consequences. Thus,
The key concepts, some details of how these activities electrical risks are a reality and worthy of being clearly
were initiated and examples of typical barriers across a defined.
downstream petrochemical organisation will be shared to Therefore, unless the electrical discipline has strong
offer the reader a tool for implementation at their sites. leadership, these risks may be overlooked in the company
The benefit to the reader would be to adopt a similar risk review processes leading to negative consequences.
process to better assure themselves of the integrity of their
key electrical risk barriers. B. Benefits of managing Electrical risks
Disclaimer: The views within this paper are those of the Clear risk definition starts with accurate risk identification.
authors and not the company they represent. Examples are Once known, management of these risks can follow.
fictitious and to aide explanation. The processes described Managing risks includes quantifying, mitigation and
are in the public domain. verification of the various layers of protection.
This process used by the company includes identifying the
Index Terms - Assessment, Assurance, Barriers, Bowtie, current risk landscape and associated self-assessed risks;
Risk management, Self-verification. developing an applicable barrier and bowtie model with
preventative and mitigation barriers; constructing assurance
protocols along with supporting self-verification
recommendations and finally implementing the program and
I. INTRODUCTION managing the outcome. This approach is similar to that of a
continuous improvement program. A further benefit has
A. Electrical risk been to increase appreciation and knowledge of electrical
risks by senior leadership.
On a relative scale, electrical risk identification, prevention
and mitigation within manufacturing and industrial
companies seldom receive the same profile as that of other
disciplines. This is often due to a number of factors; II. THE ASSURANCE PROCESS
• The Engineering manager or Senior leadership team
are unfamiliar with the electrical discipline, therefore A. Basic concepts
the detailed appreciation of risk is unknown or
underestimated; Self-assessment – a process of determining the site’s own
• Electrical design and manufacture of equipment has compliance against a pre-determined set of criteria and
often been to such a high standard, even when scored in terms of an agreed ranking process.
considering 60 year old equipment, that serviceability Self-verification – the process of determining what key
may appear good, when in fact there may be unknown activities are required to ensure that risks are managed, and
underlying risks. then carrying out activities to check that controls are still
• Many risks in the electrical field are covert. For strong and in place. It is answering the question “Do I do
example, partial discharge and arc flash risks cannot what I say I do?”
be seen and are often difficult to detect. Assurance - a systematic process to check, ensure, verify
Page 1
that the site “does what they say they do”. It involves an know where to focus our risk mitigation efforts. This resulted
independent review of the activities employed to ensure that in sites being ranked against each other and common
risks are identified and managed suitably. themes being identified. Notwithstanding the comparative
Barrier - a risk reduction measure that prevents a cause benchmark, conducting such a self-assessment allows the
developing into a risk event or mitigates the consequences team to review their individual approach to criteria deemed
of a risk event once it has occurred. Barriers are fully relevant by the survey tool.
functional and independent of each other.
Bowtie model - a graphical representation to communicate When the design of the survey was developed it was critical
a risk event, its causes, consequences and barriers. that the questions were specific, unambiguous and objective.
Covering a global application, the intent had to be clear,
B. Determining and managing your risks concise and simple for non-first language English speaking
respondents. The survey had to consider the design and
In order to determine and manage key risks, five processes covering complex refineries to less sophisticated
fundamental questions can be asked: industrial sites. Relevant international industry standards
were used as a basis for the questions. A few key standards
1. What are the risks? are listed in the References section below.
2. What are the barriers that control the risk?
3. Who owns them? The survey tool consisted of questions covering:
4. Are the barriers in place, strong and effective? • Site detail:
5. How do we know? o Responsible person;
o Organisation;
There are a variety of approaches available to answer these o Resources.
questions. The program chose to address each in order and • Site incidents:
this forms a core of this paper. o Personal injuries;
o Loss of power or other electrical incidents
For successful implementation of any management system, • Identification and management of risk:
it is good practice for it to be systematic and in control. Part o HSSE policies compliant with local regulations;
of this processes included a need to: o Personnel risk responsibility and the escalation
• identify site accountable representatives, process of high risk tasks;
• ensure they are competent, o Competency management;
• document the processes and o Authorization;
• verify the above with a wider team. o Control of work;
In most cases the accountable person for electrical risks was o Isolation and lock out, tag out procedures;
identified as the Electrical manager, however for smaller o High voltage switching operations;
sites, management representatives may have filled this o Management of contractors;
position. The topics of the other elements became the focus o Arc flash hazard management;
of the ensuing activity. • Managing electrical equipment and processes:
This is a useful tool and is represented by Figure 1. o Preventative maintenance strategy;
o Explosion protected (Ex) equipment maintenance
strategy;
o Electrical equipment integrity and reliability;
o Back-up systems;
o Islanding, load shedding systems;
o Earthing (grounding) integrity;
o Anti-static electricity management;
o Failure analysis and outcome management;
o Aged, obsolete, common failure equipment
management;
o Documentation management;
o Performance management;
• Electrical interfaces:
o Portable equipment management;
o Hazardous area management systems;
Fig. 1. Components towards being systematic and in control. o Loss of power response plans;
o Projects, management of change; standards and
specifications use;
C. What are the risks? Identifying the risk landscape o Quality assurance and quality control;
o Operations personnel knowledge on ignition
In order to quantify the status of the electrical risk situation prevention measures;
across 60+ sites, a risk survey was developed.
When using a self-assessment survey, the respondents Cyber security was not addressed, but on reflection could
should be aware of the purpose. This may require upfront have been, given its increasing prominence as an electrical
awareness, preparation and clear definition of the intended risk.
outcome. In the case of this survey, the product was to The survey was completed by the electrical responsible
determine a risk landscape across the company so as to person and their teams. It was noteworthy that for smaller
Page 2
sites, this person or team was hard to identify. This supports Fig. 2: Business unit performance in terms of Company
the case cited above about understanding and ownership of key management areas
electrical risk.
Most teams saw the survey as a source of knowledge, as
100
a baseline against which to identify areas of improvement
and as an opportunity to compare themselves against other 80 Level 5
similar sites. This feedback indicated an immediate benefit of
the survey. Level 4
60
Other feedback from the respondents worthy of note when Level 3
developing a similar survey included: 40
Level 2
• The completion of the survey was often not done by a 20
single individual but in a team where a debate could Level 1
take place over the answer to each topic. The benefit 0
Site XX
of this was that areas of improvement could be drawn Q1 Q2 Q3 Q4 Q5
out more effectively.
• A good approach was to have individuals of different
experience and different previous employment history Fig. 3: Site position relative to others
to offer a comparative view.
• When a question was looking for specific controls The data was also analysed for any common themes in
around a topic, for example “does a site have a robust site specific, business type and regional risks. This was
process for the issue and control of electrical represented on a companywide risk matrix. Non-electrical
authorisations?” it was necessary to consider the readers could conceptualize the risk position against a
details within the process of authorisation and not familiar format. Fig. 4 offers a typical risk matrix with themed
simply consider if there is a process and it “feels” like it outcomes plotted.
works.
• The sites considered if there were internal and external
Likelihood of Risk Event
checks and balances in place and if the processes
were recorded and auditable. 1 2 3 4 5
In Several in
The use of an on-line survey tool was made to coordinate Severity Remote Industry In Company 1-2 times in Site site's lifetime
responses. This assisted with managing over 3000 data
A
points. A scoring system was used with weighting to
prioritize some higher risk questions. This weighted scoring B
system allowed for easier management of data to report the C

site outcomes relative to the company internal management D
system metrics, business units and geographical regions. E Ex Equip't Incidents
The benefit of this allowed the reader to relate to the gaps
F Arc Flash
and reflect on what the data was telling them. It also
removed the need for detailed technical knowledge of the G CoW LOTO
topic. In, for example the question on “Control of Explosive H Competency
Protected equipment” – the non-electrical reader does not
need to understand the details of a hazardous area Fig. 4: Risk analysis plotted on matrix
management system. They can rather reflect on the
outcome relative to the familiar companywide scoring Each site then received feedback on their scores
system. benchmarked for reference against the other sites. Where a
A few examples of data analysis are shown in Figures. 2 site was found to be good or best in class this was
and 3. highlighted. This demonstrated to the sites that the study
was not only there to show areas of improvement, but to
identify strong barriers. Best in class sites could potentially
Assets
use those processes to implement actions for closure of
other improvement areas.
Sites used this information to populate department and
company risk registers and to develop action plans to
Procedures Risk address opportunities. Company standard action tracking
systems were used to assist with definition, clarity,
Excellent accountability, prioritisation and closure. This closure
Good process was not part of the survey but rather the
Business Unit 1 Basic Requirement responsibility of each site and within their chosen time frame.
Business Unit 2 Partial compliance
Business Unit 3 Little/None Some learning regarding the survey tool included:
Performance
• Adopting a weighted scoring system at the outset;
Lead & Organise
• Keeping the survey short without any possible
repetition of questions;
Page 3
• Preparing the survey respondents well ahead of
time; D. What are the barriers? Developing an Electrical Bowtie
• Pre-empting and addressing regional and cultural Model.
self-assessment tendencies;
• Considering the ease of use and the cost of the Following the survey analysis, common themes emerged. In
survey tool. order to manage mitigation of these across the discipline in a
• Managing the significant amount of data points and focussed manner, a Bowtie model was developed. Using the
what the outcomes represent. standard conventions, a distinction between personal and
process risks was made, resulting in two bowties. These can
Feedback from sites on the use of the benchmarked data be used to represent the barriers required to prevent an
included: incident and are useful for non-electrical personnel to
understand risks and the reason why certain activities are
• “When our site took an honest viewpoint of our position, necessary to manage these risks. Bowties help with
we were able to compare our own belief of where the communicating and understanding.
gaps were against that of the study. In most cases it Testing the strength of each barrier within the bowtie led to
simply reinforced our own knowledge in where the the development of an assurance program. Appendix 1
known gaps were, but when the weighting was applied, it provides an example of the bowties used. Note that per
provided a priority and starting point for an action plan.” bowtie model definition, maintenance, training, competency,
• “As with most businesses, there are many different pools etc. are not barriers in themselves, but sustaining or
of information to draw from for showing where gaps are. controlling factors. Within each barrier in the model one may
Together they can be considered as supporting find supporting information detailing the degradation factors
information when developing an action plan. The benefit and degradation controls of that barrier. The Barrier team
of this is to close off a number of gaps and build a tried to keep the text similar to that of other non-electrical
stronger system in the long term. In one example, the bowties for consistency.
survey highlighted an opportunity around the process
around control of isolation. The site also had actions from While Bowties are traditionally represented in two triangles
other site surveys that indicated deficiencies in this area. facing each other with the risk event in the centre - this
By reviewing the two reports the site was able to revamp makes for a poor presentation within slide shows and
the complete authorisation process and update the site documents. The diagrams A1 and A2 offer a similar, if not
lock out tag out policy. “ unconventional view.
• “Having multiple sites feedback analysed and compared With these bowties now representing the cause, barriers
in one report enabled those with opportunities to call and consequence for a risk, the next step was to determine
upon other high scoring sites for assistance. Amongst the strength of each barrier to prevent the risk.
other shared learning opportunities outside of the study,
the process helped build and maintain technical support E. Are the barriers in place and effective? Developing an
lines. Through these relationships, we have been able to Assurance program
share knowledge, resources, lessons learnt from safety
incidents, improvements and problem solving skills.” In order to test the strength of the barriers, it was decided
to start with the end in mind and so an assurance
The final product was a holistic electrical risk landscape of assessment tool was developed. The company differentiates
all company sites risk positions communicated in an easily between self-verification, assurance and audit. The site is
understood format for all stake holders - not just the responsible for self-verification (see details below). As
electrical teams as is usually the case. assurance and audit are performed by independent
Significant progress has been made across the discipline reviewers, it was decided to develop protocols applicable to
to address and improve risk management following this that level. At this stage, audit activities within the electrical
survey. discipline focus mainly on Control of Work and Hazardous
area management within the ATEX countries.
Figure 5 shows a dashboard or landscape of the risk The assurance protocols were seen as the minimum
positions for various sites. A quick review allows one to standards a site should meet. This was to prioritize efforts
identify common focus areas and address these accordingly. and minimize the volume of any preparation. Protocols key
function is to test the strength of the barrier. As such, the
Electrical Safety
context of the site, organisation and installation may affect
Question 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 the line of questioning and intent.
Critical Equipment reliability
The electrical safety assurance protocols covered:

Over loaded Equipment
Emergency response
Sustainability of Barrier
Inspection authority
Grounding & Static

Project processes
Self Verification
Overhead lines
Loss of power
Portable tools
Competentcy
1) Personal Safety
Safety Rules
Excavations
Demolition
RCD/GFCI
Arc Flash
Classify
Insepct
QA/QC
Certify
Labels
Install
LOTO
MOC
Legal
CoW
PPE
Site 1 • Delegation of authority;

Site 2
Site 3 • Compliance to national standards and codes;
• Use of electrical safety rules;
Site 4
Site 5
Site 6
Site 7
• Personnel competency;
• Risk management;
Fig 5 Risk profile across the business • Control of work and safe isolation;
• Protective Personal Equipment;
Page 4
• Documentation, labelling and identification; A Self-verification program evaluates the outcomes of the
• Arc flash hazard management; effectiveness of the various self-verification activities at a site
• Personal shock hazard management. level and determines if these are in support of the company
requirements. It may include dedicated personnel to
2) Process Safety develop, coordinate and manage the program. Reviewers
with the necessary expertise are required to conduct field
• Project interfaces as pertains to electrical risk; inspections to form an opinion of the barrier strength.
• Use of standards, regulations and codes; “What you measure, you manage”. Using this as a driver, a
• Application of project tools to electrical risks; robust self-verification program focusses on various levels of
• Management of change; details as follows:
• Quality control;
• Emergency preparedness for electrical related Level 1 activity: These are typically daily, weekly
incidents; or monthly field inspections or conversations. The
• Business continuity in the event of loss of power; reviewer uses prepared protocols or checklists to verify
whether the component of a barrier (operation/task) is
• Equipment reliability management;
robust. Level 1 activities provide primary information about
• Over-loaded or over-dutied equipment.
the levels of system conformance and risk management
(e.g. a monthly check to verify that shift handover
3) Ignition Prevention
procedures are being followed; a weekly check on permits
written; a regular review on maintenance checks,
• Hazardous area management including inspection inspection sheets and punch lists…)
authority, classification, certification, installation Level 2 activities: These are typically monthly
inspection and recording; reviews which use checklists, audit findings, trends and
• Earthing/grounding and anti-static management; discussions to evaluate whether Level 1 activities support
• Operator and Electrical /Instrumentation personnel a barrier. Examples include hazardous area inspection
competency; outcomes and trends; learning from incidents and
• Management of ignition prevention during Control improvements to the Level 1 activities; training and
of Work activities. competence of field inspectors; monitoring preventative
maintenance activities and the effectiveness thereof;
These protocols were then used to conduct barrier reviewing failure statistics; monitoring critical spares
strength checks at various sites. The duration of site visits holding, etc.
was 2-3 days led by one experienced electrical engineer as Level 3 activities: These are typically where the
the assurance lead with a small team from the site. leadership team takes an annual, macro view to evaluate
Preparation involved developing and agreeing on the the results and effectiveness of the self-verification
boundaries and scope in a Terms of Reference. Pre-read program in order to identify trends, emerging risks and
was provided and the review focussed on the barrier opportunities to improve risk reduction measures and
strength on the day. ultimately implement improvements. Examples include a
Site activity included interviews with personnel from the review of the changes made due to the self-verification
HSE, Operations, Mechanical engineering, Process program; action tracking, closure and effectiveness
engineering, Projects, Maintenance, Emergency services, review; confirming that resources are appropriately
Training and Electrical departments. A site visit helped to allocated; analysing findings and identifying trends,
identify and support opinions on barrier strength. Finally a themes or repeat findings, verifying results with other
draft report and feedback was presented to the site sites, etc.
leadership followed by a formal report.
Details of a good self-verification program can be found
As with the survey results, the benefit of this assurance elsewhere, and various self-verification activities were
activity was seen by the site management as a further developed for each barrier. Sharing some general electrical
means to improve their understanding of electrical risks. related examples includes:
Many highlighted the fresh viewpoint regarding the electrical • Identifying a program owner.
infrastructure. Action plans were developed and now form • Verifying the process of delegation of authority,
part of the site prioritised action tracking system. A further responsibility, competency, and work delegation.
benefit has been cross-pollination between sites. Best • Field checks on a worker’s understanding of the risks
practices from one site are shared to address weaker involved; use of any electrical safety rules or
barriers at others. Thus these summated best practices help procedures; appropriate use of PPE; awareness of
to develop a continuously improving companywide standard. arc flash risks; understanding of electric shock
This realised the intended benefits from the assurance preventative measures; portable equipment condition
program. and management; field equipment integrity; etc.
• Self-audits on control of work practices including the
F. How do we know? Self-verification
issuing of permits, understanding of risks involved by
all concerned; proper lock out, tag out processes;
Self-verification is a systematic process owned, developed
inspection results and remediation; Operation’s
and managed by the site to evaluate whether a specific
emergency response to electrical incidents, etc.
barrier is fully functional. It includes taking corrective action
• Quarterly or half-annual reviews of the effectiveness
when work is not being carried out in conformance with the
of field inspections trends and preventative
applicable requirements or if a barrier is found to be weak.
maintenance activities; management of change
Page 5
practices and documentation updates; contractor V. REFERENCES
management matters; etc.
• Annual reviews of hazardous area (Ex) management; [1] OHSA 29CFR1910 Occupational Health and Safety
preventative maintenance effectiveness; aged or Standards
obsolete equipment management; project
[2] NFPA 70E Standard for Electrical safety in workplace
effectiveness; actions identified and closed, an
overview of the effectiveness and benefits from the [3] Management of health and safety at work Regulations
self-verification program, etc. 1999 Health and Safety Executive UK
It was found that most sites are at the start of the self-
verification journey and that while many carry out various [4] Electricity at Work Regulations 1989. Health and Safety
self-verification activities, most do not record or manage Executive UK
the outcomes systematically. It may be seen by some as [5] EN 50110 Operation of Electrical Installations
additional work, but if structured correctly, a self-
verification program can actually reduce effort and [6] IEC 61482-1-1 Live working – Protective clothing against
increase alignment and effectiveness. All efforts go the thermal hazards of an electric arc – Part 1-1: Test
towards answering the question: “How do you know?” methods – Method 1: Determination of the arc rating
(ATPV or EBT50) of flame resistant materials for clothing
[7] IEC 61482-1-2 ~ Part 1-2: Test methods – Method 2:
III. CONCLUSION Determination of arc protection class of material and
clothing by using a constrained and directed arc (box
In order to address electrical risks at a company level, a test)
self-assessment electrical risk survey was conducted across
a petrochemical company. These results provided an overall [8] IEC 62271-200 High-voltage switchgear and control gear
view of self-assessed risk in the electrical discipline. – thorough arc fault and Internal Arc Classification
A Bowtie model was then used to collate the common requirements.
causes, assign these to personnel and process risks,
determine common consequences and define common [9] IEC 61439 - Low-voltage switchgear and control gear
preventative and mitigation barriers. assemblies
Thereafter, an assurance process was developed to test [10] IEC/TR 61641 - Enclosed low-voltage switchgear and
the strength of various barriers. The assurance program was control gear assemblies – Guide for testing under
implemented across the business. The bowties are now conditions of arcing due to internal fault
used as a communication tool to represent the individual [11] IEC 60079 – 17:2013 Explosive atmospheres - Part 17:
barrier performance. Electrical installations inspection and maintenance
Finally, a self-verification program has been started to
consistently check the programs, processes and procedures
established to support these barriers. This process is aimed
at managing electrical risks while increasing the VI. APPENDIX
effectiveness of assurance programs at the various sites.
This paper summarises a process to identify risk, quantify Appendix A: Electrical Bowties
its significance, develop mitigation criteria, assure these are
in place and self-verify the strength of those processes
implemented to manage the risks.
IV. ACKNOWLEDGEMENTS
The authors would like to acknowledge:

Stuart Brown, Electrical Advisor, BP, for his review of the
various tools whilst in development phases and comments
on this paper; Huw Morgan, Engineering Authority, BP Hull,
for review and comment and the various site personnel who
participated in the assurance reviews.
Page 6
APPENDIX A
Electrical Bowties
Causes Prevention Barriers Risk Event Mitigation Barriers Consequence
Isolation
Electrical Safety Rules

