OTC 24236

BOP MUX Control System: Comparing Embedded Computer Based Versus

PLC Hybrid System for Maximum Reliability
Earl Shanks, John Socco, Greg Boyle, Lynn Tinney, Robert Johnigan, Charles Whitney, Oceaneering
International

Copyright 2013, Offshore Technology Conference

This paper was prepared for presentation at the Offshore Technology Conference held in Houston, Texas, USA, 69 May 2013.
This paper was selected for presentation by an OTC program committee following review of information contained in an abstract submitted by the author(s). Contents of the paper have not been
reviewed by the Offshore Technology Conference and are subject to correction by the author(s). The material does not necessarily reflect any position of the Offshore Technology Conference, its
officers, or members. Electronic reproduction, distribution, or storage of any part of this paper without the written consent of the Offshore Technology Conference is prohibited. Permission to
reproduce in print is restricted to an abstract of not more than 300 words; illustrations may not be copied. The abstract must contain conspicuous acknowledgment of OTC copyright.

Abstract
Description of the Proposed Paper
Deepwater BOP Control Systems are typically a Multiplexed Electro-Hydraulic (MUX) System for water depths
greater than 5,000 ft. There are currently two dominate hardware philosophies in the industry; Embedded
Computers (EC) and Hybrid Personal Computer (PC) and Programmed Logic Controllers (PLC) based systems.
This paper presents Oceaneering Internationals Embedded Computer technology, and compares it to PLC/PC
Hybrid Systems.
Application
There are several different EC based and Hybrid PC/PLC based OEM systems in the market today, each
somewhat different. Each must be evaluated individually, based on its unique hardware and software design and
implementation. Information in this paper will explain the system architecture and philosophy of the EC based
system and gives a comparison with Hybrid PC/PLC based systems. This system information can be used by
interested parties to perform a more detailed comparison of other OEM systems.
Results, Observations, and Conclusions
It has been found beneficial to use components that comply with MIL Specifications whenever possible. The
electronics which are not purchased are designed in-house and built to IPC Class 3 requirements (Electronics for
Life Support and Safety Critical Systems).
This strategy gives maximum reliability and allows flexibility in form factor to develop optimal subsea electronic
packaging.
The EC system allows programming in an object oriented language which allows creating software objects once
and reuse them in many places without copying the code.
An EC based system has high data rates between surface and subsea for very high bandwidth for solenoid
control, status readback, and diagnostic capabilities when using Fiber Optic Communication. The EC type system
also allows for more robust and flexible communications options than other types of system architecture.
Significance of Subject Matter
What makes a system reliable is the complete understanding and control of the hardware/firmware/software
design, manufacturing process, and testing procedures.

