Loss of redundancy in diving bell launch and recovery PLC system

Investigation of the alarm indicated loss of automatic (LARS) PLC redundancy caused by failure of one of the PLC fibre optic processor synchronisation links.

The failure resulted in the loss of normal operation and increased the risk of single point failure of the dive bell Launch and Recovery System (LARS), so the decision was taken to return to port. No-one was injured. The divers in the saturation chambers were not affected by the system fault.

In port, an independent control system specialist reviewed the diagnostic data and confirmed the dive technician’s initial diagnosis that one of the redundancy synchronisation link fibre optic communication modules had failed.

Unfortunately, it was not possible to immediately repair the loss of automatic redundancy fault as the dive control systems spares inventory did not include spare synchronisation modules. The original equipment manufacturer who designed the dive bell LARS PLC system had made no recommendation to hold spare synchronisation modules in stock. Spares were immediately ordered but were not readily available.

The company and the client discussed a way forward, and a “return to work” protocol was discussed, risk assessed and approved. Risk assessment involved testing the LARS operation of each of the redundant PLC processors independently and manual changeover of the processors to proof test a temporary manual redundancy option. These tests were carried out successfully on both forward and aft dive bells. The DSV then returned to the field and safely completed the job for the client with no further issues.

At a subsequent port call the spare synchronisation modules were delivered and installed by the Dive Technicians and the automatic LARS PLC redundancy was restored. The repair was witnessed and signed off by the client’s diving subject matter experts. The faulty synchronisation module was returned to the manufacturer for further investigation.

A diode failed: the failure of the LARS redundant PLC synchronisation module is classed as a ‘random hardware failure.’

• The risk of random hardware failures in programmable control system can be mitigated by proof testing. The dive company did carry out annual proof tests to trigger the automatic LARS PLC redundancy and the proof test records were up to date.
  
  
• The company had followed the dive control system spares list guidance provided by the original equipment manufacturer (OEM) and did not have the spare synchronisation modules in stock.
  
  
• The redundant PLC hardware configuration used on the LARS was a standard, proven solution provided by one of the leaders in automation systems and used globally on many safety-critical applications.
  
  
• The available data led everyone involved to assume that it was highly unlikely that the synchronisation module would fail in normal use.
  
  
• Following their investigation of the faulty module, the manufacturer concluded that the synchronisation module hardware had developed a faulty transmitting diode.