Breaking
&
Containment
Electrical Distribution Protection systems

Energise
Electrical Earthing/Grounding systems
Electrocution and/or Arc Flash

Equipment Fault containment
Electrical Protection system
Improper
Emergency Response
Control
Evacuation Systems
Operation of
Insulation & Equipment Design
equipment of Work
Exposure to
PPE
Electrical
Electrical Energy
Parameters Alarms
outside Safe and
Design Limits Operator
Response
Hazard:
Inadvertent
Electricity
Contact
Procedural
Passive
Electrical Bowtie – Personal Risk Active
Figure A-1: Personal Risk Bowtie
Causes Prevention Barriers Risk Event Mitigation Barriers Consequence
Operate
Utility Power Load
outside SOL
Failure shedding
(leading to
procedure
LOPC)
UPS&Back
Electrical up Loss or
Protection, Generators Failed
distribution, Utilities or
equipment Process
or plant Loss of Power support
power at Facility Equipment
failure
Unsafe
Loss of working/
Operation/ Operations&
Controlof operating
Maintenance Maintenance Hazard: Ignition Localwork conditions
control Procedures No electrical Prevention activities leading to
power to Injury/
operate Site fatality
Procedural
Electrical Bowtie - Loss of Electrical Power Passive
Active
Figure A-2: Process Risk Bowtie
Page 7
VII. VITA
Jeff McQueen graduated from the University of Natal, Jason Couch graduated from North Lindsey Technical
Durban, South Africa in 1990 with a BSc Electrical Collage in 1998 with a HNC in Electronic and Electrical
Engineering degree. He has worked at various chemical Engineering and a HNC in Industrial Measurement and
and manufacturing companies including oil refineries in Control. He spent 20 years in the steel industry in a
South Africa and the UK before joining BP. Working the in number of engineering roles in the UK. Latterly has join
the Downstream segment, covering Safety and BP in 2012 as the Site High Voltage Engineer
Operational Risk, he was responsible for the electrical accountable for the safe and reliable operation of a 120
discipline. He currently is the Entity Director at BP Hull MVA private network for one of the company's
site responsible for providing assurance over a wide manufacturing sites.
range of site activities. His PCIC experience includes Jason.couch@uk.bp.com
presenting a tutorial and co-authoring a paper for PCIC
Europe. jeff.mcqueen@bp.com
Page 8
ARE THE IEC REQUIREMENTS FOR OVERPRESSURE TESTING OF
FLAMEPROOF EQUIPMENT APPROPRIATE?
Jim Munro
Jim Munro International Compliance Pty
Ltd
90 Boorea Street, Blaxland NSW 2774
Australia
Abstract - For the IEC flameproof standard IEC 60079- What drove the formation of these research institutes?
1 there is an apparent lack of research data to clearly Coal mining was always recognised as a hazardous
support all the factors that are applied to the pressure industry, but in the early days it was mostly a 'pick and
determination figures in order to do the overpressure test. shovel' exercise in mining the coal. Hence sources of
Even in cases where data does exist, the tests may not ignition for methane (fire-damp) or coal dust atmospheres
reflect the best approach based on the data. The were low. The advent of technology and the push for
standard does not address impact of temperature on greater production seems to have had led to a significant
pressure figures in the standard temperature range. An increase in explosions or other events, such as roof falls,
investigation is shown into existing information and data, that pushed the death rate higher. It appears two of the
both published and unpublished. In addition, the minutes major new sources of explosions was the use of
of the first meetings of TC 31 commencing in 1948 are explosives and the use of electricity [2, 3]. There were
examined to look at the decisions leading to the three research institutes that seem to have played a key
requirements in the first standard which was issued in role in the early days. In each case the main driver
1957. The evolution of the testing requirements are then appears to have been a dramatic increase in the number
examined for subsequent revisions. A critical analysis is of deaths. I will briefly address the establishment of each
subsequently made on that evolution and the supporting of these institutes.
data, with particular emphasis on the effect of For Germany, Dill [3] reports that in Germany when
temperature. Gaps are identified in the supporting data. "the annual number of fire-damp explosions reached three
The paper recommends potential changes to the existing figures, it became necessary to act quickly". Hence in
standard based on existing data and recommends 1894 The Westphalian Mining Company Fund Mine
additional investigative testing that is needed to clarify the established an explosion gallery in Gelsenkirchen-Schalke
situation, and which could lead to changes in the next to investigate the influence of explosives on firedamp and
edition of the standard. coal dust. This subsequently became the Institute for
Explosion Protection and Blasting Technology (BVS). Its
Index Terms — flameproof, pressure determination, first Director was Beyling.
extremely low temperature, pressure piling, motors In the USA, Breslin [2] states that in the single month of
December 1907 there were a number of coal mine
I. INTRODUCTION explosions that killed more than 600 miners. In one
explosion alone, 362 miners died, making it the worst mine
The first international standard relevant to flameproof disaster in US history. This no doubt was a driving factor
equipment was published in 1957 by the International in the establishment of the Bureau of Mines in 1910 [2],
Electrotechnical Commission (IEC) 79 [1]. The standard although research had previously commenced within
was developed by IEC Technical Committee TC 31, which government departments, particularly looking at
was first established in 1948. Since then there have been permissible explosives to be used underground.
six further editions of the standard (now called IEC 60079- In the UK, Luxmore [4] provides a summary of the early
1), with the latest edition being published in 2014. IEC days. When electricity was first introduced in coal mines
60079-1 is now adopted by most countries throughout the in the 1880s, almost a million people were employed in the
world, with the most notable exception being the USA. It industry in the UK. In 1880 there were 4,231 collieries. By
has adopted the standard for situations where IEC zoning 1900 safety legislation was in place, but there were still
is used, but most US area classifications use divisions. over 1,000 miners killed every year and legislation put no
For this, the US uses a comparable technique which it restrictions on the use of electricity.
calls explosionproof (sometimes referred to as explosion- The 'flameproof' type of protection for equipment is
proof). The requirements for this technique are addressed accepted as the earliest and probably still the most widely
in local standards, or in legal instruments, such as laws or used type of protection to ensure electrical equipment
regulations. does not cause an explosion in an explosive atmosphere
There was much research resulting in the development of gas or vapour. The basic concept involves not
of individual country standards and regulations well before excluding a gas or vapour from an enclosure, but ensuring
the international standard was first published. Most of the that, if there is an explosion within the enclosure, the
early research was done in coal mines research institutes explosion does not spread to the surrounding explosive
with the explosion-protection techniques later being atmosphere. This means the enclosure needs to be
adapted for above-ground industries where explosive strong enough to withstand the explosion and there must
atmospheres of gas, vapours or dust might exist. In some be a means of ensuring the transmission of the explosion
instances research institutes for above ground industries via joints of the enclosure does not cause an external
also evolved. ignition. This type of protection goes by a few names. In
the USA it is mostly called explosionproof. It is also But it was further agreed to defer questions for "factor of
commonly called Ex d or flameproof enclosure "d" with the safety" to the second edition.
'd' coming from the German words 'druckfeste kapselung'
which translates as 'flameproof enclosure'. For the B. Publishing First IEC Flameproof "Standard"
purpose of the this document, unless otherwise indicated,
the terms flameproof, explosionproof, explosion-proof, Ex As noted earlier, in 1957 IEC published Publication 79
d and flameproof enclosure "d" may be considered to be "Recommendations for construction of flameproof
synonymous. However, it should be noted that the enclosures of apparatus". According to the TC 31 minutes
standards requirements can be different. this was originally intended to be a specification, but it was
Published literature suggests that this approach was changed to a recommendation to resolve a negative vote.
first developed in the late 1800s and early 1900s. In the The preface of the standard indicates that after the
UK, the first term used was "flame-tight". Luxmore [4] meeting in Paris and "examination by the Editing
states that this was referenced in UK by a committee Committee in Brussels" the document was circulated in
formed in 1902 "to enquire into the use of electricity in coal September 1953 for approval under the Six Months' Rule.
and metalliferous mines and the dangers attending to it" After the meeting in Philadelphia, the revised draft was
which (amongst other things) recommended that "all circulated under the Two Months' Procedure in 1955. 16
terminal (sic) should be enclosed in a flame-tight casing". countries voted in favour of the document and none voted
He also indicated that experiments had begun in Germany negative.
by Beyling in 1884. But he further provides evidence that The requirements in the first edition relevant to the
there was work going on in the UK at that time, for mechanical strength of the apparatus and enclosure, and
example Henry Davis of Davis Ltd submitted a report to hence overpressure testing, are quoted below:
the 1902 committee describing a flame-tight dc motor that 7. Mechanical strength of apparatus
he had designed. Perhaps the first major publication on The mechanical strength of the apparatus as a
this subject was a work published in 1906 by Dr Ing Carl whole, shall be such as to withstand the normal
Beyling [5] describing the results of the extensive research conditions of use in industry and for the purpose for
done at BVS. National standards or related instruments which it is intended.
began to occur in various countries , initially focussed on 7.1 The flameproof enclosure, in all its parts, shall
coal mining but with some expanding to embrace above be capable of withstanding the maximum dynamic
ground industry. The publication of British Standard BS pressure resulting from an internal inflammation of the
229 [6] in 1926 is an example. most explosive mixture with air of the gas or vapour
for which it is designed, or of a representative gas or
II. THE FIRST INTERNATIONAL STANDARD vapour for the group for which it is designed, without
suffering damage, or such deformation as would
A. First Four Meetings of IEC TC 31 weaken any part of the structure, or would enlarge
permanently any joints in the structure so as to
The first meeting of the newly formed IEC "Advisory exceed the permissible dimension. Normally the
Committee TC 31: Flameproof Enclosures" took place in maximum pressure will be ascertained with the
London from 7 to 9 July 1948. With the kind permission of enclosure having all its mechanical and electrical
the IEC some information can be provided from those parts assembled as in use. It is recommended that
meetings. Of interest is an opening statement from the motors shall be tested while not running and also
Chairman of the British National Committee on while running without load. Where necessary, control
Flameproof Enclosures as recorded in the minutes: gear shall be tested under electrical overload
during the war, much electrical equipment conditions.
imported into the United Kingdom from the U.S.A 7.2 In addition to the foregoing requirement, the
had been made to U.S.A. standards, which enclosure shall be capable of withstanding without
differed in some respects from British standards. damage a testing pressure of not less than one and a
This created problems for technical people and half times the maximum explosion pressure obtained
government officials concerned, resulting in when undergoing the flameproof tests, with a
suggestions being made to the B.S.I. that, if minimum of 3.5 kg/cm2 (50 lb/in2).
possible, international agreement should be This overpressure may be applied either statically
obtained on the requirements of flameproof or dynamically at the discretion of the competent
enclosures. national authority concerned.
TC 31 held three further meetings prior to the This standard included four groups, namely Group I,
publication of the first flameproof standard. These took Group II, Group III, Group IV based on the Maximum
place in Paris in November 1949, London in April 1953 Experimental Safe Gap (MESG). These corresponded
and Philadelphia, USA in September 1954. During the roughly to the current equipment groups of Group I,
meetings the decision was also taken to include in the Group IIA, Group IIB and Group IIC.
publication the words: "The term 'flameproof' is The following is an analysis of the above based on
synonymous with the term 'explosion-proof'." That has discussions at the meetings:
been dropped from more recent editions of the flameproof 1. The increase of one and half times is not referred
standard. At the third meeting the name of the committee to as a factor of safety in the standard and that
was changed to "Technical Committee No. 31: Flameproof term is still not used. However, that term was
Enclosures". It is clear from the minutes that the question sometimes referred to in the minutes. At the first
of what pressure an equipment enclosure should meeting the British delegation said that the "50%
withstand occupied a significant part of those meetings. A additional pressure was relied on to cover variables
decision was taken to include a test of one and a half between prototypes tested and subsequently
times the "equivalent of the maximum dynamic pressure". produced apparatus of the same type." An
obsolescent British Standard issued in the same There were some significant changes from the first
year BS 229:1957 [7] does refer to it as a factor of standard. The standard introduced the now commonplace
safety. approach to the use of groups. Enclosures were classified
2. This standard recognised the possibility of testing into two groups as follows:
either statically (commonly this is done with water) - Group I : for application in coal mining
or dynamically. For this latter approach the UK - Group II: for application in other industries
delegation indicated they normally used "an
explosive, such as gun-cotton, under controlled Enclosures in Group II were further sub-divided
conditions." according to the MESG into the same sub-groups
3. There is no indication that routine overpressure currently in the latest standard, ie Groups IIA, IIB and IIC.
testing was expected. However, the standard does But Group IIC only covered hydrogen. The test approach
indicate that testing would be done at the established is still used. Tests are broken down into the
manufacturers. following;
1. Determination of explosion pressure;
III. SUBSEQUENT EDITIONS 2. Pressure test;
3. Test to determine whether the enclosure is
Table I provides a summary of the various editions that flameproof (not addressed in this paper); and
have been published since the first edition, including 4. Routine checks and tests.
amendments. The titles can be found in the references for
this paper. For determination of explosion pressure the following
mixtures were now specified ("volumetric ratio with air")
TABLE I ˗ Group I: 9.8% methane
EDITIONS OF THE IEC FLAMEPROOF STANDARD ˗ Group IIA: either 3.6% butane or 3.1% pentane
Number Edition Date or 4.6% propane
˗ Group IIB: either 8% ethylene, or 24% of 85/15
Publication 79 Edition 1 1957 hydrogen-methane or between 3% and 4.2%
Publication 79-1 Edition 2 1971 ethyl ether
˗ Group III - no gas mixture defined
International First Supplement to 1975
Standard 79-1A Edition 2
It stated that when doing the test, the mixture should
Publication 79-1 Amendment 1 to 1979-09 be "suitably agitated" and that the test must be done at
Edition 2 least three times. For the pressure test it still used the
factor of 1.5 but applied this to the "highest of the
International Edition 3 1990-12
Standard 79-1
maximum smoothed pressures obtained". A minimum
of 3.5 bars was still applied (with the units changed).
IEC 79-1 Amendment 1 to 1990-08 For the static test the factor was increased to three
Edition 3 times the reference pressure if the rise time was less
IEC 60079-1 Amendment 2 to 1998-05 than 5 ms. It also provided for a pressure test of four
Edition 3 times for enclosures that would not be subject to routine
test (specified in 16.2). It required motors to be tested
IEC 60079-1 Edition 3.2 1998-05 at rest and running. It also required pressures to be
IEC 60079-1 Edition 4.0 2001-02 measured at the ignition end and opposite end, plus in
the terminal box where not a separate enclosure.
IEC 60079-1 Edition 5.0 2003-11 In the static pressure test it required the pressure to
IEC 60079-1 Edition 6.0 2007-04 be maintained for at least one minute. There was now a
clear responsibility for the manufacturer to carry out a
IEC 60079-1 Corrigendum 1 to 2008-09 routine test pressure test unless specifically exempted.
Edition 6.0
IEC 60079-1 Edition 7.0 2014-06 B. Amendment 1 to Second Edition 79-1
Amendment 1 to the second edition [9], issued in 1979

A. Second Edition 79-1
contained some significant changes. For determination of
explosion pressure the following mixtures were now
It took 14 years until the next edition of IEC 79-1 [8] was
specified ("volumetric ratio with air")
published (in 1975). The title also changed to "Electrical
˗ Group I: (9.8±0.5)% methane - tolerance added
Apparatus for Explosive Atmospheres Part 1: Construction
˗ Group IIA: (4.6±0.3)% propane - options of
and test of flameproof enclosures of electrical apparatus".
butane and pentane dropped and tolerance
The preface shows that this standard had now become
added for propane
part of a series of standards with other types of protection
˗ Group IIB: Normally the test mixture is (8±0.5)%
covered, such as pressurized enclosures, intrinsically safe
ethylene. In cases where pressure piling may
apparatus, sand-filled apparatus, oil-immersed apparatus
occur the test shall be made at least five times
and type of protection "e". 26 countries voted in favour of
with a mixture of (8±0.5)% ethylene and it is
Section One (General) of the standard. Slightly smaller
repeated afterwards at least five times with a
numbers voted in favour of Sections Two (Checks and
mixture of (24±1)% hydrogen-methane (85/15).
tests) and Three (Special requirements for Group IIC).
Ethylene now was mandated as only test gas
This edition was prepared by TC 31 Subcommittee SC
with tolerance added (ethyl ether dropped
31A Flameproof enclosures.
completely) and for pressure piling additional
number of tests and additional use of hydrogen- "ambient temperatures below -20 °C, stronger enclosures
methane with tolerance was mandated. may be required due the higher pressures generated at
˗ Group IIC: Still no test gas defined low temperatures and the possibility of brittle fracture of
the enclosure materials". It also referred to temperatures
Missing from the test approach was the need to agitate above 60 °C and the possible need to use smaller gaps.
the test mixture. This appears to have been replaced by For the first time reference was made on how to achieve
note that stated that "Alternative explosive mixtures to be a "smoothed pressure". A note suggested that one way to
used when turbulence is present are under consideration". do this is to use a "5 kHz ± 10% filter in the signal circuit".
Turbulence of course occurs with motors. Some changes There were no changes to the mixtures to be used for
were made to the details with the principle of testing at rest pressure determination for Groups I, IIA and IIB. The
and rotating was retained, but only as an option "at the following mixtures were included for Group IIC (which now
discretion of the testing authority". Perhaps the most included acetylene):
significant issue was the dropping of the three times ˗ 5 tests at (31±1)% hydrogen (H2); with
pressure test option for enclosures with pressure piling. ˗ 5 tests at (14±1)% acetylene (C2H2) added from
The rationale for this was not given and published the previous edition
literature seems to provide no clues. However, Note 1 in
Clause 15.2.2.4 of Edition 7.0 states: The static pressure test was still done at 1.5 times the
The need to conduct this repeat testing is based reference pressure with a minimum of 3.5 bar. The period
on the principles that (1) when pressure piling is of application of pressure was more precisely defined as
not involved, ethylene will result in worst case 10 +2 -0 s. The provision for a four times test to avoid
representative pressures, and (2) when pressure routine testing was retained. For small enclosures where
piling is involved, it will not. Therefore, under this the reference pressure could not be measured and the
premise, when pressure piling is an issue, the dynamic method was not practicable the following static
additional testing with the mixture of (24 ± 1) % test pressures were given: 10 bar for Groups I, IIA, IIB
hydrogen/methane (85/15) is included. and 15 bar for Group IIC.
For Group IIB perhaps the hydrogen-methane mixture
was expected to provide a higher pressure comparable to D. Amendments 1 and 2 to Third Edition of 79-1
when the factor of three was used. However, nothing
similar occurs for Groups I and IIA. Further, for this testing Amendments 1 [13] and 2 [14] were subsequently made
the mixture given is the stoichiometric mixture. This can to the standard addressing breathing and draining
be expected to give the highest pressure for a simple devices. A version of the standard IEC 60079-1 Edition
enclosure, but for a complex enclosure this may not be the 3.2 [15] was issued in May 1998 incorporating the two
case. There may be situations where internal flame amendments and adopting the new IEC numbering
transmissions in an enclosure only occur at mixtures other system.
than the stoichiometric mix; thus producing pressure piling
that would not occur when using the mixture in the E. Fourth Edition of 60079-1
standard. It is worth noting that in the USA local
standards, eg for UL [10] and FM Approvals [11] require Edition 4.0 of IEC 60079-1 [16] was issued in February
pressure determination testing to be done over a range of 2001. Based on the memories of the author of this paper,
mixtures. as the then relatively new Chair of TC 31, this edition had
A reason for the above change can be postulated. a short and chequered history. Using an agreement
Applying a higher factor to an already higher determination between the European Committee for Electrotechnical
pressure may be seen as a doubling the overall factor of Standardization (CENELEC) and IEC, called the Dresden
safety. However, pressure piling, and the more significant Agreement, the European version of the standard was
scenario of detonation, are complex phenomena and it is submitted for vote to the national committee members of
hard to be confident that the small number of tests and Subcommittee SC 31A. Since the number of affirmative
restricted gas mixtures will in fact provide the highest votes met the rules for acceptance, this edition of the
pressure figure. Some clear factual support for this standard was published in IEC with only editorial changes
approach seems to be needed. A further significant from the CENELEC version, for example referring to IEC
change for the pressure test, which had its name changed standards. Thus it did not directly evolve from the
to "overpressure test", was the dropping of the time to previous edition of IEC 60079-1 and there was no
apply the pressure from "at least one minute" to "not less opportunity to make technical changes. Hence some
than 10 s and not more than 1 min". Some changes technical requirements from the previous edition were lost.
occurred to the dynamic pressure test. When the ramifications of this approach were realised, a
short revision cycle was instigated to allow incorporation of
C. Third Edition of 79-1 appropriate technical changes.
A significant omission from this edition was reference to
The third edition of 79-1 [12] was published in the applicability of this standard for low and high
December 1990. This was the first time a general temperatures that was in the previous edition. The speed
requirements document had been produced, IEC 79-0. to be used when doing pressure determination on rotating
Thus some of the requirements in IEC 79-1 were electrical machines was "between 90 % and 100 % of the
presumably transferred to that document. Also for the first rated speed of the machine". Where reference pressure
time the standard clarifies the applicable ambient range of determination was impracticable a range of pressures to
temperatures which it repeats from IEC 79-0 as being be used between 10 and 20 bar, depending on Group and
from "-20 °C to +60 °C for explosive gas atmosphere enclosure size, were specified. The period for pressure
characteristics and from "-20 °C to +40 °C for the testing as "at least 10 s but shall not exceed 60 s". The
operation of electrical apparatus". It notes that for use of a frequency limit for smoothing of 5 kHz ± 10%
was mandated for the first time. auxiliary motor. The speed shall be between 90 % and
In the context of pressure determination testing, the 100 % of the rated speed of the machine.
standard introduced the following about pressure piling:
G. Sixth Edition of 60079-1
NOTE There is presumption of pressure-piling when
˗ either the pressure values obtained during a Edition 6.0 of 60079-1 [18] was issued in April 2007. It
series of tests involving the same configuration, removed reference to "electrical apparatus" and instead
deviate from one to another by a factor of ≥1,5, used the term "equipment". That was consistent with
or changes in terminology across the TC 31 standards at that
˗ the pressure rise time is less than 5 ms time. The standard introduced more detailed requirements
for extremely low temperatures as shown below.
The gas mixtures to be used for pressure determination
did not change but the number of tests for Group IIC For electrical equipment intended for use at an ambient
dropped from five to three for both acetylene and temperature below –20 °C, the reference pressure shall
hydrogen. However, where pressure piling (see above) be determined by one of the following methods:
could occur, tests had to be done "at least five times".
This applied to all Groups. • For all electrical equipment, the reference pressure
shall be determined at a temperature not higher
F. Fifth Edition of 60079-1 than the minimum ambient temperature.
• For all electrical equipment, the reference pressure
Edition 5.0 of 60079-1 [17] was issued in November shall be determined at normal ambient temperature
2013. The most significant pressure testing requirements using the defined test mixture(s), but at increased
introduced into this edition of the standard were those for pressure. The absolute pressure of the test mixture
temperatures below -20 °C. The following requirements (P), in kPa, shall be calculated by the following
were included for pressure determination: formula, using Ta, min in °C:
For electrical apparatus intended for use at an ambient P = 100[293 / (Ta, min + 273)] kPa
temperature below –20 °C, the reference pressure shall (After correction by corrigendum [19])
be determined at a temperature not higher than the • For electrical equipment other than rotating
minimum ambient temperature. electrical machines (such as electric motors,
generators and tachometers) that involve simple
As an alternative, for electrical apparatus internal geometry (see Annex D) with an enclosure
– of Groups I, IIA, or IIB; or volume not exceeding 3 l, when empty, such that
– of Group IIC with internal free volume < 2 l, pressure-piling is not considered likely, the
other than rotating electrical machines (such as electric reference pressure shall be determined at normal
motors, generators and tachometers) that involve ambient temperature using the defined test
simple internal geometry such that pressure piling is not mixture(s), but is to be assumed to have a
considered likely, the reference pressure may be reference pressure increased by the factors given
determined at normal ambient temperature using the in the table below.
defined test mixture(s), but at increased pressure. • For electrical equipment other than rotating
electrical machines (such as electric motors,
The absolute pressure of the test mixture (P), in bar, generators and tachometers) that involve simple
shall be calculated by the following formula, using Ta, internal geometry (see Annex D) with an enclosure
min in °C: volume not exceeding 10 l, when empty, such that
pressure piling is not considered likely, the
P = [293 / (Ta,min + 273)] bar reference pressure shall be determined at normal
ambient temperature using the defined test
While this is based on a common law of physics, mixture(s), but is to be assumed to have a
Amontons' Law of Pressure-Temperature, there is a lack reference pressure increased by the factors given
of published literature to demonstrate that the use of in the table below. Under this alternative, the test
increased pressure produces a result consistent with tests pressure for the overpressure type test in 15.1.3.1
at very low temperatures, especially in the case of shall be 4 times the increased reference pressure.
pressure piling, which is particularly relevant for motors. The 1,5 times routine test is not permitted.
On a more general matter the approach to smoothing
pressure now required the use of a low-pass filter with a 3 The reference to Annex D appears puzzling as that
dB point of 5 kHz ± 10 %. Presumably this made no real Annex only deals with certification of empty component
difference to actual application. The test gases to be used enclosures. However, it is likely the reference is meant to
and the number of tests to be done for pressure make use of the clarification of "simple internal geometry"
determination remained the same as the previous edition. shown in D.3.2. as follows:
This included the need to do five tests for all groups for Ex component enclosures shall consist of a basically
pressure determination when there was a presumption of simple geometry of only square, rectangular, or
pressure piling. The requirements for rotating electrical cylindrical cross-section with taper not exceeding 10 %.
machines were changed to bring some discretion into NOTE When major dimensions exceed any other dimension by
whether test running, with the provision: 4:1 for group I, IIA and IIB, or exceed any other dimension by
Rotating electrical machines shall be tested at rest and, 2:1 for group IIC, additional considerations may be necessary.
when the testing station considers it necessary, when
running. When they are tested running, they may be The table containing the test factors (the origin of which
driven either by their own source of power or by an will be discussed later in this paper) is as follows:
hydrogen are again required even if there is no pressure
TABLE II piling. This is the same as the requirement that was
TEST FACTORS originally in the third edition. For pressure piling, the
Minimum ambient Test factor requirement for testing five times with ethylene and
temperature hydrogen/methane remains for Group IIB but is dropped
°C for Groups I and IIA. This does not seem logical and may
–20 (see Note) 1,0
be an error. There was another change to specifying the
≥ –30 1,37
filter with the statement: "a low-pass filter with a 3 dB point
≥ –40 1,45
≥ –50 1,53
of 5 kHz ± 0.5 kHz shall be used". There is a new option
≥ –60 1,62 for overpressure testing introduced of three times the
NOTE This covers equipment designed for the standard reference pressure if the routine overpressure test is
ambient temperature range specified in IEC 60079-0. replaced by a batch test. Again there is change in
specifying the period of application of the pressure, which
The edition of the standard had the following is now "at least 10 s". The issue of turbulence (for other
requirement regarding the overpressure test for low than rotating electric machines) gets a mention as follows:
temperatures: The continuous effects of devices inside
For electrical equipment intended for use at an ambient enclosures, such as rotating devices, which can
temperature below –20 °C, the overpressure test shall create significant turbulence that may result in an
be conducted at a temperature not higher than the increase in reference pressure shall be
minimum ambient temperature. Where the tensile and considered.
yield strength properties of the material used are shown This is significant, as turbulence can lead to higher
by material specifications to not decrease significantly at pressures. One of the earlier references to turbulence
low temperature, the overpressure test may be was by Grice and Wheeler in 1929 in a UK Safety in Mines
conducted at normal room ambient. Research Board paper [20]. This was clearly recognised
The test gases to be used and the number of tests to be in the second edition with the requirement to agitate the
done for pressure determination remained the same as mixture for all testing. However, it seemed to get lost or
the previous edition. This included the need to do five be more narrowly required in intervening editions for
tests for all groups when there is a presumption of situations where agitation may occur in the equipment in
pressure piling. normal use, for example in motors, as shown above. The
The requirements for rotating electrical machines latest wording represents a reasonable approach to this
reinstated the mandated requirement to test while running issue.
and states the maximum speed shall be "at least 90% of
the maximum rated speed ". This last seems only to be a IV. FURTHER ANALYSIS OF OVERPRESSURE
change in wording. The standard also provides more TESTING
precise requirements on the location of pressure
transducers, including the need for three transducers if the A. Static Overpressure Testing
termination compartment is interconnected to the motor.
This reinstated information that had appeared in earlier As noted earlier, the IEC standard permits both a static
editions. and dynamic approach to overpressure testing. The most
common approach is to use static testing. Dynamic
H. Seventh Edition of 60079-1 pressure testing normally involves the use of an autoclave
style of chamber. These are not universally available in
Edition 7.0 of 60079-1 was issued in June 2014. In this test laboratories around the world and the use of dynamic
edition requirements for very low temperatures remain the pressure to achieve a four times test is likely to be
same except that the table with the factors (now called restricted due to pressure considerations for the
Table 7) includes the following statement under the note autoclave. The author has inspected the majority of
"Consideration should be given to applications in which testing bodies around the world in this field in his role as
the temperature inside the flameproof enclosure may be an IECEx lead assessor and has not seen it done. He has
substantially lower than the rated ambient temperature". also not seen anyone in recent times using explosives,
For testing small enclosures, reference to ambient such as gun-cotton. So the analysis in this paper is
temperatures below –20 °C has been introduced; see focussed on pressure determination and the static
information from Table 8 of the standard below: overpressure testing that is applied as a result of the
pressures from the pressure determination.
TABLE III
PRESSURES FOR SMALL ENCLOSURES BELOW -20 °C B. Pressure determination
Volume Group Pressure a
cm3 kPa Of significance is that for equipment intended for the
≤10 I, IIA, IB, IIC 1 000 standard range of temperatures contained in IEC 60079-0
>10 I 1 000 [21] of - 20 °C to +40 °C, no allowance is made for the
>10 IIA, IIB 1 500 variation in pressure that may result from the ambient
>10 IIC 2 000
a
pressure at the time of testing. It is likely that the impact of
For equipment intended for use at an ambient temperature
below –20 °C, the above pressures shall be increased by the
temperature on pressure was not appreciated at the time
appropriate test factors noted in Table 7. the first standard was developed. There have been very
few published papers providing data from experiments
The mixtures for pressure determination remain the looking at the impact of temperature on pressure in
same, but five tests for Group IIC for acetylene and flameproof enclosures. But there are two relevant
investigations that address the issue. One by George
Lobay [22-24] is 38 years old and the other by PTB in work regarding the lowest temperature. The range of
Germany is about 20 years old. Only the former study gases used is more restricted as only hydrogen and
addresses pressure piling. It has been published in one acetylene were used.
report [22] and two papers [23, 24]. The data from the No editions of the standard take account of the effect of
PTB study was purportedly used to develop factors to be temperature on pressure in the standard range of -20 °C
applied in IEC 60079-1 for testing equipment designed for to +40 °C. Based on the data from Lobay, the potential
very low temperatures but a report on the testing was change in pressure over that range can be as high as
never published (internally or externally). PTB have 2.75. TABLE IV below shows an analysis done by the
provided the raw data from that testing to the author. The author on the Lobay results for three scenarios; (1) no
work of Lobay above looked at the effect of ambient pressure piling (PP), (2) pressure piling based on low
temperature upon maximum explosion pressure in a pressure piling figure, and (3) pressure piling based on low
single chamber test apparatus and in a pressure piling test no pressure piling figure.
apparatus. The experiment covered hazardous
atmospheres in (USA) Groups A, B, C, D and coal mining TABLE IV
applications. These are equivalent to IEC Groups I, IIA, ANALYSIS OF LOBAY'S PRESSURE FIGURES - LOW
IIB and IIC. The results for the test temperature range of TEMPERATURE RANGE
approximately -50 °C to +40 °C indicated a linear increase Increased pressure (as a factor) for temperature
change from +40 °C down to -20 °C
in explosion pressures as temperature is reduced. This is
Gas No PP PP based on PP based on
not unexpected. If there is predictable geometry which low PP figure low no PP
provides confidence that pressure piling or detonation figure
cannot occur, then the pressure is very closely linked to Methane 1.31 1.56 2.75
the gas density which increases as temperature Propane 1.32 1.41 2.25
decreases. The following concentrations of gas were Ethylene 1.39 1.36 1.72
used: propane 4.6%, methane 9.8%, ethylene 8.0%, Hydrogen 1.42 1.28 1.47
hydrogen 32% and acetylene 14.5%. The series of Acetylene 1.30 1.35 1.36
explosions started at -50 °C and was increased at
increments of not more than 3 °C to +40 °C. The The most likely scenario for pressure piling is that
concentrations used fall within the tolerance of those in the shown in the third column. However, the fourth column is
IEC 60079-1, although the concentrations for hydrogen included to address situations where the test sequence
and acetylene are different to the median figure specified has not produced pressure piling even though it may in
in the latest edition of the standard. No tests are reported fact be feasible (for example at a slightly different gas
for the mixture of (24 ± 1) % hydrogen/methane (85/15) mixture). It can be seen that the most dramatic increases
which is now included in the standard for Group IIB for for the pressure piling scenario come with methane and
cases where pressure piling may occur. The results propane (Groups I and IIA), with highest factor
published in IEEE in 2001 [24] and are shown redrawn in approaching three. Hydrogen and acetylene (Group IIC or
Fig 1. below. Group IIB plus H2) show the least increase. Ethylene
(Group IIB) is somewhere between. But since the
experiments did not include the hydrogen 85/methane 25
2000 ------ Pressure-piling apparatus mixture shown in the later editions of the flameproof
Single-chamber apparatus
1900 Methane standard, the factor for that gas combination is not known.
Maximum Explosion Pressure (kPa)
1800 Propane The above scenarios indicate that the factor that the
1700 Ethylene
1600 Hydrogen pressure varies by could be larger than the factor of 1.5
1500
Acetylene currently often applied for overpressure testing. Thus it
1400 would seem appropriate to address this in the testing
1300 specification in the standard.
1200
A similar analysis can be done for the figures in the
1100
1000
Lobay tests for very low temperatures. Assuming testing
900 is generally done around +20 °C the analysis is done for
800 that temperature down to -60 °C by extrapolating the
700 Lobay figure from -50 °C. TABLE V below shows the
600
results and compares them with the factors in the
500
-50 -40 -30 -20 -10 0 10 20 30 40 standard. The approach involving factors for very low
Temperature (°C) temperature testing can only be used where pressure
piling is not present.
Fig. 1 Maximum explosion pressure versus ambient
temperature TABLE V
ANALYSIS OF LOBAY'S PRESSURE FIGURES - STANDARD
It can be seen that the temperature range tested only RANGE - NO PRESSURE PILING
goes down to -50 °C. IEC 60721-2-1 [25] shows Gas Increased pressure (as a factor) for
temperatures can be as low as -60 °C in areas designated temperature change from +20 °C down to
as 'polar'. Personal communication has suggested that -60 °C
temperatures can occasionally get down to -70 °C. The Lobay results Factor in standard
data supplied by PTB shows testing in the range of -50 °C Methane 1.33 1.53
Propane 1.33 1.53
to -20 °C with hydrogen and acetylene only. The
Ethylene 1.40 1.53
concentrations shown for hydrogen and acetylene fall Hydrogen 1.43 1.53
within the tolerance of those in IEC 60079-1. The PTB Acetylene 1.32 1.53
work has the same temperature restriction as Lobay's
The table only shows the analysis for one point (-60 °C) V. CONCLUSIONS
but since results are linear, it is reasonable to postulate
from the table that the factors in the standard are This study indicates that further research is desirable in
appropriate. However, it might be wise to consider making a number of areas to provide confidence in the
some allowance for experimental error. requirements in the existing IEC standard, or to provide
There are other factors that can introduce variation into recommendations for change if the need is indicated in the
the test result. While not dealt with in detail in this paper, outcomes of the research; these include:
the following are some factors that are known to affect 1. Investigating the applicability of the formula for
pressure figures: (1) the temperature of the gas mixture in applying initial higher pressures when determining
the enclosure which may be different to ambient, (2) pressures for temperatures below -20 °C,
ambient pressures (generally due to the height of the test particularly for cases involving pressure piling.
facility above see level); (3) position of ignition source; (4) 2. Investigating the impact of varying gas
power of ignition source; (5) position of pressure sensors; concentrations from those specified in the standard
(6) the testing equipment; and (7) the procedures used. when pressure piling is present to see if higher
Another factor that could impact on the pressures, pressures can be obtained in certain
particularly when pressure piling is present, is that the circumstances.
mixtures used for pressure testing are at the stoichiometric 3. Examining the applicability of the hydrogen
mix. This does not take account possible complexities in 85/methane 15 mixture for pressure determination
pressure piling; for example the scenario when the in the case of pressure piling for Group IIB,
explosion may only propagate through a restriction including correlation with ethylene.
between compartments at a mixture other the 4. Given the improvement of instrumentation in the
stoichiometric mix. In contrast in the US, UL [10] and FM past 20 years and more, there may be value in re-
[11] test over a range of mixtures validation of experiments done by Lobay and PTB
The IECEx proficiency testing program run by PTB on with hydrogen 85/methane 15 included and with
pressure determination using hydrogen and ethylene testing down to temperatures of -60 °C.
showed a significant spread of results. This displays the
variation that can occur when testing identical equipment It is recommended that the specification for testing in
with many of the test factors above removed, for example the standard ambient range of -20 °C to +40 °C be more
location of the ignition source and location of pressure closely specified. There are a number of potential options
transducers. that could be adopted, including restricting the allowable
range. However, the best approach might be: (1) to allow
C. Overpressure testing testing in the current range; (2) define a narrower band
where no factors apply; and (3) define factors to be
The use of a factor of 1.5 (often shown as 1,5) as the applied for temperatures outside the narrow band but
factor to be used for the overpressure testing has been inside the current range. It is likely the narrow band could
consistently applied since the first standard, despite embrace most of ambient temperature conditions present
uncertainty by the committee during development of the in laboratories around the world.
first standard as to whether it was correct. However, other It is also recommended that the current factors applied
options for certain circumstances have appeared, for overpressure testing be reviewed, possibly along the
including factors of 3 and 4 . Factors that may be applied following lines:
to the maximum pressure for very low temperatures also 1. Consider increasing factor of 1.5 when pressure
now appear in Table 7 of the standard as shown in TABLE piling is not present, at least for Group II where
II earlier in this standard. Hence two factors may be ambient temperature ranges are likely to be larger.
multiplied together for the overpressure test. 2. Dependent on how the above is applied, consider
The factor when pressure piling occurred increased at increasing factors used for very low temperatures
one stage to three times the reference pressure. As noted to include provision for experimental error.
earlier, it was introduced in the second edition in 1975 and 3. Consider restoring the factor of three when
then dropped in amendment 1 of that edition in 1979. pressure piling is present that was in the second
The analysis earlier in this standard suggests that factor is edition of the standard prior to the first amendment.
appropriate and consideration should be given to Finally it is recommended that the requirement from
reintroducing this factor into the standard. earlier editions that five tests should be done in the case
The factors applied in the IEC standard do appear low of pressure piling should be restored for Groups I and IIA.
when compared with UL [10] and FM [11] standards TC 31 has not yet achieved the aim that was proposed
where the factors can range for 2 up to 5. However, the in its first meeting of TC 31 in 1948 of alignment between
requirements do vary between the two standards. But it US and IEC standards and it does seem IEC TC 31 may
should be recognised that these enclosures may be used have something to learn from those US standards when it
in equivalent to Zone 0 area and so this may lead to a comes to pressure determination and overpressure
more conservative approach. Nevertheless, based on the testing. But the reverse may also be true for other aspects
variety of reasons articulated in this paper, there appears of the standards, noting also that the US standards vary
to be good cause to critically review some of the factors between bodies.
currently in the IEC flameproof standard. However, it does
appear that in any circumstance where the four times VI. ACKNOWLEDGEMENTS
overpressure is applied, this can be expected to exceed
any pressure that may be developed during an explosion This research has been carried out as part of my PhD
and so may be considered to be appropriate. candidature at Sydney University, and the support of my
supervisors, Associate Professor Dylan Lu and Professor
Joe Dong is acknowledged for this research.
05, IEC.
VII. REFERENCES [16] IEC, IEC International Standard 60079-1 Edition 4.0.
Electrical apparatus for explosive gas atmospheres -
[1] IEC, IEC Publication 79 Edition 1: Part 1: Flameproof enclosures "d". 2001, IEC.
Recommendations for construction of flameproof [17] IEC, IEC International Standard 60079-1 Edition 5.0.
enclosures of apparatus. 1957, IEC. Electrical apparatus for explosive gas atmospheres -
[2] Breslin, J.A., One hundred years of federal mining Part 1: Flameproof enclosures "d". 2003, IEC.
safety and health research. 2010: Department of [18] IEC, IEC International Standard 60079-1 Edition 6.0.
Health and Human Services, Centers for Disease Explosive atmospheres - Part 1: Equipment
Control and Prevention, National Institute for protection by flameproof enclosures "d". 2007, IEC.
Occupational Safety and Health, Pittsburgh [19] IEC, Corrigendum 1 to IEC International Standard
Research Laboratory. 60079-1 Edition 6.0. Explosive atmospheres - Part 1:
[3] Dill, W., 100 years of the explosion test station “BVS” Equipment protection by flameproof enclosures "d".
_100 years of explosion protection. 1995. 2008, IEC.
[4] Luxmore, S. Early applications of electricity to coal [20] Grice, C.S.W. and R.V. Wheeler, Firedamp
mining. in Proceedings of the Institution of Electrical Explosions within Closed Vessels: "Pressure Piling".
Engineers. 1979. IET. Safety in mines Research Board paper no 49. 1929:
[5] Beyling, C., Versuche zwecks Erprobung der His Majesty's Stationery Office.
Schlagwettersicherheit besonders geschützter [21] IEC, IEC 60079-0 Edition 6.0 Explosive atmospheres
Motoren und Apparate. Glückauf, 1906. 42: p. 1-13. – Part 0: Equipment – General requirements. 2011,
[6] British_Standards_Institution, No. 229 Revision 1. IEC.
British Standards Specification Number 229 Revision [22] Lobay, G., An Investigation of the Effect of Low
1 for Flameproof Enclosures for Electrical Apparatus Ambient Temperatures upon Explosive
(for use in mines and other places where an Atmospheres. 1977, Canadian Explosive
explosive atmosphere may be encountered) and Atmospheres Laboratory Mining Research
Tests for Flame-Proof Enclosures. 1929, British Laboratories.
Standards Institution [23] Rowe, V.G., G.F. Howell, and G. Lobay, Cold
[7] British_Standards_Institution, British Standard BS weather affects on Class I hazardous electrical
229:1957 Amendment 5224. Specification for installations. IEEE Paper No. PCIC--99-09, 1999.
Flameproof enclosure of electrical apparatus. 1987, [24] Rowe, V.G., G.F. Howell, and G. Lobay, Cold-
British Standards Institution weather effects on Class I hazardous electrical
[8] IEC, IEC Publication 79-1 Edition 2. Electrical installations. Industry Applications Magazine, IEEE,
Apparatus for Explosive Atmospheres. Part 1: 2001. 7(5): p. 33-40.
Construction and test of flameproof enclosures of [25] IEC, IEC 60721-2-1:2013 Classification of
electrical apparatus. 1971, IEC. environmental conditions - Part 2-1: Environmental
[9] IEC, IEC Publication 79-1 Amendment 1 to Edition 2. conditions appearing in nature - Temperature and
Electrical Apparatus for Explosive Atmospheres. humidity. 2013, IEC.
Part 1: Construction and test of flameproof
enclosures of electrical apparatus. 1975, IEC. VIII. VITA
[10] ANSI/UL, ANSI/UL 1203:2015 Standard for
Explosion-proof or Ignition-Proof Electrical Jim Munro graduated from the University of Sydney in
Equipment for Use in Hazardous (Classified) 1972 with a BE (Elect) degree. He is currently a PhD
Locations. 2015. student at the same university investigating the impact of
[11] FM_Approvals, FM 3615 Approval standard for extremely cold temperatures on the safety of flameproof
explosionproof electrical equipment General motors. He has been involved in the explosive
requirements Class number 3615. 2006, FM atmospheres field for over 35 years, with particular
Approvals LLC. involvement in testing, certification and standards
[12] IEC, IEC International Standard 79-1 Edition 3. development. For 15 years until 2014 he was chair of the
Electrical apparatus for explosive gas atmospheres - international IEC Committee TC 31. He remains active in
Part 1: Construction and verification test of numerous international and Australian committees and
flameproof enclosures of electrical apparatus. 1990, working groups in the field, including IEC MT60079-1
IEC. which maintains IEC 60079-1 and IEC TC 31 WG39 which
[13] IEC, Amendment 1 to IEC International Standard 79- is developing requirements for extremely low
1 Edition 3. Electrical apparatus for explosive gas temperatures. For 12 years he has been Managing
atmospheres - Part 1: Construction and verification Director of his consulting firm, Jim Munro International
test of flameproof enclosures of electrical apparatus. Compliance Pty Ltd, and prior to that was Director of
1993, IEC. TestSafe Australia. In 2014 he was awarded the IEC
[14] IEC, Amendment 2 to IEC International Standard Thomas A Edison Award in recognition of his international
60079-1 Edition 3. Electrical apparatus for explosive standards work. He is a fellow of Engineers Australia with
gas atmospheres - Part 1: Construction and whom he is a Chartered Professional Engineer and
verification test of flameproof enclosures of electrical registered APEC Engineer. He is a senior member of
apparatus. 1998, IEC. IEEE.
[15] IEC, IEC International Standard 60079-1 Edition 3.2. mail@jimmunro.org
Electrical apparatus for explosive gas atmospheres -
Part 1: Construction and verification test of
flameproof enclosures of electrical apparatus. 1998-
PARTIAL TORQUE RIDE THROUGH WITH
MODEL PREDICTIVE CONTROL
Thomas Besselmann Pieder Jörg Terje Knutsen