OTC 24236

MUX System Overview

A Multiplex (MUX) Electro-Hydraulic (E/H) Control System employs both surface and subsea equipment to control
the Blowout Preventer (BOP) Stack installed on the wellhead at the sea floor. The Diverter Control System
employs surface equipment to control the Diverter, Telescopic Joint (TJ), and primary mud valves. Some systems
the diverter controls are integral to the MUX systems while others are designed as stand alone control systems.
The following system overview reflects an EC based system, but the PLC/PC Hybrid System functions similarly.
The control system architecture is microprocessor based that is multiplexed and electro-hydraulically controlled.
The subsea electro-hydraulic and hydraulic systems respectively, are designed primarily as open-loop; whereby,
the environmentally friendly fluid medium is vented subsea. In addition, most systems employ a Data Acquisition
System (DAS) that incorporates several control techniques up to and including: Multiplexing which sequentially
transmits electrical control signals from the surface equipment to the subsea equipment and vice/versa.
The commands and readbacks originate at various surface and subsea devices and are transmitted over copper
and/or fiber optic cables, providing virtually instant response time for control devices and real-time monitoring and
logging of instrumentation systems in water depths up to 12,500 feet water depth.
The surface components of the MUX Control System, for controlling the Subsea BOP, consist primarily of the
Master Control Station (MCS), Drillers Control Panel (DCP), the remote Toolpusher Control Panel TCP), and the
Emergency Disconnect Sequence (EDS) Panel.
The Master Control Station (MCS) is a fully functional workstation for installation in a central protected location
such as the BOP control room. This is the main control unit, responsible for system configuration, data
acquisition, and graphic readouts for the entire control system. It operates independently and may be used as a
control station in addition to the Driller's and Toolpusher's remote Human Machine Interface (HMI) Panels. The
MCS contains the Central Control Unit consisting of a redundant microprocessor based System Control Units
(SCU) attached to a single fault tolerant power and communications structure. The MCS is to be installed in a
non-hazardous rated location.
The Driller's Control Panel is a micro-processor based unit that remotely provides a graphic representation of the
BOP Control System and auxiliary equipment and is part of the main BOP MUX Control System. The system
utilizes dedicated remote control panels, which interface to the MCS. The Drillers control panel is typically located
in the Drillers Cabin.
The Toolpusher's Control Panel is a micro-processor based unit that remotely provides a graphic representation
of the BOP Control System and auxiliary equipment and is part of the main BOP MUX Control System. The
system utilizes dedicated remote control panels, which interfaces to the MCS.
Emergency Disconnect Sequence (EDS) Panel (mounted near the Drillers chair) allows the rig to quickly
disconnect from the subsea stack under planned or unplanned (emergency) situations. The enclosure is fitted
separate from the BOP stack control section and interfaces via a cable to the network node of the Drillers panel
through intrinsically safe barriers.
Subsea the electronic and electrical components are located in redundant Control PODs. Each pod will have a
redundant power supply, transformer, and redundant controllers and processors to activate the solenoid valves
which will control the BOP functions.
The MUX BOP Control System is made up of electrical, electronic and hydraulic components. This paper will
address only the electrical and electronic areas of the system which relate to receiving and transmitting (delivery)
of the commands which activate the hydraulic functions and capture and display critical information about the
system.
Application of EC Based Systems Subsea
The use of EC based systems within Oceaneering has been continuous since 1993. The first use was with the
ROV fleet worldwide. In 2000, the BOP Controls Group was formed and has continued to use the experience
gained with the ROV Group. ROV and BOP Controls use a common operating system, software architecture, and
software development process. Over the last 19 years, from 1993 to 2012, the Oceaneering ROV fleet has
operated using OII proprietary software on Embedded Computers for the surface and subsea telemetry and
control systems. These computers have logged approximately 12 million hours of operation. Oceaneering has a

OTC 24236

dedicated software group that supports the two groups and shares resources with very little turnover. This
longevity of employees and growing knowledge base is a strong portion of the recipe in building reliable
equipment. The importance of software testing procedures cannot be overstated for either type of system
architecture. Oceaneering uses its core technology not only in the BOP MUX, but also in the existing fleet of 300+
ROVs.
Functionality Requirements of EC and PLC Hybrid Systems
The Oceaneering embedded computer control system uses a common architecture throughout the system with
the same equipment for the main system controllers, the system I/O, the HMI displays and functionality, the
subsea controllers, and the remote data acquisition located on the LMRP and the lower stack. This allows the
system to utilize a common operating system and software application, and a simplified spare parts inventory
throughout the system. Below is a simple flow chart illustrating an Embedded Computer System.

OTC 24236

The Hybrid PC / PLC type system typically uses a desktop or panel mounted computer to support HMI and user
interface functionality and a PLC based I/O and data acquisition system. This type of system will typically utilize
different communication protocols for the HMI and Data Acquisition (DAQ) systems adding system complexity and
also requires different OS platforms and software applications be implemented across the system. This type of
system may have three or more different hardware/software platforms deployed throughout the system to
accommodate the HMI applications, the surface control and DAQ applications, and the subsea control and DAQ
applications. Below is a simple flow chart illustrating the PC/PLC Hybrid Based System.

OTC 24236

Functionality Differences Between EC and PLC Hybrid Systems

From the control system operators perspective, the look and feel of the two systems could be nearly identical.
This is primarily due to the similarity of the HMI interface. Both systems will most likely employ a computer based
HMI display. The similarities would be limited to the operator stations. The two systems would be radically
different from an implementation and task completion viewpoint, due to the different system architectures.
PLC Scan Time versus IRQ (event control) of EC system: A PLC can do IRQ/Event, but is very complicated and
can't be done by all. Using an EC System allows higher priority items that can be coded and serviced properly.

