Technology
A closed, electrically driven hydraulic actuator built on the patented Drive-Drive gear pump — engineered as the fly-by-wire of hydraulics for safety-critical valves.
Core Architecture
The EHA+ platform replaces the single shaft of a conventional external gear pump with two independently driven prime movers. Each gear has its own motor; the pair is coordinated by the EHA+ controller. Production EHA+ configurations use the FIG. 3 topology, with both motors located outside the pump body.
The architecture unlocks three control regimes from a single hardware platform:
FIG. 3 Topology
External, redundant prime movers per gear. Either motor can drive the pump alone at reduced capacity; both together deliver full performance with active synchronization. The pump becomes the redundancy element — not a duplicated stack of pumps and valves.
EHA+ Circuit
The EHA+ pairs the Drive-Drive pump with a hydraulic cylinder, accumulator-backed fail-close, proportional valves, and an integrated controller. Discrete confirmation is provided by roller-actuated end-of-stroke switches that operate independently of the continuous position transducer.
A D1 LVDT continuous position transducer reports cylinder rod position to the EHA+ controller as the primary closed-loop feedback signal.
Two roller-actuated mechanical switches at the top of the cylinder — LSO (full-open, above the rod end) and LSC (full-closed, above the spring end) — report discrete confirmation of commanded end positions on independent data lines to the downhole electronics. They are not pilot solenoids.
An accumulator bank sized for at least three full strokes provides deterministic fail-close on loss of motor power — the same envelope used on conventional pipeline ESDV actuation, but housed inside a self-contained module.
Native hydraulic flow control supports a configurable two-stage profile (typically 70% fast / 30% slow) with end-of-stroke damping — keeping Joukowsky surge within 120% MAOP on large-bore liquid pipelines.
Canonical schematic reference: EHA+-Circuit.jpg — the user-maintained Simulink export.
Redundancy
Conventional redundant hydraulic actuators duplicate the pump, the manifold, the solenoids, and the lines — doubling failure surfaces along with capacity. The EHA+ places the redundancy inside the pump: two independently controlled motors share one set of gears, one manifold, and one cylinder.
The result is a smaller envelope, fewer failure modes, and an architecture that natively maps to a 1oo2 SIL2+ final element.
| Metric | Single-drive baseline | EHA+ Dual-Drive |
|---|---|---|
| Mechanical efficiency | Baseline | +24% vs single motor drive |
| Step-response settling time | Baseline | ~15× faster servo response |
| Single-motor fault tolerance | Loss of function | Degraded but continued operation |
| Final-element HFT | 0 | 1 (1oo2 SIL2+) |
Digital Twin Engine
The EHA+ is paired with a physics-based digital twin built on Simscape and Ansys. The twin ingests the site safety requirements specification — valve geometry, pipeline pressure profile, fluid properties, ambient envelope, SIL target — and solves the actuator configuration before the bill of materials is fixed. The same twin produces the certification evidence and the in-service diagnostics.
Predictive Maintenance
Two independently driven motors sharing one set of gears do more than carry redundancy — they continuously cross-check each other. The pair of current, torque, and position signatures is the richest health stream any electrohydraulic actuator can emit, and the DriveDrive Power digital twin reads it against the same physics-based model that sized the unit.
M1A and M1B run the same pump. Any divergence in current draw, torque ripple, or commanded versus delivered flow is a direct signature of bearing wear, seal drift, contamination ingress, or incipient stiction on one side.
The τ ≈ 3 ms velocity-pursuit loop samples motor and pump state at servo-grade resolution. Partial-stroke and small-amplitude moves resolve stiction signatures an order of magnitude smaller than a 50 ms simplex loop can detect.
Anomalies are flagged against the digital twin's expected envelope for that valve, that fluid, that ambient — not against fixed alarm thresholds. Condition-based maintenance, not run-to-failure.
Failure Modes Detected
Mapping common large-bore ESDV failure modes to the EHA+ signature that surfaces them — the same hooks consumed by the FMEDA and used to lift Safe Failure Fraction on the SIL2 final element.
| Failure mode | Drive-Drive signature | Detected before |
|---|---|---|
| Single-motor degradation | Current / torque divergence between M1A and M1B at matched command | Bearing failure or winding fault |
| Gear-pump wear | Tooth-by-tooth flow ripple departs from the LUT-corrected envelope | Volumetric efficiency loss > 5% |
| Cylinder seal leakage | Cap pressure decays under hold; piston creeps against commanded zero velocity | Loss of fail-close margin |
| Scotch-yoke stiction | Velocity-pursuit tracking error grows at low command — resolved by the 3 ms servo loop | PST failure or breakaway miss |
| Accumulator pre-charge drift | Pre-charge pressure trend over cycles; reduced strokes-per-charge in the model | Loss of ≥ 3-stroke fail-safe budget |
| Fluid contamination | Increased orifice resistance signature; closing-time drift toward the budget | ISO 4406 16/14/11 cleanliness breach |
| Solenoid / pilot block fault | DV command-to-response latency departs from the model | SIL voting compromise |
| Position-sensor disagreement | D1 LVDT continuous reading inconsistent with LSO / LSC discrete confirmation | Spurious trip or missed end-of-stroke |
| Thermal envelope breach | Fluid temperature and viscosity drift outside the twin's design envelope | Closing-time exceedance on S4 / S6 |
Operating Modes
The diagnostic layer runs at four different cadences — from every servo cycle to scheduled proof tests — and every result is logged against the twin baseline.