ABB Corporate Research ABB MV Drives Statoil Res. & Technol.
Segelhofstr. 1k Austrasse Martin Linges vei 33
5405 Baden-Dättwil 5300 Turgi 1364 Fornebu
Switzerland Switzerland Norway
Erling Lunde Tor Olav Stava Sture Van de moortel

Statoil Res. & Technol. Gassco AS ABB MV Drives
Arkitekt Ebbells veg 10 Bygnesvegen 75 Austrasse
7005 Trondheim 4250 Kopernik 5300 Turgi
Norway Norway Switzerland
Abstract - Symmetric and asymmetric dips of the grid a load commutated inverter (LCI). Reasons for this choice
voltage pose serious problems to gas compression are the proven reliability of the LCI combined with its
stations powered by drives such as load commutated competitive price in high power applications [3].
inverters (LCI). Drive control systems used in industrial One of the gas compression sites is the basis for the
practice are not capable to handle reduced grid voltage technical innovation described in the paper. This gas
situations appropriately, and execute a ride-through treatment plant is located at a remote location and is
procedure instead during which no drive torque is affected by disturbances in the Norwegian electricity grid.
provided by the drive. Without drive torque compressors Weather phenomena such as storms occasionally cause
may quickly enter surge conditions, under which the gas brief impairments of the power lines, resulting in a sudden
flows rapidly back and forth, causing wear and risking reduction of the grid voltage in one or more phases.
damage to the equipment. In this paper we describe a Typically the grid voltage is affected over a time span of
novel control approach developed for load commutated 50 to 150 ms.
inverters based on model predictive control (MPC). Model While of short duration, the consequences of these
predictive control is an optimization-based control voltage dips can be severe. They can cause the LCI to
method, where a mathematical model of the system is trip, e.g. due to inrush currents at the return of the grid
used to determine control inputs which are optimal with voltage. Or, due to the sudden loss of drive torque, the
respect to some objective function. With the revised compressor may enter unstable operating conditions such
control system, the drive is capable to provide partial drive as surge or rotating stall, and is tripped as a precaution to
torque during grid disturbances; thus resulting in avoid mechanical damage and wear. In either case the
robustness improvements for electrically-driven gas operation of the gas compressor, and after a short time
compression stations. In the case of a voltage dip, the the upstream plant, is stopped and a time-consuming
compressor is still supplied with partial drive torque, restarting procedure needs to be carried out. Since the
decreasing the probability of the compressor diverging amount of exported gas is considerable, the financial cost
into surge. The paper includes experimental results of such an incident can be immense.
executed on two real 41.2 MW LCI-fed synchronous The paper describes a novel torque control scheme
machines each powering a gas compressor. and its commissioning on load commutated inverters
powering two 41.2 MW gas compressors. The goal of this
Index Terms — Gas compressors, variable speed new control scheme is to increase the robustness of the
drive, load commutated inverter, model predictive control. torque controller in the case of grid disturbances. In
particular partial torque shall be provided during partial
I. INTRODUCTION loss of grid voltage. The proposed control scheme is
based on model predictive control (MPC), an optimization-
Electrically-driven gas compressors have a number of based control method [4], and requires the solution of a
advantages compared to compressors driven by gas mathematical optimization problem at each millisecond on
turbines: (a) the drive torque can be varied much quicker, an embedded system [5].
(b) the variable-speed drive system can be operated with The paper is structured as follows: After this
high efficiency in a much broader operation range and (c) introduction, preliminaries are summarized in Section II.
there are no local greenhouse gas emissions. In Section III states technical information about the gas
situations such as subsea installations a variable speed processing plant of interest. The proposed MPC solution
drive (VSD) system may be the only option to power gas is outlined in Section IV. The verification of the control
compressors [1], [2]. Due to the aforementioned reasons, solution during grid disturbances is shown on a Hardware-
a number of large gas processing plants in Norway in-the-Loop (HIL) simulator, Section V. Subsequently
employ electrically-driven gas compressors. measurements from the commissioning of the novel
Gas compression is energy-intensive, such that high control algorithm on site and from a real voltage dip event
power solutions for the variable speed drive are sought. A are reported in Sections VI and VII, respectively. A list of
typical solution consists of a synchronous machine fed by abbreviations can be found in Table 1.
TABLE 1
LIST OF ABBREVIATIONS
Abbreviation Meaning
AC alternating current
DC direct current
FPGA field programmable gate array
HIL hardware in the loop
I/O input / output
LCI load commutated inverter
MPC model predictive control
MV medium voltage
QP quadratic program
SQP sequential quadratic program
VSD variable speed drive
II. PRELIMINARIES
Fig. 2: Example for asymmetric grid disturbance.
In this section we take a closer look on grid
disturbances. Depending on the reaction of the frequency
converter, different types of ride through behaviour are B. Ride-Through Characteristics
distinguished. More information is provided in [6].
The reaction of the frequency converter to grid
A. Symmetric Vs. Asymmetric Voltage Dips disturbances depends on the physical properties of the
frequency converter as well as on the implemented ride-
In an ideal three-phase system, the voltages in the through procedure. As was emphasized in [6], the amount
three phases are sinusoidal with the same amplitude, of energy stored in a frequency converter is negligible
succeeding each other with a phase shift of 120 degree. compared to the transmitted power. The provided power
By means of the alpha-beta transformation (also known and thus the drive torque is thus dependent on the type
as Clarke transformation), the three phase voltages can and depth of the voltage dip.
be mapped into the two-dimensional plane, where the We distinguish three classes of ride-through
ideal voltages correspond to a voltage vector rotating on a procedures:
circle, [7]. 1) Zero-Torque Ride Through: The operation of the
In the case of symmetric grid disturbances the frequency converter is interrupted such that no drive
amplitude of all three phases is reduced by the same torque is provided by the converter. Operation is resumed
amount, whereas the phase difference is unaffected. In when normal grid voltage is available again.
the alpha-beta plane this corresponds to circles with 2) Full-Torque Ride Through: The frequency
varying radii. Figure 1 shows a practical example of a converter continues its operation without reduction of the
symmetric voltage dip, as measured on the primary side drive torque.
of the transformer at a large gas processing plant in 3) Partial-Torque Ride Through: The frequency
Norway. converter continues operation, however only partial torque
is provided.
C. Requirements for power loss ride through
The amount of torque necessary to prevent the

compressor from going into surge depends on the
operating point of the compressor. However, even if the
available drive torque is not sufficient to prevent surge,
increasing the available drive torque delays the point in
time when the compressor enters surge conditions. There
is a longer grace period for the grid voltage to recover,
and for the initiation of protective measures for the
equipment.
The requirements for the ride-through procedure can be
summarized as follows:
1. Ensure the frequency converter does not trip e.g. due
Fig. 1: Example for symmetric grid disturbance. to overcurrent.
2. Supply either the requested drive torque, or, if that is
In the case of an asymmetric grid disturbance, the not possible, as much torque as possible to prevent
amplitudes of the three phase voltages are different, and the compressor from entering surge.
also the phase separation of 120 degrees is not 3. Compromise on agreed-upon secondary
guaranteed. In the alpha-beta plane asymmetric grid performance targets in order to increase the drive
conditions are typically identified by the voltage vector torque during a ride-through. Examples would be
rotating on an ellipse. Figure 2 illustrates such an increased torque ripple or a small short-term DC
asymmetric grid condition, which was also measured on voltage on the VSD transformer.
the primary side of the transformer at a large gas
processing plant in Norway.
Conventional LCI control schemes assign separate
tasks to the control variables: The firing angle β on the
machine side are predetermined in order to minimize the
reactive power in the machine. The excitation voltage vf is
used to control the stator voltage of the machine. The
firing angle α on the line side is actuated to control the
current flowing in the DC link, and thus the drive torque.
The technical specifications of the variable speed drive
system are summarized in Table 2.
IV. PROPOSED CONTROL SOLUTION
In this section the novel model predictive control

Fig. 3: Variable speed drive system comprised of solution for the LCI is outlined. We start with a generic
transformer, load commutated inverter and synchronous description of the chosen MPC algorithm, before
machine. discussing the application at hand.
A. Generic Description of the MPC Algorithm

III. SYSTEM DESCRIPTION
Firstly we provide a generic description of the employed
The plant processes natural gas from different oil fields model predictive control algorithm [4]. At the heart lies a
in the Northern Sea. It has a capacity of 143,000,000 mathematical model describing the system, and which is
standard cubic metres (3.8×1010 US gal) of natural gas used for finite-horizon predictions. This model can be
per day. Dry gas is compressed and pumped through four stated as
pipe systems to Belgium, France, Germany and the
United Kingdom. Six 41.2 MW export compressors are dx/dt = f( x(t), u(t) ) (1a)
powered by variable speed drive systems comprising dual y = g( x(t), u(t) ) (1b)
winding synchronous machines and load commutated
inverters. where:
Fig. 3 depicts a schematic of the employed variable u(t) control inputs
speed drive system comprising a transformer, the load x(t) system states
commutated inverter and a synchronous machine. The y(t) system outputs
LCI is in a 2x6/6 pulse configuration with two parallel f system equation
branches to reduce torque-pulsations. Each branch g output equation
possesses a six pulse thyristor bridge as line commutated
rectifier, a direct current (DC) link and a six pulse thyristor Apart from the dynamic model, a cost function is
bridge as load commutated inverter. Not shown on this defined which describes the control objectives,
figure are the connection of the drive shaft to the
compressor and the connection of the transformer to the kTs+Tp
medium voltage grid. The transformer employed on site is J= ∫ (x-xref )T Q (x-xref )+(u-uref )T R (u-uref ) dt ,
actually a four-winding three-phase transformer, which is kTs
(2)
also connected to electric filter banks used for power
factor correction and input current harmonic
where reference values are indicated by the subscript ref,
compensation.
k is the sampling instance, Ts the sampling time and Tp
The control variables of the variable speed drive system
the prediction horizon. Q and R are weight matrices to
are the firing angles (also called control angles) of the line
prioritize the objectives for the MPC controller. Moreover,
commutated rectifier and the load commutated inverter,
constraints on the control inputs, states and outputs can
as well as the excitation voltage for the rotor windings. By
be defined:
means of the firing angle of the thyristor bridges, the
rectified DC voltages urec and uinv as well as the direction
x_min ≤ x ≤ x_max
of power flow can be determined. The machine excitation
u_min ≤ u ≤ u_max (3)
can be adapted by the excitation voltage vf.
y_min ≤ y ≤ y_max
TABLE 2 The continuous-time optimal control problem can thus