OTC 24236

Drilling conditions can change from well to well. One control sequence that occasionally gets changed is the
Emergency Disconnect Sequence (EDS). For a PLC system to change the EDS sequence requires a re-compile
of the code if the EDS is executed in the PLC portion of the system. On Embedded Computer systems this can be
read from separate files (so re-compiling is not required).
The Oceaneering EC System has one (1) program that is installed on all of the Embedded Computer nodes. This
one (1) program can be inserted into the entire system and all nodes be updated with the latest version in
approximately 35 minutes. This has many advantages, one being system reliability. A PLC system has multiple
programs. The EC System gives the ability to verify software version for each computer from a central control
point (Master Control Station).
For a PLC based system, each PLC will need to be physically connected to a computer to install / modify the
ladder logic code. Each PLC will run a different set of ladder logic instructions, so each PLC will need to have a
separately documented program. All HMI interface PCs will require individual access to load new software due to
HMI changes. This may also require different programs for each HMI location.
EC Based MUX BOP Control System Communications Architecture
The Oceaneering BOP control software is written in a general purpose programming language and runs on top of
an embedded operating system. It is not constrained to run a single control loop, but instead is event driven with
all activity in the system originating from a multitude of timers. The software is also modular and can be thought of
as a collection of independent modules. Each module is responsible for doing a small piece of the work of the
control system. Some modules are responsible for controlling various types of I/O devices; others process data
from the serial ports; others show various graphics pages on the display, and so forth. Rather than having the
actions of these modules hard coded into a fixed, linear control loop, the modules are stimulated independently by
timers to perform various functions.
Figure 1, below, shows timers, HMI control modules and I/O device control modules in the system control node.
The period of each timer can be configured independently which allows the system to more readily adapt to
different physical constraints and speed requirements. In other words, the system does not need to monitor inputs
from all devices at the same rate. More critical inputs can be allotted more processing time and bandwidth.
Because the embedded operating system is multi-threaded, they can also be given a higher processing priority.
In a common scenario, a timer stimulates a device controller. The device controller then prepares a message that
contains the output information for its device. The controller then hands off the message to other pieces of the
software that is responsible for sending the message (usually over a real hardware telemetry link, such as RS232)
to a device driver. The driver is then responsible for communicating with the device in a format that the device
understands and passing back the input data to the controller. The device controllers also requests various kinds
of diagnostic data from the device drivers, however those requests are usually stimulated by a different timer so
that the data rates of control and diagnostic data can be controlled separately for optimal use of the available
bandwidth and processing resources. The controller / driver architecture itself also allows for efficient use of
umbilical bandwidth in that we have complete control over the format of the message between the controller and
driver and are not constrained by the telemetry format used by the I/O device. It also allows all topside / subsea
communications to be in a CRC checked, proprietary format that resists undetected message changes due to
noise and would be difficult for a malicious interceptor to understand or replicate.
Because device controllers are driven by timers and operate independently, messages to any number of I/O
devices can be sent essentially in parallel with the only normal constraint being the speed of the communications
link.

OTC 24236

OPEN

BLOCK

CLOSE

LOCK

BLOCK

Surface Node

UNLOCK

OPEN

VENT

VENT

Surface Node

CLOSE

Surface Node

MCS

TCP

DCP Mon 4

System Control
Node
User
Interface
Controllers

User
Interface
Timer

User
Interface
Controllers

Control
Data
Timer

Logic

User
Interface
Timer

User
Interface
Controllers

User
Interface
Timer

Diagnostic
Data
Timer

(Device)
Controller

Digital I/O Card

Controller

Analog
Controller

Solenoid
Controller

Subsea Node

Solenoid
Driver

Subsea Device

Solenoid
Card

Digital I/O Card

Driver

Subsea Device

Analog
Driver

Subsea Device

Digital I/O
Card

Analog
Card

(Device)
Driver

Subsea Device

(Device)

Figure 1.
Embedded Computer System Features
The following system features are found on the Oceaneering EC Based System and may not be found on other
OEM EC Based Systems.
A SAFE Cassette (Solenoid ARM & FIRE Electronics) is an Amphenol replaceable module (Cassette) that is the
power electronics portion to control 24 individual solenoids. Therefore, to control 144 solenoids, six (6) cassettes
will be required. The SAFE Cassette houses a redundant A & B side embedded computer which includes data
acquisition and digital IO, along with the redundant A & B side power electronics.
A SAFE Cassette communicates (gets commands and provides analog digital feedback) to upstream Embedded

