
RECOMMENDED PRACTICE

DNV-RP-D102

Failure Mode and Effect Analysis (FMEA) of Redundant Systems
JANUARY 2012

The electronic pdf version of this document found through http://www.dnv.com is the officially binding version

DET NORSKE VERITAS AS


FOREWORD
DET NORSKE VERITAS (DNV) is an autonomous and independent foundation with the objectives of safeguarding life,
property and the environment, at sea and onshore. DNV undertakes classification, certification, and other verification and
consultancy services relating to quality of ships, offshore units and installations, and onshore industries worldwide, and
carries out research in relation to these functions.
DNV service documents consist of among others the following types of documents:
— Service Specifications. Procedural requirements.
— Standards. Technical requirements.
— Recommended Practices. Guidance.
The Standards and Recommended Practices are offered within the following areas:
A) Qualification, Quality and Safety Methodology
B) Materials Technology
C) Structures
D) Systems
E) Special Facilities
F) Pipelines and Risers
G) Asset Operation
H) Marine Operations
J) Cleaner Energy
O) Subsea Systems

© Det Norske Veritas AS January 2012

Any comments may be sent by e-mail to rules@dnv.com

This service document has been prepared based on available knowledge, technology and/or information at the time of issuance of this document, and is believed to reflect the best of
contemporary technology. The use of this document by others than DNV is at the user's sole risk. DNV does not accept any liability or responsibility for loss or damages resulting from
any use of this document.
Recommended Practice DNV-RP-D102, January 2012
Changes – Page 3

CHANGES

Main changes:
This is a new document.




CONTENTS

1. General
1.1 Application, objective, and contents of FMEA for redundant systems
2. Definitions
2.1 General definitions
3. Documentation
3.1 General
4. Redundancy Design Intention
4.1 General
4.2 Redundancy design intention and functional redundancy types
4.3 Specification of subsystem or component groups
4.4 Specification and analyses of dependencies
5. Single Failure Propagation in Redundant Systems
5.1 General
5.2 Failures, common causes, and systematic failure propagation
5.3 Barriers and other compensating measures
5.4 Failure propagation analysis at subsystem level
6. Unit and Subsystem FMEA
6.1 Requirements to the unit FMEA including subsystem FMEA
6.2 Allocation of unit requirements to subsystems/component groups
6.3 Comparison of subsystem design intention with subsystem FMEA acceptance criterion
7. FMEA of Subsystems with Redundancy
7.1 General
8. FMEA of Single Sub-Systems
8.1 General
9. Redundant Systems with Physical (Fire and Flooding) Separation
9.1 Separation design intent
9.2 Separation analysis
10. Inspections and Tests
10.1 General
11. FMEA Report and Compliance Statement
11.1 General
Appendix A. IMCA references
Appendix B. DNV references
Appendix C. Typical table of contents for a minimum DP FMEA
Appendix D. Failure modes in electrical power systems operating with closed bus tie(s)




1. General
1.1 Application, objective, and contents of FMEA for redundant systems
1.1.1 The requirements of this guideline apply to failure mode and effect analysis (FMEA) of redundant
systems.
Guidance note 1:
Class notations such as DYNPOS-AUTR, DYNPOS-AUTRO, DPS 2, DPS 3, DYNPOS-ER, RP, RPS, AP-2 and AP-3
require redundancy. An FMEA of the system redundancy is required as part of the verification of the specific
acceptance criterion for the specific notation.
This guideline may also be suitable for other applications, e.g. the IMO requirements for Safe Return to Port.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
This guideline does not give any guidance on FMEA of software. However, the guideline requires testing and
verification of how the software responds to relevant failures in the system subject to verification.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.2 The objective of failure mode and effects analysis of redundant systems in a specified unit (U) is to
provide objective evidence of required redundancy and fault tolerance.
[Figure 1-1: the unit U with its system boundary, containing redundant component group A and redundant component group B; the acceptance criteria reference level is drawn at the system boundary.]

Figure 1-1
The redundancy design intent can be visualized by means of one redundant component group diagram (UAB). The
diagram represents the complete physical system (the unit (U) and its system boundary) and the two physical redundant
component groups (A and B). The main concepts are the system boundary, the redundant component groups
illustrated by a minimum of two redundant groups (A group and B group), and the acceptance criteria reference level,
which refers to the unit system boundary. Please note that more than two redundant groups may also be
assumed (e.g. A, B, C, D groups).

Guidance note:
In order to give the reader an introduction to the vessel subject to the FMEA and to the project in general, the FMEA
report should start by giving high level vessel information, which may typically include: main particulars, yard, yard
number, owner, ship name and identification, vessel type, intended operation, class notations, main equipment
suppliers, FMEA supplier and other relevant information.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.3 In order to be valid, the FMEA, the test program, and the test report must at all times during the
operational phase be maintained and updated in case of alterations of the system.
In case of alterations it must be evaluated whether:
— an additional FMEA is required
— the test program needs to be updated
— functional testing and/or failure testing is required
— other parts of the documentation need to be updated.
Guidance note:
The requirements to keep the FMEA documents updated during the operational phase, will vary between the different
class notations (e.g. DYNPOS-AUTR, DPS 2, RP, AP).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.4 The FMEA shall specify all vessel operational modes for which it is intended to be valid (minimum one
mode). For each of these vessel operational modes the technical system configuration shall be described, and the
prerequisites for achieving the required failure tolerance and redundancy shall be included.
Guidance note:
The vessel operational mode specifies the high level system setup, redundancy design intention and vessel operations.
Examples of vessel operational modes are position keeping, weather vaning, manoeuvring and dredging. It is
understood that vessel operations in this context is a common term comprising vessel operations, control system
modes and industrial functions.




The technical system configuration(s) are prerequisites for establishing the basis for an FMEA, and must be specified
for all relevant configurations. One example could be a vessel that has different technical system configurations for
different vessel operational modes; another example could be a vessel with DYNPOS-AUTRO notation that
is also intended to have a mode based on DYNPOS-AUTR acceptance criteria. In both cases all modes shall be stated,
specified, analysed, and tested in the FMEA.
The technical system configuration includes all technical modes (and combinations of the modes) of all systems that
may influence the redundancy and failure tolerance of the unit. This will typically include, but is not limited to,
control system modes, power plant and thruster configuration, switchboard (AC and DC) configuration and
distribution setup, auxiliary systems setup, valves, breakers, pumps, etc.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.5 All specified vessel operational modes and technical system configurations that FMEA is intended to be
valid for, shall be analysed and as far as possible be verified by testing.
1.1.6 A failure mode and effect analysis (FMEA) of redundant systems shall as a minimum consist of the
following parts:
— general vessel information
— specification of acceptance criteria,
— specification of the overall system boundary of the unit (U) to be subject for FMEA
— redundancy design intent(s), worst case failure design intent, time requirements, and vessel operational
modes
— specification of all redundant components (e.g. A,B) and single component groups included within the
overall system boundary. The relevant system names, main units, compartments (when applicable), and
their main intended functions shall be presented in a structured manner, supported with a descriptive
narrative text.
— specification of all assumptions related to systems interfaces and dependencies of external systems
— single failure and common cause analysis at unit (U) and subsystem levels (A,B)
— if applicable, separation design intent and descriptions of the installation of redundant component groups
in fire and flooding protected compartments. This also includes cables and communication lines, and
associated equipment.
— a test program identifying tests to verify assumptions and conclusions
— summary and conclusions:
— for each subsystem analysed, the conclusions shall be stated at the end of the specific section
— for the total system, an overall summary covering the main findings from the most critical subsystems.
— a compliance statement referring to the overall system boundary, operational modes, tests, and acceptance
criterion including time requirements shall be stated for the FMEA.
Detailed requirements for above parts are stated in this guideline.
Guidance note 1:
Please observe that the requirements to FMEAs for redundant systems differ from traditional bottom-up FMEAs in
the following respects:
— requirement to state the redundancy design intent
— requirement to specify the acceptance criterion to be complied with
— requirement to refer to full scale testing and sea trials to support the analysis
— requirement to state compliance with the acceptance criterion.
The FMEA documentation shall be self-contained and provide sufficient information to give the necessary overview
of the system.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
In general, FMEAs of single non-redundant systems will normally require a complete breakdown of all parts of the
system, resulting in a large set of possible failure modes with the potential of affecting the function of the system.
Consider e.g. a single engine and single propulsor for a cargo ship. (Normally there will be no class requirement for
an FMEA of such single systems.)
On the other hand, FMEA of redundant systems with a stated overall functional requirement (e.g. no single failure
shall give loss of position) makes it possible to administer the actual detailed scope of the subsystem FMEAs
in a top-down approach and to limit the detailed analysis. The top-down approach thus avoids detailed and
complete FMEAs of each of the redundant subsystems.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---




2. Definitions
2.1 General definitions
2.1.1 Active redundancy (IEC 191-15-02) is that redundancy wherein all means for performing a required
function are intended to operate simultaneously.
2.1.2 Acceptance criterion/criteria are to be stated as the maximum accepted consequence of failure. The
acceptance criterion/criteria should be referring to the system boundary level.
Guidance note:
For the unit level the class notation requirements will normally be the acceptance criterion.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.3 Ageing failure, wear-out failure (IEC 191-04-09): a failure whose probability of occurrence increases with the
passage of time, as a result of processes inherent in the item.
Ageing or random failure
An ageing or a random failure of a component or a subsystem is characterised by the fact that the failure may occur at
any time, and the time of the failure event cannot be stated in advance to fall within a specified time.

[Figure 2-1: timeline of a random failure event.]

Figure 2-1
For a random failure, the time to the failure event is random.

2.1.4 Benign failure modes, a term used for the subset of failure modes which primarily affect only the
subsystem itself and have minor effect with regard to propagation leading to critical failures in other sub-
systems.
Guidance note:
A typical benign failure mode is loss of power output, whereas overvoltage will be considered as a non-benign failure
mode.
There is a need to define which possible states a system may enter into after a failure. It cannot be assumed that a
system or component is simply lost (absence of function). The system or component may enter into a state affecting
other units. Detailed analysis of basic functionality may have to be done at a single failure level, e.g. the problem with
a faulty input from a draft sensor, a wind sensor, or a common reference signal may affect more than one redundancy
group.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.5 Common cause failures (IEC 191-04-23), failures of different items, resulting from a single event, where
these failures are not consequences of each other.
2.1.6 Common mode failures (IEC 191-04-24), failures of items characterized by the same fault mode.
Note:
Common mode failures should not be confused with common cause failures as the common mode failures may result
from differing causes.
---e-n-d---of---N-o-t-e---

2.1.7 Common component group, represents components, physical connections, and dependencies between
the redundant component groups.
2.1.8 Component group is a specified set of components or sub-systems within a specified component group
boundary.
2.1.9 Dependent systematic failures: The unacceptable failure situations for redundant systems are related to
failures in two or more redundant groups, where the second failure occurs in a systematic manner within
the stated acceptable time requirement. The most critical situations are related to systematic failure propagation
in the following situations:
— systematic failure propagation between dependent systems or common components
— systematic failure due to common cause propagation
— systematic failure propagation due to primary – secondary failure propagation.
Guidance note:
The key point is that the redundant systems will fail within the unacceptable failure time requirement as given in the
acceptance criterion for the applied class notation. The objective of the single failure analysis is therefore to identify
possible dependent systematic failures which may violate the stated acceptance criterion for the given class notations
(‘DP’, AP, RP,…)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.10 Failure (ISO 14224, 3.15): termination of the ability of an item to perform a required function
NOTE 1: After the failure, the item has a fault.
NOTE 2: “Failure” is an event, as distinguished from a “fault,” which is a state.
NOTE 3: This concept as defined does not apply to items consisting of software only.
2.1.11 Failure cause (IEC 191-04-17): The circumstances during design, manufacture or use which have led
to a failure.
2.1.12 Failure mode (ISO 14224, 3.20): The effect by which a failure is observed on the failed item.

Figure 2-2
Failure mode observed at boundary

2.1.13 FMEA: Failure mode and effect analysis.


Guidance note:
A general FMEA method is described in e.g. IEC 60812 2006. The method represents a bottom up analysis of failure
effects on the end item level (system boundary). The general FMEA does not, as a work process, take advantage of
requirements to redundancy, acceptance criterion/criteria, and testing on the actual system as being required in the
guideline for FMEA of redundant systems.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.14 Fail safe (IEC 90-191) is a design property of an item which prevents its failures from resulting in
critical faults.
2.1.15 Hidden failure (ISO 14224, 3.24), a failure that is not immediately evident to operations and
maintenance personnel.
Guidance note:
NOTE: Equipment that fails to perform an "on demand" function falls into this category. Such failures are not
revealed by normal operation and must be detected through checks.
Monitoring and periodic testing/verification should be performed in order to ensure sufficient availability of such
functions. Protective functions, e.g. in power plants and switchboards, are typical examples of on demand functions
where possible hidden failures should be considered.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.16 Primary failure (IEC 191-04-15), a failure of an item, not caused either directly or indirectly by a failure
or a fault of another item (also see secondary failure).
2.1.17 Redundant (IEC 90-191-15), in an item, the existence of more than one means for performing a required
function.
2.1.18 Redundant component groups (subsystems) are two or more component groups which represent two or
more means for performing a required function.
2.1.19 Redundancy design intent, the redundancy design intention refers to redundant component groups which
constitutes the overall system design for a given system operational mode and technical system configuration.




2.1.20 Secondary failure (IEC 191-04-16), a failure of an item, caused either directly or indirectly by a failure
or a fault of another item (cascading failure).
2.1.21 Separation design intent, the separation design intention refers to separated redundant component
groups which constitutes the overall system design for a given system operational mode and technical system
configuration.
2.1.22 Simultaneous independent failures, an ideal feature of redundant systems is that possible failure events
are occurring statistically randomly and independently. This implies that a failure in the A sub-system and
another failure in the B sub-system occurring independently within an acceptable time requirement period
(simultaneous), is acceptable according to the class requirements in the DP, AP and RP class notations where
redundancy is required.
2.1.23 Standby redundancy (IEC 191-15-03), that redundancy, wherein a part of the means for performing a
required function is intended to operate, while the remaining part(s) of the means are inoperative until needed.
2.1.24 System boundary, is a closed imaginary shell around all components assumed within the specified
system.
Guidance note:
The system boundary can be considered as the ‘End item’ concept used in IEC 60812.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.25 Systematic failure, reproducible failure (IEC 191-04-19), a failure related in a deterministic way to a
certain cause, which can only be eliminated by a modification of the design or of the manufacturing process,
operational procedures, documentation or other relevant factors.
Guidance note 1:
Corrective maintenance without modification will usually not eliminate the failure cause.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
A systematic failure can be induced at will by simulating the failure cause.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

[Figure 2-3: timeline of a systematic, reproducible failure; the failure event follows within a limited time after the failure cause is present.]

Figure 2-3
For a systematic failure, the time from when the failure cause is present until the failure event is limited. An example is
an electronic component exposed to 1000°C, which will certainly fail within 10 minutes.

2.1.26 Technical system configuration, the technical system configuration includes all technical modes (and
combinations of the modes) of all systems that may influence the redundancy and failure tolerance of the unit.
This will typically include, but is not limited to, control system modes, power plant and thruster
configuration, switchboard (AC and DC) configuration and distribution setup, auxiliary systems setup, valves,
breakers, pumps, etc.
Guidance note:
The technical system configuration(s) are prerequisites for establishing the basis for an FMEA, and must be specified
for all relevant configurations. One example could be a vessel that has different technical system configurations for
different vessel operational modes; another example could be a vessel with DYNPOS-AUTRO notation that
is also intended to have a mode based on DYNPOS-AUTR acceptance criteria. In both cases all modes shall be stated,
specified, analysed, and tested in the FMEA.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.27 Time requirement, the minimum required time duration for which the residual remaining capacity as
defined by the worst case failure design intent shall be available.




Guidance note:
The time requirement will normally be governed by the maximum time necessary to safely terminate the on-going
operations after the worst case single failure, given the residual remaining capacity. All relevant operational scenarios
which the vessel performs and/or participates in, must be considered when deciding the time requirements. This time
requirement must be fulfilled by the design, and the way the vessel is technically configured (technical system
configuration) and operated.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.28 Unit, the complete physical system (e.g. vessel) in which the redundant system (e.g. DP system) to be
analysed is included.
2.1.29 Vessel operational mode(s), the vessel operational mode specifies the high level system setup and
redundancy design intention for a specified set of vessel operations. Examples of vessel operations are
position keeping, weather vaning, manoeuvring, dredging and diving.
Guidance note:
The FMEA must as a minimum specify one vessel operational mode. In case more than one mode is intended,
each mode must be specified. It is understood that vessel operations in this context is a common term comprising
vessel operations, control system modes and industrial functions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.30 Worst case failure design intent, the worst case failure design intent shall refer to the minimum
remaining capacity after any relevant single failure or common cause (for a given operational mode).
2.1.31 Zone is a confined space with fire and flooding protection.




3. Documentation
3.1 General
3.1.1 The documentation listed in Table 3-1 is required for the approval and test work process related to Failure
Mode and Effect Analyses for redundant systems.

Table 3-1 Documentation requirements

Documentation type: Failure mode and effect analysis
Information elements:
1) Introduction to FMEA: system boundary and redundant component groups; acceptance criterion/criteria
2) Summary and conclusions
3) Redundancy design intent and operational modes
4) Single failure propagation analysis
5) Unit FMEA and subsystem FMEA
6) Separation design intent and separation verification
7) Compliance statement
8) References

Documentation type: FMEA test procedure
Information element:
9) Test procedure. Each test or inspection activity shall be described by
— test purpose and reference to analysis
— test setup
— test method
— expected results and acceptance criteria
— observation and results of test
— space for notes and conclusions

Documentation type: FMEA report
Information element: The updated FMEA and the test records shall, together with the findings, conclusions
and test summary, be compiled into an FMEA report.




4. Redundancy Design Intention


4.1 General
4.1.1 The objective of the redundancy design intention is to specify the redundancy, i.e. to describe at a high
level the distribution of systems and components into redundant groups. High level dependencies and
intersections between these groups must be described. The intended normal operation and operation after
relevant single failures (normally one failure at the time) shall also be specified.
4.1.2 Redundant component groups (e.g. A and B) in a unit (U) can either have no intersection, some common
components, or be related by connecting components (e.g. X).

Figure 4-1
The general concept of redundant systems and component groups

Guidance note:
Redundancy within the unit boundary level means that there is more than one means for performing a required
function. The redundancy design intention by means of component groups shall specify how the redundant parts are
intended to be organised, documented and denoted in the FMEA for redundant systems.
The redundancy design intention for a redundant component group (A-B) shall specify if and how components in
groups A and B are connected. There are basically three ways in which redundant systems or component groups can
be organised and described:
i) In the first, no component belongs to both A and B.
ii) In the second, some common components belong to both A and B (intersection between A and B), e.g.
common passive parts in a cooling water system.
iii) In the third, no component belongs to both the A and the B group, but A and B are connected by
components in a common component group X (e.g. main switchboards SWBA and SWBB, where the bus tie connection is SWBX).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.2 Redundancy design intention and functional redundancy types


4.2.1 The redundancy design intention is first to be specified for the main set of systems (e.g. such as thrusters
and propellers). The subsystems required for operation of the thrusters such as machinery, power generation,
power supply, and control systems shall be clarified for all operational modes. The intended normal operation
mode(s) before single failure shall be stated as well as the intended operation after a single failure.
4.2.2 All redundant functions shall have a stated ability to transfer to the non-failed function. The intended
functionality of fail safe functions or switching functions between redundant systems shall be described by
means of figures, tables, block diagrams, and with a descriptive narrative supporting text. Each operational
mode and the switching or fail safe functionality of the redundant systems shall be stated.
4.2.3 The functional redundancy type (e.g. active or passive including a switchover time limit /restoration
time) shall also be stated.
Guidance note:
Examples of redundancy types:
- active redundancy
- passive redundancy (standby redundancy (hot or cold standby))
- partly loaded redundancy
- change over redundancy
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.2.4 All redundant groups shall be documented to be able to operate as specified in the redundancy design
intention including the functional redundancy type, and according to the stated acceptance criterion/criteria.




Guidance note 1:
Example of how to illustrate the redundancy design intention for a ship with one main and one alternative
propulsion system as required by the additional class notation AP-2 (also refer to section A).

Redundancy design intention | Subsystem/component groups | Functional redundancy type/description
Normal operation requirement | P1A | P1A running, P2B not running. Passive redundancy
Intended operation after single failure | P2B | Possible to engage P2B within 5 minutes

[Figure 4-2: the unit U containing the main propulsion P1A, the alternative propulsion P2B and a common auxiliary group AUX.]

Figure 4-2
The acceptance criteria shall be related to a specific reference level as indicated above. For class notation
AP-2(a%)(+): it shall be possible to engage the alternative propulsion system within a maximum of 5 minutes after
failure of the main propulsion system (shall be possible from the bridge).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
Example with DP system and 4 thrusters

[Figure 4-3: left and middle, the arrangement of the redundant thruster groups A = {T1A, T3A} and B = {T2B, T4B}; right, a fault tree in which "Loss of position/heading" = OR(Drift off, Drive off), Drift off = AND(Loss of A positioning, Loss of B positioning) and Drive off = OR(A drive off, B drive off).]

Figure 4-3
The arrangement of the redundant thruster groups is indicated in the figures to the left and in the middle
above. No loss of positioning is illustrated by a fault tree, divided into the no drift off and no drive off events.

The redundancy design intention in this example may be described e.g. in a narrative way by describing both the
normal operation mode and the failed operation mode.

Redundancy design intention | Redundancy type/description
Normal operation before failure: the positioning shall be based on the T1A and T3A thruster group and the T2B and T4B thruster group. | Active redundancy
In the case of a single failure: the positioning operation shall be based either on the (T1A and T3A) thruster group or on the (T2B and T4B) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B. |

DET NORSKE VERITAS AS


Recommended Practice DNV-RP-D102, January 2012
Sec.4. Redundancy Design Intention – Page 14

The same redundancy design intention may alternatively be described in a logic description/Boolean style:

Redundancy design intention: Redundancy type/description


Normal operation before failure: ((T1A AND T3A) AND (T2B AND T4B)) Active redundancy
Operation after single failure: ((T1A AND T3A) OR (T2B AND T4B)) AND No drift off and
(NODRIVE OFF (T1A AND T3B AND T2B AND T4B)) No drive off of any thruster

Please note that the OR (inclusive OR) operator in a Boolean expression e.g. A OR B is true if either (A or B) or (A
and B) are true. Another way of expressing this could be that A OR B means the same as A and/or B.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3:
Example with 5 thrusters and two operational modes

Figure 4-4 (arrangement of the thrusters T1A, T2B, T3A, T4B and T5 and the diesel generators DG1A, DG2A, DG3B,
DG4B; not reproduced)
Example indicating a vessel with 5 thrusters

Narrative description of redundancy design intention for 5 thrusters, operational mode 1

Redundancy design intention | Redundancy type/description
Normal operation before failure: the positioning shall be based on the (T1A and T3A) thruster group and the (T2B, T4B and T5) thruster group | Active redundancy
In the case of a single failure: the positioning operation shall be based either on the (T1A and T3A) thruster group or on the (T2B and T4B and T5) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B, T5. |

Narrative description of redundancy design intention for 5 thrusters, operational mode 2

Redundancy design intention | Redundancy type/description
Normal operation before failure: the positioning shall be based on the (T1A and T3A and T5) thruster group and the (T2B and T4B) thruster group | Active redundancy
In the case of a single failure: the positioning operation shall be based either on the (T1A and T3A and T5) thruster group or on the (T2B and T4B) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B, T5. |

The above redundancy design intentions for 5 thrusters, operational modes 1 and 2, can as an alternative be expressed in a
more logic or Boolean style as indicated below:

Operational mode 1

Redundancy design intention | Redundancy type/description
Normal operation before failure: (T1A AND T3A) AND (T2B AND T4B AND T5) | Active redundancy
Operation after single failure: (T1A AND T3A) OR (T2B AND T4B AND T5) | No drift off and no drive off of any thruster

Operational mode 2

Redundancy design intention | Redundancy type/description
Normal operation before failure: (T1A AND T3A AND T5) AND (T2B AND T4B) | Active redundancy
Operation after single failure: (T1A AND T3A AND T5) OR (T2B AND T4B) | No drift off and no drive off of any thruster

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 4:
Example with a rig with 8 thrusters, 2 in each corner of the rig, two pontoons.

Figure 4-5 (thruster arrangement: T1A and T2A, T3B and T4B, T5C and T6C, T7D and T8D, one pair in each corner of
the rig; not reproduced)
Example indicating a rig with 8 thrusters, 2 in each corner of rig, two pontoons

The redundancy design intention may be expressed in a short narrative manner as indicated below:

The redundancy design intention | Redundancy type
Normal operation without failure: at least one thruster should be operating in all 4 corners of the rig | Active redundancy
In the situation where a single failure has occurred: only the thrusters in one corner of the rig shall be allowed to stop. A bumpless transfer to the failed state is required. | Active redundancy, continuous operation, bumpless transfer

Alternatively the redundancy design intention may be expressed in a more logic or Boolean style:

The redundancy design intention | Redundancy type
Normal operation without failure: ((T1A OR T2A) AND (T3B OR T4B) AND (T5C OR T6C) AND (T7D OR T8D)) | Active redundancy
Operation after single failure: ((T1A OR T2A) AND (T3B OR T4B) AND (T5C OR T6C)) OR ((T1A OR T2A) AND (T3B OR T4B) AND (T7D OR T8D)) OR ((T1A OR T2A) AND (T5C OR T6C) AND (T7D OR T8D)) OR ((T3B OR T4B) AND (T5C OR T6C) AND (T7D OR T8D)) | Active redundancy, continuous operation, bumpless transfer

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.3 Specification of subsystem or component groups


4.3.1 A component group or a subsystem is a set of specified components within a specified group boundary.
All component groups shall be denoted by unique identifiers indicating the component group type, the type of
equipment, and function(s) within the group.
4.3.2 All redundant systems shall be specified by means of a set of component groups. The design intention
shall clearly state all redundant component groups where functional system redundancy is the means to achieve
the required acceptance criterion/criteria.
Guidance note:
The redundancy design intention can be expressed at a high level by redundant groups presented in diagrams or tables
(e.g. by denominating the groups with names as specific groups, e.g. diesel generator starboard side DG3, diesel
generator port side DG1). It may be convenient to include several components in a component group in order to keep
the number of redundant component groups at lower level.
Example:
Redundant component group DG1 consists of:
- diesel motor (specific tag number)
- generator (specific tag number)
- generator breaker
- etc…
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.3.3 Components which connect redundant component groups or are common to redundant component
groups shall be specified as:
— common component groups, or
— groups required (dependent) for operation of the redundant groups.


Figure 4-6
The general concept of redundant systems and component groups

Guidance note:
- Connections between redundant groups shall be identified and be represented as cross component groups (e.g.
denominated as X groups) or common components.
- The intention with the X groups is to represent the components or installations, which may represent all types of
means for propagating failure effects from a redundant group to the corresponding redundant group (Example: The
main switchboard on the A side is denominated as SWBA and the B side is denominated as SWBB. A bus tie
between the two switchboard sides could be denoted as SWBX).
- Fuel line crossovers, connected cooling water, common software modules are examples of common component
groups and could be denoted as X group components.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.3.4 All redundant and common component groups shall be presented in structured manner by means of block
or component group diagrams, logic descriptions, tables or drawings covering the high level description of the
redundant systems.
4.4 Specification and analyses of dependencies
4.4.1 All subsystem or component dependencies shall be identified and documented in a structured manner by
means of tables, logic descriptions, drawings, or diagrams. This system mapping shall be performed both for
dependencies within the redundancy groups and between the redundancy groups.
Guidance note 1:
All system dependencies shall be identified in tables, or by equivalent means, in which main equipment such as engines,
generators, thrusters, electrical power switchboards etc. are grouped together to form self-contained systems, each of
which is capable of maintaining a residual position keeping capability in a worst case single failure incident.
This identification process shall involve all equipment dependencies belonging to each redundant component group.
The redundancy may be documented aided by a tag numbering system where one redundant part system is clearly
distinguishable from the other redundant part.

Figure 4-7 (diagram of system group A: thrusters T1 and T3, diesel generators DG1, DG2, lube oil, fuel oil,
freshwater, ...; and system group B: thrusters T2 and T4, diesel generators DG3, DG4, lube oil, fuel oil,
freshwater, ...; not reproduced)
Illustration of DP thrusters and DP thruster system dependencies in a diagram

The intention with this system dependency mapping is to identify all interconnections between redundant part-
systems, hardware or software-wise, and prepare for analysis with regard to potential failure propagation within and
across the redundant system boundaries.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 2:
Example related to class notation alternative propulsion (AP-2)

Figure 4-8 (block diagram of P1A, P2B and AUX within the unit U; not reproduced)
Illustration of propulsion system for redundant notation AP-2

Redundancy design intention | Subsystem/component groups | Functional redundancy type/description
Normal operation requirement | P1A | P1A running, P2B not running, passive redundancy
Intended operation after single failure | P2B | Possible to engage P2B within 5 minutes

Dependency statements:
Normal operation mode dependency: P1A dependent on {MV1A, GenSet1, MSB1, Prime mover1, Propulsor1, AUX…}
Failed operation mode dependency: P2B dependent on {MV2B, GenSet2, MSB2, Prime mover2, Propulsor2, AUX,…}
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 3:
Example with 4 thrusters and 4 diesel generators for a DP-2 notation

Figure 4-9 (single line diagram: generators DG1A and DG2A on main switchboard SWBA, DG3B and DG4B on SWBB,
thruster motors T1A and T3A fed from SWBA, T2B and T4B fed from SWBB; not reproduced)
Example of vessel system with 4 thrusters and 4 diesel generators for a DP-2 notation.

Redundancy design intention overview by redundant and common component groups

Redundant A groups | Common groups X groups | Redundant B groups
Thrusters A: T1A AND T3A | | Thrusters B: T2B AND T4B
Thrusters A dependent on: | | Thrusters B dependent on:
Diesel generators A: DG1A OR DG2A | | Diesel generators B: DG3B OR DG4B
Main switchboard A: SWBA | Main bus tie switchboard: SWBX | Main switchboard B: SWBB

Redundancy design intention | Component groups/subsystems | Redundancy type
Normal operation: | (T1A AND T3A) AND (T2B AND T4B) | Active redundancy
Operation after failure: | (T1A AND T3A) OR (T2B AND T4B) |

Redundancy design intention overview by redundant and common component groups

Redundant A groups | Common groups X groups | Redundant B groups
(T1A AND T3A) | | (T2B AND T4B)
Dependent on | | Dependent on
(DG1A OR DG2A) | | (DG3B OR DG4B)
SWBA | | SWBB

Please note that in the operational mode of the above table the main bus tie (SWBX) is assumed to be open, so the
A and B groups are not dependent on SWBX. (In case the failure mode spurious closing of main bus tie is to be
considered, then SWBX should be included in the common X group.)
In the operational mode where SWBX is closed (table below), both thruster groups A and B are dependent on
SWBX.

Redundancy design intention overview by redundant and common component groups

Redundant A groups | Common groups X groups | Redundant B groups
(T1A AND T3A) | | (T2B AND T4B)
Dependent on | | Dependent on
(DG1A OR DG2A) | | (DG3B OR DG4B)
SWBA | SWBX | SWBB


---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
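The dependency statements and Boolean design intentions in the guidance notes above can be evaluated mechanically. The following Python program is an added example and is not part of DNV-RP-D102: it encodes the 4-thruster DP-2 system of this guidance note (bus tie open and bus tie closed) and the 8-thruster rig of 4.2 Guidance note 4, and enumerates every single failure to find which ones violate the "operation after single failure" intention. The nested-tuple notation, the function names and the `at_least` generalisation to "any n of m corners" are this example's own.

```python
"""Single-failure check of a redundancy design intention (added example, not part
of DNV-RP-D102). An expression is a component name (str) or a tuple whose first
element is "AND" or "OR" followed by sub-expressions, e.g.
("OR", ("AND", "T1A", "T3A"), ("AND", "T2B", "T4B")). Dependency statements map a
component to the expression that must hold for it to be available."""
from itertools import combinations


def evaluate(expr, failed, deps):
    """True if `expr` holds when the components in `failed` have failed.

    A component is available only if it has not failed itself and its own
    dependency expression (if any) holds, so the loss of a generator or a
    switchboard propagates to every thruster that depends on it."""
    if isinstance(expr, str):
        if expr in failed:
            return False
        return evaluate(deps.get(expr, ("AND",)), failed, deps)  # no deps: up
    op, *terms = expr
    results = [evaluate(term, failed, deps) for term in terms]
    return all(results) if op == "AND" else any(results)


def to_text(expr):
    """Render an expression in the RP's Boolean style, e.g. ((T1A AND T3A) OR ...)."""
    if isinstance(expr, str):
        return expr
    op, *terms = expr
    return "(" + f" {op} ".join(to_text(term) for term in terms) + ")"


def at_least(n, groups):
    """OR over every n-element combination of `groups`, each joined by AND.

    This generalises the 'operation after single failure' row of the 8-thruster
    rig (any 3 of the 4 corners must keep one thruster running) to n of m."""
    return ("OR", *[("AND", *combo) for combo in combinations(groups, n)])


def single_failure_violations(intention, deps, components):
    """Set of components whose single failure makes `intention` false.

    This answers the question of 5.4.6, whether any single failure can violate
    the unit acceptance criterion, at the level of the design intention table."""
    return {c for c in components if not evaluate(intention, {c}, deps)}


# DP-2 vessel with 4 thrusters (4.4 Guidance note 3).
GROUP_A = ("AND", "T1A", "T3A")
GROUP_B = ("AND", "T2B", "T4B")
NORMAL_OPERATION = ("AND", GROUP_A, GROUP_B)
AFTER_SINGLE_FAILURE = ("OR", GROUP_A, GROUP_B)
DP2_COMPONENTS = ["T1A", "T3A", "T2B", "T4B", "DG1A", "DG2A", "DG3B", "DG4B",
                  "SWBA", "SWBB", "SWBX"]


def dp2_dependencies(bus_tie_closed):
    """Dependency statements of the guidance note for the two operational modes.

    Bus tie open: A depends on (DG1A OR DG2A) and SWBA, B on (DG3B OR DG4B) and
    SWBB. Bus tie closed: SWBX is a common X group that both sides depend on."""
    power_a = ("AND", ("OR", "DG1A", "DG2A"), "SWBA")
    power_b = ("AND", ("OR", "DG3B", "DG4B"), "SWBB")
    if bus_tie_closed:
        power_a = ("AND", power_a, "SWBX")
        power_b = ("AND", power_b, "SWBX")
    return {"T1A": power_a, "T3A": power_a, "T2B": power_b, "T4B": power_b}


# Rig with 8 thrusters, 2 per corner (4.2 Guidance note 4). Only the thrusters
# themselves are modelled here; the rig's power dependencies are not.
CORNERS = [("OR", "T1A", "T2A"), ("OR", "T3B", "T4B"),
           ("OR", "T5C", "T6C"), ("OR", "T7D", "T8D")]
RIG_NORMAL = ("AND", *CORNERS)
RIG_AFTER_SINGLE_FAILURE = at_least(3, CORNERS)
RIG_THRUSTERS = ["T1A", "T2A", "T3B", "T4B", "T5C", "T6C", "T7D", "T8D"]


if __name__ == "__main__":
    print("DP-2 after single failure:", to_text(AFTER_SINGLE_FAILURE))
    for closed in (False, True):
        bad = single_failure_violations(AFTER_SINGLE_FAILURE,
                                        dp2_dependencies(closed), DP2_COMPONENTS)
        print(f"  bus tie {'closed' if closed else 'open'}: "
              f"violating single failures = {sorted(bad) or 'none'}")
    print("Rig after single failure:", to_text(RIG_AFTER_SINGLE_FAILURE))
    print("  violating single failures =",
          sorted(single_failure_violations(RIG_AFTER_SINGLE_FAILURE, {},
                                           RIG_THRUSTERS)) or "none")
```

With the bus tie open no single failure violates the intention; with the bus tie closed the program reports SWBX, which is exactly why the closed-tie table above lists SWBX as a common X group.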
Guidance note 4:
Example with 5 thrusters and 5 diesel generators and DP-2 notation

Figure 4-10 (single line diagram: DG1A and DG2A on SWBA, DG3B and DG4B on SWBB, bus tie SWBX, thrusters T1A and
T3A on the A side, T2B and T4B on the B side, thruster T5 (100%) fed 50% from each side, and DG5, which supports
either side depending on the operational mode; not reproduced)
Example of vessel system with 5 thrusters and 5 diesel generators for a DP-2 notation

Two operational modes are defined for the above system with 5 thrusters. The difference between these two modes
is that the DG5 generator is either supporting the B group thrusters (mode 1) or the A group thrusters (mode 2).

Redundancy design intention | Component groups/subsystems | Redundancy type
Operational mode 1
Normal operation: | (T1A AND T3A AND ½T5) AND (T2B AND T4B AND ½T5) | Active redundancy
Operation after failure: | (T1A AND T3A AND ½T5) OR (T2B AND T4B AND ½T5) |

Dependency statements for operational mode 1

Redundancy design intention overview by redundant and common component groups

Redundant A groups | Common groups X groups | Redundant B groups
(T1A AND T3A AND ½T5) | | (T2B AND T4B AND ½T5)
Dependent on | | Dependent on
(DG1A OR DG2A) | | (DG3B OR DG4B OR DG5)
… | | …

Redundancy design intention | Component groups/subsystems | Redundancy type
Operational mode 2
Normal operation: | (T1A AND T3A AND ½T5) AND (T2B AND T4B AND ½T5) | Active redundancy
Operation after failure: | (T1A AND T3A AND ½T5) OR (T2B AND T4B AND ½T5) |

Dependency statements for operational mode 2

Redundancy design intention overview by redundant and common component groups

Redundant A groups | Common groups X groups | Redundant B groups
(T1A AND T3A AND ½T5) | | (T2B AND T4B AND ½T5)
Dependent on | | Dependent on
(DG1A OR DG2A OR DG5) | | (DG3B OR DG4B)
… | | …

Please note the different dependency statements between operational modes 1 and 2. Thruster group A may be
independent of DG5 in operational mode 1 and thruster group B may be independent of DG5 in operational mode 2.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 5:
Example of system mapping of redundant DP control system:

Figure 4-11 (diagram of the redundant DP control system with the control system boundary marked; not reproduced)
Example of redundant DP control system

Redundancy design intention overview by redundant and common component groups

Redundant A groups | Common/connecting groups X groups | Redundant B groups
Thruster System A: T1, T3 | | Thruster System B: T2, T4
Dependent on | | Dependent on
Power System A | | Power System B
Diesel generators A: DG1, DG2 | | Diesel generators B: DG3, DG4
Main switchboard A: SWB A | SWB X | Main switchboard B: SWB B
Operator Station A: DPP A, DPD A, TRB A, OSC A | | Operator Station B: DPP B, DPD B, TRB B, OSC B
DP LAN A: DPSW A, Net A1, A2 and A3 | Net X1, X2, X3 and X4 | DP LAN B: DPSW B, Net B1, B2
DP Controller A: DPC A, Bus A | | DP Controller B: DPC B, Bus B
IO System A: IO A1, IO A2, Serial A1, A2, HW A1, A2 | | IO System B: IO B1, IO B2, Serial B1, HW B1, B2
Sensor System A: Gyro 1, Gyro 3, VRU 1, VRU 3, Wind 1, Wind 3 | | Sensor System B: Gyro 2, VRU 2, Wind 2
Posref System A: DGPS 1, Laser | | Posref System B: DGPS 2
Power Distr A: UPS A, Power A1, A2, A3, A4 | | Power Distr B: UPS B, Power B1, B2, B3

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


5. Single Failure Propagation in Redundant Systems


5.1 General
5.1.1 The objective of section E is to prepare for an understanding of the underlying complex nature of possible
failure propagation in redundant systems. This is illustrated by some examples given in the guidance note
below. The intention is to clarify the underlying analytic reasoning that must form the basis for the failure mode
analysis and give examples of interpretations and use of terminology (e.g. primary-secondary failure, common
component, common cause,…).
Guidance note:
The simplified abstraction (UAXB model) gives the basic examples of failure propagation, but the model should not
be understood to be exhaustive. In general, the basis for an FMEA is that all relevant failure modes shall be considered
and that it will not be acceptable to only consider benign failure modes. However, please note that in a practical
industrial context of FMEA, it may not be possible to include all failure modes and failure mechanisms
in the written identification of failures and common causes.
In the case that the list of identified failure modes and common causes is non-exhaustive, a justification of the limited
analysis shall be given. Under no circumstances should the analysis be limited to a scope less than the required or
otherwise applicable standards (e.g. IMCA and MTS standards).
It must be emphasised that the establishment of a standard set of failure modes for specific systems cannot relieve
or replace the requirement for an open minded and analytic approach to the identification of failure modes and
common causes. The purpose of this approach is to ensure that the relevant set of failure modes will be considered
for the given system (in relation to the UAXB topology, operation, environment and other factors), and to ensure a
well managed test and verification scope.
The main issue with regard to failures in redundant systems is to clarify that no single failure or single failure cause
may affect the redundant systems as defined in the redundancy design intention. There are basically three effects that
may lead to non-acceptable simultaneous failures of redundant systems:
1) Failure in a component group or subsystem which both redundant systems are dependent on, or in components
common to both systems, so that a failure will affect both redundant systems (e.g. common cooling system).
2) Common cause failure affecting both redundant systems (e.g. fire, flooding, external EMC, GPS satellites,
extreme movements of the vessel).
3) Primary failure in one of the redundant systems propagating to the other redundant systems (e.g. short circuit).
Some examples of the above propagation effects are illustrated below:

Figure 5-1
Common component X causing failures in A and B

Figure 5-2
Common cause failure, resulting from a single event related to U, i.e. either as an external common cause
(ECC) or an internal common cause (ICC). (E.g. fire and flooding, gas into air intakes, environment, vibration,
high seas affecting contamination in fuel tanks, shocks, humidity, EMC,….)

Figure 5-3
Primary failure in subsystem A propagating to a secondary failure in subsystem B (e.g. ignition, fire, heat,
vibration, network storm in A propagating to B)


The above examples are of course not exhaustive and should not limit the scope of failure mode identification in the
FMEA. The above principles may be combined in numerous ways and two typical combinations are given in Figure
5-4.

Figure 5-4
Primary failure in X propagating to A and B and then leading to secondary failures in A and B. The failure
propagation from X may also be described as a common cause for the failures in A and B (left figure). In the
right figure common causes lead directly to failures in A, X, and B.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.2 Failures, common causes, and systematic failure propagation


5.2.1 Any relevant single random failure or common cause which may propagate within the time requirement
and violate the stated acceptance criterion shall be considered, and the effect of these shall be analysed.
However, the unlikely event of two independent random failures or common causes occurring within the
defined time requirement is normally not considered.
5.2.2 The objective of the single failure analysis is further to identify possible dependent systematic failure
propagation, e.g. for the given class notation like DP, AP, or RP.
Guidance note:
The unacceptable failure situations for redundant systems are related to failure propagation between two or more
redundant groups, when the failure propagation is occurring in a systematic manner within the time requirements. The
most critical situations are related to systematic failure propagation in the following cases:
- systematic failure propagation between dependent systems or failure of common components
- systematic failure due to common cause propagation
- systematic failure propagation due to primary – secondary failure propagation.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.2.3 The overall requirement is that the redundant systems shall not fail so that the acceptance criteria and the
redundancy design intent are violated within the defined time requirement. These considerations shall cover all
relevant system operational modes and other relevant conditions (e.g. environmental).
5.2.4 For a given system, the selection of scope of relevant failures, common causes, and time requirements,
shall be given by the applicable requirements e.g. classification rules.
Guidance note:
In addition to software and hardware failures,
- any combination of hidden failures, and
- possible effects of inadvertent acts of operation,
should be considered if reasonably probable.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.3 Barriers and other compensating measures


5.3.1 The FMEA shall describe and analyse barriers and other compensating measures established for:
— prevention of failure propagation,
— limitation of possible consequence of failures, or
— improvement of remaining capacity after failure.
This also includes compensating measures like failure detection, protective functions, stand-by start, re-start,
change-over, etc.
5.3.2 When the system integrity is assumed to be based on two or more barriers, any possible dependencies
between such barriers must be analysed. The analysis must verify that the barriers are sufficiently independent
so that acceptance criteria are complied with.


Guidance note 1:
Requirements to barriers (e.g. protective functions, physical separation, etc.) or compensating measures may
typically be guided by, e.g., classification rules.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
The red (bold) lines in the figures below indicate where (how) barriers to prevent systematic failure propagation for
common component failures, common cause failures, and primary/secondary failures can be visualised.

Figure 5-5
Barriers indicated by red bold lines to prevent internal common causes (ICC) or external common causes
(ECC)

Figure 5-6
Barriers indicated by red bold lines to prevent primary failures to propagate to secondary failures
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.4 Failure propagation analysis at subsystem level


5.4.1 All component groups or subsystems (A, B) within a unit (U) shall be subject to single failure
propagation analysis.
5.4.2 In addition all common causes affecting two or more system groups have to be identified.
5.4.3 In all cases the failure mode effects must be evaluated in relation to the acceptance criterion and within
the given time requirement.
Guidance note 1:
The basis for the failure propagation analysis is typically:
- the unit FMEA consisting of a specified unit with a given unit boundary
- a set of redundant subsystems/component groups
- redundancy design intentions for the stated operational modes and time requirement
- dependency statements of subsystems and if possible allocated requirements to the subsystems giving functional
and redundancy requirements to the subsystems assuming a single failure
- any available specific subsystem FMEAs from the manufacturers (e.g. thruster controller systems, DP control
systems, power management systems, and the mode selector/change system).
The single failure propagation analysis should be organised by handling the subsystem in a sequence.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 2:
A failure mode is the effect by which a failure is observed on the failed item (subsystem boundary).

Figure 5-7
Primary failure in subsystem A propagating to a secondary failure in subsystem B e.g. fire, vibration, network
storm in A propagating to B.

Note that the failure mode description is related to the failure effect at the subsystem boundary. Descriptions of
the initial causes or internal component failures within the boundary are not necessary in order to describe failure
modes (e.g. lubrication pump failure, engine shutdown, engine to full power, loss of power to auxiliaries for
governor, generator under-excitation, generator over-excitation, …). However, examples of initial failures (e.g. fuel
starvation, pipe rupture, clogged filter) for a given failure mode (e.g. under frequency of generator) should support
the analysis in order to justify the relevance of the failure mode.
Failures within A have to be identified to such an extent that all failure modes at the A system boundary will be
identified. Please observe that failures which have no effect at the subsystem boundary need not be elaborated in the
failure mode propagation analysis. On the other hand, all failures giving the same failure effect at the system boundary
can be considered as one failure mode in the failure mode propagation analysis.

Figure 5-8 (GPS A and GPS B both affected by one external common cause ECC; not reproduced)
Common cause failure, resulting from a single event related to U, i.e. either as an external common cause
(ECC) or an internal common cause (ICC). (E.g. GPS satellite signals to redundant GPS systems, fire and
flooding, gas into air intakes, environment, vibration, high seas affecting contamination in fuel tanks, ship
heeling, shocks, humidity, EMC,….)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.4.4 The single failure propagation analysis shall:


— investigate possible failure modes for the subsystem and then the possible failure propagation paths from
the subsystem to other subsystems, and
— investigate possible failure modes for the common connecting groups and then the possible failure
propagation paths from the common connecting groups to the connected subsystems, and
— investigate possible common causes which can influence more than one subsystem directly or indirectly by
influencing one subsystem or common connecting group.
Based on the above investigations, it shall be documented at the unit level which failure modes may
violate the redundancy design intent and acceptance criteria within the stated time requirement.


Figure 5-9 illustrates the main principles for failure mode propagation in a redundancy design intention table:

Figure 5-9 (the table below overlaid with arrows for the propagation paths listed after it; not reproduced)
Redundancy design intention by redundant and common component groups

Redundant A groups | Common/connecting groups X groups | Redundant B groups
Thruster System A: T1, T3 | | Thruster System B: T2, T4
Dependent on | | Dependent on
Power System A | | Power System B
Diesel generators A: DG1, DG2 | | Diesel generators B: DG3, DG4
Main switchboard A: SWB A | SWB X | Main switchboard B: SWB B
Operator Station A: DPP A, DPD A, TRB A, OSC A | | Operator Station B: DPP B, DPD B, TRB B, OSC B
DP LAN A: DPSW A, Net A1, A2 and A3 | Net X1, X2, X3 and X4 | DP LAN B: DPSW B, Net B1, B2
DP Controller A: DPC A, Bus A | | DP Controller B: DPC B, Bus B
IO System A: IO A1, IO A2, Serial A1, A2, HW A1, A2 | | IO System B: IO B1, IO B2, Serial B1, HW B1, B2
Sensor System A: Gyro 1, Gyro 3, VRU 1, VRU 3, Wind 1, Wind 3 | | Sensor System B: Gyro 2, VRU 2, Wind 2
Posref System A: DGPS 1, Laser | | Posref System B: DGPS 2
Power Distr A: UPS A, Power A1, A2, A3, A4 | | Power Distr B: UPS B, Power B1, B2, B3

Arrows in Figure 5-9:
- Common cause
- Failure originating in A group, propagating to B via connecting X-group
- Failure originating in connecting X-group propagating to A and B group
- External common cause, affecting A and/or B and/or common connecting X-group

Failure modes may propagate from subsystems to other subsystems or from common causes outside the component
groups. The overall task is to identify possible failure modes which may affect the overall redundancy design
intention within the time requirements.

5.4.5 All relevant failure modes for each subsystem shall be identified. As a result of the failure investigation,
the following information elements shall be documented in an organised manner e.g. by means of a worksheet.
As a minimum the following information elements shall be provided:
— each component group and subsystem assumed to have a single failure
— identify potential failure modes at each component and possible common causes
— initial failure or common cause as justification for including the failure mode
— identify failure detection methods
— effect on other subsystems
— barriers or compensating measures for the failure mode
— end effect at unit level
— reference to inspection, testing, and verification necessary to prove and support the conclusions.


Guidance note:

Example of worksheet table

Subsystem failed | Failure mode (local effect at subsystem boundary) | Initial failure/common cause | Failure detection methods | Effect on other sub-systems | Compensating measure/barrier | End effect at unit (U) | Reference to test or verification
DG1 | DG1 stop | Mechanical breakdown | Alarm | Higher load DG2 | DG1 generator breaker opens | DG3 or DG4 running normally, T1, T2, T3 and T4 positioning | Ref test #1: stop DG1 and check alarm and effect
DG1 | Low frequency | Fuel starvation | Alarm, disconnect | Higher load DG2 | Bus tie opens SWBX | " | Ref test #2
DG1 | High bus voltage | AVR failure | Alarm, disconnect | Higher load DG2 | Bus tie opens SWBX | " | Ref test #3
DG1 | Load sharing failure active power | … | … | … | … | … | …
DG1 | … | … | … | … | … | … | …
… | … | … | … | … | … | … | …

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
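The worksheet above can be kept as structured data so that the end effect at unit level follows from the barrier column instead of being typed by hand. The following Python program is an added example and is not part of DNV-RP-D102: it encodes the three DG1 rows of the worksheet for the 4-thruster DP-2 vessel, derives the end effect against the intention (A) OR (B), and lists the barriers whose hidden failure (see 5.2.4) would let a single DG1 failure mode violate the intention. The assumption of which groups are lost when a barrier does not act, and the function names, are constructed for the example.

```python
"""Failure mode worksheet with barrier sensitivity (added example, not part of
DNV-RP-D102). The rows follow the DG1 rows of the worksheet example above for
the 4-thruster DP-2 vessel. Which redundant groups would be lost if the barrier
did not act is a constructed assumption for illustration."""
from dataclasses import dataclass

GROUPS = ("A", "B")  # redundant thruster groups: A = T1, T3 and B = T2, T4


@dataclass(frozen=True)
class FailureMode:
    subsystem: str          # failed subsystem
    mode: str               # local effect at the subsystem boundary
    initial_failure: str    # example of initial failure justifying the mode
    detection: str          # failure detection method
    effect_on_others: str   # effect on other subsystems
    barrier: str            # compensating measure / barrier
    unmitigated: frozenset  # groups lost if the barrier does not act (assumed)
    test_ref: str           # reference to test or verification


WORKSHEET = [
    FailureMode("DG1", "DG1 stop", "Mechanical breakdown", "Alarm",
                "Higher load DG2", "DG1 generator breaker opens",
                frozenset({"A"}), "Ref test #1"),
    FailureMode("DG1", "Low frequency", "Fuel starvation", "Alarm, disconnect",
                "Higher load DG2", "Bus tie opens SWBX",
                frozenset({"A", "B"}), "Ref test #2"),
    FailureMode("DG1", "High bus voltage", "AVR failure", "Alarm, disconnect",
                "Higher load DG2", "Bus tie opens SWBX",
                frozenset({"A", "B"}), "Ref test #3"),
]


def groups_lost(fm, failed_barriers=frozenset()):
    """Redundant groups lost by one failure mode.

    With the barrier acting, the DG1 failure is contained on the A side and
    DG2 carries the load. If the barrier is itself failed (a hidden failure,
    5.2.4) the effect reaches every group the connecting groups allow."""
    return fm.unmitigated if fm.barrier in failed_barriers else frozenset()


def end_effect(lost):
    """End effect at unit (U) level against the intention (A) OR (B)."""
    if set(GROUPS) <= lost:
        return "Loss of positioning (redundancy design intention violated)"
    return "Positioning by group(s) " + ", ".join(g for g in GROUPS if g not in lost)


def worksheet_rows(modes=WORKSHEET, failed_barriers=frozenset()):
    """Rows in the column order of the worksheet example."""
    return [(fm.subsystem, fm.mode, fm.initial_failure, fm.detection,
             fm.effect_on_others, fm.barrier,
             end_effect(groups_lost(fm, failed_barriers)), fm.test_ref)
            for fm in modes]


def barrier_sensitivity(modes=WORKSHEET):
    """Map each barrier to the failure modes that violate the intention if that
    barrier is hidden-failed: these barriers must be verified by test (5.4.7)
    and checked for dependencies between them (5.3.2)."""
    result = {}
    for barrier in sorted({fm.barrier for fm in modes}):
        violating = [fm.mode for fm in modes
                     if set(GROUPS) <= groups_lost(fm, {barrier})]
        if violating:
            result[barrier] = violating
    return result


if __name__ == "__main__":
    for row in worksheet_rows():
        print(" | ".join(row))
    print(barrier_sensitivity())
```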

5.4.6 The failure propagation analysis for each subsystem shall conclude on the following questions:
— Can any single failure mode in the subsystem propagate so that it violates the unit acceptance criterion?
— Can the conclusions be verified by testing? Refer to specific test in a test program.
— If testing is not possible, is there a need for further verification of functionality or compensating
measures?
— Is there a need for further failure analysis inside the subsystem boundary? (e.g. for FMEA of thrusters, DP
control systems, mode selector, PMS…). Refer to subsystem FMEA for single and redundant subsystem.
5.4.7 In general, conclusions in the theoretical analysis shall be verified by testing. If testing is considered not
possible or not necessary, such statements shall be justified in the FMEA with sufficient conclusions (evidence,
proof, …).
5.4.8 The results of the FMEA of all subsystems shall be compiled and form the result of the unit FMEA. The
unit FMEA shall cover the entire unit with all its relevant systems and components. The unit FMEA shall relate
to the overall acceptance criteria including time requirements and shall provide conclusive evidence of
compliance with the criteria.


6. Unit and Subsystem FMEA


6.1 Requirements to the unit FMEA including subsystem FMEA
6.1.1 The unit FMEA shall cover the entire unit with all its relevant systems and components. When parts of
the unit FMEA are based on subsystem FMEAs (e.g. delivered by subsystem manufacturers), the requirements
in G and H apply.
6.1.2 The unit FMEA shall as a minimum include:
— reference to the subsystem FMEA document and a short description of the subsystem
— clarification of subsystem boundaries
— interfaces and dependencies to the subsystem shall be clarified
— the allocated requirements to the subsystem including the subsystem design intention (see below)
— an evaluation of the subsystem FMEA to ensure that it is fit for purpose, e.g. that all relevant operational
modes and failure modes are considered
— the subsystem design intention shall be compared with the overall unit design intention in order to verify
that intentions are consistent.
Guidance note:

Figure 6-1
[figure: left, a unit boundary with its acceptance criterion enclosing redundant groups A and B and a redundant subsystem C (IO A, IO B, motors MA, MB) with its own boundary and acceptance criterion; right, the same unit with a single subsystem C (IO, M)]
In the left figure above an FMEA of a redundant subsystem C (e.g. a redundant control system) is illustrated. In
the right figure above an FMEA of a single subsystem C (e.g. a thruster) is illustrated. In both cases the acceptance
criteria at the unit boundary should be clarified (allocated) at the subsystem C boundary.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

6.2 Allocation of unit requirements to subsystems/component groups


6.2.1 In order to support the overall redundancy design intent, requirements must be allocated to the
subsystems. The subsystem design intention will be determined (allocated) by these requirements. The
objective of 6.2 is to provide explanatory examples of how this allocation can be documented.
Guidance note 1:
In general, an FMEA of a single, non-redundant system requires a complete breakdown of all parts of the
system, resulting in a large set of possible failure modes with the potential to affect the function of the system.
An FMEA of a redundant system with a stated overall functional requirement (e.g. no single failure shall give
loss of position and/or loss of heading), on the other hand, makes it possible to manage the detailed scope of the
subsystem FMEAs by a top-down approach and to limit the detailed analysis. The top-down approach thus avoids
detailed and complete FMEAs of each of the redundant subsystems.
For a specific unit with a redundancy design intention, the allocation task is to establish the requirements at
subsystem boundary level (ref. 6.1.2).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
Example: Allocation of redundancy design intention from unit level to subsystem level for a redundant DP control
system.
The unit redundancy design intention for the system is expressed as:

Redundancy design intention | Redundancy type/description
Normal operation before failure: (T1 AND T3) AND (T2 AND T4) | Active redundancy
Operation after single failure: ((T1 AND T3) OR (T2 AND T4)) AND NODRIVEOFF(T1 AND T3 AND T2 AND T4) | No drift off and no drive off of any thruster

Redundancy design intention table by redundant and common component groups:

Redundant A groups | Common/connecting X groups | Redundant B groups
Thruster System A: T1, T3 | | Thruster System B: T2, T4
(dependent on) | | (dependent on)
Power System A: Diesel generators A; DG1, DG2. Main switchboard A; SWB A | SWB X | Power System B: Diesel generators B; DG3, DG4. Main switchboard B; SWB B
Operator Station A: DPP A, DPD A, TRB A, OSC A | | Operator Station B: DPP B, DPD B, TRB B, OSC B
DP LAN A: DPSW A, Net A1, A2 and A3 | Net X1, X2, X3 and X4 | DP LAN B: DPSW B, Net B1, B2
DP Controller A: DPC A, Bus A | | DP Controller B: DPC B, Bus B
IO System A: IO A1, IO A2; Serial A1, A2; HW A1, A2 | | IO System B: IO B1, IO B2; Serial B1; HW B1, B2
Sensor System A: Gyro 1, Gyro 3; VRU 1, VRU 3; Wind 1, Wind 3 | | Sensor System B: Gyro 2; VRU 2; Wind 2
Posref System A: DGPS 1, Laser | | Posref System B: DGPS 2
Power Distr A: UPS A; Power A1, A2, A3, A4 | | Power Distr B: UPS B; Power B1, B2, B3

Figure 6-2
Redundant automatic DP control system. [figure: the component groups listed above drawn inside the control system boundary]

At the DP control system boundary level the thrusters are connected to IO modules inside the DP control system as
indicated below:
IOA1 connected to T1
IOA2 connected to T3
IOB1 connected to T2
IOB2 connected to T4

The dependency statements including the redundancy design intent for the thrusters are therefore:

(T1 AND T3) dependent on (IOA1 AND IOA2)
(T2 AND T4) dependent on (IOB1 AND IOB2)

The unit level redundancy requirements allocated down to the outside of the DP control system boundary may now
be expressed as:

Redundancy design intent | Description
Normal operation before failure: (IOA1 AND IOA2) AND (IOB1 AND IOB2 …) | Active redundancy
Operation after single failure: ((IOA1 AND IOA2 …) OR (IOB1 AND IOB2 …)) AND NODRIVEOFF(IOA1 AND IOA2 AND IOB1 AND IOB2) | One IO group to be running and no drive off of any thruster IO

The redundancy requirement to the DP control system will therefore be the input to the single failure analysis of the
DP control system. The analysis of the DP control system may either be carried out as a part of the unit (vessel) FMEA
or the FMEA may be delivered as a part of the subsystem delivery. In both cases, the unit FMEA shall handle the
comparison between the analyses at the subsystem boundary.
As an alternative to the logic expressions in this example the allocation may be stated in a more narrative manner.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3:
Example: Allocation of requirements to a single thruster system boundary
Example with 4 thrusters and 4 diesel generators for a DP-2 notation

Figure 6-3
[figure: generators DG1A and DG2A on switchboard SWBA, DG3B and DG4B on switchboard SWBB; thrusters T1A and T3A fed from SWBA, T2B and T4B fed from SWBB]
Example of vessel system with 4 thrusters and 4 diesel generators for a DP-2 notation.

Redundancy design intention overview by redundant and common component groups:

Redundant A groups | Common X groups | Redundant B groups
Thrusters A: T1A AND T3A | | Thrusters B: T2B AND T4B
Thrusters A dependent on: | | Thrusters B dependent on:
Diesel generators A: DG1A OR DG2A | | Diesel generators B: DG3B OR DG4B
Main switchboard A: SWBA | Main bus tie switchboard: SWBX | Main switchboard B: SWBB

A benign failure in thruster T1A (causing stop) will affect the positioning capability of the A thruster group. It must be
assumed that the A group (T1A AND T3A) has reduced capacity. This is acceptable as long as the single benign failure
is assumed not to affect the redundant group (T2B AND T4B). For that reason there is no need to allocate a
functional requirement of normal function of T1A in the case of a single benign failure mode, and consequently it is not
necessary to analyse in detail, inside the thruster boundary, all the other benign failure modes of the thruster.
However, there is a functional requirement to T1A that it shall not fail to an uncontrolled thrust output
possibly leading to drive off. This requirement must be allocated to the subsystem thruster FMEA and
serves as the starting point for the subsystem single failure analysis of T1A.

This may be stated as:

Functional/redundancy requirement to subsystem T1A in the single failure analysis of T1A: No drive off T1A.
(Note that the single failure analysis at unit level, on the outside of the T1A thruster boundary, shall still
investigate whether a failure in T1A may propagate to the B thruster group, e.g. via connecting components
such as Net X1, X2, X3 and X4 in Figure 6-2 in Guidance note 2 above.)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

6.3 Comparison of subsystem design intention with subsystem FMEA acceptance criterion
6.3.1 The objective of section 6.3 is to provide explanatory examples of how the subsystem design intention shall
be compared with the overall unit design intention in the unit FMEA in order to verify that intentions are consistent.
Guidance note 1:
Typical examples of subsystem FMEAs delivered by parties other than the unit FMEA supplier are control system
manufacturers' FMEAs of their own deliverables into the project.
A prerequisite for performing the comparisons described here is that the FMEAs of the subsystems are available
and contain the information elements required by this standard.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
Example: Redundant DP controller subsystem.
Task: Compare the requirements for a redundant subsystem FMEA for a DP control system with the unit redundancy
design intent at DP control system boundary level.

Figure 6-4
[figure: the automatic DP control system with its control system boundary; the dual (A/B) control components and the connecting components (X) between them are indicated]
The automatic DP control system and the control system boundary are shown. The redundancy design intent
for dual DP control systems is indicated. Connecting components (X) between redundant control components
are also indicated.

The redundancy design intention at the DP system level:

Operation before single failure: (T1A AND T3A) AND (T2B AND T4B) | Active redundancy
Operation after single failure: ((T1A AND T3A) OR (T2B AND T4B))

meaning that the acceptance criterion for the thruster groups is assumed to be ((T1 AND T3) OR (T2 AND T4)) assuming
a single failure.

The DP control system redundancy design intention:

Normal operation before failure: (IOA1 AND IOA2) AND (IOB1 AND IOB2)
Operation after single failure: ((IOA1 AND IOA2) OR (IOB1 AND IOB2)) AND NODRIVEOFF(IOA1 AND IOA2 AND IOB1 AND IOB2) | One IO group to be running and no drive off of any thruster IO

meaning that the acceptance criterion for the DP control system is that no single failure shall lead to loss of more than
one redundancy group.
Conclusion: The DP control system acceptance criterion is consistent with the criterion at the thruster group level.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 3:
Example based on another DP control system.

Figure 6-5
[figure: nested boundaries: vessel, DP system, DP control system]
DP control system (example provided by Kongsberg Maritime)

For a DP control system the DP control system FMEA redundancy design intention may be defined at the system
boundary and the I/O (RMP) modules connected to the thruster control systems.

Figure 6-6
[figure: the part of the DP control system inside the DP system boundary, inside the vessel (unit, U) boundary; RMPA and RMPB serve T1A&T3A, RMPC and RMPD serve T2B&T4B; connecting components X1 to X6 between them]
Vessel boundary, DP system boundary, DP control system, and interfaces. The redundancy design intent for
the control system shall be specified at the control system (subsystem) boundary.

The allocated unit requirement at the outside boundary of the DP control system can be expressed in e.g. a logic or
Boolean style of design intention:

Normal operation before single failure: RMPA AND RMPB AND RMPC AND RMPD | Active redundancy
Single failure operation: (RMPA AND RMPB) OR (RMPC AND RMPD)

The internal DP control system redundancy design intent (inside the subsystem boundary):

Normal operation before failure: RMPA AND RMPB AND RMPC AND RMPD
Single failure operation: 3 out of {RMPA, RMPB, RMPC, RMPD} working, one RMP failed

Conclusion: The allocated unit requirement (upper table) is always satisfied, both in normal operation and in
operation with a failure, whenever the lower requirement is satisfied: if 3 out of 4 RMPs are working, at least one
of the pairs (RMPA, RMPB) and (RMPC, RMPD) is complete, so one of the A or B groups is able to position. Put
differently, the requirement inside the DP control system boundary is stricter than the redundancy design
requirement at the DP system (outside) boundary.

The above situation may be illustrated by the following enlarged part of the above figure:

Figure 6-7
The allocated redundancy requirement (single failure operation) to the DP control system is compared with
the requirement (single failure operation) assumed by the DP control system manufacturer. The comparison
shall be carried out in the unit FMEA. In this case the subsystem FMEA is consistent with the allocated
requirement from the unit FMEA, because the requirement at the outside is always satisfied when the DP control
system requirement is satisfied.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
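The two comparisons above (the allocation of 6.2 Guidance note 2 and the consistency check of 6.3 Guidance note 3) can be carried out exhaustively rather than by inspection. The following Python script is an added example; it is not part of this Recommended Practice nor of any manufacturer's FMEA. The component names T1..T4, IOA1..IOB2 and RMPA..RMPD are those of the guidance notes, while the connecting component NETX in the second dependency table is a constructed assumption used only to show how a shared X component (the propagation path 6.2 Guidance note 3 asks the unit level analysis to look for) is caught. The NODRIVEOFF term is left to the thruster subsystem FMEA, as the RP allocates it, and is not modelled.

```python
"""Exhaustive single-failure check of a redundancy design intention.

Added example; not part of DNV-RP-D102 nor of any manufacturer's FMEA.
It encodes the Boolean design intentions of 6.2 Guidance note 2 (thrusters
T1..T4 depending on IO modules IOA1..IOB2) and of 6.3 Guidance note 3
(manufacturer's "3 out of 4 RMPs" against the allocated
"(RMPA AND RMPB) OR (RMPC AND RMPD)").  The NODRIVEOFF term is allocated
to the thruster subsystem FMEA in the RP and is deliberately not modelled.
"""
from itertools import combinations

# Dependency graph at the DP control system boundary (6.2 Guidance note 2):
# IOA1 -> T1, IOA2 -> T3, IOB1 -> T2, IOB2 -> T4.  A component works when
# it is not itself failed and everything it depends on works.
DEPENDS_ON = {"T1": {"IOA1"}, "T3": {"IOA2"}, "T2": {"IOB1"}, "T4": {"IOB2"}}

# Constructed variant (assumption, not from the RP): one connecting X
# component feeding an IO module in each group.
DEPENDS_ON_WITH_X = dict(DEPENDS_ON, IOA1={"NETX"}, IOB1={"NETX"})


def works(component, failed, deps):
    if component in failed:
        return False
    return all(works(d, failed, deps) for d in deps.get(component, ()))


def thruster_groups_after_failure(failed, deps):
    """Allocated unit intent after a single failure: (T1 AND T3) OR (T2 AND T4)."""
    group_a = works("T1", failed, deps) and works("T3", failed, deps)
    group_b = works("T2", failed, deps) and works("T4", failed, deps)
    return group_a or group_b


def all_components(deps):
    comps = set(deps)
    for targets in deps.values():
        comps |= set(targets)
    return sorted(comps)


def single_failure_violations(criterion, deps=DEPENDS_ON):
    """Every single component failure whose propagation violates `criterion`.
    An empty list is the evidence 5.4.6 asks the unit FMEA to provide."""
    return [c for c in all_components(deps)
            if not criterion(frozenset([c]), deps)]


# --- 6.3 Guidance note 3: is the manufacturer's criterion at least as strict? ---
RMPS = ("RMPA", "RMPB", "RMPC", "RMPD")


def manufacturer_intent(failed):
    """Inside the DP control system boundary: 3 out of 4 RMPs working."""
    return sum(r not in failed for r in RMPS) >= 3


def allocated_intent(failed):
    """Allocated from the unit: (RMPA AND RMPB) OR (RMPC AND RMPD)."""
    ok = lambda r: r not in failed
    return (ok("RMPA") and ok("RMPB")) or (ok("RMPC") and ok("RMPD"))


def counterexamples(stricter, weaker, components=RMPS):
    """Failure sets satisfying `stricter` but not `weaker`.  An empty result
    means `stricter` implies `weaker` for every combination of failures,
    which is the comparison 6.3 requires the unit FMEA to make."""
    found = []
    for k in range(len(components) + 1):
        for failed in combinations(components, k):
            f = frozenset(failed)
            if stricter(f) and not weaker(f):
                found.append(f)
    return found


if __name__ == "__main__":
    print("single failures violating the unit intent:",
          single_failure_violations(thruster_groups_after_failure))
    print("same check with a shared X component:",
          single_failure_violations(thruster_groups_after_failure, DEPENDS_ON_WITH_X))
    print("3 of 4 RMPs working but unit intent violated:",
          counterexamples(manufacturer_intent, allocated_intent))
    print("unit intent met with fewer than 3 RMPs:",
          counterexamples(allocated_intent, manufacturer_intent))
```

The last check runs the implication in the other direction and returns the failure pairs (RMPA, RMPB) and (RMPC, RMPD): the allocated intent tolerates them, the manufacturer's intent does not, which is exactly what "the lower requirement is stricter" means in Guidance note 3.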

Guidance note 4:
Example: Single thruster subsystem
The unit FMEA must compare the requirements in a manufacturer's FMEA for a single thruster controller with the
allocated unit redundancy design intent at the thruster boundary level. The unit acceptance criterion for the thruster
groups is assumed to be ((T1 AND T3) OR (T2 AND T4)) and, in addition, that no thruster shall give drive off.
The acceptance criterion for the thruster controller is that a single failure in the thruster control system shall neither
cause a significant increase in thrust output nor make the thruster rotate. There is no requirement to
redundancy inside the boundary, since the redundancy design intent is specified at a higher level.
Conclusion: The manufacturer's subsystem FMEA criterion is compatible with the unit FMEA at the
subsystem boundary level.

Figure 6-8
Thruster example provided by Brunvoll
[figure: single thruster subsystem with its sub-system FMEA boundary; auxiliaries cooling, lubrication, ventilation and aux; emergency stop with loop monitoring; FMEA acceptance criterion: fail to safe, no drive off]
Example from the rules, 6.7.4 A 303: "A single failure in the thruster control system shall neither cause significant
increase in thrust output nor make the thruster rotate." The acceptance criterion may alternatively be tailor made for
specific purposes.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

7. FMEA of Subsystems with Redundancy


7.1 General
7.1.1 An FMEA of a subsystem with redundancy (by e.g. a manufacturer) shall be based on the same principles
and requirements as an FMEA of a unit with redundant systems. The main difference is the boundary level of
the subsystem. Please refer to the requirements to the unit FMEA as described in the preceding sections.

Figure 7-1
Unit and subsystem boundaries
[figure: unit boundary and acceptance criterion enclosing redundant groups A and B; inside it, redundant subsystem C (IO A, IO B, motors MA, MB) with its own boundary and acceptance criterion]

7.1.2 A failure mode and effect analysis (FMEA) of redundant subsystems shall as a minimum consist of the
following parts:
— general information
— acceptance criteria at the subsystem boundary level
— the overall subsystem boundary subject to the FMEA
— redundancy design intent(s), worst case failure intent, time requirements, and system operational modes
— all redundant components and single component groups included within the subsystem boundary. The
relevant system names, main units, compartments (when applicable), and their main intended functions
shall be presented in a structured manner, supported with a descriptive narrative text.
— all assumptions related to system interfaces and dependencies on external systems
— single failure and common cause analysis at subsystem level
— if applicable, a description of the installation of redundant component groups in fire and flooding protected
compartments. This also includes cables and communication lines, and associated equipment.
— a reference to a test program supporting the conclusions shall be included
— summary and conclusions
— a compliance statement referring to the sub-system boundary, operational modes, tests, and acceptance
criterion including time requirements.
Guidance note:

Figure 7-2
[figure: nested boundaries: vessel, DP system, part of DP control system]
System boundaries for vessel, DP system and part of DP control system. The interfaces between the I/O
modules (RMP) and thrusters are indicated. (Example and figure provided by KM).

Redundancy design intention at thruster RMP module level:

Operation without failure: 4 out of {RMPA, RMPB, RMPC, RMPD} = RMPA AND RMPB AND RMPC AND RMPD
Operation with single failure: 3 out of {RMPA, RMPB, RMPC, RMPD}

A | B | C | X-components | Comments
PSU A from UPS A | PSU B from UPS B | | | Fire, flooding (DPC cabinet)
RCU A | RCU B | (RCU C) | X1, X2, X6 |
NET A | NET B | | X1 | Redundant Net for RCU, OS
RedNet | RedNet | (RedNet) | X3 |
RHUB A | RHUB B | | X5, X6 |
RMP A*, RMP B* | RMP C*, RMP D* | | X6 | Dedicated RMP module for each thruster
RSER A* | RSER B* | RSER C* | X4, X6 | Dedicated RSER module for each sensor group
cJoy DP OT | cJoy DP OT | (cJoy DP OT) | |
OS A (PSU A, from UPS A) | OS B (PSU B, from UPS B) | (OS C) | |

The table shows the redundancy design intention for the RMP (A, B, C, D) modules and the A, B, C groups (Courtesy KM).
The single failure mode propagation analysis can be based on the above table and diagrams.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

8. FMEA of Single Sub-Systems


8.1 General
8.1.1 An FMEA of a single subsystem without redundancy (by e.g. a manufacturer) shall be based on the same
principles and requirements as an FMEA of a unit with redundant systems.
Guidance note:
A manufacturer FMEA of a single subsystem without redundancy differs in some respects from the FMEA of a
subsystem with redundancy. The main difference is that it is accepted that the function of the single subsystem is lost
as a consequence of a single failure. A single sub-system will normally not have a redundancy design intent of the
UAXB type as described in the preceding sections. The acceptance criterion will typically be that the effect of the single
failure mode shall be ‘fail to safe’.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Figure 8-1
Illustration of a unit boundary with two redundant systems A and B. System C is assumed to be a single system
and the manufacturer may deliver the FMEA for this subsystem.
[figure: unit boundary and acceptance criterion enclosing redundant groups A and B; inside it, single subsystem C (IO, M) with its own boundary and acceptance criterion]

8.1.2 A failure mode and effect analysis (FMEA) of a single subsystem shall as a minimum consist of the
following parts:
— general information
— acceptance criteria at the subsystem boundary level
— the overall subsystem boundary subject to the FMEA
— design intent(s) and system operational modes for the subsystem
— all component groups included within the subsystem boundary. The relevant system names, main units,
compartments (when applicable), and their main intended functions shall be presented in a structured
manner, supported with a descriptive narrative text.
— all assumptions related to system interfaces and dependencies on external systems
— single failure and common cause analysis at subsystem level
— if applicable, a description of the installation of component groups in fire and flooding protected
compartments. This also includes cables and communication lines, and associated equipment.
— a reference to a test program supporting the conclusions shall be included
— summary and conclusions
— a compliance statement referring to the sub-system boundary, operational modes, tests, and acceptance
criterion including time requirements.

Guidance note:
Example of a boundary for FMEA of a single thruster (Courtesy Brunvoll):

Figure 8-2
Brunvoll thruster system
[figure: single thruster subsystem with its sub-system FMEA boundary; auxiliaries cooling, lubrication, ventilation and aux; emergency stop with loop monitoring; FMEA acceptance criterion: fail to safe, no drive off]
Example from the rules, 6.7.4 A 303: "A single failure in the thruster control system shall neither cause significant
increase in thrust output nor make the thruster rotate." The acceptance criterion may alternatively be tailor made for
specific purposes.

Single failure analysis

Table 8-1 is an example of an FMEA worksheet for parts of the thruster subsystem. Please note that these example
failure modes are not intended to be exhaustive for such a subsystem and that similar worksheets for the other parts
of the thruster subsystem and other failure modes must be provided in a real FMEA.

Table 8-1 Part of thruster system worksheet
(Worksheet columns: Item ref. fig. | Item description | Failure mode | Failure cause | Expected failure local effect |
Expected system effect | Failure detection/alarm | Expected compensating provision against failure | Reference to
tests. The "Reference to tests" column is empty in this example; other empty cells are omitted below.)

Item 1, -A5: Power supply, bridge system
  Failure mode: Loss of power
  Failure cause: Loosening of cable termination
  Local effect: Loss of PLC unit bridge. No thrust command active from bridge system.
  System effect: Pitch to zero, no thrust produced. Thruster out of DP. No positioning effect.
  Detection/alarm: Control system failure.
  Compensating provision: Independent power supply. No influence on other operating thrusters.

Item 2, -A6: Loss of power supply, thruster room
  Failure mode: Loss of power
  Failure cause: Loosening of cable termination.
  Local effect: Loss of PLC unit thruster room. No remote control or local control possible.
  System effect: Auto stop of drive motor, no thrust produced. Thruster out of DP. No positioning effect.
  Detection/alarm: Control system failure.
  Compensating provision: Independent power supply. No influence on other operating thrusters.

Item 1, -A5-A1: Loss of PLC unit on bridge
  Failure mode: PLC bridge stopped
  Failure cause: PLC halted, no function active
  Local effect: Loss of PLC unit bridge. No communication to panels or thruster room.
  System effect: No thrust command active from bridge system. Pitch to zero, no thrust produced. Thruster out of DP.
  Detection/alarm: Control system failure.
  Compensating provision: Thruster can be operated by manual push buttons if needed.

Item 2, -A6-A1: Loss of PLC unit in thruster room
  Failure mode: PLC thruster room stopped
  Failure cause: PLC halted, no function active
  Local effect: Loss of PLC unit thruster room.
  System effect: No remote control function possible. Auto stop of drive motor. Thruster out of DP. No positioning effect.
  Detection/alarm: Control system failure alarm. Auto stop.
  Compensating provision: No influence on other operating thrusters.

Item 3: Loss of serial line between control cabinet bridge and thruster room (Profibus cable)
  Failure mode: No communication between thruster room and bridge.
  Failure cause: Wire break, loosening of cable termination.
  Local effect: No communication between PLC units.
  System effect: No thrust command active from bridge system. Pitch to zero, no thrust produced. Thruster out of DP.
  Detection/alarm: Control system failure.
  Compensating provision: Thruster can be operated by manual push buttons if needed.

Items 4, 5: Loss of thrust command signal from active bridge panel (4-20 mA)
  Failure mode: No signal from lever in command
  Failure cause: Potentiometer fault or fault in control card in lever. Wire break, loosening of cable termination.
  Local effect: Loss of signal from control lever.
  System effect: Pitch set point to zero.
  Detection/alarm: Loop failure / thrust command failure.
  Compensating provision: Change to other control panel or control by manual push buttons.

Items 4, 5: Loss of thrust command signal from bridge panel not in command
  Failure mode: No signal from actual lever
  Failure cause: Potentiometer fault or fault in control card in lever. Wire break, loosening of cable termination.
  Local effect: Loss of signal from control lever.
  System effect: No influence on command from active panel.
  Detection/alarm: Loop failure from actual lever.

Item 5: Fault in thrust indicator
  Failure mode: Failure in indicator or loss of signal.
  Local effect: Incorrect thrust indication on actual panel.
  System effect: No effect on system.
  Detection/alarm: Fault indication on component.
  Compensating provision: Thrust indication to be read on other panel.

Comments:

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9. Redundant Systems with Physical (Fire and Flooding) Separation


9.1 Separation design intent
9.1.1 For FMEAs of redundant systems with requirements to physical separation (typically to prevent failure
propagation due to fire and flooding events), the separation design intent of the redundant systems
in separated zones shall be described at a high level by means of layout drawings, equipment lists, figures,
tables, and supported by a descriptive narrative text. The separation intent shall specify how all redundant
component groups are located in separated zones with fire and flooding protection. All zones shall be identified
by unique identifications in addition to the identification of the component groups located within the zones.

Figure 9-1
[figure: unit U containing compartment A (fire/flooding) with redundant component group A and compartment B (fire/flooding) with redundant component group B]
The separation design intent for redundant systems requires specification of the redundant component group A
within the A zone (compartment). Specification of the redundant component group B within the B compartment/
zone shall also be stated.

Guidance note 1:
The requirement for specification and identification includes all zones, spaces, and cable trays where the equipment
is installed. Equipment is understood as all components, including piping and cabling which may influence the
redundancy design intent and acceptance criteria.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:

Figure 9-2
[figure: separation design intent diagram with decks tank top, tween deck, main deck and bridge deck against zones A and B; zone A holds T1, T3, Tk1, DG1,2, SwbA, A6, A7, A8, DPA; zone B holds T2, T4, Tk2, DG3,4, SwbB, B6, B7, B8, DPC]
Separation design intent diagram with separated zones and redundant component groups. The following
abbreviations are used in the above figure and the table below.

Separation design intent table with separated zones and redundant component groups:

Zone | Component groups | Component groups | Zone
Zone A tank top | T1, Tk1, DG1, DG2, SWBA, T3 | T2, Tk2, DG3, DG4, SWBB, T4 | Zone B tank top
Zone A tween | A6, A7 | B6, B7 | Zone B tween
Zone A main | A8 | B8 | Zone B main
Zone A bridge | DPA | DPC | Zone B bridge

T : Thruster
Tk : Fuel tank
DG : Diesel generator
SWB : Main switch board
DP : Dynamic positioning controller

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3:
The table in Guidance note 2 may be inconvenient when there are more than two zones and cross-sectional dependencies.
The table below is an example of a separation design intent table for a system with 3 separated zones and 3 redundant
component groups:

Separation design intent table

Zone | Room | Component groups | Effect of failure | Comments
1 | Engine room 1 | Tk1, DG1, DG2, … | |
1 | Switchboard room 1 | SWBA, SWBB, … | |
… | … | | |
2 | Engine room 2 | Tk2, DG3, DG4, … | |
2 | Switchboard room 2 | SWBC, … | |
… | … | | |
3 | … | | |
3 | … | | |
… | … | | |

T : Thruster
Tk : Fuel tank
DG : Diesel generator
SWB : Main switch board
DP : Dynamic positioning controller

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.1.2 The separation acceptance criterion shall be stated. Any possible time requirements shall also be stated.
Guidance note:
The separation acceptance criterion for e.g. IMO DP3 is that the applicable zones should be separated by A60 rated
materials and the zones constructed should be watertight under the waterline. In case of a fire or flooding event all
components in the components groups in the zone should be considered as failed.
Reference is also made to annex D3 where failure modes for separated electrical power systems operating in parallel
and separated power systems simultaneously supplying equipment placed in non-separated areas are discussed.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.2 Separation analysis


9.2.1 The separation analysis shall clarify the installation of redundant equipment into the physically separated
zones according to the separation design intent and the acceptance criteria. The method of separating the
different zones shall be described.
Guidance note:
The requirement for the analysis includes all zones, spaces where equipment is installed. Equipment is understood as all
components, including piping and cabling which may influence the redundancy design intent and acceptance criteria.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.2.2 The separation analysis shall result in a statement confirming that no fire or flooding event in any of
the separated compartments is able to influence the operation of both (or all) the separated systems and
subsystems in such a manner that the acceptance criteria are violated within the stated time requirement.
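The statement required by 9.2.2 can be supported by a mechanical check of the separation design intent table. The Python script below is an added example and not part of this Recommended Practice. The zones and components are those of the table in 9.1 Guidance note 2, while the composition of the redundant groups A and B (which components each group needs, and that one of DG1/DG2 or DG3/DG4 suffices) is an assumption of the example. It treats a fire or flooding event as the loss of every component located in one compartment, as 9.1.2 requires, and also reports any component a group relies on that is not located in exactly one identified zone (9.1.1).

```python
"""Separation analysis over a separation design intent table.

Added example; not part of DNV-RP-D102.  The zones and component groups are
those of the table in 9.1 Guidance note 2 (zones A and B over tank top,
tween deck, main deck and bridge deck).  Which components each redundant
group needs is an assumption of this example.  The rule applied is that
of 9.1.2 and 9.2.2: in a fire or flooding event every component located in
the affected compartment is considered failed.
"""

# Compartment -> components located there (9.1 Guidance note 2 table).
SEPARATION_TABLE = {
    "Zone A tank top": {"T1", "Tk1", "DG1", "DG2", "SWBA", "T3"},
    "Zone A tween": {"A6", "A7"},
    "Zone A main": {"A8"},
    "Zone A bridge": {"DPA"},
    "Zone B tank top": {"T2", "Tk2", "DG3", "DG4", "SWBB", "T4"},
    "Zone B tween": {"B6", "B7"},
    "Zone B main": {"B8"},
    "Zone B bridge": {"DPC"},
}

# Redundant component groups (assumed composition): "all_of" must all work,
# "one_of" needs at least one survivor (DG1 OR DG2, DG3 OR DG4).
REDUNDANT_GROUPS = {
    "A": {"all_of": {"T1", "T3", "Tk1", "SWBA", "A6", "A7", "A8", "DPA"},
          "one_of": {"DG1", "DG2"}},
    "B": {"all_of": {"T2", "T4", "Tk2", "SWBB", "B6", "B7", "B8", "DPC"},
          "one_of": {"DG3", "DG4"}},
}


def group_intact(group, lost):
    """True when the group still meets its design intent with `lost` failed."""
    return group["all_of"].isdisjoint(lost) and not group["one_of"] <= lost


def compartment_loss_violations(table=SEPARATION_TABLE, groups=REDUNDANT_GROUPS):
    """Compartments whose total loss leaves no redundant group intact.
    An empty list supports the statement required by 9.2.2."""
    return [name for name, lost in table.items()
            if not any(group_intact(g, lost) for g in groups.values())]


def surviving_groups(compartment, table=SEPARATION_TABLE, groups=REDUNDANT_GROUPS):
    """Groups that remain intact after loss of one named compartment."""
    lost = table[compartment]
    return sorted(n for n, g in groups.items() if group_intact(g, lost))


def location_findings(table=SEPARATION_TABLE, groups=REDUNDANT_GROUPS):
    """Identification check of 9.1.1: every component a redundant group relies
    on must be located in exactly one identified zone.
    Returns (unlocated, located_more_than_once)."""
    where = {}
    for compartment, items in table.items():
        for c in items:
            where.setdefault(c, []).append(compartment)
    required = set().union(*(g["all_of"] | g["one_of"] for g in groups.values()))
    unlocated = sorted(c for c in required if c not in where)
    duplicated = sorted(c for c in required if len(where.get(c, [])) > 1)
    return unlocated, duplicated


if __name__ == "__main__":
    for compartment in SEPARATION_TABLE:
        print(f"{compartment:16s} lost -> intact groups {surviving_groups(compartment)}")
    print("violations:", compartment_loss_violations())
    print("unlocated / duplicated:", location_findings())
```

Adding a cross-zone dependency to one of the groups (for instance letting group B rely on A8, which sits in Zone A main) makes the check report that compartment, which is the kind of finding the separation analysis of 9.2.1 exists to surface.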

10. Inspections and Tests


10.1 General
10.1.1 A test plan for verification of conclusions in the FMEA shall be prepared and submitted to the
certification body. The test plan shall support verification of the following:
— redundancy design intention
— worst case redundancy design intention
— single failure tolerance within the given time requirement and acceptance criteria
— barriers and other compensating measures, including sufficient independencies between these
— if relevant, separation requirements.
Guidance note:
Verification of prerequisites for the FMEA may be carried out at the dock. It may be beneficial to first carry out a
‘test plan for system verification before main test’, e.g. at the dock before the sea trial. This could cover the
parameterisation of protective functions, the software versions installed, inspection and verification of the design
assumptions about fire and flooding protected compartments, etc.
Typically a large part of the testing will be related to redundancy verification, where redundant groups should be
tested by running both the A and B component groups in parallel and introducing a failure in one group in order to
verify the required redundancy. Examples of such tests are blackout tests of AC and DC systems. Equipment
which has not been without power during the blackout tests (typically process stations with dual power supply or
battery backup) must be tested separately.
When physical separation is required, simultaneous failure of all components within the relevant boundaries (e.g. to
simulate the effect of fire or flooding) will be a relevant test strategy.
When redundancy depends on switchover mechanisms, e.g. standby start, changeover or restart, such
functions must be tested (e.g. loss of one computer or network in a redundant control system).
Single failure or common cause related testing: the tests should simulate the failure modes identified in the single
failure analysis in order to verify
— that a failure will not propagate so that the acceptance criteria or the redundancy design intention are violated
— that there is no failure response outside the acceptance criteria (e.g. a thruster failure leading to drive off on a DP vessel).
In general tests should be carried out ‘end to end’ from initiator to final element/output.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

10.1.2 The test program shall have an introduction which as a minimum shall include the following:
— reference to the specific FMEA document (title, version and date)
— specification of (or reference to) all specified system operational modes and technical system
configurations that shall be verified by testing (ref 1.1.3).
10.1.3 Each test shall as a minimum contain:
— test identification (e.g. test number)
— reference to the specific part in the FMEA to be verified (e.g. redundancy design intent, worksheets, …)
— test intention
— test prerequisites and test setup specific for this test
— test method and actions to be performed
— expected results and acceptance criteria including time requirements if relevant
— space for actual observation, test results, and conclusions.
Guidance note:
In order to facilitate the practical testing, the description of the test method should include the detailed locations where the
physical and practical actions are to be carried out. The location should be detailed down to the space, cabinet, switch,
fuse, termination board or wire, as relevant.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

10.1.4 For systems and subsystems where separation is required, a set of inspections, tests and verification
activities shall be prepared and referenced. These inspections, tests, and verifications shall support the
conclusions of the separation analysis.
10.1.5 All systems subject to testing and systems that may influence the test results, shall be completed and
commissioned ready for final testing before the FMEA tests can start.
10.1.6 Before the actual testing commences, a planning meeting between the involved parties shall be
arranged. The objective is to organise the test execution.

10.1.7 After each test, the actual observations and results shall be recorded. After the test session, the records
shall be reviewed in a meeting where involved parties are present. The meeting shall conclude on findings,
conclusions and responsibilities for further actions.

11. FMEA Report and Compliance Statement


11.1 General
11.1.1 The FMEA and the test report shall be updated according to observations and test results from the actual
testing.
11.1.2 The updated FMEA and the test records shall together with the findings, conclusions and test summary
be compiled into an FMEA report.
Guidance note:
The conclusion and test summary should include the worst case failure mode(s) and examples of related failure causes,
in order to identify which parts of the system have the highest impact on the capacity. The remaining capacity after
such failures should be stated. For the redundant system to be approved, these conclusions must comply with the
overall design intent and the given acceptance criteria.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

11.1.3 A compliance statement referring to the overall unit (U), operational modes, test conclusion, and
acceptance criterion including time requirements shall be stated in the FMEA report.

APPENDIX A
IMCA REFERENCES

The International Marine Contractors Association (IMCA) has a wide range of publications available for
members and non-members. Several of these documents give basic introduction to FMEA of marine systems.
Examples of such documents are:
— Methods of Establishing the Safety and reliability of Dynamic Positioning systems, information note
IMCA M 04/04
— IMCA M 166 Guidance on failure modes and effect analysis (FMEAs)
These and other documents also include information and examples on relevant systems and their failure modes.

APPENDIX B
DNV REFERENCES

Below are given some DNV rule references related to typical notations which require an FMEA or may otherwise
give requirements to relevant failure modes to be considered for different systems and notations.
RULES FOR CLASSIFICATION OF SHIPS
Pt.6 Ch.2 Redundant Propulsion
Pt.6 Ch.7 Dynamic Positioning Systems
Pt.6 Ch.19 Alternative Propulsion
Pt.6 Ch.22 Enhanced System Verification (ESV)
Please refer to section 2, D106 to see typical failure modes for programmable control system:
“106 The HIL test-package shall contain test cases related to the normal, degraded and abnormal operation of
the target and simulated systems. Normally single and common failure modes and common components should
be extensively analysed and tested. Multiple failures should be tested if found relevant.
Guidance note:
Operation in all normal modes and transfer between operational modes and the corresponding functional
requirements, should be the basis for establishing the HIL test scope. In addition, failure testing is also to be included
in the test scope. General types of failures to be simulated could be, but not limited to:
- sensors or input devices failure modes (dropout, noise, calibration errors, drift, bias, signal freeze, wild point,…)
- failure mode of actuators, drives, power system components or other electro-mechanical components
- feedback from sensors on actuator failure modes
- failure modes in computer networks
- failure modes related to overload of networks
- failures affecting weighting and voting mechanisms
- failures affecting protective safety functions
- failures affecting alarms, monitoring, and analysis functions
- failures causing and/or otherwise affecting switch-over in redundant systems
- common mode failures affecting several components and/or signals
- emergency handling (special emergency functions required during emergency handling could be tested)
- reconstruction of relevant reported failures/incidents related to the system and/or operations.”
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Please note that the above listed failure modes are relevant also for general FMEAs (not only HIL testing).
Pt.6 Ch.26 Dynamic Positioning System - Enhanced Reliability Dynpos-er

APPENDIX C
TYPICAL TABLE OF CONTENTS FOR A MINIMUM DP FMEA

The overall requirements to the contents of an FMEA are given in section A. The simplified example given
below of a table of contents for a DP FMEA shows typical systems to be analysed in the FMEA:
— introduction (general vessel information and acceptance criteria)
— system description and boundaries
— redundancy design intent and worst case failure intent
— vessel operational modes and technical system configurations for DP operations
— power systems
  - high voltage systems
  - low voltage distributions
  - emergency power
  - battery and UPS systems and distributions.
— machinery system
  - diesel engines / diesel generator sets
  - fuel oil system
  - lubrication oil system
  - seawater / freshwater cooling system
  - compressed air system
  - engine room ventilation.
— thruster system
  - thruster control system
  - thruster hydraulic system
  - thruster cooling system
  - control mode selection
  - power supplies to control and auxiliary pumps.
— IAS / power management / engine control system
  - integrated automation system
  - power management system
  - generator voltage control system
  - diesel engine governor control.
— emergency stop / shutdowns
— other relevant systems
  - fire fighting system
  - ventilation system
  - shut down system (ESD)
  - cooling system in computer rooms
  - etc …
— conclusions / findings / recommendations if applicable
— test program
  - in principle, all statements and conclusions of the FMEA are to be verified by testing (as far as possible);
    it is accepted that several conclusions are verified by one test, e.g. by a partial blackout
  - in general, the following main groups of tests will be required (each group typically contains several
    tests):
    - partial black-out on the main and distribution switchboards (AC)
    - loss of distribution board or equipment with dual power supply
    - loss of (black-out) each battery and UPS distribution
    - fail to safe response on single failures (e.g. thruster control systems)
    - simulation of failures requiring manual or automatic intervention
    - dependent on the actual design, other tests might be required.

APPENDIX D
FAILURE MODES IN ELECTRICAL POWER SYSTEMS OPERATING
WITH CLOSED BUS TIE(S)

D.1 Introduction
There are certain single failures that in case of open tie breakers will only affect one of the systems (A or B),
but that in case of closed tie breakers might jeopardize both the A and B systems. Such failures need not be
analysed in depth for open tie breaker operation, since it is then accepted that one of the systems A or B fails.
In the situation where the electrical power systems belonging to different redundancy groups are electrically
connected and arranged by bus-tie breakers to separate automatically upon failures (closed bus-tie), a failure in
one system (A) may propagate via the closed bus-tie (X-group) to the redundant system(s) (e.g. B). In this
situation a large number of additional failure modes may violate the overall redundancy design intent. The
FMEA must consider the additional failure modes relevant for the given design in relation to the applicable
requirements. Section A4 describes requirements and examples typical for DP systems. However, the nature
of such failure modes is similar for all marine electrical power systems running in parallel. The relevant failure
modes for an FMEA for a given system are typically influenced by the required rules or applicable standards.
The FMEA has to verify that the control and protection systems are able to automatically bring the system into
a safe state whenever a single failure occurs that might lead to a worse failure than the defined worst case
acceptable failure in the design intent (usually loss of either the A or B system).
D.2 Typical failure modes for a closed bus tie for a DP 2 FMEA analysis
The IMO MSC/Circ.645 Guidelines for vessels with dynamic positioning systems states in item 3.2.3 (which
also is a guidance note in the DNV DP rules):
“For equipment class 2, the power system should be divisible into two or more systems such that in the event
of failure of one system at least one other system will remain in operation. The power system may be run as
one system during operation, but should be arranged by bus-tie breakers to separate automatically upon failures
which could be transferred from one system to another, including overloading and short-circuits.”
Based on this IMO guideline the industry trend is to design and operate an increasing number of DP class 2
notation vessels with closed bus-tie. Through experience from closed bus-tie testing and operation over the last
years, more and more failure modes are being considered relevant for DP class 2 notations.
The typical standard minimum set of functions, failure modes and tests to be considered for DP class notations
should include:
— Protection philosophy to support the redundancy design intent (short circuit and other selectivity calculations
must be approved, in particular those related to operation of the bus tie).
— Frequency and active power control (governor failure, high/low frequency and active power imbalance).
— Voltage and reactive power control (AVR failure, high/low voltage and reactive power imbalance).
— Power management (e.g. load sharing, malfunction).
— Power system transients and distortion (e.g. power dips, voltage dip ride through capabilities, harmonics,
unbalanced currents).
— Other relevant tests must also be included in the DP FMEA test program in order to verify that the system
has the expected robustness and transitional ride through capabilities.
As the industry and rules are evolving, it is considered natural that the list of relevant failure modes for DP class
2 notations will be expanded, in order to provide more comprehensive integrity against failure propagation
across the closed bus-tie. Please note that the list provided for DP class 3 notations in D3 below gives more
details on the failure modes listed for DP class 2 notations in addition to many more failure modes relevant for
closed bus tie systems.
D.3 Typical failure modes for a closed bus tie for a DP 3 FMEA analysis
The traditional interpretation of the DP-3 requirements has been that in order to achieve the intended integrity,
the power systems must be run as separated systems with open bus-tie breakers. However, there are a number
of benefits (technical, environmental, economic and operational) of operation with closed bus-ties. Due to
these benefits some operators run their DP-3 systems with closed bus-ties for as large a part of the operations
as possible.
The IMO MSC/Circ.645 Guidelines for vessels with dynamic positioning systems states in item 3.2.4 (which
also is a guidance note in the DNV DP rules):
“For equipment class 3, the power system should be divisible into two or more systems such that in the event
of failure of one system, at least one other system will remain in operation. The divided power system should
be located in different spaces separated by A-60 class division. Where the power systems are located below the
operational waterline, the separation should also be watertight. Bus-tie breakers should be open during class 3
operations unless equivalent integrity of power operation can be accepted according to 3.1.3”.

The challenge is to ensure the above equivalent safety level of the rules and at the same time enable closed bus-
tie operations to achieve the desired benefits. The following issues should at least be adequately addressed in
DP FMEA for analysis of DP3 with closed tie-breakers or automatic change over of supply between systems:
1) Active and reactive load sharing:
- Active power load sharing failure (e.g. caused by governor failure, insufficient, excess or unstable active
power, fuel rack failure, active power or frequency sensor failures, signal failures, load-sharing line
failures)
- Reactive power load sharing failure (e.g. caused by AVR failure, insufficient, excess or unstable reactive
power, reactive power sensor failures, voltage sensor failures, signal failures)
- Detection methods and actions to bring the system to a safe state with conditions and time responses
2) Consequences of voltage transients:
- Reference to analysis of worst case voltage dip (depth and duration) on healthy bus after short-circuit on
other bus (in closed tie-breaker operation)
- Document adequate voltage dip “ride-through” capability of the systems necessary to remain in position:
thruster drives, computer systems, networks, contactors, pumps, ventilation, and other auxiliaries.
3) Risk for simultaneous trip or load reduction of all thrusters:
- Are there built-in protections in thruster variable speed drives that cause trip or load reduction? If yes,
how is it ensured that all thrust is not lost at the same time by the same trigger? Examples of such
protection are high/low voltage and/or frequency.
- Are there situations where all thrusters will reduce their power simultaneously to such a level that
position cannot be maintained? E.g. built-in load reduction functionality in drives that may reduce power
to zero if one diesel engine fails towards full speed.
4) Ensure that no hidden failure renders it impossible to open the tie-breaker from the PMS or other protection
devices:
- Does the PMS have direct hardware open command signals to both tie-breakers?
- Redundant open command signals?
- Fail safe design that trips the breaker on wire break of the open command signal?
- Is it sufficiently ensured that the tie-breaker is not in local mode during DP3 operation? (e.g. clear indication
of local/remote status on the PMS GUI)
- Include a check of tie breaker operability in the procedures for DYNPOS-AUTRO/DPS3 operation?
5) Fault tolerance in PMS system:
- How is it ensured that a single feedback failure to PMS does not cause the PMS to carry out action that
result in loss of position?
- Can for instance a single failure on feedback signal to PMS cause:
- PMS to connect generator (or bus-tie) without synchronization?
- Force full load reduction to all running thrusters simultaneously?
- PMS to decrease generator frequencies to a level that causes risk of automatic load reduction of
drives / tripping of drives?
- PMS to increase frequency to a level that causes systems to trip?
- PMS to jump to manual mode?
- Can single PMS operator failure cause blackout?
- Can one single PMS unit trip all generator breakers?
- Failure to start and connect
- Crash synchronization on connect
- Connection of a stopped generator
6) Documentation and verification of protection settings:
- Is there protection functionality in PMS that can trip generator breakers and thus need to be included in
discrimination analysis?
- Require tables with settings of all protection equipment both in relays on breaker and in PMS.
- As part of FMEA: Verify by onboard inspection all protection settings on breakers, not only short circuit.
Special focus on tie-breaker.
7) Short circuit selectivity between bus-tie and generator breakers:
- Selectivity documented also for highest maximum short circuit current?
- Zero delay in bus-tie short circuit protection?
8) Mode monitoring in PMS / IAS system:
- Warning/alarm if power system setup is in conflict with defined prerequisite for DYNPOS-AUTRO/
DPS3 operation.
9) Loop monitoring (or similar) on feedback signals to e.g. the PMS.
10) Bus-tie breaker shunt-trip: can this be used? The tie-breaker needs to be able to open also during a voltage dip.

11) Failures causing high harmonic distortion in the system, where the new situation causes other components
to fail? E.g. filter failure giving high 11th and 13th harmonics causing resonance in internal filters in VFDs
to auxiliaries, again causing these to fail and the auxiliary function is lost for e.g. all thrusters.
12) Negative sequence.
13) Loss of synchronization:
- Maintenance of synchronization after voltage dip e.g. related to short circuit.
- Loss of synchronization – pole slipping (including severe mechanical failure)
14) Earth faults – generally.
15) System parameters outside normal operational ranges/boundaries applicable to voltage and frequency.
16) System imbalance:
- Severe line or phase voltage imbalance (short circuit or similar condition)
- Severe line current imbalance
17) A system should be implemented to ensure that the set points of all kinds of trip functions in the
electrical system are based on data that are verified/tested. Assumed data should not be accepted. All trip
functions should be included in a maintained list. There should be a systematic periodic check of all set
points.
18) The discrimination analysis is to be reviewed with careful attention that all functions and settings are to be
properly justified.
19) Other design related issues which are identified during the design review or testing.
20) As many of these design elements as possible shall be verified by FMEA testing.
As the industry and rules are evolving and experiences collected, it is considered natural that this list of relevant
failure modes will be expanded.
When the system is intended to be operated with closed bus tie(s) between redundant power systems, the above
requirements to analyses must be supported with extensive verification by FMEA testing. Especially, in the
situation where the intention is to justify the ‘equivalent integrity of power operations’ as required by IMO
MSC/Circ. 645 the extent of necessary FMEA testing may include tests that traditionally have been considered
to be potentially destructive (e.g. short circuits and earth failures on electrical system).
Although an equivalent safety level is considered to be achieved by documented analysis and testing, it should
be understood that there will always be a residual probability for failure propagation. For operations (e.g.
diving) where loss of position may result in unacceptable consequences, risk considerations should be
performed in order to evaluate the system operational modes including open or closed bus-ties. This principle
is valid for both DP-2 and DP-3 systems.
The intended equivalent safety level may be achieved by other measures than discussed in this section. In
general such equivalent measures will be accepted.
D.4 Separated power systems simultaneously supplying equipment placed in a non-separated
area
Separated power systems simultaneously supplying equipment placed in a non-separated area may impose a risk
of both power systems being affected by the same fire or flooding incident. Depending on the system, the
following typical descriptions and analyses are required by the FMEA:
— Location of equipment and cable routing belonging to the different systems. This drawing should also indicate
any possible separations, watertight and passive fire protection. This also includes any slip ring assembly.
Equipment being supplied from different redundancy groups should be installed to provide the best possible
protection against failure propagation, and installed in separate cabinets.
— Discrimination analysis: generator circuit breakers (CB), main switchboard (MSB) equipment feeder
CB, equipment MSB incoming CB (if applicable), equipment MSB feeders, and CBs further downstream
until end consumers. This is applicable for all relevant power systems. This must be presented as graphs in
a common diagram and preferably supported by the CB maker's discrimination tables. Earth fault
discrimination shall also be included (if applicable). Installation of current limiting breakers should be
considered.
— Short circuit analysis: Maximum and minimum short circuit levels shall be documented for all distributions
(single and three phase fault), taking generator decrement curves into consideration.
— Under voltage: As a consequence of a worst case failure scenario both power systems may experience a
short circuit within a short time period. The consequence of a short circuit will be under voltage in the systems,
which may affect connected equipment. Analysis of the transient voltage dip and its duration must be
documented. This must include an evaluation and conclusion on the effect on other equipment and systems,
bearing in mind the sensitivity of power electronics, contactors, computer systems, etc.
— Parameterisation of protective devices/functions.

— Fire/flooding monitoring (extended systems may be used to increase the possibility to set the system in a
safe mode upon such an incident).
— Operational philosophy (power system, crane/diving/DP operations, etc…).
— Load balance considerations.
Such analysis should be focused on the highest voltage levels in the AC power generation plants and on battery
and UPS distribution systems.
D.5 Additional discussion and examples
A.4.4 includes some further discussion and examples of some of the topics stated in A.4.3. Please note that for
a given FMEA, all relevant topics must be addressed.
A general recommendation is that upon detection of abnormal condition, action to bring the system into split
mode shall be automatically executed. Abnormal situations may include:
— Load sharing failure active power.
— Load sharing failure reactive power.
— High/Low bus voltage.
— High/Low frequency.
— Communication failure in PMS or load sharing system.
— Thruster load reduction activated.
— PMS failure or PMS change to manual mode.
— Feedback failure on bus-tie status signals.
Some of the most common failure modes that need to be addressed are outlined in the following subsections.
Note that other failure modes might also be critical (depends on type of equipment, configuration and control
systems installed).
D.5.1 Tie breaker short circuit protection
All generator breakers are equipped with short circuit protection trip functionality such that they will open in
case of short circuit on the bus.
In closed tie-breaker operation it will be crucial that the tie breaker(s) opens before the generator breakers. A
full blackout (A and B side) will be the result if tie breaker fails to open before generator breakers since short
circuit current will flow through all generator breakers and thus they will all trip.
The FMEA has to verify that the breakers are installed and parameterized such that it is ensured that the tie breakers
open first. It has also to be verified that the tie breaker is able to break the worst case short circuit current.
For the tie-breaker, maximum upstream selectivity has higher priority than downstream selectivity. For the
safest operation the tie breaker should be considered to open as fast as possible (configured with zero delay),
although this might be in conflict with downstream selectivity.
For DP3 it is required to have a tie breaker at both sides of the fire and flooding division. The division has little
or no value unless the tie breakers on both sides of the division are equipped with short circuit protection. This
has to be verified as part of the FMEA.
The FMEA has to address maker documentation regarding breaking capacity and selectivity/discrimination.
The FMEA needs to verify that the required discrimination is implemented in the system.
*** Example of how tie breaker short circuit protection can be addressed in the FMEA:
The worst case short circuit currents on the vessel switchboards are in the short circuit analysis shown to be:

Generator breakers: 35 kA
Tie-breaker: 55 kA

The table below shows the breaking capacity and trip settings for the generator and tie breakers.

Breaker              Breaking capacity (kA)   Short circuit trip setting   Delay setting
BT1 (Master)         65 kA                    8 kA                         80 ms
BT1 (Slave)          65 kA                    8 kA                         80 ms
Generator breakers   65 kA                    12 kA                        500 ms

The discrimination curves for the generator breaker and the tie breaker are shown below.

[Figure: time-current discrimination curves for the generator breaker and the tie breaker, time (s) against current (A) on log-log axes. Annotation: bus-tie breaker should break before generator breaker.]

Generator breaker maker and type   Tie breaker maker and type   Documentation of selectivity / discrimination
Siemens 3WL 3000 A                 Siemens 3WL 3000 A           According to maker documentation (ref. ….) discrimination is
                                                                assured up to 65 kA provided the trip current setting difference
                                                                is >2 kA and the time delay difference is >200 ms.

Based on the maker documentation it is concluded that the tie breaker will open before the generator breakers in
case of the worst case short circuit. To be verified on board that breaker maker, type and protection settings are as
specified.
*** End of example.
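The following Python script is an added example, not taken from this Recommended Practice nor from any breaker maker's documentation. It encodes the checks made in the example above (breaking capacity against the worst case short circuit current, and the maker's stated selectivity margins of >2 kA and >200 ms between tie and generator breakers) and, in support of Appendix D item 17, diffs the specified settings against values read on board. The "as-found" readings are constructed for the illustration, including a hypothetical 400 ms delay left on the slave tie breaker.

```python
"""Check that switchboard short-circuit protection settings support the closed
bus-tie design intent: tie breakers trip before generator breakers and every
breaker can interrupt the worst-case fault current at its location.

Added illustration, not part of DNV-RP-D102. Specified values, worst-case fault
currents and the maker's selectivity margins are those of the RP's worked
example; the 'as-found' readings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Breaker:
    name: str
    role: str            # "tie" or "generator"
    capacity_ka: float   # rated breaking capacity
    trip_ka: float       # short-circuit trip current setting
    delay_ms: float      # intentional time delay


# Specified settings (RP example table).
SPECIFIED = [
    Breaker("BT1 (Master)", "tie", 65.0, 8.0, 80.0),
    Breaker("BT1 (Slave)", "tie", 65.0, 8.0, 80.0),
    Breaker("Generator breakers", "generator", 65.0, 12.0, 500.0),
]

# Worst-case prospective short-circuit current per location (RP example).
WORST_CASE_KA = {"tie": 55.0, "generator": 35.0}

# Maker's documented discrimination criteria (RP example).
MIN_CURRENT_MARGIN_KA = 2.0
MIN_DELAY_MARGIN_MS = 200.0
DISCRIMINATION_LIMIT_KA = 65.0   # discrimination assured up to this fault current


def check_selectivity(breakers, worst_case_ka=WORST_CASE_KA,
                      min_current_margin_ka=MIN_CURRENT_MARGIN_KA,
                      min_delay_margin_ms=MIN_DELAY_MARGIN_MS,
                      discrimination_limit_ka=DISCRIMINATION_LIMIT_KA):
    """Return a list of findings; an empty list means the settings support the intent."""
    findings = []
    ties = [b for b in breakers if b.role == "tie"]
    gens = [b for b in breakers if b.role == "generator"]
    if not ties or not gens:
        return ["table must contain at least one tie and one generator breaker"]

    # 1. Every breaker must be able to interrupt the worst-case fault at its location.
    for b in breakers:
        if b.capacity_ka < worst_case_ka[b.role]:
            findings.append(f"{b.name}: breaking capacity {b.capacity_ka} kA "
                            f"< worst-case {worst_case_ka[b.role]} kA")

    # 2. The maker's discrimination statement only covers faults up to a limit.
    if max(worst_case_ka.values()) > discrimination_limit_ka:
        findings.append("worst-case fault exceeds documented discrimination range")

    # 3. Each tie breaker must be upstream-selective against every generator breaker:
    #    lower pickup and shorter delay, both by at least the maker's margin.
    for t in ties:
        for g in gens:
            if g.trip_ka - t.trip_ka < min_current_margin_ka:
                findings.append(f"{t.name} vs {g.name}: trip current margin "
                                f"{g.trip_ka - t.trip_ka:.1f} kA < {min_current_margin_ka} kA")
            if g.delay_ms - t.delay_ms < min_delay_margin_ms:
                findings.append(f"{t.name} vs {g.name}: delay margin "
                                f"{g.delay_ms - t.delay_ms:.0f} ms < {min_delay_margin_ms} ms")
    return findings


def compare_as_found(specified, as_found):
    """Diff specified settings against values read on board (Appendix D item 17:
    trip set points must be verified, never assumed). Returns a list of deviations."""
    spec = {b.name: b for b in specified}
    deviations = []
    for name, found in as_found.items():
        s = spec.get(name)
        if s is None:
            deviations.append(f"{name}: not in specified settings list")
            continue
        for attr in ("trip_ka", "delay_ms", "capacity_ka"):
            if getattr(s, attr) != getattr(found, attr):
                deviations.append(f"{name}.{attr}: specified {getattr(s, attr)}, "
                                  f"found {getattr(found, attr)}")
    for name in spec.keys() - as_found.keys():
        deviations.append(f"{name}: not verified on board")
    return deviations


# Constructed 'as-found' readings: the slave tie breaker has (hypothetically)
# been left at a 400 ms delay so that the diff and the re-check have something to report.
AS_FOUND = {
    "BT1 (Master)": Breaker("BT1 (Master)", "tie", 65.0, 8.0, 80.0),
    "BT1 (Slave)": Breaker("BT1 (Slave)", "tie", 65.0, 8.0, 400.0),
    "Generator breakers": Breaker("Generator breakers", "generator", 65.0, 12.0, 500.0),
}

if __name__ == "__main__":
    print("specified settings findings:", check_selectivity(SPECIFIED) or "none")
    print("as-found deviations:", compare_as_found(SPECIFIED, AS_FOUND))
    print("as-found selectivity findings:", check_selectivity(list(AS_FOUND.values())))
```

The specified table passes (4 kA and 420 ms margins, 55 kA below 65 kA), whereas the constructed on-board reading turns a settings deviation into a selectivity finding: with a 400 ms delay the slave tie breaker no longer opens ahead of the generator breakers by the maker's 200 ms margin, which is exactly the case in which a bus short circuit would trip every generator breaker.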
D.5.2 Under-voltage release / Voltage transients / high and low bus voltage
Generator breakers will usually be equipped with under-voltage release which opens the breaker if the voltage
is below a specified level for a specified period.
All generator breaker protection relays will measure the same voltage when tie-breaker is closed. A voltage dip
will thus potentially cause all generator breakers to trip simultaneously (full blackout).
Similar consequences can arise if thruster breakers are equipped with under voltage release. All thruster
breakers will measure the same voltage when tie breaker is closed. Thus, they may all trip simultaneously with
loss of position as potential consequence.
Note also that the thruster drive controllers typically also monitor voltage and might also command thrusters
breakers to open. This is also a function that might cause all thrusters to trip simultaneously.
Simultaneous trip of generators or thrusters can be avoided by ensuring that the tie-breaker will always be the
first to open in case of under voltage. It is also important to ensure that no “normal” voltage dip to be expected
in the actual power system will cause any trip (e.g. voltage dip due to start of large motors and voltage dip due
to a short circuit).
A challenging task is to verify that a short circuit on one bus will be cleared fast enough to avoid that feeders
and contactors to essential auxiliary systems open due to low voltage. The same type of equipment
will usually be used on both the A and B side. Thus, if one loses a pump on the A side during a short circuit due to
low voltage, it is also likely that the one for the B system will trip, since it will see more or less the same voltage.
A very fast short circuit trip of the tie breaker will reduce the voltage dip in either the A or B system and will
thus be a method to avoid losing auxiliary systems on both the A and B side. Bus tie breakers may be considered
to be equipped with under voltage trip.
Any protection functions acting on high bus voltage will have to be addressed in the same way.
*** Example of how under voltage release can be addressed in the FMEA:
The worst case voltage dips have been analysed for a given vessel switchboard. The results are summarized in the
table below:

Case                                                         Voltage   Duration
Start of heavy consumer in DP mode, two generators running   90%       3 seconds
Short circuit                                                0%        100 ms (maximum time for the bus-tie to clear the fault)

The table below shows the settings of the under-voltage release protection functions in the vessel switchboard:

Breaker / function                                                Under voltage release   Trip level   Delay
Bus-tie 1 (Master)                                                Yes                     85%          100 ms
Bus-tie 1 (Slave)                                                 Yes                     85%          100 ms
Generator breakers                                                Yes                     80%          1 s
Breakers to thruster T1, T2, T3 and T4                            Yes                     80%          1 s
Thruster drive controller (T1 and T2)                             Yes                     85%          900 ms
Thruster drive controller (T3 and T4)                             No                      -            -
Breakers to DP essential auxiliaries                                                      < 85%        > 100 ms
Contactors and low voltage breakers to DP essential auxiliaries                           < 85%        > 100 ms

Based on these settings it is concluded that there is no risk of losing all generators or thrusters simultaneously
in closed tie breaker operation.
To be verified on board that the settings are as specified.
*** End of example.
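The following Python script is an added example, not part of this Recommended Practice, that applies the two dip cases and the under-voltage release settings of the example above to show which functions would act for each dip and whether the tie breaker is the only one. The dip is modelled as lasting no longer than the tie breaker's clearing time, after which the healthy bus recovers; the 120 ms delay used for the DP essential auxiliaries is an assumed value chosen to satisfy the "> 100 ms" criterion in the table, and the mis-set generator breaker used to show a failing case is hypothetical.

```python
"""Which under-voltage (UV) functions act for a given voltage dip with the bus-tie
closed? Added illustration, not part of DNV-RP-D102.

Dip cases and UV settings follow the RP's worked example. The 'DP essential
auxiliaries' entry uses an assumed 120 ms delay (the example only requires
'> 100 ms'). Model: a function acts if bus voltage stays below its trip level
for at least its delay; the dip is assumed to last no longer than the time the
tie breaker needs to clear the fault.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UvFunction:
    name: str
    group: str             # "tie", "generator", "thruster" or "auxiliary"
    trip_level_pct: float  # acts when voltage is below this level ...
    delay_ms: float        # ... for at least this long


@dataclass(frozen=True)
class Dip:
    case: str
    voltage_pct: float
    duration_ms: float


UV_SETTINGS = [
    UvFunction("Bus-tie 1 (Master)", "tie", 85.0, 100.0),
    UvFunction("Bus-tie 1 (Slave)", "tie", 85.0, 100.0),
    UvFunction("Generator breakers", "generator", 80.0, 1000.0),
    UvFunction("Breakers to thruster T1-T4", "thruster", 80.0, 1000.0),
    UvFunction("Thruster drive controller T1, T2", "thruster", 85.0, 900.0),
    # Thruster drive controllers T3/T4 have no UV function and are omitted.
    UvFunction("DP essential auxiliaries (assumed 120 ms)", "auxiliary", 85.0, 120.0),
]

DIPS = [
    Dip("Start of heavy consumer in DP mode, two generators running", 90.0, 3000.0),
    Dip("Short circuit on one bus, cleared by the tie breaker", 0.0, 100.0),
]


def acting_functions(dip, settings=UV_SETTINGS):
    """Names of the UV functions that would act during `dip`, fastest first."""
    acting = [s for s in settings
              if dip.voltage_pct < s.trip_level_pct and dip.duration_ms >= s.delay_ms]
    return [s.name for s in sorted(acting, key=lambda s: s.delay_ms)]


def evaluate(dip, settings=UV_SETTINGS):
    """(verdict, acting): verdict is True when only tie breakers act. A tie breaker
    opening is the intended response; any generator, thruster or auxiliary
    function acting means both redundancy groups could be lost at once."""
    acting = acting_functions(dip, settings)
    group_of = {s.name: s.group for s in settings}
    return (all(group_of[n] == "tie" for n in acting), acting)


def clearing_margins(settings, tie_clear_ms):
    """Time (ms) each non-tie function can ride through a full voltage collapse
    beyond the tie breaker clearing time; a negative value means it acts first."""
    return {s.name: s.delay_ms - tie_clear_ms for s in settings if s.group != "tie"}


if __name__ == "__main__":
    for dip in DIPS:
        ok, acting = evaluate(dip)
        print(f"{dip.case}: {'OK' if ok else 'NOT OK'}; acting: {acting or 'none'}")
    print("margins vs 100 ms tie clearing:", clearing_margins(UV_SETTINGS, 100.0))
```

The 90% dip acts on nothing, since every trip level is at or below 85%; the short circuit acts on the two tie breaker halves only, and the margins show how much of the 1 s generator and 900 ms drive delays remain above the 100 ms clearing time. Adding a generator breaker set to 85%/100 ms turns the verdict to NOT OK, which is the simultaneous-trip case the text warns about.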
D.5.3 Load sharing monitoring
Load sharing failure between generators is a common mode failure that can lead to total blackout or full
thrusters load reduction (and thus also loss of position). This includes both active and reactive power sharing
failure.
Active and reactive load sharing monitoring is a function typically handled by the PMS.
Active power load sharing failure can be caused by governor failure, fuel rack failure, active power or
frequency sensor failures, other signal failures and load-sharing line failures. (Examples of failure causes
relevant in systems with load sharing performed by stand-alone units (isochronous) could be earth failure on,
broken line in, and short circuit of the load sharing.) Note that in case the PMS is performing load sharing
control, a load sharing failure might also be caused by the PMS itself if for instance a feedback signal to the
power management system fails and this failure is not properly detected and handled.
Reactive power load sharing failure can for instance be caused by AVR failure, reactive power sensor failures,
and voltage sensor failures.
Possible consequences of load sharing failures are:
— Generator protection relays (reverse power and over-current) might in such cases trip healthy generator
instead of faulty, with blackout as the final state.
— PMS might command full load reduction to all thrusters due to high load on one generator (might lead to
loss of position)
Typical barriers against such outcome can be control or protection systems that automatically open the tie
breaker upon detection of load sharing failure (active or reactive).
The FMEA has to analyse and describe how the actual system will handle load sharing failures. It might also
be needed to prove that the measures are effective. Typical questions to be answered by FMEA:
— How are active and reactive load sharing failures detected in the system?
— What is the action to bring system to safe state? (opening of tie-breaker will usually be part of an
appropriate action)
— Immediate or delayed action? Time delays in detection and action?
This kind of information may be found in the functional design specification of the PMS. This issue will
probably also be covered by the vendor's FMEA of the PMS, if such is available and used as input to the FMEA.
It is not straightforward to prove that the measures against load sharing failure consequences are effective.
Tests can be carried out on sea trials or at the dock if the necessary generator loads are available. An alternative is to
verify this by use of HIL testing.

*** Example of how the load sharing monitoring can be summarized in the FMEA:
The table below shows which vessel control system is responsible for active and reactive power load sharing monitoring in the different modes.

| Mode | Monitoring | Control system / PLC | Monitors sharing between |
|---|---|---|---|
| Open tie-breaker | Active power | PMS A | DG1, DG2 |
| Open tie-breaker | Active power | PMS B | DG3, DG4 |
| Open tie-breaker | Reactive power | PMS A | DG1, DG2 |
| Open tie-breaker | Reactive power | PMS B | DG3, DG4 |
| Closed tie-breaker | Active power | PMS A | DG1, DG2, DG3, DG4 |
| Closed tie-breaker | Reactive power | PMS A | DG1, DG2, DG3, DG4 |
Automatic action to bring the system to a safe state (split system) in case of active power load sharing failure:

| Mode | Measure | Level | Delay |
|---|---|---|---|
| Open tie-breaker | Warning | - | - |
| Open tie-breaker | Alarm | > 200 kW difference | 10 sec |
| Open tie-breaker | Other action (specify) | - | - |
| Closed tie-breaker | Warning | - | - |
| Closed tie-breaker | Alarm | > 200 kW difference | 10 sec |
| Closed tie-breaker | Trip of tie breaker | > 300 kW difference | 5 sec |
| Closed tie-breaker | Other action (specify) | - | - |
Automatic action to bring the system to a safe state (split system) in case of reactive power load sharing failure:

| Mode | Measure | Level | Delay |
|---|---|---|---|
| Open tie-breaker | Warning | - | - |
| Open tie-breaker | Alarm | > 100 kVAr difference | 4 sec |
| Open tie-breaker | Other action (specify) | - | - |
| Closed tie-breaker | Warning | - | - |
| Closed tie-breaker | Alarm | > 100 kVAr difference | 4 sec |
| Closed tie-breaker | Trip of tie breaker | > 200 kW difference | 2 sec |
| Closed tie-breaker | Other action (specify) | - | - |
The tables show that appropriate measures are taken for the system in this example in case of load sharing failures (active or reactive). (Note that other system designs might require additional analyses.)
It is also seen that PMS A is responsible for the monitoring when the tie breaker is closed. This is a potential single point failure that requires additional attention.
Identified failure modes that need to be tested on FAT/Dock/Sea trial:

| Failure mode | Possible worst case consequence (with closed tie-breaker) |
|---|---|
| Active power load sharing failure with closed tie-breaker | Full blackout may be the consequence in case the tie breaker is not opened fast enough, or in case no other action is initiated to bring the system in safe state. |
| Reactive power load sharing failure with closed tie breaker | Full blackout may be the consequence in case the tie breaker is not opened fast enough, or in case no other action is initiated to bring the system in safe state. |
| Loss of PMS A | This might be a critical failure since loss of PMS A will lead to loss of both load sharing monitoring and the load sharing control (see drawing in section A.4.5.4). Worst case consequence will be full blackout. Has to be verified that the tie breaker is automatically opened in case of loss of PMS A. |
| Loss of PMS B | This might be a critical failure since loss of PMS B will cause loss of both load sharing monitoring and the load sharing control (see drawing in section A.4.5.4), since the monitoring carried out by PMS A is based on DG3 and DG4 signals routed through PMS B (see figure in section A.4.5.4). Worst case consequence might be full blackout. Has to be verified that the tie breaker is automatically opened in case of loss of PMS B. |
*** End of example.
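The alarm and trip levels and delays of the example above, worked through as an added illustration (not part of this recommended practice and not any vendor's PMS code): a small model of an active power load sharing monitor that raises each measure only after its level has been exceeded for the specified delay, and resets its timer as soon as the spread is back within level. The class and function names and the 1 s measurement samples are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LoadSharingMonitor:
    """Watches the spread between the most and least loaded connected generator and
    raises each measure once its level has been exceeded for the configured delay."""
    alarm_kw: float = 200.0        # example table: alarm at > 200 kW difference, 10 s
    alarm_delay_s: float = 10.0
    trip_kw: float = 300.0         # example table: trip of tie breaker at > 300 kW, 5 s
    trip_delay_s: float = 5.0
    exceeded_since: dict = field(default_factory=dict)  # measure -> time level first exceeded

    def step(self, t_s: float, loads_kw: dict, tie_closed: bool) -> list:
        """Evaluate one sample of generator loads; returns the measures due now."""
        loads = list(loads_kw.values())
        spread = max(loads) - min(loads) if len(loads) > 1 else 0.0
        measures = [("alarm", self.alarm_kw, self.alarm_delay_s)]
        if tie_closed:  # tripping the tie breaker is only a measure with closed tie-breaker
            measures.append(("trip_tie_breaker", self.trip_kw, self.trip_delay_s))
        else:
            self.exceeded_since.pop("trip_tie_breaker", None)
        due = []
        for name, level, delay in measures:
            if spread > level:
                start = self.exceeded_since.setdefault(name, t_s)
                if t_s - start >= delay:
                    due.append(name)
            else:
                self.exceeded_since.pop(name, None)  # timer resets once back within level
        return due


def first_actions(samples: list, tie_closed: bool) -> dict:
    """Runs the monitor over (time_s, loads_kw) samples; returns when each measure first fires."""
    monitor = LoadSharingMonitor()
    fired = {}
    for t_s, loads in samples:
        for name in monitor.step(t_s, loads, tie_closed):
            fired.setdefault(name, t_s)
    return fired


def drift_samples() -> list:
    """Constructed 1 s samples: from t = 3 s DG1's governor takes load from DG2..DG4,
    giving a 600 kW spread that persists (closed tie-breaker, all four connected)."""
    balanced = {"DG1": 1000.0, "DG2": 1000.0, "DG3": 1000.0, "DG4": 1000.0}
    drifted = {"DG1": 1500.0, "DG2": 900.0, "DG3": 900.0, "DG4": 900.0}
    return [(float(t), balanced if t < 3 else drifted) for t in range(16)]
```

With the constructed drift the tie breaker trip is due at t = 8 s and the alarm at t = 13 s, which is the ordering the example's table implies: the system is split before the operator alarm matures.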

D.5.4 Active power load sharing control system


Load sharing between generators will typically be controlled by one of the following control systems:
— Load sharing by PMS
— Load sharing by dedicated, stand alone load sharing module
— Load sharing integrated system in governors with communication between governors (e.g. analogue load
sharing lines or digital communication)
Note: Load sharing control and load sharing monitoring (ref. A.4.5.3) are two different functions that both have to be addressed.
It is not uncommon to have a backup system where one of the above is the preferred system and one of the others is used as backup.
The FMEA has to address the load sharing system thoroughly when operating with closed tie-breaker, since in this case the load sharing system will be common for both the A and B side, or at least the system will depend on measurements from both the A and B side. The FMEA has to identify possible common mode failures. Typical signals used by the load sharing control system (PMS or stand-alone dedicated system) are:
— Running signal from all generators
— Open / closed status from all generator circuit breakers
— Open / closed status from tie-breaker(s) (both master and slave breakers if applicable)
— Active power measurement from all generators
— Speed up/down command signal to all generators.
It is thus quite clear that in a load sharing system there is a potential for single failures affecting both the A and B system.
It will usually be necessary that the tie breaker is automatically opened if any failure in the load sharing system is detected. This applies both to load sharing by PMS and to other load sharing systems.
*** Example of how the load sharing system can be summarized in the FMEA:
The load sharing is controlled by the PMS. The load sharing is controlled as follows:
— Open tie-breaker:
— PMS A performs load sharing between DG1 and DG2
— PMS B performs load sharing between DG3 and DG4
— Closed tie breaker
— PMS A performs load sharing between DG1, DG2, DG3 and DG4.
The signals used for load sharing by PMS are shown in the figure below (for both open and closed tie-breaker mode). As can be seen, there are dependencies between the A and B systems both with closed and open tie-breaker. The FMEA analysis has concluded that the tests listed in the tables below have to be carried out in order to verify that the load sharing system conforms to the redundancy requirements.
[Figure: Closed tie-breaker. DG1, DG2, DG3 and DG4 are connected to SWBD A + B. PMS A receives P G1, P G2, DG1running, DG2running, CB1closed, CB2closed and tie breaker status directly, and receives P G3, P G4, DG3running, DG4running, CB3closed and CB4closed routed through PMS B. PMS A sends speed up/down commands to DG1, DG2, DG3 and DG4.]

[Figure: Open tie-breaker. SWBD A (DG1, DG2) and SWBD B (DG3, DG4) are separated. PMS A receives P G1, P G2, DG1running, DG2running, CB1closed and CB2closed and sends speed up/down commands to DG1 and DG2. PMS B receives P G3, P G4, DG3running, DG4running, CB3closed and CB4closed and sends speed up/down commands to DG3 and DG4. PMS A and PMS B both receive the same tie breaker status signal.]

Identified failure modes for closed tie-breaker that need to be tested:

| Failure mode | Possible worst case consequence (with closed tie-breaker) |
|---|---|
| Power supply failure or complete loss of PMS A | No active power load sharing. May lead to load sharing failure and finally complete blackout (A + B) if not properly handled. Has to verify that the tie breaker is automatically opened. |
| Power supply failure or complete loss of PMS B | Will cause faulty / frozen measurements from DG3 and DG4 in the load sharing control since these are routed through PMS B. May lead to load sharing failure and finally complete blackout (A + B) if not properly handled. Has to verify that the tie breaker is automatically opened. |
| Tie breaker opened/closed status feedback failure | If PMS acts as if the tie-breaker is open when actually closed (and vice versa), load sharing will fail and complete blackout (A + B) may be the final result. Has to verify that the system will detect failure on the tie breaker status signal and that the system is automatically split by opening the tie breaker in such case. |

Identified failure modes for open tie-breaker that need to be tested:

| Failure mode | Possible worst case consequence |
|---|---|
| Tie breaker opened/closed status feedback failure | As shown on the drawing, system A and system B use the same tie breaker status signal. A failure on this signal will affect both the A and B side. It has to be verified that the integrity of the tie breaker status signal is monitored and that the tie breaker is commanded to open if a feedback failure is detected (even if the breaker is apparently open already). |

*** End of example.


D.5.5 Blackout prevention, load reduction, load limitation system, and blackout recovery
To avoid generator overload, the load on the generators is typically automatically reduced or shed. This is essential to avoid partial or full blackout. This functionality is required also for open tie-breaker operation, but will be even more important when operating with closed tie-breaker, since an overload in this case may cause immediate full blackout.
The FMEA has to address the intended functionality of the blackout prevention / load reduction/ load limitation
system and has also to verify that the system is fail safe such that no single failure related to this functionality
can violate the acceptance criteria, e.g. for DP2 blackout, or full loss of thrust.
The blackout prevention / load reduction / load shedding functionality might typically be implemented in more
than one control system. Thus, on the same vessel one might find blackout prevention / load limitation / load
reduction functionality in the:
— DP control system
— PMS
— a stand alone load limiting system
— variable frequency drives controllers.

The blackout prevention / load reduction / load shedding might typically be triggered by one or more of the following:
— high generator active power
— high generator reactive power (not common)
— high generator current
— high total load on bus (sum of generator active power)
— low bus frequency
— low bus voltage.
Such functionality may cause failure propagation between the A and B side when operating with closed tie-breaker. This could happen because the control system has to take into consideration all generators, both on the A and B side, in order to check for overload.
Further, load reduction based on bus frequency or bus voltage may cause failure propagation between the A and B system. Frequency and voltage are equal on the A and B side as long as the tie-breaker is closed. This means that low voltage or low frequency might cause simultaneous load reduction of all running thrusters and consequently risk of position loss.
It might be necessary to carry out tests on FAT/Dock/Sea trial to:
— prove that the system works as intended
— prove that critical failures in the blackout prevention / load reduction / load limitation are detected by the control systems (typically failure on the active power measurement signal to the control system and the load reduction command signal to the thrusters)
— prove that no single failure will cause all thrusters to be reduced to a very low or zero speed simultaneously (risk of drift off).
Blackout recovery systems may also need to be analysed. It should be ensured that unintended operation cannot
create a blackout, e.g. as a result of false blackout detection.
*** Example of how the blackout prevention / load reduction / load shedding can be presented in the FMEA:
Overview of blackout prevention / load reduction / load shedding functionality on the vessel:

| Mode | Control system / PLC | Criteria to initiate action | Delay | Action |
|---|---|---|---|---|
| Closed tie-breaker | PMS A | Bus A+B load > 98% | 200ms | Load reduction command is sent to THR1, THR2, THR3, THR4 |
| Closed tie-breaker | PMS A | Bus A+B frequency < 56Hz | 200ms | Load reduction command is sent to THR1, THR2, THR3, THR4 |
| Closed tie-breaker | PMS A | DG1 load > 98%; DG2 load > 98%; DG3 load > 98%; DG4 load > 98% | 200ms | Load shedding of non-thruster heavy consumers on bus A |
| Closed tie-breaker | PMS A | DG1 load > 105%; DG2 load > 105%; DG3 load > 105%; DG4 load > 105% | 200ms | Load reduction command to THR1, THR2, THR3, THR4 |
| Closed tie-breaker | PMS B | Bus A+B load > 98% | 200ms | Load reduction command sent to THR1, THR2, THR3, THR4 |
| Closed tie-breaker | PMS B | Bus A+B frequency < 56Hz | 200ms | Load reduction command sent to THR1, THR2, THR3, THR4 |
| Closed tie-breaker | PMS B | DG1 load > 98%; DG2 load > 98%; DG3 load > 98%; DG4 load > 98% | 200ms | Load shedding of non-thruster heavy consumers on bus B |
| Closed tie-breaker | PMS B | DG1 load > 105%; DG2 load > 105%; DG3 load > 105%; DG4 load > 105% | 200ms | Load reduction command to THR2 and THR4 |
| Closed tie-breaker | DP | Bus A load > 95% | 1 sec | Command signal to THR1 and/or THR3 reduced |
| Closed tie-breaker | DP | Bus B load > 95% | 1 sec | Command signal to THR2 and/or THR4 reduced |
| Closed tie-breaker | THR1 | Bus A+B frequency < 56Hz; Bus A+B voltage < 90% | 200ms | THR1 reduces speed by itself |
| Closed tie-breaker | THR2 | Bus A+B frequency < 56Hz; Bus A+B voltage < 90% | 200ms | THR2 reduces speed by itself |
| Closed tie-breaker | THR3 | Bus A+B frequency < 56Hz; Bus A+B voltage < 90% | 200ms | THR3 reduces speed by itself |
| Closed tie-breaker | THR4 | Bus A+B frequency < 56Hz; Bus A+B voltage < 90% | 200ms | THR4 reduces speed by itself |

The figure below shows how the blackout prevention / load limiting functions may lead to failure propagation, e.g. from the A to the B system (or vice versa). This system thus has to be addressed further. The table below summarizes identified failure modes that will have to be tested in order to verify that no single failure will lead to loss of position.
[Figure: SWBD A + B (closed tie-breaker) with DG1, DG2 on the A side and DG3, DG4 on the B side. kW measurements from DG1 and DG2 go to PMS A and from DG3 and DG4 to PMS B, and the two PMS units exchange them (kW (DG1, DG2) and kW (DG3, DG4)). Bus Hz and V are measured by PMS A, PMS B and each thruster drive. Power limit commands go from both PMS A and PMS B to THR1, THR2, THR3 and THR4 (THR1, THR3 on the A side, THR2, THR4 on the B side).]

Identified failure modes that need to be tested on FAT/Dock/Sea trial:

| Failure mode | Possible worst case consequence |
|---|---|
| One generator power measurement fails to maximum | All thrusters (THR1, THR2, THR3, THR4) will in worst case be reduced to 0% thrust (from both PMS A and PMS B). Need to verify that this is avoided. Possible measure will be to open the tie breaker. |
| One generator fails to full power | All thrusters (THR1, THR2, THR3, THR4) will in worst case be reduced to 0% thrust (from both PMS A and PMS B). Need to verify that this is avoided. Possible measure will be to open the tie breaker. |
| Failure on Bus A or Bus B frequency or voltage measurement to PMS | The PMS receiving the faulty measurement might command load reduction to all thrusters simultaneously. Need to verify that the system checks inconsistency in frequency and voltage measurement and that the system is brought to a safe state in case such failure is detected. |
*** End of example.
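Added illustration (not part of this recommended practice and not any vendor's PMS logic) of the plausibility checks that the examples in D.5.4 and D.5.5 call for with closed tie-breaker: the tie breaker open/closed status feedback, the A/B frequency and voltage measurements, and the per-generator active power measurements. A failed check leads to splitting the system rather than a load reduction command based on faulty data. Function names, tolerances, the 2000 kW generator rating and the sample inputs are assumptions made for the illustration; the 98 % bus load criterion is the example's own.

```python
def tie_status(open_fb: bool, closed_fb: bool) -> str:
    """Two-contact status feedback: exactly one of open/closed may be true."""
    if open_fb != closed_fb:
        return "open" if open_fb else "closed"
    return "invalid"  # both or neither: the signal cannot be trusted

def bus_mismatch(bus_a: dict, bus_b: dict, hz_tol: float = 0.2, pct_tol: float = 1.0) -> list:
    """With closed tie-breaker PMS A and PMS B measure the same bus, so their
    frequency (Hz) and voltage (% of nominal) readings must agree within tolerance."""
    bad = []
    if abs(bus_a["hz"] - bus_b["hz"]) > hz_tol:
        bad.append("frequency")
    if abs(bus_a["volt_pct"] - bus_b["volt_pct"]) > pct_tol:
        bad.append("voltage")
    return bad

def suspect_generators(loads_kw: dict, cb_closed: dict, rated_kw: float, spread_kw: float = 400.0) -> list:
    """Flags a connected generator reading outside the physical range or far from the
    others: a failed measurement, or a generator that has run away to full power."""
    connected = {g: p for g, p in loads_kw.items() if cb_closed[g]}
    flagged = [g for g, p in connected.items() if p < 0 or p > 1.1 * rated_kw]
    for g, p in connected.items():
        others = [q for h, q in connected.items() if h != g]
        if g not in flagged and others and abs(p - sum(others) / len(others)) > spread_kw:
            flagged.append(g)
    return flagged

def pms_decision(inp: dict, rated_kw: float = 2000.0) -> dict:
    """One PMS cycle: any input inconsistency splits the system (tie breaker opened)
    instead of issuing a load reduction that faulty data could turn into a full stop."""
    reasons = []
    status = tie_status(inp["tie_open_fb"], inp["tie_closed_fb"])
    if status == "invalid":
        reasons.append("tie breaker status feedback inconsistent")
    if status == "closed":
        reasons += [f"A/B {m} mismatch with closed tie-breaker"
                    for m in bus_mismatch(inp["bus_a"], inp["bus_b"])]
    reasons += [f"implausible power reading on {g}"
                for g in suspect_generators(inp["loads_kw"], inp["cb_closed"], rated_kw)]
    if reasons:
        return {"action": "open_tie_breaker", "reasons": reasons}
    connected = [p for g, p in inp["loads_kw"].items() if inp["cb_closed"][g]]
    bus_pct = 100.0 * sum(connected) / (rated_kw * max(len(connected), 1))
    if bus_pct > 98.0:  # the example's criterion: bus A+B load > 98 %
        return {"action": "load_reduction_all_thrusters", "reasons": [f"bus load {bus_pct:.1f} %"]}
    return {"action": "none", "reasons": []}

# Constructed sample: four 2000 kW generators on a closed bus; DG1's kW measurement has failed high.
SAMPLE = {
    "tie_open_fb": False, "tie_closed_fb": True,
    "bus_a": {"hz": 60.0, "volt_pct": 100.0}, "bus_b": {"hz": 60.0, "volt_pct": 99.5},
    "loads_kw": {"DG1": 2600.0, "DG2": 1500.0, "DG3": 1500.0, "DG4": 1500.0},
    "cb_closed": {"DG1": True, "DG2": True, "DG3": True, "DG4": True},
}
```

For SAMPLE the decision is to open the tie breaker because of DG1's out-of-range reading; with DG1 at the same 1500 kW as the others the same inputs give no action, and with all four at 1980 kW (99 % bus load) the load reduction command is issued.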
D.5.6 PMS
The analysis of the power management system (PMS) must verify that no single failure in the PMS can violate
the given acceptance criteria. Some relevant issues for the analysis are listed below:
— How is it ensured that a single feedback failure to PMS does not cause violation of the acceptance criteria?
— Can PMS connect a generator (or bus-tie) without synchronization?
— Can PMS cause full load reduction to all running thrusters simultaneously?
— Can PMS decrease generator frequencies to a level that causes risk of automatic load reduction of drives /
tripping of drives?
— Can PMS increase frequency to a level that causes systems to trip?
— Can single PMS operator failure cause blackout?
— What are the consequences of communication failures?
