Section 2 Essential features for control, alarm, monitoring and safety systems
2.1 General
2.1.1 Systems
complying with ISO 17894, Ships and marine technology –
Computer applications – General principles for the development
and use of programmable electronic systems in marine applications,
may be accepted as meeting the requirements of this Section, in which
case evidence of compliance is to be submitted for consideration.
2.2 Control stations for machinery
2.2.1 A system
of alarm and warning displays and controls is to be provided which
readily ensures identification of faults in the machinery and satisfactory
supervision of related equipment by duty personnel. This may be provided
at a main control station or, alternatively at subsidiary control
stations. In the latter case, a master alarm display is to be provided
at the main control station showing which of the subsidiary control
stations is indicating a fault condition.
2.2.2 At the
main control station (if provided) or close to the subsidiary stations
(if fitted) means of communication with the bridge area, the accommodation
for engineering personnel and, if necessary, the machinery space are
to be provided.
2.2.3 Where
operator interfaces are installed in the wheelhouse, illumination
should not interfere with night vision. All illumination and lighting
of instruments, keyboards and controls are to be adjustable to zero
illumination, except for lighting for visual indication of alarms
and the controls of dimmers, which are to remain readable.
2.2.4 Provision
is to be made at the main control station, or subsidiary control stations
as appropriate, for the operation of an engineers' alarm which is
to be clearly audible in the engineers' accommodation.
2.2.5 Provision
is to be made at the main control station and any other subsidiary
control station from which the main propulsion and auxiliary machinery
or associated equipment may be controlled to indicate which station
is in control.
2.2.6 Control
of machinery and associated equipment is to be possible only from
one station at a time.
2.2.7 Changeover
between control stations is to be arranged so that it may only be
effected with the acceptance of the station taking control. The system
is to be provided with interlocks or other suitable means to ensure
effective transfer of control.
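The following is an added illustration of the changeover behaviour required by 2.2.5 to 2.2.7 (one station in control at a time, transfer only with the acceptance of the station taking control, and indication at each station of which one is in control). It is not text or code from the Rules or from any approved system; the station names and the request/accept interface are assumptions made for the example.

```python
"""Changeover between control stations with an acceptance interlock.

Added illustration of Pt 6, Ch 1, 2.2.5 to 2.2.7; it is not text or code from
the Rules. The station names and the request/accept interface are assumptions
made for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

STATIONS = ("bridge", "ecr", "local")   # constructed station identifiers


@dataclass
class ControlTransfer:
    in_control: str = "ecr"          # exactly one station at a time (2.2.6)
    pending: Optional[str] = None    # station that has been offered control
    log: List[str] = field(default_factory=list)

    def request_transfer(self, to_station: str) -> bool:
        """Offer control to another station. Control does not move yet (2.2.7)."""
        if to_station not in STATIONS or to_station == self.in_control:
            return False
        self.pending = to_station
        self.log.append(f"offer {self.in_control}->{to_station}")
        return True

    def accept(self, at_station: str) -> bool:
        """Interlock: only the station offered control can accept it."""
        if self.pending is None or at_station != self.pending:
            self.log.append(f"accept from {at_station} rejected")
            return False
        self.log.append(f"transfer {self.in_control}->{at_station}")
        self.in_control, self.pending = at_station, None
        return True

    def cancel_offer(self) -> None:
        """The station in control may withdraw an unaccepted offer."""
        self.pending = None

    def command(self, station: str, order: str) -> bool:
        """Orders are acted on only from the station in control (2.2.6)."""
        ok = station == self.in_control
        self.log.append(f"{'apply' if ok else 'ignore'} '{order}' from {station}")
        return ok

    def indication(self) -> Dict[str, str]:
        """Panel text at every station showing which one is in control (2.2.5)."""
        return {
            s: "IN CONTROL" if s == self.in_control
            else "CONTROL OFFERED" if s == self.pending
            else "NOT IN CONTROL"
            for s in STATIONS
        }
```

The interlock is the point: an offer changes only the indication at the receiving station, and the machinery keeps answering to the original station until that station explicitly accepts, so a transfer can never leave the plant without a station in control or with two.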
2.3 Alarm systems, general requirements
2.3.1 Machinery,
safety and control system faults are to be indicated at the relevant
control stations to advise duty personnel of a fault condition. The
presence of unrectified faults is to be clearly indicated at all times.
2.3.2 Alarms
and warnings associated with machinery and equipment required to satisfy
this sub-Section are to be categorised according to the urgency and
type of response required by the crew, as described in the IMO
Code on Alerts and Indicators, 2009. The
assignment of a category to each alert is to be evaluated on the basis
not only of the machinery or equipment being monitored, but also the
complete installation. Categories not included in an alarm system
may be omitted from the system design. Details of alternative alert
management proposals supported with evidence of service experience
may be submitted for consideration by LR.
2.3.3 Where
the facility to provide messages in association with alarms and warnings
exists, messages accompanying alarms and warnings are to describe
the condition and indicate the intended response required by the crew.
2.3.4 Where
the facility to provide messages in association with alarms and warnings
exists, messages of different categories are to be clearly distinguishable
from each other. Alarms associated with machinery, safety and control
system faults are to be clearly distinguishable from other alarms
(e.g. fire, general alarm).
2.3.5 Where
alarms are displayed as group alarms, provision is to be made to identify
individual alarms at the main control station (if fitted) or alternatively
at subsidiary control stations.
2.3.6 All
alarms are to be both audible and visual. If arrangements are made
to silence audible signals they are not to extinguish visual indications.
2.3.7 Acknowledgement
of visual alarms is to be clearly indicated.
2.3.8 Acknowledgement
of alarms at positions outside a machinery space is not to silence
the audible signal or extinguish the visual indication in that machinery
space.
2.3.9 If an
alarm has been acknowledged and a second fault occurs prior to the
first being rectified, audible signals and visual indications are
again to operate. Where alarms are displayed at a local panel adjacent
to the machinery and with arrangements to provide a group or common
fault alarm in the control room, the occurrence of a second fault
prior to the first alarm being rectified need only be displayed at
the local panel; however, the group alarm is to be re-initiated. Unacknowledged
alarms on monitors are to be distinguished by either flashing text
or a flashing marker adjacent to the text. A change of colour will
not in itself be sufficient to distinguish between acknowledged and
unacknowledged alarms.
2.3.10 For
the detection of transient faults which are subsequently self-correcting,
alarms are required to lock in until accepted.
2.3.11 The
alarm system is to be arranged with automatic changeover to a standby
power supply in the event of a failure of the normal power supply.
Where an alarm system could be adversely affected by an interruption
in power supply, changeover to the standby power supply is to be achieved
without a break.
2.3.12 Failure
of any power supply to the alarm system is to operate an audible and
visual alarm.
2.3.13 The
alarm system should be designed with self-monitoring properties. Insofar
as practicable, any fault in the alarm system should cause it to fail
to the alarm condition.
2.3.15 The
alarm system is to be designed as far as practicable to function independently
of control and safety systems such that a failure or malfunction in
these systems will not prevent the alarm system from operating.
2.3.16 Disconnection
or manual overriding of any part of the alarm system is to be clearly
indicated.
2.3.17 When
alarm systems are provided with means to adjust their set point, the
arrangements are to be such that the final settings can be readily
identified.
2.3.18 Where
monitors are provided at the station in control and, if fitted, in
the duty engineer's accommodation, they are to provide immediate display
of new alarm information regardless of the information display page
currently selected. This may be achieved by provision of a dedicated
alarm monitor, a dedicated area of screen for alarms or other suitable
means.
2.3.19 Where
practicable, alarms displayed on monitors are to be displayed in the
order in which they occur. Alarms requiring manual shutdown or slow-down
action are to be given visual prominence.
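The following is an added illustration, not text or code from the Rules or from any approved alarm system, of how the alarm handling in 2.3.6 to 2.3.10 and 2.3.19 fits together: audible and visual signals, silencing that leaves the visual indication, re-initiation of the audible signal on a second fault, flashing (not colour alone) for unacknowledged alarms, lock-in of transient faults until accepted, display in order of occurrence and prominence for slow-down and shutdown alarms. Alarm tags and the category names "alarm", "slowdown" and "shutdown" are constructed for the example.

```python
"""Alarm handling per Pt 6, Ch 1, 2.3.6 to 2.3.10 and 2.3.19.

Added illustration, not the Rules' or any manufacturer's code. Alarm tags
and the category names "alarm", "slowdown" and "shutdown" are constructed
for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

PROMINENT = ("slowdown", "shutdown")   # 2.3.19: given visual prominence


@dataclass
class Alarm:
    tag: str
    category: str
    seq: int                  # order of occurrence, used for display (2.3.19)
    active: bool = True       # fault condition currently present
    acknowledged: bool = False

    @property
    def flashing(self) -> bool:
        # 2.3.9: unacknowledged alarms flash; a colour change alone is not enough
        return not self.acknowledged


class AlarmSystem:
    def __init__(self) -> None:
        self.alarms: Dict[str, Alarm] = {}
        self._seq = 0
        self._silenced = False

    @property
    def audible(self) -> bool:
        # Sounds while any alarm is unacknowledged, unless silenced (2.3.6)
        unack = any(not a.acknowledged for a in self.alarms.values())
        return unack and not self._silenced

    def raise_fault(self, tag: str, category: str = "alarm") -> None:
        a = self.alarms.get(tag)
        if a is not None:
            a.active = True          # already displayed: nothing new to announce
            return
        self._seq += 1
        self.alarms[tag] = Alarm(tag, category, self._seq)
        self._silenced = False       # 2.3.9: a new fault re-initiates the audible signal

    def clear_fault(self, tag: str) -> None:
        """Fault condition gone. Unaccepted alarms stay locked in (2.3.10)."""
        a = self.alarms.get(tag)
        if a is None:
            return
        a.active = False
        if a.acknowledged:
            del self.alarms[tag]     # rectified and accepted: leaves the display

    def silence(self) -> None:
        # Stops the sounder only; visual indications are untouched (2.3.6)
        self._silenced = True

    def acknowledge(self, tag: str) -> bool:
        a = self.alarms.get(tag)
        if a is None:
            return False
        a.acknowledged = True        # 2.3.7: acknowledgement is indicated
        if not a.active:
            del self.alarms[tag]     # transient fault, now accepted
        return True

    def display(self) -> List[dict]:
        """Rows in order of occurrence, with flashing and prominence flags."""
        rows = sorted(self.alarms.values(), key=lambda a: a.seq)
        return [{"tag": a.tag, "active": a.active, "acknowledged": a.acknowledged,
                 "flashing": a.flashing, "prominent": a.category in PROMINENT}
                for a in rows]
```

Note that the sounder state is derived from the alarm list rather than stored separately: silencing is a flag that a new fault resets, so the second-fault rule of 2.3.9 and the silence rule of 2.3.6 cannot drift apart.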
2.4 Safety systems, general requirements
2.4.1 Safety
systems are to operate automatically in case of serious faults endangering
the machinery, so that:
- normal operating conditions are restored, e.g. by the starting of standby machinery, or
- the operation of the machinery is temporarily adjusted to the prevailing conditions, e.g. by reducing the output of the machinery, or
- the machinery is protected from critical conditions by shutting off the fuel or power supplies thereby stopping the machinery.
2.4.4 Safety
systems for different items of the machinery plant are to be arranged
so that failure of the safety system of one part of the plant will
not interfere with the operation of the safety system in another part
of the plant.
2.4.5 The
safety system is to be designed to 'fail safe'. The characteristics
of the 'fail safe' operation are to be evaluated on the basis not
only of the safety system and its associated machinery, but also the
complete installation. Failure of a safety system is to initiate an
audible and visual alarm.
2.4.6 When
a safety system is activated, an audible and visual alarm is to be
provided to indicate the cause of the safety action.
2.4.7 The
safety system is to be manually reset before the relevant machinery
can be restarted.
2.4.8 Where
arrangements are provided for overriding a safety system, they are
to be such that inadvertent operation is prevented. Visual indication
is to be given at the relevant control station(s) when a safety override
is operated. The consequences of overriding a safety system are to
be established and documented.
2.4.9 The
safety system is to be arranged with automatic changeover to a standby
power supply in the event of a failure of the normal power supply.
2.4.10 Failure
of any power supply to a safety system is to operate an audible and
visual alarm.
2.4.11 When
safety systems are provided with means to adjust their set point,
the arrangements are to be such that the final settings can be readily
identified.
2.5 Control systems, general requirements
2.5.1 Control
systems for machinery operations are to be stable throughout their
operating range.
2.5.2 Failure
of any power supply to a control system is to operate an audible and
visual alarm.
2.5.3 Control
systems should be designed to 'fail safe'. The characteristics of
the 'fail safe' operation are to be evaluated on the basis not only
of the control system and its associated machinery, but also the complete
installation.
2.5.4 The
control system is to be designed such that normal operation of the
controls cannot induce detrimental mechanical or thermal overloads
in the machinery.
2.5.5 Remote
or automatic controls are to be provided with suitable instrumentation
at the relevant control stations to ensure effective control by duty
personnel and to indicate that the system is functioning correctly.
2.5.6 When
control systems are provided with means to adjust their sensitivity
or set point, the arrangements are to be such that the final settings
can be readily identified.
2.6 Bridge control for main propulsion machinery
2.6.1 Means
are to be provided to ensure satisfactory control of propulsion from
the bridge in both the ahead and astern directions.
2.6.2 The
following indications are to be provided on the bridge:
- Propeller speed.
- Direction of rotation of propeller for a fixed pitch propeller or pitch position for a controllable pitch propeller, see also Pt 5, Ch 7, 5.3 Controllable pitch propellers and transverse thrust units.
- Direction and magnitude of thrust.
- Clutch position, where applicable.
- Shaft brake position, where applicable.
2.6.3 The
propeller speed, direction of rotation and, if applicable, the propeller
pitch are to be controlled from the bridge under all sea-going and
manoeuvring conditions.
2.6.4 Remote
control of the propulsion machinery is to be from only one control
station at any one time, see also
Pt 6, Ch 1, 2.2 Control stations for machinery 2.2.6. Main propulsion control units
on the navigating bridge may be interconnected. Means are to be provided
at the control station to ensure smooth transfer of control between
the bridge and other control stations.
2.6.5 Means
of control, independent of the bridge control system, are to be provided
on the bridge to enable the watchkeeper to stop the propulsion machinery
in an emergency.
2.6.6 Audible
and visual alarms are to operate on the bridge and in the alarm system
required by Pt 6, Ch 1, 4.2 Alarm system for machinery if any power
supply to the bridge control system fails. Where practicable, the
preset speed and direction of thrust are to be maintained until corrective
action is taken.
2.6.8 Automation
systems are to be designed in a manner such that a threshold warning
of impending or imminent slow-down or shutdown of the propulsion system
is given to the officer in charge of the navigational watch in time
to assess navigational circumstances in an emergency. In particular,
the systems are to control, monitor, report, alert and take safety
action to slow down or stop propulsion while providing the officer
in charge of the navigational watch an opportunity to intervene manually,
except for those cases where manual intervention will result in total
failure of the engine and/or propulsion equipment within a short time,
for example, in the case of overspeed.
2.7 Valve control systems
2.7.2 Failure
of control system power or actuator power is not to permit a valve
to move to an unsafe condition.
2.7.3 Positive
indication is to be provided at the remote control station for the
service to show the actual valve position or alternatively that the
valve is fully open or closed.
2.7.4 Equipment
located in places which may be flooded is to be capable of operating
when submerged.
2.7.5 A secondary
means of operating the valves, which may be by local manual control,
is to be provided.
2.8 Fire detection and fire alarm systems
2.8.2 For cargo ships of less than 500 GT, the provisions of this Section are intended to
apply to new ships, as far as reasonable and practicable, or as required by the relevant
National Administration.
2.8.3 Fire detection control units, indicating panels, detector heads, manual
call points and short-circuit isolation units are to satisfy the requirements of the
Type Approval Test Specification Number 1 given in LR’s Type Approval System for an
environmental category appropriate for the locations in which they are intended to
operate.
2.8.4 When fire detectors are provided with means to adjust their sensitivity, the
arrangements are to be such that the set point can be fixed and readily identified.
2.8.5 When it is intended that a particular loop is to be temporarily switched
off, this state is to be clearly indicated at the fire detection indicating panels.
2.8.6 When it is intended that a particular detector(s) is (are) to be temporarily
switched off locally, this state is to be clearly indicated at the local position.
Reactivation of the detector(s) is to be performed automatically after a preset
time.
2.8.8 In passenger ships, the fixed fire detection and fire alarm systems are to
be capable of remotely and individually identifying each detector and manually operated
call point.
2.9 Fixed water-based local application fire-fighting systems
2.9.4 System
zones and protected areas are to be arranged to allow essential services
to be provided by machinery and/or equipment located outside areas
affected by direct spray or extended water in the event of a system
activation, where the machinery and/or equipment is duplicated or
otherwise replicated to provide redundancy.
2.9.5 A control
panel is to be provided for managing actions such as opening of valves,
starting of pumps and initiation of alarms and warnings and processing
information from detectors. This panel is to be independent of the
fire detection control unit required by Pt 6, Ch 1, 2.8 Fire detection and fire alarm systems .
2.9.6 Alarms are to be initiated upon activation of a system and are to indicate
the specific zone activated at the control panel.
2.9.7 A failure
in a manual system activation switch circuit is not to prevent system
activation using other installed manual system activation switches
or, where installed, automatic activation. The means of activation
are to be provided with self-monitoring facilities which will activate
an alarm at an attended control station in the event of failure detection.
2.9.9 A minimum
of two fire detectors are to be provided for each protected area.
One is to be a flame detector and the other is to be a smoke or heat
detector, as considered appropriate to the nature of the risk and
ambient conditions. The system is to be activated upon detection by
two of the detectors. A fault in one detector is to initiate an alarm
at an attended control station and is not to inhibit activation of
the system under the control of the other detector or manually.
2.9.10 The
fire detectors are to be arranged (located, oriented, guarded, etc.)
to ensure that a fire in one protected area will not result in the
inadvertent automatic activation of a system for another protected
area. Guards or barriers provided to comply with this requirement
are not to reduce the ability to detect a fire in the protected area.
2.9.12 The system's fire detection systems and control units are to be type
approved in accordance with Test Specification Number 1 given in LR’s Type
Approval System for an environmental category appropriate for the locations in
which they are intended to operate.
2.10 Programmable electronic systems - General requirements
2.10.1 The requirements of this sub-section are to be complied with where control,
alarm, monitoring or safety systems incorporate programmable electronic equipment.
Systems for essential services and safety critical applications, systems incorporating
shared data communication links and systems which are integrated are to comply with the
additional requirements of Pt 6, Ch 1, 2.11 Data communication links, Pt 6, Ch 1, 2.13 Programmable electronic systems - Additional requirements for essential services and safety critical systems and
Pt 6, Ch 1, 2.14 Programmable electronic systems – Additional requirements for integrated systems as applicable. For systems complying with ISO 17894, Ships and
marine technology – Computer applications – General principles for the development
and use of programmable electronic systems in marine applications, see
Pt 6, Ch 1, 2.12 Additional requirements for wireless data communication links.
2.10.3 Programmable
electronic equipment is to revert to a defined safe state on initial
start-up or re-start in the event of failure.
2.10.4 In
the event of failure of any programmable electronic equipment, the
system, and any other system to which it is connected, is to fail
to a defined safe state or maintain safe operation, as applicable.
2.10.7 Programmable
electronic equipment is to be provided with self-monitoring capabilities
such that hardware and functional failures will initiate an audible
and visual alarm in accordance with the requirements of Pt 6, Ch 1, 2.3 Alarm systems, general requirements and, where applicable, Pt 6, Ch 1, 4.2 Alarm system for machinery. Hardware failure indications
are to enable faults to be identifiable at least down to the level
of the lowest replaceable unit and the self-monitoring capabilities
are to ensure that diagnostic information is readily available.
2.10.10 Where
it is necessary to store data required for system operation in volatile
memory, a back-up power supply is to be provided that prevents data
loss in the event of loss of the normal power supply. The submission
required by Pt 6, Ch 1, 1.2 Documentation required for design review 1.2.6 is to include
details of any routine maintenance necessary and the measures necessary
to restore system operation in the event of data loss as a result
of power supply failure.
2.10.11 Back-up
power supplies required by Pt 6, Ch 1, 2.10 Programmable electronic systems - General requirements 2.10.10 are
to be rated to supply the connected load for a defined period of time
that allows sufficient time to restore the supply in the event of
loss of the normal power supply as a result of failure of a main source
of electrical power. This period is not to be less than 30 minutes.
2.10.13 Access to system configuration, programs and data is to be restricted by
physical and/or logical means providing effective security against unauthorised
alteration, both for local and remote access.
2.10.14 Where
date and time information is required by the equipment, this is to
be provided by means of a battery backed clock with restricted access
for alteration. Date and time information is to be fully represented
and utilised.
2.10.15 Displays
and controls are to be protected against liquid ingress due to spillage.
2.10.16 Display
units are to comply with the requirements of an acceptable National
or International Standard, e.g. IEC 60950-1: Information technology
equipment – Safety – Part 1: General requirements, in
respect of emission of ionising radiation.
2.10.17 Where
systems detect fault conditions, any affected mimic diagrams are to
ensure that the status of unreliable and incorrect data is clearly
identified.
2.10.18 Multi-function
displays and controls are to be duplicated and interchangeable where
used for the control or monitoring of more than one system, machinery
item or item of equipment. At least one unit at the main control station
is to be supplied from an independent uninterruptable power system
(UPS).
2.10.19 The
number of multi-function display and control units provided at the
main control station and their power supply arrangements are to be
sufficient to ensure continuing safe operation in the event of failure
of any unit or any power supply.
2.10.20 Software lifecycle activities, e.g. design, development, supply and
maintenance, are to be carried out in accordance with an acceptable quality management
system which has lifecycle models suitable to the nature of the software project,
considering its size, complexity, safety, risk and integrity. Project specific software
quality plans are to be submitted. These are to demonstrate that the provisions of
ISO/IEC 90003: Software engineering – Guidelines for the application of ISO 9001:2015
to computer software, or equivalent, are incorporated. The plans are to define
responsibilities for the lifecycle activities, including verification, validation,
software module testing and integration with other components or systems, and security
policies to be applied.
2.11 Data communication links
2.11.1 Where
control, alarm or safety systems use shared data communication links
to transfer data, the requirements of Pt 6, Ch 1, 2.11 Data communication links 2.11.2 to Pt 6, Ch 1, 2.11 Data communication links 2.11.10 are to
be complied with. The requirements apply to local area networks, fieldbuses
and other types of data communication link which make use of a shared
medium to transfer control, alarm or safety related data between distributed
programmable electronic equipment or systems.
2.11.2 Data
communication is to be automatically restored within 45 seconds in
the event of a single component failure. Upon restoration, priority
is to be given to updating safety critical data and control, alarm
and safety related data for essential services. Components comprise
all items required to facilitate data communication, including cables,
switches, repeaters, software components and power supplies.
2.11.4 The
properties of the data communication link, (e.g. bandwidth, access
control method, etc.), are to ensure that all connected systems will
operate in a safe, stable and repeatable manner under all operating
conditions. The latency of control, alarm and safety related data
is not to exceed two seconds.
2.11.5 Protocols
are to ensure the integrity of control, alarm and safety related data,
and provide timely recovery of corrupted or invalid data.
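The following is an added illustration of the link supervision implied by 2.11.2, 2.11.4 and 2.11.5: frames carry a sequence number and a CRC so that corrupted frames are discarded and lost ones are requested again, data older than two seconds is flagged as stale, a silent link is failed over to the standby, and the time to restoration is measured against the 45 second limit. It is not text or code from the Rules or from any fieldbus or network product; the frame layout, link names and timing values fed to the checks are assumptions made for the example.

```python
"""Link supervision for shared data communication links (2.11.2, 2.11.4, 2.11.5).

Added illustration, not part of the Rules. The frame layout (sequence
number, CRC-32, payload) and the link names are assumptions. Times are
passed in as arguments so the logic can be exercised without waiting.
"""
import struct
import zlib
from typing import Dict, List, Optional, Tuple

MAX_LATENCY_S = 2.0               # 2.11.4
MAX_RESTORE_S = 45.0              # 2.11.2
HEADER = struct.Struct(">IIH")    # seq, crc32(payload), payload length


def encode(seq: int, payload: bytes) -> bytes:
    """Transmitter side: prepend sequence number, CRC and length."""
    return HEADER.pack(seq, zlib.crc32(payload) & 0xFFFFFFFF, len(payload)) + payload


def decode(frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (seq, payload), or None for a truncated or corrupted frame."""
    if len(frame) < HEADER.size:
        return None
    seq, crc, n = HEADER.unpack_from(frame)
    payload = frame[HEADER.size:HEADER.size + n]
    if len(payload) != n or zlib.crc32(payload) & 0xFFFFFFFF != crc:
        return None
    return seq, payload


class LinkSupervisor:
    def __init__(self, links: Tuple[str, str] = ("A", "B")) -> None:
        self.active, self.standby = links
        self.last_rx: Dict[str, float] = {}       # last good frame per link
        self.expected_seq = 0
        self.retransmit: List[int] = []           # gaps to request again (2.11.5)
        self.failed_at: Optional[float] = None    # when the active link was declared lost
        self.events: List[str] = []

    def receive(self, link: str, frame: bytes, now: float) -> Optional[bytes]:
        decoded = decode(frame)
        if decoded is None:
            self.events.append(f"{link}: corrupted frame discarded")
            return None                 # the gap is detected on the next good frame
        seq, payload = decoded
        if seq > self.expected_seq:
            missing = list(range(self.expected_seq, seq))
            self.retransmit.extend(missing)
            self.events.append(f"{link}: gap {missing}, retransmission requested")
        if seq >= self.expected_seq:
            self.expected_seq = seq + 1
        elif seq in self.retransmit:
            self.retransmit.remove(seq)  # recovered frame has arrived
        self.last_rx[link] = now
        if link == self.active and self.failed_at is not None:
            outage = now - self.failed_at
            late = "" if outage <= MAX_RESTORE_S else " (exceeds 45 s)"
            self.events.append(f"restored after {outage:.1f}s{late}")
            self.failed_at = None
        return payload

    def check(self, now: float) -> dict:
        """Periodic health check: flags stale data and fails over to the standby."""
        age = now - self.last_rx.get(self.active, float("-inf"))
        stale = age > MAX_LATENCY_S
        if stale and self.failed_at is None:
            self.failed_at = now
            self.active, self.standby = self.standby, self.active
            self.events.append(f"failover to link {self.active}")
        return {"active": self.active, "stale": stale, "age_s": age,
                "restoring": self.failed_at is not None}
```

The CRC only detects corruption; it is not a security control, which is why 2.12.4 asks for authentication and integrity protection separately on wireless links. The staleness flag is what a display should use to mark data as unreliable rather than showing the last value as if it were current.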
2.11.8 Means
are to be provided to prevent unintended connection or disconnection
of any equipment where this may affect the performance of any other
systems in operation.
2.11.10 The
installation is to provide adequate protection against mechanical
damage and electromagnetic interference.
2.11.11 Components
are to be located with appropriate segregation such that the risk
of mechanical damage or electromagnetic interference resulting in
the loss of both active and standby components is minimised. Duplicated
data communication links are to be routed to give as much physical
separation as is practical.
2.12 Additional requirements for wireless data communication links
2.12.3 For
services not required to operate continuously, wireless data communication
links may be considered where an alternative means of operation can
be brought into action within an acceptable period of time.
2.12.4 Wireless
data communication is to employ recognised international wireless
communication system protocols that incorporate the following:
- Message integrity: fault prevention, detection, diagnosis and correction, ensuring that the received message is not corrupted or altered when compared to the transmitted message.
- Configuration and device authentication: is to permit connection only of devices that are included in the system design.
- Message encryption: protection of the confidentiality and/or criticality of the data content.
- Security management: protection of network assets and prevention of unauthorised access to network assets.
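The following is an added illustration of the device authentication, message integrity and security management bullets of 2.12.4: only devices included in the system design hold a key, every frame carries a keyed authentication tag so alteration in transit is detected, and a per-device counter rejects replayed frames. It is not text or code from the Rules or from any wireless product; device identifiers, keys and the frame layout are constructed. The message encryption bullet is not shown; a real link would add confidentiality with an authenticated cipher from a vetted cryptographic library.

```python
"""Device authentication, message integrity and replay rejection on a wireless link.

Added illustration of the 2.12.4 bullets on message integrity, device
authentication and security management; not text or code from the Rules.
Device identifiers, keys and the frame layout are constructed. Message
encryption (the confidentiality bullet) is not shown; a real link would add
it with an authenticated cipher from a vetted cryptographic library.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional

# Devices included in the system design, each with its own pre-shared key.
# Constructed values: keys would be provisioned at commissioning, not generated here.
PROVISIONED: Dict[bytes, bytes] = {
    b"SENSOR-01": secrets.token_bytes(32),
    b"SENSOR-02": secrets.token_bytes(32),
}

HDR = struct.Struct(">9sQ")   # 9-byte device id, 64-bit message counter
TAG_LEN = hashlib.sha256().digest_size


def seal(device: bytes, counter: int, payload: bytes, key: bytes) -> bytes:
    """Transmitter side: header + payload + HMAC-SHA256 over both."""
    header = HDR.pack(device, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, provisioned: Dict[bytes, bytes]) -> None:
        self.keys = dict(provisioned)          # only designed-in devices can connect
        self.last_counter: Dict[bytes, int] = {}
        self.rejected: List[str] = []          # reasons, for the security log

    def open(self, frame: bytes) -> Optional[bytes]:
        """Return the payload, or None (with a logged reason) if the frame is refused."""
        if len(frame) < HDR.size + TAG_LEN:
            self.rejected.append("truncated")
            return None
        header, body, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        device, counter = HDR.unpack(header)
        key = self.keys.get(device)
        if key is None:
            self.rejected.append("unknown device")   # not in the system design
            return None
        expected = hmac.new(key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.rejected.append("integrity")        # altered in transit or wrong key
            return None
        if counter <= self.last_counter.get(device, -1):
            self.rejected.append("replay")           # old message presented again
            return None
        self.last_counter[device] = counter
        return body
```

The tag is checked before the counter so that an attacker without the key cannot advance or probe a device's counter state, and the comparison is constant-time. The rejection reasons are the events a security management function would forward to an attended station.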
2.12.5 The
wireless system is to comply with the radio frequency and power level
requirements of the International Telecommunications Union and any
requirements of the National Administration with which the ship is
registered.
2.12.6 Compliance
with different port state and local regulations pertaining to the
use of radio-frequency transmission that would prohibit the operation
of a wireless data communication link, due to frequency and power
level restrictions, is not addressed by these requirements and is
the responsibility of the Owner and Operator.
2.13 Programmable electronic systems - Additional requirements for
essential services and safety critical systems
2.13.1 The requirements of Pt 6, Ch 1, 2.13 Programmable electronic systems - Additional requirements for essential services and safety critical systems
2.13.2 to Pt 6, Ch 1, 2.13 Programmable electronic systems - Additional requirements for essential services and safety critical systems
2.13.10 are to be complied with where control, alarm,
monitoring or safety systems for essential services, as defined by Pt 6, Ch 2, 1.6 Definitions,
or safety critical systems, incorporate programmable electronic equipment.
- Safety critical systems are those which provide functions intended to protect persons from physical hazards (e.g. fire, explosion, etc.), or to prevent mechanical damage which may result in the loss of an essential service (e.g. main engine low lubricating oil pressure shutdown).
- Applications that are not essential services may also be considered to be safety critical (e.g. domestic boiler low water level shutdown).
2.13.2 Alternative
means of safe and effective operation are to be provided for essential
services and, wherever practicable, these are to be provided by a
fully independent hard-wired back-up system. Where these alternative
means are not independent of any programmable electronic equipment,
the software is to satisfy the requirements of LR's Software
Conformity Assessment System - Assessment Module GEN1
(1994).
2.13.3 Items
of programmable electronic equipment used to implement control, alarm
or safety functions are to be Type Approved in accordance with LR's Type Approval System Test Specification Number 1 (2013). Type
approval to an alternative and relevant National or International
Standard may be submitted for consideration.
2.13.4 The
system is to be configured such that control, alarm and safety function
groups are independent. A failure of the system is not to result in
the loss of more than one of these function groups. Proposals for
alternative arrangements providing an equivalent level of safety will
be subject to special consideration.
2.13.5 For
essential services, the system is to be arranged to operate automatically
from an alternative power supply in the event of a failure of the
normal supply.
2.13.6 Volatile
memory is not to be used to store data required for:
- an essential service or safety critical functions; or
- ensuring safety or preventing damage, including during start-up
or re-start.
Alternative proposals which demonstrate that an equivalent level
of system integrity will be achieved may be submitted for consideration.
2.13.8 Where
it is intended that the programmable electronic system implements
an emergency stop function or safety critical functions, the software
is to satisfy the requirements of LR’s Software Conformity
Assessment System - Assessment Module GEN1 (1994). Alternative
proposals providing an equivalent level of system integrity will be
subject to special consideration, e.g. fully independent hard-wired
back-up system, redundancy with design diversity, etc.
2.13.9 Control,
alarm and safety related information is to be displayed in a clear,
unambiguous and timely manner, and, where applicable, is to be given
visual prominence over other information on the display.
2.13.10 Means
of access to safety critical functions are to be dedicated to the
intended function and readily distinguishable.
2.14 Programmable electronic systems – Additional requirements
for integrated systems
2.14.1 The
requirements of Pt 6, Ch 1, 2.14 Programmable electronic systems – Additional requirements for integrated systems 2.14.2 to Pt 6, Ch 1, 2.14 Programmable electronic systems – Additional requirements for integrated systems 2.14.7 apply to integrated systems
providing control, alarm or safety functions in accordance with the
Rules, including systems capable of independent operation interconnected
to provide co-ordinated functions or common user interfaces. Examples
include integrated machinery control, alarm and monitoring systems,
power management systems and safety management systems providing a
grouping of fire, passenger, crew or ship safety functions, see
Pt 6, Ch 2, 17 Fire safety systems to Pt 6, Ch 2, 19 Ship safety systems.
2.14.2 System
integration is to be managed by a single designated party, and is
to be carried out in accordance with a defined procedure identifying
the roles, responsibilities and requirements of all parties involved.
This procedure is to be submitted for consideration where the integration
involves control functions for essential services or safety functions
including fire, passenger, crew, and ship safety.
2.14.4 Reversionary
modes of operation are to be provided to ensure safe and graceful
degradation in the event of one or more failures. In general, the
integrated system is to be arranged such that the failure of one part
will not affect the functionality of other parts, except those that
require data from the failed part.
2.14.5 Where
the integration involves control functions for essential services
or safety functions, including fire, passenger, crew, and ship safety,
a Failure Mode and Effects Analysis (FMEA) is to be carried out in
accordance with IEC 60812: Analysis techniques for system reliability
– Procedure for failure mode and effects analysis (FMEA),
or an equivalent and acceptable National or International Standard
and the report and worksheets submitted for consideration. The FMEA
is to demonstrate that the integrated system will 'fail-safe', see
Pt 6, Ch 1, 2.4 Safety systems, general requirements 2.4.5 and Pt 6, Ch 1, 2.5 Control systems, general requirements 2.5.3, and that essential services
in operation will not be lost or degraded beyond acceptable performance
criteria where specified by these Rules.
2.14.6 The
quantity and quality of information presented to the operator are
to be managed to assist situational awareness in all operating conditions.
Excessive or ambiguous information that may adversely affect the operator's
ability to reason or act correctly is to be avoided, but information
needed for corrective or emergency actions is not to be suppressed
or obscured in satisfying this requirement.