Servo-loop diagnostics: motor currents, torque divergence, position tracking error, and gap-control residual evaluated each control cycle.
Per-stroke metrics: flow ripple against LUT, cap pressure profile, accumulator delta-P, end-of-stroke confirmation latency.
10–20% stroke moves at τ ≈ 3 ms tracking. Servo-loop bandwidth resolves stiction signatures invisible to a 50 ms simplex actuator. Drop to 87% recovery 100% in the RevA scenarios.
Full-stroke proof test against the twin envelope. PST coverage extends the interval; full-stroke proof testing is not replaced by it.
SIL Coverage Benefit
In an FMEDA, each dangerous failure mode is split into λDD (dangerous detected) and λDU (dangerous undetected) by the diagnostic coverage factor: λDD = λ · DC and λDU = λ · (1 − DC).
The Drive-Drive architecture lifts DC on the modes that dominate large-bore ESDV failure rates — pump wear, seal leakage, stiction, contamination — which moves Safe Failure Fraction up the band that supports a SIL2 final-element claim under Route 1H of IEC 61508-2 with HFT = 1.
On the PST math, realistic partial-stroke coverage values are 50–70% for ball valves and 60–80% for gate valves. The EHA+'s servo-grade PST execution gives a defensible position toward the upper end of those ranges — without the marketing-grade 90%+ claims that fail audit.
| Lever | Effect on the SIL case |
|---|---|
| Cross-channel diagnostic coverage | Higher DC → more λD reclassified as λDD → SFF up |
| Servo-grade PST | Defensible PTC at the high end of 50–70% ball / 60–80% gate |
| Twin-referenced anomaly detection | Catches drift before it crosses a fixed threshold — condition-based maintenance |
| FMEDA hooks | Per-mode detection paths documented for Route 1H certification |
| HFT contribution | 1oo2 dual-drive gives HFT = 1 in addition to the diagnostic coverage |
Operational Implications
Maintenance is triggered by twin-detected drift, not by elapsed-time schedules. The EHA+ can flag the specific motor, pump section, seal, or accumulator that needs attention.
Single-motor degradation is detected and announced while the actuator continues to operate in surviving mode. MTTR is scoped to a planned intervention rather than an unplanned trip.
The diagnostic layer cross-checks sensor readings against the twin envelope — reducing the chance that a single sensor fault produces an unwanted close on a 1oo2 voting topology.
Every diagnostic call, every PST result, every anomaly is logged against the twin baseline — ready for FSA 3 pre-startup review and the periodic FSA 4 in-operation gate.
Detection envelopes are computed for the actual valve, fluid, ambient, and SIL target — not for a generic catalog actuator. Detection sensitivity matches the safety case.
Rich per-component health data lets operators stock against forecast wear, not against worst-case generic intervals. Inventory carrying cost drops while uptime rises.
Defense in Depth
Eight independent layers across the SIL2 family. The prime-mover layer is the highest-leverage addition because of motor MTBF dominance — converting the simplex motor single-point-of-failure into an active-active redundant pair.
| Layer | SIL2 (single-drive) | SIL2+ (Dual Drive) |
|---|---|---|
| Prime mover | Single motor M1 (PMSM) | M1A + M1B independently driven |
| Pump | Simplex external gear pump | P1 Drive-Drive (one set of gears, two motors) |
| Final element | DV1 + DV2, 1oo2 voted | DV1 + DV2, 1oo2 voted |
| Sensors | Single PG1 · single D1 · LSO + LSC discrete cross-check | Single PG1 · single D1 · LSO + LSC discrete cross-check |
| Logic solver | Simplex Downhole Electronics | Simplex Downhole Electronics |
| Mechanical fail-safe | Single concentric spring | Single concentric spring |
| Hydraulic | Accumulator-backed fail-close, ≥ 3 strokes | Accumulator-backed fail-close, ≥ 3 strokes |
| Availability impact | Motor fault → actuator out of service | Motor fault → surviving-motor mode (no service interruption) |
Engineering target from the simulation thread: PFDavg ≈ 5 × 10−3, HFT = 1, 12-month proof test — both variants. Working engineering estimate, not an external certification result.
Quantified Advantages
Each gain is documented in the SIL2 baseline and the SIL2+ EHA+ Circuit Simulation reports.