DESIGN DATA OF VSD SYSTEM be stated as
Parameter Value Unit
Line voltage, prim. side 132 kV minimize (2) subject to (1), (3). (4)
u
Line voltage, sec. side 6200 V
Line frequency 50 Hz The chosen approach to solve the nonlinear problem (4)
Rated line current, sec. side 2529 A
DC link inductance 7.5 mH
is a sequential quadratic programming (SQP)-type
Rated DC current 3342 A approach known as real-time iteration scheme with
Rated stator voltage 5900 V Gauss-Newton approximation of the second-order
Rated stator current 2415 A derivatives. At each time instance a discrete-time
Rated stator frequency 60 Hz linearization of problem (4) is obtained, which
Rated shaft power 39.2 MW corresponds to a quadratic programming (QP) problem.
Rated rotational speed 3600 rpm A more detailed description of this solution approach is
Fig. 4: Schematic of the simulation model on the Hardware-in-the-loop system.
beyond the scope of this paper, and can instead be found Compared to the classical control method, the MPC
in [8]. A highly efficient implementation of this approach is has the following advantages: (a) Instead of selecting the
provided by making use of the code generation firing angle on the machine side by means of a
functionality of the ACADO Toolkit [9]. The resulting QP predetermined lookup table (i.e. feedforward control), the
problem is solved by the on-line QP solver qpOASES angle is actively controlled, and can be changed in the
[10]. case of grid disturbances; (b) instead of executing
independent control actions of the firing angles on the line
B. Application to Load Commutated Inverters side and the machine side, the MPC coordinates both
firing angles to reach the defined objectives; (c) both
Some information on the application of the alternating current (AC) voltage magnitudes are taken into
aforementioned MPC algorithm is given in this section. account by the controller; and (d) a constraint on the DC
For a more elaborate discussion, see [11], [13], [13]. current can be defined to change the control behaviour
The model predictive controller is based on a nonlinear when the DC current is close to its boundary, thus helping
dynamic model of the LCI, i.e. of the DC link and the to avoid overcurrent trips.
thyristor bridges, which can be stated as
d iDC V. VERIFICATION ON A HIL SYSTEM

=A iDC + B1 cos α + B2 cos β, (5a)
dt
τe = - iDC cos β , (5b) Before applying the proposed control solution to a
medium voltage drive, its effectiveness was verified on a
where: Hardware-in-the-loop (HIL) system. In this section the
iDC DC link current findings during this verification are presented.
α Control angle line side (rectifier)
β Control angle machine side (inverter) A. Description of the HIL System
τe Electric torque
A, B Constants For the verification of the model predictive controller on
a HIL system, the control system, consisting of the control
The control inputs u are the firing angles on the rectifier hardware and the control software, is exactly as on site.
and on the inverter. The states are the currents in the DC The HIL system is connected via analogue and digital
link, and the output is the drive torque of the VSD system. I/Os to the control boards running the control software for
Apart from constraints on the firing angles, an upper the load commutated inverter. The HIL system comprises
bound on the DC link current is defined. Both the control an FPGA on which a model of the variable speed drive
angles of the rectifier and the inverter are selected by the system is simulated in real-time. The dynamics of the
model predictive controller, whereas the excitation voltage drive shaft and the compressor are not included in these
control remains independently controlled. simulations, however the compressor behaviour is
The MPC algorithm was implemented on a control approximated by a quadratic load torque curve. Another
board, which is based on a 32-bit dual-core Power PC simplification is taken on the grid side. The grid voltages
processor with a clock cycle of 1.2 GHz. The board also are imposed on the transformer, however the impact of
includes a field programmable gate array (FPGA) and a the load commutated inverter on the grid voltage is
64-bit floating point unit. The sampling time was chosen to neglected.
be 1 ms, i.e. at each millisecond a nonlinear mathematical A schematic of the simulation model is depicted in Fig.
optimization problem is discretized, linearized and solved. 4. The upper part contains both branches of the LCI,
Thereby the MPC solution consumes only a minor fraction whereas the lower part shows the electric harmonic filters
of the computational resources, such that the whole connected to the transformer.
control system can be executed on time.
Fig. 6: Simulation results: Grid voltage magnitude and
Fig. 5: Simulation results: Grid voltage magnitude and
drive torque during single-phase dip series with
drive torque during symmetric dip series with conventional
conventional control (black) and MPC (grey).
control (black) and MPC (grey).
B. Simulations Results
In this section the simulation results on the HIL system

are reported. The behaviour of both the conventional
control system and the novel MPC solution are compared
during series of symmetric and asymmetric dips.
1) Symmetric Dips: In the first scenario the grid
voltage magnitude is decreased in a series of voltage dips
with increasing dip depth. Each voltage dip lasts for 200
ms, and the voltage magnitude changes without transition
within a microsecond.
Figure 5 depicts the grid voltage magnitude and the
electric torque, once with conventional control and once
with the novel model predictive controller. No trip occurred
regardless of the used controller. However the drive
torque provided during the scenario differs significantly.
While the conventional control executes a zero-torque
ride through procedure for a grid voltage magnitude of 80 Fig. 7: Estimate of the residual power during voltage dips.
% and below, the model predictive controller continues
operations and is able to provide partial torque. After the
instantaneous reduction of the grid voltage magnitude, the VI. COMMISSIONING ON MV DRIVE
MPC requires about 25 ms to stabilize the drive torque to
the steady-state. The amount of residual drive torque After verifying the effectiveness of the novel control
decreases with the magnitude of the grid voltage. Full approach on the HIL system, the control system was
drive torque is guaranteed for a grid voltage magnitude commissioned on site. Two out of six export compressors
higher than 0.93 pu, i.e. already the step to 0.9 pu voltage on the gas treatment plant were chosen as pilots for the
magnitude coincides with a reduction of drive torque. proposed MPC solution. In this section it is shown that
2) Single-Phase Dips: The second scenario equals under normal grid conditions, the novel control solution
the first one, the difference being that instead of varying works as expected. Fig. 8 shows the speed, the DC
the grid voltage magnitude of all phase voltages, only a current, the control angles and the voltage magnitudes
single phase voltage is changed. That way the controllers during the first 16 hours of operation. The control
are tested under asymmetric grid conditions. behaviour during the commissioning is as expected. The
As can be seen in Figure 6, both controllers are able to DC link current follows it reference, as provided by the
provide more drive torque if only a single phase is speed controller. A number of speed changes are
affected. The MPC however outperforms the conventional requested by the process controller, which are delivered
controller in terms of residual torque. swiftly.
Based on the conducted simulations, an estimate of A closer look on the start-up of the machine is provided
the available drive power as a function of the remaining in Fig. 9. Again the behaviour is as expected. First the
grid voltage can be derived. This estimate is visualized in pulse mode is traversed, then we observe a normal start-
Fig. 7. As is shown in the Figure, the amount of residual up, with switch in of the electric harmonic filters, and
power depends not only on the remaining voltage reduction of the current reference after the requested
magnitude, but also on the number of phases which are speed is reached. The startup procedure is virtually
affected by the grid disturbance. For very low grid unaffected by the new control system.
voltages operation of the drive is not possible due to Fig. 10 provides an even closer zoom to show the
problems with estimating the orientation of the grid waveforms of the signals under steady-state conditions.
voltage vector.
Fig 8: Experimental results: Speed, DC current, control Fig 10: Experimental results: Zoom to waveforms under
angles and AC voltage magnitudes during the steady-state conditions.
commissioning of the novel control solution.
1.5
line voltage [pu]
0.5
0
1.7 1.75 1.8 1.85 1.9 1.95
1
torque est. [pu]
0.5
0
1.7 1.75 1.8 1.85 1.9 1.95
time [s]
Fig 11: Experimental results: Estimated torque during
an undervoltage event. Conventional control (black) vs.
MPC solution (dark and light grey).
In Fig. 11 the course of the grid voltage magnitude and

an estimate of the drive torque is shown. Since no direct
measurement of the drive torque was available, an
estimate was calculated from the electric signals of the
drive. The black line belongs to an LCI with conventional
control, whereas the dark and the light grey lines refer to
two LCIs controlled with the new MPC solution.
Fig. 9: Experimental results: Zoom to recorded signals at As can be seen from the plot, the grid voltage is
start-up procedure during commissioning. affected by a deep symmetric voltage dip down to about
0.3 pu of the rated grid voltage for a duration of approx.
I. VOLTAGE DIP EVENT 80 ms. The effect is a significant reduction of the available
drive torque. While the conventionally-controlled LCI
During the course of the winter, a number of grid executes a zero-torque ride through, both MPC-controlled
voltage disturbances occurred. In this section the results LCIs are subject to an undershoot, from which they
of one such case are reported. recover to provide 0.23 pu of rated drive torque. This
result matches the expectations raised by the HIL
simulations quite well (0.23 pu torque is a bit more than [10] H. Ferreau, C. Kirches, A. Potschka, H. Bock, and
anticipated). However, the protection system of the gas M. Diehl, “qpOASES: A parametric active-set
compressor, which is a timer-based solution not taking algorithm for quadratic programming,” Mathematical
into account the available drive torque, trips the operation Programming Computation, vol. 6, no. 4, pp. 327–
of the gas compressor approx. 30 ms after the start of the 363, 2014.
voltage event. [11] T. Besselmann, S. Van de moortel, S. Almér, P.
Jörg and H.J. Ferreau, “Model Predictive Control in
II. CONCLUSION the Multi-Megawatt Range”, IEEE Transactions on
Industrial Electronics, to appear, 2016.
In this paper the application of a novel model predictive [12] T. Besselmann, S. Almér, H.J. Ferreau, „Model
control scheme to load commutated inverters was Predictive Control of Load Commutated Inverter-fed
presented. Simulations on a HIL system have shown its Synchronous Machines“, IEEE Transactions on
ability to provide partial torque during grid disturbances, Power Electronics, to appear, 2016.
and thereby to increase the robustness of electrically- [13] S. Almér, T. Besselmann, and J. Ferreau,
driven gas compression stations. “Nonlinear model predictive torque control of a load
The control scheme was implemented on two LCIs commutated inverter and synchronous machine”,
each powering a 41.2 MW gas compressor on a large gas International Power Electronics Conference, ECCE-
processing plant in Norway. During voltage dip events in ASIA, Hiroshima, Japan, pp 3563–3567, May 2014.
the winter, the ability of the model predictive controlled
LCIs to provide partial torque was verified in practice. VIII. VITA
What remains to be done in order to reap the economic
benefits of the solution is a systematic relaxation of the Thomas Besselmann graduated from the Hamburg
compressor protection system, taking into account the University of Technology in 2005 with a Dipl.-Ing. degree
amount of partial torque which is available. in mechatronics. In 2010 he received his Ph.D. degree at
the Automatic Control Laboratory, ETH Zurich. Currently
VI. REFERENCES he is employed as senior scientist in the Control &
Optimization group at ABB Corporate Research.
[1] A. Cortinovis, D. Pareschi, M. Mercangoez, and T. thomas.besselmann@ch.abb.com
Besselmann, “Model predictive anti-surge control of
centrifugal compressors with variable speed drives,” Pieder Jörg received his M.Sc. degree 1995 from
Automatic Control in Offshore Oil and Gas the Swiss Federal Institute of Technology, Zurich. He
Production, Proceedings of 2012 IFAC Workshop joined ABB at Corporate Research in the area of
on, pp 251–256, 2012. power electronics. In 2002 he joined the business
[2] H. Rognø: “Statoil Subsea Factory”, Trondheim Gas unit Medium Voltage Drives as head of product
Technology Conference, June 2014. development. Since 2010 he is focusing on business
[3] E. Wiechmann, P. Aqueveque, R. Burgos, and J. and technology development for demanding drives
Rodriguez, “On the Efficiency of Voltage Source applications. He has been involved in various studies
and Current Source Inverters for HighPower and improvement projects involving large VSD
Drives,” Industrial Electronics, IEEE Transactions systems with demanding rotor dynamics.
on, vol. 55, pp. 1771–1782, April 2008. pieder.joerg@ch.abb.com
[4] J. Rawlings and D. Mayne, Model Predictive
Control: Theory and Design. Nob Hill Pub., 2009. Terje Knutsen received his M.Sc. degree in Electrical
[5] H. Peyrl, A. Zanarini, T. Besselmann, J. Liu, and M.- engineering from the Norwegian University of Technology
A. Boéchat, “Parallel implementations of the fast and Science (former NTH) in Trondheim in 1985. He has
gradient method for high-speed MPC,” Control held various positions within Siemens in Norway and
Engineering Practice, vol. 33, no. 0, pp. 22–34, Germany with main topic Variable Speed Drives Systems
2014. before he joined Statoil January 2013 and is currently
[6] T. Wymann and P. Jörg, “Power loss ride-through in working as a Principal Engineer in Facilities Technology.
a variable speed drive system,” PCIC Europe tekn@statoil.com
Conference Record, Amsterdam, Netherlands, pp
1–9, June 2014. Erling Lunde received his PhD in Engineering
[7] W. C. Duesterhoeft, M.W. Schulz and E. Clarke, Cybernetics, Robot control theory, from the Norwegian
"Determination of Instantaneous Currents and University of Technology and Science (former NTH) in
Voltages by Means of Alpha, Beta, and Zero Trondheim in 1991. Since then he worked as a consultant
Components". Transactions of the American in cybernetics for a large number of industrial clients
Institute of Electrical Engineers, vol 70 (2), pp within marine automation, process control, hydraulics, and
1248–1255, July 1951. more. He was employed by Statoil in 2012 and is
[8] M. Diehl, H. Bock, J. Schlöder, R. Findeisen, Z. currently working as a Principal Researcher in Facilities
Nagy, and F. Allgöwer, “Real-time optimization and Technology.
Nonlinear Model Predictive Control of Processes elunde@statoil.com
governed by differential-algebraic equations,”
Process Control, Journal on, vol. 12, no. 4, pp. 577– Tor Olav Stava graduated from the Stord/Haugesund
585, 2002. University College in 2009 with a bachelor degree in
[9] B. Houska, H. Ferreau, and M. Diehl, “An Auto- process and energy technology. Currently he is employed
Generated Real-Time Iteration Algorithm for as a senior engineer in the Technology department in
Nonlinear MPC in the Microsecond Range,” Gassco.
Automatica, vol. 47, no. 10, pp. 2279–2285, 2011. toros@gassco.no
Sture Van de moortel graduated from the University of
Applied Science in Lucerne in 2006 with a Dipl.-Ing.
degree in electrical engineering. In 2007, he started his
professional career at ABB Medium Voltage Drives and
held different positions over the past years. His focus has
been LCI control and application software until he recently
joined a Drive System Expert team focusing on large VSD
systems, rotor dynamics, advanced regulation and
interdisciplinary collaboration with our partners from
industry.
sture.vandemoortel@ch.abb.com
ALL-ELECTRIC FPSO: ONSHORE AND OFFSHORE
COMMISSIONING EXPERIENCE
Patrick Pandele
TOTAL S.A.
2, Place Jean Millier
F-92078
Paris La Défense
France
patrick.pandele@total.com
Abstract – The increasing scope of electrical equipment in ICSS: Integrated Control and Safety System
an offshore facility without turbo-driven End-Users has a FAT: Factory Acceptance Tests
known impact on the design of such facilities that has been FPSO: Floating Production Storage and Offloading
discussed in the recent years [1]. The intent of this paper is to GTG: Gas Turbine Generator
recall the historical events and present the specificities of HV: High Voltage
such project execution from Vendor delivery (equipment FAT) HVAC: Heating Ventilation Air Conditioning
until start-up of the facility (first oil and ramp-up). LQ: Living Quarters
As such project is executed in many locations changing N.O.: Normally Open
throughout time, from Vendor to yard, then towing to O&G: Oil and Gas
offshore, we will review splitting and sequencing of testing OEM: Original Equipment Manufacturer
activities at the various locations and phases of project OTP: Operational Test Procedure
execution. PMS: Power Management System
A selection of the different issues encountered and solutions POB: People On Board
implemented eventually, will be covered with highlights on RMS: Root Mean Square
the priorities leading to the decisions which were taken. SAT: Site Acceptance Test
Feedbacks and lessons learned from designing, SOLAS: Safety Of Life At Sea
commissioning, operation and maintenance team perspective UCP: Unit Control Panel
will be discussed in order to propose future roadmaps’ items UPS: Uninterruptible Power Supply
for the industry. VSDS: Variable Speed Drive System
WHRU: Waste Heat Recovery Unit
Index Terms — All-Electric, FPSO, Commissioning and
Start-up. III. TESTING REQUIREMENT
I. INTRODUCTION A. Testing need

Testing (FAT, SAT, commissioning) has become such a
The successful start-up of a project heavily rests on the standard feature in our industry, that sometimes one may
successful execution of the commissioning which is the last lose sight of the ultimate purpose of this activity. In projects,
active technical step of the ‘project life’. Commissioning will the main objective of testing is to demonstrate that the item
consolidate all the achievements done during design and (single equipment, complete package, whole process unit…)
construction as well as inherit of all the issues left. is fit for purpose for both operational and safety requirements
Therefore, it becomes the last adjustment stage before the during the life of the production facility. Secondary objectives
project ends and the production facility is handed over to are to verify the contractual performance requirements, to
Operation team for plant start-up and eventual operation. enable operation team to begin the “learning curve” before
Commissioning is very largely consisting of tests and the actual start-up. The ideal methodology to review the
verification of equipment installed in their final configuration. testing requirement is to consider the full project lifecycle and
Thus, mastering the complete testing activity throughout the to define the optimum stage for which one test is to be
project life is an important contributing factor to a successful performed.
start-up of the plant. Obviously, the later tests are carried out in the project life,
the more meaningful the results are. But we shouldn’t be
II. ACRONYMS blinded by this consideration as the capability to test
everything and exhaustively just before start-up is simply
CB: Circuit Breaker impossible to achieve.
CCR: Central Control Room Indeed the offshore man-power capabilities are strongly
DC: Direct Current reduced, the working hours are costly and the testing
ECS: Electrical Control System activities limited by the amount of material resources.
1
Therefore, the aim of any offshore project will be to minimize Most often, the lighting subsystems will be split by area and
offshore works as much as practical. type of duty (normal / emergency).
Moreover, in the unfortunate event of test failure, the The commissioning execution of one subsystem is meant
corrective actions may take a significant amount of time to be to be done as independently as possible from the other
defined and also to be implemented. Hence the late subsystems, which is believed to optimize time wise this set
discovery of damaged equipment or improper design or of activity. However, there is a relationship between systems
construction may lead to catastrophic delay of the project and subsystems to be defined in order to sequence properly
start-up. the activity. For instance: the commissioning of telecom
cannot start if the UPS and relevant distribution boards have
B. Design stage not been completed. The commissioning of low voltage
The testing requirement definition will start no later than the motors cannot start if the commissioning of their feeding
BASIC Design stage. This testing requirement will be switchgear is not complete.
influenced by a large variety of considerations such as: Assuming all conditions are met to start the
Equipment criticality commissioning, the activity is structured in two main parts:
Amount of equipment considered Individual test / Basic function sheets
Material technology maturity Operational test procedure
End-User internal policy The individual test sheets are applied systematically for
Contractor and Vendor experience and know-how each type of component (a motor, a protection relay, a
Commissioning execution strategy transformer, a lighting circuit). They list in a systematic way
Project schedule and cost constraints the checks to be performed for that individual component.
Legislative requirements Example, each motor will undergo insulation resistance test,
License constraints starting current recording, verification of rotation direction,
vibration checks etc… without consideration for the motor
And many more…
surroundings (i.e. it does not matter whether this motor is
For standard electrical components (switchgears,
driving a pump, a fan or a compressor). Once the individual
transformers, UPS,…) the testing requirements will be less
tests and checks have been carried out successfully, the
sensitive to the above mentioned considerations and a more
operational test procedure is being run. It can be a single
detailed definition can take place during detailed design
discipline document (e.g. key interlocking checks for a
stage. But for more specific equipment (ECS, Power
complete switchgear), but most cases it is mutli-discipline, it
generation, large drives with variable speed drive systems…)
will verify the proper operation of the functional entity in the
the objective should be to finalize the testing scope of such
various operating conditions that have been defined:
equipment at the end of the BASIC Design stage.
Once the specific equipment list has been identified and Start-up
agreed within the Project team, the methodology to define the Duty-standby features
testing requirement is to review (ideally backwards) the Guaranteed operation points
testing steps that the package will undergo. Regulation system
At this stage the Project team shall ensure that all checks Normal and safety shutdowns
are performed and functions tested at least once before plant Etc.
start-up. In many cases, one testing item will be repeated at The assignment of functional sheets to the items can be
different times and different locations as the equipment may partly or fully automated depending on the use of database
be partly dismounted for transportation or preservation tools since the engineering phase. But each OTP is a custom
purposes. document with inputs from Vendor documentation, Contractor
functional specification, and Commissioning and Operation
C. Commissioning stage teams’ requirements.
For electrical discipline, in the vast majority of cases, the Clearly, the commissioning role is not to redo the
commissioning start is matching the energization of the engineering, but it still needs to understand the engineering
equipment. intent. This will serve as input with the same level as the
As per our Company practice, electrical components are successful and unsuccessful testing outcomes as well as the
assigned to system and subsystems which are autonomous cancelled tests. The subsequent outcome may be an
entities meant for one specific purpose. increase of the testing scope during commissioning phase.
Example: “Gas” is a system within which gas compression Hence, this means that commissioning team needs to be
train “A” is a subsystem, gas compression train “B” is informed of all adjustments done in earlier testing activities
another, gas dehydration is another, and gas lift another and be capable of readjusting its own scope of work.
subsystem. In that case, all the electrical loads that are This is not the wishful thinking of what an ideal project
directly involved in the gas compression train 1 and their should be. It is rather the acknowledgement that when a
relevant feeders and cable will also be grouped under this project is drifting from the initial plan, adjustments may be
subsystem. This rule applies to all disciplines (mechanical, required. It is being done for cost and schedule, likewise, it
piping, instrumentation…). When all items of all disciplines needs to be ensured to testing activities.
have reached sufficient completeness: the ready for
commissioning certificate is signed by all involved parties and
commissioning activities may start.
A good all electrical example is lighting. Plant lighting is
one system in which multiple subsystems will be declared.
2
IV. TESTING BY LOCATION
C. Back to back tests & String tests
A. Factories Back to back and string tests apply to mechanical drives.
Factory Acceptance Tests (FAT) are the most conventional The back to back test does not include the driven
tests. Supposedly, the factory is the ideal location to clear equipment (e.g. compressor), it consists in bringing the full
any issue as it is where the equipment was manufactured or driving train (e.g. transformer, converter, and electric motor)
at least assembled. The typical test plan will be defined by: and make it perform mechanically ‘as if’ there was a real
Standards - national and/or international mechanical load. The load may be a twin package, in which
Vendor internal procedures and quality plans case two strings may be tested in one shot, or a permanent
Client requirements factory test bench. There are several advantages for back to
This test plan will be mostly “equipment” oriented and not back tests:
customized for the equipment final application. But the results Complete electrical line is being tested
it will provide are very important. They allow validating many Strong electrical skills of the testing team
basic features of the supplied items. In addition, FAT results Energy efficiency of the test: as only the losses are
provide a first reference of the equipment performance, which consumed it makes it a more environmentally friendly
may be used as a reference both for further tests in a test and the test costs are also reduced.
different environment and, for the longer term maintenance, The string test is the closest “real life” testing experience
to compare the evolution of various parameters (insulation the package may undergo before its final installation location.
resistance, partial discharges…) in time. In addition, in most It requires almost complete package assembly and it is
of the cases, it is the first contact of commissioning team with dedicated only for the most critical applications. In our case,
the equipment and it is a useful input for developing the all power generators and one type of each large compressor
future operational test procedures (OTP). The main limitation and pump driven by VSDS underwent a string test.
of the FAT is that the individual component being tested is
“the center of the world” and little (if any) consideration is
given for the outer world in which this component will be
inserted.
As it is the first testing step, FAT are always an important
milestone, however its meaning and outcome will be different
from one package to another, for relatively standard
equipment such as switchgear and UPS, it will more likely be
a ‘foundation stone’ on which the project will build further and
potentially proceed with adjustments to the surroundings of
the equipment. For more customized items (typically control
systems) it will often lead to further design developments.
Fig.1: Moto-compressor string test arrangement
B. iFAT
An iFAT: is an integrated FAT of two packages, one being The drawback of the string test is that electrical equipment
a control system, most of the time seen from the control sometimes comes as a last priority and it is not completely
system point of view. The schedule of the iFAT depends on part of the test plan. It is not monitored and controlled with
the execution schedule of the main system (usually the the same level of attention and as continuously as the
ICSS). ‘process’ equipment (compressor, pump or turbine). In
Typical execution of the iFAT for electrical items is to bring addition, testing means and qualified personnel for the
one package UCP to be tested with another control system. electrical scope, may not be available as this test is not
But it may also be the other way around e.g.: ECS occurring at an electrical factory.
representative attending switchgear FAT to perform It is then important that electrical End-Users attend such
communication and time response tests tests and have their say during the introduction meeting and
iFAT requires both entities, interfacing each other, to be at during the tests in order not to miss any important part of the
a sufficient development stage. Common and sufficient electrical validation steps.
development stage is not very often the case as the In addition, the complete extent of protection is not always
packages have different award and delivery dates. Because available and even if it is physically in place, it does not
of these different schedules, one entity is using this test just automatically imply that it has been properly set-up. There
as “communication protocol” validation test. This is not are multiple records of damages that could have been
enough nor satisfactory: we have observed that simply avoided if the proper protection had been put in place.
validating the communication mode along with the address
does not clear further instances on site. In particular the D. Onshore Commissioning
complete communication configuration should be reproduced Onshore commissioning will cover all the commissioning
to verify and validate the correct operation of redundancy, activities done at the construction or integration yards. In the
and switching of lines. case of an FPSO the Onshore commissioning shall at least
For specific packages that are similar to a stand-alone cover a very large part of the Hull and LQ, because these will
process unit (e.g. containerized technical room for a subsea need to be very close to completeness during towing (SOLAS
pump). The iFat may also refer to the complete package and classification requirements applicable to a ship with
testing. This case is not addressed in the frame of this article. people onboard).
3
This set of activity will likely be mostly managed by the with other components (switchgears, UPS, generator
Contractor, as there will be concurrent commissioning and UCPs,…) and the availability of real equipment for FAT, the
construction works. It is done with a large amount of available scope of testing may be quite different from one case to
workforce, in particular many Vendors may be working in another.
parallel. Despite our preference to have several real equipment of
During this stage, the main focuses of the commissioning each type (in particular switchgear protection relays) the
team are: trend is that more and more FAT are being done with
Collect all necessary inputs simulator interfaced to the ECS. The use of such simulator
Populate database and write OTPs introduces several limitations. The simulator is done by the
Make sure that safety standards are applied ECS Vendor, it reproduces what the ECS Vendor expects as
satisfactorily on site an interface, and some cases may be missed or eluded. The
Attend/witness the most significant activities as their simulator may create some completely inconsistent
amount may be higher than the available people configurations in which the ECS behavior and display will be
The commissioning preparation activities start during the satisfactory to the End-User. It is not always an easy task to
detailed design. The engineering team will sometime need to identify that such wrongly simulated configurations do not
adjust their documentation to suit the commissioning team require any type of correction. Hence the simulator is a
needs. double edge sword in terms of testing. It does allow carrying
out a large volume of testing, but this does not mean that all
E. Offshore Commissioning significant cases are properly reviewed and it can make all
As soon as the production facility leaves the yard, we may parties lose time on non applicable cases.
consider that the offshore commissioning has begun. For FAT are a good opportunity to test each item type in a very
complex projects in terms of sourcing and local content, it is detailed manner, to review mimics and to test the sequence
theoretically possible to have several alternated phases of with simulator. Some sequences (typically the ones which
onshore and offshore commissioning. But such case is still deal with the network topology) can be tested to a very large
considered as rare. extent and give a good degree of confidence. But the ones
Offshore commissioning is associated to a sudden and which have more interaction with the process (e.g. load
drastic reduction in terms of manpower. This workforce shedding) cannot be considered as fully functional at FAT
reduction will be amplified by higher logistics constraint stage.
(capability to load and unload material). It is also an opportunity for the commissioning team (if
involved during FAT as we recommend to do) to discuss
directly with Vendor on the future site mobilization, expected
Offshore phasing of activities and testing means.
commissioning In the various issues we have experienced, one in
particular was quite puzzling: we identified in multiple
instances inconsistencies between the ECS Vendor
functional specifications and the actual coding of the system.
This kind of issue was found among other instances in the
particular case of load shedding.
To briefly explain the purpose of a load shedding: it is a
mitigation mean that prevents a complete shutdown of the
power generation when the generation capacity becomes
significantly lower than the power demand. Typical triggering
Fig.2: Commissioning manpower curve example conditions for load shedding are:
Tripping of one GTG
This will also be the time when the maintenance and Opening of one coupler CB
commissioning teams will start working in close coordination. Frequency drop
In particular: shutdowns and restarting of the electrical The load shedding sequence will then disconnect some load
network of the facilities (both in case of planned exercises according to a predefined priority table to enable steady state
and unplanned upsetting events). condition for the power generation.
Finally, it is a good opportunity for maintenance team to get As we tested the load shedding, we expected that when a
familiar with the operational and safety feature of the GTG would trip and sufficient spinning reserve was available
electrical network and its components: on the remaining ones, no load shedding would be launched.
Basic automation functions (e.g. source transfer) This was confirmed by the reviewed and approved Vendor
Black start of UPS documentation. However, the way the system acted was to
Periodic tests of generators trigger a load shedding sequence without any load
Mechanical key interlocking disconnection. This may look as inoffensive from the ECS
point of view. But in fact, it had quite a few collateral
V. TESTING PRIOR TO OPERATION consequences on the overall plant: an alarm message would
be sent to the operators creating confusion and would freeze
A. ECS automatic duty/standby feature on the process side. In
Electrical Control System usually benefits from a relatively addition, other ECS sequences would be frozen for a few
extensive FAT. Depending on the interface tests performed
4
seconds in order not to interfere with a potentially unstable try to verify and optimize the GTG dynamic performance;
transient period during the load shedding. again this decision impacted the further commissioning work
As a lesson learned, we have organized workshops upfront offshore.
with our main ECS suppliers to communicate on this kind of Practically the regulation set onshore was so inefficient,
issues. We have discussed document format and content in that it would take over 5 minutes for the GTG to recover
order to minimize the gap between what the ECS specialist speed from a 30% load impact (from 33% loading to 66%
are programming and what the End-Users read and loading).
understand.
Moreover, as the early availability of ECS is more critical
for offshore projects, as part of the electrical network and
some equipment are energized during towing, the way
forward that we have decided to take is to have more upfront
detailed description of ECS functionalities at head quarter
level. During the BASIC stage, our specialist will have to pick
predefined features and adjust them to their project
specificities.
B. Power Generation Fig.3: Frequency response on load impact

