IMO Maritime Safety Committee, MSC.1/Circular.1580 – Guidelines for Vessels and Units with Dynamic Positioning (DP) Systems (16 June 2017), Annex

3 FUNCTIONAL REQUIREMENTS

3.1 General

3.1.1 Insofar as is practicable, all components in a DP system should be designed, constructed and tested in accordance with international standards recognized by the Administration.

3.1.2 If external forces from mission-related systems (cable lay, pipe lay, mooring, etc.) have a direct impact on DP performance, the influence of these systems should be considered and factored into the DP system design. Where available from the DP system or equipment manufacturer, such data inputs should be provided automatically to the DP control system. Additionally, provisions should be made to provide such data inputs into the DP control system manually. These systems and the associated automatic inputs should be subject to surveys, testing and analysis specified in paragraph 5.1.

3.1.3 In order to meet the single failure criteria given in paragraph 2.2, redundancy of components will normally be necessary as follows:

  • .1 for equipment class 2, redundancy of all active components; and

  • .2 for equipment class 3, redundancy of all components and A-60 physical separation of the components.

3.1.4 For equipment class 3, full redundancy of the control systems may not be possible (i.e. there may be a need for a single changeover system from the main computer system to the backup computer system). Such connections between otherwise redundant and separated systems may be accepted when these are operated so that they do not represent a possible failure propagation path during DP operations. Failure in one system should in no case be transferred to the other redundant system.

3.1.5 For equipment classes 2 and 3, connections between otherwise redundant and separated systems should be kept to a minimum and made to fail to the safest condition. Failure in one system should in no case be transferred to the other redundant system.

3.1.6 Redundant components and systems should be immediately available without needing manual intervention from the operators and with such capacity that the DP operation can be continued for such a period that the work in progress can be terminated safely. The transfer of control should be smooth and within acceptable limitations of the DP operation(s) for which the vessel is designed.

3.1.7 For equipment classes 2 and 3, hidden failure monitoring should be provided on all devices where the FMEA shows that a hidden failure will result in a loss of redundancy.

3.1.8 The DP control station should be arranged where the operator has a good view of the vessel's exterior limits and the surrounding area. Equipment that should be located at the DP control station includes, but is not limited to:

  • .1 DP control and independent joystick control operator stations;

  • .2 manual thruster levers;

  • .3 mode change systems;

  • .4 thruster emergency stops;

  • .5 internal communications; and

  • .6 position reference systems' HMI, when considered necessary.

3.2 Power system

3.2.1 The power system should have an adequate response time to changes in power demand.

3.2.2 For equipment class 1, the power system need not be redundant.

3.2.3 For equipment class 2, the power system should be divisible into two or more systems so that, in the event of failure of one sub-system, at least one other system will remain in operation and provide sufficient power for station keeping. The power system(s) may be run as one system during operation, but should be arranged by bus-tie breaker(s) to separate the systems automatically upon failures which could be transferred from one system to another, including, but not limited to, overloading and short circuits.

3.2.4 For equipment class 3, the power system should be divisible into two or more systems so that, in the event of failure of one system, at least one other system will remain in operation and provide sufficient power for station keeping. The divided power system should be located in different spaces separated by A-60 class divisions. Where the power systems are located below the operational waterline, the separation should also be watertight. Bus-tie breakers should be open during equipment class 3 operations unless equivalent integrity of power operation can be accepted according to paragraph 3.1.4.

3.2.5 For equipment classes 2 and 3, the power available for position keeping should be sufficient to maintain the vessel in position after worst-case failure according to paragraph 2.2.

3.2.6 For equipment classes 2 and 3, at least one automatic power management system (PMS) should be provided and should have redundancy according to the equipment class and a blackout prevention function.

3.2.7 Alternative energy storage (e.g. batteries and fly-wheels) may be used as sources of power to thrusters as long as all relevant redundancy, independency and separation requirements for the relevant notation are complied with. For equipment classes 2 and 3, the available energy from such sources may be included in the consequence analysis function required in paragraph 3.4.2.4 when reliable energy measurements can be provided for the calculations.

3.2.8 Sudden load changes resulting from single faults or equipment failures should not create a blackout.

3.3 Thruster system

3.3.1 Each thruster on a DP system should be capable of being remote-controlled individually, independently of the DP control system.

3.3.2 The thruster system should provide adequate thrust in longitudinal and lateral directions, and provide yawing moment for heading control.

3.3.3 For equipment classes 2 and 3, the thruster system should be connected to the power system in such a way that paragraph 3.3.2 can be complied with even after failure of one of the constituent power systems and the thrusters connected to that system.

3.3.4 The values of thruster force used in the consequence analysis (see paragraph 3.4.2.4) should be corrected for interference between thrusters and other effects which would reduce the effective force.

3.3.5 Failure of a thruster system including pitch, azimuth and/or speed control, should not cause an increase in thrust magnitude or change in thrust direction.

3.3.6 Individual thruster emergency stop systems should be arranged in the DP control station. For equipment classes 2 and 3, the thruster emergency stop system should have loop monitoring. For equipment class 3, the effects of fire and flooding should be considered.

3.4 DP control system

3.4.1 General

  • .1 In general, the DP control system should be arranged in a DP control station where the operator has a good view of the vessel's exterior limits and the surrounding area.

  • .2 The DP control station should display information from the power system, thruster system and DP control system to ensure that these systems are functioning correctly. Information necessary to safely operate the DP system should be visible at all times. Other information should be available upon the operator's request.

  • .3 Display systems and the DP control station in particular should be based on sound ergonomic principles which promote proper operation of the system. The DP control system should provide for easy accessibility of the control mode, i.e. manual joystick, or automatic DP control of thrusters, propellers and rudders, if part of the thruster system. The active control mode should be clearly displayed.

  • .4 For equipment classes 2 and 3, operator controls should be designed so that no single inadvertent act on the operator's panel can lead to a loss of position and/or heading.

  • .5 Alarms and warnings for failures in all systems interfaced to and/or controlled by the DP control system should be audible and visual. A record of their occurrence and of status changes should be provided together with any necessary explanations.

  • .6 The DP control system should prevent failures being transferred from one system to another. The redundant components should be so arranged that any failed component or components may be easily isolated so that the other component(s) can take over smoothly with no loss of position and/or heading.

  • .7 It should be possible to control the thrusters manually, by individual levers and by an independent joystick, in the event of failure of the DP control system. If an independent joystick is provided with sensor inputs, failure of the main DP control system should not affect the integrity of the inputs to the independent joystick.

  • .8 A dedicated UPS should be provided for each DP control system (i.e. minimum one UPS for equipment class 1, two UPSs for equipment class 2 and three UPSs for equipment class 3) to ensure that any power failure will not affect more than one computer system and its associated components. The reference systems and sensors should be distributed on the UPSs in the same manner as the control systems they serve, so that any power failure will not cause loss of position keeping ability. An alarm should be initiated in case of loss of charge power. UPS battery capacity should provide a minimum of 30 minutes operation following a main supply failure. For equipment classes 2 and 3, the charge power for the UPSs supplying the main control system should originate from different power systems.

  • .9 The software should be produced in accordance with an appropriate international quality standard recognized by the Administration.

3.4.2 Computers

  • .1 For equipment class 1, the DP control system need not be redundant.

  • .2 For equipment class 2, the DP control system should consist of at least two computer systems so that, in case of any single failure, automatic position keeping ability will be maintained. Common facilities such as self-checking routines, alignment facilities, data transfer arrangements and plant interfaces should not be capable of causing failure of more than one computer system. An alarm should be initiated if any computer fails or is not ready to take control.

  • .3 For equipment class 3, the main DP control system should consist of at least two computer systems arranged so that, in case of any single failure, automatic position keeping ability will be maintained. Common facilities such as self-checking routines, alignment facilities, data transfer arrangements and plant interfaces should not be capable of causing failure of more than one computer system. The two or more computer systems mentioned above do not include the backup computer system; thus, in addition, one separate backup DP control system should be arranged, see paragraph 3.4.2.6. An alarm should be initiated if any computer fails or is not ready to take control.

  • .4 For equipment classes 2 and 3, the DP control system should include a software function, normally known as "consequence analysis", which continuously verifies that the vessel will remain in position even if the worst-case failure occurs. This analysis should verify that the thrusters, propellers and rudders (if included under DP control) that remain in operation after the worst-case failure can generate the same resultant thruster force and moment as required before the failure. The consequence analysis should provide an alarm if the occurrence of a worst-case failure were to lead to a loss of position and/or heading due to insufficient thrust for the prevailing environmental conditions (e.g. wind, waves, current, etc.). For operations which will take a long time to safely terminate, the consequence analysis should include a function which simulates the remaining thrust and power after the worst-case failure, based on input of the environmental conditions.

  • .5 Redundant computer systems should be arranged with automatic transfer of control after a detected failure in one of the computer systems. The automatic transfer of control from one computer system to another should be smooth with no loss of position and/or heading.

  • .6 For equipment class 3, the backup DP control system should be in a room separated by an A-60 class division from the main DP control station. During DP operation, this backup control system should be continuously updated by input from at least one of the required sets of sensors, position reference system, thruster feedback, etc. and be ready to take over control. The switchover of control to the backup system should be manual, situated on the backup computer, and should not be affected by a failure of the main DP control system. Main and backup DP control systems should be so arranged that at least one system will be able to perform automatic position keeping after any single failure.

  • .7 Each DP computer system should be isolated from other on-board computer systems and communications systems to ensure the integrity of the DP system and command interfaces. This isolation may be effected via hardware and/or software systems and physical separation of cabling and communication lines. Robustness of the isolation should be verified by analysis and proven by testing. Specific safeguards should be implemented to ensure the integrity of the DP computer system and prevent the connection of unauthorized or unapproved devices or systems.
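
The consequence analysis of paragraph 3.4.2.4, as an added Python example (not part of the Guidelines or of any DP manufacturer's software): for each redundancy group, it removes that group's thrusters and tests whether the remainder can still produce the demanded surge force, sway force and yaw moment. Assumptions: fixed-direction reversible thrusters, thrust limits only (no power limits), redundancy groups "A" and "B" from a hypothetical FMEA, and a constructed sample vessel.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Thruster:
    name: str
    group: str   # redundancy group (assumed from the FMEA), lost as a unit
    x: float     # m forward of the centre of rotation
    y: float     # m to starboard
    dx: float    # unit thrust direction, surge component
    dy: float    # unit thrust direction, sway component
    tmax: float  # kN, already corrected for interference (paragraph 3.3.4)

def generator(t):
    # (surge, sway, yaw moment) produced per kN of thrust; yaw = x*Fy - y*Fx
    return (t.dx, t.dy, t.x * t.dy - t.y * t.dx)

def cross(a, b):
    return (a[1]*b[2] - a[2]*b[1], a[2]*b[0] - a[0]*b[2], a[0]*b[1] - a[1]*b[0])

def dot(a, b):
    return a[0]*b[0] + a[1]*b[1] + a[2]*b[2]

def can_hold(thrusters, demand, eps=1e-9):
    """True if commands with |u_i| <= tmax_i can produce demand (kN, kN, kN*m)."""
    gens = [(generator(t), t.tmax) for t in thrusters]
    spans_3d = False
    for (g1, _), (g2, _) in combinations(gens, 2):
        n = cross(g1, g2)               # candidate facet normal of the reachable set
        if dot(n, n) < eps:
            continue                    # parallel thrusters give no normal
        reach = sum(tmax * abs(dot(n, g)) for g, tmax in gens)
        if reach < eps:
            return False                # no surge/sway/yaw authority left (3.3.2)
        if abs(dot(n, demand)) > reach + eps:
            return False                # demand lies outside the reachable set
        spans_3d = True
    return spans_3d

def consequence_analysis(thrusters, demand):
    """Redundancy groups whose loss leaves too little thrust for demand."""
    groups = sorted({t.group for t in thrusters})
    return [g for g in groups
            if not can_hold([t for t in thrusters if t.group != g], demand)]

# Constructed sample vessel: four tunnel thrusters and two main propellers.
VESSEL = [
    Thruster("bow tunnel 1", "A", 40, 0, 0, 1, 150),
    Thruster("bow tunnel 2", "B", 36, 0, 0, 1, 150),
    Thruster("stern tunnel 1", "A", -35, 0, 0, 1, 120),
    Thruster("stern tunnel 2", "B", -32, 0, 0, 1, 120),
    Thruster("main port", "A", -40, -5, 1, 0, 300),
    Thruster("main stbd", "B", -40, 5, 1, 0, 300),
]
```

A non-empty result from `consequence_analysis` corresponds to the alarm condition in 3.4.2.4: the intact vessel holds position, but would not after the listed failure.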

3.4.3 Position reference systems

  • .1 Position reference systems should be selected with due consideration to operational requirements, both with regard to restrictions caused by the manner of deployment and expected performance in working situations.

  • .2 For equipment class 1, at least two independent position reference systems should be installed and simultaneously available to the DP control system during operation.

  • .3 For equipment classes 2 and 3, at least three independent position reference systems should be installed and simultaneously available to the DP control system during operation.

  • .4 When two or more position reference systems are required, they should not all be of the same type, but based on different principles and suitable for the operating conditions.

  • .5 The position reference systems should produce data with adequate accuracy and repeatability for the intended DP operation.

  • .6 The performance of position reference systems should be monitored and warnings should be provided when the signals from the position reference systems are either incorrect or substantially degraded.

  • .7 For equipment class 3, at least one of the position reference systems should be connected directly to the backup control system and separated by an A-60 class division from the other position reference systems.

3.4.4 Vessel sensors

  • .1 Vessel sensors should at least measure vessel heading, vessel motions and wind speed and direction.

  • .2 When an equipment class 2 or 3 DP control system is fully dependent on correct signals from vessel sensors, these signals should be based on three systems serving the same purpose (i.e. this will result in at least three heading reference sensors being installed).

  • .3 Sensors for the same purpose which are connected to redundant systems should be arranged independently so that failure of one will not affect the others.

  • .4 For equipment class 3, one of each type of sensor should be connected directly to the backup DP control system, and should be separated by an A-60 class division from the other sensors. If the data from these sensors is passed to the main DP control system for their use, this system should be arranged so that a failure in the main DP control system cannot affect the integrity of the signals to the backup DP control system.

3.5 Cables and piping systems

3.5.1 For equipment class 3, cables for redundant equipment or systems should not be routed together through the same compartments. Where this is unavoidable, such cables may run together in cable ducts of A-60 class, the termination of the ducts included, which are effectively protected from all fire hazards except that represented by the cables themselves. Cable connection boxes may not be provided within such ducts.

3.5.2 For equipment class 2, piping systems for fuel, lubrication, hydraulic oil, cooling water and cables should be located with due regard to fire hazards and mechanical damage.

3.5.3 For equipment class 3, redundant piping systems (e.g. piping for fuel, cooling water, lubrication oil, hydraulic oil, etc.) should not be routed together through the same compartments. Where this is unavoidable, such pipes may run together in ducts of A-60 class, the termination of the ducts included, which are effectively protected from all fire hazards except that represented by the pipes themselves.

3.6 Requirements for essential non-DP systems

For equipment classes 2 and 3, systems not directly part of the DP system, but which in the event of failure could cause failure of the DP system (e.g. common fire suppression systems, engine ventilation, heating, ventilation and air conditioning (HVAC) systems, shutdown systems, etc.), should also comply with relevant requirements of these Guidelines.

3.7 Independent joystick system

3.7.1 A joystick system independent of the automatic DP control system should be arranged. The power supply for the independent joystick system (IJS) is to be independent of the DP control system UPSs. An alarm should be initiated upon failure of the IJS.

3.7.2 The IJS should have automatic heading control.

