Control and Monitoring Systems: Ships / High Speed, Light Craft and Naval Surface Craft

RULES FOR

CLASSIFICATION OF

SHIPS / HIGH SPEED, LIGHT CRAFT AND


NAVAL SURFACE CRAFT

NEWBUILDING

MACHINERY AND SYSTEMS


MAIN CLASS

PART 4 CHAPTER 9

CONTROL AND MONITORING SYSTEMS


JANUARY 2008

CONTENTS PAGE
Sec. 1 General Requirements ................................................................................................................ 5
Sec. 2 Design Principles ..................................................................................................................... 12
Sec. 3 System Design ......................................................................................................................... 13
Sec. 4 Additional Requirements for Computer Based Systems ......................................................... 16
Sec. 5 Component Design and Installation ......................................................................................... 20
Sec. 6 User Interface .......................................................................................................................... 25

DET NORSKE VERITAS


Veritasveien 1, NO-1322 Høvik, Norway Tel.: +47 67 57 99 00 Fax: +47 67 57 99 11
CHANGES IN THE RULES

General
The present edition of the rules includes additions and amendments decided by the Board as of December 2007, and supersedes the January 2005 edition of the same chapter, including later amendments. The rule changes come into force as indicated below.
This chapter is valid until superseded by a revised chapter. Supplements will not be issued except for an updated list of minor amendments and corrections presented in Pt.0 Ch.1 Sec.3. Pt.0 Ch.1 is normally revised in January and July each year.
Revised chapters will be forwarded to all subscribers to the rules. Buyers of reprints are advised to check the updated list of rule chapters printed in Pt.0 Ch.1 Sec.1 to ensure that the chapter is current.

Main changes coming into force 1 July 2008
• General
— The requirements for interdependency between alarm, control and safety functions have been clarified.
— Requirements for user interface were made applicable only when referred to by the ICS notation. As the ICS notation is withdrawn, the user interface requirements in Sec.6 have been reduced to a level that is presumed to be feasible to verify, and the requirements are made mandatory. Further, the separate paragraphs related to user interface in Sec.4 have been moved to Sec.6 and aligned with the revised user interface requirements.
— The requirements for control system networks and network components have been strengthened, and a separate set of rules for wireless communication has been added.
— A list of all systems that are subject to certification has been added as a Guidance note in the relevant paragraph.
— The documentation requirement for FMEA has been changed from "Information" to "Approval".
— The general requirement related to emergency/back-up functions has been strengthened.

Corrections and Clarifications
In addition to the above stated rule requirements, a number of corrections and clarifications have been made in the existing rule text.

Comments to the rules may be sent by e-mail to [email protected]


For subscription orders or information about subscription terms, please use [email protected]
Comprehensive information about DNV and the Society's services is found at the Web site http://www.dnv.com
© Det Norske Veritas
Computer Typesetting (FM+SGML) by Det Norske Veritas
Printed in Norway

If any person suffers loss or damage which is proved to have been caused by any negligent act or omission of Det Norske Veritas, then Det Norske Veritas shall pay compensation to such person
for his proved direct loss or damage. However, the compensation shall not exceed an amount equal to ten times the fee charged for the service in question, provided that the maximum compen-
sation shall never exceed USD 2 million.
In this provision "Det Norske Veritas" shall mean the Foundation Det Norske Veritas as well as all its subsidiaries, directors, officers, employees, agents and any other acting on behalf of Det
Norske Veritas.
Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2008
Pt.4 Ch.9 Contents – Page 3

CONTENTS

SEC. 1 GENERAL REQUIREMENTS .......... 5
A. Classification .......... 5
A 100 Rule applications .......... 5
A 200 Classification principles .......... 5
A 300 Alterations and additions .......... 5
A 400 Assumptions .......... 6
B. Definitions .......... 6
B 100 General terms .......... 6
B 200 Terms related to computer based system .......... 7
C. Documentation .......... 7
C 100 General .......... 7
C 200 Type approved products .......... 10
C 300 Plans and particulars .......... 10
D. Tests .......... 11
D 100 General .......... 11
D 200 Software module testing .......... 11
D 300 Integration testing .......... 11
D 400 System testing .......... 11
D 500 On-board testing .......... 11

SEC. 2 DESIGN PRINCIPLES .......... 12
A. System Configuration .......... 12
A 100 General .......... 12
A 200 Field instrumentation .......... 12
A 300 System .......... 12
A 400 Integrated system .......... 12
B. Response to Failures .......... 12
B 100 Failure detection .......... 12
B 200 System response .......... 12

SEC. 3 SYSTEM DESIGN .......... 13
A. System Elements .......... 13
A 100 General .......... 13
A 200 Automatic control .......... 13
A 300 Remote control .......... 13
A 400 Protective safety system .......... 13
A 500 Alarms .......... 14
A 600 Indication .......... 14
A 700 Planning and reporting .......... 14
A 800 Calculation, simulation and decision support .......... 15
B. General Requirements .......... 15
B 100 System operation and maintenance .......... 15
B 200 Electrical power distribution .......... 15

SEC. 4 ADDITIONAL REQUIREMENTS FOR COMPUTER BASED SYSTEMS .......... 16
A. General Requirements .......... 16
A 100 Assignment of responsibility when installing integrated systems .......... 16
A 200 System dependency .......... 16
A 300 Storage devices .......... 16
A 400 Computer usage .......... 16
A 500 System response and capacity .......... 16
A 600 Temperature control .......... 16
A 700 System maintenance .......... 16
A 800 System access .......... 16
B. System Software .......... 17
B 100 Software requirements .......... 17
B 200 Software development .......... 17
C. Control System Networks and Data Communication Links .......... 17
C 100 General .......... 17
C 200 Network analysis .......... 18
C 300 Network test and verification .......... 18
C 400 Network documentation requirements .......... 18
C 500 Wireless communication .......... 19
C 600 Documentation of wireless communication .......... 19

SEC. 5 COMPONENT DESIGN AND INSTALLATION .......... 20
A. General .......... 20
A 100 Environmental strains .......... 20
A 200 Materials .......... 20
A 300 Component design and installation .......... 20
A 400 Maintenance, checking .......... 20
A 500 Marking .......... 20
A 600 Standardising .......... 20
B. Environmental Conditions, Instrumentation .......... 20
B 100 General .......... 20
B 200 Electric power supply .......... 21
B 300 Pneumatic and hydraulic power supply .......... 21
B 400 Temperature .......... 21
B 500 Humidity .......... 21
B 600 Salt contamination .......... 21
B 700 Oil contamination .......... 21
B 800 Vibrations .......... 21
B 900 Inclination .......... 22
B 1000 Electromagnetic compatibility .......... 22
B 1100 Miscellaneous .......... 23
C. Electrical and Electronic Equipment .......... 23
C 100 General .......... 23
C 200 Mechanical design, installation .......... 23
C 300 Protection provided by enclosure .......... 23
C 400 Cables and wires .......... 23
C 500 Cable installation .......... 23
C 600 Power supply .......... 23
C 700 Fibre optic equipment .......... 23

SEC. 6 USER INTERFACE .......... 25
A. General .......... 25
A 100 Application .......... 25
A 200 Introduction .......... 25
B. Workstation Design and Arrangement .......... 25
B 100 Location of visual display units and user input devices .......... 25
C. User Input Device and Display Unit Design .......... 25
C 100 User input devices .......... 25
C 200 Visual display units .......... 25
C 300 Colours .......... 25
C 400 Requirements for preservation of night vision (UIDs and VDUs for installation on the navigating bridge) .......... 25
D. Screen Based Systems .......... 26
D 100 General .......... 26
D 200 Illumination .......... 26
D 300 Colour screens .......... 26
D 400 Computer dialogue .......... 26
D 500 Application screen views .......... 26

SECTION 1
GENERAL REQUIREMENTS

A. Classification

A 100 Rule applications
101 The requirements of this chapter shall apply to all control and monitoring systems required by the rules.
Guidance note:
Additional requirements for specific applications will be given under rules governing those applications.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
102 All control and monitoring systems installed, but not necessarily required by the rules, that may have an impact on the safety of main functions (listed in Pt.1 Ch.1 Sec.1 A200 of the Rules for Classification of Ships), shall meet the requirements of this chapter.

A 200 Classification principles
201 Classification of control and monitoring systems shall generally be according to the following principles:
— plan approval
— certification of major units of equipment associated with essential and important control and monitoring systems
— on-board inspection (visual inspection and functional testing).
Guidance note:
The plan approval normally includes case-by-case document assessment of each delivery, alternatively partly covered by type approval as specified in Standards for Certification 1.2 and 2.4.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
202 Major units of equipment associated with essential and important control and monitoring systems, as specified in the rules, shall be provided with a product certificate unless exemption is given in a DNV issued Type Approval Certificate or the logic is simple and the failure mechanisms are easily understood.
The certification procedure normally consists of:
— assessment of certain manufacturer documentation
— visual inspection
— verification of performance according to functional requirements based on approved test programs
— verification of failure mode behaviour
— verification of implementation software quality plan covering life cycle activities, if applicable
— issue certificate.
Other control and monitoring systems, which when found to have an effect on the safety of the ship may be required to be certified.
Guidance note:
Control and monitoring systems for the following systems shall be certified unless the above mentioned exemptions apply (in general, the certification requirements are given in the relevant application rule section, this list is for guidance only):
1A1
Pt.3 Ch.3: water tight doors, side and stern doors
Pt.4 Ch.1: remote control of essential machinery, bridge control of propulsion machinery, local fire extinguishing
Pt.4 Ch.3: diesel engines, electronic engine management, steam turbines, gas turbines
Pt.4 Ch.5: propellers, water jets, propulsion thrusters, dynamic positioning thrusters
Pt.4 Ch.7: boilers, thermal-oil installations, incinerators, oil fired water heaters,
Pt.4 Ch.8: power management
Pt.4 Ch.9: main alarm system, integrated control and monitoring systems
Pt.4 Ch.14: steering gears
Ferries
Pt.5 Ch.2: bow doors monitoring
Oil Carriers
Pt.5 Ch.3: cargo tank level measurement, cargo tank overflow protection, cargo valves and pumps, flammable gas detection (permanent system only), inert gas, offshore loading and unloading
Chemical carriers
Pt.5 Ch.4: cargo tank level, cargo tank overflow protection, cargo valves and pumps, flammable gas detection (permanent system only), inert gas
Liquefied Gas Carriers
Pt.5 Ch.5: cargo tank level measurement, cargo tank overflow protection, cargo valves and pumps, flammable gas detection (permanent system only), inert gas, cargo and vapour pressure, oxygen indication equipment (permanent system only)
Well Stimulation Vessels
Pt.5 Ch.7: cargo tank level measurement, cargo tank overflow protection, emergency shut-down
Offshore Service Vessels for Transportation of Low Flashpoint Liquids
Pt.5 Ch.7: cargo tank level measurement
Slop Reception and Processing Facilities
Pt.5 Ch.10: oil separating, fire detection, inert gas
Ships for Carriage of Refrigerated Cargoes and Containers
Pt.5 Ch.10: cargo hold temperature
Dynamic Positioning systems
Pt.6 Ch.7: dynamic positioning, independent joystick with auto heading
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
203 The following control and monitoring systems are subject to certification, if installed, in addition to those specified in other sections:
— main alarm system
— integrated control and monitoring system.

A 300 Alterations and additions
301 Manufacturers or system suppliers shall maintain a system to track changes as a result of defects being detected in hardware and software, and inform users of the need for modification in the event of detecting a defect.
302 When an alteration or addition to the approved system(s) is proposed, plans shall be submitted for approval. The alterations or additions shall be carried out under survey, and the installation and testing shall be to the surveyor's satisfaction.
303 Details of proposed hardware and software modifications shall be submitted for evaluation. Where the modification may affect compliance with the rules, proposals for verification and validation shall also be submitted.
304 Software versions shall be identifiable as required in Sec.4.
305 If remote software maintenance is arranged for onboard, the installation of new software versions submitted from software suppliers requires the below items and/or actions to be fulfilled:


a) no modification shall be possible without the acceptance and acknowledgement by the ship's responsible
b) the objective or reason for updating a software module shall be documented in the ship's systems/software maintenance log
c) any revision which may affect compliance with the rules shall be approved by the society and evidence of such shall be available onboard
d) an installation procedure and required pre-requisites for installation of the software module shall be available
e) the security of the installation process and integrity of the new software shall be verified (especially when software has been transferred using open lines like the Internet)
f) a test program for verification of correct installation and correct functioning of the functions shall be available
g) in the case that the new software module has not been successfully installed, the previous version of the system shall be available for re-installation and re-testing.

A 400 Assumptions
401 The rules of this chapter are based on the assumptions that the personnel using the equipment to be installed on board are familiar with the use of, and able to operate this equipment.

B. Definitions

B 100 General terms
101 Alarm is for warning of an abnormal condition and is a combined visual and audible signal, where the audible part calls the attention of personnel, and the visual part serves to identify the abnormal condition.
102 Emergency alarms. Alarms which indicate that immediate danger to human life or to the ship and its machinery exists and that immediate action must be taken. The following are classified as emergency alarms:
.1 General emergency alarm. An alarm given in the case of an emergency to all persons on board summoning passengers and crew to muster stations.
.2 Fire alarm. An alarm to summon the crew in the case of fire.
.3 Those alarms giving warning of immediate personnel hazard, including:
.3.1 Fire-extinguishing medium alarm. An alarm warning of the imminent release of fire-extinguishing medium into a space.
.3.2 Power-operated sliding watertight door closing alarm. An alarm required by SOLAS Ch. II-1/15.9.1, or SOLAS Ch. II-1/15.7.1.6 for ships constructed on or after 1 February 1992, warning of the closing of a power-operated sliding watertight door.
.4 For special ships (e.g. high-speed craft), additional alarms may be classified as emergency alarms in addition to the ones defined above.
103 Primary alarms. Alarms which indicate a condition that requires prompt attention to prevent an emergency condition. The following are classified as primary alarms:
.1 Machinery alarm. An alarm which indicates a malfunction or other abnormal condition of the machinery and electrical installation.
.2 Steering gear alarm. An alarm which indicates a malfunction or other abnormal condition of the steering gear system, i.e. overload alarm, phase failure alarm, no-voltage alarm, and hydraulic oil tank low-level alarm.
.3 Control system fault alarm. An alarm which indicates a failure of an automatic or remote control system, e.g., the navigating bridge propulsion control failure alarm.
.4 Bilge alarm. An alarm which indicates an abnormally high level of bilge water.
.5 Engineers' alarm. An alarm to be operated from the engine control room or at the manoeuvring platform, as appropriate, to alert personnel in the engineers' accommodation that assistance is needed in the engine-room.
.6 Personnel alarm. An alarm to confirm the safety of the engineer on duty when alone in the machinery spaces.
.7 Fire detection alarm. An alarm to alert the crew on the navigating bridge, at the fire control station or elsewhere that a fire has been detected.
.8 Alarms indicating faults in emergency or primary alarm or detection systems or failure of their power supplies.
.9 Cargo alarm. An alarm which indicates abnormal conditions originating in cargo, or in systems for the preservation or safety of cargo.
.10 Gas detection alarm. An alarm which indicates that gas has been detected.
.11 Power-operated watertight door fault alarms. Alarms which indicate low level in hydraulic fluid reservoir, low gas pressure or loss of stored energy in hydraulic accumulators, and loss of electrical power supply for power-operated sliding watertight doors.
.12 For special ships (e.g. high-speed craft), additional alarms may be classified as primary alarms in addition to the ones defined above.
104 A control and monitoring system includes all components necessary for control and monitoring, including sensors and actuators. In this chapter, system is short for control and monitoring system. A system includes all resources required, including:
— the field instrumentation of one or more process segments
— all necessary resources needed to maintain the function including system monitoring and adequate self-check
— all user interfaces.
105 An essential control and monitoring system (hereafter called essential system) is a system supporting services which needs to be in continuous operation for maintaining the vessel's propulsion and steering. Examples of services are given in Ch.8 Sec.13. Additional class notations may extend the term essential services. Such extensions, if any, can be found in the relevant rule chapters.
Guidance note:
The objective for an essential function is that it should be in continuous operation. However the rules do not in all respects fulfil this objective as single failures may lead to unavailability of a function.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
106 An important control and monitoring system (hereafter called important system) is a system supporting services which need not necessarily be in continuous operation for maintaining the vessel's manoeuvrability, but which are necessary for maintaining the vessel's functions as defined in Pt.1 Ch.1 Sec.1 A200 of the Rules for Classification of Ships, or other relevant parts of the rules. Additional class notations may extend the term important services. Such extensions, if any, can be found in the relevant rule chapters.
107 Non-important control and monitoring systems (hereafter called non-important systems) are systems supporting functions for which the Society has no requirements according to relevant definitions in the rules.
108 Field instrumentation comprises all instrumentation that forms an integral part of a process segment to maintain a function.
The field instrumentation includes:


— sensors, actuators, local control loops and related local processing as required to maintain local control and monitoring of the process segment
— user interface for manual operation (when required).
Other equipment items do not, whether they are implemented locally or remotely, belong to the field instrumentation. This applies to data communication and facilities for data acquisition and pre-processing of information utilised by remote systems.
109 A process segment is a collection of mechanical equipment with its related field instrumentation, e.g. a machinery or a piping system.
Process segments belonging to essential systems are referred to as essential.
110 An integrated system is a combination of computer based systems which are interconnected in order to allow common access to sensor information and/or command and control.
111 Operator station in an integrated system is a unit consisting of a user interface, i.e. UIDs and VDU, and interface controller(s).
112 User is any human being that will use a system or device, e.g. captain, navigator, engineer, radio operator, stockkeeper, etc.
113 Workstation is a work place at which one or several tasks constituting a particular activity are carried out and which provides the information and equipment required for safe performance of the tasks.
114 Equipment under control (EUC) is the mechanical equipment (machinery, pumps, valves, etc.) or environment (smoke, fire, waves, etc.) monitored and/or controlled by a control and monitoring system.
115 Independent systems: see Sec.2 A201.
116 Redundancy is defined as two mutually independent systems that can maintain a function.
117 Remote control systems comprise all equipment necessary to operate units from a control position where the operator cannot directly observe the effect of his actions.
(HSC Code 11.1.1)
118 Back-up control systems comprise all equipment necessary to maintain control of essential functions required for the craft's safe operation when the main control systems have failed or malfunctioned.
(HSC Code 11.1.2)
119 Monitoring includes indication, alarming and/or protective safety functions.
Guidance note:
Which of these elements a particular system contains depends upon the rule requirements for the application.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
120 A protective safety system is a system that is activated on occurrence of predefined abnormal process equipment states. The protective safety actions may e.g. be:
— safety shut-down to stop or idle speed
— restoration to normal conditions
— reduction of power output (load)
dependent upon the specific application requirement. The safety action may be automatic or manual.

B 200 Terms related to computer based system
201 Visual display unit (VDU) is normally a computer monitor, but may also be any area where information is displayed including indicator lamps or panels, instruments, mimic diagrams, light emitting diode (LED) display, cathode ray tube (CRT), and liquid crystal display (LCD).
202 User input device (UID) is any device from which a user may issue an input including handles, buttons, switches, keyboard, joystick, pointing device, voice sensor and other control actuators.
203 A software module is an assembly of code and data with a defined set of input and output, intended to accomplish a function and where verification of intended operation is possible through documentation and tests.
204 Basic software is the software necessary for the hardware to support the application software.
Guidance note:
Basic software normally includes the operating system and additional general software necessary to support the general application software and project application software.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
205 Application software is computer software performing general tasks related to the EUC being controlled or monitored, rather than to the functioning of the computer itself.
206 SW manufacturer is a manufacturer of equipment/systems in which programmable electronic systems are a component in the delivery.
207 A computer task is, in a multiprocessing environment, one or more sequences of instructions treated by a control program as an element of work to be accomplished by a computer.
208 Data communication links includes point to point links, instrument net and local area networks, normally used for inter-computer communication. A data communication link includes all software and hardware necessary to support the data communication.
Guidance note:
For local area networks, this includes network controllers, network transducers, the cables and the network software on all nodes.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
209 A node in a network is a processing location and can be a computer or other device, such as a printer. Every node has a unique network address.

C. Documentation

C 100 General
101 Overview documentation as listed in Table C1 is required submitted prior to commencement of approval work, applicable for ships with integrated systems installed.
Guidance note:
Typically submitted by yard based upon their detailed specification.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
102 For document assessment, documentation listed in Table C2 is required submitted in order to adequately describe control and monitoring systems.
103 For a system subject to certification, documentation listed in Table C3 shall be available for the surveyor at testing at the manufacturer.
104 For on-board inspection, documentation listed in Table C4 is required submitted to survey station.
105 For control and monitoring systems subject to approval an operation manual (Z160) and a maintenance manual (Z180) are to be kept onboard.
106 The documentation shall be limited to describe and explain the relevant aspects governed by the rule requirements.

DET NORSKE VERITAS


Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2008
Pt.4 Ch.9 Sec.1 – Page 8

Guidance note: 107 Symbols used shall be explained, or reference to a stand-


Documentation for a specific control and monitoring system ard code given.
should be complete (as required in Table C2) in one submittal.
108 The documentation type number together with identifi-
A document may cover more than one instrumented system. A cation of the control and monitoring system can be used as a
document may cover more than one documentation type. unique identifier for the document. The "T" indicates that the
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- documentation type is required also for control and monitoring
systems where type approved components or software mod-
Guidance note: ules are used.
Typically submitted by manufacturers based upon their project
specific specification.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Table C1 Documentation required submitted prior to commencing approval work
(typically submitted by yard based upon their detailed specification, applicable for ships with integrated systems installed)

Documentation type: System philosophy (I010) (T)
Information element:
— the tasks allocated to each sub-system, divided between system tasks and manual tasks, including emergency recovery tasks
— principles that will be used in the technical implementation of each system
Purpose: Information
Where to: Approval centre

Documentation type: General arrangement for the ship
Information element: General ship information
Purpose: Information
Where to: Approval centre

Documentation type: General arrangement for the main engine room
Information element: Main equipment layout
Purpose: Information
Where to: Approval centre

Documentation type: Specification of main electro/mechanical equipment
Information element:
Electric power generation.
Main propulsion line(s) with machinery and essential auxiliaries.
Miscellaneous machinery or equipment (where control and monitoring systems are specified by other sections of the rules).
The following shall be specified:
— manufacturer and type
— rating
— number of
— purpose
Purpose: Information
Where to: Approval centre
Table C2 Documentation required for document assessment
(typically submitted by manufacturers based upon their project specific specification)

Documentation type: Functional description (system requirement specification) (I020) (T)
Information element:
— clear text description of the system configuration
— clear text description of scope of supply and what is controlled and monitored and how
— clear text description of safe state(s) for each function implemented
— clear text description of switching mechanisms for systems designed with redundancy R0
— P&I/hydraulic/pneumatic diagrams if relevant.
Purpose: Approval

Documentation type: System block diagrams (I030) (T)
Information element:
— a diagram showing connections between all main components (units, modules) of the system and interfaces with other systems.
Purpose: Approval

Documentation type: User interface documentation (I040)
Information element:
— a description of the functions allocated to each work and operator station
— a description of transfer of responsibility between work and operator stations.
Purpose: Approval

Documentation type: Power supply arrangement (I050) (T)
Information element:
— electrical supply: diagram showing connection to distribution board(s), batteries, converters or UPS.
Purpose: Approval

Documentation type: Functional failure analysis, for essential systems and important closed loop control systems (Z070) (T)
Information element:
The purpose shall ensure that for single failures, essential systems will fail to safety and that systems in operation will not be lost or degraded beyond acceptable performance criteria when specified by the rules.
The following aspects shall be covered:
— a description of the boundaries of the system including power supply, preferably by a block diagram
— a list of items which are subject to assessment with a specification of probable failure modes for each item, with references to the system documentation
— a description of the system response to each of the above failure modes identified
— a comment to the consequence of each of these failures.
Purpose: Approval
Table C2 Documentation required for document assessment (Continued)
(typically submitted by manufacturers based upon their project specific specification)

Documentation type: Failure mode and effect analysis (FMEA) (Z071) (T), where specifically required by DNV Rules
Information element:
A failure modes and effect analysis (FMEA) shall be carried out for the entire system. The FMEA shall be sufficiently detailed to cover all the system's major components and shall include but not be limited to the following information:
— a description of all the system's major components and a functional block diagram showing their interaction with each other
— all significant failure modes
— the most predictable cause associated with each failure mode
— the transient effect of each failure on the vessel's position
— the method of detecting that the failure has occurred
— the effect of the failure upon the rest of the system's ability to maintain station
— an analysis of possible common failure modes.
Where parts of the system are identified as non-redundant and where redundancy is not possible, these parts shall be further studied with consideration given to their reliability and mechanical protection. The results of this further study shall be submitted for review.
Purpose: Approval

Documentation type: List of control & monitored points (I110) (T)
Information element:
A list and/or index identifying all input and output signals to the system as required in the rules, containing at least the following information:
— service description
— instrument tag-number
— system (control, safety, alarm, indication)
— type of signal (digital/analogue input/output).
Purpose: Approval

Documentation type: Circuit diagrams (I150)
Information element:
— for essential hardwired circuits (for emergency stop, shutdown, interlocking, etc.) details of input and output devices and power source for each circuit.
Purpose: Approval

Documentation type: Test program for testing at the manufacturer (Z120) (T)
Information element:
Description of test configuration and test simulation methods.
Based upon the functional description, each test shall be described specifying:
— initial condition
— how to perform the test
— what to observe during the test and acceptance criteria for each test.
The tests shall cover all normal modes as well as failure modes identified in the functional failure analysis, including power and communication failures.
Purpose: Approval

Documentation type: Data sheets with environmental specifications (I080)
Information element:
— environmental conditions stipulated in Sec.5 for temperature, vibration, humidity, enclosure and EMC.
Purpose: Information
Table C3 Documentation required available for the testing at the manufacturer

Documentation type: Software quality plan, based upon life cycle activities (I140)
Information element:
The software life cycle activities shall as a minimum contain procedures for:
— software requirements specification
— parameter data requirements
— software function test
— parameter data test
— validation testing
— system project files stored at the manufacturer
— software change handling and revision control.
Purpose: Available for information at testing at the manufacturer.

Documentation type: Operation manual (Z160)
Information element:
A document intended for regular use on board, providing information as applicable about:
— operational mode for normal system performance, related to normal and abnormal performance of the EUC
— operating instructions for normal and degraded operating modes
— details of the user interface
— transfer of control
— redundancy
— test facilities
— failure detection and identification facilities (automatic and manual)
— data security
— access restrictions
— special areas requiring user attention
— procedures for start-up
— procedures for restoration of functions
— procedures for data back-up
— procedures for software re-load and system regeneration.
Purpose: Available for information at testing at the manufacturer.

Documentation type: Installation manual (Z170)
Information element: A document providing information about the installation procedures.
Purpose: Available for information at testing at the manufacturer.

Documentation type: Maintenance manual (Z180)
Information element:
A document intended for regular use on board providing information about:
— maintenance and periodical testing
— acceptance criteria
— fault identification and repair
— list of the suppliers' service net
— ship's systems' software maintenance log.
Purpose: Available for information at testing at the manufacturer.

Documentation type: Test program for dock and sea trials (Z140)
Information element:
— initial condition
— what to test
— how to perform the test
— acceptance criteria for the test.
Purpose: Approval
Table C4 Documentation required for on-board inspection

Documentation type: Test program for dock and sea trials (Z140)
Information element:
— initial condition
— what to test
— how to perform the test
— acceptance criteria for the test.
Purpose: Approval
C 200 Type approved products
201 For type approved components or software modules, reference shall be made to the type approval certificate number, the manufacturer's name and product type identification.
Guidance note:
Documentation that has been approved during the type approval process should not be submitted, unless it has been revised or when asked for in the certificate.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
202 For systems where type approved components or software modules are incorporated, only the documentation types marked with "T" in 100 shall be submitted. However, documentation types not marked with "T" may also be submitted if their contents vary for different deliveries of the component or software module.
203 For type approved systems, where different options exist for the configuration, the type approval certificate shall be completed with information about the components and software modules that are incorporated.
C 300 Plans and particulars
301 Plans for control and monitoring of the following systems shall be submitted when mandatory and/or installed, as applicable, found in the respective parts of the rules.
The following shall in addition be documented, if installed:
— main alarm system
— integrated control and monitoring system.
Guidance note:
List taken from respective parts of the rules, except Pt.6:
Pt.3 Ch.3: Water tight doors, side and stern doors, water leakage monitoring. (Rules for Classification of Ships)
Pt.4 Ch.1: Essential machinery, remote control, propulsion machinery, bridge control, engineers' alarm. (Rules for Classification of Ships)
Pt.4 Ch.3: Main and auxiliary engines, gas turbines, steam turbines.
Pt.4 Ch.4: Shafting, clutches/elastic couplings.
Pt.4 Ch.5: Propeller/water jets, thrusters.
Pt.4 Ch.6: Valves and pumps, remote control. (Rules for Classification of Ships)
Pt.4 Ch.7: Boilers, thermal-oil installations, incinerators, oil fired water heaters.
Pt.4 Ch.8: Power management system.
Pt.4 Ch.9: Main alarm system, integrated control and monitoring system.
Pt.4 Ch.14: Steering gear.
Pt.5 Ch.2: Bow doors monitoring, fire doors, water ingress detection system, ventilation, container refrigerating. (Rules for Classification of Ships)
Pt.5 Ch.3: Cargo and vapour temperature, cargo tank level, cargo tank overflow protection, cargo valves and pumps, flammable gas detection system (permanent system only), inert gas, offshore loading and unloading, oil discharge. (Rules for Classification of Ships)
Pt.5 Ch.4: Cargo tank oil/water interface detection, cargo and vapour temperature, cargo tank level, cargo tank overflow protection, cargo valves and pumps, flammable gas detection system (permanent system only), inert gas. (Rules for Classification of Ships)
Pt.5 Ch.5: Cargo and vapour temperature, cargo tank level, cargo tank overflow protection, cargo valves and pumps, cargo and vapour pressure, emergency shut-down system, flammable gas detection system (permanent system only), inert gas, oxygen indication equipment (permanent system only). (Rules for Classification of Ships)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

D. Tests
D 100 General
101 All tests shall be according to test programs approved by the Society.
102 Tests in the presence of a DNV surveyor according to 200, 300 and 400 shall be performed at the manufacturer's works.
103 The following shall be evaluated during testing of computer based systems:
— tools for system set-up and configuration of the EUC
— implementation of software quality plan, see also Sec.4 B200.
104 The tests and visual examinations shall verify that all relevant rule requirements are met. The tests are only to cover requirements given by these rules. The test programs shall specify in detail how the various functions shall be tested and what shall be observed during the tests.
105 Failures shall be simulated as realistically as possible, preferably by letting the monitored parameters exceed the alarm and protective safety limits. Alarm and protective safety limits shall be checked.
106 It shall be verified that all automatic control functions are working satisfactorily during normal load changes.
D 200 Software module testing
201 Documentation of compliance with software module testing according to requirements for software quality plan as described in Sec.4 B200 shall be available in connection with survey at the manufacturer's works.
D 300 Integration testing
301 Integration tests include integration of hardware components into hardware units and integration of software modules in the same hardware unit.
302 Integration tests shall be done with the actual software and hardware to be used on board and shall include:
a) Hardware tests
— hardware failures.
b) Basic software tests
— basic software failures.
c) Application software tests.
d) Function tests of normal system operation and normal EUC performance, in accordance with the rules. Function tests are also to include a degree of performance testing outside of the normal operating parameters.
e) User interface tests.
Guidance note:
The tests may be done on a representative test system if the computer hardware is type approved.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
D 400 System testing
401 System tests shall include the entire system, integrating all units. The tests may also include several systems.
402 System tests shall be done with the software installed on the actual systems to be used on board, interconnected to demonstrate the functions of the systems with several units and/or the functions of several systems.
Guidance note:
The tests may be done on a representative test system if the computer hardware is type approved.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
403 The tests shall include those tests which were not or could not be completed on unit level.
D 500 On-board testing
501 The tests shall include:
a) During installation, the correct function of individual equipment packages, together with establishment of correct parameters for alarm, control and protective safety (time constants, set points, etc.).
b) During installation and sea trials, the correct function of systems and integration of systems, including the ability of the control systems to keep any EUC within the specified tolerances.
c) The correct protection and capacity of power supplies.
d) Back-up and emergency control functions for essential vessel systems.
502 The tests shall demonstrate that the essential vessel functions are operable on the available back-up means of control as required in the relevant application rules, and in a situation where the main control system is disabled as far as is practical.
503 The test program for harbour and sea trials shall be approved by the local DNV station.
SECTION 2
DESIGN PRINCIPLES

A. System Configuration
A 100 General
101 Essential and important systems shall be so arranged that a single failure in one system or one unit cannot spread to another unit.
102 Failure of any remote or automatic control systems shall initiate an audible and visual alarm and shall not prevent normal manual control.
A 200 Field instrumentation
201 The field instrumentation belonging to separate essential process segments shall be mutually independent.
Guidance note:
System B is independent of system A when any single system failure occurring in system A has no effect on the maintained operation of system B. A single system failure occurring in system B may have an effect on the maintained operation of system A.
Two systems are mutually independent when a single system failure occurring in either of the systems has no consequences for the maintained operation of the other system according to above.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
202 When the field instrumentation of a process segment is common for several control and monitoring systems, and any of these systems are essential, failures in any of these control and monitoring systems shall not affect this field instrumentation.
203 When manual emergency operation of an essential process segment is required, separate and independent field instrumentation is required for the manual emergency operation.
204 Electronic governors shall have their power supply independent of other consumers and arranged with redundancy type R0. Governors for engines, other than those driving electrical generators, which keep the last position upon power failure, are regarded as fulfilling the redundancy type R0. Speed sensor cabling shall be mechanically well protected.
Guidance note:
Electrical and electronic fuel injectors should be designed to permit the necessary functionality, in case of the most probable failures.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
A 300 System
301 For an essential system having more than one process segment, failure in the field instrumentation of one process segment shall not result in failure for the remaining parts of the system.
A 400 Integrated system
401 Control shall only be available on workstations from where control is intended and access shall be provided via a command transfer system.
402 At least two operator stations shall be available at the main work station ensuring that all functions that may need simultaneous attention are available.

B. Response to Failures
B 100 Failure detection
101 Essential and important systems shall have facilities to detect the most probable failures that may cause reduced or erroneous system performance.
Failures detected shall initiate alarms.
102 The self-check facilities shall cover at least, but not limited to, the following failure types:
— power failures.
Additionally for essential systems,
— loop failures, both command and feedback loops (normally short circuit and broken connections)
— earth faults.
Additionally for computer based systems,
— communication errors
— computer hardware failures
— see also Sec.4.
B 200 System response
201 The most probable failures, e.g. loss of power or wire failure, shall result in the least critical of any possible new conditions.
Guidance note:
Total loss of power to any single control system should not result in loss of propulsion or steering.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
SECTION 3
SYSTEM DESIGN

A. System Elements
A 100 General
101 A system consists of one or several system elements where each system element serves a specific function.
102 System elements belong to the following categories:
— automatic control
— remote control
— alarm
— protective safety
— indications
— planning and reporting
— calculation, simulation and decision support.
103 Whenever automatic shutdown or other protective safety functions are required in the application rules, such functions shall be implemented in system units that are mutually independent of the control and alarm systems related to the same Equipment Under Control (EUC). For an EUC where the protective safety system is independent, control and alarm functions may be implemented in common system units.
When the application rules only require control and alarm functions for an EUC, these functions shall be implemented either in mutually independent system units or, alternatively, in common system units if the system is redundant.
A redundant system shall, upon failure, have sufficient self-diagnostics to effectively ensure transfer of active execution to the standby unit.
Exceptions from these general principles may be given if specified in the application rules for the EUC.
Guidance note:
The independency requirement does not intend to prevent the different control, alarm and safety system units from communicating status information over e.g. a network, but each unit shall be able to perform its main functions autonomously, and not be dependent on the other control system units.
Redundancy in system design is in general not accepted as an alternative way to meet the requirement for independency between systems.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
A 200 Automatic control
201 Automatic control shall keep process equipment variables within the limits specified for the process equipment (e.g. the machinery) during normal working conditions.
202 The automatic control shall be stable over the entire control range. The margin of stability shall be sufficient to ensure that variations in the parameters of the controlled process equipment that are expected under normal conditions will not cause instability. The automatic control system element shall be designed so as to accomplish the function it shall serve.
203 Automatic control such as automatic starting and other automatic operations shall include provisions for manually overriding the automatic controls unless designed according to Ch.1 Sec.4 A101 (Rules for Classification of Ships) or safe manual operation is not feasible. Failure of any part of such systems shall not prevent the use of the manual override.
204 In closed loop systems, feedback failures shall initiate an alarm, and the system shall enter the least critical of possible new conditions. This normally implies that the system either remains in its present state or moves, under control, to the "zero" state.
A 300 Remote control
301 At the remote work station being in command, the user shall receive continuous information on the effects of his orders.
302 One work station shall be designated as the main work station. The main work station shall be independent of other work stations.
303 When control is possible from several work stations, only one workstation shall be in control at any one time.
304 Control shall not be transferred before being acknowledged by the receiving work station, unless the work stations are located close enough to allow direct visual and audible contact. Transfer of control shall give an audible pre-warning.
305 The main work station shall be able to take control without acknowledgement, but an audible warning shall be given at the work station that relinquishes control. The action for taking control shall not be the same as the normal control action.
306 Means shall be provided to prevent significant alteration of process equipment parameters when transferring control from one location to another, or from one means or mode of operation to another. If this involves manual alignment of control levers, indicators shall show how the levers shall be set to become aligned.
307 It shall be indicated at each alternative work station when control is held.
308 Safety interlocks in different parts of the systems shall not conflict with each other.
Basic safety interlocks must be hardwired and shall be active during remote and local operation.
Guidance note:
Hardwired safety interlocks should not be overridden by programmable interlocks.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
A 400 Protective safety system
401 The protective safety system element shall be so designed that the most probable failures, e.g. loss of power supply or wire failure, result in the least critical of any possible new condition (fail to safety) taking into consideration the safety of the machinery itself as well as the safety of the vessel.
For essential systems which have a stopped unit as their fail-to-safety principle, loop monitoring according to Sec.2 B100 shall be provided and arranged such that loop failure initiates an alarm and does not stop the unit. Where loop failure monitoring is not possible, a two out of two voting system may be accepted.
402 Protective safety actions shall give alarm at predefined work stations.
403 When the protective safety system element stops a unit, the unit shall not start again automatically.
404 When a protective safety system element is made inoperative by a manual override, this shall be clearly indicated at predefined workstations.
405 When the protective safety system element has been activated, it shall be possible to trace the cause of the safety action by means of central or local indicators.
406 When two or more protective safety actions are initiated by one failure condition (e.g. start of standby pump and stop of engine at low lubricating oil pressure), these actions shall be activated at different levels, with the least drastic action activated first.
An alarm shall be activated prior to a protective safety action, except when it is regarded as not being possible due to urgency, see Ch.1 Sec.4 A407, related Guidance note (Rules for Classification of Ships).
A 500 Alarms
501 Primary and emergency alarm indicating devices shall be arranged such as to ensure attention of the responsible duty officer, e.g. machinery alarm indicating devices located in the normal working areas of the machinery space.
Guidance note 1:
Several suitably placed low volume audible signal units should be used rather than a single unit for the whole area. A combination of audible signals and rotating light signals may be of advantage.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
IMO resolution A.830 (19) regulation 3.16 requires that alarms and indicators on the navigation bridge should be kept at a minimum. Alarms and indicators not required for the navigation bridge should not be placed there unless permitted by the administration.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
502 Visual indication shall be easily distinguishable from other indications by use of colour and special representation.
Guidance note:
In view of standardising, visual alarm signals should preferably be red. Special representation may be a symbol.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
503 Audible signals used for primary and emergency alarms shall be readily distinguishable from signals indicating normal conditions, telephone signals, different alarm systems and noise.
504 Responsibility for alarms shall not be transferred before acknowledged by the receiving location. Transfer of responsibility shall give audible pre-warning. At each alternative location, it shall be indicated when in charge.
505 Presentation and acknowledgement of alarms shall only be possible at the workstation(s) dedicated to respond to the alarm.
Guidance note:
Alarm lists may be available on any workstation.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
506 Alarms shall be annunciated by visual indication and audible signal. It shall be possible to see and distinguish different statuses of the alarms, e.g. normal, active, unacknowledged, acknowledged and blocked.
Silencing and acknowledgement of alarms shall be arranged as follows:
Silencing the audible signal:
— Silencing the alarm shall cause the audible signal to cease, in addition to extinguishing any related light signals.
— The visual alarm indication shall remain unchanged.
Acknowledgement of an alarm:
— When an alarm is acknowledged the visual indication shall change. An indication shall remain if the alarm condition is still active.
— If the acknowledge alarm function is used prior to silencing of the audible signal, the acknowledgement may also silence the audible signal.
An active alarm signal shall not prevent indication of any new alarms, with related audible signal and visual indication. This requirement shall also apply for group alarms.
In case the alarms are presented on a screen, only visible alarms may be acknowledged.
507 Acknowledgement of visual signals shall be separate for each signal or common for a limited group of signals. Acknowledgement shall only be possible when the user has visual information on the alarm condition for the signal or all signals in a group.
508 The local audible signal for an alarm included in a centralised alarm handling system shall be suppressed when localised in the same workplace as the centralised alarm handling system.
509 Manual suppression of separate alarms may be accepted, when this is continuously indicated when suppressed.
510 Sufficient information shall be provided to ensure optimal alarm handling. The presence of active alarms shall be continuously indicated, and alarm text shall be easily understood.
511 The more frequent failures within the alarm system, such as broken connections to measuring elements, shall initiate alarm.
512 Interlocking of alarms shall be arranged so that the most probable failures in the interlocking system, e.g. broken connection in external wiring, do not prevent alarms.
513 Inhibiting of alarm and protective safety functions in certain operating modes (e.g. during start-up) shall be automatically disabled in other modes.
514 It shall be possible to delay alarms to prevent false alarms due to normal transient conditions.
A 600 Indication
601 Indications sufficient to allow safe operation of essential and important functions shall be installed at all control locations from where the function can be accomplished. Alarms or pre-warnings are not considered as substitutes for indications for this purpose.
Guidance note:
It is advised that indicating and recording instruments are centralised and arranged to facilitate watch-keeping, e.g. by standardising the scales, applying mimic diagrams, etc.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
602 Adequate illumination shall be provided in the equipment or in the ship to enable identification of controls and facilitate reading of indicators at all times. Means shall be provided for dimming the output of any equipment light source which is capable of interfering with navigation.
603 Indication panels shall be provided with a lamp test function.
A 700 Planning and reporting
Guidance note:
Planning and reporting functions are used to present a user with information to plan future actions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
701 Planning and reporting system elements shall have no outputs for real-time process equipment control during planning mode.
Guidance note:
The output may however be used to set up premises for process equipment control, e.g. route plan used as input to an autopilot or load plan used as input for automatic or user assisted sequence control of the loading.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
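The command transfer rules of Sec.3 A300 (303 to 305 and 307), as an added Python example written for this page; it is not DNV's code nor any vendor's implementation. The station names, the notion of "location" standing in for direct visual and audible contact, and the signal names are constructed assumptions.

```python
"""Command transfer between work stations, illustrating Sec.3 A300 (303 to
305 and 307). Example code written for this page, not DNV's or any vendor's;
station names, locations and signal names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkStation:
    name: str
    location: str        # stations sharing a location are assumed to be within
                         # direct visual and audible contact of each other (304)
    is_main: bool = False


class CommandTransfer:
    """Tracks which station is in control and the signals given on transfer."""

    def __init__(self, stations, initial):
        self.stations = {s.name: s for s in stations}
        if sum(s.is_main for s in stations) != 1:
            raise ValueError("exactly one main work station is required (302)")
        if initial not in self.stations:
            raise ValueError("unknown initial station")
        self.in_control = initial      # 303: exactly one station at any time
        self.pending = None            # station offered control, awaiting acceptance
        self.signals = []              # (signal, station) pairs, kept for inspection

    def holds_control(self, name):
        """307: every station can show whether it currently holds control."""
        return self.in_control == name

    def offer(self, giver, taker):
        """The station in control offers control to another station (304).
        Returns "transferred", "pending" or "rejected"."""
        if not self.holds_control(giver) or taker not in self.stations or taker == giver:
            return "rejected"
        self.signals.append(("audible pre-warning", taker))
        if self.stations[taker].location == self.stations[giver].location:
            return self._switch(taker)      # direct contact: no acknowledgement needed
        self.pending = taker
        return "pending"

    def accept(self, taker):
        """The receiving station acknowledges; only then does control move (304)."""
        if self.pending is None or taker != self.pending:
            return "rejected"
        return self._switch(taker)

    def take(self, taker):
        """305: the main work station may take control without acknowledgement,
        but the relinquishing station is warned audibly. This is a dedicated
        action, deliberately separate from control_action()."""
        if taker not in self.stations or not self.stations[taker].is_main:
            return "rejected"
        if self.holds_control(taker):
            return "rejected"
        self.signals.append(("audible warning", self.in_control))
        return self._switch(taker)

    def control_action(self, station, order):
        """A normal control order (e.g. a speed setpoint). Accepted only from the
        station in control, and never transfers control (303, 305)."""
        if not self.holds_control(station):
            return None
        self.signals.append(("order", station))
        return order

    def _switch(self, new):
        self.in_control = new
        self.pending = None
        self.signals.append(("in control", new))
        return "transferred"
```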
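The staging, loop-failure, override and restart rules of Sec.3 A400 (401, 403 to 406), as an added Python example written for this page rather than taken from the rules or any vendor. The 4-20 mA transmitter, the 0-10 bar span, the lubricating-oil set points and the stage names are constructed values.

```python
"""Staged protective safety element for one EUC, illustrating Sec.3 A400
(401, 403 to 406). Example code written for this page, not DNV's or any
vendor's; the 4-20 mA live range, the 0-10 bar span and the set points are
constructed values."""
from dataclasses import dataclass

LOOP_LIVE_RANGE_MA = (3.6, 21.0)   # outside this band: broken wire or short circuit


@dataclass(frozen=True)
class Stage:
    name: str
    limit_bar: float      # acts when the pressure falls below this value
    kind: str             # "alarm" or "action"
    stops_unit: bool = False


# 406: one failure condition (low LO pressure), several responses, ordered
# least drastic first at different levels; the alarm precedes any action.
STAGES = (
    Stage("low LO pressure alarm", 2.5, "alarm"),
    Stage("start standby LO pump", 2.0, "action"),
    Stage("stop engine", 1.5, "action", stops_unit=True),
)


def milliamp_to_bar(ma, span_bar=10.0):
    """Scale a live 4-20 mA signal to pressure (constructed 0-10 bar span)."""
    return (ma - 4.0) / 16.0 * span_bar


class ProtectiveSafety:
    def __init__(self, stages=STAGES):
        self.stages = stages
        self.active = set()        # stage names currently active
        self.stopped = False       # 403: latched until a manual reset
        self.overridden = False    # 404: must be indicated while set
        self.trip_cause = None     # 405: traceable cause of the last stop
        self.log = []

    def override(self, enabled):
        self.overridden = enabled
        self.log.append("OVERRIDE " + ("ON" if enabled else "OFF"))

    def start_permitted(self):
        """403: a unit stopped by the safety system must not restart automatically."""
        return not self.stopped

    def evaluate(self, ma):
        """One scan of the transmitter. Returns the stages raised in this scan."""
        lo, hi = LOOP_LIVE_RANGE_MA
        if not lo <= ma <= hi:
            # 401: fail-to-safety is a stopped unit, so a loop failure may only
            # alarm; it must not stop the unit.
            return self._raise("loop failure: LO pressure transmitter")
        bar = milliamp_to_bar(ma)
        raised = []
        for stage in self.stages:              # least drastic first
            if bar >= stage.limit_bar or stage.name in self.active:
                continue
            if stage.kind == "action" and self.overridden:
                self.log.append(f"suppressed by override: {stage.name}")
                continue
            self.active.add(stage.name)
            raised += self._raise(stage.name)
            if stage.stops_unit and not self.stopped:
                self.stopped = True
                self.trip_cause = (f"{stage.name}: LO pressure {bar:.2f} bar"
                                   f" < {stage.limit_bar} bar")
        return raised

    def manual_reset(self, ma):
        """Operator reset; only effective once the condition has cleared."""
        lo, hi = LOOP_LIVE_RANGE_MA
        healthy = lo <= ma <= hi
        if not healthy or milliamp_to_bar(ma) < max(s.limit_bar for s in self.stages):
            return False
        self.active.clear()
        self.stopped = False
        self.log.append("manual reset")
        return True

    def _raise(self, text):
        self.log.append(text)
        return [text]
```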
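The silencing, acknowledgement, suppression and delay rules of Sec.3 A500 (506, 507, 509, 510 and 514), as an added Python example written for this page; it is not DNV's code nor any vendor's. Constructed assumptions: the tag names and delay values, the rule that acknowledging silences the audible signal only when no other unacknowledged alarm remains, and the handling of an alarm whose condition clears before it is acknowledged (kept visible as "cleared unacknowledged", a common practice the rules do not spell out).

```python
"""Alarm silencing, acknowledgement, suppression and delay, illustrating
Sec.3 A500 (506, 507, 509, 510 and 514). Example code written for this page,
not DNV's or any vendor's. Tag names, delays and the "cleared unacknowledged"
treatment are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

NORMAL = "normal"
ACTIVE_UNACK = "active unacknowledged"
ACTIVE_ACK = "active acknowledged"
CLEARED_UNACK = "cleared unacknowledged"
BLOCKED = "blocked"                       # 509: manually suppressed


@dataclass
class Alarm:
    tag: str
    text: str
    delay_s: float = 0.0                  # 514: ride through normal transients
    state: str = NORMAL
    pending_since: Optional[float] = None  # when the raw condition became true


class AlarmHandler:
    def __init__(self, alarms):
        self.alarms = {a.tag: a for a in alarms}
        self.audible = False

    def scan(self, now, raw_conditions):
        """One scan with raw conditions {tag: bool}. Returns tags newly alarmed."""
        new = []
        for tag, raw in raw_conditions.items():
            a = self.alarms[tag]
            if a.state == BLOCKED:
                continue                      # 509: suppressed, state stays visible
            if not raw:
                a.pending_since = None
            elif a.pending_since is None:
                a.pending_since = now
            alarmed = raw and (now - a.pending_since) >= a.delay_s
            if alarmed and a.state in (NORMAL, CLEARED_UNACK):
                a.state = ACTIVE_UNACK
                self.audible = True           # 506: a new alarm sounds even if
                new.append(tag)               # earlier alarms were silenced
            elif not alarmed and a.state == ACTIVE_ACK:
                a.state = NORMAL              # 506: acknowledged and cleared
            elif not alarmed and a.state == ACTIVE_UNACK:
                a.state = CLEARED_UNACK       # assumption: visible until acknowledged
        return new

    def silence(self):
        """506: silence stops the audible signal; visual indications are unchanged."""
        self.audible = False

    def acknowledge(self, tags, visible_tags):
        """506/507: acknowledge single alarms or a limited group, but only those
        the user can see on the screen. Returns the tags acknowledged."""
        done = []
        for tag in tags:
            a = self.alarms[tag]
            if tag not in visible_tags:
                continue
            if a.state == ACTIVE_UNACK:
                a.state = ACTIVE_ACK
            elif a.state == CLEARED_UNACK:
                a.state = NORMAL
            else:
                continue
            done.append(tag)
        # 506: acknowledging before silencing may also silence; assumed here to
        # apply only when no other unacknowledged alarm is still sounding
        if done and not any(x.state == ACTIVE_UNACK for x in self.alarms.values()):
            self.audible = False
        return done

    def block(self, tag, blocked):
        """509: manual suppression of a single alarm; the BLOCKED state is the
        continuous indication the rule requires while suppressed."""
        a = self.alarms[tag]
        a.state = BLOCKED if blocked else NORMAL
        a.pending_since = None

    def active_alarms(self):
        """510: the presence of active alarms must be continuously indicated."""
        return [t for t, a in self.alarms.items() if a.state not in (NORMAL, BLOCKED)]
```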

A 800 Calculation, simulation and decision support
801 Output from calculation, simulation or decision support modules shall not suppress basic information necessary to allow safe operation of essential and important functions.
Guidance note:
Output from calculation, simulation or decision support modules may be presented as additional information.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B. General Requirements
B 100 System operation and maintenance
101 Start-ups and restarts shall be possible without specialised system knowledge. On power-up and restoration after loss of power, the system shall be restored and resume operation automatically.
102 Testing of essential systems and alarm systems shall be possible during normal operation. The system shall not remain in test mode unintentionally, and an active test mode shall be clearly indicated on the operator interface.
Guidance note:
Automatic return to operation mode or alarm should be arranged.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
B 200 Electrical power distribution
201 Requirements given in Ch.8 Sec.2 A101 and H100 apply to control and monitoring systems.

SECTION 4
ADDITIONAL REQUIREMENTS FOR COMPUTER BASED SYSTEMS

A. General Requirements

A 100 Assignment of responsibility when installing integrated systems
101 There shall be one named body responsible for the integration of the total integrated system. This body shall have the necessary expertise and resources enabling a controlled integration process.
Guidance note:
The responsible body may be the yard, a major manufacturer or another competent body.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 200 System dependency
201 Where a computer based system is part of an essential function, back-up or emergency means of operation shall be provided, which to the largest extent possible shall be independent of the normal control system, with its user interface.

A 300 Storage devices
301 The on-line operation of essential functions shall not depend on the operation of rotating bulk storage devices, such as hard discs.
Guidance note:
This does not exclude the use of such storage devices for maintenance and back-up purposes.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
302 Software and data necessary to ensure satisfactory performance of essential and important functions shall normally be stored in non-volatile memory (e.g. EPROM, EEPROM or FLASH). Exception may be given for RAM with battery back-up if the following three conditions are met:

— low battery voltage results in an alarm or visual indication detectable by routine inspections
— battery can easily be replaced by crew personnel without danger of losing data
— battery failure has no influence on performance as long as normal power supply is maintained.

A 400 Computer usage
401 Computers serving essential and important functions shall only be used for purposes relevant to vessel operation.

A 500 System response and capacity
501 Systems used for control and monitoring shall provide response times compatible with the time constants of the related EUC (equipment under control).
Guidance note:
The following response times are applicable for typical EUC on vessels:

Data sampling for automatic control purposes (fast changing parameters): 0.1 s
Data sampling, indications for analogue remote controls (fast changing parameters): 0.1 s
Other indications: 1 s
Alarm presentations: 2 s
Display of fully updated screen views: 2 s
Display of fully updated screen views including start of new application: 5 s
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

502 System start-up and system restoration after power failures shall take place with sufficient speed to comply with the maximum unavailable time for the systems concerned, reverting thereafter to a pre-defined state providing an appropriate level of safety.
503 System capacities shall be sufficient to provide adequate response times for all functions, taking the maximum load and maximum number of simultaneous tasks under normal and abnormal conditions for the EUC into consideration.

A 600 Temperature control
601 Wherever possible, computers shall not have forced ventilation. For systems where cooling or forced ventilation is required for keeping the temperature at an acceptable level, an alarm for high temperature or maloperation of the temperature control function shall be provided.

A 700 System maintenance
701 Integrated systems supporting one or more essential or important functions shall be arranged to allow individual units to be tested, repaired and restarted without interference with the maintained operation of the remaining parts of the system.
702 Essential systems shall have diagnostic facilities to support finding and repairing failures.

A 800 System access
801 Access to system set-up or configuration functions for the EUC shall be protected to avoid unauthorised modifications of the system performance. For screen based systems, tools shall be available to allow easy and unambiguous modification of configuration parameters, provided modifications are allowable under normal operation.
Guidance note:
As a minimum, this applies to:
- calibration data
- alarm limit modification
- manual alarm inhibiting.
The operator should only have access to the application(s) related to the operation of the functions covered by the system according to 301, while access to other applications or installations of such should be prevented. Hot keys normally giving access to other functions or program exits (Alt+Tab, Ctrl+Esc, Alt+Esc, double-clicking in background, etc.) must be disabled.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


802 Unauthorised access to the operation of essential and important systems, from a position outside of the vessel, shall not be possible.

B. System Software

B 100 Software requirements
101 Basic software on processor systems running application software belonging to different functions shall have facilities for:

— running several modules under allocated priorities
— detection of execution failures of individual modules
— discrimination of faulty modules to ensure maintained operation at least of modules of same or higher priority.

102 Individual application software modules allocated as tasks under an operating system as specified above shall not perform operations related to more than one function. These modules shall be allocated priorities in accordance with the relative priority between the functions they serve.
103 When hardware belonging to inputs, outputs, communication links and user interface is configured to minimise the consequences of failures, the related software shall be separated in different computer tasks to secure the same degree of separation.
104 When calculation, simulation or decision support elements are used to serve essential functions, and a basic functionality can be maintained without these elements, the application software shall be designed so as to allow such simplified operation.
105 System set-up, configuration of the EUC and the setting of parameters for the EUC onboard shall take place without modification of program code or recompilation. The Society must be notified if such actions cannot be avoided.
106 Running application software versions shall be uniquely identified by number, date or other appropriate means. Modifications shall not be made without also changing the version identifier. A record of changes to the system since the original issue (and their identification) shall be maintained and made available to the surveyor on request.
Guidance note:
- When the setting of parameters is equivalent to programming, then version identification of these settings should be available. Version identification may be a check sum.
- For integrated systems, identification should be available in the system overview.
- For any screen based system, identification should be readily available on the VDU during normal operation.
- PROMs to be labelled.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B 200 Software development
201 All relevant actions under the development phase of a complex system software shall be taken to ensure that the probability of errors that could occur in the program code is reduced to an acceptable level.

Relevant actions shall include at least:

— actions to ensure that the programming of applications is based on complete and valid specifications
— actions to ensure that software purchased from other parties has an acceptable track record and is subject to adequate testing
— actions to impose a full control of software releases and versions during manufacturing, installation onboard and during the operational phase
— actions to ensure that program modules are subject to syntax and function testing as part of the process
— actions to minimise the probability of execution failures.
Guidance note:
Typical execution failures are:
- deadlocks
- infinite loops
- division by zero
- inadvertent overwriting of memory areas
- erroneous input data.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

202 The actions taken to comply with 201 shall be documented and implemented, and the execution of these actions shall be retraceable. The documentation shall include a brief description of all tests that apply to the system (hardware and software), with a description of the tests intended made by sub-vendors, those carried out at the manufacturer's and those that remain until installation onboard.
203 When novel software is developed for essential systems, DNV "approval of the manufacturer" may be required, either prior to or as part of the actual product development.

C. Control System Networks and Data Communication Links

C 100 General
101 Any network integrating control and/or monitoring systems shall be single point of failure-tolerant. This normally implies that the network with its necessary components and cables shall be designed with adequate redundancy.
Guidance note:
If the fault tolerance is based on other design principles, e.g. a ring net, the fault tolerance shall be documented specifically. The requirement applies to the network containing the integrated control and monitoring systems, and not eventual external communication links to single controllers, remote I/O or similar (e.g. a serial line to an interfaced controller) when such units otherwise can be accepted without redundancy.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
102 The integrity and autonomy of each network segment within an integrated system shall be secured with appropriate network components, e.g. switches or routers. It shall be possible to protect each segment from unnecessary traffic on the remaining network, and each segment shall be able to work independently and with necessary operator interface.
Guidance note:
Virtual networks (VLAN) are normally not accepted as an alternative to segmentation.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
103 In a network integrating control and/or monitoring systems, all network components controlling the network traffic and nodes communicating over the network shall be designed with inherent properties to prevent network overload at any time. This implies that neither the nodes nor the network components shall be able to generate excessive network traffic or consume extra resources that may degrade the network performance.
Guidance note:
This may imply that the nodes and network components shall have properties to monitor their own communication through the network, and to be able to detect, alarm and respond in a predefined manner in case of an excessive traffic event.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
104 The performance of the network shall be continuously monitored, and alarms shall be generated if malfunctions or reduced/degraded capacity occurs.
105 Cables and network components belonging to redundant networks shall be physically separated, by separate cable routing and installation of network components belonging to the redundant network in separate cabinets, power supply to such units included.
106 It shall be possible to maintain local control of machinery as required by Ch.1 Sec.4 A406 (ship rules) independent of network status. This may imply that essential nodes hosting such control functions shall be able to work autonomously, and with necessary operator interface independent of the network.
Guidance note:
To be demonstrated during sea-trial.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
107 Internode signals shall reach the recipient within a pre-defined time. Any malfunctions shall be alarmed.
Guidance note:
The 'pre-defined time' shall as a minimum correspond to the time constants in the EUC, which implies that the detection and alarming shall be initiated quickly enough to enable appropriate operator intervention to secure the operation of the EUC.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
108 If the automation system is connected to administrative networks, the connection principle shall ensure that any function or failure in the administrative net cannot harmfully affect the functionality of the control and monitoring system. The administrative functions shall be hosted in separate servers and shall, if at all necessary, have 'read only' access to the control network.
Guidance note:
The "administrative network" in this connection may contain functions like e.g. report generation, process analysis, decision support etc., i.e. functions that by definition are not essential for vessel operation and not covered by the rules.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
109 Functions being irrelevant for vessel operation (e.g. miscellaneous office- or entertainment-related functions) shall not be connected in any way to any control and monitoring system or utilise its network.
110 It shall not be possible for unauthorised personnel to connect equipment to the control and monitoring network or otherwise have access to such network.
Guidance note:
This pertains to both communication onboard the vessel as well as remotely via external communication. Any access point shall be clearly marked and sufficiently secured, e.g. by location with restricted access, a lockable device or password access.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
111 Any powered network component controlling the network traffic shall automatically resume normal operation upon restoration of power after a power failure.
112 All nodes in a network shall be synchronized to allow a uniform time tagging of alarms (and events) to enable a proper sequential logging.
113 The network shall be designed with adequate immunity to withstand possible exposure to electromagnetic interference in relevant areas.
Guidance note:
This implies the use of suitable network media in areas exposed to high voltage equipment.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
114 Systems allowing for remote connection (e.g. via internet), for e.g. remote diagnostics or maintenance purposes, shall be secured with sufficient means to prevent unauthorised access, and functions to maintain the security of the control and monitoring system. The security properties shall be documented.
Guidance note:
Any remote access to the control system shall be authorised onboard. The system shall have appropriate virus protection, also related to the possibility of infection via the remote connection.
If remote connection for e.g. the above purposes is possible, the function is subject to special considerations and case-by-case approval.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
115 The CCTV system (Closed Circuit Television) shall not be part of an integrated control system.

C 200 Network analysis
201 The control and monitoring network with its components, connected nodes, communication links (also external interfaces) shall be subject to an analysis where all relevant failure scenarios are identified and considered. The analysis may be in the form of e.g. an FMEA, and shall specifically focus on the integrity of the different network functions implemented in separate network segments as well as the main network components (switches, routers etc.).
Guidance note:
The main purpose of the analysis shall be to identify possible failures that may occur in the network, to identify and evaluate the consequences and to ensure that the consequences of failures are acceptable.
The analysis shall be performed in connection with the system design, and not after the system is implemented.
The requirement is basically applicable for all control and monitoring systems containing nodes connected on a common network. However, for simpler systems, the above requirement may be fulfilled by covering the most relevant failure scenarios in a test programme.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

C 300 Network test and verification
301 The network functionality shall be verified in a test where at least the following items shall be verified:

1) The main observations / items from the FMEA
2) Self diagnostics, alarming upon different network failures
3) Worst-case scenarios – network storm
4) Segment segregation – autonomous operation of segments
5) Individual controller node integrity – nodes working without network communication
6) Consequence of single cabinet failure.
Guidance note:
In order to simulate e.g. fire in a single cabinet / cubicle, and to verify that essential vessel functions are still available.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

C 400 Network documentation requirements
401 The following information related to the network properties shall be included in the documentation submitted for approval (with reference to Sec.1, Table C2):

1) Topology and network details including power supply arrangement
2) Functional description, with special focus on interfaces
3) Identification of critical network components
4) Qualitative reliability analysis (e.g. FMEA)
5) Failure response test programme.
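The supervision that C 103 (guidance), C 104 and C 107 ask for, as a worked example: a supervising node watches each configured node's periodic signal against the pre-defined time, counts messages per node against a budget to detect an excessive traffic event, flags a sender that is not in the network configuration (C 110), and returns the alarms in the common-clock time order that C 112 makes possible. This is an added example, not DNV's or any vendor's code; the node names, the 2 s deadline, the 5-messages-per-second budget and the traffic are all constructed.

```python
"""Network supervision sketch for Sec.4 C 103, C 104 and C 107.

Added example, not DNV's or any vendor's code. It assumes a supervising
node that sees every node's periodic signal, time-stamped by the common
synchronised clock required in C 112, and that a per-node message budget
has been set during design. Node names and traffic are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    time: float   # time tag from the common network clock, seconds
    node: str
    text: str


class NetworkSupervisor:
    def __init__(self, nodes, t0, deadline_s, max_msgs, window_s):
        self.deadline_s = deadline_s        # pre-defined time for internode signals (C 107)
        self.max_msgs = max_msgs            # message budget per node and window (C 103)
        self.window_s = window_s
        self.last_seen = {n: t0 for n in nodes}
        self.recent = defaultdict(deque)    # node -> timestamps inside the window
        self.alarms = []
        self._late = set()
        self._flooding = set()

    def observe(self, t, node):
        """Register a message received at common-clock time t from node."""
        if node not in self.last_seen:
            # Not in the network configuration: unauthorised equipment (C 110).
            self.alarms.append(Alarm(t, node, "message from node not in network configuration"))
            return
        self.last_seen[node] = t
        if node in self._late:
            self._late.discard(node)
            self.alarms.append(Alarm(t, node, "heartbeat resumed"))
        q = self.recent[node]
        q.append(t)
        while q and t - q[0] >= self.window_s:   # keep only the last window_s seconds
            q.popleft()
        if len(q) > self.max_msgs:
            if node not in self._flooding:       # alarm once per excessive traffic event
                self._flooding.add(node)
                self.alarms.append(Alarm(t, node, f"excessive traffic: {len(q)} msgs in {self.window_s} s"))
        else:
            self._flooding.discard(node)

    def tick(self, now):
        """Deadline check, run periodically by the supervising node (C 104)."""
        for node, last in self.last_seen.items():
            if now - last > self.deadline_s and node not in self._late:
                self._late.add(node)
                self.alarms.append(Alarm(now, node,
                                         f"no signal for {now - last:.1f} s (limit {self.deadline_s} s)"))

    def sequential_log(self):
        """Alarms in time order, for the sequential logging of C 112."""
        return sorted(self.alarms, key=lambda a: a.time)


def run_demo():
    """Constructed traffic: one node goes silent, one floods, one is unknown."""
    sup = NetworkSupervisor(["PMS", "ALARM_SRV", "PROP_CTRL"], t0=0.0,
                            deadline_s=2.0, max_msgs=5, window_s=1.0)
    msgs = [(float(s), "PMS") for s in range(1, 11)]           # 1 Hz heartbeat
    msgs += [(float(s), "PROP_CTRL") for s in range(1, 11)]
    msgs += [(round(4.0 + 0.1 * k, 1), "PROP_CTRL") for k in range(1, 8)]  # burst 4.1 .. 4.7 s
    msgs += [(1.0, "ALARM_SRV"), (2.0, "ALARM_SRV")]
    msgs += [(float(s), "ALARM_SRV") for s in range(7, 11)]    # silent between 2 s and 7 s
    msgs.append((5.5, "LAPTOP"))                               # not in the node list
    msgs.sort()
    i = 0
    for step in range(1, 21):                                  # supervisor checks every 0.5 s
        now = step * 0.5
        while i < len(msgs) and msgs[i][0] <= now:
            sup.observe(*msgs[i])
            i += 1
        sup.tick(now)
    return [(a.time, a.node, a.text) for a in sup.sequential_log()]
```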


C 500 Wireless communication
501 Wireless technologies may be used in systems that are additional or supplementary to those required by main class rules. Any use of wireless technology in systems required by additional class notations is subject to special consideration.
Guidance note:
This implies that the main class requirements shall be fulfilled even in case of the wireless communication being out of service.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

502 The wireless equipment shall not cause interference to licensed users of the ISM frequency bands in the geographical areas where the ship shall operate. The radiated power level should be adjustable.
Guidance note:
The wireless equipment should be certified according to technical requirements established by applicable IEEE 802 standards for operation within the ISM band. The user manual should identify any relevant spectrum and power restrictions for the ISM bands that may have been enforced by the authorities in the various states of relevance in the operating area of the vessel.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

503 The wireless broadcasting shall operate in the radio bands designated for ISM.
Guidance note:
The industrial, scientific and medical (ISM) bands are located at 900 MHz (902-928 MHz), 2.4 GHz (2400-2483.5 MHz) and 5.8 GHz (5725-5850 MHz).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

504 The wireless broadcasting shall sustain the anticipated electromagnetic environment on board and be tolerant towards interference from narrow-band signals.
Guidance note:
The type of modulation used should be of the category "spread spectrum" and be in compliance with the IEEE 802 series. Direct Sequence Spread Spectrum (DSSS) and Frequency Hopping Spread Spectrum (FHSS) are recognised standards for modulation.
If DSSS modulation is used and more than one access point (AP) may be active simultaneously, these APs should be physically separated and also use separate channels. The minimum processing gain should not be less than 10 dB.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

505 The wireless system shall entail a fixed topology and support prevention of unauthorised access to the network.
Guidance note:
The access to the network shall be restricted to a defined set of nodes with dedicated MAC (media access control) addresses.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

506 In case more than one wireless system shall operate in the same area onboard and there is a risk of interference, a frequency coordination plan shall be made and the interference resistance shall be documented and then demonstrated on board.
507 The wireless equipment shall employ recognised international protocols supporting adequate means for securing message integrity.
Guidance note:
The protocol should be in compliance with the IEEE 802 standard and the nodes should execute at least a 16-bit cyclic redundancy check of the data packets.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

508 In case any form of control signals or confidential data is transferred over the wireless network, data encryption according to a recognised standard shall be utilised.
Guidance note:
Secure encryption schemes such as WiFi Protected Access (WPA) should be used to protect critical wireless data.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

509 The data handling and final presentation of information shall comply with rules and regulations being applicable to the information category.
Guidance note:
Isochronous (real-time) or asynchronous (transmit-acknowledgment) transport will be required depending on the application.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

C 600 Documentation of wireless communication
601 The following information related to the wireless communication shall be included in the documentation submitted for approval (with reference to Sec.1 Table C2):

— functional description
— ISM certificate (IEEE802) from a licence authority (typically the flag state) or alternatively applicable test reports
— single line drawings of the WLAN topology with power arrangements
— specification of frequency band(s), power output and power management
— specification of modulation type and data protocol
— description of integrity and authenticity measures.
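The receive-side checks implied by the guidance to 505 (a defined set of nodes with dedicated MAC addresses) and 507 (at least a 16-bit cyclic redundancy check of the data packets), as an added example that is not part of the rules or of any vendor's equipment. The frame layout, the CRC-16/CCITT-FALSE variant, the node list and the payloads are assumptions; the CRC detects corruption from interference and the address list pins the fixed topology, while authenticity of the sender still depends on the encryption required by 508.

```python
"""Receive-side frame checks for the guidance to Sec.4 C 505 and C 507.

Added example, not DNV's or any vendor's code. A constructed frame layout
is assumed: 6-byte source MAC address, payload, then CRC-16/CCITT-FALSE
over both, appended big-endian. The CRC catches corruption caused by
interference (C 507); the MAC list pins the fixed topology of C 505. Neither
is a cryptographic measure, so authenticity still rests on the encryption
required by C 508. All addresses and payloads are constructed.
"""

ALLOWED_NODES = {                      # defined set of nodes with dedicated MAC addresses
    bytes.fromhex("02005e000001"): "ENGINE_ROOM_GW",
    bytes.fromhex("02005e000002"): "BRIDGE_DISPLAY",
}


def crc16_ccitt(data: bytes, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, init 0xFFFF, no reflection, no xorout."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_frame(src_mac: bytes, payload: bytes) -> bytes:
    """Sender side: append the 16-bit check value over address and payload."""
    body = src_mac + payload
    return body + crc16_ccitt(body).to_bytes(2, "big")


def accept_frame(frame: bytes):
    """Receiver side. Returns (accepted, reason_or_node, payload)."""
    if len(frame) < 8:                                  # 6 MAC + 2 CRC, no payload
        return False, "runt frame", b""
    body, received = frame[:-2], int.from_bytes(frame[-2:], "big")
    if crc16_ccitt(body) != received:
        return False, "crc mismatch", b""               # corrupted in transit: discard
    src = body[:6]
    if src not in ALLOWED_NODES:
        return False, "source not in node list", b""    # outside the fixed topology
    return True, ALLOWED_NODES[src], body[6:]


def run_demo():
    """Good frame, the same frame with one bit flipped, and a frame from an unlisted node."""
    good = build_frame(bytes.fromhex("02005e000001"), b"ME_RPM=87.5")
    corrupted = bytearray(good)
    corrupted[8] ^= 0x01                                # single-bit error in the payload
    stranger = build_frame(bytes.fromhex("02005e0000ff"), b"ME_RPM=87.5")  # valid CRC, unknown MAC
    return [accept_frame(good)[:2],
            accept_frame(bytes(corrupted))[:2],
            accept_frame(stranger)[:2]]
```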


SECTION 5
COMPONENT DESIGN AND INSTALLATION

A. General

A 100 Environmental strains
101 Instrumentation equipment shall be suitable for marine use, and is normally to be designed to operate under environmental conditions as described in B, unless means are provided to ascertain that the equipment parameters are not exceeded. These means are subject to approval on a case-by-case basis.
102 Data sheets, sufficiently detailed to ensure proper application of the instrumentation equipment, shall be available.
103 Performance and environmental testing may be required to ascertain the suitability of the equipment.

A 200 Materials
201 Explosive materials and materials which may develop toxic gases shall not be used. Covers, termination boards, printed circuit cards, constructive elements and other parts that may contribute to spreading fire shall be of flame-retardant material.
Guidance note:
Materials with a high resistance to corrosion and ageing should be used. Metallic contact between different materials should not cause electrolytic corrosion in a marine atmosphere. As base material for printed circuit cards, glass-reinforced epoxy resin or equivalent should be used.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 300 Component design and installation
301 Component design and installation shall facilitate operation, adjustment, repair and replacement. As far as practicable, screw connections shall be secured.
302 Mechanical resonances with amplification greater than 10 shall not occur.
303 Electric cables and components shall be effectively separated from all equipment which, in case of leakage, could cause damage to the electrical equipment. In desks, consoles and switchboards which contain electrical equipment, pipes and equipment conveying oil, water or other fluids or steam under pressure shall be built into a separate section with drainage.
304 Means shall be provided for preventing moisture (condensation) accumulating inside the equipment during operation and when the plant is shut down.
305 Differential pressure elements (dp-cells) shall be able to sustain a pressure differential at least equal to the highest pressure for the EUC (equipment under control).
306 Thermometer wells shall be used when measuring temperature in fluids, steam or gases under pressure.
307 The installation of temperature sensors shall permit easy dismantling for functional testing.
308 Clamps used to secure capillary tubes shall be made of a material that is softer than the tubing.

A 400 Maintenance, checking
401 Maintenance, repair and performance tests of systems and components are as far as practicable to be possible without affecting the operation of other systems or components.
Provisions for testing (e.g. three-way cocks) shall be arranged in pipes connecting pressure switches/transducers to EUC normally in operation at sea.
Guidance note:
The installation should as far as possible be built up from easily replaceable units and designed for easy troubleshooting, checking and maintenance. When a spare unit is mounted, only minor adjustments or calibrations of the unit should be necessary. Faulty replacements should not be possible.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 500 Marking
501 All units and test points shall be clearly and permanently marked. Transducers, controllers and actuators shall be marked with their system function, so that they can be easily and clearly identified on plans and in instrument lists. See also Ch.8 Sec.3 E.
Guidance note:
Marking of test points with e.g. alarm or tag numbers is acceptable as long as they can easily be identified in the alarm list or other documentation.
The marking of system function should preferably not be placed on the unit itself, but adjacent to it.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 600 Standardising
Guidance note:
Systems, components and signals should be standardised as far as practicable.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B. Environmental Conditions, Instrumentation

B 100 General
101 The environmental parameters given in 200 to 1100, including any of their combinations, represent "average adverse" conditions, which will cover the majority of applications on board vessels. Where environmental conditions will exceed those specified, special arrangements and special components will have to be considered.

Table B1 Parameter class for the different locations on board

Parameter | Class | Location
Temperature | A | Machinery spaces, control rooms, accommodation, bridge
Temperature | B | Inside cabinets, desks etc. with temperature rise of 5°C or more installed in location A
Temperature | C | Pump rooms, holds, rooms with no heating
Temperature | D | Open deck, masts and inside cabinets, desks etc. with a temperature rise of 5°C or more installed in location C
Humidity | A | Locations where special precautions are taken to avoid condensation
Humidity | B | All locations except as specified for location A
Vibration | A | On bulkheads, beams, deck, bridge
Vibration | B | On machinery such as internal combustion engines, compressors, pumps, including piping on such machinery
Vibration | C | Masts
Electromagnetic compatibility (EMC) | A | All locations except as specified for bridge and open deck
Electromagnetic compatibility (EMC) | B | All locations including bridge and open deck


Components and systems designed in compliance with IEC environmental specifications for ships, Publication No. 60092-504 (1994), and for EMC, IEC Publication No. 60533, may be accepted after consideration.
Guidance note:
For details on environmental conditions for instrumentation, see Standard for Certification 2.4.
Navigation and radio equipment shall comply with IEC Publication No. 60945, Marine navigational equipment - General requirements.
For EMC only, all other bridge-mounted equipment, equipment in close proximity to receiving antennas, and equipment capable of interfering with safe navigation of the ship and with radio-communications shall comply with IEC Publication No. 60945 (1996) Clause 9 (covered by EMC class B).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B 200 Electric power supply
201 Power supply failure with successive power breaks with full power between breaks:

— 3 interruptions during 5 minutes
— switching-off time 30 s in each case.

202 Power supply variations for equipment connected to A.C. systems:

— combination of permanent frequency variations of ±5% and permanent voltage variations of ±10% of nominal
— combination of frequency transients (5 s duration) ±10% of nominal and voltage transients (1.5 s duration) ±20% of nominal.

203 Power supply variations for equipment connected to D.C. systems:

— voltage tolerance continuous ±10% of nominal
— voltage transients cyclic variation 5% of nominal
— voltage ripple 10%.

204 Power supply variations for equipment connected to battery power sources:

— +30% to -25% for equipment connected to battery during charging
— +20% to -25% for equipment connected to battery not being charged
— voltage transients (up to 2 s duration) ±25% of nominal.

B 300 Pneumatic and hydraulic power supply
301 Nominal pressure ±20% (long and short time deviations).

B 400 Temperature
401 Class A: Ambient temperatures +5°C to +55°C.
402 Class B: Ambient temperatures +5°C to +70°C.
403 Class C: Ambient temperatures -25°C to +55°C.
404 Class D: Ambient temperatures -25°C to +70°C.

B 500 Humidity
501 Class A: Relative humidity up to 96% at all relevant temperatures, no condensation.
502 Class B: Relative humidity up to 100% at all relevant temperatures.

B 600 Salt contamination
601 Salt-contaminated atmosphere up to 1 mg salt per m³ of air, at all relevant temperatures and humidity conditions. Applicable to equipment located in open air and made of material subject to corrosion.

B 700 Oil contamination
701 Mist and droplets of fuel and lubricating oil. Oily fingers.

B 800 Vibrations
801 Class A:
Frequency range 3 to 100 Hz.
Amplitude 1 mm (peak value) below 13.2 Hz.
Acceleration amplitude 0.7 g above 13.2 Hz.
802 Class B:
Frequency range 3 to 100 Hz.
Amplitude 1.6 mm (peak value) below 25 Hz.
Acceleration amplitude 4.0 g above 25 Hz.
803 Class C:
Frequency range 3 to 50 Hz.
Amplitude 3 mm (peak value) below 13.2 Hz.
Acceleration amplitude 2.1 g above 13.2 Hz.


Table B2 Minimum immunity requirements for equipment

Port | Phenomenon | Basic Standard | Performance criteria | Test value
A.C. power | Conducted low frequency interference | IEC 60945 | A | 50 - 900 Hz: 10% A.C. supply voltage; 900 - 6000 Hz: 10 - 1% A.C. supply voltage; 6 - 10 kHz: 1% A.C. supply voltage
A.C. power | Electrical fast transient (Burst) | IEC 61000-4-4 | B | 2 kV 3)
A.C. power | Surge voltage | IEC 61000-4-5 | B | 0.5 kV 1) / 1 kV 2)
A.C. power | Conducted radio frequency interference | IEC 61000-4-6 | A | 3 Vrms 3); (10 kHz) 6) 150 kHz - 80 MHz; sweep rate ≤ 1.5 x 10^-3 decade/s 7); modulation 80% AM (1 kHz)
D.C. power | Conducted low frequency interference | IEC 60945 | A | 50 Hz - 10 kHz: 10% D.C. supply voltage
D.C. power | Electrical fast transient (Burst) | IEC 61000-4-4 | B | 2 kV 3)
D.C. power | Surge voltage | IEC 61000-4-5 | B | 0.5 kV 1) / 1 kV 2)
D.C. power | Conducted radio frequency interference | IEC 61000-4-6 | A | 3 Vrms 3); (10 kHz) 6) 150 kHz - 80 MHz; sweep rate ≤ 1.5 x 10^-3 decade/s 7); modulation 80% AM (1 kHz)
I/O ports, signal or control | Electrical fast transient (Burst) | IEC 61000-4-4 | B | 1 kV 4)
I/O ports, signal or control | Conducted radio frequency interference | IEC 61000-4-6 | A | 3 Vrms 3); (10 kHz) 6) 150 kHz - 80 MHz; sweep rate ≤ 1.5 x 10^-3 decade/s 7); modulation 80% AM (1 kHz)
Enclosure | Electrostatic discharge (ESD) | IEC 61000-4-2 | B | 6 kV contact / 8 kV air
Enclosure | Electromagnetic field | IEC 61000-4-3 | A | 10 V/m 5) 80 MHz - 2 GHz; sweep rate ≤ 1.5 x 10^-3 decade/s 7); modulation 80% AM (1 kHz)

1) line to line
2) line to ground
3) capacitive coupling
4) coupling clamp
5) special situations to be analysed
6) test procedure to be described in the test report
7) for equipment installed in the bridge and deck zone (EMC Class B) the test levels shall be increased to 10 Vrms for spot frequencies in accordance with IEC 60945 at 2/3/4/6.2/8.2/12.6/16.5/18.8/22/25 MHz. For screened cables, a special test set-up shall be used enabling the coupling into the cable screen.

Performance criterion A: The equipment under test (EUT) shall continue to operate as intended during and after the test. No degradation of performance or loss of function is allowed as defined in the relevant equipment standard and in the technical specification published by the manufacturer.

Performance criterion B: The EUT shall continue to operate as intended after the test. No degradation of performance or loss of function is allowed as defined in the relevant equipment standard and in the technical specification published by the manufacturer. During the test, degradation or loss of function or performance that is self recoverable is however allowed, but no change of actual operating state or stored data is allowed.

Table B3 Maximum emission requirements for equipment

Class | Location | Port | Frequency Range (Hz) | Limits
A | All locations except bridge and open deck | Enclosure (Radiated Emission) | 150 k – 30 M | 80 – 50 dBµV/m
A | All locations except bridge and open deck | Enclosure (Radiated Emission) | 30 – 100 M | 60 – 54 dBµV/m
A | All locations except bridge and open deck | Enclosure (Radiated Emission) | 100 M – 2 G | 54 dBµV/m
A | All locations except bridge and open deck | Enclosure (Radiated Emission) | except: 156 – 165 M | 24 dBµV/m
A | All locations except bridge and open deck | Power (Conducted Emission) | 10 – 150 k | 120 – 69 dBµV
A | All locations except bridge and open deck | Power (Conducted Emission) | 150 – 500 k | 79 dBµV
A | All locations except bridge and open deck | Power (Conducted Emission) | 500 k – 30 M | 73 dBµV
B | All locations including bridge and open deck | Enclosure (Radiated Emission) | 150 – 300 k | 80 – 52 dBµV/m
B | All locations including bridge and open deck | Enclosure (Radiated Emission) | 300 k – 30 M | 52 – 34 dBµV/m
B | All locations including bridge and open deck | Enclosure (Radiated Emission) | 30 M – 2 G | 54 dBµV/m
B | All locations including bridge and open deck | Enclosure (Radiated Emission) | except: 156 – 165 M | 24 dBµV/m
B | All locations including bridge and open deck | Power (Conducted Emission) | 10 – 150 k | 96 – 50 dBµV
B | All locations including bridge and open deck | Power (Conducted Emission) | 150 – 350 k | 60 – 50 dBµV
B | All locations including bridge and open deck | Power (Conducted Emission) | 350 k – 30 M | 50 dBµV
B 900 Inclination

901 For ships, see Rules for Classification of Ships Pt.4 Ch.1 Sec.3 B200. For HS, LC and NSC, see Rules for Classification of HS, LC and NSC Pt.4 Ch.1 Sec.1 A200.

B 1000 Electromagnetic compatibility

1001 The minimum immunity requirements for equipment are given in Table B2, and the maximum emission requirements are given in Table B3.

Guidance note:
Electrical and electronic equipment should be designed to function without degradation or malfunction in their intended electromagnetic environment. The equipment should not adversely affect the operation of, or be adversely affected by, any other equipment or systems used on board or in the vicinity of the vessel. Upon installation, it may be required to take adequate measures to minimise the electromagnetic noise signals, see Classification Note No. 45.1. Such measures may be in the form of a list of electromagnetic noise generating and sensitive equipment, and an estimate of the required noise reduction, i.e. an EMC management plan. Testing may also be required to demonstrate electromagnetic compatibility.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

B 1100 Miscellaneous

1101 In particular applications other environmental parameters may influence the equipment, e.g.:

— acceleration
— fire
— explosive atmosphere
— temperature shock
— wind, rain, snow, ice, dust
— audible noise
— mechanical shock or bump forces equivalent to 20 g of 10 ms duration
— splash and drops of liquid
— corrosive atmospheres of various compositions (e.g. ammonia on an ammonia carrier).

1102 Acceleration caused by the ship's movement in waves. Peak acceleration ±1.0 g for ships with length less than 90 m, and ±0.6 g for ships of greater length. Period 5 to 10 s.

C. Electrical and Electronic Equipment

C 100 General

101 Fused isolating transformers shall be fitted between the main power supply and the different units or systems.

102 Switching of the power supply on and off shall not cause excessive voltage or other strains that may damage internal or external components.

103 Units requiring insulating resistance in cables and wiring higher than 200 kΩ are normally not to be used. Exceptions can be made for special cable arrangements.

C 200 Mechanical design, installation

Guidance note:
Circuits should be designed to prevent damage of the unit or adjacent elements by internal or external failures. No damage should occur when the signal transmission lines between measuring elements and other units are short-circuited, grounded or broken. Such failures should lead to a comparatively safe condition (fail to safe).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note:
The equipment should preferably function without forced cooling. Where such cooling is necessary, precautions should be taken to prevent the equipment from being damaged in case of failure of the cooling unit.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

201 The components shall be effectively secured to avoid mechanical stressing of wires and soldered joints through vibrations and mechanical shock.

Guidance note:
Components weighing more than 10 grams (0.35 oz) should not be fastened by their connecting wires only.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

C 300 Protection provided by enclosure

301 Enclosures for the equipment shall be made of steel or other flame retardant material capable of providing EMC protection and satisfy the minimum requirements of Table C1. The required degree of protection is specified in IEC 60529 (International Electrotechnical Commission, Publication No. 60529).

Table C1 Minimum requirements for enclosures

Class | Location | Degree of protection
A | Control rooms, accommodation, bridge | IP 22
B | Machinery space | IP 44
C | Open deck, masts, below floor plates in machinery space | IP 56
D | Submerged application | IP 68

Guidance note:
Automation equipment of class A and B that shall be in operation during emergency situations, located in areas exposed to wash down, should have IP 55 protection.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

C 400 Cables and wires

401 Cables and wires shall comply with the requirements in Ch.8 Sec.9.

C 500 Cable installation

501 Cable installations shall comply with the requirements in Ch.8 Sec.10 and Ch.8 Sec.3 D300.

C 600 Power supply

601 When using low voltage battery supply, the charging equipment, batteries and cables shall keep the voltage at equipment terminals within +25% to -20% of the nominal voltage during charging and discharging.

Provisions shall be made for preventing reverse current from the battery through the charging device.

602 Systems including a standby battery connected for continuous charging shall not be disturbed in any way by disconnection of the battery.

603 Battery installations shall be in accordance with Ch.8 Sec.10 B300.

604 Regulated rectifiers shall be designed for the variations in voltage and frequency stated in B.

605 Different system voltages shall be supplied through different cables.

606 Terminal lists shall be clearly marked. Various system voltages shall be distinguished.

607 Uninterruptible power supplies shall be according to the requirements given in Ch.8 Sec.2 A200.

C 700 Fibre optic equipment

701 Fabrication and installation of fibre optic cables shall comply with the requirements of Ch.8.

Guidance note:
The construction of fibre optic devices is generally to comply with relevant specifications of IEC Publications.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

702 Power budget calculation shall be used to:

— determine the length between I/O units,
— select components to obtain a safe reliable transmission system, and
— demonstrate that adequate power reserve has been provided.

After installation, optical time domain reflectometry (OTDR) measurements for each fibre shall be used to correct and re-evaluate the power budget calculations.

703 The safety of personnel and operations shall be considered in the installation procedures. Warning signs and labels giving information to the operators shall be placed where hazard exists. Care must be taken to prevent fibres from penetrating eyes or skin.

Guidance note:
It is advised to use equipment with 'built-in' safety, e.g. interlock the power to the light sources with the covers, possible to disconnect/lock parts of the system under service, screen laser beams.
Safe distance between the light source or fibre end and the eye of the operator may be determined by applying the formula:

$L_{safe} = \frac{P_n + 10}{2}$

Safe distance: $L_{safe}$ (cm); $P_n$: Nominal power (mW)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

704 Fibre optic systems using standard single- and multi-mode fibres to be used for intrinsically safe circuits in hazardous areas shall have a power level below 10 mW.


SECTION 6
USER INTERFACE

A. General

A 100 Application

101 The rules in this section apply for all main class vessels.

A 200 Introduction

201 The location and design of the user interface shall give consideration to the physical capabilities of the user and comply with accepted ergonomic principles.

202 This section gives requirements for the user interface to ensure a safe and efficient operation of the systems installed.

B. Workstation Design and Arrangement

B 100 Location of visual display units and user input devices

101 Workstations shall be arranged to provide the user with easy access to UIDs, VDUs and other facilities required for the operation.

102 The VDUs and UIDs shall be arranged with due consideration of the general availability parameters as shown in Fig.1 and Fig.2.

Fig. 1
VDU arrangement parameters.

Fig. 2
UID arrangement parameters.

103 UIDs and VDUs serving the same function shall as far as possible be arranged and grouped together.

C. User Input Device and Display Unit Design

C 100 User input devices

101 The method of activating a UID shall be clear and unambiguous.

102 The direction of UID movements shall be consistent with the direction of associated process response and display movement. The purpose shall be to ensure easy and understandable operation, such as:

— a side thruster lever to be arranged athwartships
— a propulsion thruster lever shall be arranged according to the vessel response
— the thruster response shall correspond to the lever movement.

103 The operation of a UID shall not obscure indicator elements where observation of these elements is necessary for adjustments.

104 UIDs or combined UIDs/indicating elements shall be distinguishable from elements used for indication only.

105 UIDs shall be simple to use, and shall normally allow for one hand operation. The need for fine motoric movements shall be avoided.

C 200 Visual display units

201 The information presented shall be clearly visible to the user, and permit reading at a practicable distance in the light conditions normally experienced where installed.

202 In order to ensure readability, the update frequency of VDUs shall be consistent with the operational use of the VDU and the accuracy requirement, if any, to the data displayed.

203 VDU letter type shall be of simple, clear-cut design.

204 Set points shall always be indicated at the location of the UID.

C 300 Colours

301 The use of colours shall be consistent. Red shall be reserved to indicate danger, alarm and emergency only. Colour coding of functions and signals shall be in accordance with Table C3.

Table C3 Colour coding

Function | Colour code
Danger, Alarm, Emergency | Red
Attention, Pre-warning, Caution, Undefined | Yellow
Status of normal, safe situation | Green

C 400 Requirements for preservation of night vision (UIDs and VDUs for installation on the navigating bridge)

401 Warning and alarm indicators shall show no light in normal condition.

402 All UIDs and VDUs shall be fitted with internal or permanent external light source to ensure that all necessary information is visible at all times.

403 Means shall be provided to avoid light and colour changes during start-up and mode changes, which may affect night vision.


D. Screen Based Systems

D 100 General

101 The status of the information displayed shall be clearly indicated.

Guidance note:
This applies to e.g. indications not being updated or indication of inhibited alarm.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

102 Alarm messages for primary and emergency alarms required in the rules shall, when initiated, be given priority over any other information presented on the VDU. The entire list of alarm messages shall be easily available.

103 Alarms shall be time tagged.

104 Time tagging for all alarms shall be consistent throughout the system. The different nodes in the system shall be synchronised with sufficient accuracy to ensure consistent time tagging for all alarms throughout the system.

The accuracy of the synchronisation shall as a minimum correspond to the time constants in the process so that the true sequence of events may be traced in the alarm list.

105 For a main alarm system at least two independent VDUs shall be provided for alarm presentation, alternatively one VDU and one independent printer.

The two independent VDUs or VDU and printer shall not be driven from the same interface controller.

106 UIDs shall be designed and arranged to avoid inadvertent operation.

Guidance note:
The purpose is to prevent unintentional activation/de-activation of systems, e.g. by means of a lid over a stop button or two-step operation of critical screen-based functions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

107 For essential and important systems, dedicated input devices shall be used.

Guidance note:
The input device is normally a dedicated function keyboard, but alternative arrangements like e.g. touch-screens or dedicated software-based dialogue boxes or switches may be accepted on special considerations.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

108 Symbols and their associated information in a mimic diagram shall have a logical relationship.

109 Means shall be provided to ensure that only correct use of numbers and letters and only values within reasonable limits will be accepted when data is entered manually into the system.

If the user provides the system with insufficient input, the system shall request the continuation of the dialogue by means of clarifying questions. Under no circumstances is the system to end the dialogue incomplete without user request.

D 200 Illumination

201 Means shall be provided for adjustment of illumination of all VDUs and UIDs to a level suitable for all applicable light conditions. However, to make adjustments down to a level making information belonging to essential and important functions unreadable is not permissible and shall be prevented.

Guidance note:
Adjustments may be arranged by use of different sets of colours suited for the applicable light conditions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

D 300 Colour screens

301 For cathode ray tubes (CRTs), colours used for essential information shall not depend on a single source of light.

D 400 Computer dialogue

401 Frequently used operations shall be available in the upper menu level, on dedicated software or hardware buttons.

402 All menus and displays shall be self-explanatory or provided with appropriate help-functions.

403 When in dialogue mode, update of essential information shall not be blocked.

404 If relevant, fields for entry of data shall occur with current or a default value. A valid data range shall be defined for each field.

405 The systems shall indicate the acceptance of a control action to the user without undue delay.

406 Confirmation of a command shall be used when the action requested has a critical consequence.

407 It shall be possible for the user to recognise whether the system is busy executing an operation, or waiting for additional user action. When the system is busy, buffering of more than one user input is not allowed. Manually initiated time-consuming operations shall be possible to cancel.

D 500 Application screen views

501 For integrated systems, all windows to be called to the VDU shall have a similar representation of all components (menus, buttons, symbols, colours, etc.).
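As an added illustration of the time-tagging requirement in D 100 item 104 (example code, not part of the rules text), the check below treats each node's clock as accurate to ±δ and flags alarm pairs whose order in the alarm list could be an artefact of clock skew rather than the true sequence of events; the node names, alarm tags and time constants are constructed.

```python
"""Sequence-of-events check for time-tagged alarms from several nodes.

Added example, not part of the DNV rules text. It models the requirement in
D104: each node clock is synchronised to within some bound, and that bound must
be small relative to the process time constants for the alarm list to show the
true order of events. Node and alarm names below are constructed.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Alarm:
    node: str   # node that time-tagged the alarm (constructed name)
    tag: str    # alarm identifier (constructed)
    t: float    # local time tag, seconds since a common epoch


def order_is_certain(a: Alarm, b: Alarm, sync_accuracy_s: float) -> bool:
    """True if the listed order of a and b cannot be an artefact of clock skew.

    A node clock may be off by up to +/-sync_accuracy_s, so tags from two
    different nodes can differ by up to 2*sync_accuracy_s purely through skew.
    Tags from the same node share one clock and keep their relative order.
    """
    if a.node == b.node:
        return True
    return abs(a.t - b.t) > 2 * sync_accuracy_s


def sync_adequate(sync_accuracy_s: float, process_time_constant_s: float) -> bool:
    """D104 criterion: events one process time constant apart must stay ordered."""
    return 2 * sync_accuracy_s < process_time_constant_s


def required_sync_accuracy(process_time_constant_s: float) -> float:
    """Largest per-node clock deviation that still satisfies sync_adequate."""
    return process_time_constant_s / 2


def ambiguous_pairs(alarms, sync_accuracy_s: float):
    """Alarm pairs whose order in the time-sorted list may not be the true one."""
    ordered = sorted(alarms, key=lambda x: x.t)
    return [(a.tag, b.tag) for a, b in combinations(ordered, 2)
            if not order_is_certain(a, b, sync_accuracy_s)]


# Constructed alarm list: a lube-oil pressure alarm on the engine node is
# followed 0.3 s later by a shutdown issued by a separate safety node.
SAMPLE_ALARMS = [
    Alarm("engine-node", "LO_PRESS_LOW", 100.00),
    Alarm("safety-node", "ENGINE_SHUTDOWN", 100.30),
    Alarm("engine-node", "RPM_ZERO", 103.50),
]

if __name__ == "__main__":
    for acc in (0.1, 0.5):
        print(f"sync accuracy +/-{acc} s: ambiguous pairs",
              ambiguous_pairs(SAMPLE_ALARMS, acc))
```

With ±0.1 s synchronisation the 0.3 s cause-to-effect gap is unambiguous; with ±0.5 s the alarm list can no longer show which of the two came first.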