The power generation is one of the most expensive and
complex items considered in this paper. The testing was in Considering such result and the issues faced during the
line with this level of complexity. Thus, each main sub- commissioning phase, it is legitimate to question the added
component has had its own individual FAT (the gas turbine, value of the extended FAT and string tests of the GTG.
the alternator, the UCP,…). However, we remain confident that the benefit of testing
Then, each Gas Turbine Generator (GTG) package was cannot only be measured by the end result of the dynamic
string tested but to different extent. Some were tested at full behavior of the GTG. Starting sequence (including WHRU),
load while others were tested at no load full speed only. noise and vibration verification, capability to synchronize and
Many other tests, which were not directly related to the share load (even with a slow response time), etc. remain
electrical performance were also performed (noise, fuel important milestones and should be cleared as early as
change over…). possible. Both because they will enable to proceed further
The full load testing of a large electrical generator (20MW and because the later you discover issues, the more difficult it
and over) is difficult to achieve. Obviously, there is a need for is to solve them.
large amount of fuel, but the main issue is to be able to It is also part of our lessons learned to test the GTG in
export the amount of energy produced. In most cases, the droop mode during FAT in addition to the OEM standard
energy will be simply lost into load banks. procedure.
Then the load banks introduce another type of limitation:
they are quite often purely resistive while the real load of the C. Large Drives
GTG will have an inductive content. Moreover, the voltage As there were few references of VSDS being used in
level of the loads is not always matching with the rated offshore O&G projects, our aim was to have a very ambitious
alternator output which will then have its excitation system testing plan. Indeed, any component was required to be
regulating at a set point which is not the correct one. In tested at full voltage and full current (but not always
addition, as the GTG will run in islanded mode the regulation simultaneously). As a base case, we had defined that each
mode generally selected will be isochronous. Thus all the component would at least undergo either a type test or a
GTG settings could not be applied to the future stages of the back to back test or a string test. In practice some
Project. components made two of the above tests.
In our case, the extensive scope of string testing was Type tests did not reveal any significant issue according to
largely motivated by the use of a new GTG configuration, our experience.
combined with the unusual arrangement of direct coupling on Our detrimental experiences during back to back or string
a two pole generator (i.e. no gearbox). Such arrangement tests have been to damage some auxiliary equipment such
had led us to some concerns regarding the dynamic as:
response of the power generation package, and many Bearing damages as well as minor scratches on shafts
simulations were run to assess the potential issues. for motors, due to lube oil system failure,
However, the string test could not reproduce as much as
VSDS semi-conductor failure due to cooling issue and
we expected the site conditions: each GTG being tested one
absence of temperature monitoring activation
by one their regulation mode was set to isochronous rather
Fortunately, we did not record any main equipment damage
than droop, due to load bank availability a different voltage
during such tests. But it enabled us to discover mechanical
than the one of the project was set. It relied on the sole GTG
resonance issues [2].
UCP regulation and did not test the regulation performance
As a consequence, it is recommended that a technical
with the PMS. We later had to spend a significant amount of
workshop is held prior to such complex test. It should
time offshore to compensate for the lack of regulation testing
determine all gaps (protection, auxiliaries,…) between string
between PMS and GTG UCP.
test and design case. When no gap is identified: validation of
At yard, the GTG (dual fuel type) were commissioned with
the protection setting and effectiveness of the configuration
diesel fuel. For this reason, there was little effort by Vendor to
arrangement needs to be ensured. Then for each gap
5
identified, additional precautions have to be defined, put in Such kind of internal issue is actually quite hard to solve
place and, last but not least: tested prior to the main test. during commissioning as:
First, UPS Vendor representative will come at very
D. UPS specific stages onboard and for a very limited time
UPS are typically tested twice: during FAT and during Second, the focus during commissioning stage will be
onshore commissioning. As it is one of the most vital items, the outer part of the package (i.e. the distribution)
their readiness is usually needed before departure from yard. This example, once explained, is actually quite obvious
The FAT limitation will typically be: and banal, but the time between first identification of the
Absence of batteries issue and the complete resolution lasted over 6 months.
Limitation of load (often purely resistive and Our lesson learned regarding this particular item is that the
sometimes power limitation) FAT of UPS which work in a redundant mode with parallel
Downstream distribution not present operation and load sharing need exhaustive testing. FAT
Twin item (when applicable) not available on the same should not be the testing of two single units.
bench for redundancy verification The reliability and availability of UPS is by definition
This equipment will be one of the first to be commissioned. paramount. With every project trying to capitalize on the
The challenges faced will be to: lessons learned, we have observed that increase in the
Perform the first battery charging while final HVAC variety of architecture and other more subtle items. Even
system is not available after start-up, operation and maintenance team are keen to
Properly preserve this operating equipment in unclean make the design evolve to their priorities. Such evolutions do
environment (typically UPS have forced air cooling) not always qualify as real improvement. Whatever the
Manage all safety by-passes technology breakthroughs, we shall bear in mind that no
Keep a daily vigilance on the insulation levels as the single technical solution is the best answer to all priorities and
distribution is progressively put into service (valid for choices need to be made. Once the priorities are clearly
IT neutral management) presented, it is possible to provide an optimal solution that
This last point remains actually valid throughout the may be updated later on when inputs are changed. In this
complete commissioning phase (onshore and offshore). regard, our Company objective is now to develop into more
Keeping track of all activities is time consuming and tedious, details a selection of architecture and to provide both design
but the very nature of UPS loads are to stay energized. Once and operational guidance and selection criteria.
a problem needs to be solved on the distribution side, the
testing means are limited because shutdowns are difficult to E. HV Switchgear
achieve. At switchgear FAT, it is common practice not to test the
One of the unexpected issues we had to face during protection settings as they will be exhaustively tested during
commissioning were internal design mistakes by our DC UPS commissioning. In addition, the relay coordination and
supplier. As our internal practice is to be able to charge selectivity study has not always been finalized by the time
battery B with charger A (and vice versa) a N.O. coupler is equipment is ready to undergo FAT and shipped due to the
installed between the two chargers. An electric interlock yard construction schedule requirement. However,
prevents the closing of this N.O. coupler in normal conditions. experience has shown us that there may be some protection
Our issue was that the polarization voltage used for the inconsistencies such as the management of earth/tank
interlock was taken from both chargers without galvanic protection of large transformers or earthing transformer unit
segregation. In normal configuration (two chargers in parallel protection (64 REF, 87G,…). Then, even if set points have
and sharing the load), only one insulation monitoring system not been finalized, it is recommended to test the operational
was on line, and no issue observed. However, every time we logic of the protection (is the neutral current calculated by
split the distribution network into two parts: the two insulation phase summation, is it directly measured,…).
monitoring systems would be on line and disturb each other. With respect to this consistency requirement, End-User
should promote that both design and commissioning team
members attend the switchgear FAT.
VI. TESTING DURING OPERATION
A. General
Before the actual start-up of the plant, also known as “first-
oil” the overall plant management is being transferred to
Operation team. This is done to ensure the best safety level
as the operation team will start enforcing their work permit
system which is more complete than the one of the contractor
commissioning team.
The work permit request becomes more formalized and
stringent. One will need to apply for a work permit with a very
complete and detailed work description and job safety
analysis 48h before start of the job. It will systematically be
reviewed and validated by the operation team. The start of
Fig.4: DC UPS configuration (circled interlocked CB) the activity will be conditioned by the verification by Operation
6
team representative that all people involved in the activity actually extremely penalizing and is a significant reason for
took part to the safety tool box meeting, that all required activities to be executed more slowly.
safety precautions have been implemented and that the CCR
operators do not observe unplanned event or upset condition C. HV Switchgear
which would cancel or postpone the activity. The power demand increase combined with the limitation
Hence there is a major change in the operational mode, of voltage levels due to weight and space optimization in the
the timing and the way of thinking and acting of the various offshore environment, it becomes more and more common to
teams. The work needs to be more explicitly described and find short circuit limiting devices using pyrotechnic technology
one cannot modify its further actions in case the testing [3]. These devices enable connecting more short-circuit
outcome is not as per plan without referring to the operation capacity (i.e. more generators) to a switchboard than the
authority to indicate a change in scope. This change is short circuit withstand of that switchboard (either RMS and/or
absolutely not intuitive for the commissioning members who peak). The firing logic needs to be extremely fast in order to
have proceeded otherwise for months. A significant effort in blow the cartridge, i.e. clear the fault, in a time which is
terms of awareness and training is required for Company, typically less than a quarter of cycle (5ms at 50Hz). We have
Contractor and Vendor’s team. observed that the collateral effect of such speed is an
extreme sensitivity of the firing logic that is sometimes
B. Production and Operation Constraints triggered for no valid reason. Indeed we have experienced
Offloading is a major event for the production: it is the very several times, in some particular cases of dead bus being
reason for the plant to exist. Delivering the cargo in a marine energized, the short-circuit limiting device has blown one of
environment can be critical at the early stage of the its phases. While the physical explanation of this spurious
production lifecycle. The first offloading may be done while was never really agreed between End-User and the OEM,
not all systems are in place. For instance.: the absence of the behavior (from commissioning team standpoint) is as
offloading terminal / buoy will impose a tandem offloading described as follows: during energization with a very low
with more exposure to risks and therefore more stringent connected load and a low short circuit capacity, upon the
safety monitoring, which will imply less work permit energization of the half busbar with the short-circuit limiting
authorization due to manpower limitation and intent to limit device was activated instantaneously, while the bus was fault
disturbing events. Moreover the mobilization time of a tanker free, and did not have any load being connected to it.
cannot be extended free of charge. Our solution to this issue was to add an inhibition switch
This will have a severe impact on all non routine activities: (standard feature for this kind of devices) that enabled us to
usually they are simply prohibited one day before the energize the switchgear (and its short circuit limiting device)
offloading is started and during the complete offloading with a light load and a reduced power generation.
sequence which can last from 18h to 36h. However our final lesson learned was to consider the
Hence, considering the work permit request to be issued 2 automatic activation from the ECS in addition to the capability
days prior to job execution and that offloading will occur every to manually activate the firing logic (i.e. automatic and
five days, it is quite possible that 4 days in a week are days manual activation operating in parallel). As we want to avoid
where the forecasted testing activities will remain on hold. relying on the sole human application of the procedure, but
There is a dedicated process to manage simultaneous on the other hand we need to make sure that a safety feature
operation per area which will limit the amount of work and does not only rely on the ECS whose primarily role is not to
associated manpower that can be organized in a given time. maintain safety and which is not designed according to our
As an example: hot work permits (such as outdoor welding internal Company rules of a safety related system. And finally
activities) are limited in amount for the complete plant they the ECS will also be recording the status of the firing logic at
require enhanced safety supervision that may prevent the all times for post event analysis.
electrical testing activities to be performed.
Another potential issue is the limitation of POB and its D. Power Generation Testing
indirect consequences. The amount of people present on an It has to be made absolutely clear that in the case of “all-
offshore installation will be limited by two main criteria: the electrical” plant, the statement “full load testing will be done
capacity of the LQ (number of available beds and meals that offshore” is incorrect. When the full load is reached, the
will be served) but even if this limitation is overcome with the production is ongoing and there is very little chance that the
use of a flotel, the means of evacuation (freefall boats, and Offshore Installation Manager will let the commissioning team
availability of other boats in the close vicinity) will be another perform tests with high risks of tripping the GTG.
limitation factor. Again, this will limit the amount of activities This initial statement may be applicable where the large
that could be held in parallel and independently. But there is machines (typically gas compressors and water injection
another side effect for such POB limitation: one individual will pumps) are turbo driven and it is possible to reach significant
combine multiple roles: the crane operator may be also the loading before the production is ongoing, but for all electrical
helideck officer and he will not be available for crane projects, this does not apply.
operations during crew changes. The electrical maintenance Practically, the onshore testing of the power generation will
supervisor may be part of the firemen team and will be be split in two types:
requested for some special exercise and not be readily 1. What the operation team will allow
available to lock or un-lock the electrical feeder to the 2. What the commissioning engineers can interpret and
equipment you had planned for work. improve from real life event
Each of these internal constraints seen individually may not As a general rule, it must be understood by all electrical
be so impacting, but the cumulated effect of all the above is engineers that from the production standpoint, electrical
7
power supply is a utility: it has to be available at all times and
testing with risks of partial or complete power outage are
almost a taboo.
Significant pressure will be applied on commissioning team
for the scope of testing, and to make things even worse, the
less successful the tests, the less testing will be allowed.
Practically it takes all resources from technical authority at
headquarters, down to maintenance team who wants to have
the best possible knowledge of the GTG capabilities to
convince Operation team to test the power generation.
Additionally, for such complex item, the Vendor
mobilization is permanent, but unlike the onshore stage the
main priority of the Vendor is now to demonstrate that its
package is reliable, not to fine tune it. Fig.6: Broken rotor teeth exiting through the air gap
As an example, it took over 6 months and two third parties
audit to have the GTG Vendor representative improve the This issue had of course many impacts on the operation of
regulation so that frequency value would be completely our plant but it also slowed down drastically the electrical
recovered in less than 20s instead of more than 2 minutes commissioning of other items (mainly GTGs and ECS) as
after a 15% load impact: more that 50% of the load became unavailable for testing. It
shall be stated that despite the initial wrong design of the
motor, our supplier did a lot of efforts to support us in
overcoming this crisis.
The magnitude of the issues encountered and their
associated impact have been so high that our internal
lessons learned are still not finalized. The general trend is
that we are considering major modification on our
specification for design and testing requirement.
However some rules and practices already in place were
strongly confirmed: our motor standardization policy enabled
us to benefit from common analysis and solutions. Moreover,
the common spare for identical motors was made available in
a short time to perform tests and allow Vendor and End-User
Fig.5: 4MW Impact - “Before & After” speed recovery
to validate and finalize the root cause analysis that would
eventually lead to finding the corrective actions. Finally the
As a lesson learned, it is confirmed to be of prime
spare motors as well as identical motors from another project
importance in the Contract that the dynamic performance of
on a less critical path were used for replacement campaign
the GTG is an acceptance criterion at the same level as its
and helped reducing the impact on production.
guaranteed output power and its reliability figure.
F. ECS Testing & Operation
E. Large Drives
For various reasons the ECS item which was most tested
The large drives testing, was by far, the most traumatic we
during operation was the load shedding. As good as previous
endured during commissioning. Some minor issues with
studies and simulations can be: it will not be possible to
relatively easy resolution were faced: as the internal cooling
reproduce real life experience of a GTG tripping, followed by
loop being inactive for a long time contaminated to a large
a load shedding sequence with further collateral trips due to
extent the deionized water and we rapidly run out of all
process condition that are fully ignored by electrical specialist
spares for the filtering cartridges of our converter.
and sometimes not identified by the process and operation
But the main issue we faced was a motor generic design
specialists. To summarize: the load shedding table will likely
issue which impacted all our main drives (7 units) and was
be modified after a few shutdowns along with the triggering
not identified during FAT. Our motor supplier had modified its
set points.
rotor design: changing the rotor slots number which modified
The first real life load shedding experiences will be in a
the natural frequency of the rotor lamination teeth.
configuration which is not the full rated one. For items such
This natural frequency would be found in the operational
as seawater lift pumps or air compressors which are usually
speed range of our drives, but it did not correspond to any
in relatively large amount (sparing strategy of: 3x50%,
guaranteed point and therefore went unnoticed despite our
4x33%, 5x25%...) the fact that there is less machines in
extensive upfront testing plan (FAT, back to back and string
service combined with a static priority table may lead to total
tests) described here above. However, on site, as we had to
black out of the plant, because unfortunately the few
adapt to different conditions (changing gas flow due to
machines that are running are on top of your list while the
increase of production level), we operated the drives on more
ones which were in the bottom of that list are actually
set points and unfortunately it lead to motor damage within a
stopped. This issue generated a strong internal feedback with
few hundred hours of operation.
direct consequences on the way we will specify our load
shedding.
8
As a lesson learned, we decided to communicate with our shedding triggering condition, but shorter than the GTG trip
most common ECS Suppliers in order to prepare a new value.
feature in the load shedding sequence: the automatic Another lesson learned from the same experience is to
reallocation of priorities to loads based on their running implement correction factors inside the ECS to be able to
status. adjust the real dynamic spinning reserve capability based on
real life events. One should remember that unfortunately, this
dynamic performance is not frozen once and for all and will
evolve with the GTG ageing, the climatic conditions, and fuel
type.
VII. CONCLUSION
The follow-up by one specialist of a project from the early

design to the early production stage is one of the best ways
to gain proper feedback on project and start-up execution. It
also allows keeping continuity and trying to achieve the initial
design intent whilst taking into account the external
Fig.7: Load shedding table automatic configuration constraints that occur throughout the execution of a project.
This continuity should be extended by smooth coordination
Another item to be considered is the load shedding and its with commissioning team and eventually operation and
interaction with power generation dynamic response. maintenance team.
According to our experience, the spinning reserve provided Despite the numerous issues presented, we remained able
by the GTG UCP is not corrected by the load impact to achieve a smooth start-up and rapid ramp-up to plateau.
capacity. Hence it is possible that the theoretical capacity of This is one more positive argument to the credit of all-
the power generation would make believe that it can electrical concept robustness and it validates our strategy to
withstand the trip of one GTG, but in fact, the remaining ones keep a strong technical follow-up from throughout our
will drop so much in speed (i.e. frequency) that the electrical projects’ course.
protection will actuate before the GTG are able to recover. These are key elements to the sound technical execution
Hence, it is required to have multiple events, either and the successful production of the plant.
planned or coming from operational upsets to perform an
analysis. The results are then used to properly fine tune the VIII. REFERENCES
maximum impact capability of the GTG in conjunction with
the under-frequency settings (both in time and amplitude) to [1] P. Pandele, E. Thibaut, E. Meyer: “All-Electrical FPSO
ensure: Scheme with Variable Speed Drive Systems”. PCIC
1. Activation of the load shedding sequence Europe Conference Record, June 2011
2. Trip of less critical loads by protection relay [2] J. Seon, X. Coudray, A. Lucas, A. Gelin, B. Quoix
3. Trip of GTG by protection relay “Electrical Driven Centrifugal Compressor – Super
in this order. Synchronous Vibrations of the High Speed Shaft Line:
Initially, we had set all high voltage motors under- Observations, Assessment and Resolution”,
frequency protection with the same setting. After multiple Proceedings of the Forty-Second Turbomachinery
unfortunate outcomes, we re-thought this scheme to stagger Symposium, October 2013
the disconnection of these loads for two main reasons: [3] B. Leforgeais, J. Lavaud, T. Hazel “Pyrotechnic Current
1. If all HV loads are stopped at once, the GTG will Limiting Devices – From Design to Operation”, PCIC
rapidly trip because its utilities have been shutdown Europe Conference Record, June 2014
(no more air, no more cooling water…)
2. Even if the utilities were kept, they would represent a IX. VITA
relatively low power demand. In case of a very large
power tripped in one single event (e.g. all gas
Patrick PANDELE of TOTAL Exploration & Production,
compression), the GTG would still undergo an over-
Technologies division. He graduated as an electrical
speed that would again lead to a black out
engineer from Ecole Nationale Supérieure d’Ingénieurs
Therefore, our lesson learned is that we may have a typical
Electriciens de Grenoble (ENSIEG). He has been involved in
setting for motors under-frequency set point, provided that:
several major international O&G projects both onshore and
depending on the amount of power and the service of the
offshore. He has been acting as lead electrical engineer for
motors, different time setting shall be set. The basic rules for
both design and eventually commissioning on TOTAL’s first
defining this time setting should be: longer than the load
all-electrical FPSO with VSDS from call for tender prior to
BASIC until few months after first oil.
9
RESPONSIBLE PERSONS – ARE THE RESPONSIBILITIES FULLY
UNDERSTOOD?
Paper No. PCIC Europe – BER - 45
Martin Jones Paul Hague Mike Ellis Peter Bennett