Healthy dual-motor mode runs at ηvol = 0.99 and ηmech = 0.99 (overall ηpump ≈ 0.98) versus 0.92 / 0.90 for the simplex baseline. Peak shaft input drops from 32.1 kW to 27.1 kW on S1 nominal-open.
Velocity-pursuit time constant τ ≈ 3 ms in healthy dual-motor mode versus 50 ms simplex. Most visible on S1 ramp smoothness, S2 partial-stroke-test tracking, and hold stiffness against process disturbance.
Two synchronized motors start the loaded pump more cleanly than one. Captured as τ = 35 ms dual-motor synchronized startup versus 50 ms simplex / 60 ms single-motor surviving.
Single-Motor Compatibility
The EHA+ can continue to operate with a single motor in service. The condition is a design-time sizing rule: each motor must independently meet the single-motor performance envelope — not just its share of the dual-motor load.
The ESDV reference uses a 55 kW continuous / 90 kW peak servo PMSM per motor — comfortably above the ≥ 33 kW continuous and ≥ 240 Nm peak required for solo operation. The result is active-active redundancy, not a fail-degraded fallback.
| Scenario | Result | Budget |
|---|---|---|
| S1 nominal open (healthy dual-motor) | 43.4 s | ≤ 60 s |
| S3 closing (nominal trip) | 21.7 s | ≤ 25 s |
| S5 closing (degraded 130 bar) | 21.7 s | ≤ 25 s |
| S6 closing (worst-case combined) | 22.7 s | ≤ 25 s |
| S9 single-motor open (M1B failed) | 78.9 s | ≤ 90 s |
| Peak motor power | 44.8 kW | ≤ 110 kW peak |
| Peak cap pressure | 99 bar | ≤ 215 bar |
Simulation Scenarios
S1–S8 verify the SIL2 final-element behavior. S9 is unique to the dual-drive variant — it explicitly exercises the prime-mover redundancy claim with one motor failed.
| ID | Scenario | What it proves |
|---|---|---|
| S1 | Nominal open | Healthy dual-motor open within 60 s; servo τ ≈ 3 ms keeps the ramp tight |
| S2 | Partial-stroke test (PST) | Servo tracking advantage — cleaner PST curves and smaller minimum detectable stiction |
| S3 | Nominal trip close | Accumulator-driven close within 25 s, two-stage profile honored |
| S4 | Hot/cold close | Temperature-bracketed close-time envelope |
| S5 | Degraded supply close (130 bar) | Worst-case spring-only behavior at the closed seat |
| S6 | Worst-case combined | Process pressure + degraded supply + thermal extremes stack |
| S7 | Spurious-trip recovery | Restart and reset characteristics after an unwanted close |
| S8 | Diagnostics / health | Gear-pump diagnostic checks per US 2025/0035111 reflected in the loop |
| S9 | Single-motor-fault open (EHA+ only) | M1B failed at t = 0; M1A solo opens the cylinder within the 90 s degraded budget |
Two Systems, One Architecture Family
Both reports are formatted identically — only the architectural deltas the dual-drive layer adds differ.
Single drive, two dump valves voted 1oo2, simplex Downhole Electronics, single PG1, single D1, LSO/LSC discrete cross-check. PFDavg ≈ 5 × 10−3, HFT = 1.
EHA+ Circuit Simulation — SIL2, Rev A
EHA+ Drive-Drive at the motor/pump layer plus 1oo2 dump-valve voting. Adds prime-mover redundancy (M1A + M1B), ηpump ≈ 0.98 dual, τ ≈ 3 ms servo loop, and the S9 single-motor-fault scenario.
EHA+ Circuit Simulation — SIL2+, Rev A
Standards Stack
| Standard | Scope | Application to EHA+ |
|---|---|---|
| IEC 61508 | Functional safety of E/E/PE safety-related systems | Generic baseline for FMEDA, SFF, HFT, PFDavg |
| IEC 61511 / ANSI-ISA-84 | Process-sector application standard | ESDV as part of a SIF |
| API 6D / ISO 14313 | Pipeline and piping valves | 36″ reference valve body & trim |
| API 6A / ISO 10423 | Wellhead & Christmas tree equipment | Upstream production ESDV applications |
| API 6FA / ISO 10497 | Fire-test qualification of valves | Fire-safe certification of the assembled ESDV |
| API RP 14C | Offshore production-platform safety systems | Closure-time and shutdown-logic requirements |
| ISO 12490 | Mechanical integrity and sizing of pipeline-valve actuators | Actuator sizing methodology |
| ATEX 2014/34/EU · IECEx | Equipment for explosive atmospheres | Hazardous-area certification path |
| NACE MR0175 / ISO 15156 | Materials for sour service | Wetted-part material selection |
| ISO 15848-1 | Fugitive emissions of industrial valves | Class B emissions target on stem seals |
The full EHA+ circuit, dual-drive redundancy, and SIL2 package are available under NDA.