DNV-RP-D102
The electronic pdf version of this document found through http://www.dnv.com is the officially binding version
This service document has been prepared based on available knowledge, technology and/or information at the time of issuance of this document, and is believed to reflect the best of
contemporary technology. The use of this document by others than DNV is at the user's sole risk. DNV does not accept any liability or responsibility for loss or damages resulting from
any use of this document.
Recommended Practice DNV-RP-D102, January 2012
CHANGES
Main changes:
This is a new document.
CONTENTS
1. General
1.1 Application, objective, and contents of FMEA for redundant systems
2. Definitions
2.1 General definitions
3. Documentation
3.1 General
4. Redundancy Design Intention
4.1 General
4.2 Redundancy design intention and functional redundancy types
4.3 Specification of subsystem or component groups
4.4 Specification and analyses of dependencies
5. Single Failure Propagation in Redundant Systems
5.1 General
5.2 Failures, common causes, and systematic failure propagation
5.3 Barriers and other compensating measures
5.4 Failure propagation analysis at subsystem level
6. Unit and Subsystem FMEA
6.1 Requirements to the unit FMEA including subsystem FMEA
6.2 Allocation of unit requirements to subsystems/component groups
6.3 Comparison of subsystem design intention with subsystem FMEA acceptance criterion
7. FMEA of Subsystems with Redundancy
7.1 General
8. FMEA of Single Sub-Systems
8.1 General
9. Redundant Systems with Physical (Fire and Flooding) Separation
9.1 Separation design intent
9.2 Separation analysis
10. Inspections and Tests
10.1 General
11. FMEA Report and Compliance Statement
11.1 General
Appendix A. IMCA references
Appendix B. DNV references
Appendix C. Typical table of contents for a minimum DP FMEA
Appendix D. Failure modes in electrical power systems operating with closed bus tie(s)
1. General
1.1 Application, objective, and contents of FMEA for redundant systems
1.1.1 The requirements of this guideline apply to failure mode and effect analysis (FMEA) of redundant
systems.
Guidance note 1:
Class notations such as DYNPOS-AUTR, DYNPOS-AUTRO, DPS 2, DPS 3, DYNPOS-ER, RP, RPS, AP-2 and AP-3
require redundancy. An FMEA of the system redundancy is required as part of the verification of the specific
acceptance criterion for the specific notation.
This guideline may also be suitable for other applications, e.g. the IMO requirements for Safe Return to Port.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
This guideline gives no guidance on FMEA of software. However, it requires testing and verification of how the
software responds to relevant failures in the system subject to verification.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
1.1.2 The objective of failure mode and effects analysis of redundant systems in a specified unit (U) is to
provide objective evidence of required redundancy and fault tolerance.
Figure 1-1
(Diagram: unit U with its system boundary, redundant component groups A and B, and the acceptance criteria
reference level at the boundary.)
The redundancy design intent can be visualized by means of one redundant component group diagram (UAB). The
diagram represents the complete physical system: the unit (U) with its system boundary and the two physical
redundant component groups (A and B). The main concepts are the system boundary, the redundant component
groups (illustrated by a minimum of two redundant groups, A and B), and the acceptance criteria reference level,
which refers to the unit system boundary. Note that more than two redundant groups may also be assumed (e.g.
A, B, C, D groups).
Guidance note:
In order to give the reader an introduction to the vessel subject to the FMEA and to the project in general, the FMEA
report should start by giving high-level vessel information, which may typically include: main particulars, yard, yard
number, owner, ship name and identification, vessel type, intended operation, class notations, main equipment
suppliers, FMEA supplier and other relevant information.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
1.1.3 In order to remain valid, the FMEA, the test program, and the test report must at all times during the
operational phase be maintained and updated in case of alterations of the system.
In case of alterations it must be evaluated whether:
— additional FMEA is required
— the test program needs to be updated
— functional testing and/or failure testing is required
— other parts of the documentation need to be updated.
Guidance note:
The requirements for keeping the FMEA documents updated during the operational phase vary between the different
class notations (e.g. DYNPOS-AUTR, DPS 2, RP, AP).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
1.1.4 The FMEA shall specify all vessel operational modes for which it is intended to be valid (minimum one
mode). For each of these vessel operational modes the technical system configuration shall be described and the
prerequisites for achieving the required failure tolerance and redundancy shall be included.
Guidance note:
The vessel operational mode specifies the high level system setup, redundancy design intention and vessel operations.
Examples of vessel operational modes are position keeping, weather vaning, manoeuvring and dredging. It is
understood that vessel operations in this context is a common term comprising vessel operations, control system
modes and industrial functions.
The technical system configuration(s) are prerequisites for establishing the basis for an FMEA, and must be specified
for all relevant configurations. One example is a vessel that has different technical system configurations for
different vessel operational modes; another is a vessel with DYNPOS-AUTRO notation that is intended to also have a
mode based on DYNPOS-AUTR acceptance criteria. In the latter case both modes shall be stated, specified, analysed
and tested in the FMEA.
The technical system configuration includes all technical modes (and combinations of the modes) of all systems that
may influence the redundancy and failure tolerance of the unit. This will typically include, but is not limited to,
control system modes, power plant and thruster configuration, switchboard (AC and DC) configuration and
distribution setup, auxiliary systems setup, valves, breakers, pumps, etc.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
1.1.5 All specified vessel operational modes and technical system configurations that FMEA is intended to be
valid for, shall be analysed and as far as possible be verified by testing.
1.1.6 A failure mode and effect analysis (FMEA) of redundant systems shall as a minimum consist of the
following parts:
— general vessel information
— specification of acceptance criteria,
— specification of the overall system boundary of the unit (U) to be subject for FMEA
— redundancy design intent(s), worst case failure design intent, time requirements, and vessel operational
modes
— specification of all redundant components (e.g. A,B) and single component groups included within the
overall system boundary. The relevant system names, main units, compartments (when applicable), and
their main intended functions shall be presented in a structured manner, supported with a descriptive
narrative text.
— specification of all assumptions related to systems interfaces and dependencies of external systems
— single failure and common cause analysis at unit (U) and subsystem levels (A,B)
— if applicable, separation design intent and descriptions of the installation of redundant component groups
in fire and flooding protected compartments. This also includes cables and communication lines, and
associated equipment.
— a test program identifying tests to verify assumptions and conclusions
— summary and conclusions:
— for each subsystem analysed, the conclusions shall be stated at the end of the specific section
— for the total system, an overall summary covering the main findings from the most critical subsystems.
— a compliance statement referring to the overall system boundary, operational modes, tests, and acceptance
criterion including time requirements shall be stated for the FMEA.
Detailed requirements for above parts are stated in this guideline.
Guidance note 1:
Please observe that the requirements for FMEAs of redundant systems differ from traditional bottom-up FMEAs in
the following respects:
— requirement to state the redundancy design intent
— requirement to specify the acceptance criterion to be complied with
— requirement to refer to full scale testing and sea trials to support the analysis
— requirement to state compliance with the acceptance criterion.
The FMEA documentation shall be self-contained and provide sufficient information to give the necessary overview
of the system.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
In general, an FMEA of a single non-redundant system will normally require a complete breakdown of all parts of the
system, resulting in a large set of possible failure modes with the potential of affecting the function of the system.
Consider, for example, a single engine and single propulsor on a cargo ship. (Normally there is no class requirement
for an FMEA of such single systems.)
On the other hand, an FMEA of a redundant system with a stated overall functional requirement (e.g. no single failure
shall give loss of position) makes it possible to administer the detailed scope of the subsystem FMEAs in a top-down
approach and to limit the detailed analysis. The top-down approach thus avoids detailed and complete FMEAs of
each of the redundant subsystems.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
2. Definitions
2.1 General definitions
2.1.1 Active redundancy (IEC 191-15-02) is that redundancy wherein all means for performing a required
function are intended to operate simultaneously.
2.1.2 Acceptance criterion/criteria are to be stated as the maximum accepted consequence of failure. The
acceptance criterion/criteria should be referring to the system boundary level.
Guidance note:
For the unit level the class notation requirements will normally be the acceptance criterion.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
2.1.3 Ageing failure, wear-out failure (IEC 191-04-09): a failure whose probability of occurrence increases with the
passage of time, as a result of processes inherent in the item (random failure).
Ageing or random failure: an ageing or random failure of a component or a subsystem is characterised by the fact
that the failure may occur at any time; the time of the failure event cannot be stated in advance to fall within a
specified period.
Figure 2-1
For a random failure, the time to the failure event is random.
2.1.4 Benign failure modes, a term used for the subset of failure modes which primarily affect only the
subsystem itself and have minor effect with regard to propagation leading to critical failures in other
subsystems.
Guidance note:
A typical benign failure mode is loss of power output, whereas overvoltage will be considered a non-benign failure
mode.
There is a need to define which possible states a system may enter after a failure. It cannot be assumed that a
system or component is simply lost (absence of function). The system or component may enter a state affecting
other units. Detailed analysis of basic functionality may have to be done at single failure level; e.g. a faulty input
from a draft sensor, a wind sensor, or a common reference signal may affect more than one redundancy group.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
2.1.5 Common cause failures (IEC 191-04-23), failures of different items, resulting from a single event, where
these failures are not consequences of each other
2.1.6 Common mode failures (IEC 191-04-24), failures of items characterized by the same fault mode.
Note:
Common mode failures should not be confused with common cause failures as the common mode failures may result
from differing causes.
---e-n-d---of---N-o-t-e---
2.1.7 Common component group, represents components, physical connections, and dependencies between
the redundant component groups.
2.1.8 Component group is a specified set of components or sub-systems within a specified component group
boundary.
2.1.9 Dependent systematic failures: the unacceptable failure situations for redundant systems are related to
failures in two or more redundant groups, where the second failure occurs in a systematic manner within
the stated acceptable time requirement. The most critical situations are related to systematic failure propagation
in the following situation:
— systematic failure propagation between dependent systems or common components.
2.1.10 Failure (ISO 14224, 3.15): termination of the ability of an item to perform a required function
NOTE 1: After the failure, the item has a fault.
NOTE 2: “Failure” is an event, as distinguished from a “fault,” which is a state.
NOTE 3: This concept as defined does not apply to items consisting of software only.
2.1.11 Failure cause (IEC 191-04-17): The circumstances during design, manufacture or use which have led
to a failure.
2.1.12 Failure mode (ISO 14224, 3.20): The effect by which a failure is observed on the failed item.
Figure 2-2
Failure mode observed at boundary
2.1.14 Fail safe (IEC 90-191) is a design property of an item which prevents its failures from resulting in
critical faults
2.1.15 Hidden failure (ISO 14224, 3.24), a failure that is not immediately evident to operations and
maintenance personnel.
Guidance note:
NOTE: Equipment that fails to perform an "on demand" function falls into this category. Such failures must be
revealed through checks.
Monitoring and periodical testing/verification should be performed in order to ensure sufficient availability of such
functions. Protective functions, e.g. in power plants and switchboards, are typical examples of on demand functions
where possible hidden failures should be considered.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
2.1.16 Primary failure (IEC 191-04-15), a failure of an item, not caused either directly or indirectly by a failure
or a fault of another item (also see secondary failure).
2.1.17 Redundant (IEC 90-191-15), in an item, the existence of more than one means for performing a required
function.
2.1.18 Redundant component groups (subsystems) are two or more component groups which represent two or
more means for performing a required function.
2.1.19 Redundancy design intent, the redundancy design intention refers to the redundant component groups which
constitute the overall system design for a given system operational mode and technical system configuration.
2.1.20 Secondary failure (IEC 191-04-16), a failure of an item, caused either directly or indirectly by a failure
or a fault of another item (cascading failure).
2.1.21 Separation design intent, the separation design intention refers to the separated redundant component
groups which constitute the overall system design for a given system operational mode and technical system
configuration.
2.1.22 Simultaneous independent failures, an ideal feature of redundant systems is that possible failure events
occur statistically randomly and independently. This implies that a failure in the A sub-system and
another failure in the B sub-system occurring independently within an acceptable time requirement period
(simultaneously) is acceptable according to the class requirements in the DP, AP and RP class notations where
redundancy is required.
2.1.23 Standby redundancy (IEC 191-15-03), that redundancy, wherein a part of the means for performing a
required function is intended to operate, while the remaining part(s) of the means are inoperative until needed.
2.1.24 System boundary, is a closed imaginary shell around all components assumed within the specified
system.
Guidance note:
The system boundary can be considered as the ‘End item’ concept used in IEC 60812.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
2.1.25 Systematic failure, reproducible failure (IEC 191-04-19), a failure related in a deterministic way to a
certain cause, which can only be eliminated by a modification of the design or of the manufacturing process,
operational procedures, documentation or other relevant factors.
Guidance note 1:
Corrective maintenance without modification will usually not eliminate the failure cause.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
A systematic failure can be induced at will by simulating the failure cause.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Figure 2-3
(Diagram: systematic, reproducible failure; the failure event follows the failure cause within a limited time.)
For a systematic failure, the time from the failure cause being present until the failure event is limited. For example,
an electronic component exposed to 1000°C will fail within 10 minutes.
2.1.26 Technical system configuration, the technical system configuration includes all technical modes (and
combinations of the modes) of all systems that may influence the redundancy and failure tolerance of the unit.
This will typically include but is not limited to e.g., control system modes, power plant and thruster
configuration, switch board (AC and DC) configuration and distribution setup, auxiliary systems setup, valves,
breakers, pumps, …).
Guidance note:
The technical system configuration(s) are prerequisites for establishing the basis for an FMEA, and must be specified
for all relevant configurations. One example is a vessel that has different technical system configurations for
different vessel operational modes; another is a vessel with DYNPOS-AUTRO notation that is intended to also have a
mode based on DYNPOS-AUTR acceptance criteria. In the latter case both modes shall be stated, specified, analysed
and tested in the FMEA.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
2.1.27 Time requirement, the minimum required time duration for which the residual remaining capacity as
defined by the worst case failure design intent shall be available.
Guidance note:
The time requirement will normally be governed by the maximum time necessary to safely terminate the on-going
operations after the worst case single failure, given the residual remaining capacity. All relevant operational scenarios
which the vessel performs and/or participates in, must be considered when deciding the time requirements. This time
requirement must be fulfilled by the design, and the way the vessel is technically configured (technical system
configuration) and operated.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
2.1.28 Unit, the complete physical system (e.g. vessel) in which the redundant system (e.g. DP system) to be
analysed is included.
2.1.29 Vessel operational mode(s), the vessel operational mode specifies the high level system setup and
redundancy design intention for a specified set of vessel operations. Examples of vessel operations are
position keeping, weather vaning, manoeuvring, dredging and diving.
Guidance note:
The FMEA must as a minimum specify one vessel operational mode. In case more than one mode is intended,
each mode must be specified. It is understood that vessel operations in this context is a common term comprising
vessel operations, control system modes and industrial functions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
2.1.30 Worst case failure design intent, the worst case failure design intent shall refer to the minimum
remaining capacity after any relevant single failure or common cause (for a given operational mode).
2.1.31 Zone is a confined space with fire and flooding protection.
3. Documentation
3.1 General
3.1.1 The documentation listed in Table 3-1 is required for the approval and test work process related to failure
mode and effect analyses for redundant systems.
Table 3-1 Documentation requirements
Documentation type: Failure mode and effect analysis
Information elements:
1) Introduction to FMEA: system boundary and redundant component groups; acceptance criterion/criteria
2) Summary and conclusions
3) Redundancy design intent and operational modes
4) Single failure propagation analysis
5) Unit FMEA and subsystem FMEA
6) Separation design intent and separation verification
7) Compliance statement
8) References
Documentation type: FMEA test procedure
Information element:
9) Test procedure. Each test or inspection activity shall be described by:
— test purpose and reference to analysis
— test setup
— test method
— expected results and acceptance criteria
— observation and results of test
— space for notes and conclusions
Documentation type: FMEA report
Information element: The updated FMEA and the test records shall, together with the findings, conclusions
and test summary, be compiled into an FMEA report.
Figure 4-1
The general concept of redundant systems and component groups
Guidance note:
Redundancy within the unit boundary level means that there is more than one means for performing a required
function. The redundancy design intention by means of component groups shall specify how the redundant parts are
intended to be organised, documented and denoted in the FMEA for redundant systems.
The redundancy design intention for a redundant component group (A-B) shall specify if and how components in
groups A and B are connected. There are basically three situations in which redundant systems or component groups
can be organised and described:
i) In the first, no component belongs to both A and B.
ii) In the second, some common components belong to both A and B (intersection between A and B), e.g.
common passive parts in a cooling water system.
iii) In the third, no component belongs to both A and B, but A and B are connected by components in a common
component group X (e.g. main switchboards SWBA and SWBB connected by a bus tie, SWBX).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
4.2.4 All redundant groups shall be documented to be able to operate as specified in the redundancy design
intention, including the functional redundancy type, and according to the stated acceptance criterion/criteria.
Guidance note 1:
Example of how to illustrate the redundancy design intention for a ship with one main and one alternative
propulsion system, as required by the additional class notation AP-2 (also refer to section A).
Figure 4-2
(Diagram: unit U with main propulsion system P1A, alternative propulsion system P2B and common auxiliaries AUX.)
The acceptance criteria shall be related to a specific reference level as indicated above. For class notation
AP-2(a%)(+): it shall be possible to engage the alternative propulsion system within maximum 5 minutes after
failure of the main propulsion system (and this shall be possible from the bridge).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
Example with DP system and 4 thrusters
Figure 4-3
(Left and middle: thruster arrangement with redundant groups A {T1A, T3A} and B {T2B, T4B}. Right: fault tree
with top event "Loss of position/heading" as the OR of "Drift off", with inputs "Loss of A positioning" and "Loss
of B positioning", and "Drive off", with inputs "A drive off" and "B drive off".)
The arrangement of the redundant thruster groups is indicated in the figure to the left and in the middle above.
The loss of position event is illustrated by a fault tree and divided into the drift off and drive off events.
The redundancy design intention in this example may be described in a narrative way, by describing both the
normal operation mode and the failed operation mode.
The same redundancy design intention may alternatively be described in a logic description/Boolean style:
Please note that the OR (inclusive OR) operator in a Boolean expression, e.g. A OR B, is true if either (A or B) or (A
and B) is true. Another way of expressing this is that A OR B means the same as A and/or B.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 3:
Example with 5 thrusters and two operational modes
Figure 4-4
(Diagram: thrusters T1A, T3A in group A and T2B, T4B in group B, plus thruster T5; diesel generators DG1A, DG2A
on the A side and DG3B, DG4B on the B side.)
Example indicating a vessel with 5 thrusters
The above redundancy design intentions for the 5 thrusters in operational modes 1 and 2 can alternatively be
expressed in a more logical or Boolean style as indicated below:
Operational mode 1
Operational mode 2
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 4:
Example with a rig with 8 thrusters, 2 in each corner of the rig, two pontoons.
Figure 4-5
(Diagram: thrusters T1A, T2A in group A; T3B, T4B in group B; T5C, T6C in group C; T7D, T8D in group D.)
Example indicating a rig with 8 thrusters, 2 in each corner of the rig, two pontoons
The redundancy design intention may be expressed in a short narrative manner as indicated below:
Alternatively the redundancy design intention may be expressed in a more logical or Boolean style:
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
4.3.3 Components which connects redundant component groups or are common for redundant component
groups shall be specified as:
— common component groups, or
— groups required (dependent) for operation of the redundant groups.
Figure 4-6
The general concept of redundant systems and component groups
Guidance note:
— Connections between redundant groups shall be identified and represented as cross component groups (e.g.
denoted X groups) or common components.
— The intention with the X groups is to represent the components or installations which may constitute any means
of propagating failure effects from one redundant group to the corresponding redundant group (example: the
main switchboard on the A side is denoted SWBA and the B side SWBB; a bus tie between the two switchboard
sides could be denoted SWBX).
— Fuel line crossovers, connected cooling water systems and common software modules are examples of common
component groups and could be denoted X group components.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
4.3.4 All redundant and common component groups shall be presented in structured manner by means of block
or component group diagrams, logic descriptions, tables or drawings covering the high level description of the
redundant systems.
4.4 Specification and analyses of dependencies
4.4.1 All subsystem or component dependencies shall be identified and documented in a structured manner by
means of tables, logic descriptions, drawings, or diagrams. This system mapping shall be performed both for
dependencies within the redundancy groups and between the redundancy groups.
Guidance note 1:
All system dependencies shall be identified in tables, or by equivalent means, in which main equipment such as engines,
generators, thrusters, electrical power switchboards etc. are grouped together to form self-contained systems, each of
which is capable of maintaining a residual position keeping capability in a worst case single failure incident.
This identification process shall involve all equipment dependencies belonging to each redundant component group.
The redundancy may be documented with the aid of a tag numbering system where one redundant part system is clearly
distinguishable from the other redundant part.
Figure 4-7
(Diagram: system group A with lube oil, fuel oil, freshwater, ... supplies to thrusters T1 and T3; system group B with
lube oil and fuel oil supplies to thruster T2.)
Illustration of DP thrusters and DP thruster system dependencies in a diagram
The intention with this system dependency mapping is to identify all interconnections between redundant part
systems, hardware- or software-wise, and prepare for analysis with regard to potential failure propagation within and
across the redundant system boundaries.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
Example related to class notation alternative propulsion (AP-2)
Figure 4-8
(Diagram: unit U with propulsion systems P1A and P2B and common auxiliaries AUX.)
Illustration of propulsion system for redundant notation AP-2
Dependency statements:
Normal operation mode dependency: P1A dependent on {MV1A, GenSet1, MSB1, Prime mover1, Propulsor1, AUX, …}
Failed operation mode dependency: P2B dependent on {MV2B, GenSet2, MSB2, Prime mover2, Propulsor2, AUX, …}
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 3:
Example with 4 thrusters and 4 diesel generators for a DP-2 notation
Figure 4-9
(Diagram: four generators G, two on switchboard SWBA and two on switchboard SWBB.)
Example of vessel system with 4 thrusters and 4 diesel generators for a DP-2 notation.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 4:
Example with 5 thrusters and 5 diesel generators and DP-2 notation
Figure 4-10
(Diagram: DG1A and DG2A on switchboard SWBA, DG3B and DG4B on switchboard SWBB, bus tie SWBX between
them; DG5 and thruster T5 connected to both sides, marked 50% / 50%; four thruster motors M.)
Example of vessel system with 5 thrusters and 5 diesel generators for a DP-2 notation
Two operational modes are defined for the above system with 5 thrusters. The difference between these two modes
is that the DG5 generator supports either the B group thrusters (mode 1) or the A group thrusters (mode 2).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 5:
Example of system mapping of redundant DP control system:
[Figure 4-11 (diagram): redundant DP control system with its control system boundary marked]
Figure 4-11
Example of redundant DP control system
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Figure 5-1
Common component X causing failures in A and B
Figure 5-2
Common cause failure, resulting from a single event related to U, i.e. either as an external common cause
(ECC) or an internal common cause (ICC). (E.g. fire and flooding, gas into air intakes, environment, vibration,
high seas affecting contamination in fuel tanks, shocks, humidity, EMC,….)
Figure 5-3
Primary failure in subsystem A propagating to a secondary failure in subsystem B (e.g. ignition, fire, heat,
vibration, network storm in A propagating to B)
The above examples are of course not exhaustive and should not limit the scope of failure mode identification in the
FMEA. The above principles may be combined in numerous ways and two typical combinations are given in Figure
5-4.
Figure 5-4
Primary failure in X propagating to A and B and then leading to secondary failures in A and B. The failure
propagation from X may also be described as a common cause for the failures in A and B (left figure). In the
right figure common causes lead directly to failures in A, X, and B.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
5.2.3 The overall requirement is that the redundant systems shall not fail so that the accept criteria and the
redundancy design intent are violated within the defined time requirement. These considerations shall cover all
relevant system operational modes and other relevant conditions (e.g. environmental).
5.2.4 For a given system, the selection of scope of relevant failures, common causes, and time requirements,
shall be given by the applicable requirements e.g. classification rules.
Guidance note:
In addition to software and hardware failures,
- any combination of hidden failures, and
- possible effects of inadvertent acts of operation
should be considered if reasonably probable.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 1:
Requirements to barriers (e.g. protective functions, physical separation, etc.) or compensating measures may
typically be guided by e.g. classification rules.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
The red (bold) lines in the figures below indicate where (how) barriers to prevent systematic failure propagation for
common component failures, common cause failures, and primary/secondary failures can be visualised.
Figure 5-5
Barriers indicated by red bold lines to prevent internal common causes (ICC) or external common causes
(ECC)
Figure 5-6
Barriers indicated by red bold lines to prevent primary failures from propagating to secondary failures
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
A failure mode is the effect by which a failure is observed on the failed item (subsystem boundary).
Figure 5-7
Primary failure in subsystem A propagating to a secondary failure in subsystem B e.g. fire, vibration, network
storm in A propagating to B.
Note that the failure mode description is related to the failure effect at the subsystem boundary. The descriptions of
the initial causes or internal component failures within the boundary are not necessary in order to describe failure
modes (e.g. lubrication pump failure, engine shutdown, Engine to full power, Loss of power to auxiliaries for
governor, Generator under-excitation, Generator over-excitation …). However, examples of initial failure (e.g. fuel
starvation, pipe rupture, clogged filter) for a given failure mode (e.g. under frequency of generator), should support
the analysis in order to justify the relevance of the failure mode.
Failures within A have to be identified to such an extent that all failure modes at the A system boundary will be
identified. Please observe that failures which have no effect at the subsystem boundary, need not be elaborated in the
failure mode propagation analysis. On the other hand, all failures giving the same failure effect at the system boundary
can be considered as one failure mode in the failure mode propagation analysis.
[Figure 5-8 (diagram): redundant GPS A and GPS B both exposed to an external common cause ECC]
Figure 5-8
Common cause failure, resulting from a single event related to U, i.e. either as an external common cause
(ECC) or an internal common cause (ICC). (E.g. GPS satellite signals to redundant GPS systems, fire and
flooding, gas into air intakes, environment, vibration, high seas affecting contamination in fuel tanks, ship
heeling, shocks, humidity, EMC,….)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Figure 5-9 illustrates the main principles for failure mode propagation in a redundancy design intention table:
[Figure 5-9 (diagram): redundancy design intention table by redundant and common component groups, with a common cause acting on the groups]
Figure 5-9
Failure modes may propagate from subsystems to other subsystems or from common causes outside the component
groups. The overall task is to identify possible failure modes which may affect the overall redundancy design
intention within the time requirements.
5.4.5 All relevant failure modes for each subsystem shall be identified. As a result of the failure investigation,
the following information elements shall be documented in an organised manner e.g. by means of a worksheet.
As a minimum the following information elements shall be provided:
— each component group and subsystem assumed to have a single failure
— identify potential failure modes at each component and possible common causes
— initial failure or common cause as justification for including the failure mode
— identify failure detection methods
— effect on other subsystems
— barriers or compensating measures for the failure mode
— end effect at unit level
— reference to inspection, testing, and verification necessary to prove and support the conclusions.
Guidance note:
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
5.4.6 The failure propagation analysis for each subsystem shall conclude on the following questions:
— Can any single failure mode in the subsystem propagate so that it violates the unit acceptance criterion?
— Can the conclusions be verified by testing? Refer to specific test in a test program.
— If not possible to test, then is there a need for further verification of functionality or compensating
measures?
— Is there a need for further failure analysis inside the subsystem boundary? (e.g. for FMEA of thrusters, DP
control systems, mode selector, PMS…). Refer to subsystem FMEA for single and redundant subsystem.
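The following is an added example, not part of this recommended practice, of the single failure propagation analysis that 5.4.5 and 5.4.6 call for, written in Python. It fails each component and each listed common cause in turn, propagates the failure along dependency statements in the style of section 4, and judges the end effect against the unit criterion ((T1 AND T3) OR (T2 AND T4)) used on this page. Component names follow the page's examples; the wiring between them, the shared AUX system and the common cause events are constructed assumptions, and only loss-of-function failure modes are modelled (the "no drive off" requirement is not).

```python
"""Single failure propagation analysis over constructed dependency statements.

Every component and every listed common cause is failed in turn, the failure is
propagated along the dependency statements, and the end effect at unit level is
judged against the unit acceptance criterion ((T1 AND T3) OR (T2 AND T4)).
"""

# Dependency statements in conjunctive form: a component is lost when, for any of
# its requirement groups, every alternative in that group is lost. The wiring is
# an assumption made for this example; names follow the page's figures.
DEPENDENCIES = {
    "SWBA": [{"DG1A", "DG2A"}],            # switchboard A needs at least one A generator
    "SWBB": [{"DG3B", "DG4B"}],
    "T1A": [{"SWBA"}, {"IOA1"}, {"AUX"}],  # AUX is a deliberately shared (common) component
    "T3A": [{"SWBA"}, {"IOA2"}, {"AUX"}],
    "T2B": [{"SWBB"}, {"IOB1"}, {"AUX"}],
    "T4B": [{"SWBB"}, {"IOB2"}, {"AUX"}],
}

# Constructed common causes: one event fails every component in its set.
COMMON_CAUSES = {
    "fire in engine room A": {"DG1A", "DG2A", "SWBA"},
    "fire in engine room B": {"DG3B", "DG4B", "SWBB"},
    "loss of AUX cooling": {"AUX"},
}


def all_components():
    """Every component named anywhere in the dependency statements."""
    comps = set(DEPENDENCIES)
    for groups in DEPENDENCIES.values():
        for group in groups:
            comps |= group
    return sorted(comps)


def propagate(initial_failed):
    """Closure of the failed set under the dependency statements (fixpoint)."""
    failed = set(initial_failed)
    changed = True
    while changed:
        changed = False
        for comp, groups in DEPENDENCIES.items():
            if comp not in failed and any(group <= failed for group in groups):
                failed.add(comp)
                changed = True
    return failed


def unit_criterion_met(failed):
    """Unit acceptance criterion from the page: (T1 AND T3) OR (T2 AND T4)."""
    up = lambda c: c not in failed
    return (up("T1A") and up("T3A")) or (up("T2B") and up("T4B"))


def worksheet():
    """One row per single failure and per common cause, with the 5.4.5 elements
    that this model can fill in: effect on other subsystems and unit end effect."""
    rows = []
    events = [(c, {c}) for c in all_components()] + list(COMMON_CAUSES.items())
    for name, initial in events:
        failed = propagate(initial)
        rows.append({
            "event": name,
            "effect_on_other_subsystems": sorted(failed - initial),
            "end_effect_at_unit_level": "OK" if unit_criterion_met(failed) else "VIOLATED",
        })
    return rows


def violations():
    """Events whose end effect violates the unit acceptance criterion."""
    return [r["event"] for r in worksheet() if r["end_effect_at_unit_level"] == "VIOLATED"]


if __name__ == "__main__":
    for row in worksheet():
        print(f'{row["event"]:24} lost {row["effect_on_other_subsystems"]} -> {row["end_effect_at_unit_level"]}')
```

The rows marked VIOLATED are the failures that the FMEA must either show to be stopped by a barrier (5.3) or report as findings; in this constructed example they are the shared AUX system and the common cause that removes it, which is the point of listing common components explicitly.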
5.4.7 In general, conclusions in the theoretical analysis shall be verified by testing. If testing is considered not
possible or not necessary, such statements shall be justified in the FMEA with sufficient conclusions (evidence,
proof…).
5.4.8 The results of the FMEA of all subsystems shall be compiled and form the result of the unit FMEA. The
unit FMEA shall cover the entire unit with all its relevant systems and components. The unit FMEA shall relate
to the overall acceptance criteria including time requirements and shall provide conclusive evidence of
compliance with the criteria.
[Figure 6-1 (diagram): left, unit with redundant groups A and B and redundant subsystem C (IO A, IO B; MA, MB); right, unit with redundant groups A and B and single subsystem C (IO; M); the subsystem C boundary and acceptance criterion are marked in both]
Figure 6-1
In the left figure above an FMEA of redundant subsystem C (e.g. redundant control system) is illustrated. In
the right figure above, an FMEA of a single system C (e.g. thruster) is illustrated. In both cases the acceptance
criteria at the unit boundaries should be clarified (allocated) at the subsystem C boundary.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
Example: Allocation of redundancy design intention from unit level to subsystem level for redundant DP control
system:
The unit redundancy design intention for the system is described by the redundancy design intention diagram below:
[Figure 6-2 (diagram): redundant DP control system with its control system boundary marked]
Figure 6-2
Redundant automatic DP control system.
At the DP control system boundary level the thrusters are connected to IO modules inside the DP control system as
indicated below:
IOA1 connected to T1
IOA2 connected to T3
IOB1 connected to T2
IOB2 connected to T4
The dependency statements including the redundancy design intent for the thrusters are therefore:
The redundancy requirement to the DP control system will therefore be the input to the single failure analysis of the
DP control system. The analysis of the DP control system may either be carried out as a part of the unit (vessel) FMEA
or the FMEA may be delivered as a part of the subsystem delivery. In both cases, the unit FMEA shall handle the
comparison between the analyses at the subsystem boundary.
As an alternative to the logic expressions in this example the allocation may be stated in a more narrative manner.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 3:
Example: Allocation of requirements to a single thruster system boundary
Example with 4 thrusters and 4 diesel generators for a DP-2 notation
[Figure 6-3 (diagram): four generators G feeding switchboards SWBA and SWBB, each supplying two thrusters]
Figure 6-3
Example of vessel system with 4 thrusters and 4 diesel generators for a DP-2 notation.
A benign failure in thruster T1A (causing stop) will affect the positioning capability of the A thruster group. It must be
assumed that the A group (T1A AND T3A) has reduced capacity. This is acceptable as long as the single benign failure
is assumed not to affect the redundant group (T2B AND T4B). For that reason there will be no need to allocate a
functional requirement of normal function of T1A in the case of a single benign failure mode and then it will not be
necessary to do detailed analysis of the thruster inside the thruster boundary with regards to all other benign failure modes.
However, there will be a functional requirement to the T1A that it shall not fail to an uncontrolled thrust output
possibly leading to drive off. This requirement must be allocated to the subsystem thruster FMEA. The requirement
will serve as the starting point for the subsystem single failure analysis of T1A.
6.3 Comparison of subsystem design intention with subsystem FMEA acceptance criterion
6.3.1 The objective of section 6.3 is to provide explanatory examples of how the subsystem design intention shall
be compared with the overall unit design intention in the unit FMEA in order to verify that intentions are consistent.
Guidance note 1:
Typical examples of subsystem FMEAs delivered by other parties than the unit FMEA supplier are control system
manufacturers' FMEAs of their own deliverables into the project.
A prerequisite for performing the comparisons as described here is that the FMEAs of the subsystems are available
and that they contain the necessary information elements as required by this standard.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
Example: Redundant DP controller subsystem.
Task: Compare requirements for a redundant subsystem FMEA for a DP control system with the unit redundancy
design intent at DP control unit boundary level.
[Figure 6-4 (diagram): automatic DP control system with control system boundary and connecting components X marked]
Figure 6-4
The automatic DP control system and the control system boundary are shown. The redundancy design intent
for dual DP control systems is indicated. Connecting components (X) between redundant control components
are also indicated.
Operation before single failure: (T1A AND T3A) AND (T2B AND T4B) (active redundancy)
Operation after single failure: ((T1A AND T3A) OR (T2B AND T4B))
meaning that the acceptance criterion for the thruster groups is assumed to be ((T1 and T3) OR (T2 and T4)) assuming
a single failure.
Normal operation before failure: (IOA1 AND IOA2) AND (IOB1 AND IOB2)
Operation after single failure: ((IOA1 AND IOA2) OR (IOB1 AND IOB2)) AND (NO DRIVE OFF (IOA1 AND IOA2 AND IOB1
AND IOB2)), i.e. one IO group to be running and no drive off of any thruster IO
meaning that the acceptance criterion for the DP control system is that no single failure shall lead to loss of more than
one redundancy group.
Conclusion: This means that the DP control system acceptance criterion is compliant with the criterion at the thruster
group level.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 3:
Example based on other DP control system.
[Figure 6-5 (diagram): DP control system inside the DP system, inside the Vessel]
Figure 6-5
DP control system (example provided by Kongsberg Maritime)
For a DP control system the DP control system FMEA redundancy design intention may be defined at the system
boundary and the I/O (RMP) modules connected to the thruster control systems.
[Figure 6-6 (diagram): DP control system with interfaces X1, X2, X3, X5 and X6 to thruster groups T1A&T3A and T2B&T4B; DP system boundary; U: Unit, Vessel]
Figure 6-6
Vessel boundary, DP system boundary, DP control system, and interfaces. The redundancy design intent for
the control system shall be specified at the control system (subsystem) boundary.
The allocated unit requirement to the outside boundary of the DP control system can be expressed in e.g. a logic or
Boolean style of design intention:
Normal operation before single failure: RMPA AND RMPB AND RMPC AND RMPD (active redundancy)
Single failure operation: (RMPA AND RMPB) OR (RMPC AND RMPD)
The internal DP control redundancy design intent for the equipment:
Normal operation before failure: RMPA AND RMPB AND RMPC AND RMPD
Single failure operation: 3 out of {RMPA, RMPB, RMPC, RMPD} are working, one RMP is failed
Conclusion: The allocated unit requirement (upper table) will always be true, both for normal operation and for
operation with failure, given that the lower set of requirements is true. The reason is that if 3 out of 4 RMPs are
working, then one of the A or B groups will be able to position. This result also follows from the fact that the lower
requirement (inside the DP control system boundary) is stricter than the redundancy design requirement at the DP
system (outside) boundary.
The above situation may be illustrated by the following enlarged part of the above figure:
Figure 6-7
The allocated redundancy requirements (single failure operation) to the DP control system are compared with
the requirements (single failure operation) assumed by the DP control system manufacturer. The comparison
shall be carried out in the unit FMEA. In this case it can be seen that the subsystem FMEA is consistent with
the allocated requirements from the unit FMEA, as the requirements at the outside boundary will always be true if the
DP control system requirement is true.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
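The comparison made in guidance notes 2 and 3 of 6.3 (that the subsystem criterion implies the allocated unit criterion) can be checked mechanically. The Python below is an added example, not part of this recommended practice or of any manufacturer's FMEA: the RMP and IO module names, the IO-to-thruster connections and the Boolean criteria are the page's, while the exhaustive truth-table check over every combination of working and failed components is the constructed part. The "no drive off" term of guidance note 2 is not modelled, since it is a failure mode rather than a loss of a module.

```python
"""Checking that a subsystem redundancy design intent implies the allocated one.

A subsystem FMEA criterion is consistent with the allocated unit criterion when
every state allowed by the subsystem criterion also satisfies the allocated one.
With a handful of components the check is an exhaustive truth table.
"""
from itertools import product

RMPS = ("RMPA", "RMPB", "RMPC", "RMPD")
IO_MODULES = ("IOA1", "IOA2", "IOB1", "IOB2")
# IO module to thruster connections as given on the page.
IO_TO_THRUSTER = {"IOA1": "T1", "IOA2": "T3", "IOB1": "T2", "IOB2": "T4"}


def allocated_rmp_intent(up):
    """Allocated unit requirement at the DP control system boundary, single
    failure operation: (RMPA AND RMPB) OR (RMPC AND RMPD)."""
    return (up["RMPA"] and up["RMPB"]) or (up["RMPC"] and up["RMPD"])


def manufacturer_rmp_intent(up):
    """Internal DP control system intent, single failure: 3 out of 4 RMPs working."""
    return sum(1 for m in RMPS if up[m]) >= 3


def io_intent(up):
    """DP control system criterion of guidance note 2, loss-of-IO part:
    (IOA1 AND IOA2) OR (IOB1 AND IOB2)."""
    return (up["IOA1"] and up["IOA2"]) or (up["IOB1"] and up["IOB2"])


def thruster_intent_via_io(up):
    """Unit thruster criterion (T1 AND T3) OR (T2 AND T4), with a thruster counted
    as available only when the IO module it is connected to is available."""
    t = {IO_TO_THRUSTER[m]: up[m] for m in IO_MODULES}
    return (t["T1"] and t["T3"]) or (t["T2"] and t["T4"])


def counterexamples(stricter, weaker, components):
    """States (as sets of failed components) where `stricter` holds but `weaker`
    does not. An empty list means `stricter` implies `weaker` in every state."""
    found = []
    for bits in product((True, False), repeat=len(components)):
        up = dict(zip(components, bits))
        if stricter(up) and not weaker(up):
            found.append({c for c in components if not up[c]})
    return found


def is_consistent(subsystem_intent, allocated_intent, components):
    """True when the subsystem FMEA criterion is at least as strict as the allocated one."""
    return not counterexamples(subsystem_intent, allocated_intent, components)


if __name__ == "__main__":
    print("RMP: manufacturer intent => allocated intent:",
          is_consistent(manufacturer_rmp_intent, allocated_rmp_intent, RMPS))
    print("RMP: allocated intent => manufacturer intent:",
          is_consistent(allocated_rmp_intent, manufacturer_rmp_intent, RMPS))
    print("IO : control system criterion => thruster group criterion:",
          is_consistent(io_intent, thruster_intent_via_io, IO_MODULES))
```

The second RMP check deliberately runs the implication the other way: the allocated criterion accepts a state with RMPC and RMPD both failed, which "3 out of 4" rejects, so the manufacturer's criterion is the stricter one and the comparison in the unit FMEA only needs the first direction.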
Guidance note 4:
Example: Single thruster subsystem
The unit FMEA must compare the requirements to a manufacturer FMEA for a single thruster controller and the
allocated unit redundancy design intent at the thruster boundary level. The unit acceptance criterion for the thruster
groups is assumed to be ((T1 and T3) OR (T2 and T4)) and in addition that no thruster shall give drive off.
The acceptance criterion for the thruster controller is that a single failure in the thruster control system shall neither
cause significant increase in thrust output nor make the thruster rotate. Further on there is no requirement to
redundancy inside the boundary since the redundancy design intent is specified at a higher level.
Conclusion: This means that the manufacturer subsystem FMEA criterion is compatible with the unit FMEA at the
subsystem boundary level.
[Figure 6-8 (diagram): thruster with its Cooling, Lubrication, Ventilation and Aux supplies]
Figure 6-8
Thruster example provided by Brunvoll
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
[Figure 7-1 (diagram): unit with redundant groups A and B and redundant subsystem C (IO A, IO B; MA, MB); subsystem C boundary and acceptance criterion marked]
Figure 7-1
Unit and subsystem boundaries
7.1.2 A failure mode and effect analysis (FMEA) of redundant subsystems shall as a minimum consist of the
following parts:
— general information
— acceptance criteria at the subsystem boundary level
— the overall subsystem boundary to be subject for FMEA
— redundancy design intent(s), worst case failure intent, time requirements, and system operational modes
— all redundant components and single component groups included within the subsystem boundary. The
relevant system names, main units, compartments (when applicable), and their main intended functions
shall be presented in a structured manner, supported with a descriptive narrative text.
— all assumptions related to systems interfaces and dependencies of external systems
— single failure and common cause analysis at subsystem levels
— if applicable, description of the installation of redundant component groups in fire and flooding protected
compartments. This also includes cables and communication lines, and associated equipment.
— a reference to a test program to support the conclusions shall be included or referred
— summary, and conclusions
— a compliance statement referring to the sub-system boundary, operational modes, tests, and acceptance
criterion including time requirements shall be stated.
Guidance note:
[Figure 7-2 (diagram): Vessel boundary enclosing the DP system and part of the DP control system]
Figure 7-2
System boundaries for vessel, DP system and part of DP control system. The interfaces between the I/O
modules (RMP) and thrusters are indicated. (Example and figure provided by KM).
Operation without failure: 4 out of {RMPA, RMPB, RMPC, RMPD} = RMPA AND RMPB AND RMPC AND RMPD
Operation with single failure: 3 out of {RMPA, RMPB, RMPC, RMPD}
Redundancy design intention table (columns: A, B, C, X-components, Comments):
— A: PSU A from UPS A; B: PSU B from UPS B; X-components / Comments: Fire, flooding (DPC cabinet)
— A: RSER A*; B: RSER B*; C: RSER C*; X-components: X4, X6; Comments: Dedicated RSER-module for each sensor group
Table shows redundancy design intention for RMP (A, B, C, D) modules and A, B, C groups (Courtesy KM).
The single failure mode propagation analysis can be based on the above table and diagrams.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
[Figure 8-1 (diagram): unit boundary and acceptance criterion; redundant groups A and B; single subsystem C (IO; M) with its subsystem boundary and acceptance criterion marked]
Figure 8-1
Illustration of a unit boundary with two redundant systems A and B. System C is assumed to be a single system
and the manufacturer may deliver the FMEA for this subsystem.
8.1.2 A failure mode and effect analysis (FMEA) of a single subsystem shall as a minimum consist of the
following parts:
— general information
— acceptance criteria at the subsystem boundary level
— the overall subsystem boundary to be subject for FMEA
— design intent(s) and system operational modes for the subsystem
— all component groups included within the subsystem boundary. The relevant system names, main units,
compartments (when applicable), and their main intended functions shall be presented in a structured
manner, supported with a descriptive narrative text.
— all assumptions related to systems interfaces and dependencies of external systems
— single failure and common cause analysis at subsystem levels
— if applicable, description of the installation of component groups in fire and flooding protected
compartments. This also includes cables and communication lines, and associated equipment.
— a reference to a test program to support the conclusions shall be included or referred
— summary, and conclusions
— a compliance statement referring to the sub-system boundary, operational modes, tests, and acceptance
criterion including time requirements shall be stated.
Guidance note:
Example of a boundary for FMEA of single thruster (Courtesy Brunvoll):
[Figure 8-2 (diagram): thruster with its Cooling, Lubrication, Ventilation and Aux supplies inside the FMEA boundary]
Figure 8-2
Brunvoll thruster system
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
[Figure 9-1 (diagram): redundant component group A and redundant component group B within unit U]
Figure 9-1
The separation design intent for redundant systems requires specifications of the redundancy component group A
within the A zone (compartment). Specifications of the redundant component group B within the B compartment/
zone shall also be stated.
Guidance note 1:
The requirement for specification and identification includes all zones, spaces, and cable trays where the equipment
is installed. Equipment is understood as all components, including piping and cabling which may influence the
redundancy design intent and acceptance criteria.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 2:
[Figure 9-2 (diagram): decks Tank top, Tween deck, Main deck and Bridge deck divided into Zone A and Zone B, containing thrusters T1, T2, T3, T4, items A6, B6, A7, B7, A8, B8, DP controllers DPC and DPA, tanks Tk1 and Tk2, DG1,2 with SwbA and DG3,4 with SwbB]
Figure 9-2
Separation design intent diagram with separated zones and redundant component groups. The following
abbreviations are used in the above figure and in the table below.
Separation design intent table with separated zones and redundant component groups:
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note 3:
The table in guidance note 2 may be inconvenient when there are more than two zones and cross-sectional dependencies.
The below table is an example of a separation design intent table for a system with 3 separated zones and 3 redundant
component groups:
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
9.1.2 The separation acceptance criterion shall be stated. Any possible time requirements shall also be stated.
Guidance note:
The separation acceptance criterion for e.g. IMO DP3 is that the applicable zones should be separated by A60 rated
materials and the zones constructed should be watertight under the waterline. In case of a fire or flooding event, all
components in the component groups in the affected zone should be considered as failed.
Reference is also made to annex D3 where failure modes for separated electrical power systems operating in parallel
and separated power systems simultaneously supplying equipment placed in non-separated areas are discussed.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
9.2.2 The separation analysis shall result in a statement that confirms that no fire or flooding event in any of
the separated compartments shall be able to influence the operation of both (or all) the separated systems and
subsystems in such a manner that the acceptance criteria are violated within the stated time requirement.
10.1.2 The test program shall have an introduction which as a minimum shall include the following:
— reference to the specific FMEA document (title, version and date)
— specification of (or reference to) all specified system operational modes and technical system
configurations that shall be verified by testing (ref 1.1.3).
10.1.3 Each test shall as a minimum contain:
— test identification (e.g. test number)
— reference to the specific part in the FMEA to be verified (e.g. redundancy design intent, worksheets, …)
— test intention
— test prerequisites and test setup specific for this test
— test method and actions to be performed
— expected results and acceptance criteria including time requirements if relevant
— space for actual observation, test results, and conclusions.
Guidance note:
In order to facilitate the practical testing, description of the test method should include detailed locations where the
physical and practical actions should be carried out. The location should be detailed to which space, cabinet, switch,
fuse, termination board, wire, as relevant.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
10.1.4 For systems and subsystems where separation is required, a set of inspections, tests and verification
activities shall be prepared and referenced. These inspections, tests, and verifications shall support the
conclusions of the separation analysis.
10.1.5 All systems subject to testing and systems that may influence the test results, shall be completed and
commissioned ready for final testing before the FMEA tests can start.
10.1.6 Before the actual testing commences, a planning meeting between the involved parties shall be
arranged. The objective is to organise the test execution.
10.1.7 After each test, the actual observations and results shall be recorded. After the test session, the records
shall be reviewed in a meeting where involved parties are present. The meeting shall conclude on findings,
conclusions and responsibilities for further actions.
11.1.3 A compliance statement referring to the overall unit (U), operational modes, test conclusion, and
acceptance criterion including time requirements shall be stated in the FMEA report.
APPENDIX A
IMCA REFERENCES
The International Marine Contractors Association (IMCA) has a wide range of publications available for
members and non-members. Several of these documents give basic introduction to FMEA of marine systems.
Examples of such documents are:
— Methods of Establishing the Safety and reliability of Dynamic Positioning systems, information note
IMCA M 04/04
— IMCA M 166 Guidance on failure modes and effect analysis (FMEAs)
These and other documents also include information and examples on relevant systems and their failure modes.
APPENDIX B
DNV REFERENCES
Below are given some DNV rule references related to typical notations which require FMEA or may otherwise
give requirements to relevant failure modes to be considered for different systems and notations.
RULES FOR CLASSIFICATION OF SHIPS
Pt.6 Ch.2 Redundant Propulsion
Pt.6 Ch.7 Dynamic Positioning Systems
Pt.6 Ch.19 Alternative Propulsion
Pt.6 Ch.22 Enhanced System Verification (ESV)
Please refer to section 2, D106 to see typical failure modes for programmable control system:
“106 The HIL test-package shall contain test cases related to the normal, degraded and abnormal operation of
the target and simulated systems. Normally single and common failure modes and common components should
be extensively analysed and tested. Multiple failures should be tested if found relevant.
Guidance note:
Operation in all normal modes and transfer between operational modes and the corresponding functional
requirements, should be the basis for establishing the HIL test scope. In addition, failure testing is also to be included
in the test scope. General types of failures to be simulated could be, but not limited to:
- sensors or input devices failure modes (dropout, noise, calibration errors, drift, bias, signal freeze, wild point,…)
- failure mode of actuators, drives, power system components or other electro-mechanical components
- feedback from sensors on actuator failure modes
- failure modes in computer networks
- failure modes related to overload of networks
- failures affecting weighting and voting mechanisms
- failures affecting protective safety functions
- failures affecting alarms, monitoring, and analysis functions
- failures causing and/or otherwise affecting switch-over in redundant systems
- common mode failures affecting several components and/or signals
- emergency handling (special emergency functions required during emergency handling could be tested)
- reconstruction of relevant reported failures/incidents related to the system and/or operations.”
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Please note that the above listed failure modes are relevant also for general FMEAs (not only HIL testing).
Pt.6 Ch.26 Dynamic Positioning System - Enhanced Reliability Dynpos-er
APPENDIX C
TYPICAL TABLE OF CONTENTS FOR A MINIMUM DP FMEA
The overall requirements to the contents of an FMEA are given in section A. The simplified example given
below of a table of contents for a DP FMEA shows typical systems to be analysed in the FMEA:
— introduction (general vessel information and acceptance criteria)
— system description and boundaries
— redundancy design intent and worst case failure intent
— vessel operational modes and technical system configurations for DP operations
— power systems
— high voltage systems
— low voltage distributions
— emergency power
— battery and UPS systems and distributions.
— machinery system
— diesel engines / diesel generator sets
— fuel oil system
— lubrication oil system
— seawater / freshwater cooling system
— compressed air system
— engine room ventilation.
— thruster system
— thruster control system
— thruster hydraulic system
— thruster cooling system
— control mode selection
— power supplies to control and auxiliary pumps.
— IAS / power management / engine control system
— Integrated automation system
— power management system
— generator voltage control system
— diesel engine governor control.
— emergency stop / shutdowns
— other relevant systems
— fire fighting system
— ventilation system
— shut down system (ESD)
— cooling system in computer rooms
— etc …
— conclusions / findings / recommendations if applicable
— test program
— in principle, all statements and conclusions of the FMEA are to be verified by testing (as far as possible).
It is accepted that several conclusions are verified by one test, e.g. by a partial blackout
— in general, the following main groups of tests will be required (each group typically contains several
tests):
- partial black-out on the main- and distribution switchboards (AC)
- loss of distribution board or equipment with dual power supply
- loss of (black-out) each battery and UPS distributions
- fail to safe response on single failures (e.g. thruster control systems)
- simulation of failures requiring manual or automatic intervention
- dependent on the actual design, other tests might be required.
APPENDIX D
FAILURE MODES IN ELECTRICAL POWER SYSTEMS OPERATING
WITH CLOSED BUS TIE(S)
D.1 Introduction
There are certain single failures that in case of open tie breakers will only affect one of the systems (A or B),
but that in case of closed tie breakers might jeopardize both the A and B systems. Such failures need not be
analysed in depth for open tie breaker operation, since it is then accepted that one of the systems A or B fails.
In the situation where the electrical power systems belonging to different redundancy groups are electrically
connected and arranged by bus-tie breakers to separate automatically upon failures (closed bus-tie), a failure in
one system (A) may propagate via the closed bus-tie (X-group) to the redundant systems (e.g. B). In this
situation a large number of additional failure modes may violate the overall redundancy design intent. The
FMEA must consider the additional failure modes relevant for the given design in relation to the applicable
requirements. Section A4 describes requirements and examples typical for DP systems. However, the nature
of such failure modes is similar for all marine electrical power systems running in parallel. The relevant failure
modes for an FMEA for a given system are typically influenced by the required rules or applicable standards.
The FMEA has to verify that the control and protection systems are able to automatically bring the system into
a safe state whenever a single failure occurs that might lead to a worse failure than the defined worst case
acceptable failure in the design intent (usually loss of either the A or B system).
D.2 Typical failure modes for a closed bus tie for a DP 2 FMEA analysis
The IMO MSC/Circ.645 Guidelines for vessels with dynamic positioning systems states in item 3.2.3 (which
also is a guidance note in the DNV DP rules):
“For equipment class 2, the power system should be divisible into two or more systems such that in the event
of failure of one system at least one other system will remain in operation. The power system may be run as
one system during operation, but should be arranged by bus-tie breakers to separate automatically upon failures
which could be transferred from one system to another, including overloading and short-circuits.”
Based on this IMO guideline the industry trend is to design and operate an increased number of DP class 2
notation vessels with closed bus-tie. Through experience from closed bus-tie testing and operation over the last
years, more and more failure modes are being considered relevant for DP class 2 notations.
The typical standard minimum set of functions, failure modes and tests to be considered for DP class notations
should include:
— Protection philosophy to support redundancy design intent - (short circuit and other selectivity calculations
must be approved - In particular those related to operation of the bus tie).
— Frequency and active power control (governor failure, high /low frequency and active power imbalance).
— Voltage and reactive power control (AVR failure, high /low voltage and reactive power imbalance).
— Power management (e.g. load sharing, malfunction, …).
— Power system transients and distortion (e.g. power dips, voltage dip ride through capabilities, harmonics,
unbalanced currents).
— Other relevant tests must also be included in the DP FMEA test program in order to verify that the system
has the expected robustness and transitional ride through capabilities.
As the industry and rules are evolving, it is considered natural that the list of relevant failure modes for DP class
2 notations will be expanded, in order to provide more comprehensive integrity against failure propagation
across the closed bus-tie. Please note that the list provided for DP class 3 notations in D.3 below gives more
details on the failure modes listed for DP class 2 notations, in addition to many more failure modes relevant for
closed bus tie systems.
D.3 Typical failure modes for a closed bus tie for a DP 3 FMEA analysis
The traditional interpretation of the DP-3 requirements has been that in order to achieve the intended integrity,
the power systems must be run as separated systems with open bus-tie breakers. However, there are a number
of benefits (technical, environmental, economic and operational) of operating with closed bus-ties. Due to
these benefits some operators prefer to run DP-3 systems with closed bus-ties for as large a part of the operations
as possible.
The IMO MSC/Circ.645 Guidelines for vessels with dynamic positioning systems states in item 3.2.4 (which
also is a guidance note in the DNV DP rules):
“For equipment class 3, the power system should be divisible into two or more systems such that in the event
of failure of one system, at least one other system will remain in operation. The divided power system should
be located in different spaces separated by A-60 class division. Where the power systems are located below the
operational waterline, the separation should also be watertight. Bus-tie breakers should be open during class 3
operations unless equivalent integrity of power operation can be accepted according to 3.1.3”.
The challenge is to ensure the equivalent safety level required by the rules and at the same time enable closed bus-
tie operations to achieve the desired benefits. The following issues should at least be adequately addressed in
the DP FMEA for analysis of DP3 with closed tie-breakers or automatic change over of supply between systems:
1) Active and reactive load sharing:
- Active power load sharing failure (e.g. caused by governor failure, insufficient, excess or unstable active
power, fuel rack failure, active power or frequency sensor failures, signal failures, load-sharing line
failures)
- Reactive power load sharing failure (e.g. caused by AVR failure, insufficient, excess or unstable reactive
power, reactive power sensor failures, voltage sensor failures, signal failures)
- Detection methods and actions to bring the system to a safe state with conditions and time responses
2) Consequences of voltage transients:
- Reference to analysis of worst case voltage dip (depth and duration) on healthy bus after short-circuit on
other bus (in closed tie-breaker operation)
- Document adequate voltage dip “ride-through” capability of the systems necessary to remain in position:
thruster drives, computer systems, networks, contactors, pumps, ventilation, and other auxiliaries.
3) Risk of simultaneous trip or load reduction of all thrusters:
- Are there built-in protections in the thruster variable speed drives that cause trip or load reduction? If yes,
how is it ensured that not all thrust is lost at the same time by the same trigger? Examples of such
protection can be high/low voltage and/or frequency.
- Are there situations where all thrusters will reduce their power simultaneously to such a level that
position cannot be maintained? E.g. built-in load reduction functionality in drives that may reduce power
to zero if one diesel engine fails to full speed.
4) Ensure that no hidden failure renders it impossible to open the tie-breaker from the PMS or other protection
devices:
- Does the PMS have direct HW open command signals to both tie-breakers?
- Redundant open command signals?
- Fail safe system that trips the breaker on wire break of the open command signal?
- Is it sufficiently ensured that the tie-breaker is not in local mode during DP3 operation? (e.g. clear indication
of local/remote status on the PMS GUI)
- Include a check of tie breaker operability in procedures for DYNPOS-AUTRO/DPS3 operation?
5) Fault tolerance in PMS system:
- How is it ensured that a single feedback failure to the PMS does not cause the PMS to carry out an action that
results in loss of position?
- Can for instance a single failure on a feedback signal to the PMS cause:
- the PMS to connect a generator (or bus-tie) without synchronization?
- full load reduction to be forced on all running thrusters simultaneously?
- the PMS to decrease generator frequency to a level that causes risk of automatic load reduction of
drives / tripping of drives?
- the PMS to increase frequency to a level that causes systems to trip?
- the PMS to jump to manual mode?
- Can a single PMS operator failure cause blackout?
- Can one single PMS unit trip all generator breakers?
- Failure to start and connect
- Crash synchronization on connect
- Connection of a stopped generator
6) Documentation and verification of protection settings:
- Is there protection functionality in PMS that can trip generator breakers and thus need to be included in
discrimination analysis?
- Require tables with settings of all protection equipment both in relays on breaker and in PMS.
- As part of FMEA: Verify by onboard inspection all protection settings on breakers, not only short circuit.
Special focus on tie-breaker.
7) Short circuit selectivity between bus-tie and generator breakers:
- Selectivity documented also for highest maximum short circuit current?
- Zero delay in bus-tie short circuit protection?
8) Mode monitoring in PMS / IAS system:
- Warning/alarm if power system setup is in conflict with defined prerequisite for DYNPOS-AUTRO/
DPS3 operation.
9) Loop monitoring (or similar) on feedback to e.g. PMS
10) Bus-tie breaker shunt-trip: can this be used? The breaker needs to be able to open in case of a voltage dip.
11) Failures causing high harmonic distortion in the system, where the new situation causes other components
to fail? E.g. filter failure giving high 11th and 13th harmonics causing resonance in internal filters in VFDs
to auxiliaries, again causing these to fail and the auxiliary function is lost for e.g. all thrusters.
12) Negative sequence.
13) Loss of synchronization:
- Maintenance of synchronization after voltage dip e.g. related to short circuit.
- Loss of synchronization – pole slipping (including severe mechanical failure)
14) Earth faults – generally.
15) System parameters outside normal operational ranges/boundaries applicable to voltage and frequency.
16) System imbalance:
- Severe line or phase voltage imbalance (short circuit or similar condition)
- Severe line current imbalance
17) A system should be implemented to ensure that the set points of all kinds of trip functions in the
electrical system are based on data that are verified/tested. Assumed data should not be accepted. All trip
functions should be included in a maintained list. There should be a systematic periodic check of all set
points.
18) The discrimination analysis is to be reviewed with careful attention that all functions and settings are to be
properly justified.
19) Other design related issues which are identified during the design review or testing.
20) As many of these design elements as possible shall be verified by FMEA testing.
As the industry and rules are evolving and experiences collected, it is considered natural that this list of relevant
failure modes will be expanded.
When the system is intended to be operated with closed bus tie(s) between redundant power systems, the above
analysis requirements must be supported by extensive verification by FMEA testing. Especially in the
situation where the intention is to justify the ‘equivalent integrity of power operations’ as required by IMO
MSC/Circ. 645, the extent of necessary FMEA testing may include tests that traditionally have been considered
to be potentially destructive (e.g. short circuits and earth faults on the electrical system).
Although an equivalent safety level is considered to be achieved by documented analysis and testing, it should
be understood that there will always be a residual probability for failure propagation. For operations (e.g.
diving) where loss of position may result in unacceptable consequences, risk considerations should be
performed in order to evaluate the system operational modes including open or closed bus-ties. This principle
is valid for both DP-2 and DP-3 systems.
The intended equivalent safety level may be achieved by other measures than discussed in this section. In
general such equivalent measures will be accepted.
D.4 Separated power systems simultaneously supplying equipment placed in a non-separated area
Separated power systems simultaneously supplying equipment placed in a non-separated area may impose a risk
of both power systems being affected by the same fire or flooding incident. Depending on the system, the
following typical descriptions and analyses are required by the FMEA:
— Location of equipment and cable routing belonging to the different systems. This drawing should also indicate
any separations, watertight divisions and passive fire protection. This also includes any slip ring assembly.
Equipment being supplied from different redundancy groups should be installed to provide the best possible
protection against failure propagation, and installed in separate cabinets.
— Discrimination analysis: Generator Circuit Breaker’s (CB), Main Switch Board (MSB) equipment feeder
CB, equipment MSB incoming CB (if applicable), equipment MSB feeders, and CB’s further downstream
until end consumers. This is applicable for all relevant power systems. This must be presented as graphs in
a common diagram and preferably supported by CB maker’s discrimination tables. Earth fault
discrimination shall also be included (if applicable). Installation of current limiting breakers should be
considered.
— Short circuit analysis: Maximum and minimum short circuit levels shall be documented for all distributions
(single and three phase fault), taking generator decrement curves into consideration.
— Under voltage: As a consequence of a worst case failure scenario both power systems may experience a
short circuit within a short time period. The consequence of a short circuit will be under voltage in the systems,
which may affect connected equipment. Analysis of the transient voltage dip and its duration must be
documented. This must include an evaluation of and conclusion on the effect on other equipment and systems,
bearing in mind the sensitivity of power electronics, contactors, computer systems, etc.
— Parameterisation of protective devices/functions.
— Fire/flooding monitoring (extended systems may be used to increase the possibility to set the system in a
safe mode upon such an incident).
— Operational philosophy (power system, crane/diving/DP operations, etc…).
— Load balance considerations.
Such analysis should be focused on the highest voltage levels in the AC power generation plants and on battery
and UPS distribution systems.
D.5 Additional discussion and examples
This subsection includes some further discussion and examples of some of the topics listed in D.3. Please note that for
a given FMEA, all relevant topics must be addressed.
A general recommendation is that upon detection of an abnormal condition, action to bring the system into split
mode shall be executed automatically. Abnormal conditions may include:
— Load sharing failure active power.
— Load sharing failure reactive power.
— High/Low bus voltage.
— High/Low frequency.
— Communication failure in PMS or load sharing system.
— Thruster load reduction activated.
— PMS failure or PMS change to manual mode.
— Feedback failure on bus-tie status signals.
Some of the most common failure modes that need to be addressed are outlined in the following subsections.
Note that other failure modes might also be critical (depends on type of equipment, configuration and control
systems installed).
D.5.1 Tie breaker short circuit protection
All generator breakers are equipped with short circuit protection trip functionality such that they will open in
case of short circuit on the bus.
In closed tie-breaker operation it will be crucial that the tie breaker(s) opens before the generator breakers. A
full blackout (A and B side) will be the result if tie breaker fails to open before generator breakers since short
circuit current will flow through all generator breakers and thus they will all trip.
The FMEA has to verify that the breakers are installed and parameterized such that it is ensured that the tie breakers
open first. It also has to be verified that the tie breaker is able to break the worst case short circuit current.
For the tie-breaker, upstream selectivity has higher priority than downstream selectivity. For the
safest operation the tie breaker should be considered to open as fast as possible (configured with zero delay),
although this might be in conflict with downstream selectivity.
For DP3 it is required to have a tie breaker on both sides of the fire and flooding division. The division has little
or no value unless the tie breakers on both sides of the division are equipped with short circuit protection. This
has to be verified as part of the FMEA.
The FMEA has to address maker documentation regarding breaking capacity and selectivity/discrimination.
The FMEA needs to verify that the required discrimination is implemented in the system.
*** Example of how tie breaker short circuit protection can be addressed in the FMEA:
The worst case short circuit currents on the Vessel switchboards are shown in the short circuit analysis to be:
Generator breakers: 35 kA
Tie-breaker: 55 kA
The table below shows the breaking capacity and trip settings for the generator and tie breakers.

Breaker              Breaking capacity   Short circuit trip setting   Delay setting
BT1 (Master)         65 kA               8 kA                         80 ms
BT1 (Slave)          65 kA               8 kA                         80 ms
Generator breakers   65 kA               12 kA                        500 ms
The discrimination curves for generator breaker and tie breaker are shown below.
[Figure: time-current discrimination curves for the generator breaker and the tie breaker; time axis in seconds, from 0.1 s to 10 ks]
Based on the maker documentation it is concluded that the tie breaker will open before the generator breakers in
case of a worst case short circuit. To be verified on board that breaker maker, type and protection settings are as
specified.
*** End of example.
D.5.2 Under-voltage release / Voltage transients / high and low bus voltage
Generator breakers will usually be equipped with under-voltage release which opens the breaker if the voltage
is below a specified level for a specified period.
All generator breaker protection relays will measure the same voltage when tie-breaker is closed. A voltage dip
will thus potentially cause all generator breakers to trip simultaneously (full blackout).
Similar consequences can arise if thruster breakers are equipped with under voltage release. All thruster
breakers will measure the same voltage when tie breaker is closed. Thus, they may all trip simultaneously with
loss of position as potential consequence.
Note also that the thruster drive controllers typically also monitor voltage and might also command thrusters
breakers to open. This is also a function that might cause all thrusters to trip simultaneously.
Simultaneous trip of generators or thrusters can be avoided by ensuring that the tie-breaker will always be the
first to open in case of under voltage. It is also important to ensure that no “normal” voltage dip to be expected
in the actual power system will cause any trip (e.g. voltage dip due to start of large motors and voltage dip due
to a short circuit).
A challenging task is to verify that a short circuit on one bus will be cleared fast enough to avoid that feeders
and contactors to essential auxiliary systems open due to low voltage. The same type of equipment
will usually be used on both the A and B side. Thus, if one loses a pump on the A side during a short circuit due to
low voltage, it is also likely that the one for the B system will trip, since it will see more or less the same voltage.
A very fast short circuit trip of the tie breaker will reduce the voltage dip in either the A or B system and will
thus be a method to avoid losing auxiliary systems on both the A and B side. Bus tie breakers may be considered
to be equipped with under voltage trip.
Any protection functions acting on high bus voltage will have to be addressed in the same way.
*** Example of how under voltage release can be addressed in the FMEA:
The worst case voltage dip has been analysed for a given vessel switchboard. The results are summarized in the
table below:

Case                                                          Voltage   Duration
Start of heavy consumer in DP mode, two generators running    90%       3 seconds
Short circuit                                                 0%        100 ms (maximum time for the bus-tie to clear the fault)

The table below shows the settings of the under-voltage release protection functions in the Vessel switchboard:

Breaker / device                                                  Under voltage release   Trip level   Delay
Bus-tie 1 (Master)                                                Yes                     85%          100 ms
Bus-tie 1 (Slave)                                                 Yes                     85%          100 ms
Generator breakers                                                Yes                     80%          1 s
Breakers to thruster T1, T2, T3 and T4                            Yes                     80%          1 s
Thruster drive controller (T1 and T2)                             Yes                     85%          900 ms
Thruster drive controller (T3 and T4)                             No                      -            -
Breakers to DP essential auxiliaries                              -                       < 85%        > 100 ms
Contactors and low voltage breakers to DP essential auxiliaries   -                       < 85%        > 100 ms

Based on these settings it is concluded that there is no risk of losing all generators or thrusters simultaneously
in closed tie breaker operation.
To be verified on board that settings are as specified.
*** End of example.
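The same conclusion can be reached mechanically from the two tables, which is useful when a setting is changed after the FMEA. The Python below is an added example, not part of this Recommended Practice: it models each under-voltage release as "trips when the voltage is below the level for at least the delay", checks that the normal dip trips nothing, and checks that on the short circuit dip every non-tie release that would trip is preceded by the tie-breaker release. The trip model, the `Dip`/`UvRelease` names, the boundary values 85% and 101 ms used for the auxiliaries (the table only states "< 85%" and "> 100 ms") and the hypothetical dip in the `__main__` part are assumptions introduced here.

```python
"""Under-voltage release coordination check (added example, not part of the RP).

Dip cases and settings are those of the D.5.2 example. The trip model and the
boundary values used for the "< 85 %" / "> 100 ms" auxiliary rows are assumptions.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Dip:
    case: str
    voltage_pct: float    # residual bus voltage, % of nominal
    duration_ms: float    # how long the healthy bus sees it (short circuit: until the tie has cleared)
    normal: bool          # a dip expected in normal operation, which must trip nothing


@dataclass(frozen=True)
class UvRelease:
    device: str
    group: str            # "tie", "generator", "thruster" or "aux"
    trip_level_pct: float
    delay_ms: float

    def trips_on(self, dip: Dip) -> bool:
        return dip.voltage_pct < self.trip_level_pct and dip.duration_ms >= self.delay_ms

    def ride_through_margin_ms(self, dip: Dip) -> float:
        """Positive: the device outlasts the dip by this many ms; negative: it trips."""
        return self.delay_ms - dip.duration_ms if dip.voltage_pct < self.trip_level_pct else float("inf")


DIPS = (
    Dip("Start of heavy consumer in DP mode, two generators running", 90.0, 3000.0, normal=True),
    Dip("Short circuit on the other bus, cleared by the bus-tie", 0.0, 100.0, normal=False),
)

SETTINGS = (
    UvRelease("Bus-tie 1 (Master)", "tie", 85.0, 100.0),
    UvRelease("Bus-tie 1 (Slave)", "tie", 85.0, 100.0),
    UvRelease("Generator breakers", "generator", 80.0, 1000.0),
    UvRelease("Breakers to thruster T1-T4", "thruster", 80.0, 1000.0),
    UvRelease("Thruster drive controller T1/T2", "thruster", 85.0, 900.0),
    # T3/T4 drive controllers have no under-voltage release and are therefore not listed.
    # The RP states "< 85 %" and "> 100 ms" for the auxiliaries; 85 % and 101 ms are assumed boundary values.
    UvRelease("Breakers to DP essential auxiliaries", "aux", 85.0, 101.0),
    UvRelease("Contactors/LV breakers to DP essential auxiliaries", "aux", 85.0, 101.0),
)


def assess_uv_coordination(dips: Sequence[Dip], settings: Sequence[UvRelease]) -> List[str]:
    """Findings for the FMEA (empty list = no objection):
    - a normal dip must not trip anything;
    - on a fault dip, any non-tie release that trips must be preceded by a tie release,
      otherwise the A and B sides lose the same kind of equipment at the same time."""
    findings: List[str] = []
    ties = [s for s in settings if s.group == "tie"]
    for dip in dips:
        tripped = [s for s in settings if s.trips_on(dip)]
        if dip.normal:
            findings.extend(f"{dip.case}: normal dip trips {s.device}" for s in tripped)
            continue
        tie_delays = [t.delay_ms for t in ties if t.trips_on(dip)]
        for s in tripped:
            if s.group == "tie":
                continue
            if not tie_delays or min(tie_delays) >= s.delay_ms:
                findings.append(f"{dip.case}: {s.device} ({s.trip_level_pct:g} %, {s.delay_ms:g} ms) "
                                f"trips before or without the tie-breaker -> common mode loss on A and B")
    return findings


if __name__ == "__main__":
    print(assess_uv_coordination(DIPS, SETTINGS) or "no findings")
    for s in SETTINGS:
        print(f"{s.device:55s} margin on short circuit dip: {s.ride_through_margin_ms(DIPS[1]):g} ms")
    # Hypothetical dip to 80 % for 2 s: trips the T1/T2 drive controllers and the auxiliaries.
    print(assess_uv_coordination([Dip("Hypothetical dip", 80.0, 2000.0, normal=True)], SETTINGS))
```

The margin printed for each device is the number a test engineer wants to see next to every row of the settings table: the 100 ms short circuit case leaves the generator breakers 900 ms, but the auxiliaries only as much as their "> 100 ms" really is, which is why the on-board verification of those settings is not optional.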
D.5.3 Load sharing monitoring
Load sharing failure between generators is a common mode failure that can lead to total blackout or full
thrusters load reduction (and thus also loss of position). This includes both active and reactive power sharing
failure.
Active and reactive load sharing monitoring is a function typically handled by the PMS.
Active power load sharing failure can be caused by governor failure, fuel rack failure, active power or
frequency sensor failures, other signal failures and load-sharing line failures. (Examples of failure causes
relevant in systems with load sharing performed by stand-alone units (isochronous) could be earth fault on,
broken line in, or short circuit of the load sharing lines.) Note that in case the PMS is performing load sharing
control, a load sharing failure might also be caused by the PMS itself, if for instance a feedback signal to the
power management system fails and this failure is not properly detected and handled.
Reactive power load sharing failure can for instance be caused by AVR failure, reactive power sensor failures,
and voltage sensor failures.
Possible consequences of load sharing failures are:
— Generator protection relays (reverse power and over-current) might in such cases trip healthy generator
instead of faulty, with blackout as the final state.
— PMS might command full load reduction to all thrusters due to high load on one generator (might lead to
loss of position)
Typical barriers against such outcome can be control or protection systems that automatically open the tie
breaker upon detection of load sharing failure (active or reactive).
The FMEA has to analyse and describe how the actual system will handle load sharing failures. It might also
be needed to prove that the measures are effective. Typical questions to be answered by FMEA:
— How are active and reactive load sharing failures detected in the system?
— What is the action to bring system to safe state? (opening of tie-breaker will usually be part of an
appropriate action)
— Immediate or delayed action? Time delays in detection and action?
This kind of information may be found in functional design specification of the PMS system. This issue will
probably also be covered by vendors FMEA of the PMS if such is available and used as input to the FMEA.
It is not straightforward to prove that the measures against load sharing failure consequences are effective.
Tests can be carried out on sea-trials or at dock if necessary generator loads are available. An alternative is to
verify this by use of HIL-testing.
*** Example of how the load sharing monitoring can be summarized in the FMEA:
The table below shows which Vessel control system is responsible for active and reactive power load
sharing monitoring in the different modes.

Mode                 Monitoring       Control system / PLC   Monitors sharing between
Open tie-breaker     Active power     PMS A                  DG1, DG2
Open tie-breaker     Active power     PMS B                  DG3, DG4
Open tie-breaker     Reactive power   PMS A                  DG1, DG2
Open tie-breaker     Reactive power   PMS B                  DG3, DG4
Closed tie-breaker   Active power     PMS A                  DG1, DG2, DG3, DG4
Closed tie-breaker   Reactive power   PMS A                  DG1, DG2, DG3, DG4

Automatic action to bring the system to a safe state (split system) in case of active power load sharing failure:

Mode                 Measure                  Level                 Delay
Open tie-breaker     Warning                  -                     -
Open tie-breaker     Alarm                    > 200 kW difference   10 sec
Open tie-breaker     Other action (specify)   -                     -
Closed tie-breaker   Warning                  -                     -
Closed tie-breaker   Alarm                    > 200 kW difference   10 sec
Closed tie-breaker   Trip of tie breaker      > 300 kW difference   5 sec
Closed tie-breaker   Other action (specify)   -                     -
Automatic action to bring system in safe state (split system) in case of reactive power load sharing failure:
[Figure: PMS A / PMS B load sharing control with open and with closed tie-breaker: speed up/down commands and active power (P G1..P G4) for DG1..DG4, DG running and CB closed feedbacks (CB1..CB4) from SWBD A, SWBD B and SWBD A+B, and tie breaker status to both PMS units]
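To show how the levels and delays in the active power table translate into detection logic, and how a feedback failure interacts with it, here is an added Python example (not part of this Recommended Practice or of any PMS product). It is a monitor in the PMS A role: with the tie closed it compares the kW readings of DG1..DG4, raises the alarm after 10 s above 200 kW difference, opens the tie after 5 s above 300 kW difference and from then on compares DG1 and DG2 only, as in the monitoring table above. It is run over three constructed scenarios. The 1 s sample period, the plausibility check that keeps a lost or impossible reading from tripping the tie, the 1500 kW rating, the `LoadShareMonitor` name and all scenario data are assumptions introduced here.

```python
"""Active power load sharing monitor (added example, not part of the RP).

Thresholds and monitored groups follow the D.5.3 example tables (PMS A view). The 1 s
sample period, the plausibility check and the constructed scenarios are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALARM_KW, ALARM_DELAY_S = 200.0, 10     # > 200 kW difference for 10 s -> alarm (both modes)
TRIP_KW, TRIP_DELAY_S = 300.0, 5        # > 300 kW difference for 5 s  -> trip tie (closed mode only)
SAMPLE_PERIOD_S = 1

Event = Tuple[str, int, object]         # (kind, time in s, detail)


@dataclass
class LoadShareMonitor:
    rated_kw: Dict[str, float]
    closed_tie: bool = True
    closed_group: Tuple[str, ...] = ("DG1", "DG2", "DG3", "DG4")   # PMS A with closed tie
    open_group: Tuple[str, ...] = ("DG1", "DG2")                   # PMS A after the split
    alarm_timer_s: int = 0
    trip_timer_s: int = 0
    alarm_active: bool = False
    failed_signals: set = field(default_factory=set)
    events: List[Event] = field(default_factory=list)

    def plausible_readings(self, t: int, kw: Dict[str, Optional[float]]) -> Dict[str, float]:
        """Drop readings that cannot be real (missing, negative, > 120 % of rating) and report
        them once as a signal failure instead of letting them drive a tie trip on a healthy plant."""
        good = {}
        for g in (self.closed_group if self.closed_tie else self.open_group):
            p = kw.get(g)
            if p is None or p < 0 or p > 1.2 * self.rated_kw[g]:
                if g not in self.failed_signals:
                    self.failed_signals.add(g)
                    self.events.append(("SIGNAL_FAIL", t, g))
                continue
            good[g] = p
        return good

    def step(self, t: int, kw: Dict[str, Optional[float]]) -> float:
        """Process one sample; returns the max-min kW difference seen by the monitor."""
        good = self.plausible_readings(t, kw)
        diff = max(good.values()) - min(good.values()) if len(good) > 1 else 0.0
        self.alarm_timer_s = self.alarm_timer_s + SAMPLE_PERIOD_S if diff > ALARM_KW else 0
        self.trip_timer_s = self.trip_timer_s + SAMPLE_PERIOD_S if diff > TRIP_KW else 0
        if self.alarm_timer_s == 0:
            self.alarm_active = False
        elif self.alarm_timer_s >= ALARM_DELAY_S and not self.alarm_active:
            self.alarm_active = True
            self.events.append(("ALARM", t, round(diff)))
        if self.closed_tie and self.trip_timer_s >= TRIP_DELAY_S:
            self.closed_tie = False        # split the system; from now on only DG1/DG2 are compared
            self.events.append(("TRIP_TIE", t, round(diff)))
            self.alarm_timer_s = self.trip_timer_s = 0
            self.alarm_active = False
        return diff


RATED = {g: 1500.0 for g in ("DG1", "DG2", "DG3", "DG4")}   # assumed generator rating


def run(samples: List[Dict[str, Optional[float]]]) -> List[Event]:
    mon = LoadShareMonitor(dict(RATED))
    for t, kw in enumerate(samples):
        mon.step(t, kw)
    return mon.events


def governor_drift_scenario() -> List[Event]:
    """Constructed: 4 x 1000 kW; from t=10 the DG3 governor drifts up 50 kW/s while the plant
    load stays at 4000 kW, so the other three generators back off."""
    samples = []
    for t in range(30):
        dg3 = 1000.0 + 50.0 * max(0, t - 9)
        rest = (4000.0 - dg3) / 3.0
        samples.append({"DG1": rest, "DG2": rest, "DG3": dg3, "DG4": rest})
    return run(samples)


def sustained_unbalance_scenario() -> List[Event]:
    """Constructed: DG3 carries 250 kW more than the others for 20 s (alarm, no trip)."""
    return run([{"DG1": 937.5, "DG2": 937.5, "DG3": 1187.5, "DG4": 937.5}] * 20)


def lost_signal_scenario() -> List[Event]:
    """Constructed: the DG2 kW reading is lost from t=5 on an otherwise healthy plant."""
    return run([{"DG1": 1000.0, "DG2": None if t >= 5 else 1000.0, "DG3": 1000.0, "DG4": 1000.0}
                for t in range(15)])


if __name__ == "__main__":
    for name, fn in (("governor drift", governor_drift_scenario),
                     ("sustained unbalance", sustained_unbalance_scenario),
                     ("lost signal", lost_signal_scenario)):
        print(name, fn())
```

A frozen but plausible reading (the feedback failure item 5 in D.3 asks about) passes this range check unnoticed and would either hide a real unbalance or create a false one; that is the case loop monitoring (item 9 in D.3) or HIL testing has to cover, since it cannot be shown from the settings alone.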
The blackout prevention / load reduction / load shedding might typically be triggered by one or more of the following:
— high generator active power
— high generator reactive power (not common)
— high generator current
— high total load on bus (sum of generator active power)
— low bus frequency
— low bus voltage.
Such functionality may cause failure propagation between A and B side when operating with closed tie-
breaker. This could happen because the control system has to take into consideration all generators, both on A
and B side in order to check for overload.
Further, load reduction based on bus frequency or bus voltage may cause failure propagation between the A
and B system. Frequency and voltage are equal on A and B side as long as the tie-breaker is closed. This means
that low voltage or low frequency might cause simultaneous load reduction of all running thrusters and
consequently risk of position loss.
It might be necessary to carry out tests at FAT/dock/sea trial to:
— prove that the system works as intended
— prove that critical failures in the blackout prevention / load reduction / load limitation are detected by the
control systems (typically failure of the active power measurement signal to the control system and of the load
reduction command signal to the thrusters)
— prove that no single failure will cause all thrusters to be reduced to a very low or zero speed simultaneously
(risk of drift off).
Blackout recovery systems may also need to be analysed. It should be ensured that unintended operation cannot
create a blackout, e.g. as a result of false blackout detection.
*** Example of how the blackout prevention / load reduction / load shedding can be presented in the FMEA:
Overview of blackout prevention / load reduction / load shedding functionality on Vessel (closed tie-breaker mode):

Control system / PLC   Criteria to initiate action                  Delay    Action
PMS A                  Bus A+B load > 98%                           200 ms   Load reduction command is sent to THR1, THR2, THR3, THR4
PMS A                  Bus A+B frequency < 56 Hz                    200 ms   Load reduction command is sent to THR1, THR2, THR3, THR4
PMS A                  DG1, DG2, DG3 or DG4 load > 98%              200 ms   Load shedding of non-thruster heavy consumers on bus A
PMS A                  DG1, DG2, DG3 or DG4 load > 105%             200 ms   Load reduction command to THR1, THR2, THR3, THR4
PMS B                  Bus A+B load > 98%                           200 ms   Load reduction command is sent to THR1, THR2, THR3, THR4
PMS B                  Bus A+B frequency < 56 Hz                    200 ms   Load reduction command is sent to THR1, THR2, THR3, THR4
PMS B                  DG1, DG2, DG3 or DG4 load > 98%              200 ms   Load shedding of non-thruster heavy consumers on bus B
PMS B                  DG1, DG2, DG3 or DG4 load > 105%             200 ms   Load reduction command to THR2 and THR4
DP                     Bus A load > 95%                             1 sec    Command signal to THR1 and/or THR3 reduced
DP                     Bus B load > 95%                             1 sec    Command signal to THR2 and/or THR4 reduced
THR1                   Bus A+B frequency < 56 Hz or voltage < 90%   200 ms   THR1 reduces speed by itself
THR2                   Bus A+B frequency < 56 Hz or voltage < 90%   200 ms   THR2 reduces speed by itself
THR3                   Bus A+B frequency < 56 Hz or voltage < 90%   200 ms   THR3 reduces speed by itself
THR4                   Bus A+B frequency < 56 Hz or voltage < 90%   200 ms   THR4 reduces speed by itself
The figure below shows how the blackout prevention / load limiting functions may lead to failure propagation
from the A to the B system (or vice versa). This system has thus to be addressed further. The table
below summarizes identified failure modes that will have to be tested in order to verify that no single failure
will lead to loss of position.
[Figure: SWBD A + B with closed tie-breaker; kW, Hz and V measurements on the A and B sides feeding the power limit functions of the A side and B side control systems]
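One way to make the requirement "no single failure reduces all thrusters" checkable before the test program is written is to search the table for it. The Python below is an added example, not part of this Recommended Practice: it encodes the thruster-affecting rows of the table above as rules, fails one measurement channel at a time (stuck low, stuck high) on a constructed healthy plant state, and lists the channels whose single failure reduces THR1..THR4 at once. The assumption that each control system and each drive reads the bus through its own channel, the channel names, the healthy values, the two failure values and the function names are introduced here and are not from the table.

```python
"""Single-failure search over the load reduction rules (added example, not part of the RP).

The rules are the thruster-affecting rows of the D.5.3 table (closed tie-breaker). The
per-system measurement channels, the healthy values and the stuck-low/stuck-high
failure values are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

Readings = Dict[str, float]
ALL_THRUSTERS: FrozenSet[str] = frozenset({"THR1", "THR2", "THR3", "THR4"})
DGS = ("DG1", "DG2", "DG3", "DG4")


@dataclass(frozen=True)
class Rule:
    system: str
    criteria: str
    fires: Callable[[Readings], bool]
    reduces: FrozenSet[str]     # thrusters that receive a load reduction when the rule fires


def pms_rules(pms: str, dg_overload_targets: FrozenSet[str]) -> List[Rule]:
    # Each PMS reads the common A+B bus and every generator through its own channels (assumption).
    return [
        Rule(pms, "Bus A+B load > 98 %", lambda m, p=pms: m[f"{p}/bus_load_pct"] > 98, ALL_THRUSTERS),
        Rule(pms, "Bus A+B frequency < 56 Hz", lambda m, p=pms: m[f"{p}/bus_freq_hz"] < 56, ALL_THRUSTERS),
        Rule(pms, "any DG load > 105 %",
             lambda m, p=pms: any(m[f"{p}/{g}_load_pct"] > 105 for g in DGS), dg_overload_targets),
    ]


def thruster_rules() -> List[Rule]:
    # Each drive protects itself on its own frequency and voltage measurement (assumption).
    return [Rule(t, "frequency < 56 Hz or voltage < 90 %",
                 lambda m, t=t: m[f"{t}/freq_hz"] < 56 or m[f"{t}/volt_pct"] < 90, frozenset({t}))
            for t in sorted(ALL_THRUSTERS)]


RULES: List[Rule] = (
    pms_rules("PMS A", ALL_THRUSTERS)
    + pms_rules("PMS B", frozenset({"THR2", "THR4"}))
    + [Rule("DP", "Bus A load > 95 %", lambda m: m["DP/bus_a_load_pct"] > 95, frozenset({"THR1", "THR3"})),
       Rule("DP", "Bus B load > 95 %", lambda m: m["DP/bus_b_load_pct"] > 95, frozenset({"THR2", "THR4"}))]
    + thruster_rules()
)

# Constructed healthy plant state: 70 % load, 60 Hz, 100 % voltage on every channel.
HEALTHY: Readings = {}
for _p in ("PMS A", "PMS B"):
    HEALTHY[f"{_p}/bus_load_pct"] = 70.0
    HEALTHY[f"{_p}/bus_freq_hz"] = 60.0
    HEALTHY.update({f"{_p}/{g}_load_pct": 70.0 for g in DGS})
HEALTHY.update({"DP/bus_a_load_pct": 70.0, "DP/bus_b_load_pct": 70.0})
for _t in ALL_THRUSTERS:
    HEALTHY[f"{_t}/freq_hz"] = 60.0
    HEALTHY[f"{_t}/volt_pct"] = 100.0

FAILURE_VALUES = (0.0, 150.0)    # stuck low / stuck high (assumed sensor failure modes)


def reduced_thrusters(m: Readings) -> Set[str]:
    """Thrusters that receive a load reduction for the given set of readings."""
    out: Set[str] = set()
    for r in RULES:
        if r.fires(m):
            out |= r.reduces
    return out


def single_failure_effects(healthy: Readings) -> Dict[str, Set[str]]:
    """For every measurement channel, the union of thrusters reduced when only that channel fails."""
    effects: Dict[str, Set[str]] = {}
    for ch in healthy:
        hit: Set[str] = set()
        for v in FAILURE_VALUES:
            m = dict(healthy)
            m[ch] = v
            hit |= reduced_thrusters(m)
        if hit:
            effects[ch] = hit
    return effects


def channels_losing_all_thrust(healthy: Readings) -> List[str]:
    """Channels whose single failure reduces every thruster at once: the failure modes that
    must be tested (or designed out) to show that no single failure causes drift off."""
    return sorted(ch for ch, hit in single_failure_effects(healthy).items() if hit == ALL_THRUSTERS)


if __name__ == "__main__":
    for ch in channels_losing_all_thrust(HEALTHY):
        print("single failure of", ch, "reduces all four thrusters")
```

For this table the search returns the common-bus load and frequency inputs of both PMS units and the four generator load inputs of PMS A, which is exactly the propagation path the text describes: one PMS acting on one measurement of the common bus commands all four thrusters. Each of those channels is a candidate line in the failure mode test table, and the DP-side and drive-internal rules show what a per-bus or per-drive trigger looks like by contrast.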