CompEx JTLimited CompEx JTLimited EEMUA EEMUA
Wrexham Wrexham London London
UK UK UK UK
Abstract Alpha Oil & Gas platform in the UK sector of the North
In relation to explosive atmospheres, the IEC 60079 Sea. More recently the explosion at the Texas City Oil
rd
Standard Part 14 covers the Electrical installations Refinery on 23 March 2005 where 15 workers were
design, selection and erection, with Part 17 covering the killed and the Deepwater Horizon explosion and Oil Spill
th
Electrical installations - inspection and maintenance in on 20 April 2010 which killed 11 workers illustrates the
addition to the European legal requirements in the ATEX human cost of getting it wrong. The financial impact and
Directive 1999/92/EC (ATEX 137) that provide the damage to a company’s reputation can be no better
minimum requirements for improving the safety and illustrated than that of the Deepwater Horizon incident.
health protection of workers potentially at risk from Costs that run into the 10’s of billions of dollars have had
explosive atmospheres. Competency schemes are well a huge and long term impact that is still felt today and
established to assist employers meet their legal will be felt for many years to come.
obligations under the ATEX Directive or appropriate in- Given that the impact highlighted above is so well
country Regulation for Electrical and known and understood it is somewhat surprising that the
Mechanical Operatives/Technicians and Application role of the responsible person is not well understood.
Design Engineers, but what about the Responsible Companies not only face the prospect of dealing with
Person's competency - are these duties well understood the human and financial effects but the impact of various
across industry and do these Responsible Persons have regulatory bodies can be severe especially after a major
access to the appropriate 'tools' to enable them to incident. Whilst legislation should be adhered to,
adequately carry out their responsibilities? standards and industry codes of practice help
This paper will examine the scenarios where these companies and individuals meet their obligations in
responsibilities have been carried out inappropriately terms of protecting life, property, the environment as
and in some cases contracted-out to third parties, well as the financial balance sheet.
leaving both the Responsible Person and the Employer In Europe, two ATEX Directives [1] have been
exposed to enforcement action when there is an incident implemented that cover equipment and protective
in the workplace. The difficult part is getting it right in a systems, intended to be used in hazardous locations as
cost effective manner and being able to demonstrate a well as the safety of workers in these areas. The US has
professional attitude to embracing the spirit of both the a comprehensive National Electrical Code (NEC)
applicable IEC Standards and the ATEX Directives developed by the National Fire Prevention Association
to maintain both a safe workplace and protect the Committee (NFPA). The NEC is approved as an
expensive capital assets of the major user. The paper American National Standard by the American National
will provide direction to assist the Responsible Person Standards Institute (ANSI). It is formally identified as
conduct their duties in this manner. ANSI/NFPA 70, Section 5 lists the Special Occupancies
and Articles 500 – 505 consider hazardous location
electrical activities. The American Petroleum Industry
I. INTRODUCTION (API) provides recommended practice for Design,
Installation and Maintenance of Electrical Systems for
When it comes to incidents involving explosive Fixed and Floating Offshore Petroleum Facilities; 14F for
atmospheres it can be in no doubt that the cost of Unclassified, Class 1, Division 1 and Division 2
“getting it wrong” can be devastating to victims, their Locations as well as 14FZ for Unclassified and Class 1,
families and communities. The wider issue of the Zone 0, Zone 1 and Zone 2 Locations.
environmental impact as well as the commercial cost Internationally, the International Electrotechnical
and effects to companies and industry can be far Commission (IEC) is a leading global organization that
reaching. The negative impact to capital assets, financial prepares and publishes International Electrical
balance sheets and company and industry reputations Standards for all electrical, electronic and related
can be felt long after the actual incident. One of the most technologies. The IEC 60079 Standard Parts 14 & 17
significant and tragic events occurred on the night of applies to classification of hazardous areas and
July 6th 1988, when 167 men lost their lives during an installation & inspection requirements. It is imperative
explosion and resulting meltdown of the offshore Piper that the responsible person who helps protect the
1 of 5
interests of the oil, gas, chemical and fuel industries strategy and actions for the prevention of explosions.
understands these directives, standards, and The term employer appears in numerous pieces of
recommended practices that are applicable, as well as is legislation. Examining the two ATEX directives we can
being able to correctly apply them to further enhance see that the term employer is used to describe some of
safety and protect the large capital investment assets of the general duties as well as some more specific
the major users. requirements.
1
When dealing with explosive atmospheres Annex A of In Europe the ATEX “product” directive 94/9/EC
the international standard IEC 60079-14:2013 [2] and covers equipment and protective systems intended for
Annex B of IEC 60079-17: 2013 [3] state in some detail use in potentially explosive atmospheres whereas the
the knowledge, skills and competencies of responsible ATEX “user” directive 99/92/EC covers minimum
persons but what of their duties under these standards? requirements for improving the safety and health
The general duties of the operative/technicians and protection of workers potentially at risk from explosive
designers appear to be well understood by most parties, atmospheres. Taken from section II “Obligations of the
indeed this is at least inferred in the actual title of the Employer”, Article 3 of ATEX directive 99/92/EC
above standards in so far as part 14 covers electrical “Prevention of and protection against explosions” states:
installations design, selection and erection and part 17
covers electrical installations inspection and With a view to preventing, within the meaning of
maintenance. Clearly the designer will participate in or Article 6(2) of Directive 89/391/EEC [4], and providing
take a lead role in ensuring the design (including protection against explosions, the employer shall take
equipment selection) of any installation meet the technical and/or organisational measures appropriate to
relevant clauses of part 14. The operative/ technician on the nature of the operation, in order of priority and in
the other hand will subject to the design involve accordance with the following basic principles:
themselves in the equipment selection, and erection the prevention of the formation of explosive
(installation) of the equipment. Referring to part 17 the atmospheres, or where the nature of the activity
operative/ technician may actively participate in the does not allow that,
initial and subsequent inspection as well as the avoidance of the ignition of explosive
maintenance post installation. atmospheres, and
So what of the actual role of the responsible person? the mitigation of the detrimental effects of an
Annex A and B of parts 14 and 17 respectively state explosion so as to ensure the health and safety
they should engage with the management of operatives of workers.
covering selection, installation, inspection and These measures shall where necessary be combined
maintenance duties. So what is management? and/or supplemented with measures against the
Management of these persons will involve ensuring that propagation of explosions and shall be reviewed
individuals are competent and that they carry out their regularly and, in any event, whenever significant
respective duties by following the requirements laid changes occur.
down in the standards.
The role can also be expanded to include the More specifically and in terms of documentation Article 8
management of processes, procedures and of directive 99/92/EC “Explosion protection document”
documentation thus ensuring that the correct technical states:
and organisational measures are in place to control the
risks associated with explosive atmospheres effectively. In carrying out the obligations laid down in Article 4,
the employer shall ensure that a document, hereinafter
II. TECHNICAL PERSONS WITH EXECUTIVE referred to as the ‘explosion protection document’, is
FUNCTION drawn up and kept up to date.
The explosion protection document shall demonstrate
Given its reference in Annex B of IEC 60079-17 it is in particular:
first worth clearing up a common misunderstanding as to that the explosion risks have been determined
the use of the term “technical persons with executive and assessed,
function”. This term is often used to describe a person that adequate measures will be taken to attain
who has overall responsibility for inspection and the aims of this Directive,
maintenance activities. In fact this term only applies to those places which have been classified into
persons who have responsibilities under the type of zones in accordance with Annex I,
inspection “Continuous supervision by skilled those places where the minimum requirements
personnel”, i.e. where an installation is visited (and set out in Annex II will apply,
inspected) by skilled personnel on a regular basis in the
that the workplace and work equipment,
normal course of their work. The role of “technical
including warning devices, are designed,
persons with executive function” is covered in some
operated and
detail under section 4.5 of part 17 and not discussed
maintained with due regard for safety,
further in this paper.
that in accordance with Council Directive
89/655/EEC [5], arrangements have been
III. LEGAL ASPECTS OF THE RESPONSIBLE
made for the safe use of work equipment.
PERSON
The explosion protection document shall be drawn up
prior to the commencement of work and be revised
The position of the responsible person is likely defined
in legal terms as the responsibilities under the term
employer as someone within a company’s hierarchy 1
ATEX directive 94/9/EC is to be replaced in April 2016 by the
must take ownership (responsibility) for a company’s new ATEX directive 2014/34/EU
2 of 5
when the workplace, work equipment or organisation of this will drive future equipment design and selection as
the work undergoes significant changes, extensions or well as subsequent installation, inspection and
conversions. maintenance techniques and activities.
The employer may combine existing explosion risk
assessments, documents or other equivalent reports B. Electrical installation design, selection and erection
produced under other Community acts.
The duties of the responsible person as discussed
IV. THE REQUIREMENTS OF THE RESPONSIBLE previously will involve the management of competent
PERSON persons carrying out design, selection and erection
(installation) activities. The knowledge, skills and
Given that the requirements of IEC60079 parts 14 and competencies of these individuals should be aligned
17 require the responsible person to possess a general with the requirements of Annex A of IEC60079-14:2013.
understanding of relevant electrical engineering as well Adequate training should take place alongside
having the ability to understand, read and assess competency validation which has been internationally
engineering drawings it stands to reason that the person accredited to a recognised standard covering the
must have an electrical bias, i.e. have come from an certification of persons, i.e. ISO/IEC 17024:2012 [8].
electrical background. Training and competency validation should also be
Not only must the responsible person ensure the refreshed on a regular basis and therefore the
competence of operatives/ technicians carrying out their responsible person should be responsible for the
duties under IEC 60079 parts 14 and 17 they must also management of any personnel records as well as the
ensure the effective management of the requirements mechanisms adopted to prompt such refresher training.
laid down in these standards. These measures include In terms of the activities associated with installation
technical measures that relate to specific protection design, selection and erection then the responsible
concepts assigned to equipment, systems as well as the person should ensure that the relevant standards are
organisation measures required to control and being followed and that the documentation required
administer them. The role can be further expanded to ensuring compliance is recorded and retained for future
include hazardous area classification where the release reference. IEC 60079 parts 14 makes specific reference
(leak) of flammable material such as a gas, vapour, mist to the verification dossier that records information on the
or dust is categorised into zones based on its frequency site, equipment installed as well as the actual
and duration. installation. Here, specific reference is made to
information such as hazardous area classification
A. Hazardous area classification details, external influences and ambient temperatures,
manufacturer’s information, certification, intrinsically safe
Hazardous area classification is used to identify system documentation, wiring diagrams, drawings and
places where, because of the potential for an explosive schedules, etc. The responsible person should also
atmosphere, special precautions over sources of ignition ensure that the initial inspection is completed post
are needed to prevent fires and explosions. Hazardous installation and prior to first use and that this information
area classification should be carried out as an integral is also contained within the verification dossier.
part of the risk assessment to identify areas (places) How initial inspections are handled is also of prime
where controls over ignition sources are needed importance as key decisions can be made at the on-set
(hazardous areas) and also those places where they are of any project through effective management. Inspecting
not (non-hazardous areas). and recording the information should be an integral part
Hazardous area classification is covered under Article of a projects installation, commissioning and handover
4 “Assessment of explosion risks” of ATEX Directive activities. Missing documentation can hinder the efficient
99/92/EC as well as specifically required under Article 7 progress of inspection activities therefore clear
“Places where explosive atmospheres may occur” and instructions and requirements for the type and format of
Annex I “Classification of places where explosive any documentation should be agreed at an early stage
atmospheres may occur”. Hazardous area classification between groups such as design, construction,
is outlined in standards IEC 60079 parts 10-1 [6] and 10- commissioning and operations.
2 [7] covering explosive gas and dust atmospheres Effective planning and auditing can help with the
respectively. It is also covered under a number of transfer of information between all parties involved. The
publications (codes of practice) such as EI15 [8] and timing of initial inspections should also receive careful
IGEM/SR/25 [9]. consideration so that equipment covers go undisturbed
Area classification is an activity that should not be post initial inspection.
carried out in isolation from others; it should be carried Creating an asset or “Ex” equipment register is also a
out as a team exercise where it is highly likely that the vital part of the initial inspection process. Sufficient
lead for such a team is a process safety engineer or information should be recorded against every item of
other such specialist individual. The role of the equipment installed whether it is in the hazardous area
responsible person here is to play an active part in the or outside the hazardous area but performs a safety
group discussions be it an initial/ periodic study or a function on equipment and systems inside the
review prompted by a plant modification. The results of hazardous area. Without the equipment register sites
this study displayed as an area classification drawing may not know what equipment they have installed
showing the type and extent of the zones, relevant making future inspections and on-going maintenance
equipment protection level, gas/ dust group and impossible to manage accurately. This could lead to
temperature classification as well as any supplementary equipment going undetected and therefore increasing
information such as reports or schedules are of infinite the risk of introducing hazards into the workplace
importance as, forming part of a plants ‘basis of safety’
3 of 5
through poorly maintained and potentially dangerous work activities will be undertaken in accordance with
equipment. agreed standards, rules and procedures”.
The most important aspect is that any competency
C. Electrical installations inspection and maintenance validation of Operatives/Technicians and Application
Design Engineers is conducted by third party
The duties of the responsible person will be similar to organisations, totally independent of the major users.
those duties imposed under design, selection and The Certification Body must be accredited to an
erection in so far as the knowledge skills and International Standard IEC/ISO 17024: 2012 -
competencies of the operative/ technician. The specific Conformity Assessment – ‘General requirements for
requirements associated with inspection and bodies operating Certification of persons’, to ensure the
maintenance is described in Annex B of IEC 60079- validation process meets an agreed international
17:2013. standard and not just an interpretation of requirements
In addition to these requirements the duties of the which could introduce variability.
responsible person also covers the type, grade and By meeting the requirements of this International
information recorded as part of the inspection. Initial Standard, a company who send employees or direct
inspections should already have been completed prior to contracting staff to attend competency validation
first use therefore the main focus here will be on the courses, do so safe in the knowledge that there will be a
grade of inspection be it visual, close or detailed as well uniform, structured approach to the validation process
as time between periodic inspections including any worldwide and that variability from different course
sample inspections required. Inspections are not set for providers will not occur. The Certification Body must
the life of the installation and the responsible person have access to Technical Experts who fully understand
should review the results of the inspections in order to the scope of IEC 60079 Parts 14 & 17 and continue to
inform themselves whether the frequency and grade of develop the courses in line with the ongoing revision of
inspection including that of sample inspection needs to the International Standards.
be amended. Annex A of IEC 60079-17 provides a It is the advancement of standards, equipment,
sample flowchart that provides guidance on how workplace area, systems design and management and
periodic inspections including sample inspections can be the technical understanding of practitioners who install,
managed. maintain and inspect equipment that will change over
Remedial repairs that result from the inspection also time. Without recognising these changes, more
need special consideration. Regulatory authorities are variability can be introduced and weak links will start to
increasingly examining the way inspections are appear again.
assigned and how subsequent remedial repairs are Whether it is design, installation or inspection and
handled. It is not acceptable simply to stack up the maintenance utilising external organisations to provide
repairs and adopt the “top of the pile” approach where such services can be fraught with risk if this process is
the next repair on the list is tackled with little regard to not managed carefully. Not only should the competency
the type of fault and how serious a risk it poses. of on-site staff be examined but careful scrutiny should
Regulatory authorities are looking for a “smart” approach be exercised as to the level of support and supervision
where inspection results are reviewed and frequencies they receive. Enquiries as to methodologies employed
and grades of inspection amended dependent upon the for inspection and the quality systems in place to
results. Remedial repairs are also ranked and therefore support it such as ISO 9001 [10] are obvious questions.
tackled in order of risk. Factors such as the type of plant What about technical support? Having access to the
or facility, i.e. the consequence of a hazardous event, correct standards as well as supporting documentation
the hazardous area zone, protection concept and is an absolute must. Having senior staff available for
whether a piece of equipment is ignition capable all technical guidance and support is also required.
need careful consideration. Other factors such as the Supervision can vary dependent upon the type of site,
type of fault as well as environmental effects will also level of knowledge, skills and experience. Clearly
play a part in the decision making process of how to risk someone with a high level of knowledge, skills and
rank repairs. experience will require less on-site supervision than a
Resources assigned is also a major factor as to few new employee.
can often mean that inspections are not completed in a So how is the process managed? Training and
timely manner resulting in potentially serious faults going competency records should be retained and a frequency
undetected. Assigning insufficient resources to remedial of refresher training and validation decided upon. For
repairs can also have a similar effect in so much as “major” sites this documentation should form part of a
repairs are not completed in a timely manner and that quality system approach such as ISO 9001 and as such
repairs including those of a serious nature are not form part of a Competency Management System (CMS).
closed out between inspections. Ultimately the CMS should be integrated into or form
part of the Explosion Protection Document (EPD) which
D. Management of competence in turn may form part of a sites overall Safety
Management System (SMS).
What does competency mean? The Regulatory body in
the UK, the Health and Safety Executive state in their E. Outsourcing responsibilities
COMAH [9] operational delivery guide: “Competence
means the ability to undertake responsibilities and Outsourcing the role of responsible persons should be
perform activities to a relevant standard, as necessary to given very careful thought and consideration. It should
ensure process safety and prevent major accidents. be remembered that the employer has overall
Competence is a combination of knowledge, skills and responsibility regardless of what has been outsourced.
experience and requires a willingness and reliability that Competencies need to be checked and verified against
4 of 5
an agreed benchmark. Holding basic awareness training [3] IEC 60079-17:2013 Explosive Atmospheres –
even with some form of basic validation is hardly enough Electrical installations inspection and maintenance.
when addressing the requirements of the responsible [4] EU Directive 89/391/EEC – measures to improve
person. Qualifications including competency records, the safety and health of workers at work.
verifiable experience and endorsement are all aspects [5] EU Directive 89/655/EEC was repealed and
that require consideration. replaced with 2009/104/EC – use of work
Ultimately whoever is employed should be subject to equipment.
regular discussions and even auditing to ensure that the [6] IEC 60079-10-1:2015 Explosive atmospheres –
correct philosophies and practices are being followed. Classification of areas. Explosive gas atmospheres.
Remember outsourcing does not remove blame from the [7] IEC 60079-10-2:2014 Explosive atmospheres –
employer should things go wrong! Classification of areas. Explosive dust atmospheres.
[8] ISO/IEC 17024:2012 Conformity assessment.
V. CONCLUSION General requirements for bodies operating
certification of persons
A company’s legal obligations are set out under the [9] COMAH – Control of Major Accident Hazards
ATEX directive 1999/92/EC supported by the Regulations 2015 (UK implementation of the
requirements set out in standards such as IEC 60079-14 Seveso III Directive 2012/18/EU).
and 17 as well as other related standards such as IEC [10] ISO 9001:2015 Quality management systems –
60079-10-1 and 10-2. The employer should therefore be Requirements.
aware of the duties required under these regulations and
standards and ensure that persons have been identified
to take responsibility for its effective management as VII. VITA
well as implementation.
Ensuring that all persons who play an active role in First Author
achieving a safe site and therefore business cannot be Paul Hague is the UK and global business development
underestimated and here the Responsible person must manager for the internationally accredited CompEx Core
be aware of their own competency requirements as well Competency Validation scheme. Having spent over 25
as those of any supporting persons such as engineers/ years associated with and working in explosive
designers, technicians and operatives. atmospheres enhancing workplace safety through
Documentation and the ability to manage this via a raising the awareness of the scheme and increasing the
quality driven process is key to its effective management number of centres and candidates has become his main
providing an auditable trail that can satisfy regulatory focus.
authorities as well as acting as a measure for continual He has presented numerous courses internationally
improvement. and was the principal author of the new Ex14 CompEx
Outsourcing various roles is an option but one that module covering the roles and responsibilities of the
should be given very careful consideration as the Responsible Person. paulhague@jtlimited.co.uk
employer cannot remove their own legal responsibilities
set out under the term Responsible Person. Being the Second Author
‘intelligent’ customer is key here where an organisation Martin Jones manages the global operations of the
possesses a very clear understanding and knowledge of CompEx Core Competency Validation scheme for
the service being supplied and is able to lead not follow JTLimited. A qualified Electrical Engineer and a lifelong
the activities provided by the service provider. learner, promoting Core Competency Validation of
Neglecting to identify a person or persons as the Personnel in explosive atmospheres has become his
responsible person or worse simply ignoring the role all main focus, increasing the number of competency
together is fraught with risk and can compromise a validation centres across the globe from 11 to 53
company’s ability to operate a site safely and effectively. currently, to further enhance workplace safety.
Further to this, failure to act puts a business at risk from He has authored several papers and tutorials
being able to operate as the repercussions from an worldwide. martinjones@jtlimited.co.uk
incident could affect a company’s value as well as
reputation. Legal proceedings by the regulatory Third Author
authorities such as enforcement notices and even Mike Ellis is EEMUA’s Technical Expert representing
prosecutions could also prevent a business from the interests of users on a number of BSI Committee’s,
operating. IEC Committee’s and the CompEx Scheme Committee
Mike.Ellis@IEE.org
VI. REFERENCES
Fourth Author
[1] ATEX directive 94/9/EC, Equipment and protective Peter Bennett
systems intended for use in potentially explosive Throughout his career Peter has been dedicated to the
atmospheres and ATEX directive 99/92/EC, enhancement of safety within industry, being active in
Minimum requirements for improving the safety and the work of BSI Technical Committees and as the
health protection of workers potentially at risk from appointed UK Convenor for a number of Hazardous
explosive atmospheres. Area safety initiatives for CENELEC and IEC. On his
[2] IEC 60079-14:2013 Explosive Atmospheres – retirement from Shell, Peter became an independent,
Electrical installations design, selection and part-time Consultant for EEMUA and is Chairman of the
erection. CompEx Scheme. peter@bennetti.co.uk
5 of 5
IEC 61850-based EMCS training simulation tools ensure operational efficiency and
peace of mind.

Paper No. PCIC Europe (BER-46)
Yann-Eric Bouffard Vercelli Gagan Kapoor Guillaume Bruandet

Schneider Electric Schneider Electric Schneider Electric
Avenue de Figuières BP 75, Sector 126,Noida Avenue de Figuières BP 75,
34970 Lattes, France India 34970 Lattes, France
Abstract - Power system in Oil & Gas Installation necessary to upgrade solutions, end users seek to reduce
requires complex and automated Energy Management ownership and maintenance costs.
and Control Systems (EMCS). Operators use different
control systems (DCS, EMCS…) using different HMIs and To manage energy and meet expected outcomes,
Intelligent Electronic Devices (IEDs), controllers, sensors. various control systems are used – electrical, process,
Remote and actual site learning is usually not feasible, safety, and security control systems. EMCS is one such
and certainly not during abnormal or crisis scenarios. control system that provides a complete electrical system
overview and helps ensuring maximum energy availability
EMCS architecture is composed of a hierarchy of various to critical loads, thus an uninterrupted process.
communication network topologies. Software-based
simulation tools offer a very effective way to better Due to the criticality of electrical energy for processes to
understand system behaviour. Simulation can be done in run bumpless; the efficiency of EMCS operation is
two ways- Emulation which is replacing the actual devices extremely important. It integrates switchgears at different
with on Communication Simulation and Excitation which is voltage levels (LV/MV/HV) with a generation system and
injection by hardware simulation. Simulation can emulate has IT/OT convergence.It has power management
most electrical data and control by emulating IEC 61850 functionalities (load shedding, load sharing, etc.) for
protection or LAN concentrators. A selection of IEDs can demand and supply management of energy needs.
be activated by simulated embedded hardware that Because technology is evolving and systems and
allows (while keeping coherency of electrical data) to equipments are becoming increasingly connected,
learn real IED maintenance or setting operations. A operators want tools and systems to support the
limited set of IEC devices are often used, including an optimization of CAPEX and OPEX.
EMCS HMI, DCS gateway, central automation such as
iFLS, iPMS, and black start, in order to exactly replicate The motives and drivers behind meeting these challenges
site behavior, settings and maintenance procedures (such are to save time (commissioning, start-up) and
as patch management, upgrades, or site evolution). expenditure (reduction of total cost of ownership) by
expanding system and device knowledge and readiness
This paper presents an Operator & Maintenance Training and with the practice of various contingencies.
System (OTS & MTS) solution. Its inner basis is a site
EMCS IEC 61850 System Configuration Description EMCS training via simulation provides one option to
(SCD, according to IEC naming). In EMCS simulation set- respond to these challenges.
up, IEDs can be physically replicated then can be excited
physically if needed, or emulated (replaced) in 2. What can simulation do for operators?
communication network for the majority of time. Simulator
reacts to direct control or automation settings reactions in Operator Training System (OTS)
case of contingency. A trainer can specify multiple sets of
electrical data and initial status, schedule events, or re- The domain expertise of an electrical system provider,
inject captured IEC data exchange of current real project and convergence of IT/OT with the use of relevant
EMCS. This paper describes this top-down approach of technology, can significantly help end users by adopting
simulation and solution modularity required by end user, simulation.
from real to and emulated IED, and from simple electrical
behaviors to real-time dynamic load flow injection. The first and most important aspect is training and
building operator confidence in EMCS, so that human
1. Challenges with EMCS and other control error is minimized. This can be referred to as the Operator
Training Simulation and can also be part of simulation for
systems testing and maintenance personnel.
Industries worldwide are striving toward more connected, OTS is a key solution to deploy energy-saving control
more efficient, and more distributed operations. Apart strategies and improve sites’ energy performance by
from these needs, energy optimization is also targeted. letting the personnel in charge of site operation acquire
The ever-present challenges of this industry include and retain a high level of experience and expertise.
safety and continuous operations with the use of It presents an easy-to-use software application that
technology and processes aimed at energy optimization. simulates real site situations in a safe, non-energized
In addition to ease of maintenance and the flexibility
(offline) environment to learn, practice, and improve and a reduction of downtime, which results in greater
EMCS users’ operational aptitudes. efficiency and significant cost savings.
OTS leads to safe and efficient operator performance that
3.1. Real-time, dynamic, post-mortem analysis
benefits users, workers, and the overall profitability and
productivity of the company. and study of IED settings/parameterization
2.1. Actual project replication IEDs or numerical protection relays form the center of
electrical power system networks. Technology is driving
Simulation of the same single line diagram as an electrical toward one-box solutions capable of performing control,
distribution system with the same power management monitoring, protection, and analysis. Simulation capable
settings (i.e., priority and contingency for load shedding, of changing and emulating IEDs can train operators and
spinning reserve requirements) gives an experience of maintenance engineers to use IEDs to their maximum
existing operation. It trains and builds confidence in the potential (settings optimization). Unfamiliarity with devices
operator about full system awareness. By simulation, limits their use to a basic minimum, and any electrical
operators can also learn how to use graphical user disturbance or inappropriate operation or circuit breaker
interfaces (GUIs), navigation, alarm and event handling, tripping cannot be effectively diagnosed. Specific tools
and control procedures. The linkage of dynamic can help to capture network data to be replayed on
simulation enables end users to simulate real-time power emulated IEDs in a safe environment to facilitate post
system disturbance mismatches in demand and supply, mortem analysis and diagnose the disruption root causes.
and prepares operators to confidently address those
eventualities. An end user can have not only a complete 3.2. Real life contingency analysis and load flow
system replica but also IED replica. solutions
2.2. Solution simulation The closer simulations can bring operators and
maintenance engineers to real environments and
Simulation can be performed in different ways: operating conditions, the higher the impact. Simulations
should include an exact replica of the installed electrical
• By emulating devices or solutions-Replacing
network, simulate it, create scenarios of fault and
actual device by Communication Simulation.
contingency, and demonstrate the impact on the demand
• By excitation - Hardware stimulation or and supply of electrical power. This can be extended to
excitation by forcing some values. analysis of complete load shedding, load sharing, and
restoration of the system in a simulated environment of
Both options can give end users different experiences and changing priority, contingency, and islanding scenarios.
more knowledge to tackle any eventualities. Emulation is The operator can gain expertise by becoming deeply
simply replacing actual equipment and keeping the same familiar with the IED by utilizing IEC 61850 logic node
replica by using IEC 61850. IEDs can be emulated by definitions and attributes and identifying IED parameters
following IEC 61850 definitions of their functionalities. for protection. Power system behavior (i.e., due to
contingency generation vs. consumption) and complete
Alternatively, a system’s performance can be stimulated flow analysis in a simulated system can be performed.
by injecting values through hardwired I/O and creating Such elements can increase operator confidence.
scenarios as close as possible to the real case.
3.3. Capture communication between devices
2.3. Configurable scenarios
and scenario reproduction
End users can leverage the flexibility and learning
experience the simulation can provide. Therefore, the Ideally the simulation should provide the flexibility to
more customizable the simulation solution, the more recreate scenarios to investigate site data between
realistic the experience and the better the operator can devices and reproduce any contingency condition or
relate to the system during actual scenarios. The key abnormal situation. IEC 61850 functionality, e.g., GOOSE,
element is to have the use case scenario configurable by can allow a high-speed communication Capture action
the user. between various devices, making diagnosis and analysis
very easy.
3. What can simulation do for maintenance IEC 61850-based simulation allows the spread of a
engineers? massive flow of data coming from IEDs, PLCs, servers,
etc. In the case of failure or post-mortem analysis, data
Maintenance Training System (MTS) must be presented to electrical and system engineers in a
way that facilitate this complex cross analysis, mixing
MTS is a simulation solution for training field engineers on electrical, operator, and EMCS system data. To help, all
real devices to prepare them for safe and accurate components are synchronized and all data are time
operations in an actual electrical network. This simulation stamped at the source.
takes place by injecting electrical analog (CT/VT) values.
MTS software allows for hands-on training with real IEDs
that are identical to plant devices. Engineers can
therefore obtain experience and expertise prior to working
with real installations.
MTS allows better scheduling of maintenance operations
3.4. Scenarios with and without hardware • Simulation devices as Communication
injection Simulation and optional Hardware
Simulation.
In some cases, simulation will be limited to software “Copies” (also called “replicated”
“replicate and “duplicated”) are
emulation for operator training. The real EMCS uses exact “spares” of those on site, with the same hardware,
some components that can be easily plugged into the software, configuration,
ation, and settings. The IED copy is
simulated environment. The goal is to validate the impacts powered and behaves exactly as the one on site because
of any modifications prior to deploymentt on site: simulation can place the same site excitation value on its
• Algorithm modifications interface (and inject all kinds of signals, including CT/VT).
In the case of maintenance, it is then possible
poss to practice
• Cyber security and patch management
on IED site settings to learn and to reproduce reactions.
• Firmware and software updates In a second stage of maintenance actions, it is possible
• Server replacement before site implementation to test any new patch:
• IED setting modifications hardware, operating system (OS), software version
• Fast load shedding priority changes (evolution or correction),
), configuration, or setting.
• Etc.
3.5. Ability to accept load flow analysis

