Section 2 Essential features for control, alarm, monitoring and safety systems
Classification Society 2024 - Version 9.40
Classifications Register Rules and Regulations - Rules and Regulations for the Classification of Special Service Craft, July 2022 - Part 16 Control and Electrical Engineering - Chapter 1 Control Engineering Systems - Section 2 Essential features for control, alarm, monitoring and safety systems

2.1 General

2.1.1 Systems complying with ISO 17894, Ships and marine technology - Computer applications - General principles for the development and use of programmable electronic systems in marine applications, may be accepted as meeting the requirements of this Section in which case evidence of compliance is to be submitted for consideration.

2.2 Control stations for machinery

2.2.1 A system of alarm and warning displays and controls is to be provided which readily ensures identification of faults in the machinery and satisfactory supervision of related equipment by duty personnel. This may be provided at a main control station or, alternatively, at subsidiary control stations. In the latter case, a master alarm display is to be provided at the main control station showing which of the subsidiary control stations is indicating a fault condition.

2.2.2 At the main control station (if provided) or close to the subsidiary stations (if fitted) means of two way voice communication with the bridge area, the accommodation for engineering personnel and, if necessary, the machinery spaces are to be provided.

2.2.3 Where operator interfaces are installed in the wheelhouse, illumination should not interfere with night vision. All illumination and lighting of instruments, keyboards and controls are to be adjustable to zero illumination, except for lighting for visual indication of alarms and the controls of dimmers, which are to remain readable.

2.2.4 Provision is to be made at the main control station, or subsidiary control stations as appropriate, for the operation of an engineers' alarm which is to be clearly audible in the engineers' accommodation.

2.2.5 Provision is to be made at the main control station and any other subsidiary control station from which the main propulsion and auxiliary machinery or associated equipment may be controlled to indicate which station is in control.

2.2.6 Control of machinery and associated equipment is to be possible only from one station at a time.

2.2.7 Changeover between control stations is to be arranged so that it may only be effected with the acceptance of the station taking control. The system is to be provided with interlocks or other suitable means to ensure effective transfer of control.

2.3 Alarm systems

2.3.1 Machinery, safety and control system faults are to be indicated at the relevant control stations to advise duty personnel of a fault condition. The presence of unrectified faults is to be clearly indicated at all times.

2.3.2 Alarms and warnings associated with machinery and equipment required to satisfy this sub-Section are to be categorised according to the urgency and type of response required by the crew, as described in the IMO Code on Alerts and Indicators, 2009. The assignment of the category to each alert is to be evaluated on the basis not only of the machinery or equipment being monitored, but also the complete installation. Categories not included in an alarm system may be omitted from the system design. Details of alternative alert management proposals, supported with evidence of service experience, may be submitted for consideration by LR.

2.3.3 Where the facility to provide messages in association with alarms and warnings exists, messages accompanying alarms and warnings are to describe the condition and indicate the intended response required by the crew.

2.3.4 Where the facility to provide messages in association with alarms and warnings exists, messages of different categories are to be clearly distinguishable from each other.

2.3.5 Where alarms are displayed as group alarms provision is to be made to identify individual alarms at the main control station (if fitted) or alternatively at subsidiary control stations.

2.3.6 All alarms are to be both audible and visual. If arrangements are made to silence audible signals, they are not to extinguish visual indications.

2.3.7 Acknowledgement of visual alarms is to be clearly indicated.

2.3.8 Acknowledgement of alarms at positions outside a machinery space is not to silence the audible signal or extinguish the visual indication in that machinery space.

2.3.9 If an alarm has been acknowledged and a second fault occurs prior to the first being rectified, audible signals and visual indications are again to operate. Where alarms are displayed at a local panel adjacent to the machinery, with arrangements to provide a group or common fault alarm in the control room, the occurrence of a second fault prior to the first alarm being rectified need only be displayed at the local panel; however, the group alarm is to be re-initiated. Unacknowledged alarms on monitors are to be distinguished by either flashing text or a flashing marker adjacent to the text. A change of colour will not in itself be sufficient to distinguish between acknowledged and unacknowledged alarms.

2.3.10 For the detection of transient faults which are subsequently self-correcting, alarms are required to lock in until accepted.
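The acknowledgement, silencing, second-fault and lock-in behaviour required by 2.3.6 to 2.3.10 can be expressed as a small state model. This is an added example, not code from the Rules; the AlarmPanel and AlarmPoint classes, their method names and the alarm point names are assumed.

```python
"""Alarm handling model for the Section 2.3 acknowledgement rules.

Added example (not code from the Rules): a panel of alarm points with a
control-room group (common fault) alarm.  Class and method names are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    NORMAL = "normal"        # no fault, indication cleared
    UNACK = "unack"          # fault present, not yet accepted
    ACK = "ack"              # fault present and accepted
    LATCHED = "latched"      # fault self-corrected before acceptance (2.3.10)


@dataclass
class AlarmPoint:
    name: str
    state: State = State.NORMAL
    audible: bool = False     # local sounder
    visual: bool = False      # local lamp / text on the monitor

    @property
    def flashing(self) -> bool:
        """2.3.9: unacknowledged alarms flash; a colour change alone is not enough."""
        return self.state in (State.UNACK, State.LATCHED)


@dataclass
class AlarmPanel:
    points: dict = field(default_factory=dict)
    group_active: bool = False    # common fault alarm in the control room (2.3.9)
    group_audible: bool = False

    def add(self, name: str) -> AlarmPoint:
        self.points[name] = AlarmPoint(name)
        return self.points[name]

    def raise_alarm(self, name: str) -> AlarmPoint:
        """Fault detected: audible and visual operate together (2.3.6).
        A further fault before an earlier one is rectified re-sounds the
        sounder and re-initiates the group alarm regardless of any earlier
        acknowledgement (2.3.9)."""
        p = self.points[name]
        p.state = State.UNACK
        p.audible = True
        p.visual = True
        self.group_active = True
        self.group_audible = True
        return p

    def silence(self) -> None:
        """Silence sounders only; visual indications must remain (2.3.6)."""
        for p in self.points.values():
            p.audible = False
        self.group_audible = False

    def acknowledge(self, name: str) -> AlarmPoint:
        """Acceptance is clearly indicated by the state change (2.3.7).
        A latched transient fault clears only on acceptance (2.3.10)."""
        p = self.points[name]
        p.audible = False
        if p.state == State.UNACK:
            p.state = State.ACK
        elif p.state == State.LATCHED:
            p.state = State.NORMAL
            p.visual = False
        self.group_audible = False
        self._update_group()
        return p

    def rectify(self, name: str) -> AlarmPoint:
        """Fault condition gone.  An unaccepted fault locks in until accepted,
        so a transient fault cannot disappear unseen (2.3.10)."""
        p = self.points[name]
        if p.state == State.UNACK:
            p.state = State.LATCHED   # indication kept, still flashing
        elif p.state == State.ACK:
            p.state = State.NORMAL
            p.visual = False
        p.audible = False
        self._update_group()
        return p

    def _update_group(self) -> None:
        # 2.3.1: the presence of unrectified faults is indicated at all times
        if all(p.state == State.NORMAL for p in self.points.values()):
            self.group_active = False
            self.group_audible = False
```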

2.3.11 The alarm system is to be arranged with automatic changeover to a standby power supply in the event of a failure of the normal power supply. Where an alarm system could be adversely affected by an interruption in power supply, changeover to the standby power supply is to be achieved without a break.

2.3.12 Failure of any power supply to the alarm system is to operate an audible and visual alarm.

2.3.13 The alarm system should be designed with self-monitoring properties. Insofar as practicable, any fault in the alarm system should cause it to fail to the alarm condition.

2.3.14 The alarm system is to be capable of being tested during normal machinery operation, see Pt 16, Ch 1, 7.1 General 7.1.2.

2.3.15 The alarm system is to be designed as far as practicable to function independently of control and safety systems such that a failure or malfunction in these systems will not prevent the alarm system from operating.

2.3.16 Disconnection or manual overriding of any part of the alarm system is to be clearly indicated.

2.3.17 When alarm systems are provided with means to adjust their set point, the arrangements are to be such that the final settings can be readily identified.

2.3.18 Where monitors are provided at the station in control and, if fitted, in the duty engineer's accommodation, they are to provide immediate display of new alarm information regardless of the information display page currently selected. This may be achieved by provision of a dedicated alarm monitor, a dedicated area of screen for alarms or other suitable means.

2.3.19 Where practicable, alarms displayed on monitors are to be displayed in the order in which they occur. Alarms requiring manual shutdown or slowdown action are to be given visual prominence.

2.4 Safety systems, general requirements

2.4.1 Safety systems are to operate automatically in case of serious faults endangering the machinery, so that:

  (a) normal operating conditions are restored, e.g. by the starting of standby machinery, or

  (b) the operation of the machinery is temporarily adjusted to the prevailing conditions, e.g. by reducing the output of the machinery, or

  (c) the machinery is protected from critical conditions by shutting off the fuel or power supplies thereby stopping the machinery.

2.4.2 The safety system required by Pt 16, Ch 1, 2.4 Safety systems, general requirements 2.4.1.(c) is to be designed as far as practicable to operate independently of the control and alarm systems, such that a failure or malfunction in the control and alarm systems will not prevent the safety system from operating.

2.4.3 For safety systems required by Pt 16, Ch 1, 2.4 Safety systems, general requirements 2.4.1 and Pt 16, Ch 1, 2.4 Safety systems, general requirements 2.4.1.(b) complete independence from other control systems is not necessary.

2.4.4 Safety systems for different items of the machinery plant are to be arranged so that failure of the safety system of one part of the plant will not interfere with the operation of the safety system in another part of the plant.

2.4.5 The safety system is to be designed to 'fail safe'. The characteristics of the 'fail safe' operation are to be evaluated on the basis not only of the safety system and its associated machinery, but also the complete installation. Failure of a safety system is to initiate an audible and visual alarm.

2.4.6 When a safety system is activated, an audible and visual alarm is to be provided to indicate the cause of the safety action.

2.4.7 The safety system is to be manually reset before the relevant machinery can be restarted.

2.4.8 Where arrangements are provided for overriding a safety system, they are to be such that inadvertent operation is prevented. Visual indication is to be given at the relevant control station(s) when a safety override is operated. High speed craft are to be provided with arrangements for overriding automatic shutdown systems except in cases where there is a risk of complete breakdown or explosion.

2.4.9 The safety system is to be arranged with automatic changeover to a standby power supply in the event of a failure of the normal power supply.

2.4.10 Failure of any power supply to a safety system is to operate an audible and visual alarm.

2.4.11 When safety systems are provided with means to adjust their set point, the arrangements are to be such that the final settings can be readily identified.

2.5 Control systems

2.5.1 Control systems for machinery operations are to be stable throughout their operating range.

2.5.2 The control system is to be designed such that normal operation of the controls cannot induce detrimental mechanical or thermal overloads in the machinery.

2.5.3 When control systems are provided with means to adjust their sensitivity or set point, the arrangements are to be such that the final settings can be readily identified.

2.5.4 Control systems are to be designed to 'fail safe'. The characteristics of the 'fail safe' operation are to be evaluated on the basis not only of the control system and its associated machinery, but also the complete installation.

2.5.5 Failure of any power supply to a control system is to operate an audible and visual alarm.

2.5.6 Where machinery is fitted with automatic or remote controls so that under normal operating conditions it does not require any manual intervention by the operators, it is to be provided with the alarms and safety arrangements required by the appropriate Chapter(s). Alternative arrangements which provide equivalent safeguards will be considered.

2.5.7 Remote or automatic controls are to be provided with sufficient instrumentation at the relevant control stations to ensure effective control by duty personnel and to indicate that the system is functioning correctly.

2.5.8 Where machinery is arranged to start automatically or from a remote control station, interlocks are to be provided to prevent start-up under conditions which could hazard the machinery.

2.5.9 Where machinery, controlled in accordance with Pt 16, Ch 1, 2.5 Control systems 2.5.6, is required to be provided with a standby pump, the standby pump is to start automatically if the discharge pressure from the working pumps falls below a predetermined value.

2.5.10 Failure of a control system is not to result in the loss of ability to provide essential services by alternative means. This may be achieved by manual control or redundancy within the control system or redundancy in machinery and equipment, see also Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.2. Instrumentation is to be provided at local manual control stations to ensure effective operation of the machinery by duty personnel.

2.6 Bridge control for propulsion machinery

2.6.1 Means are to be provided to ensure satisfactory control of propulsion from the bridge in both the ahead and astern directions.

2.6.2 Two independent means are to be provided on the bridge to enable the watchkeeper to stop the propulsion machinery in an emergency.

2.6.3 Audible and visual alarms are to operate on the bridge and in the machinery alarm system if any power supply to the bridge control system fails. Where practicable the preset speed and direction of thrust are to be maintained until corrective action is taken.

2.6.4 Cargo (B) high speed craft are to be provided with a standby system for controlling propulsion machinery. A standby system controllable from an engine control space such as an engine control room outside the bridge is acceptable.

2.6.5 Passenger (B) high speed craft are to be provided with a standby system for controlling propulsion machinery from the bridge.

2.6.6 Passenger (B) high speed craft are to be provided with additional control of propulsion and manoeuvring at the same location as the emergency functions referred to in Ch 2, 16.5.6. Such stations are to have direct communication with the bridge area.

2.6.7 For high speed craft, failure of the operating propulsion control system or of transfer of control is to bring the craft to low speed without hazarding passengers or craft.

2.7 Valve control systems

2.7.1 Where cargo, bilge, ballast, fuel oil transfer and sea valves for engine services are operated by remote or automatic control, the requirements of Pt 16, Ch 1, 2.7 Valve control systems 2.7.2 are to be satisfied.

2.7.2 Failure of actuator power is not to permit a valve to move to an unsafe condition.

2.7.3 Positive indication is to be provided at the remote control station for the service to show the actual valve position or alternatively that the valve is fully open or closed.

2.7.4 Equipment located in places which may be flooded is to be capable of operating when submerged.

2.7.5 A secondary means of operating the valves, which may be by local manual control, is to be provided.

2.7.6 For requirements applicable to closing appliances on scuppers and sanitary discharges, see Pt 3, Ch 4, 9.4 Scupper arrangements. For power supplies on passenger craft, see Pt 16, Ch 2, 3.2 Emergency source of electrical power in passenger craft and for yachts that are 500 gt or more.

2.8 Fire detection and fire alarm systems

2.8.1 Fire detection and fire alarm systems are to comply with Chapter 9 – Fixed fire detection and fire alarm systems of the Fire Safety Systems Code (FSS Code), Pt 17 Fire Protection, Detection and Extinction and the requirements in this Section as applicable.

2.8.2 Fire detection control units, indicating panels, detector heads, manual call points and short-circuit isolation units are to be type approved in accordance with Test Specification Number 1 given in LR’s Type Approval System for an environmental category appropriate for the locations in which they are intended to operate.

2.8.3 The alarm system is to be designed with self-monitoring properties. Power or system failures are to initiate an audible alarm distinguishable from the fire-alarm. This alarm may be incorporated in the machinery alarm system as required by Pt 16, Ch 1, 2.3 Alarm systems.

2.8.4 When fire detectors are provided with means to adjust their sensitivity, the arrangements are to be such that the set point can be fixed and readily identified.

2.8.5 The fire detector heads are to be of a type which can be tested and reset without the renewal of any component. Facilities are to be provided on the fire-control panel for functional testing and reset of the system.

2.8.6 When it is intended that a particular loop is to be temporarily switched off, this state is to be clearly indicated at the fire detection indicating panels.

2.8.7 When it is intended that a particular detector(s) is (are) to be temporarily switched off locally, this state is to be clearly indicated at the local position. Reactivation of the detector(s) is to be performed automatically after a preset time.

2.8.8 It is to be demonstrated to the Surveyor’s satisfaction that detector heads are so located that air currents will not render the system ineffective whether the craft is at sea or in port.

2.8.9 An audible fire-alarm is to be provided having a characteristic which distinguishes it from the alarm system required by Pt 16, Ch 1, 2.3 Alarm systems or any other alarm system.

2.8.10 Where an automatic fire detection system is to be fitted in a machinery space, the requirements of Pt 16, Ch 1, 2.8 Fire detection and fire alarm systems 2.8.11 to Pt 16, Ch 1, 2.8 Fire detection and fire alarm systems 2.8.15 are also to be satisfied. See also SOLAS 1974, as amended Chapter II-2, Part C, Regulation 7 - Detection and alarm, or Pt 17 Fire Protection, Detection and Extinction as applicable.

2.8.11 Detector heads are to be located in the machinery spaces so that all potential fire outbreak points are guarded. A combination of detectors is to be provided to ensure that the system will react to all possible fire characteristics.

2.8.12 Fire detection indicating panels are to denote the section in which a detector or manually operated call point has operated. At least one indicating panel is to be so located that it is easily accessible to responsible members of the crew at all times. An indicating panel is to be located on the navigating bridge, together with TV monitoring in the case of high speed craft.

2.8.13 A fire detection control unit is to be located in the navigating bridge area, the fire-control station, or in some other position such that a fire in the machinery spaces will not render it inoperable.

2.8.14 The audible fire-alarm is to be immediately audible on all parts of the navigating bridge, at the fire-control station and the machinery control stations, and throughout the crew accommodation areas and the machinery spaces.

2.8.15 Facilities are to be provided in the fire detection system to initiate manually the fire-alarm from the following locations:

  (a) Positions adjacent to all exits from machinery spaces.

  (b) Navigating bridge.

  (c) Control station in engine room.

  (d) Fire control station.

2.8.16 Fire detection systems within the accommodation spaces and cabin balconies are also to comply with Pt 16, Ch 1, 2.8 Fire detection and fire alarm systems 2.8.17.

2.8.17 In yachts, the fixed fire detection and fire-alarm systems are to be capable of remotely and individually identifying each detector and manually operated call point. On other craft, indicating units are to denote, as a minimum, the section in which a detector or manually operated call point has operated. At least one indicating unit is to be so located that it is easily accessible to responsible members of the crew. One indicating unit is to be located on the navigating bridge if the control panel is located in the central control station.

2.8.18 Clear information is to be displayed on or adjacent to each indicating unit regarding the spaces covered and the location of the section and, for yachts, each detector and manually operated call point.

2.8.19 The fire detection system is not to be used for any other purpose, except that closing of fire doors and similar functions may be permitted at the control panel. For craft required to comply with the HSC Code, the control panel may be used to activate a paging system, fan stops, closure of fire doors, closure of fire and smoke dampers, and/or a sprinkler system.

2.8.20 In passenger craft other than yachts, where the fire detection system does not include means of remotely identifying each detector individually, a section of detectors is neither to serve spaces on both sides of the craft nor on more than one deck, except when permitted by Pt 16, Ch 2, 17.1 Fire detection and fire alarm systems 17.1.8.

2.8.21 A section of fire detectors and manually operated call points which covers a control station, a service space or an accommodation space is not to include a machinery space of Category A.

2.8.22 The fire control panel is to be located on the navigating bridge or in a central fire-control station and may form part of that panel specified in Pt 16, Ch 1, 2.8 Fire detection and fire alarm systems 2.8.12. In passenger craft carrying more than 36 passengers, the fire-control panel is to be located in the continuously manned central control station.

2.8.23 Detectors and manually operated call points are to be grouped into sections. The activation of any detector or manually operated call point is to initiate a visual and audible fire signal at the control panel and indicating units. If the signals have not received attention within two minutes an audible alarm is to be automatically sounded throughout the crew accommodation and service spaces, control stations and machinery spaces of Category A. For craft required to comply with the HSC Code, there is to be no time delay for the audible alarms in crew accommodation areas, following initiation of an audible and visual alarm at the control panel and indicating units, when all the control stations are unattended. This alarm sounder system need not be an integral part of the detection system.

2.8.24 For electrical engineering requirements, see Pt 16, Ch 2, 17.1 Fire detection and fire alarm systems.

2.9 Fixed water-based local application fire-fighting systems

2.9.1 Where fixed water-based local application fire-fighting systems are required to be installed by National Administration requirements, arrangements are to be in accordance with this sub-Section.

2.9.2 Systems are to be available for immediate use and arranged for manual activation from inside and outside the protected space. See also Pt 16, Ch 2, 17.3 Fixed water-based local application fire-fighting systems 17.3.4.

2.9.3 Activation of a system is not to result in loss of electrical power or reduction of the manoeuvrability of the craft and is not to require confirmation of space evacuation or sealing, see also Pt 16, Ch 2, 17.3 Fixed water-based local application fire-fighting systems 17.3.12.

2.9.4 System zones and protected areas are to be arranged to allow essential services to be provided by machinery and/or equipment located outside areas affected by direct spray or extended water in the event of a system activation, where the machinery and/or equipment is duplicated or otherwise replicated to provide redundancy.

2.9.5 A control panel is to be provided for managing actions such as opening of valves, starting of pumps and initiation of alarms and warnings and processing information from detectors. This panel is to be independent of the fire detection control unit required by Pt 16, Ch 1, 2.8 Fire detection and fire alarm systems.

2.9.6 Alarms are to be initiated upon activation of a system and are to indicate the specific zone released at the control panel. Alarms are to be provided in each protected space, at an attended machinery control station and in the wheelhouse. The audible alarm is to be distinguishable from other safety system alarms.

2.9.7 A failure in a manual system activation switch circuit is not to prevent system activation using other installed manual system activation switches or, where installed, automatic activation. The means of activation are to be provided with self-monitoring facilities which will activate an alarm at an attended control station in the event of failure detection.

2.9.8 Where, additionally, the system is required to be capable of automatic release, the arrangements are to be in accordance with Pt 16, Ch 1, 2.9 Fixed water-based local application fire-fighting systems 2.9.9 to Pt 16, Ch 1, 2.9 Fixed water-based local application fire-fighting systems 2.9.12.

2.9.9 A minimum of two fire detectors are to be provided for each protected area. One is to be a flame detector and the other is to be a smoke or heat detector, as considered appropriate to the nature of the risk and ambient conditions. The system is to be activated upon detection by two of the detectors. A fault in one detector is to initiate an alarm at an attended control station and is not to inhibit activation of the system under the control of the other detector or manually.
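The release decision of 2.9.9 (two-detector confirmation, with a faulted detector raising an alarm but not inhibiting release by the remaining detector or by manual activation) written out as an added example; this is not code from the Rules, and the Detector class, the evaluate() function and the alarm texts are assumed. The vote is written generally as 2-of-N over the healthy detectors, of which the two-detector case in the text is one instance.

```python
"""Release logic for a local application fire-fighting zone (2.9.9).

Added example, not code from the Rules.  Class and function names are assumed.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    FLAME = "flame"
    SMOKE = "smoke"
    HEAT = "heat"


@dataclass
class Detector:
    kind: Kind
    alarm: bool = False     # detector reports fire
    fault: bool = False     # detector self-test failed or loop open


@dataclass
class Decision:
    release: bool           # zone released (automatically or manually)
    alarms: list            # alarms raised at the attended control station


def evaluate(detectors: list, manual_release: bool = False) -> Decision:
    """Decide whether the zone is released and which alarms are raised.

    - The area must have a flame detector plus a smoke or heat detector.
    - Automatic release needs detection by two detectors (2-of-N here).
    - A faulted detector raises a fault alarm and is excluded from the vote,
      so the remaining healthy detector alone may release the system.
    - Manual release is always honoured, even with every detector faulted.
    """
    kinds = {d.kind for d in detectors}
    if len(detectors) < 2 or Kind.FLAME not in kinds or not (kinds & {Kind.SMOKE, Kind.HEAT}):
        raise ValueError("protected area needs a flame detector plus a smoke or heat detector")

    alarms = [f"{d.kind.value} detector fault" for d in detectors if d.fault]
    healthy = [d for d in detectors if not d.fault]
    detected = [d for d in healthy if d.alarm]

    # with all detectors healthy this is the two-detector confirmation;
    # with one of two faulted the surviving detector decides on its own
    required = min(2, len(healthy))
    auto = bool(healthy) and len(detected) >= required
    if not healthy:
        alarms.append("automatic release unavailable")

    release = manual_release or auto
    if release:
        alarms.append("zone released")   # activation alarm, see 2.9.6
    return Decision(release, alarms)
```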

2.9.10 The fire detectors are to be arranged (located, oriented, guarded, etc.) to ensure that a fire in one protected area will not result in the inadvertent automatic activation of a system for another protected area. Guards or barriers provided to comply with this requirement are not to reduce the ability to detect a fire in the protected area.

2.9.11 A fire detection alarm system panel in accordance with Pt 16, Ch 1, 2.8 Fire detection and fire alarm systems may be used for receiving fire detection signals. Separate loops are not required provided that the address of the initiating device can be identified at the control panel. The received signals are then to be sent to the control panel required by Pt 16, Ch 1, 2.9 Fixed water-based local application fire-fighting systems 2.9.5 for processing and action.

2.9.12 The system's fire detection systems and control units are to meet the performance criteria stipulated by the National Administration and are to be Type Approved in accordance with Test Specification Number 1 given in LR’s Type Approval System for an environmental category appropriate for the locations in which they are intended to operate.

2.10 Programmable electronic systems – General requirements

2.10.1 The requirements of this sub-Section are to be complied with where control, alarm, monitoring or safety systems incorporate programmable electronic equipment. Systems for essential services and safety critical applications, systems incorporating shared data communication links and systems which are integrated are to comply with the additional requirements of Pt 16, Ch 1, 2.11 Data communication links, Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems and Pt 16, Ch 1, 2.14 Programmable electronic systems - Additional requirements for integrated systems, as applicable. For systems complying with ISO 17894, Ships and marine technology - Computer applications - General principles for the development and use of programmable electronic systems in marine applications, see Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems.

2.10.2 Where programmable electronic systems share resources, any components that can affect the ability to effectively provide required control, alarm or safety functions are to fulfil the requirements of Pt 16, Ch 1, 2.10 Programmable electronic systems – General requirements to Pt 16, Ch 1, 2.14 Programmable electronic systems - Additional requirements for integrated systems related to providing those required functions.

2.10.3 Programmable electronic equipment is to revert to a defined safe state on initial start up or re-start in the event of failure.

2.10.4 In the event of failure of any programmable electronic equipment, the system and any other system to which it is connected, is to fail to a defined safe state or maintain safe operation, as applicable.

2.10.5 Programmable electronic equipment is to be certified by a recognised authority as suitable for the environmental conditions in which it is intended to operate, see also Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.3.

2.10.6 Emergency stop functions are to be hard-wired and independent of any programmable electronic equipment. Alternatively, the system providing emergency stop functions is to comply with the requirements of Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.2 and/or Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.8.

2.10.7 Programmable electronic equipment is to be provided with self-monitoring capabilities such that hardware and functional failures will initiate an audible and visual alarm in accordance with the requirements of Pt 16, Ch 1, 2.3 Alarm systems and, where applicable, Pt 16, Ch 1, 4.2 Alarm system for machinery. Hardware failure indications are to enable faults to be identifiable at least down to the level of the lowest replaceable unit, and the self-monitoring capabilities are to ensure that diagnostic information is readily available.

2.10.8 Means are to be provided to recover or replace data required for safe and effective system operation lost as a result of component failure. The submission required by Pt 16, Ch 1, 1.2 Documentation required for design review 1.2.6 is to address reinstatement of system operation following data loss.

2.10.9 System configuration, programs and data are to be protected against loss or corruption in the event of failure of any power supply. For essential services and safety critical systems, see Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.6.

2.10.10 Where it is necessary to store data required for system operation in volatile memory, a back-up power supply is to be provided that prevents data loss in the event of loss of the normal power supply. The submission required by Pt 16, Ch 1, 1.2 Documentation required for design review 1.2.6 is to include details of any routine maintenance necessary and the measures necessary to restore system operation in the event of data loss as a result of power supply failure.

2.10.11 Back-up power supplies required by Pt 16, Ch 1, 2.10 Programmable electronic systems – General requirements 2.10.10 are to be rated to supply the connected load for a defined period of time that allows sufficient time to restore the supply in the event of loss of the normal power supply as a result of failure of a main source of electrical power. This period is not to be less than 30 minutes.

2.10.12 Where regular battery replacement is required to maintain the availability of volatile memory back-up power supply required by Pt 16, Ch 1, 2.10 Programmable electronic systems – General requirements 2.10.10, these are to be included in the schedule of batteries required by Pt 16, Ch 2, 1.2 Documentation required for design review 1.2.10 and Pt 16, Ch 2, 12.7 Recording of batteries for emergency and essential services, irrespective of battery type and size. Applicable entries in this schedule are to note that these batteries are not for safety critical systems or essential or emergency services.

2.10.13 Access to system configuration, programs and data is to be restricted by physical and/or logical means providing effective security against unauthorised alteration both for local and remote access.

2.10.14 Where date and time information is required by the equipment, this is to be provided by means of a battery backed clock with restricted access for alteration. Date and time information is to be fully represented and utilised.

2.10.15 Displays and controls are to be protected against liquid ingress due to spillage.

2.10.16 Display units are to comply with the requirements of an acceptable National or International Standard, e.g. IEC 60950-1: Information technology equipment – Safety – Part 1: General requirements, in respect of emission of ionising radiation.

2.10.17 Where systems detect fault conditions, any affected mimic diagrams are to ensure that the status of unreliable and incorrect data is clearly identified.

2.10.18 Multi-function displays and controls are to be duplicated and interchangeable where used for the control or monitoring of more than one system, machinery item or item of equipment. At least one unit at the main control station is to be supplied from an independent uninterruptible power system (UPS).

2.10.19 The number of multi-function display and control units provided at the main control station and their power supply arrangements are to be sufficient to ensure continuing safe operation in the event of failure of any unit or any power supply.

2.10.20 Software lifecycle activities, e.g. design, development, supply and maintenance, are to be carried out in accordance with an acceptable quality management system which has lifecycle models suitable to the nature of the software project, considering its size, complexity, safety, risk and integrity. Project specific software quality plans are to be submitted. These are to demonstrate that the provisions of ISO/IEC 90003: Software engineering – Guidelines for the application of ISO 9001:2015 to computer software, or equivalent, are incorporated. The plans are to define responsibilities for the lifecycle activities, including verification, validation, software module testing, integration with other components or systems and security policies to be applied.

2.11 Data communication links

2.11.1 Where control, alarm or safety systems use shared data communication links to transfer data, the requirements of Pt 16, Ch 1, 2.11 Data communication links 2.11.2 are to be complied with. The requirements apply to local area networks, fieldbuses and other types of data communication link which make use of a shared medium to transfer control, alarm or safety related data between distributed programmable electronic equipment or systems.

2.11.2 Data communication is to be automatically restored within 45 seconds in the event of a single component failure. Upon restoration, priority is to be given to updating safety critical data and control, alarm and safety related data for essential services. Components comprise all items required to facilitate data communication, including cables, switches, repeaters, software components and power supplies.

2.11.3 Loss of a data communication link is not to result in the loss of ability to operate any essential service by alternative means, see also Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.2.

2.11.4 The properties of the data communication link, (e.g. bandwidth, access control method, etc.), are to ensure that all connected systems will operate in a safe, stable and repeatable manner under all operating conditions. The latency of control, alarm and safety related data is not to exceed two seconds.

2.11.5 Protocols are to ensure the integrity of control, alarm and safety related data, and provide timely recovery of corrupted or invalid data.

2.11.6 Means are to be provided to monitor performance and identify hardware and functional failures. An audible and visual alarm is to operate in accordance with the requirements of Pt 16, Ch 1, 2.3 Alarm systems and, where applicable, Pt 16, Ch 1, 4.2 Alarm system for machinery in the event of a failure of an active or standby component.
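The following is an added worked example, not part of the Rules, showing how the three numerical criteria in 2.11.2, 2.11.4 and 2.11.6 (automatic restoration within 45 seconds after a single component failure, end-to-end latency not exceeding two seconds, and an alarm on failure of an active or standby component) can be checked by a link monitor fed with heartbeat messages from a duplicated data communication link. The heartbeat period, the number of missed heartbeats that counts as a failure, the path names "A" and "B" and the message trace are all assumptions constructed for the example; real systems would take the timestamps from the receiving equipment's own clock.

```python
"""Link monitor for a shared data communication link carrying control, alarm
and safety related data.  Receivers feed it (rx_time, path, tx_time) tuples
taken from heartbeat messages on the active and standby paths; it detects loss
of a path, measures how long communication took to be restored and checks
message latency against fixed limits."""

MISS_LIMIT = 3          # heartbeats missed before a path is declared failed (assumed)
HEARTBEAT_PERIOD = 1.0  # seconds between heartbeats (assumed)
RESTORE_LIMIT = 45.0    # seconds allowed to restore communication (Rule 2.11.2)
LATENCY_LIMIT = 2.0     # seconds allowed end-to-end latency (Rule 2.11.4)


def analyse_link(events, period=HEARTBEAT_PERIOD, miss_limit=MISS_LIMIT,
                 restore_limit=RESTORE_LIMIT, latency_limit=LATENCY_LIMIT):
    """Return {'alarms': [(time, text), ...], 'outages': [dict, ...]}.

    events: iterable of (rx_time, path, tx_time) in seconds, any order."""
    alarms = []
    outages = []
    last_rx = {}
    timeout = miss_limit * period
    for rx_time, path, tx_time in sorted(events):
        latency = rx_time - tx_time
        if latency > latency_limit:
            alarms.append((round(rx_time, 3),
                           f"path {path}: latency {latency:.1f} s exceeds {latency_limit:.0f} s"))
        prev = last_rx.get(path)
        if prev is not None and rx_time - prev > timeout:
            # The path went quiet: failure is detected when the timeout expires,
            # restoration is the arrival of the next heartbeat on that path.
            detected = round(prev + timeout, 3)
            duration = round(rx_time - prev, 3)
            outages.append({"path": path, "detected_at": detected,
                            "restored_at": round(rx_time, 3), "duration": duration})
            alarms.append((detected, f"path {path}: communication lost"))
            verdict = "within" if duration <= restore_limit else "EXCEEDS"
            alarms.append((round(rx_time, 3),
                           f"path {path}: restored after {duration:.1f} s "
                           f"({verdict} {restore_limit:.0f} s limit)"))
        last_rx[path] = rx_time
    # A path that is still silent at the end of the trace has not been restored.
    end = max(e[0] for e in events) if events else 0.0
    for path, prev in last_rx.items():
        if end - prev > timeout:
            alarms.append((round(prev + timeout, 3),
                           f"path {path}: communication lost (not restored)"))
    alarms.sort(key=lambda a: a[0])
    return {"alarms": alarms, "outages": outages}


def constructed_trace():
    """Constructed heartbeat trace: path A silent from t=11 s to t=39 s
    (a 30 s outage), path B with one 2.5 s latency spike at t=20 s."""
    events = []
    for t in range(0, 61):
        if not 10 < t < 40:
            events.append((float(t) + 0.2, "A", float(t)))
        lat = 2.5 if t == 20 else 0.2
        events.append((float(t) + lat, "B", float(t)))
    return events


if __name__ == "__main__":
    for when, text in analyse_link(constructed_trace())["alarms"]:
        print(f"{when:6.1f} s  {text}")
```

Two details matter in practice: the failure alarm is raised when the timeout expires, not when the next heartbeat arrives, so a path that never comes back still produces an alarm; and the latency check uses the sender's timestamp, which only works if the clocks at both ends are synchronised (see 2.10.14).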

2.11.7 System self-monitoring capabilities are to be arranged to initiate transition to a defined safe state for the complete installation in the event of data communication failure, see also Pt 16, Ch 1, 2.5 Control systems 2.5.4.

2.11.8 Means are to be provided to prevent unintended connection or disconnection of any equipment where this may affect the performance of any other systems in operation.

2.11.9 Data cables are to comply with the applicable requirements of Pt 16, Ch 2, 11 Electric cables, optical fibre cables and busbar trunking systems (busways). Other media will be subject to special consideration.

2.11.10 The installation is to provide adequate protection against mechanical damage and electromagnetic interference.

2.11.11 Components are to be located with appropriate segregation such that the risk of mechanical damage or electromagnetic interference resulting in the loss of both active and standby components is minimised. Duplicated data communication links are to be routed to give as much physical separation as is practical.

2.12 Additional requirements for wireless data communication links

2.12.1 The requirements of this sub-Section are in addition to Pt 16, Ch 1, 2.11 Data communication links and apply to systems incorporating wireless data communication links.

2.12.2 Wireless data communication links are not to be used for safety critical systems or essential services that are required for the propulsion or safety of the craft, except as permitted by Pt 16, Ch 1, 2.12 Additional requirements for wireless data communication links 2.12.3.

2.12.3 For services not required to operate continuously, wireless data communication links may be considered where an alternative means of operation that can be brought into action within an acceptable period of time is provided.

2.12.4 Wireless data communication is to employ recognised international wireless communication system protocols that incorporate the following:

  1. Message integrity: fault prevention, detection, diagnosis and correction, ensuring that the received message is not corrupted or altered when compared to the transmitted message.

  2. Configuration and device authentication: is to permit connection only of devices that are included in the system design.

  3. Message encryption: protection of the confidentiality and/or criticality of the data content.

  4. Security management: protection of network assets and prevention of unauthorised access to network assets.
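The following is an added example, not part of the Rules and not a reference to any particular wireless standard, showing what the four properties listed in 2.12.4 look like at the level of a single frame: a per-device pre-shared key authenticates the sender, a receiver allowlist admits only devices included in the system design, an encrypt-then-MAC construction provides integrity and confidentiality, and a sequence number rejects replayed frames. The frame layout, the device identifiers, the keys and the alarm payload are assumptions constructed for the example. Because the Python standard library has no authenticated cipher, the keystream is HMAC-SHA256 in counter mode; a production link would use a standardised AEAD such as AES-GCM from a vetted library, keeping the same framing and checks.

```python
"""Framing for a wireless data communication link: every frame carries a
device identifier, a sequence number, an encrypted payload and an
authentication tag.  The receiver accepts only devices in its configured
allowlist, rejects frames whose tag does not verify and rejects replays."""

import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 tag
SEQ_LEN = 8    # 64-bit sequence number


def _derive(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and authentication keys from one pre-shared key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stand-in for a standard AEAD).
    The nonce (device id + sequence number) must never repeat under one key."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(device_id: str, key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a frame: header | ciphertext | tag (encrypt-then-MAC)."""
    dev = device_id.encode("ascii")
    header = struct.pack(">B", len(dev)) + dev + struct.pack(">Q", seq)
    ct = _xor(payload, _keystream(_derive(key, b"enc"), header, len(payload)))
    tag = hmac.new(_derive(key, b"mac"), header + ct, hashlib.sha256).digest()
    return header + ct + tag


class Receiver:
    """Holds the allowlist of devices included in the system design."""

    def __init__(self, allowlist: dict):
        self.allowlist = dict(allowlist)            # device id -> pre-shared key
        self.last_seq = {d: -1 for d in allowlist}  # anti-replay state per device

    def open(self, frame: bytes):
        """Return (device_id, payload) or raise ValueError with the rejection reason."""
        if len(frame) < 1 + SEQ_LEN + TAG_LEN:
            raise ValueError("frame too short")
        dlen = frame[0]
        hdr_len = 1 + dlen + SEQ_LEN
        if len(frame) < hdr_len + TAG_LEN:
            raise ValueError("frame too short")
        header, ct, tag = frame[:hdr_len], frame[hdr_len:-TAG_LEN], frame[-TAG_LEN:]
        dev = frame[1:1 + dlen].decode("ascii", errors="replace")
        seq = struct.unpack(">Q", frame[1 + dlen:hdr_len])[0]
        key = self.allowlist.get(dev)
        if key is None:                               # configuration and device authentication
            raise ValueError(f"device {dev!r} not in system design")
        expected = hmac.new(_derive(key, b"mac"), header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):    # message integrity, constant-time compare
            raise ValueError("integrity check failed")
        if seq <= self.last_seq[dev]:                 # replay check only after the tag verifies
            raise ValueError("replayed or stale frame")
        self.last_seq[dev] = seq
        return dev, _xor(ct, _keystream(_derive(key, b"enc"), header, len(ct)))


def outcome(rx: Receiver, frame: bytes) -> str:
    """Try to accept a frame; return 'accepted' or the rejection reason."""
    try:
        rx.open(frame)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def run_demo() -> dict:
    """Exercise the receiver against a constructed set of frames."""
    key = hashlib.sha256(b"constructed pre-shared key for SENSOR-01").digest()
    rx = Receiver({"SENSOR-01": key})
    payload = b"LO_PRESS=1.8bar;ALARM=1"                       # constructed alarm message
    good = seal("SENSOR-01", key, 1, payload)
    tampered = bytearray(good)
    tampered[1 + len("SENSOR-01") + SEQ_LEN] ^= 0x01          # flip one ciphertext bit
    rogue = seal("ROGUE-99", hashlib.sha256(b"attacker key").digest(), 1, b"OPEN_VALVE")
    results = {"accepted": rx.open(good)[1]}                   # first delivery is accepted
    results["tampered"] = outcome(rx, bytes(tampered))         # integrity failure
    results["replay"] = outcome(rx, good)                      # same frame delivered again
    results["unknown"] = outcome(rx, rogue)                    # device not in the design
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:9s} {value!r}")
```

The order of the checks is deliberate: the allowlist lookup and tag verification run before anything that changes receiver state, so an attacker who cannot produce a valid tag can neither advance the sequence counter nor learn anything from the decrypted payload. Note also that the replay state is per device and would need to survive a restart of the receiver, otherwise a captured frame could be replayed after a power cycle (compare 2.10.10 and 2.13.6 on data held in volatile memory).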

2.12.5 The wireless system is to comply with the radio frequency and power level requirements of the International Telecommunications Union and any requirements of the National Administration with which the craft is registered.

2.12.6 Compliance with different port state and local regulations pertaining to the use of radio-frequency transmission that would prohibit the operation of a wireless data communication link, due to frequency and power level restrictions, is not addressed by these requirements and is the responsibility of the Owner and Operator.

2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems

2.13.1 The requirements of Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.2 to Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.10 are to be complied with where control, alarm, monitoring or safety systems for essential services, as defined by Pt 16, Ch 2, 1.6 Definitions, or safety critical systems, incorporate programmable electronic equipment:

  1. Safety critical systems are those which provide functions intended to protect persons from physical hazards (e.g. fire, explosion, etc.), or to prevent mechanical damage which may result in the loss of an essential service (e.g. main engine low lubricating oil pressure shutdown).

  2. Applications that are not essential services may also be considered to be safety critical (e.g. domestic boiler low water level shutdown).

2.13.2 Alternative means of safe and effective operation are to be provided for essential services and, wherever practicable, these are to be by provision of a fully independent hard wired back-up system. Where these alternative means are not independent of any programmable electronic equipment, the software is to satisfy the requirements of LR's Software Conformity Assessment System - Assessment Module GEN1 (1994).

2.13.3 Items of programmable electronic equipment used to implement control, alarm or safety functions are to be Type Approved in accordance with LR's Type Approval System Test Specification Number 1 (2002). Type approval to an alternative and relevant National or International Standard may be submitted for consideration.

2.13.4 The system is to be configured such that control, alarm and safety function groups are independent. A failure of the system is not to result in the loss of more than one of these function groups. Proposals for alternative arrangements providing an equivalent level of safety will be subject to special consideration.

2.13.5 For essential services, the system is to be arranged to operate automatically from an alternative power supply in the event of a failure of the normal supply.

2.13.6 Volatile memory is not to be used to store data required for:

  • an essential service or safety critical functions; or
  • ensuring safety or preventing damage, including during start-up or re-start.

Alternative proposals which demonstrate that an equivalent level of system integrity will be achieved may be submitted for consideration.

2.13.7 Failure of any power supply is to initiate an audible and visual alarm in accordance with the requirements of Pt 16, Ch 1, 2.3 Alarm systems and, where applicable, Pt 16, Ch 1, 4.2 Alarm system for machinery.

2.13.8 Where it is intended that the programmable electronic system implements an emergency stop function or safety critical functions, the software is to satisfy the requirements of LR's Software Conformity Assessment System - Assessment Module GEN1 (1994). Alternative proposals providing an equivalent level of system integrity will be subject to special consideration, e.g. fully independent hard wired back-up system, redundancy with design diversity, etc.

2.13.9 Control, alarm and safety related information is to be displayed in a clear, unambiguous and timely manner, and, where applicable, is to be given visual prominence over other information on the display.

2.13.10 Means of access to safety critical functions are to be dedicated to the intended function and readily distinguishable.

2.14 Programmable electronic systems - Additional requirements for integrated systems

2.14.1 The requirements of Pt 16, Ch 1, 2.14 Programmable electronic systems - Additional requirements for integrated systems 2.14.2 to Pt 16, Ch 1, 2.14 Programmable electronic systems - Additional requirements for integrated systems 2.14.7 apply to integrated systems providing control, alarm or safety functions in accordance with the Rules, including systems capable of independent operation interconnected to provide co-ordinated functions or common user interfaces. Examples include integrated machinery control, alarm and monitoring systems, power management systems and safety management systems providing a grouping of fire, passenger, crew or craft safety functions, see Pt 16, Ch 2, 17 Fire safety systems.

2.14.2 System integration is to be managed by a single designated party, and is to be carried out in accordance with a defined procedure identifying the roles, responsibilities and requirements of all parties involved. This procedure is to be submitted for consideration where the integration involves control functions for essential services or safety functions including fire, passenger, crew, and craft safety.

2.14.3 The system requirements specification, see Pt 16, Ch 1, 1.2 Documentation required for design review 1.2.6, is to identify the allocation of functions between modules of the integrated system, and any common data communication protocols or interface standards required to support these functions.

2.14.4 Reversionary modes of operation are to be provided to ensure safe and graceful degradation in the event of one or more failures. In general, the integrated system is to be arranged such that the failure of one part will not affect the functionality of other parts, except those that require data from the failed part.

2.14.5 Where the integration involves control functions for essential services or safety functions, including fire, passenger, crew and craft safety, a Failure Mode and Effects Analysis (FMEA) is to be carried out in accordance with IEC 60812: Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA), or an equivalent and acceptable National or International Standard and the report and worksheets submitted for consideration. The FMEA is to demonstrate that the integrated system will 'fail-safe', see Pt 16, Ch 1, 2.4 Safety systems, general requirements 2.4.5 and Pt 16, Ch 1, 2.5 Control systems 2.5.4, and that essential services in operation will not be lost or degraded beyond acceptable performance criteria where specified by these Rules.

2.14.6 The quantity and quality of information presented to the operator are to be managed to assist situational awareness in all operating conditions. Excessive or ambiguous information that may adversely affect the operator's ability to reason or act correctly is to be avoided, but information needed for corrective or emergency actions is not to be suppressed or obscured in satisfying this requirement.

2.14.7 Where information is required by the Rules or by National Administration requirements to be continuously displayed, the system configuration is to be such that the information may be viewed without manual intervention, e.g. the selection of a particular screen page or mode of operation. See also Pt 16, Ch 1, 2.10 Programmable electronic systems – General requirements 2.10.18 and Pt 16, Ch 1, 2.10 Programmable electronic systems – General requirements 2.10.19.


Copyright 2022 Clasifications Register Group Limited, International Maritime Organization, International Labour Organization or Maritime and Coastguard Agency. All rights reserved. Clasifications Register Group Limited, its affiliates and subsidiaries and their respective officers, employees or agents are, individually and collectively, referred to in this clause as 'Clasifications Register'. Clasifications Register assumes no responsibility and shall not be liable to any person for any loss, damage or expense caused by reliance on the information or advice in this document or howsoever provided, unless that person has signed a contract with the relevant Clasifications Register entity for the provision of this information or advice and in that case any responsibility or liability is exclusively on the terms and conditions set out in that contract.