OTC 24236

Computers in the SEM, via RS232 for A and/or B side. Control for each solenoid, by a unique circuit, is activated
through the A and/or B subsea computers via the Arm/Fire commands initiated from the surface controllers.
To control a solenoid, the SAFE Cassette has an A side ARM (sinking switch) and Fire (sourcing switch) and B
side ARM (sinking switch) and Fire (sourcing switch). A & B sides are combined with ORing diodes. This
prevents a single fault from turning on the solenoid and a single fault from preventing the solenoid from being
turned off. Either power supply can fail and not affect the solenoid as well.
By separately controlling both the (-)/Arm and (+)/Fire direct current electrical sides of the solenoid, fault tolerance
is improved and reduces the risk of unintended actuation of a solenoid due to a short circuit or sea water intrusion
into the connectors.
Digital feedback is provided from each of these ARM/FIRE switches along with analog voltage and feedback
going to the solenoid.
The system monitors the feedback to the control system, verifying that the solenoid commanded action has
occurred. In addition, the solenoid circuit captures the electro-mechanical signature of the solenoid/valve
assembly by measuring the voltage and current levels plotted against time thus making a profile of each solenoid
when it is energized. A date/time stamp is generated and attached to each solenoid every time it is energized.
That signature is recorded and logged, then archive stored for future comparison should that solenoid event
profile be needed for maintenance evaluation, historical prediction or proof of performance.
In order to have self-diagnostics of the solenoid (Voltage/Current Signature Capture during turn-on) and the digital
feedback, the Embedded Computer and data acquisition system must be appropriately small to get the required
IO density into the required space. There is roughly 360 IO points per SAFE Cassette. One SEM contains 6 SAFE
Cassettes (2160 points of IO). The IO density would make using a PLC very difficult, if possible at all.
System fault tolerance, redundancy, reliability, maintainability, availability, and integrity are major considerations
in the design and configuration of the BOP Control System.
The system is Fault Tolerant, meaning a component or subsystem failure, will not cause an undesired change in
status of devices controlled by this system; thereby enabling the system to remain operational for
controlling/securing the well. This equipment includes real-time/self-test and diagnostics that can identify nonoperative or defective circuits and functions in the control system, and describe the fault to the logging systems
and alarm circuitry.
Surface to Subsea Communications from the Comms/Power Distribution Panels A and B to the Mux Blue and
Yellow Cable Reels is modem to modem via a proprietary protocol.

Subsea to Subsea - All equipment in the Oceaneering EC BOP Control system communicate
via proprietary packet framing using standard RS232, RS232 to fiber optic, and RS232 to
RS485.
Subsea to Subsea - All equipment in the Oceaneering EC BOP Control system communicate via proprietary
packet framing using standard RS232, RS232 to fiber optic, and RS232 to RS485.
The EC System allows for extensive Self Diagnostics. The system has an architecture that is aware and therefore
this requires the appropriate amount of sensor feedback. This drives the IO count up and once again requires the
system to have the appropriate IO size density in the hardware.
Oceaneering EC System doesn't use the Windows Operating System anywhere inside the control system
software nor is it used it for HMI. The system uses a non-windows based real-time operating system.
The Oceaneering software group runs a complete MUX electronics package at their facility simulating actual MUX
field conditions. This system allows all software and electronic hardware changes to be fully tested/simulated for
long periods of time before modifying the system in the field. It also allows the software team to introduce and test
errors that would be difficult or impossible to test without simulation capabilities.

OTC 24236

In addition to complying with the API's recommended redundancy practices for BOP Control System equipment,
the BOP Control System specifies single-fault tolerance features in critical components and command
communication circuits. In the event of an anomaly, the BOP Control System evaluates the anomaly and if
command integrity is in doubt, switches to a redundant system and alerts the operator. This single fault tolerance
in critical command paths permits operations to continue in the event of specified hydraulic or electronics faults in
the pod, central control unit, or critical communication paths.
Conclusion
Historically both EC and PC/PLC Hybrid MUX systems have been used successfully. However both type systems
have also had problems to some degree. The Embedded Computer Systems offer advantages to the PC/PLC
Hybrid systems when it comes to the amount of data that can be collected for system status and diagnostics
capability. EC systems can also benefit from more flexible programming strategies and best practices which can
enhance system reliability when used correctly.
From a Hardware, Software and support perspective, Oceaneering believes that the Embedded Computer control
system is superior to the PC/PLC Hybrid control system. The Oceaneering EC system contains common
hardware throughout the system allowing the rig to stock common spare parts for use on any system node. The
Oceaneering software design uses only one (1) software application for the entire system thus simplifying
software updates and loading on spare hardware. Changes to rig configuration or EDS Sequences can be made
without recompiling the software or modifying code, allowing for short turnaround when the rig changes locations
or when drilling conditions change.
Acknowledgement
The authors would like to thank Ray Dextraze for his contributions to MUX BOP Control Systems in the paper and
his insight to industry control systems for the past 37 years.