software from any vendor
The Simulator is not using its own predefined reflex value,

but results of load flow computation. We feed the value of
circuit breaker status, position, etc.
The Load Flow low software is fed by EMCS simulator with
the current breaker values using an OPC Link. Load
Loa Flow
software computes dynamic value and return to EMCS
simulator accurate analog values and possible threshold,
threshold
e.g. trip. From the EMCS HMI, operator can control any
circuit breakers, and the simulator transmits
transmit the new
dynamic load balance situation.
Figure 1 Offline Global Simulation
The combination of these two bricks allows the
implementation of: Whatever the simulation type the “copy” of the EMCS
project must be replicated in the simulation environment.
environment
• “What if” feature. This simulation environment uses the actual EMCS
• State Load Estimator (SLE) feature.
feature project database without any rework.
“What if” helps operators control the plant. The sequence EMCS HMI replicate is mandatory in OTS to be
of operations can be reproduced in a simulated mode comfortable with electrical operating sequences.
sequences
before being carried out on the plant. It prevents any
misuse and/or electrical collateral disturbances. For MTS, HMI is useful to check all IED system interfaces
(communication signals, remote setting, administration,
administrat
A State Load Estimator feature can raise alarms when synchronization, disturbance recording, and all mass
real measurements are too far from simulated values. It archiving).
helps operators make decisions during abnormal
circumstances and maintenance
intenance people replace critical For advanced electrical control functions, the simulation
sensors. environment contains an “exact replica” of IEDs managing
automation logics (iFLS, Load Sharing, PMS, ATS, etc.).
It allows reproducing the exact reactions in the simulated
4. The solution
environment as it applies on the plant in real time.
4.1. A simulation solution based on a set of Then, depending on budget, and especially for
exact replica/ copies of EMCS IEDs maintenance purpose, we recommend creating a
“duplicate” of the IEDs of each range (protections, meters,
As previously pointed out, simulations can be of two etc…).
types:
1. Emulation of missing IEDs over EMCS LAN,
4.2. Simulation device interface to EMCS IED:
by communication means.
Communication Simulation
2. Excitation of existing IEDs by hardware or by
communication means. The simulation devices can act via communication means
The second case requires an n OTS to have some real or hardware signals that define two main devices:
IEDs as “copies” of those on site. Choices can be made Communication Simulation and Hardware Simulation
during implementation of a simulation solution to compose Nowadays an EMCS is composed of several LANs to
it of: reduce inner communication traffic, possible congestion,
cyber risk against intrusion, etc. The EMCS LANs
• Exact “copies” of site EMCS IEDs, as EMCS
commonly use Ethernet with IEC 61850 protocol. The
partial replicate.
Communication Simulation device can operate with
several
veral Ethernet boards to act on several EMCS physical
LANs (validated with up to 4 physical LANs). This feature Simulation needs to log operator actions, and store IED
can be degraded to operate using VLAN and a single reactions. This monitoring can be split in two: file archives
Ethernet board. Ethernet switch boards can be embedded and runtime operator log displays. All logs contain
when required to handle various Ethernet redundancy electrical naming and communication addresses (IEC
cases, and to study specific aspects of this transmission 61850).
layer.
File archives contain standard logs (everything seen or
The Communication Simulation device mainly uses the done in Communication Simulation), specific GOOSE
IEC 61850 protocol. Two IEC tasks are used depending archives, and operator can export archives in csv, html
on the selected simulation. When Communication and COMTRADE (only for goose data).
Simulation emulates/replaces an IED, it uses an IEC The main HMI contains two working areas. The central
server task to publish all data that the replaced IED could one is always displayed. The second allows data filtering
have exposed (with report and GOOSE). When (input on the left of the browser, output on the right) or
Communication simulation captures/sends control to the manually generated output changes (status change of
IED “Copy”/”Duplicate”, it uses a second IEC task called emulated IED, control on present IED).
IEC Client to subscribe to the IED data set, and optionally
sends control to the IED. Both IEC tasks are based on The operator’s HMI log display and the browser can be
real EMCS IEC 61850 SCD (System Configuration switched during runtime from electrical context to IEC
Description). For example, in simple OTS, there is an 61850 modeling context (In OTS and MTS, electrical
exact replica of the EMCS HMI and a Communication naming is normally used because it displays the same
Simulation that emulates via up to 400 IEC server tasks names as those used in the EMCS HMI “copy” used by
and all possible IEDs on various LANs (some of the trainee. Whatever kind of display (electrical or IEC),
emulated IEDs like gateways are a concentration of data tooltips provide complementary information (IEC or
normally provided by sub-LAN or legacy network). electrical).
Separate tasks are selected for modularity and the
possibility of generating degraded exploitation cases Three logs are used - Action/Reaction, goose_Spy and
(killing or disconnecting specific IEDs). SOE. All cells of these logs can be exported or copied to
an external editor (text or Excel) for reporting. The
The Communication Simulation configuration should be Action/Reaction viewer logs each computed event, inputs,
based not only on IEC specific but also on electrical and outputs. The goose Spy monitors all goose
labeling. exchange between IEDs.
4.3. Simulation device interface to EMCS IED: A double naming is used to cover operator skill (Electrical
Hardware Simulation or automation based on IEC61850).
Hardware Simulation is the second main simulation

device– the device interface part. It provides physical
input and retrieves output from the related “Copy” of the
EMCS IED. Based on a PLC, it can provide time-tagged
hardware excitation to the created EMCS IED, and
retrieve time-tagged responses.
We have two ways for simulation – Emulation is the most
common, also the Communication Simulation should log
everything that happens in hardware or communication
simulation, and trigger all actions in both types of
simulation.
Communication Simulation should have several
independent LANs to be replica in real site
implementation. Figure 3 HMI General View
The principle of Communication Simulation is simple. Via

appropriate configuration, when there is an action (input)
there is a reaction (output). One input action can trigger
several outputs. One output status can be triggered by
several inputs.
An important part for running an OTS/MTS is the scenario
part called Use Case. The Use Case is defined by:
• Action/Reaction.
• Initial Status.
• Scheduler.
• Or combination defined by macros.
Figure 2 Offline Simulation Architecture

4.4. Simulation HMI: Logs/Scenario/Use Case
To help the trainer, the dedicated HMI (especially in 5. Conclusion:
electrical mode) can be used to define new initial status or
via “Activity” to define the sequence of events that the The OTS, MTS, and the Dynamic Simulation Solution
trainee should handle. Globally, this user friendly way to enable users to optimize both CAPEX and OPEX. Trained
configure new scenarios allows direct use of the and up-skilled operators and maintenance engineers
configured Communication Simulation without special contribute to an enhanced operational efficiency.
training.
OTS Benefits:
All scenario files, action/reaction (as configuration),
initial status, scheduler (as Activity) should be defined in a CAPEX Impact:
readable format e.g., csv formats for easy flexibility of
scenario generations. • Increased operational efficiency ensuring
increased asset efficiency.
For electrical engineers, the electrical data is mapped to
• Increased safety and reduced risk.
several communication addresses (main, back-up
• Optimized electrical distribution management.
computer, or protection device, in one LAN or above a
LAN concentrator). In order to face this redundancy, the • Confidence building for future projects.
LAN/IED names appear below the electrical name in the
browsers when such acquisition redundancy appears. OPEX Impact:
• Operator skills enhanced with full knowledge of
4.5. Enhanced Load Flow Computation: the EMCS capabilities - efficient operation.
Process and Analog Simulation • Shorter turnaround time impacts on operation.
• Faster and on-time operator reaction.
Basically, the previous simulation devices are specialized • Shorter commissioning times.
in interfacing with EMCS. They use predefined • Minimized operator turnover impact.
action/reaction and pre-computed analogues, not
accurate in complex simulation (but sufficient in common MTS Benefits:
trainings).
CAPEX Impact;
Process and Analog Simulation is a complementary
component in charge of electrical dynamic computation • MTS is the simulation solution designed to train
and all load flow variation. In an OTS, the trainee is active field engineers and prepare them for safe and
and sends controls to simulated primary devices and their accurate operations in the actual Electrical
controlling IEDs. It could also be exciting to introduce Network.
contingency to the test operator and system reactions. In • Initial start-up costs are reduced with awareness
both cases, the electrical topology is changed then, load of IEDs, their parameterization and the system.
flow is also changed. • Increased safety and reduced risk by familiarity
with IEDs.
o Subscribe (report/GOOSE) to capture data.
o IED communication reactions. OPEX Impact:
o Optionally, send control/settings to replicated
IED via communication. • Engineers’ skills are enhanced with full
o Optionally, act on the simulation hardware knowledge of EMCS capabilities.
device to change/react to actual IED hardware • With MTS, maintenance operations can be
configuration. better scheduled as well as downtimes reduced,
resulting in greater efficiency and significant
Communication Simulation uses several LANs, EMCS cost-savings.
labeling, and handles IEC tasks via EMCS SCD files. A • Faster and more efficient testing and
configuration tool running in Excel is used to configure maintenance.
Communication Simulation first, but also links to hardware
• Shorter or eliminated production downtimes.
simulation and Process and Analog Simulation.
• Minimized field engineer turnover impact.
Several load flow software applications can be used as • Problem analysis.
long as they use a communication interface. Such • Evolution testing and corrections.
dynamic configuration is complex engineering as it is
often hard job to select the correct model and then identify
the exact parameters of the electrical data. Two families
of load flow software can be considered with short circuit
analysis software (used to define protective IED settings)
or enhanced process simulators (including electrical and
industrial process dynamic).
REFERENCES
[1] The benefits of using dynamic simulation and

training systems for expanding operator knowledge
and understanding.
[2] Hazel,T. et al (2004), "Facilitating plant operation
and maintenance using an electrical network
monitoring and control simulation tool,” IEEE PCIC
conference 2004 vol IA-18, pp 632-640, Nov/Dec
1982.
[3] Frankwaterer, S. (2012), "Enhancing power
equipment reliability with predictive maintenance
technologies”.
Authors
Yann-Eric BOUFFARD-VERCELLI earned his PhD in

Automation CAD Systems in 1992 from the University of
Montpellier II. He started working in Electrical
Automation for Schneider Electric in Lattes, France in
1998, first in R&D validation, then as manager in 2000,
and currently works as an expert in the Energy
Automation Center of Excellence.
yann-eric.bouffard-vercelli@schneider-electric.com
Gagan KAPOOR graduated from MANIT, Bhopal –India

and received his MBA from Warwick University, UK and
Project Management certification from APM. He has
worked in sales support, application, and product
development and marketing during his career and from
1997 onwards on electrical automation. Currently he is
Automation Marketing Manager for Oil & Gas and MMM
Segment.
Gagan.kapoor@schneider-electric.com
Guillaume BRUANDET graduated from the University

of Grenoble in 1988 with an honors degree in computer
science. He is R&D Senior Project Manager and Global
Solution Architect for O&G at Schneider Electric since
2000.
guillaume.bruandet@schneider-electric.com
Glossary
ATS SCD
Automatic Transfer Switch. System Configuration Description: An IEC 61850 term
for a file containing descriptions of all IEDs including the
configured data flow and needed DataTypeTemplates,
CB
a communication configuration section and a substation
Circuit Breaker
description section.
Specific dipole switches with the capability to power on
and break on fault current. Some have not isolation
capability (nominal-ground at each side). SLE
State Load Estimator.
CT/VT
Current Transformer / Voltage Transformer. VLAN
Virtual Local Area Network.
DCS
Distributed Control System.
EMCS
Energy Management and Control System.
HMI
Human Machine Interface.
HV
High Voltage.
IED
Intelligent Electronic Device.
iFLS
Intelligent Fast Load Shedding.
IT/OT
Information Technology/Operational Technology.
LAN
Local Area Network.
LV
Low Voltage.
MTS
Maintenance Training System.
MV
Measurement Value.
Medium Voltage.
OS
Operating System.
OTS
Operator Training System.
PLC
Programmable Logic Controller.
PMS
Power Management System.
ADVANCES IN MOTOR PROTECTION RELAY FEATURES
Ricardo Abboud Dibyendu Bhattacharya Paulo Lima

Schweitzer Engineering BP Exploration Operating Co., Ltd. Schweitzer Engineering
Laboratories, Inc. Chertsey Road, Sunbury Laboratories, Inc.
2350 NE Hopkins Court United Kingdom Avenida Pierre Simon de Laplace, 633
Pullman, WA 99163 Condomínio Techno Park
USA Campinas, São Paulo 13069-320
Brazil
John Needs Alejandro Rodriguez

Schweitzer Engineering Schweitzer Engineering
Laboratories, Inc. Laboratories, Inc.
Unit 19, Hollins Business Centre Hurksestraat 43, 3rd Floor
Rowley Street, Stafford, ST16 2RH Eindhoven 5652 AH
United Kingdom Netherlands
Abstract—The algorithms used by numerical relays in Thermal protection is required to detect and protect
motor thermal protection accurately simulate the electric motors against abnormal conditions like
characteristics of the motor. These algorithms use the overload, locked rotor, frequent starts, unbalance, low-
motor speed to calculate rotor heat. This results in voltage operation, and others.
proper starting for high-inertia loads connected to Installations using electromechanical relays have
motors and minimizes the cooling time, providing limited or no capabilities to accurately track motor
quicker restarts. These algorithms are performed in a heating conditions. In the case of large industrial motors,
numerical relay that also performs logging and plotting only numerical relays or intelligent electronic devices
of starting characteristics. An accurate record of motor (IEDs) with special algorithms are able to adequately
performance can therefore be obtained, providing an simulate actual rotor and stator thermal conditions.
indication of possible motor failure. Broken rotor bars Modern numerical relays are the natural choice for
cause reduced accelerating torque, increased motor retrofit applications, and they offer many improvements
heating, and increased vibrations, which can inflict over electromechanical or static relays. These
severe damage on a motor. Modern numerical motor enhancements include improved thermal modeling of
relays monitor the stator current spectrum for frequency motor heating, event reporting, sequential event
components associated with this phenomenon and use reporting, motor start reports, motor operating statistics,
motor current signature analysis to detect broken rotor additional protection features (such as the detection of
bars. For added safety, these devices can also include broken rotor bars in induction motors), and additional
arc-flash protection, allowing faults in the switchgear to control functions (such as synchronous motor starting).
be quickly detected and cleared. A comprehensive thermal model that precisely
represents motor heating is discussed later in this paper.
Index Terms—Motor protection, thermal model, According to surveys performed by the Electric Power
arc-flash protection, broken rotor bar. Research Institute (EPRI) and IEEE, 5 percent of motor
failures happen because of problems in the rotor cage
I. INTRODUCTION [2]. Early detection of a broken rotor bar is very
important to minimize motor damage and reduce the
Electric motor systems account for about 60 percent time out of operation, which consequently reduces repair
of global industrial electricity consumption [1]. They are and operation costs. The broken-bar condition can be
fundamental to industrial processes. An undesired initiated by a fracture at the junction between the rotor
operation of the system protecting the motor can lead to bar and the end ring as the result of thermal and
substantial economic losses and may even compromise mechanical stressors. Motors with high-inertia loads are
the safe operation of the plant. more susceptible to a broken rotor bar condition when
The main function of industrial electrical power starting [2]. Motor current signature analysis (MCSA) is
systems is to provide energy for these electric motors. the most popular method to detect rotor cage faults and
Motors are subject to faults and abnormal conditions is discussed later in the paper.
that can cause extensive damage. Motor damage can There are ten Occupational Safety and Health
cause delays in industrial processes, with corresponding Administration-reportable (OSHA-reportable) arc-flash
economic losses. For this reason, a reliable motor incidents every day in the United States [3]. In addition,
protection system is fundamental for increasing the up to 80 percent of all electrical worker injuries are due
reliability of industrial processes. This paper discusses to external burns created by the intense radiant heat
key elements of creating a reliable motor protection energy of an electrical arc flash [3].
system, including thermal modeling, the detection of Arc-flash detection sensors provide a cost-effective
broken rotor bars, and arc-flash detection. method to reduce arc-flash energy by minimizing
1
detection times. High-speed light detection combined the motor torque. When the rotor is locked, the stator
with high-speed overcurrent element supervision and mimics a transformer with a resistance-loaded
high-speed output contacts can provide a dependable, secondary and experiences current that is typically
secure, and fast method for tripping. This, in turn, can 6 times the rated current. Because of the rotor
contribute to reducing damage to equipment and resistance during a locked rotor being 3 times greater
significantly increasing personnel safety. Numerical than during running conditions, the effective heating due
motor relays can use multiple sensors for arc-flash to rotor ohmic losses is 108 times that of normal
detection. The most common sensors are lens-point operation [5].
sensors and bare fiber-optic sensors.
B. First-Order Thermal Model
II. THERMAL MODELS
Motor thermal protection is responsible for removing
A. Motor Thermal Limits power before a motor’s temperature reaches values
above of the maximum level permitted by the thermal
The thermal limitations of induction motors are limit curves. The actual motor heating can be calculated
specified by thermal limit curves that are plots of the with a thermal model that represents the motor thermal
limiting temperatures of the rotor and stator in units of system, as shown in Fig. 2.
I2t, where I is the positive-sequence, balanced stator
current for a three-phase motor and t is time. The curves θA
for a 7,000 hp, 6.6 kV, 900 rpm motor are shown in θM
Fig. 1.
1,000 Rth
r
Running Overload Heat
Dissipation
100 Cth
Locked Rotor (Cold)
Starting Current (80% Vn)

Fig. 2 Motor thermal system
Time (s)
10 Locked Rotor (Hot)

Starting Current (100% Vn)
The electric power applied to a motor is partially
converted into heat that is stored in the motor, causing
the temperature to rise. Thus, the temperature is a
function of current and time. These variables are the
1
basis of the thermal model that represents the motor
temperature. A first-order thermal model is used to
calculate the motor heating and is applied to the motor
thermal protection [6].
0.1 Consider the motor heating caused by the current
1 1.5 2 2.5 3 3.5 4 4.5 5 5.5 6 6.5
Current (per unit [pu]) flowing through a resistor (r) that represents the
resistance of the motor windings, as shown in Fig. 2.
Fig. 1 Thermal limit curves for a 7,000 hp motor The environmental temperature is θA and the motor
The starting curves are an indication of the amount of temperature is θM.
time and associated current for the motor to accelerate This simple first-order thermal system is modeled by a
from a stop condition to a full running condition. In Fig. 1 thermal resistance (Rth) to the environment and a
there are two starting curves: the solid curve represents thermal capacitance (Cth), with the motor considered a
the motor starting at rated voltage and the dashed curve homogeneous body.
represents the motor starting at 80 percent of the rated Fig. 3 illustrates the first-order thermal model used to
voltage. represent the motor heating [5]. The major components
Thermal protection is required to detect and protect of the model are as follows:
electrical motors against abnormal conditions. 1. Heat source. Heat flow from the source is
Unbalances produce negative-sequence currents that I2 • r watts (J/s).
can cause rotor overheating [4]. A low-voltage condition, 2. Thermal capacitance (Cth). This represents the
if it occurs during normal motor operation, can cause the capacity of the motor to absorb heat from the
motor to jam. If a low-voltage condition occurs during heat source. The unit of thermal capacitance is
starting, the motor may not start normally because the J/°C.
motor torque might be less than the load torque. In both 3. Thermal resistance (Rth). This represents the
cases, the resulting overcurrent can damage the motor. heat dissipated by a motor to its surroundings.
Motor stall occurs during the start operation when the The unit of thermal resistance is °C/W.
motor torque cannot overpower the load torque and the 4. The comparator. This creates a trip condition
motor cannot start moving. when the calculated motor pu temperature
The cause of a locked rotor may be a failure of the exceeds a preset value that is based on the
load bearings, a failure of the motor bearings, a low motor manufacturer’s data, as explained in more
supply voltage, single phasing, or a load that exceeds detail later in the paper.
2
θtrip + When a motor is de-energized, it does not require
–
Trip thermal protection per se; however, it does need to be
θM locked out and not allowed to re-energize until it cools
down sufficiently to offer further service. When current
Heat Source
ceases to flow in the thermal circuit shown in Fig. 3, the
Cth Rth circuit reconfigures, as illustrated in Fig. 5, and the
I2 • r
capacitor discharges according to the value of Rth.
Motor Heat
θtrip +
Dissipation Trip
–
θM
Fig. 3 First-order thermal model
Heat produced by the heat source is transferred to the
motor, which in turn dissipates the heat to the Cth Rth
surrounding environment. Motor thermal protection is
implemented in modern numerical relays based on this
Motor Heat
thermal model. The relay input current is the phase Dissipation
motor current. The purpose of motor thermal protection
is to allow the motor to start and run within the Fig. 5 Thermal model for motor stopped state
manufacturer’s published guidelines and to trip if the
By applying the presented approach to thermal
motor heat energy exceeds those ratings due to
modeling, it is possible to emulate the dynamic thermal
overloads, negative-sequence current, or locked-rotor
behavior of a motor, as shown in Fig. 6, to prevent
starting.
damaging temperatures for any operating condition.
Because the positive- and negative-sequence rotor
resistances (Rr1 and Rr2) are functions of the motor’s θ
speed, the model becomes nonlinear. An approach used
by some relay designers employs two linear models for
two different stages of the motor, as shown in the Fig. 4.
The limit current (ILIM), which determines when each
Heating Cooling Time
model applies, is defined by the designer. Certain relays
use a limit of 2.5 times the full load current of the motor. Fig. 6 Example of thermal model response for different
motor states
Start/Stall State
C. Stator and Rotor Thermal Models
3 • (I12 + I22 ) C'th R'th θ
For I1 > ILIM To accommodate the differences in stator and rotor

thermal properties, the first-order thermal model can be
Relay
divided into two separate thermal models, as follows:
Running State 1. The rotor model consists of the following
(I 2
1 + 5 • I22 ) Cth Rth θ elements:
− A starting element that protects the rotor
For I1 < ILIM
during the starting sequence.
− A running element that protects the rotor
Fig. 4 Thermal models for start/stall and running states when the motor is up to speed.
Because locked-rotor heating occurs over just a few 2. The stator model protects the stator during
seconds, the start/stall state thermal model assumes starting and when the motor is up to speed.
that no heat is lost to the surroundings and the resistor 1) Rotor Model
is removed from the thermal circuit. The motor’s rated
In the rotor model, the transition from one element to
locked-rotor current defines the thermal trip value.
the other is set at 2.5 times the rated full load current of
When the motor is running, it returns heat energy to
the motor. The high-inertia starting solution using the
its surroundings through radiation, conduction,
slip-dependent thermal model described in the following
convection, and (in some cases) forced cooling. The
subsection only affects the rotor element design.
running state thermal model provides a path for that
It is valid during a starting or stalled-motor condition to
energy return through the thermal resistance (Rth)
neglect ambient heat losses. This results in a
resistor, as shown in Fig. 4.
conservative estimate of the temperature to ensure good
The motor thermal characteristics (Rth and Cth)
operation. This is equivalent to eliminating (making
depend on many design factors. Among others, they
infinite) the thermal resistance from the model.
depend on the motor size (mass). This explains why it is
The rotor starting thermal limit is expressed in terms
so difficult or impossible to emulate large motor thermal
of the maximum time (motor safe stall time) that the
behavior with small bimetal devices. This is a clear
corresponding locked-rotor current (ILRA) can be applied
advantage for numerical relays, in which it is possible to
to a motor, as calculated in (1).
set different values for the motor parameters.
A slip-dependent thermal model of the rotor is θtrip = ILRA
2
• TSTALL (1)
discussed later in the paper.
3
The rotor resistance at a speed of zero is typically θtrip –
3 times that of the rotor resistance when the motor is at +
Trip
its rated speed. For this reason, the effect of the Running
State
positive- and negative-sequence currents is multiplied
by a heat source factor of 3 in the starting motor rotor (I
2
1 + 5 • I22 ) Cth Rth θ
thermal model.
Incorporating all of these changes results in the I2t
starting element of the first-order thermal model Fig. 9 Running motor rotor thermal element
illustrated in Fig. 7.
2) Stator Model
θtrip – The running motor overload curves show the stator
Trip
+ thermal limit. These curves fit the time-current equation
Start/Stall
State (2), where τ is the stator thermal time constant, I is the
3 • (I12 + I22 ) Cth Rth θ stator current in pu of rated current, I0 is the initial
current in pu of rated current, and SF is the motor
service factor. This equation has the form of a first-order
thermal model.
Fig. 7 I2t starting element
I2 − I02
To match the heat source factor of 3, the selected t = τ • ln (2)
thermal capacitance is also 3. When the motor positive- I − SF2
2
sequence current is equal to the locked-rotor current,

the estimated heat reaches the trip value within the The motor stator thermal time constant is a setting
locked-rotor time limit. Therefore, for starting protection, parameter for the running motor thermal model, and it
only the motor nameplate data are needed for the can be calculated from the stator thermal limit curves by
starting motor rotor thermal model. applying (2).
If the temperature response of this model is plotted Fig. 10 depicts the equivalent circuit that corresponds
against the line current of the motor, the response curve to the stator first-order thermal model. In this case, the
is a straight line, as illustrated in Fig. 8. thermal capacitance (Cth) equals the stator thermal time
constant (τ). Assigning a value of 1 to the thermal
1.0 10
resistance (Rth) resistor provides a value equal to τ for
Temperature (U/UL), Rotor R • 0.01
0.9 9 θ the time constant (Rth • Cth) of the equivalent circuit.

