Section
4 Electronically controlled engines
4.1 General
4.1.1 The
requirements of this Section are applicable to engines for propulsion,
auxiliary or emergency power purposes with programmable electronic
systems implemented and used to control fuel injection timing and
duration, and which may also control combustion air or exhaust systems.
The requirements of this Section also apply to programmable electronic
systems used to control other functions (e.g. starting and control
air, cylinder lubrication etc.) where essential for the operation
of the engine.
4.1.2 These
engines may be of the crosshead or trunk piston type. They generally
have no direct camshaft driven fuel systems, but have common rail
fuel/hydraulic arrangements and may have hydraulic actuating systems
for the functioning of the exhaust systems.
4.1.3 The
operation of these engines relies on the effective monitoring of a
number of parameters such as crank angle, engine speed, temperatures
and pressures using programmable electronic systems to provide the
services essential for the operation of the engine such as fuel injection,
air inlet, exhaust and speed control.
4.1.4 Details
of proposals to deviate from the requirements of this Section are
to be submitted and will be considered on the basis of a technical
justification produced by the Enginebuilder.
4.1.5 Each
engine is to be configured for the specified performance and is to
satisfy the relevant requirements for propulsion, auxiliary or emergency
engines.
4.1.6 During
the life of the engine details, of any proposed changes to control,
alarm, monitoring or safety systems which may affect safety and the
reliable operation of the engine are to be submitted to LR for approval.
4.2 Risk-based analysis
4.2.1 An analysis
is to be carried out in accordance with relevant standards acceptable
to LR to demonstrate compliance with the applicable requirements of
this sub-Section appropriate to the engine application. The analysis
is to be a risk-based consideration of engine operation and ship and
personnel safety, and is to demonstrate adequate risk mitigation through
fault tolerance and/or reliability in accordance with the specified
criteria in Pt 5, Ch 2, 4.2 Risk-based analysis 4.2.2 to Pt 5, Ch 2, 4.2 Risk-based analysis 4.2.4 relevant to the engine application.
4.2.2 For
ships with a single main propulsion engine, a Failure Mode and Effects
Analysis (FMEA), or alternative recognised analysis of system reliability,
is to be carried out and is to demonstrate that an electronic control
system failure:
-
will not result
in the loss of the ability to provide the services essential for the
operation of the engine, see
Pt 6, Ch 1, 2.5 Control systems, general requirements 2.5.7 and Pt 6, Ch 1, 2.13 Programmable electronic systems - Additional requirements for essential services and safety critical systems
2.13.2;
-
will not affect
the normal operation of the services essential for the operation of
the engine other than those services dependent upon the failed part, see
Pt 6, Ch 1, 2.14 Programmable electronic systems – Additional requirements for integrated systems 2.14.4 and Pt 6, Ch 1, 2.14 Programmable electronic systems – Additional requirements for integrated systems 2.14.5; and
-
will not leave
either the engine, or any equipment or machinery associated with the
engine, or the ship in an unsafe condition, see
Pt 6, Ch 1, 2.3 Alarm systems, general requirements 2.3.13, Pt 6, Ch 1, 2.4 Safety systems, general requirements 2.4.5, Pt 6, Ch 1, 2.5 Control systems, general requirements 2.5.3, Pt 6, Ch 1, 2.10 Programmable electronic systems - General requirements 2.10.3, Pt 6, Ch 1, 2.10 Programmable electronic systems - General requirements 2.10.4 and Pt 6, Ch 1, 2.14 Programmable electronic systems – Additional requirements for integrated systems 2.14.5.
4.2.3 A risk-based
analysis is to be carried out for:
-
main engines on
ships with multiple main engines or other means of providing propulsion
power; and/or
-
auxiliary engines
intended to drive electric generators forming the ship’s main
source of electrical power or otherwise providing power for essential
services.
The analysis is to demonstrate that adequate hazard mitigation has been
incorporated in electronically controlled engine systems or the overall ship
installation with respect to personnel safety and providing propulsion power and/or
power for essential services for the safety of the ship. Arrangements satisfying the
criteria of Pt 5, Ch 2, 4.2 Risk-based analysis 4.2.2 will also be acceptable.
4.2.4 For
engines for emergency power purposes, a risk-based analysis is to
be carried out to demonstrate that the design incorporates adequate
hazard mitigation such that the likelihood of an electronic control
system failure resulting in the loss of the ability to provide emergency
power when required has been reduced to a level considered acceptable
by LR and that means are provided to detect failures and permit personnel
to restore engine availability to operate on demand. Failures which
would result in engine failure and/or damage or loss of availability
are to be identified and the report is to include documentation of:
-
component reliability
evidence;
-
failure detection
and alarms; and
-
failure response
required to restore engine availability and maintain personnel safety.
4.2.5 The
risk-based analysis report is to:
-
Identify the standards
used for analysis and system design.
-
Identify the engine,
its purpose and the associated objectives of the analysis.
-
Identify any assumptions
made in the analysis.
-
Identify the equipment, system or sub-system and the mode of
operation.
-
Identify potential
failure modes and their causes.
-
Evaluate the local
effects (e.g. fuel injection failure) and the effects on the system
as a whole (e.g. loss of propulsion power) of each failure mode.
-
Identify measures
for reducing the risks associated with each failure mode (e.g. system
design, failure detection and alarms, redundancy, quality control
procedures for sourcing, manufacture and testing, etc.).
-
Identify trials
and testing necessary to prove conclusions.
4.2.6 At sub-system
level it is acceptable to consider failure of equipment items and
their functions, e.g. failure of a pump to produce flow or pressure
head. It is not required that the failure of components within that
pump be analysed, and failure need only be dealt with as a cause of
failure of the pump.
4.3 Control engineering systems
4.3.2 The
engine control, alarm monitoring and safety systems are to be configured
to comply with the relevant requirements (e.g. operating profile,
alarms, shutdowns, etc.) of this Chapter and Pt 6, Ch 1 Control Engineering Systems for an engine for main, auxiliary or emergency power
purposes. Details of the engine configuration are to be submitted
for consideration, see
Pt 5, Ch 2, 1.4 Submission requirements 1.4.3.
4.4 Software
4.4.2 Appropriate
safety related processes, methods, techniques and tools are to be
applied to software development and maintenance by the Enginebuilder.
Selection and application of techniques and measures in accordance
with Annex A of IEC 61508-3, Functional safety of electrical/electronic/programmable
electronic systems: Software requirements, or other relevant
standards or codes acceptable to LR, will generally be acceptable.
|