0.8 8
Because the positive- and negative-sequence currents
0.7 7 Rotor Temperature
have the same heating effect on the stator, the heat
0.6 6
source equals I12 + I22 . When Rth = 1, the trip threshold
Current
0.5 5 Motor Current

0.4 4 should equal SF2.
0.3 3
R1 = RM Constant SF2 –
0.2 2
Trip
0.1 1 Motor Torque +
0 0
0 5 10 15 20 25 30
Time (s) (I 2
1 + I22 ) Cth Rth θ
Fig. 8 I2t starting element response curve

Note that this model keeps the rotor resistance
Fig. 10 Stator running thermal model
constant at RM, which occurs at a standstill, where the
slip (S) is equal to 1.0 pu. D. Slip-Dependent Thermal Model
Fig. 9 depicts the electric analog of the first-order rotor
thermal model for the motor running condition. When the Reference [7] derives an expression for slip-
motor is running, it returns heat energy to its dependent rotor resistance [Rr(S)] in terms of the
surroundings. The running motor rotor thermal element maximum rotor resistance (RM), which occurs at a
provides a path for that energy return through the standstill (S = 1), and the normal rotor resistance (RN),
thermal resistance (Rth) resistor. In this state, the trip which occurs at the rated motor speed (S = rated slip).
threshold “cools” exponentially from a locked-rotor This expression is shown in (3):
threshold to the appropriate threshold for the running
condition using the motor thermal time constant. This Rr (S) = (RM − RN ) • S + RN (3)
emulates a motor temperature that cools to the steady-
state running condition. In the running condition, the
model considers the rotor resistance to have the rated
speed value (Rr = RN).
4
Fig. 11 shows the rotor resistance during starting. θtrip –
Trip
0.024 Start/Stall State +
0.022 Rr1 ( S ) Rr 2 ( S )
I12 • + I22 • Cth Rth θ
RM RM
Rotor Resistance Rr (pu)
0.02
0.018
Fig. 12 Slip-dependent thermal model
0.016
E. High-Inertia Starting
0.014
In high-inertia starting, the time to accelerate a motor
0.012 up to its rated speed is equal to or longer than its
0.01
locked-rotor time limit. High-inertia loads, such as
0 5 10 15 20 25 30 induced-draft fans, require long accelerating times and
Time (s) can exceed the allowable locked-rotor thermal limit.
Fig. 11 Rotor resistance during starting Prolonged starts are safely permitted in some situations
because the rotor resistance Rr(S) is a function of slip
The values in pu of the maximum rotor resistance and decreases as the motor accelerates.
(RM) and the normal rotor resistance (RN) can be The starting current of an induction motor at the
calculated by using (4) and (5) [8]. beginning of the start nearly equals the locked-rotor
current magnitude but has a lesser heating effect during
SLR
RM = TLR • 2
(4) the start because rotor resistance decreases as the
ILRA motor accelerates to rated speed.
A comparison of the conventional I2t starting element
where:
response curve to the slip-dependent starting element
TLR is the locked-rotor torque in pu. response curve is shown in Fig. 13. The comparison
SLR is the slip when the locked-rotor clearly shows that, because of the decreasing rotor
condition = 1. resistance as the motor accelerates, rotor temperature is
ILRA is the locked-rotor current in pu. not a linear relationship. This provides the ability to
facilitate high-inertia starts without premature motor
SN
RN = TN • 2
(5) trips.
IFLA
1.0 10
Temperature (U/UL), Rotor R • 0.01
where: 0.9 9
I2t
TN is the nominal torque in pu. 0.8 8
0.7 7 Slip
SN is the slip at the rated speed. Dependent
0.6 6
IFLA is the motor’s rated current in pu.
Current
0.5 5 Motor Current

To establish the slip-dependent thermal model, it is 0.4 4
necessary to incorporate the slip-dependent rotor 0.3 3
resistance into the heat source of the thermal model 0.2 2
shown in Fig. 7. 0.1 1 Motor Torque
Expressing the slip-dependent resistance value Rr(S) 0 0
in terms of its maximum value (RM) and substituting it 0 5 10 15 20 25 30
Time (s)
into the heat source equation provides (6):
Fig. 13 Comparison of starting element response
Rr (S)
W = I2 • r = I2 • (6) curves
RM
III. DETECTING BROKEN ROTOR BARS
Breaking (6) down into positive-sequence (Rr1) and
negative-sequence (Rr2) components accommodates The detection of a broken rotor bar as soon as it
motor heating caused by balanced current (positive occurs is essential to minimize damage and reduce the
sequence) and any current unbalance (negative time and cost to repair the motor. According to [2], the
sequence) that is present. broken-bar condition results from mechanical and
Replacing the heat source of Fig. 7 with (7) provides thermal stresses that lead to a fracture at the junction
the slip-dependent thermal model shown in Fig. 12. between the rotor bar and the end ring.
In order to detect a broken-bar condition, MCSA can
Rr1(S) 2 Rr 2 (S) be applied [9] [10]. With this method, the frequency
WTOTAL = I12 • + I2 • (7)
RM RM spectrum of the stator current is calculated and analyzed
to check whether lower and upper sidebands (i.e.,
[1 ± 2S]f0, where f0 is the nominal frequency) are present
in the stator current, indicating that the rotor has broken
bars. The magnitude of the sidebands is proportional to
the number of bars that are broken.
5
A. Broken-Bar Detection Element Low-frequency load oscillations can cause current
signatures similar to those of a motor with broken bars
Reference [2] describes a broken-bar detection [2]. One method of differentiating the two is to apply an
element (BBDE) with zero settings. The BBDE algorithm algorithm that detects the presence of a greater-than-
runs periodically to detect a broken-bar condition. It is normal frequency component, which may indicate a
composed of three steps: initialization, data collection, broken-bar condition.
and data processing. During the initialization step, the To detect broken rotor bar conditions in different
algorithm calculates a new current from the phase situations and monitor how they evolve, the event
currents that does not include the portion that flows to history and fast Fourier transform function can be
ground. It then records this current magnitude and the applied in conjunction. This makes it possible to
system frequency. A motor-running condition is detected differentiate situations involving voltage sources with
during the data collection step using these values as a low-frequency components and oscillating loads from
reference. the broken-bar condition.
During the data collection step, the algorithm squares
the current calculated in the initialization step to IV. ARC-FLASH DETECTION
decouple the frequency of interest from the power
system frequency and to move both sidebands into the Applying traditional time coordination for industrial
same frequency. This squared current is also passed systems, like motor control centers (MCCs), can lead to
through a low-pass filter. Finally, the algorithm stores a high fault-clearing times. Fault clearing times are
collection of consecutive samples, referred to as a typically between 0.5 and 1.0 second. However, high
samples window, in digital memory. fault current in combination with long fault clearing times
During the data processing phase, the algorithm causes a very high arc-flash energy, which is a highly
computes the fast Fourier transform of the samples undesirable situation [11]. Therefore, the goal is to
window data and then calculates the magnitude reduce the fault clearing time in order to reduce the arc-
associated with each frequency component. Finally, the flash energy.
average magnitudes of the frequency components are One option to reduce arc-flash energy in radial
compared with a healthy motor threshold. Figure 14 in substations is to apply a simple and economical zone-
[2] shows the thresholds on the frequency spectrum of a interlocked blocking scheme, sometimes called a fast
motor running at 50 percent load with one broken bar. bus-tripping scheme. This scheme provides relatively
high-speed fault clearing for buses that do not have
B. Experimental Results differential protection. Instead of relying on a traditional
coordination interval in the bus main relay, this scheme
Reference [2] also presents some experimental only requires a short delay to allow the feeder relays to
results of the method described in this section using block the bus main relay for a fault external to the bus.
actual broken rotor bars. For the experimental tests, a The scheme can operate for bus faults in approximately
healthy motor and motors with one, two, or three broken 2 to 3 cycles.
bars had their current frequency spectrums compared Fig. 14 shows an event report for a real fault on a
when running at 50 percent of the nominal load. The 480 V bus with an arc flash. The fault started as a
results are shown in Figure 27 in [2]. The values of the single-line-to-ground (SLG) fault on Phase B. After
sideband peaks clearly increase as the number of 1 cycle it evolved into a three-phase fault with a
broken bars increases. considerable increase in the fault current level. Even in
Different load conditions were also experimentally impedance-grounded systems that have low current
tested, and the results are shown in Figure 28 in [2]. The levels for SLG faults, such faults represent a high risk in
frequency of the sideband peaks decreases as the load terms of arc flash because of the fault evolving.
level decreases, and the peaks become undetectable Another interesting observation about Fig. 14 is the
when the motor is unloaded. fact that the fault current is not a pure sine wave at the
Reference [2] describes how broken bars can be fundamental frequency. This is because the arc
erroneously detected during low-frequency source resistance is not constant, and it plays an important role
voltage oscillations. It also recommends some strategies in low-voltage systems. Overcurrent relays that operate
to differentiate a broken-bar condition from a voltage based on fundamental components calculate an
oscillation (e.g., verify if all motors connected to the incorrectly low value for the fault current, which can
same feeder show the same current spectrum, and compromise the tripping of the instantaneous
measure the voltage farther away from the motor and overcurrent element.
closer to the source to confirm the presence of low- The most effective method to reduce fault clearing
frequency components on the power supply). In times is applying arc-flash protection with light sensors
addition, these low-frequency voltage oscillations may combined with fast overcurrent elements. Some modern
not be present in the system all of the time. They numerical motor relays have incorporated arc-flash
typically appear when the system is heavily loaded or detection and support the connection of multiple
very lightly loaded. sensors.
6
Fault Inception
(Phase B to Ground)
Fault Evolves to
Three-Phase
Fig. 14 An event report for a real fault on a 480 V bus with an arc flash
The purpose of detecting arc flashes is to accelerate makes possible the detection of arc flashes in large
accurate decisions to trip the circuit breaker and areas with only one sensor.
interrupt the fault. Arc-flash detection in a protective
relay minimizes trip time, cost, and complexity. Enabling
arc-flash detection in the relay makes use of the current
monitoring and protection already in the circuit.
Arc-flash detection sensors provide a clear
measurement of an arc flash because the light emitted
during an arc-flash event is significantly brighter than the
normal background substation light. It is also possible to
supervise their operation with a fast overcurrent
element, as discussed later in this section. The light
surge is visible from the initiation of the flash and is
easily detected using proven technology. The most
common sensors are lens-point sensors and bare fiber-
optic sensors.
The light is channeled from the sensor to the detector
located in the protective relay. Monitoring the system
Fig. 16 Bare fiber-optic cable
integrity is accomplished using a fiber-optic loop. In the
case of lens-point sensors (see Fig. 15), each lens has Arc-flash detection systems typically use a
an input and an output connection. The input is combination of lens-point and bare fiber-optic sensors.
connected to a transmitter in the relay, and the output is Proper installation of the sensors and relays provides
connected to a detector in the relay. This loop logical detection and trip points in any system.
connection allows periodic testing of the system by Sensors should be located where arc-flash detection
injecting light from the transmitter through the loop and can trip the corresponding upstream circuit breaker.
back to the detector. This loop connection system works Using multiple sensors and having motor and feeder
with either a lens-point sensor or a bare fiber-optic relays that support connections to light sensors, as
sensor. shown in Fig. 17, provides 100 percent coverage for arc-
flash protection that operates in the order of 2 to 3 ms.
Relay Relay
Bare Fiber- Lens-Point

Optic Sensor Sensor
Fig. 15 Lens-point sensor

Relay Relay Relay Relay
A bare fiber-optic sensor consists of a high-quality
plastic fiber-optic cable without a jacket (see Fig. 16).
The clear fiber-optic cable becomes a lens that captures
Fig. 17 Typical arc-flash detection system with sensors
light from the area. Using a bare fiber-optic sensor and relay-to-relay communication
7
The installation of sensors varies depending on the designs, processes, and procedures. The addition of
switchgear manufacturer, type of gear, and number of arc-flash detection improves the safety of installations.
sections. Multiple sensor inputs provide coverage and Arc-flash detection systems can be designed into new
sectioning options. One bare fiber-optic sensor can switchgear or retrofitted into existing gear. The security
provide excellent coverage for an entire bus section. of arc-flash detection systems can be increased by
Lens-point sensors provide better detection in small, parallel overcurrent and light-detection systems.
confined spaces.
One obstacle to using light sensors is the need to VI. REFERENCES
measure and adjust for changing ambient light levels.
Relays store analog measurements of light and current [1] T. Fleiter, W. Eichhammer, and J. Schleich,
values. Users can view these measurements and set the “Energy Efficiency in Electric Motor Systems:
normal light levels for the application. Relay event Technical Potentials and Policy Approaches for
reporting also provides a commissioning and Developing Countries,” United Nations Industrial
troubleshooting tool with time-tagged events, including Development Organization, Vienna, Austria,
sensor light levels. November 2011. Available: https://www.unido.org.
In order to add security to an arc-flash detection [2] C. Pezzani, P. Donolo, G. Bossio, M. Donolo,
scheme, a high-speed overcurrent element can be A. Guzmán, and S. E. Zocholl, “Detecting Broken
applied in conjunction with the light sensors, as shown in Rotor Bars With Zero-Setting Protection,”
Fig. 18, without sacrificing trip speeds. The high-speed proceedings of the 48th Industrial & Commercial
overcurrent element is based on raw samples in order to Power Systems Technical Conference, Louisville,
avoid the long delays of filtering. The added advantage KY, May 2012.
of processing the arc-flash detection in the protective [3] T. E. Neal and R. B. Hirschmann, “The Myths and
relay is the ability to use a true overcurrent Realities of Arc Flash Protection,” Electric Energy
measurement as a supervising element to improve Magazine, May/June 2004.
security. Setting the current level below the normally [4] P. Whatley, M. Lanier, L. Underwood, and
expected load enables the arc-flash detector as the trip S. Zocholl, “Enhanced Motor Protection With the
mechanism and removes any time lag; however, it Slip-Dependent Thermal Model: A Case Study,”
sacrifices security and makes the system dependent on proceedings of the 34th Annual Western Protective
light detection alone and must be avoided. Relay Conference, Spokane, WA, October 2007.
[5] S. E. Zocholl, AC Motor Protection. Schweitzer
Light Sensor Engineering Laboratories, Inc., Pullman, WA,
& Arc-Flash
Protection
2003.
[6] S. E. Zocholl, “Optimizing Motor Thermal Models,”
Current Input
proceedings of the 53rd Annual Petroleum and
Chemical Industry Conference, Philadelphia, PA,
Fig. 18 Light detection in combination with high-speed September 2006.
overcurrent element [7] S. E. Zocholl and G. Benmouyal, “Using Thermal
Limit Curves to Define Thermal Models of
V. CONCLUSIONS
Induction Motors,” proceedings of the 28th Annual
Motor protection is greatly enhanced by numerical Western Protective Relay Conference, Spokane,
relays. Induction motors require thermal protection to WA, October 2001.
prevent overheating for cyclic as well as steady-state [8] S. E. Zocholl and E. O. Schweitzer, III, “Protection
overloads. of Large Induction Motors – Practice vs. the Actual
The heat rise in a motor caused by I2 • r watts is a Model,” proceedings of the 39th Annual Georgia
first-order process that can be represented by a first- Tech Protective Relaying Conference, Atlanta, GA,
order thermal model, which a motor relay can use to May 1985.
continuously calculate the temperature in real time. The [9] H. W. Penrose, Electrical Motor Diagnostics,
calculated temperature is monitored to prevent 2nd ed. Success by Design, 2008.
overheating. [10] G. B. Kliman, R. A. Koegl, J. Stein, R. D. Endicott,
The slip-dependent thermal model tracks the motor and M. W. Madden, “Noninvasive Detection of
temperature more accurately than the I2t model, thus Broken Rotor Bars in Operating Induction Motors,”
facilitating high-inertia starts without the use of speed IEEE Transactions on Energy Conversion, Vol. 3,
switches. Issue 4, December 1988, pp. 873–879.
BBDE algorithms that apply MCSA in modern [11] J. Buff and K. Zimmerman, “Application of Existing
numerical motor relays, in conjunction with the event Technologies to Reduce Arc-Flash Hazards,”
history and the fast Fourier transform function, permit proceedings of the 60th Annual Conference for
the detection of broken rotor bars under a wide variety of Protective Relay Engineers, College Station, TX,
motor conditions. The detection element identifies the March 2007.
most common broken-bar cases. The event history
records and makes possible more accurate analysis of
when problems start and how they evolve.
Arc flashes present a clear danger to personnel.
Worker safety should always be at the forefront of
8
VII. VITAE Alejandro Rodriguez graduated from the Universidad
Metropolitana, Venezuela, in 2006 with an M.Sc. in
Ricardo Abboud received his B.S.E.E. degree in electrical engineering. In 2006, he joined Honeywell in
electrical engineering from Universidade Federal de Caracas, Venezuela, as a junior engineer in sector
Uberlândia, Brazil, in 1992. In 1993, he joined CPFL automation, programming and configuration of control
Energia as a protection engineer. In 2000, he joined strategies, and human-machine interface development.
Schweitzer Engineering Laboratories, Inc. (SEL) as a In 2009, he joined Gruppo Loccioni in Angeli di Rosora,
field application engineer in Brazil, assisting customers Italy, as a junior electrical engineer in electrical industrial
in substation protection and automation. In 2005, he system design and power generation systems. He joined
became the field engineering manager, and in 2014, he Schweitzer Engineering Laboratories, Inc. in 2010 as a
became the engineering services manager. In 2016, he junior engineer and is currently working as an
transferred to Pullman, Washington, and is currently an application engineer in protection in Eindhoven,
international technical manager. He is a certified Netherlands. He is a licensed professional electrical
instructor at SEL University, and has authored and engineer.
coauthored several technical papers. alejandro_rodriguez@selinc.com
ricardo_abboud@selinc.com
Dibyendu Bhattacharya graduated from Jadavpur

University, India, in 1991 with a bachelor of electrical
engineering first-class honours degree. He worked for
14 years with the Indian Oil Corporation Ltd. refineries
division, testing, commissioning, troubleshooting, and
maintaining electrical equipment and power systems. He
worked for the Kuwait National Petroleum Company, as
well as Fluor Limited and KBR, as a lead engineer for oil
and gas projects before joining BP. He has presented
papers at PCIC London and coauthored one paper. He
is a Chartered Engineer and a Fellow of the Institution of
Engineering and Technology (IET) in the United
Kingdom.
dibyendu.bhattacharya@uk.bp.com
Paulo Lima received his B.S.E.E. from Federal

University of Itajubá (UNIFEI), Brazil, in 2012. He has
been an application protection engineer for Schweitzer
Engineering Laboratories, Inc. since 2012, providing
technical support for industrial customers in Brazil.
paulo_lima@selinc.com
John Needs graduated from the University of Bath in

1981 with a degree in physics with physical electronics.
He started work with GEC Measurements in 1982 as a
development engineer, initially working in type testing
and then programming distance relays. Next, he was a
relay engineer for National Grid and later joined Alstom,
first as an application engineer and then as an instructor
in the training department. In 1998, Mr. Needs joined
Schweitzer Engineering Laboratories, Inc., where he
currently works as a regional technical manager.
john_needs@selinc.com

BER-37 Direct On Line Energization of Subsea Power Transformers1

Uploaded by

Copyright:

Available Formats

BER-37 Direct On Line Energization of Subsea Power Transformers1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BER-37 Direct On Line Energization of Subsea Power Transformers1

Uploaded by

Copyright:

Available Formats

ENERGIZATION OF SUBSEA POWER TRANSFORMERS

Copyright Material PCIC Europe

Terence Hazel Pierre Taillefer Scott Williams Richard Paes

Index Terms — Transformers, Inrush Current, Subsea

II. LIMITING INRUSH CURRENT

Power transformer inrush current has many negative

Fig. 3 Typical CSD Installation

Since the CB characteristics are closely linked to the

III. SUBSEA ASD CONSIDERATIONS

The ASD of Fig. 4 uses current source technology (CSI)

V. TELEMETRY & CONTROL

All telemetry and remote control is provided via optical

Terence Hazel graduated from the University of

Jeff McQueen Jason Couch

system allowed for easier management of data to report the C

The electrical safety assurance protocols covered:

Grounding & Static

Site 1 • Delegation of authority;

The authors would like to acknowledge:

Causes Prevention Barriers Risk Event Mitigation Barriers Consequence

Electrical Safety Rules

Electrical Distribution Protection systems

Electrocution and/or Arc Flash

Figure A-1: Personal Risk Bowtie

Causes Prevention Barriers Risk Event Mitigation Barriers Consequence

Figure A-2: Process Risk Bowtie

Amendment 1 to the second edition [9], issued in 1979

Thomas Besselmann Pieder Jörg Terje Knutsen

Erling Lunde Tor Olav Stava Sture Van de moortel

C. Requirements for power loss ride through

The amount of torque necessary to prevent the

IV. PROPOSED CONTROL SOLUTION

In this section the novel model predictive control

A. Generic Description of the MPC Algorithm

TABLE 2 The continuous-time optimal control problem can thus

d iDC V. VERIFICATION ON A HIL SYSTEM

In this section the simulation results on the HIL system

In Fig. 11 the course of the grid voltage magnitude and

I. INTRODUCTION A. Testing need

B. Power Generation Fig.3: Frequency response on load impact

VI. TESTING DURING OPERATION

The follow-up by one specialist of a project from the early

Martin Jones Paul Hague Mike Ellis Peter Bennett

Copyright Material PCIC Europe

Yann-Eric Bouffard Vercelli Gagan Kapoor Guillaume Bruandet

3.5. Ability to accept load flow analysis

The Simulator is not using its own predefined reflex value,

Hardware Simulation is the second main simulation

The principle of Communication Simulation is simple. Via

Figure 2 Offline Simulation Architecture

[1] The benefits of using dynamic simulation and

Yann-Eric BOUFFARD-VERCELLI earned his PhD in

Gagan KAPOOR graduated from MANIT, Bhopal –India

Guillaume BRUANDET graduated from the University

Ricardo Abboud Dibyendu Bhattacharya Paulo Lima

John Needs Alejandro Rodriguez

Starting Current (80% Vn)

10 Locked Rotor (Hot)

For I1 > ILIM To accommodate the differences in stator and rotor