
RECOMMENDED PRACTICE

DET NORSKE VERITAS AS

The electronic pdf version of this document found through http://www.dnv.com is the officially binding version

DNV-RP-D102

Failure Mode and Effect Analysis (FMEA) of Redundant Systems

JANUARY 2012


© Det Norske Veritas AS January 2012

Any comments may be sent by e-mail to [email protected]

This service document has been prepared based on available knowledge, technology and/or information at the time of issuance of this document, and is believed to reflect the best of contemporary technology. The use of this document by others than DNV is at the user's sole risk. DNV does not accept any liability or responsibility for loss or damages resulting from any use of this document.

FOREWORD

DET NORSKE VERITAS (DNV) is an autonomous and independent foundation with the objectives of safeguarding life, property and the environment, at sea and onshore. DNV undertakes classification, certification, and other verification and consultancy services relating to quality of ships, offshore units and installations, and onshore industries worldwide, and carries out research in relation to these functions.

DNV service documents consist of among others the following types of documents:
- Service Specifications. Procedural requirements.
- Standards. Technical requirements.
- Recommended Practices. Guidance.

The Standards and Recommended Practices are offered within the following areas:
A) Qualification, Quality and Safety Methodology
B) Materials Technology
C) Structures
D) Systems
E) Special Facilities
F) Pipelines and Risers
G) Asset Operation
H) Marine Operations
J) Cleaner Energy
O) Subsea Systems


Recommended Practice DNV-RP-D102, January 2012, Changes, Page 3

CHANGES

Main changes: This is a new document.


CONTENTS

1. General ..... 5
1.1 Application, objective, and contents of FMEA for redundant systems ..... 5
2. Definitions ..... 7
2.1 General definitions ..... 7
3. Documentation ..... 11
3.1 General ..... 11
4. Redundancy Design Intention ..... 12
4.1 General ..... 12
4.2 Redundancy design intention and functional redundancy types ..... 12
4.3 Specification of subsystem or component groups ..... 15
4.4 Specification and analyses of dependencies ..... 16
5. Single Failure Propagation in Redundant Systems ..... 21
5.1 General ..... 21
5.2 Failures, common causes, and systematic failure propagation ..... 22
5.3 Barriers and other compensating measures ..... 22
5.4 Failure propagation analysis at subsystem level ..... 23
6. Unit and Subsystem FMEA ..... 27
6.1 Requirements to the unit FMEA including subsystem FMEA ..... 27
6.2 Allocation of unit requirements to subsystems/component groups ..... 27
6.3 Comparison of subsystem design intention with subsystem FMEA acceptance criterion ..... 30
7. FMEA of Subsystems with Redundancy ..... 34
7.1 General ..... 34
8. FMEA of Single Sub-Systems ..... 36
8.1 General ..... 36
9. Redundant Systems with Physical (Fire and Flooding) Separation ..... 39
9.1 Separation design intent ..... 39
9.2 Separation analysis ..... 40
10. Inspections and Tests ..... 41
10.1 General ..... 41
11. FMEA Report and Compliance Statement ..... 43
11.1 General ..... 43
Appendix A. IMCA references ..... 44
Appendix B. DNV references ..... 45
Appendix C. Typical table of contents for a minimum DP FMEA ..... 46
Appendix D. Failure modes in electrical power systems operating with closed bus tie(s) ..... 47


1. General

1.1 Application, objective, and contents of FMEA for redundant systems

1.1.1 The requirements of this guideline apply to failure mode and effect analysis (FMEA) of redundant systems.

Guidance note 1:
Class notations such as DYNPOS-AUTR, DYNPOS-AUTRO, DPS 2, DPS 3, DYNPOS-ER, RP, RPS, AP-2 and AP-3 require redundancy. An FMEA of the system redundancy is required as part of the verification of the specific acceptance criterion for the specific notation. This guideline may also be suitable for other applications, such as the IMO requirements for Safe Return to Port.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
This guideline does not give any guidance on FMEA of software. However, the guideline requires testing and verification of how the software responds to relevant failures in the system subject to verification.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.2 The objective of failure mode and effects analysis of redundant systems in a specified unit (U) is to provide objective evidence of required redundancy and fault tolerance.

Figure 1-1
The redundancy design intent can be visualized by means of one redundant component group diagram (UAB). The diagram represents the complete physical system (unit (U) and system boundary) and the two physical redundant component groups (A and B). The main concepts are the system boundary, the redundant component groups, illustrated by a minimum of two redundant groups (A group and B group), and the acceptance criteria reference level, which refers to the unit system boundary. Please note that more than two redundant groups may also be assumed (e.g. A, B, C, D groups).

Guidance note:
In order to give the reader an introduction to the vessel subject to the FMEA and the project in general, the FMEA report should start by giving high level vessel information, which may typically include: main particulars, yard, yard number, owner, ship name and identification, vessel type, intended operation, class notations, main equipment suppliers, FMEA supplier and other relevant information.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.3 In order to be valid, the FMEA, the test program, and the test report must at all times during the operational phase be maintained and updated in case of alterations of the system. In case of alterations it must be evaluated if:

- additional FMEA is required
- the test program needs to be updated
- functional testing and/or failure testing is required
- other parts of the documentation need to be updated.

Guidance note:
The requirements to keep the FMEA documents updated during the operational phase will vary between the different class notations (e.g. DYNPOS-AUTR, DPS 2, RP, AP).

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.4 The FMEA shall specify all vessel operational modes which it is intended to be valid for (minimum one mode). For each of these vessel operational modes the technical system configuration shall be described, and prerequisites for achieving the required failure tolerance and redundancy shall be included.

Guidance note:
The vessel operational mode specifies the high level system setup, redundancy design intention and vessel operations. Examples of vessel operational modes are position keeping, weather vaning, manoeuvring and dredging. It is understood that "vessel operations" in this context is a common term comprising vessel operations, control system modes and industrial functions.


The technical system configuration(s) are prerequisites for establishing the basis for an FMEA, and must be specified for all relevant configurations. One example could be that a vessel has different technical system configurations for different vessel operational modes; another example could be a vessel with DYNPOS-AUTRO notation that is also intended to have a mode based on DYNPOS-AUTR acceptance criteria, in which case both modes shall be stated, specified, analysed, and tested in the FMEA. The technical system configuration includes all technical modes (and combinations of the modes) of all systems that may influence the redundancy and failure tolerance of the unit. This will typically include, but is not limited to, control system modes, power plant and thruster configuration, switchboard (AC and DC) configuration and distribution setup, auxiliary systems setup, valves, breakers, pumps, etc.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.5 All specified vessel operational modes and technical system configurations that the FMEA is intended to be valid for shall be analysed and, as far as possible, be verified by testing.

1.1.6 A failure mode and effect analysis (FMEA) of redundant systems shall as a minimum consist of the following parts:

- general vessel information
- specification of acceptance criteria
- specification of the overall system boundary of the unit (U) to be subject to FMEA
- redundancy design intent(s), worst case failure design intent, time requirements, and vessel operational modes
- specification of all redundant components (e.g. A, B) and single component groups included within the overall system boundary. The relevant system names, main units, compartments (when applicable), and their main intended functions shall be presented in a structured manner, supported with a descriptive narrative text.
- specification of all assumptions related to system interfaces and dependencies on external systems
- single failure and common cause analysis at unit (U) and subsystem levels (A, B)
- if applicable, separation design intent and descriptions of the installation of redundant component groups in fire and flooding protected compartments. This also includes cables and communication lines, and associated equipment.
- a test program identifying tests to verify assumptions and conclusions
- summary and conclusions:
  - for each subsystem analysed, the conclusions shall be stated at the end of the specific section
  - for the total system, an overall summary covering the main findings from the most critical subsystems.
- a compliance statement referring to the overall system boundary, operational modes, tests, and acceptance criterion including time requirements shall be stated for the FMEA.

Detailed requirements for the above parts are stated in this guideline.

Guidance note 1:
Please observe that the requirements to FMEAs for redundant systems differ from traditional bottom-up FMEAs in the following respects:
- requirement to state the redundancy design intent
- requirements to specification of the acceptance criterion to be complied with
- requirements to refer to full scale testing and sea trials to support the analysis
- requirements to state compliance with the acceptance criterion.

The FMEA documentation shall be self-contained and provide sufficient information to get the necessary overview of the system.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
In general, FMEAs of single non-redundant systems will normally require a complete breakdown of all parts of the systems, resulting in a large set of possible failure modes with the potential of affecting the function of the system. Consider, for example, a single engine and single propulsor for a cargo ship. (Normally there will be no class requirement to an FMEA of such single systems.) On the other hand, FMEA of redundant systems with a stated overall functional requirement (e.g. no single failure shall give loss of position) makes it possible to administer the actual detailed scope of the subsystem FMEAs in a top-down approach and to limit the detailed analysis. The top-down approach thus avoids detailed and complete FMEAs of each of the redundant subsystems.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


2. Definitions

2.1 General definitions

2.1.1 Active redundancy (IEC 191-15-02) is that redundancy wherein all means for performing a required function are intended to operate simultaneously.

2.1.2 Acceptance criterion/criteria are to be stated as the maximum accepted consequence of failure. The acceptance criterion/criteria should refer to the system boundary level.

Guidance note:
For the unit level the class notation requirements will normally be the acceptance criterion.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.3 Ageing failure, wear out failure, a failure whose probability of occurrence increases with the passage of time, as a result of processes inherent in the item (random failure) (IEC 191-04-09).

Aging or random failure: An aging or a random failure for a component or a subsystem is characterised by the fact that the failure may occur at any time, and the time of the failure event cannot be stated in advance to occur within a specified time.

Figure 2-1
For a random failure, the time to the failure event is random.

2.1.4 Benign failure modes, a term used for subsets of failure modes which primarily affect only the subsystem itself and have minor effect with regard to propagation leading to critical failures in other sub-systems.

Guidance note:
A typical benign failure mode is loss of power output, whereas overvoltage will be considered a non-benign failure mode. There is a need to define which possible states a system may enter after a failure. It cannot be assumed that a system or component is simply lost (absence of function). The system or component may enter a state affecting other units. Detailed analysis of basic functionality may have to be done at a single failure level; e.g. a faulty input from a draft sensor, a wind sensor, or a common reference signal may affect more than one redundancy group.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.5 Common cause failures (IEC 191-04-23), failures of different items, resulting from a single event, where these failures are not consequences of each other.

2.1.6 Common mode failures (IEC 191-04-24), failures of items characterized by the same fault mode.
Note: Common mode failures should not be confused with common cause failures, as the common mode failures may result from differing causes.

---e-n-d---of---N-o-t-e---

2.1.7 Common component group, represents components, physical connections, and dependencies between the redundant component groups.

2.1.8 Component group is a specified set of components or sub-systems within a specified component group boundary.

2.1.9 Dependent systematic failures: The unacceptable failure situations for redundant systems are related to failures in two or more redundant groups, when the second failure occurs in a systematic manner within the stated acceptable time requirement. The most critical situations are related to systematic failure propagation in the following situations:

- systematic failure propagation between dependent systems or common components


- systematic failure due to common cause propagation
- systematic failure propagation due to primary-secondary failure propagation.

Guidance note:
The key point is that the redundant systems will fail within the unacceptable failure time requirement as given in the acceptance criterion for the applied class notation. The objective of the single failure analysis is therefore to identify possible dependent systematic failures which may violate the stated acceptance criterion for the given class notations (DP, AP, RP, etc.).

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.10 Failure (ISO 14224, 3.15): termination of the ability of an item to perform a required function.
NOTE 1: After the failure, the item has a fault.
NOTE 2: "Failure" is an event, as distinguished from a "fault," which is a state.
NOTE 3: This concept as defined does not apply to items consisting of software only.

2.1.11 Failure cause (IEC 191-04-17): The circumstances during design, manufacture or use which have led to a failure.

2.1.12 Failure mode (ISO 14224, 3.20): The effect by which a failure is observed on the failed item.

Figure 2-2
Failure mode observed at boundary

2.1.13 FMEA: Failure mode and effect analysis.

Guidance note:
A general FMEA method is described in e.g. IEC 60812 2006. The method represents a bottom-up analysis of failure effects on the end item level (system boundary). The general FMEA does not, as a work process, take advantage of requirements to redundancy, acceptance criterion/criteria, and testing on the actual system, as required in the guideline for FMEA of redundant systems.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.14 Fail safe (IEC 90-191) is a design property of an item which prevents its failures from resulting in critical faults.

2.1.15 Hidden failure (ISO 14224, 3.24), a failure that is not immediately evident to operations and maintenance personnel.

Guidance note:
Equipment that fails to perform an "on demand" function falls into this category. Such failures must be revealed through checks. Monitoring and periodic testing/verification should be performed in order to ensure sufficient availability of such functions. Protective functions, e.g. in power plants and switchboards, are typical examples of on demand functions where possible hidden failures should be considered.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.16 Primary failure (IEC 191-04-15), a failure of an item, not caused either directly or indirectly by a failure or a fault of another item (also see secondary failure).

2.1.17 Redundant (IEC 90-191-15), in an item, the existence of more than one means for performing a required function.

2.1.18 Redundant component groups (subsystems) are two or more component groups which represent two or more means for performing a required function.

2.1.19 Redundancy design intent, the redundancy design intention refers to redundant component groups which constitute the overall system design for a given system operational mode and technical system configuration.


2.1.20 Secondary failure (IEC 191-04-16), a failure of an item, caused either directly or indirectly by a failure or a fault of another item (cascading failure).

2.1.21 Separation design intent, the separation design intention refers to separated redundant component groups which constitute the overall system design for a given system operational mode and technical system configuration.

2.1.22 Simultaneous independent failures, an ideal feature of redundant systems is that possible failure events occur statistically randomly and independently. This implies that a failure in the A sub-system and another failure in the B sub-system occurring independently within an acceptable time requirement period (simultaneous) is acceptable according to the class requirements in the DP, AP and RP class notations where redundancy is required.

2.1.23 Standby redundancy (IEC 191-15-03), that redundancy wherein a part of the means for performing a required function is intended to operate, while the remaining part(s) of the means are inoperative until needed.

2.1.24 System boundary, is a closed imaginary shell around all components assumed within the specified system.

Guidance note:
The system boundary can be considered as the "End item" concept used in IEC 60812.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.25 Systematic failure, reproducible failure (IEC 191-04-19), a failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.

Guidance note 1:
Corrective maintenance without modification will usually not eliminate the failure cause.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
A systematic failure can be induced at will by simulating the failure cause.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Figure 2-3
For a systematic failure, the time from when the failure cause is present until the failure event is limited. An example is an electronic component exposed to 1000°C, which will for sure fail within 10 minutes.

2.1.26 Technical system configuration, the technical system configuration includes all technical modes (and combinations of the modes) of all systems that may influence the redundancy and failure tolerance of the unit. This will typically include, but is not limited to, control system modes, power plant and thruster configuration, switchboard (AC and DC) configuration and distribution setup, auxiliary systems setup, valves, breakers, pumps, etc.

Guidance note:
The technical system configuration(s) are prerequisites for establishing the basis for an FMEA, and must be specified for all relevant configurations. One example could be that a vessel has different technical system configurations for different vessel operational modes; another example could be a vessel with DYNPOS-AUTRO notation that is also intended to have a mode based on DYNPOS-AUTR acceptance criteria, in which case both modes shall be stated, specified, analysed, and tested in the FMEA.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.27 Time requirement, the minimum required time duration for which the residual remaining capacity as defined by the worst case failure design intent shall be available.


Guidance note:
The time requirement will normally be governed by the maximum time necessary to safely terminate the on-going operations after the worst case single failure, given the residual remaining capacity. All relevant operational scenarios which the vessel performs and/or participates in must be considered when deciding the time requirements. This time requirement must be fulfilled by the design, and by the way the vessel is technically configured (technical system configuration) and operated.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.28 Unit, the complete physical system (e.g. vessel) in which the redundant system (e.g. DP system) to be analysed is included.

2.1.29 Vessel operational mode(s), the vessel operational mode specifies the high level system setup and redundancy design intention for a specified set of vessel operations. Examples of vessel operations are position keeping, weather vaning, manoeuvring, dredging and diving.

Guidance note:
The FMEA must as a minimum specify one vessel operational mode. In case more than one mode is intended, each mode must be specified. It is understood that "vessel operations" in this context is a common term comprising vessel operations, control system modes and industrial functions.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.30 Worst case failure design intent, the worst case failure design intent shall refer to the minimum remaining capacity after any relevant single failure or common cause (for a given operational mode).

2.1.31 Zone is a confined space with fire and flooding protection.


3. Documentation

3.1 General

3.1.1 The documentation listed in Table 3-1 is required for the approval and test work process related to Failure Mode Effect Analyses for redundant systems.

Table 3-1 Documentation requirements

Documentation type: Failure mode and effect analysis
Information elements:
  1) Introduction to FMEA: system boundary and redundant component groups; acceptance criterion/criteria
  2) Summary and conclusions
  3) Redundancy Design Intent and operational modes
  4) Single Failure propagation analysis
  5) Unit FMEA and subsystem FMEA
  6) Separation Design Intent and separation verification
  7) Compliance statement
  8) References

Documentation type: FMEA test procedure
Information element:
  9) Test procedure. Each test or inspection activity shall be described by:
     - test purpose and reference to analysis
     - test setup
     - test method
     - expected results and acceptance criteria
     - observation and results of test
     - space for notes and conclusions

Documentation type: FMEA report
Information element: The updated FMEA and the test records shall, together with the findings, conclusions and test summary, be compiled into an FMEA report.


4. Redundancy Design Intention

4.1 General

4.1.1 The objective of the redundancy design intention is to specify the redundancy, i.e. to describe at a high level the distribution of systems and components into redundant groups. High level dependencies and intersections between these groups must be described. The intended normal operation and the operation after relevant single failures (normally one failure at a time) shall also be specified.

4.1.2 Redundant component groups (e.g. A and B) in a unit (U) can either have no intersection, have some common components, or be related by connecting components (e.g. X).

Figure 4-1
The general concept of redundant systems and component groups

Guidance note:
Redundancy within the unit boundary level means that there is more than one means for performing a required function. The redundancy design intention by means of component groups shall specify how the redundant parts are intended to be organised, documented and denoted in the FMEA for redundant systems.
The redundancy design intention for a redundant component group (A-B) shall specify if and how components in groups A and B are connected. There are basically three situations in which redundant systems or component groups can be organised and described:
i) In the first, no components belong to both A and B.
ii) In the second situation, some common components belong to both A and B (intersection between A and B), e.g. common passive parts in a cooling water system.
iii) In the third situation, no components belong to both the A and B group; however, A and B are connected by components in a common component group X (e.g. main SWBA and SWBB, where a bus tie connection is SWBX).

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.2 Redundancy design intention and functional redundancy types

4.2.1 The redundancy design intention is first to be specified for the main set of systems (e.g. thrusters and propellers). The subsystems required for operation of the thrusters, such as machinery, power generation, power supply, and control systems, shall be clarified for all operational modes. The intended normal operation mode(s) before single failure shall be stated, as well as the intended operation after a single failure.

4.2.2 All redundant functions shall have a stated ability to transfer to the non-failed function. The intended functionality of fail safe functions or switching functions between redundant systems shall be described by means of figures, tables, block diagrams, and a descriptive narrative supporting text. Each operational mode and the switching or fail safe functionality of the redundant systems shall be stated.

4.2.3 The functional redundancy type (e.g. active or passive, including a switchover time limit / restoration time) shall also be stated.

Guidance note:
Examples of redundancy types:
- active redundancy
- passive redundancy (standby redundancy (hot or cold standby))
- partly loaded redundancy
- change over redundancy

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.2.4 All redundant groups shall be documented to be able to operate as specified in the redundancy design intention, including the functional redundancy type, and according to the stated acceptance criterion/criteria.


Guidance note 1:
Example of how to illustrate the redundancy design intention for a ship with one main and one alternative propulsion system, as required by the additional class notation AP-2 (also refer to section A).

Figure 4-2
The acceptance criteria shall be related to a specific reference level as indicated above. For class notation AP-2(a%)(+): it shall be possible to engage the alternative propulsion system within a maximum of 5 minutes after failure of the main propulsion system (shall be possible from the bridge).

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
Example with DP system and 4 thrusters

Figure 4-3
The arrangement of the redundant thruster groups is indicated in the figure to the left and in the middle above. The "no loss of positioning" requirement is illustrated by a fault tree, divided into the no drift off and no drive off events.

The redundancy design intention in this example may be described e.g. in a narrative way, by describing both the normal operation mode and the failed operation mode.

Redundancy design intention | Subsystem/component groups | Functional redundancy type/description
Normal operation requirement | P1A | P1A running, P2B not running; passive redundancy
Intended operation after single failure | P2B | Possible to engage P2B within 5 minutes

Redundancy design intention | Redundancy type/description
The normal operation before failure shall be based on positioning by the T1A and T3A thruster group and the T2B and T4B thruster group | Active redundancy
In the case of a single failure, the positioning operation shall be based either on the (T1A and T3A) thruster group or the (T2B and T4B) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B.

[Figure 4-2 and Figure 4-3 residue: propulsion units P1A and P2B within unit UAUX; fault tree with top event "Loss of position/heading" = Drift off OR Drive off, where Drift off = Loss of A positioning AND Loss of B positioning, and Drive off = A drive off OR B drive off; thruster groups T1A, T3A and T2B, T4B.]


The same redundancy design intention may alternatively be described in a logic description/Boolean style:

Please note that the OR (inclusive OR) operator in a Boolean expression, e.g. A OR B, is true if either (A or B) or (A and B) are true. Another way of expressing this is that A OR B means the same as A and/or B.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3:
Example with 5 thrusters and two operational modes

Figure 4-4
Example indicating a vessel with 5 thrusters

Narrative description of redundancy design intention for 5 thrusters operational mode 1

Narrative description of redundancy design intention for 5 thrusters operational mode 2

The above redundancy design intentions for 5 thrusters, operational modes 1 and 2, can as an alternative be expressed in a more logic or Boolean style as indicated below:

Operational mode 1

Operational mode 2

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Redundancy design intention | Redundancy type/description
Normal operation before failure: ((T1A AND T3A) AND (T2B AND T4B)) | Active redundancy
Operation after single failure: ((T1A AND T3A) OR (T2B AND T4B)) AND (NO DRIVE OFF (T1A AND T3A AND T2B AND T4B)) | No drift off and no drive off of any thruster

Redundancy design intention | Redundancy type/description
The normal operation before failure shall be based on positioning by the (T1A and T3A) thruster group and the (T2B, T4B and T5) thruster group | Active redundancy
In the case of a single failure, the positioning operation shall be based either on the (T1A and T3A) thruster group or the (T2B and T4B and T5) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B, T5.

Redundancy design intention | Redundancy type/description
The normal operation before failure shall be based on positioning by the (T1A and T3A and T5) thruster group and the (T2B and T4B) thruster group | Active redundancy
In the case of a single failure, the positioning operation shall be based either on the (T1A and T3A and T5) thruster group or the (T2B and T4B) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B, T5.

Redundancy design intention | Redundancy type/description
Normal operation before failure: (T1A AND T3A) AND (T2B AND T4B AND T5) | Active redundancy
Operation after single failure: (T1A AND T3A) OR (T2B AND T4B AND T5) | No drift off and no drive off of any thruster

Redundancy design intention | Redundancy type/description
Normal operation before failure: (T1A AND T3A AND T5) AND (T2B AND T4B) | Active redundancy
Operation after single failure: (T1A AND T3A AND T5) OR (T2B AND T4B) | No drift off and no drive off of any thruster

[Figure 4-4 residue: thrusters T1A, T3A, T2B, T4B, T5 and diesel generators DG1A, DG2A, DG3B, DG4B.]


Guidance note 4:
Example with a rig with 8 thrusters, 2 in each corner of the rig, two pontoons.

Figure 4-5
Example indicating a rig with 8 thrusters, 2 in each corner of the rig, two pontoons

The redundancy design intention may be expressed in a short narrative manner as indicated below:

Alternatively the redundancy design intention may be expressed in a more logic or Boolean style:

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.3 Specification of subsystem or component groups

4.3.1 A component group or a subsystem is a set of specified components within a specified group boundary. All component groups shall be denoted by unique identifiers indicating the component group type, the type of equipment, and function(s) within the group.

4.3.2 All redundant systems shall be specified by means of a set of component groups. The design intention shall clearly state all redundant component groups where functional system redundancy is the means to achieve the required acceptance criterion/criteria.

Guidance note:
The redundancy design intention can be expressed at a high level by redundant groups presented in diagrams or tables (e.g. by denominating the groups with names as specific groups, e.g. diesel generator starboard side DG3, diesel generator port side DG1). It may be convenient to include several components in a component group in order to keep the number of redundant component groups at a lower level.
Example: Redundant component group DG1 consists of:
- diesel motor (specific tag number)
- generator (specific tag number)
- generator breaker
- etc.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.3.3 Components which connect redundant component groups or are common for redundant component groups shall be specified as:

- common component groups, or
- groups required (dependent) for operation of the redundant groups.

The redundancy design intention | Redundancy type
Normal operation without failure: at least one thruster should be operating in all 4 corners of the rig | Active redundancy
In the situation where a single failure has occurred: only the thrusters in one corner of the rig shall be allowed to stop. A bumpless transfer to the failed state is required. | Active redundancy, continuous operation, bumpless transfer

The redundancy design intention | Redundancy type
Normal operation without failure: ((T1A OR T2A) AND (T3B OR T4B) AND (T5C OR T6C) AND (T7D OR T8D)) | Active redundancy
Operation after single failure: ((T1A OR T2A) AND (T3B OR T4B) AND (T5C OR T6C)) OR ((T1A OR T2A) AND (T3B OR T4B) AND (T7D OR T8D)) OR ((T1A OR T2A) AND (T5C OR T6C) AND (T7D OR T8D)) OR ((T3B OR T4B) AND (T5C OR T6C) AND (T7D OR T8D)) | Active redundancy, continuous operation, bumpless transfer

[Figure 4-5 residue: thruster labels T1A, T2A, T3B, T4B, T5C, T6C, T7D, T8D, two per corner.]


Figure 4-6
The general concept of redundant systems and component groups

Guidance note:

- Connections between redundant groups shall be identified and be represented as cross component groups (e.g. denominated as X groups) or common components.

- The intention with the X groups is to represent the components or installations which may represent all types of means for propagating failure effects from a redundant group to the corresponding redundant group (Example: The main switchboard on the A side is denominated as SWBA and the B side is denominated as SWBB. A bus tie between the two switchboard sides could be denoted as SWBX).

- Fuel line crossovers, connected cooling water, and common software modules are examples of common component groups and could be denoted as X group components.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.3.4 All redundant and common component groups shall be presented in a structured manner by means of block or component group diagrams, logic descriptions, tables or drawings covering the high level description of the redundant systems.

4.4 Specification and analyses of dependencies

4.4.1 All subsystem or component dependencies shall be identified and documented in a structured manner by means of tables, logic descriptions, drawings, or diagrams. This system mapping shall be performed both for dependencies within the redundancy groups and between the redundancy groups.

Guidance note 1:
All system dependencies shall be identified in tables, or by equivalent means, in which main equipment such as engines, generators, thrusters, electrical power switchboards etc. are grouped together to form self-contained systems, each of which is capable of maintaining a residual position keeping capability in a worst case single failure incident. This identification process shall involve all equipment dependencies belonging to each redundant component group. The redundancy may be documented aided by a tag numbering system where one redundant part system is clearly distinguishable from the other redundant part.

Figure 4-7
Illustration of DP thrusters and DP thruster system dependencies in a diagram

The intention with this system dependency mapping is to identify all interconnections between redundant part-systems, hardware- or software-wise, and prepare for analysis with regard to potential failure propagation within and across the redundant system boundaries.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

[Figure 4-7 residue: System group A = Diesel Generator DG1,2 (with Lube Oil, Fuel Oil, Freshwater, ...) feeding thrusters T1 and T3; System group B = Diesel Generator DG3,4 (with Lube Oil, Fuel Oil, Freshwater, ...) feeding thrusters T2 and T4.]


Guidance note 2:
Example related to class notation alternative propulsion (AP-2)

Figure 4-8
Illustration of propulsion system for redundant notation AP-2

Dependency statements:
Normal operation mode dependency: P1A dependent on {MV1A, GenSet1, MSB1, Prime mover1, Propulsor1, AUX, ...}
Failed operation mode dependency: P2B dependent on {MV2B, GenSet2, MSB2, Prime mover2, Propulsor2, AUX, ...}

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3:
Example with 4 thrusters and 4 diesel generators for a DP-2 notation

Figure 4-9
Example of vessel system with 4 thrusters and 4 diesel generators for a DP-2 notation.

Redundancy design intention | Subsystem/component groups | Functional redundancy type/description
Normal operation requirement | P1A | P1A running, P2B not running; passive redundancy
Intended operation after single failure | P2B | Possible to engage P2B within 5 minutes

Redundancy design intention overview by redundant and common component groups
Redundant A groups | Common groups (X groups) | Redundant B groups
Thrusters A: T1A AND T3A | | Thrusters B: T2B AND T4B
Thrusters A dependent on: | | Thrusters B dependent on:
Diesel generators A: DG1A OR DG2A | | Diesel generators B: DG3B OR DG4B
Main switchboard A: SWBA | Main bus tie switchboard: SWBX | Main switchboard B: SWBB

[Figure 4-8 and Figure 4-9 residue: unit UAUX with propulsion units P1A and P2B; diesel generators DG1A, DG2A, DG3B, DG4B (motor/generator symbols M, G) feeding switchboards SWBA and SWBB; thrusters T1A, T3A, T2B, T4B.]


Please note that in the operational mode of the table above, the main bus tie (SWBX) is assumed to be open; the A and B groups are then not dependent on SWBX. (In case the failure mode "spurious closing of main bus tie" is to be considered, SWBX should be included in the common X group.) In the operational mode where SWBX is closed (table below), both thruster groups A and B are dependent on SWBX.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 4:
Example with 5 thrusters and 5 diesel generators and DP-2 notation

Figure 4-10
Example of vessel system with 5 thrusters and 5 diesel generators for a DP-2 notation

Redundancy design intention | Component groups/subsystems | Redundancy type
Normal operation: | (T1A AND T3A) AND (T2B AND T4B) | Active redundancy
Operation after failure: | (T1A AND T3A) OR (T2B AND T4B) |

Redundancy design intention overview by redundant and common component groups (SWBX open)
Redundant A groups | Common groups (X groups) | Redundant B groups
(T1A AND T3A) | | (T2B AND T4B)
Dependent on | | Dependent on
(DG1A OR DG2A) | | (DG3B OR DG4B)
SWBA | | SWBB

Redundancy design intention overview by redundant and common component groups (SWBX closed)
Redundant A groups | Common groups (X groups) | Redundant B groups
(T1A AND T3A) | | (T2B AND T4B)
Dependent on | | Dependent on
(DG1A OR DG2A) | | (DG3B OR DG4B)
SWBA | SWBX | SWBB

[Figure 4-10 residue: diesel generators DG1A, DG2A, DG3B, DG4B and DG5 (motor/generator symbols M, G) feeding switchboards SWBA, SWBB and the bus tie section SWBX; thrusters T1A, T3A, T2B, T4B and T5; load shares 50%, 50%, 100%.]


Two operational modes are defined for the above system with 5 thrusters. The difference between these two modes is that the DG5 generator is either supporting the B group thrusters (mode 1) or the A group thrusters (mode 2).

Dependency statements for operational mode 1

Dependency statements for operational mode 2

Please note the different dependency statements between operational modes 1 and 2. Thruster group A may be independent of DG5 in operational mode 1, and thruster group B may be independent of DG5 in operational mode 2.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Redundancy design intention, operational mode 1
Redundancy design intention | Component groups/subsystems | Redundancy type
Normal operation: | (T1A AND T3A AND ½T5) AND (T2B AND T4B AND ½T5) | Active redundancy
Operation after failure: | (T1A AND T3A AND ½T5) OR (T2B AND T4B AND ½T5) |

Redundancy design intention overview by redundant and common component groups
Redundant A groups | Common groups (X groups) | Redundant B groups
(T1A AND T3A AND ½T5) | | (T2B AND T4B AND ½T5)
Dependent on | | Dependent on
(DG1A OR DG2A) | | (DG3B OR DG4B OR DG5)
... | | ...

Redundancy design intention, operational mode 2
Redundancy design intention | Component groups/subsystems | Redundancy type
Normal operation: | (T1A AND T3A AND ½T5) AND (T2B AND T4B AND ½T5) | Active redundancy
Operation after failure: | (T1A AND T3A AND ½T5) OR (T2B AND T4B AND ½T5) |

Redundancy design intention overview by redundant and common component groups
Redundant A groups | Common groups (X groups) | Redundant B groups
(T1A AND T3A AND ½T5) | | (T2B AND T4B AND ½T5)
Dependent on | | Dependent on
(DG1A OR DG2A OR DG5) | | (DG3B OR DG4B)
... | | ...
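As an added example (not code from the DNV document), the single-failure check that the dependency tables of Guidance notes 3 and 4 describe, for the 4-thruster DP-2 example with the Boolean-style design intention of Sec.4.2 Guidance note 2: every component is failed in turn and the operation-after-failure expression is evaluated with the bus tie open and closed. The availability model and the function names are assumptions made for this illustration.

```python
"""Added example (not DNV's code): single-failure check of the redundancy
design intention for the DP-2 example of Sec.4.4 Guidance note 3.

Component names follow the tables (T1A, T3A, T2B, T4B, DG1A..DG4B, SWBA,
SWBB, SWBX); the availability model and the checker are assumptions.
"""
from typing import Callable, Dict, List, Set

Availability = Dict[str, bool]

GENERATORS = ["DG1A", "DG2A", "DG3B", "DG4B"]
SWITCHBOARDS = ["SWBA", "SWBB", "SWBX"]
# thruster: (main switchboard it hangs on, generators that can feed it)
THRUSTERS = {
    "T1A": ("SWBA", ["DG1A", "DG2A"]),
    "T3A": ("SWBA", ["DG1A", "DG2A"]),
    "T2B": ("SWBB", ["DG3B", "DG4B"]),
    "T4B": ("SWBB", ["DG3B", "DG4B"]),
}
COMPONENTS = GENERATORS + SWITCHBOARDS + list(THRUSTERS)


def normal_operation(a: Availability) -> bool:
    """Normal operation: (T1A AND T3A) AND (T2B AND T4B)."""
    return (a["T1A"] and a["T3A"]) and (a["T2B"] and a["T4B"])


def after_single_failure(a: Availability) -> bool:
    """Operation after failure: (T1A AND T3A) OR (T2B AND T4B)."""
    return (a["T1A"] and a["T3A"]) or (a["T2B"] and a["T4B"])


def availability(failed: Set[str], bus_tie_closed: bool) -> Availability:
    """Evaluate the dependency statements for a set of failed components.

    Thrusters A dependent on (DG1A OR DG2A) and SWBA; thrusters B dependent
    on (DG3B OR DG4B) and SWBB.  With the main bus tie closed, SWBX is a
    common X group both switchboards depend on (Sec.4.4 Guidance note 3).
    """
    avail: Availability = {c: c not in failed for c in COMPONENTS}
    if bus_tie_closed and not avail["SWBX"]:
        avail["SWBA"] = avail["SWBB"] = False
    for thruster, (board, gens) in THRUSTERS.items():
        avail[thruster] = (
            avail[thruster] and avail[board] and any(avail[g] for g in gens)
        )
    return avail


def violating_single_failures(
    bus_tie_closed: bool,
    intention: Callable[[Availability], bool] = after_single_failure,
) -> List[str]:
    """Components whose single failure violates the stated intention."""
    return [
        c for c in COMPONENTS
        if not intention(availability({c}, bus_tie_closed))
    ]


def common_groups(bus_tie_closed: bool) -> List[str]:
    """Components both redundant groups depend on: a single failure that
    takes a thruster away from the A side AND from the B side."""
    result = []
    for c in COMPONENTS:
        a = availability({c}, bus_tie_closed)
        lost_a = not (a["T1A"] and a["T3A"])
        lost_b = not (a["T2B"] and a["T4B"])
        if lost_a and lost_b:
            result.append(c)
    return result


if __name__ == "__main__":
    assert normal_operation(availability(set(), bus_tie_closed=False))
    for closed in (False, True):
        mode = "closed" if closed else "open"
        print(f"bus tie {mode}: violating single failures ="
              f" {violating_single_failures(closed)},"
              f" common X groups = {common_groups(closed)}")
```

With the bus tie open no single failure violates the intention; with it closed, SWBX shows up both as the only violating single failure and as the only common X group, which is the point made in the note on the two tables.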


Guidance note 5:
Example of system mapping of redundant DP control system:

Figure 4-11
Example of redundant DP control system

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Redundancy design intention overview by redundant and common component groups
Redundant A groups | Common/connecting groups (X groups) | Redundant B groups
Thruster System A: T1, T3 | | Thruster System B: T2, T4
Dependent on | | Dependent on
Power System A: Diesel generators A; DG1, DG2. Main switchboard A; SWB A | SWB X | Power System B: Diesel generators B; DG3, DG4. Main switchboard B; SWB B
Operator Station A: DPP A, DPD A, TRB A, OSC A | | Operator Station B: DPP B, DPD B, TRB B, OSC B
DP LAN A: DPSW A, Net A1, A2 and A3 | Net X1, X2, X3 and X4 | DP LAN B: DPSW B, Net B1, B2
DP Controller A: DPC A, Bus A | | DP Controller B: DPC B, Bus B
IO System A: IO A1, IO A2, Serial A1, A2, HW A1, A2 | | IO System B: IO B1, IO B2, Serial B1, HW B1, B2
Sensor System A: Gyro 1, Gyro 3, VRU 1, VRU 3, Wind 1, Wind 3 | | Sensor System B: Gyro 2, VRU 2, Wind 2
Posref System A: DGPS 1, Laser | | Posref System B: DGPS 2
Power Distr A: UPS A, Power A1, A2, A3, A4 | | Power Distr B: UPS B, Power B1, B2, B3
(Control system boundary)


5. Single Failure Propagation in Redundant Systems

5.1 General

5.1.1 The objective of section E is to prepare for an understanding of the underlying complex nature of possible failure propagation in redundant systems. This is illustrated by some examples given in the guidance note below. The intention is to clarify the underlying analytic reasoning that must form the basis for the failure mode analysis, and to give examples of interpretations and use of terminology (e.g. primary-secondary failure, common component, common cause, ...).

Guidance note:
The simplified abstraction (UAXB model) gives the basic examples of failure propagation, but the model should not be understood to be exhaustive. In general, the basis for an FMEA is that all relevant failure modes shall be considered and that it will not be acceptable to only consider benign failure modes. However, please note that in a practical industrial context of FMEA, it may not be possible that all failure modes and failure mechanisms are included in the written identification of failures and common causes. In the case that the list of identified failure modes and common causes is non-exhaustive, a justification of the limited analysis shall be given. Under no circumstances should the analysis be limited to a scope less than the required or otherwise applicable standards (e.g. IMCA and MTS standards).

It must be emphasised that the establishment of a standard set of failure modes for specific systems cannot relieve or replace the requirement for an open-minded and analytic approach to the identification of failure modes and common causes. The purpose of this approach is to ensure that the relevant set of failure modes will be considered for the given system (in relation to the UAXB topology, operation, environment and other factors), and to ensure a well managed test and verification scope.

The main issue with regard to failures in redundant systems is to clarify that no single failure or single failure cause may affect the redundant systems as defined in the redundancy design intention. There are basically three effects that may lead to non-acceptable simultaneous failures of redundant systems:
1) Failure in a component group or subsystem which both redundant systems are dependent on, or both systems have common components, so that a failure will affect both redundant systems (e.g. common cooling system).
2) Common cause failure affecting both redundant systems (e.g. fire, flooding, external EMC, GPS satellites, extreme movements of the vessel).
3) Primary failure in one of the redundant systems propagating to the other redundant system (e.g. short circuit).

Below are illustrated some examples of the above propagation effects:

Figure 5-1
Common component X causing failures in A and B

Figure 5-2
Common cause failure, resulting from a single event related to U, i.e. either as an external common cause (ECC) or an internal common cause (ICC). (E.g. fire and flooding, gas into air intakes, environment, vibration, high seas affecting contamination in fuel tanks, shocks, humidity, EMC, ...)

Figure 5-3
Primary failure in subsystem A propagating to a secondary failure in subsystem B (e.g. ignition, fire, heat, vibration, network storm in A propagating to B)


The above examples are of course not exhaustive and should not limit the scope of failure mode identification in the FMEA. The above principles may be combined in numerous ways; two typical combinations are given in Figure 5-4.

Figure 5-4
Primary failure in X propagating to A and B and then leading to secondary failures in A and B. The failure propagation from X may also be described as a common cause for the failures in A and B (left figure). In the right figure common causes lead directly to failures in A, X, and B.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.2 Failures, common causes, and systematic failure propagation

5.2.1 Any relevant single random failure or common cause which may propagate within the time requirement and violate the stated acceptance criterion shall be considered, and the effect of these shall be analysed. However, the unlikely event of two independent random failures or common causes occurring within the defined time requirement is normally not considered.

5.2.2 The objective of the single failure analysis is furthermore to identify possible dependent systematic failure propagation, e.g. for the given class notation like DP, AP, or RP.

Guidance note:
The unacceptable failure situations for redundant systems are related to failure propagation between two or more redundant groups, when the failure propagation occurs in a systematic manner within the time requirements. The most critical situations are related to systematic failure propagation in the following cases:
- systematic failure propagation between dependent systems or failure of common components
- systematic failure due to common cause propagation
- systematic failure propagation due to primary/secondary failure propagation.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.2.3 The overall requirement is that the redundant systems shall not fail so that the acceptance criteria and the redundancy design intent are violated within the defined time requirement. These considerations shall cover all relevant system operational modes and other relevant conditions (e.g. environmental).

5.2.4 For a given system, the selection of scope of relevant failures, common causes, and time requirements shall be given by the applicable requirements, e.g. classification rules.

Guidance note:
In addition to software and hardware failures, the following should be considered:
- any combination of hidden failures
- possible effects of inadvertent acts of operation, if reasonably probable.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.3 Barriers and other compensating measures

5.3.1 The FMEA shall describe and analyse barriers and other compensating measures established for:

- prevention of failure propagation,
- limitation of possible consequence of failures, or
- improvement of remaining capacity after failure.

This also includes compensating measures like failure detection, protective functions, stand-by start, re-start, change-over, etc.

5.3.2 When the system integrity is assumed to be based on two or more barriers, any possible dependencies between such barriers must be analysed. The analysis must verify that the barriers are sufficiently independent so that the acceptance criteria are complied with.


Guidance note 1:
Requirements to barriers (e.g. protective functions, physical separation, etc.) or compensating measures may typically be guided by, e.g., classification rules.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
The red (bold) lines in the figures below indicate where (how) barriers to prevent systematic failure propagation for common component failures, common cause failures, and primary/secondary failures can be visualised.

Figure 5-5
Barriers indicated by red bold lines to prevent internal common causes (ICC) or external common causes (ECC)

Figure 5-6
Barriers indicated by red bold lines to prevent primary failures from propagating to secondary failures

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.4 Failure propagation analysis at subsystem level

5.4.1 All component groups or subsystems (A, B) within a unit (U) shall be subject to single failure propagation analysis.

5.4.2 In addition all common causes affecting two or more system groups have to be identified.

5.4.3 In all cases the failure mode effects must be evaluated in relation to the acceptance criterion and within the given time requirement.

Guidance note 1:
The basis for the failure propagation analysis is typically:
- the unit FMEA consisting of a specified unit with a given unit boundary
- a set of redundant subsystems/component groups
- redundancy design intentions for the stated operational modes and time requirement
- dependency statements of subsystems and, if possible, allocated requirements to the subsystems giving functional and redundancy requirements to the subsystems assuming a single failure
- any available specific subsystem FMEAs from the manufacturers (e.g. thruster controller systems, DP control systems, power management systems, and the mode selector/change system).
The single failure propagation analysis should be organised by handling the subsystems in sequence.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 2:
A failure mode is the effect by which a failure is observed on the failed item (subsystem boundary).

Figure 5-7
Primary failure in subsystem A propagating to a secondary failure in subsystem B, e.g. fire, vibration, network storm in A propagating to B.

Note that the failure mode description is related to the failure effect at the subsystem boundary. Descriptions of the initial causes or internal component failures within the boundary are not necessary in order to describe failure modes (e.g. lubrication pump failure, engine shutdown, engine to full power, loss of power to auxiliaries for governor, generator under-excitation, generator over-excitation, ...). However, examples of initial failure (e.g. fuel starvation, pipe rupture, clogged filter) for a given failure mode (e.g. under-frequency of generator) should support the analysis in order to justify the relevance of the failure mode.

Failures within A have to be identified to such an extent that all failure modes at the A system boundary will be identified. Please observe that failures which have no effect at the subsystem boundary need not be elaborated in the failure mode propagation analysis. On the other hand, all failures giving the same failure effect at the system boundary can be considered as one failure mode in the failure mode propagation analysis.

Figure 5-8
Common cause failure, resulting from a single event related to U, i.e. either as an external common cause (ECC) or an internal common cause (ICC). (E.g. GPS satellite signals to redundant GPS systems, fire and flooding, gas into air intakes, environment, vibration, high seas affecting contamination in fuel tanks, ship heeling, shocks, humidity, EMC, ...)

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.4.4 The single failure propagation analysis shall:

- investigate possible failure modes for the subsystem and then the possible failure propagation paths from the subsystem to other subsystems, and
- investigate possible failure modes for the common connecting groups and then the possible failure propagation paths from the common connecting groups to the connected subsystems, and
- investigate possible common causes which can influence more than one subsystem directly or indirectly by influencing one subsystem or common connecting group.

Based on the above types of investigation, it shall be documented at the unit level which failure modes may violate the redundancy design intent and acceptance criteria within the stated time requirement.

[Figure 5-8 residue: unit U with redundant GPS A and GPS B subject to an external common cause (ECC).]


Figure 5-9 illustrates the main principles for failure mode propagation in a redundancy design intention table:

Legend:
- Failure originating in A group, propagating to B via connecting X-group
- Failure originating in connecting X-group, propagating to A and B group
- External common cause, affecting A and/or B and/or common connecting X-group

Figure 5-9
Failure modes may propagate from subsystems to other subsystems or from common causes outside the component groups. The overall task is to identify possible failure modes which may affect the overall redundancy design intention within the time requirements.

5.4.5 All relevant failure modes for each subsystem shall be identified. As a result of the failure investigation, the following information elements shall be documented in an organised manner, e.g. by means of a worksheet. As a minimum the following information elements shall be provided:

- each component group and subsystem assumed to have a single failure
- identified potential failure modes at each component and possible common causes
- initial failure or common cause as justification for including the failure mode
- identified failure detection methods
- effect on other subsystems
- barriers or compensating measures for the failure mode
- end effect at unit level
- reference to inspection, testing, and verification necessary to prove and support the conclusions.

Redundancy design intention by redundant and common component groups
Redundant A groups | Common/connecting groups (X groups) | Redundant B groups
Thruster System A: T1, T3 | | Thruster System B: T2, T4
Dependent on | | Dependent on
Power System A: Diesel generators A; DG1, DG2. Main switchboard A; SWB A | SWB X | Power System B: Diesel generators B; DG3, DG4. Main switchboard B; SWB B
Operator Station A: DPP A, DPD A, TRB A, OSC A | | Operator Station B: DPP B, DPD B, TRB B, OSC B
DP LAN A: DPSW A, Net A1, A2 and A3 | Net X1, X2, X3 and X4 | DP LAN B: DPSW B, Net B1, B2
DP Controller A: DPC A, Bus A | | DP Controller B: DPC B, Bus B
IO System A: IO A1, IO A2, Serial A1, A2, HW A1, A2 | | IO System B: IO B1, IO B2, Serial B1, HW B1, B2
Sensor System A: Gyro 1, Gyro 3, VRU 1, VRU 3, Wind 1, Wind 3 | | Sensor System B: Gyro 2, VRU 2, Wind 2
Posref System A: DGPS 1, Laser | | Posref System B: DGPS 2
Power Distr A: UPS A, Power A1, A2, A3, A4 | | Power Distr B: UPS B, Power B1, B2, B3
(Common cause: acts on A and/or X and/or B from outside the component groups)


Guidance note:

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.4.6 The failure propagation analysis for each subsystem shall conclude on the following questions:

- Can any single failure mode in the subsystem propagate so that it violates the unit acceptance criterion?
- Can the conclusions be verified by testing? Refer to the specific test in a test program.
- If it is not possible to test, is there a need for further verification of functionality or compensating measures?
- Is there a need for further failure analysis inside the subsystem boundary (e.g. for FMEA of thrusters, DP control systems, mode selector, PMS, ...)? Refer to the subsystem FMEA for single and redundant subsystems.

5.4.7 In general, conclusions in the theoretical analysis shall be verified by testing. If testing is considered not possible or not necessary, such statements shall be justified in the FMEA with sufficient conclusions (evidence, proof, ...).

5.4.8 The results of the FMEA of all subsystems shall be compiled and form the result of the unit FMEA. The unit FMEA shall cover the entire unit with all its relevant systems and components. The unit FMEA shall relate to the overall acceptance criteria, including time requirements, and shall provide conclusive evidence of compliance with the criteria.

Example of worksheet table
Subsystem failed | Failure mode (local effect at subsystem boundary) | Initial failure/common cause | Failure detection methods | Effect on other sub-systems | Compensating measure/Barrier | End effect at unit (U) | Reference to test or verification
DG1 | DG1 stop | Mechanical breakdown | Alarm | Higher load DG2 | DG1 generator breaker opens | DG3 or DG4 running normally; T1, T2, T3 and T4 positioning | Ref test #1: Stop DG1 and check alarm and effect
DG1 | Low frequency | Fuel starvation | Alarm, disconnect | Higher load DG2 | Bus tie opens SWBX | ... | Ref test #2
DG1 | High bus voltage | AVR failure | Alarm, disconnect | Higher load DG2 | Bus tie opens SWBX | ... | Ref test #3
DG1 | Load sharing failure, active power | ... | ... | ... | ... | ... | ...
DG1 | ... | ... | ... | ... | ... | ... | ...


6. Unit and Subsystem FMEA

6.1 Requirements to the unit FMEA including subsystem FMEA

6.1.1 The unit FMEA shall cover the entire unit with all its relevant systems and components. When parts of the unit FMEA are based on subsystem FMEAs (e.g. delivered by subsystem manufacturers), the requirements in G and H apply.

6.1.2 The unit FMEA shall as a minimum include:

- reference to the subsystem FMEA document and a short description of the subsystem
- clarification of subsystem boundaries - interfaces and dependencies to the subsystem shall be clarified
- the allocated requirements to the subsystem including the subsystem design intention (see below)
- an evaluation of the subsystem FMEA to ensure that it is fit for purpose, e.g. that all relevant operational modes and failure modes are considered
- the subsystem design intention shall be compared with the overall unit design intention in order to verify that intentions are consistent.

Guidance note:

Figure 6-1 In the left figure above an FMEA of redundant subsystem C (e.g. redundant control system) is illustrated. In the right figure above, an FMEA of a single system C (e.g. thruster) is illustrated. In both cases the acceptance criteria at the unit boundaries should be clarified (allocated) at the subsystem C boundary.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

6.2 Allocation of unit requirements to subsystems/component groups

6.2.1 In order to support the overall redundancy design intent, requirements must be allocated to the subsystems. The subsystem design intention will be determined (allocated) by these requirements. The objective of 6.2 is to provide explanatory examples of how this allocation can be documented.

Guidance note 1:
In general, FMEA's of single non-redundant systems will normally require a complete breakdown of all parts of the systems, resulting in a large set of possible failure modes with the potential of affecting the function of the system. On the other hand, FMEA of redundant systems with a stated overall functional requirement (e.g. no single failure shall give loss of position and/or loss of heading) may give a possibility of administrating the actual detailed scope of the subsystem FMEA's into a top-down approach and limiting the detailed analysis. The top-down approach thus avoids detailed and complete FMEA's of each of the redundant subsystems. For a specific unit with a redundancy design intention, the allocation task is to establish the requirements at subsystem boundary level (Ref 6.1.2).

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
Example: Allocation of redundancy design intention from unit level to subsystem level for a redundant DP control system.
The unit redundancy design intention for the system described below is expressed as:

| Redundancy design intention | | Redundancy type/description |
| Normal operation before failure | ((T1 AND T3) AND (T2 AND T4)) | Active redundancy |
| Operation after single failure | ((T1 AND T3) OR (T2 AND T4)) AND (NO DRIVE OFF (T1 AND T3 AND T2 AND T4)) | No drift off and no drive off of any thruster |

[Figure 6-1 diagrams. Left: unit with redundant systems A and B and redundant subsystem C (M A, M B; IO A, IO B). Right: unit with redundant systems A and B and single subsystem C (M; IO). Labels: unit boundary and acceptance criterion; subsystem C boundary and acceptance criterion.]


Figure 6-2 Redundant automatic DP control system.

At the DP control system boundary level the thrusters are connected to IO modules inside the DP control system as indicated below:

- IOA1 connected to T1
- IOA2 connected to T3
- IOB1 connected to T2
- IOB2 connected to T4

Redundancy design intention table by redundant and common component groups

| Redundant A groups | Common/connecting groups (X groups) | Redundant B groups |
| Thruster System A: T1, T3 | | Thruster System B: T2, T4 |
| Dependent on: | | Dependent on: |
| Power System A: Diesel generators A (DG1, DG2); Main switchboard A (SWB A) | SWB X | Power System B: Diesel generators B (DG3, DG4); Main switchboard B (SWB B) |
| Operator Station A: DPP A, DPD A, TRB A, OSC A | | Operator Station B: DPP B, DPD B, TRB B, OSC B |
| DP LAN A: DPSW A, Net A1, A2 and A3 | Net X1, X2, X3 and X4 | DP LAN B: DPSW B, Net B1, B2 |
| DP Controller A: DPC A, Bus A | | DP Controller B: DPC B, Bus B |
| IO System A: IO A1, IO A2; Serial A1, A2; HW A1, A2 | | IO System B: IO B1, IO B2; Serial B1; HW B1, B2 |
| Sensor System A: Gyro 1, Gyro 3; VRU 1, VRU 3; Wind 1, Wind 3 | | Sensor System B: Gyro 2; VRU 2; Wind 2 |
| Posref System A: DGPS 1, Laser | | Posref System B: DGPS 2 |
| Power Distr A: UPS A; Power A1, A2, A3, A4 | | Power Distr B: UPS B; Power B1, B2, B3 |

[Figure 6-2 label: Control system boundary]


The dependency statements, including the redundancy design intent for the thrusters, are therefore as given in the dependency table at the end of this guidance note.

The unit level redundancy requirements allocated down to the outside of the DP control system boundary may now be expressed as in the redundancy design intent table at the end of this guidance note.

The redundancy requirement to the DP control system will therefore be the input to the single failure analysis of the DP control system. The analysis of the DP control system may either be carried out as a part of the unit (vessel) FMEA or the FMEA may be delivered as a part of the subsystem delivery. In both cases, the unit FMEA shall handle the comparison between the analyses at the subsystem boundary. As an alternative to the logic expressions in this example, the allocation may be stated in a more narrative manner.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
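A worked check of the allocation above, as an added example that is not part of the recommended practice: the dependency statements of Guidance note 2 (IOA1 to T1, IOA2 to T3, IOB1 to T2, IOB2 to T4, with the A and B thruster groups fed from power systems A and B) are written as Boolean functions, every single failure of a named component is propagated through them, and the resulting loss of thrusters is checked against the allocated unit criterion ((T1 AND T3) OR (T2 AND T4)). The power-system functions PWR_A/PWR_B, the way generators and switchboards feed them, and the deliberately mis-wired variant MISWIRED are assumptions made for the example; the "no drive off" part of the criterion is a failure-mode property that an availability model of this kind cannot show.

```python
"""Single-failure propagation over a constructed dependency model of the
DP example in Guidance note 2 (added illustration, not part of DNV-RP-D102)."""

# Basic components whose single failures are enumerated (names from Figure 6-2).
BASIC = ["DG1", "DG2", "DG3", "DG4", "SWBA", "SWBB",
         "IOA1", "IOA2", "IOB1", "IOB2"]

# Derived components, each a Boolean dependency statement over the state dict.
# Insertion order matters: a function may only refer to entries defined above it.
# PWR_A / PWR_B are assumed names for "power system A/B available".
DEPENDENCIES = {
    "PWR_A": lambda s: s["SWBA"] and (s["DG1"] or s["DG2"]),
    "PWR_B": lambda s: s["SWBB"] and (s["DG3"] or s["DG4"]),
    "T1": lambda s: s["IOA1"] and s["PWR_A"],   # IOA1 connected to T1
    "T3": lambda s: s["IOA2"] and s["PWR_A"],   # IOA2 connected to T3
    "T2": lambda s: s["IOB1"] and s["PWR_B"],   # IOB1 connected to T2
    "T4": lambda s: s["IOB2"] and s["PWR_B"],   # IOB2 connected to T4
}
THRUSTERS = ("T1", "T2", "T3", "T4")


def propagate(failed, deps=DEPENDENCIES):
    """Availability of every component after the given set of initiating failures."""
    state = {c: c not in failed for c in BASIC}
    for comp, fn in deps.items():
        # a derived component is lost if its dependencies are lost or it fails itself
        state[comp] = fn(state) and comp not in failed
    return state


def unit_criterion(state):
    """Unit acceptance criterion after a single failure: (T1 AND T3) OR (T2 AND T4)."""
    return (state["T1"] and state["T3"]) or (state["T2"] and state["T4"])


def single_failure_analysis(deps=DEPENDENCIES):
    """One worksheet row per initiating failure: (component, thrusters lost, criterion met)."""
    rows = []
    for comp in BASIC + list(deps):
        state = propagate({comp}, deps)
        lost = [t for t in THRUSTERS if not state[t]]
        rows.append((comp, lost, unit_criterion(state)))
    return rows


def violating_single_failures(deps=DEPENDENCIES):
    """Initiating failures that propagate so far that the unit criterion is violated."""
    return [comp for comp, _lost, ok in single_failure_analysis(deps) if not ok]


# Constructed mis-allocation for comparison: T4 fed from power system A
# instead of B, so the A and B thruster groups are no longer independent.
MISWIRED = dict(DEPENDENCIES, T4=lambda s: s["IOB2"] and s["PWR_A"])

if __name__ == "__main__":
    for comp, lost, ok in single_failure_analysis():
        print(f"{comp:6} lost={','.join(lost) or '-':12} "
              f"criterion={'OK' if ok else 'VIOLATED'}")
    print("violations (as modelled):", violating_single_failures())
    print("violations (miswired):  ", violating_single_failures(MISWIRED))
```

Each printed row corresponds to one line of the worksheet in 5.4 (subsystem failed, effect on other subsystems, end effect at unit); the mis-wired variant shows the kind of cross-connection the analysis is meant to expose, where a single switchboard failure takes out three thrusters and the criterion no longer holds.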

Guidance note 3:
Example: Allocation of requirements to a single thruster system boundary. Example with 4 thrusters and 4 diesel generators for a DP-2 notation.

Figure 6-3 Example of vessel system with 4 thrusters and 4 diesel generators for a DP-2 notation.

A benign failure in thruster T1A (causing stop) will affect the positioning capability of the A thruster group. It must be assumed that the A group (T1A AND T3A) has reduced capacity. This is acceptable as long as the single benign failure is assumed not to affect the redundant group (T2B AND T4B). For that reason there will be no need to allocate a functional requirement of normal function of T1A in the case of a single benign failure mode, and then it will not be necessary to do a detailed analysis of the thruster inside the thruster boundary with regard to all other benign failure modes. However, there will be a functional requirement to T1A that it shall not fail to an uncontrolled thrust output possibly leading to drive off. This requirement must be allocated to the subsystem thruster FMEA. The requirement will serve as the starting point for the subsystem single failure analysis of T1A.

Dependency statements (Guidance note 2):

| (T1 AND T3) | dependent on | (IOA1 AND IOA2) |
| (T2 AND T4) | dependent on | (IOB1 AND IOB2) |

Redundancy design intent allocated to the outside of the DP control system boundary (Guidance note 2):

| Redundancy design intent | | Redundancy type/description |
| Normal operation before failure | (IOA1 AND IOA2) AND (IOB1 AND IOB2) | Active redundancy |
| Operation after single failure | ((IOA1 AND IOA2) OR (IOB1 AND IOB2)) AND (NO DRIVE OFF (IOA1 AND IOA2 AND IOB1 AND IOB2)) | One IO group to be running and no drive off of any thruster IO |

Redundancy design intention overview by redundant and common component groups

| Redundant A groups | Common groups (X groups) | Redundant B groups |
| Thrusters A: T1A AND T3A | | Thrusters B: T2B AND T4B |
| Thrusters A dependent on: | | Thrusters B dependent on: |
| Diesel generators A: DG1A OR DG2A | | Diesel generators B: DG3B OR DG4B |
| Main switchboard A: SWBA | Main bus tie switchboard: SWBX | Main switchboard B: SWBB |

[Figure 6-3 single-line diagram labels: generators (G) DG1A, DG2A, DG3B, DG4B; switchboards SWBA, SWBB; thruster motors (M) T1A, T3A, T2B, T4B]


This may be stated as:

Functional/redundancy requirement to subsystem T1A in the single failure analysis of T1A: No drive off T1A.

(Please note that the single failure analysis at unit level on the outside of the T1A thruster boundary still shall investigate if a failure in T1A may propagate to the B thruster group by e.g. propagation via connecting components such as Net X1, X2, X3 and X4 in Figure 6-2 in Guidance note 2 above.)

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

6.3 Comparison of subsystem design intention with subsystem FMEA acceptance criterion

6.3.1 The objective of section 6.3 is to provide explanatory examples of how the subsystem design intention shall be compared with the overall unit design intention in the unit FMEA in order to verify that intentions are consistent.

Guidance note 1:
Typical examples of subsystem FMEA's delivered by other parties than the unit FMEA supplier are control system manufacturers' FMEA's of their own deliverables into the project. A pre-requisite for performing the comparisons as described here is that the FMEA's of the subsystems are available and that they contain the necessary information elements as required by this standard.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
Example: Redundant DP controller subsystem.
Task: Compare requirements for a redundant subsystem FMEA for a DP control system with the unit redundancy design intent at DP control unit boundary level.

Figure 6-4 The automatic DP control system and the control system boundary are shown. The redundancy design intent for dual DP control systems is indicated. Connecting components (X) between redundant control components are also indicated.

The redundancy design intention at the DP system level:

| Operation before single failure | (T1A AND T3A) AND (T2B AND T4B) | Active redundancy |
| Operation after single failure | ((T1A AND T3A) OR (T2B AND T4B)) | |

meaning that the acceptance criterion for the thruster groups is assumed to be ((T1 and T3) OR (T2 and T4)) assuming a single failure.

[Figure 6-4 label: Control system boundary]


The DP control system redundancy design intention:

| Normal operation before failure | (IOA1 AND IOA2) AND (IOB1 AND IOB2) | |
| Operation after single failure | ((IOA1 AND IOA2) OR (IOB1 AND IOB2)) AND (NO DRIVE OFF (IOA1 AND IOA2 AND IOB1 AND IOB2)) | One IO group to be running and no drive off of any thruster IO |

meaning that the acceptance criterion for the DP control system is that no single failure shall lead to loss of more than one redundancy group.

Conclusion: This means that the DP control system acceptance criterion is compliant with the criterion at the thruster group level.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3:
Example based on another DP control system.

Figure 6-5 DP control system (example provided by Kongsberg Maritime)

[Figure 6-5 labels: Vessel; DP system; DP control system]


For a DP control system, the DP control system FMEA redundancy design intention may be defined at the system boundary and the I/O (RMP) modules connected to the thruster control systems.

Figure 6-6 Vessel boundary, DP system boundary, DP control system, and interfaces. The redundancy design intent for the control system shall be specified at the control system (subsystem) boundary.

The allocated unit requirement to the outside boundary of the DP control system can be expressed in e.g. a logic or Boolean style of design intention:

| Normal operation before single failure | RMPA AND RMPB AND RMPC AND RMPD | Active redundancy |
| Single failure operation | (RMPA AND RMPB) OR (RMPC AND RMPD) | |

The internal DP control system redundancy design intent (equipment inside the boundary):

| Normal operation before failure | RMPA AND RMPB AND RMPC AND RMPD |
| Single failure operation | 3 out of {RMPA, RMPB, RMPC, RMPD} are working, one RMP is failed |

Conclusion: The allocated unit requirement (upper table) will always be true, both for normal operation and for operation with failure, given that the lower set of requirements is true. The reason is that if 3 out of 4 RMPs are working, then one of the A or B groups will be able to position. This result also follows from the lower requirement (inside the DP control system boundary) being a stricter requirement than the redundancy design requirement at the DP system (outside) boundary.

[Figure 6-6 labels: U: Unit, Vessel; DP system; Part of DP control system; connecting components X1, X2, X3, X4, X5, X6; thruster groups T1A&T3A and T2B&T4B; RMPA, RMPB, RMPC, RMPD]


The above situation may be illustrated by the following enlarged part of the above figure:

Figure 6-7 The allocated redundancy requirements (single failure operation) to the DP control system are compared with the requirements (single failure operation) assumed by the DP control system manufacturer. The comparison shall be carried out in the unit FMEA. In this case it can be seen that the subsystem FMEA is consistent with the allocated requirements from the unit FMEA, as the requirements at the outside will always be true if the DP control system requirement is true.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
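The comparison carried out in Guidance notes 2 and 3 above can be made exhaustive, as an added example that is not part of the recommended practice: the subsystem criterion and the allocated requirement are written as Boolean functions over the working/failed state of the relevant modules, and every combination of states is checked for a case where the subsystem criterion holds but the allocated requirement does not. No such counterexample means the subsystem criterion implies the allocated one, which is exactly the consistency the unit FMEA has to establish. The function names and the weaker "2 out of 4" criterion used for contrast are assumptions made for the example.

```python
"""Exhaustive comparison of a subsystem single-failure criterion with the
requirement allocated at the subsystem boundary (added illustration,
not part of DNV-RP-D102)."""
from itertools import product

RMPS = ("RMPA", "RMPB", "RMPC", "RMPD")


def allocated_after_single_failure(s):
    """Requirement allocated outside the DP control system boundary (Guidance note 3)."""
    return (s["RMPA"] and s["RMPB"]) or (s["RMPC"] and s["RMPD"])


def manufacturer_after_single_failure(s):
    """Criterion assumed inside the boundary: 3 out of 4 RMPs working."""
    return sum(1 for name in RMPS if s[name]) >= 3


def counterexamples(premise, conclusion, names=RMPS):
    """States in which `premise` holds but `conclusion` does not.

    An empty list means `premise` implies `conclusion` for every combination
    of working/failed components, i.e. the subsystem criterion is at least as
    strict as the allocated requirement."""
    found = []
    for bits in product((True, False), repeat=len(names)):
        state = dict(zip(names, bits))
        if premise(state) and not conclusion(state):
            found.append(state)
    return found


def is_consistent(subsystem_criterion, allocated_requirement, names=RMPS):
    """True when the subsystem FMEA criterion guarantees the allocated requirement."""
    return not counterexamples(subsystem_criterion, allocated_requirement, names)


# Guidance note 2 case: IO modules map one-to-one onto thrusters
# (IOA1->T1, IOA2->T3, IOB1->T2, IOB2->T4); thrusters themselves assumed healthy.
IOS = ("IOA1", "IOA2", "IOB1", "IOB2")


def io_group_criterion(s):
    """DP control system criterion: one IO group running."""
    return (s["IOA1"] and s["IOA2"]) or (s["IOB1"] and s["IOB2"])


def thruster_group_criterion_via_io(s):
    """Thruster group criterion evaluated through the IO-to-thruster mapping."""
    t = {"T1": s["IOA1"], "T3": s["IOA2"], "T2": s["IOB1"], "T4": s["IOB2"]}
    return (t["T1"] and t["T3"]) or (t["T2"] and t["T4"])


def two_of_four(s):
    """Constructed weaker criterion for contrast: any 2 of 4 RMPs working."""
    return sum(1 for name in RMPS if s[name]) >= 2


if __name__ == "__main__":
    print("3-of-4 implies allocated:",
          is_consistent(manufacturer_after_single_failure, allocated_after_single_failure))
    print("allocated implies 3-of-4:",
          is_consistent(allocated_after_single_failure, manufacturer_after_single_failure))
    print("IO groups vs thruster groups:",
          is_consistent(io_group_criterion, thruster_group_criterion_via_io, IOS))
    for cex in counterexamples(two_of_four, allocated_after_single_failure):
        print("2-of-4 is too weak, e.g. working =", [n for n in RMPS if cex[n]])
```

The reverse check (allocated implies 3-of-4) is expected to fail: the allocated requirement is satisfied with only RMPA and RMPB working, which the manufacturer criterion does not accept, and that asymmetry is what the note means by the inner requirement being stricter. The "2 out of 4" contrast shows a subsystem criterion that the unit FMEA would have to reject, since RMPA and RMPC working leaves neither thruster group positioned.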

Guidance note 4:
Example: Single thruster subsystem. The unit FMEA must compare the requirements to a manufacturer FMEA for a single thruster controller with the allocated unit redundancy design intent at the thruster boundary level. The unit acceptance criterion for the thruster groups is assumed to be ((T1 and T3) OR (T2 and T4)) and in addition that no thruster shall give drive off.

The acceptance criterion for the thruster controller is that a single failure in the thruster control system shall neither cause significant increase in thrust output nor make the thruster rotate. Further, there is no requirement for redundancy inside the boundary since the redundancy design intent is specified at a higher level.

Conclusion: This means that the manufacturer subsystem FMEA criterion is compatible with the unit FMEA at the subsystem boundary level.

Figure 6-8 Thruster example provided by Brunvoll

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

[Figure 6-8 labels: Cooling, Lubrication, Ventilation, Aux; Sub-system FMEA boundary; Emergency stop with loop monitoring. FMEA acceptance criterion: Fail to safe, no drive off. Example from the rules, 6.7.4 A 303: "A single failure in the thruster control system shall neither cause significant increase in thrust output nor make the thruster rotate." Acceptance criterion may alternatively be tailor made for specific purposes.]


7. FMEA of Subsystems with Redundancy

7.1 General

7.1.1 An FMEA of a subsystem with redundancy (by e.g. a manufacturer) shall be based on the same principles and requirements as an FMEA of a unit with redundant systems. The main difference is the boundary level of the subsystem. Please refer to the requirements to the unit FMEA as described in the preceding sections.

Figure 7-1 Unit and subsystem boundaries

7.1.2 A failure mode and effect analysis (FMEA) of redundant subsystems shall as a minimum consist of the following parts:

- general information
- acceptance criteria at the subsystem boundary level
- the overall subsystem boundary to be subject for FMEA
- redundancy design intent(s), worst case failure intent, time requirements, and system operational modes
- all redundant components and single component groups included within the subsystem boundary. The relevant system names, main units, compartments (when applicable), and their main intended functions shall be presented in a structured manner, supported with a descriptive narrative text.
- all assumptions related to systems interfaces and dependencies of external systems
- single failure and common cause analysis at subsystem levels
- if applicable, description of the installation of redundant component groups in fire and flooding protected compartments. This also includes cables and communication lines, and associated equipment.
- a reference to a test program to support the conclusions shall be included or referred
- summary and conclusions
- a compliance statement referring to the sub-system boundary, operational modes, tests, and acceptance criterion including time requirements shall be stated.

Guidance note:

Figure 7-2 System boundaries for vessel, DP system and part of DP control system. The interfaces between the I/O modules (RMP) and thrusters are indicated. (Example and figure provided by KM).

[Figure 7-1 diagram: unit with redundant systems A and B and redundant subsystem C (M A, M B; IO A, IO B); unit boundary and acceptance criterion; subsystem C boundary and acceptance criterion. Figure 7-2 labels: Vessel; DP system; Part of DP control system]


Redundancy design intention at thruster RMP module level:

| Operation without failure | 4 out of {RMPA, RMPB, RMPC, RMPD} = RMPA AND RMPB AND RMPC AND RMPD |
| Operation with single failure | 3 out of {RMPA, RMPB, RMPC, RMPD} |

| A | B | C | X-components | Comments |
| PSU A from UPS A | PSU B from UPS B | | | Fire, flooding (DPC cabinet) |
| RCU A | RCU B | (RCU C) | X1, X2, X6 | |
| NET A | NET B | | X1 | Redundant Net for RCU, OS |
| RedNet | RedNet | (RedNet) | X3 | |
| RHUB A | RHUB B | | X5, X6 | |
| RMP A* | RMP B* | RMP C*, RMP D* | X6 | Dedicated RMP-module for each Thruster |
| RSER A* | RSER B* | RSER C* | X4, X6 | Dedicated RSER-module for each sensor group |
| cJoy DP OT (PSU A) | cJoy DP OT (PSU B) | (cJoy DP OT) | | |
| OS A (from UPS A) | OS B (from UPS B) | (OS C) | | |

The table shows the redundancy design intention for the RMP (A, B, C, D) modules and the A, B, C groups (Courtesy KM). The single failure mode propagation analysis can be based on the above table and diagrams.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---



8. FMEA of Single Sub-Systems

8.1 General

8.1.1 An FMEA of a single subsystem without redundancy (by e.g. a manufacturer) shall be based on the same principles and requirements as an FMEA of a unit with redundant systems.

Guidance note:
A manufacturer FMEA of a single subsystem without redundancy differs in some respects from the FMEA of a subsystem with redundancy. The main difference is that it is accepted that the function of the single subsystem is lost as a consequence of a single failure. A single sub-system will normally not have a redundancy design intent of the UAXB type as described in the preceding sections. The acceptance criterion will typically be that the effect of the single failure mode shall be "fail to safe".

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Figure 8-1 Illustration of a unit boundary with two redundant systems A and B. System C is assumed to be a single system and the manufacturer may deliver the FMEA for this subsystem.

8.1.2 A failure mode and effect analysis (FMEA) of a single subsystem shall as a minimum consist of the following parts:

- general information
- acceptance criteria at the subsystem boundary level
- the overall subsystem boundary to be subject for FMEA
- design intent(s) and system operational modes for the subsystem
- all component groups included within the subsystem boundary. The relevant system names, main units, compartments (when applicable), and their main intended functions shall be presented in a structured manner, supported with a descriptive narrative text.
- all assumptions related to systems interfaces and dependencies of external systems
- single failure and common cause analysis at subsystem levels
- if applicable, description of the installation of component groups in fire and flooding protected compartments. This also includes cables and communication lines, and associated equipment.
- a reference to a test program to support the conclusions shall be included or referred
- summary and conclusions
- a compliance statement referring to the sub-system boundary, operational modes, tests, and acceptance criterion including time requirements shall be stated.

[Figure 8-1 diagram: unit with redundant systems A and B and single subsystem C (M; IO); unit boundary and acceptance criterion; subsystem C boundary and acceptance criterion]


Guidance note:
Example of a boundary for FMEA of a single thruster (Courtesy Brunvoll):

Figure 8-2 Brunvoll thruster system

[Figure 8-2 labels: Cooling, Lubrication, Ventilation, Aux; Sub-system FMEA boundary; Emergency stop with loop monitoring. FMEA acceptance criterion: Fail to safe, no drive off. Example from the rules, 6.7.4 A 303: "A single failure in the thruster control system shall neither cause significant increase in thrust output nor make the thruster rotate." Acceptance criterion may alternatively be tailor made for specific purposes.]


Single failure analysis: Table 8-1 is an example of an FMEA work sheet for parts of the thruster sub-system. Please note that these example failure modes are not intended to be exhaustive for such a subsystem and that similar work sheets for the other parts of the thruster subsystem and other failure modes must be provided in a real FMEA.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Table 8-1 Part of thruster system worksheet

| Item Ref. Fig. | Item description | Failure mode | Failure cause | Expected failure local effect | Expected failure system effect | Expected detection of failure/Alarm | Compensating provision against failure | Reference to tests |
| 1 | Power supply Bridge system: -A5 | Loss of power | Loosening of cable termination | Loss of PLC unit Bridge. No thrust command active from bridge system. | Pitch to zero, no thrust produced. Thruster out of DP. No positioning effect. | Control system failure. | Independent power supply. No influence on other operating thrusters | |
| 2 | Loss of Power supply Thruster room: -A6 | Loss of power | Loosening of cable termination. | Loss of PLC unit Thruster room. No remote control or local control possible. | Auto stop of Drive motor, no thrust produced. Thruster out of DP. No positioning effect. | Control system failure. | Independent power supply. No influence on other operating thrusters | |
| 1 | Loss of PLC unit on Bridge -A5-A1 | PLC bridge stopped | PLC halted, no function active | Loss of PLC unit bridge. No communication to panels or thruster room. | No thrust command active from bridge system. Pitch to zero, no thrust produced. Thruster out of DP. | Control system failure. | Thruster can be operated by manual push buttons if needed. | |
| 2 | Loss of PLC unit in thruster room -A6-A1 | PLC thruster room stopped | PLC halted, no function active | Loss of PLC unit thruster room. | No remote control function possible. Auto stop of Drive motor. Thruster out of DP. No positioning effect. | Control system failure alarm. Auto stop. | No influence on other operating thrusters. | |
| 3 | Loss of Serial line between control cabinet bridge and thruster room. Profibus cable. | No communication between thruster room and bridge. | Wire break, loosening of cable termination. | No communication between PLC units. | No thrust command active from bridge system. Pitch to zero, no thrust produced. Thruster out of DP. | Control system failure. | Thruster can be operated by manual push buttons if needed. | |
| 4.5 | Loss of thrust command signal from active bridge panel. 4-20 mA | No signal from lever | Potentiometer fault or fault in control card in lever. Wire break, loosening of cable termination. | Loss of signal from control lever. | Pitch set point to zero. | Loop failure / thrust command failure. | Change to other control panel or control by manual push buttons. | |
| 4.5 | Loss of thrust command signal from bridge panel not in command | No signal from actual lever | Potentiometer fault or fault in control card in lever. Wire break, loosening of cable termination. | Loss of signal from control lever | No influence on command from active panel | Loop failure from actual lever. | | |
| 5 | Fault in thrust indicator | Failure in indicator or loss of signal. | | Incorrect thrust indication on actual panel | No effect on system | Fault indication on component | Thrust indication to be read on other panel. | |

Comments:


9. Redundant Systems with Physical (Fire and Flooding) Separation

9.1 Separation design intent

9.1.1 For FMEA's of redundant systems with requirements to physical separation (typically to prevent failure propagation due to fire and flooding events), the separation design intent of the redundant systems in separated zones shall be described at a high level by means of layout drawings, equipment lists, figures, tables, and supported by a descriptive narrative text. The separation intent shall specify how all redundant component groups are located in separated zones with fire and flooding protection. All zones shall be identified by unique identifications in addition to the identification of the component groups located within the zones.

Figure 9-1 The separation design intent for redundant systems requires specifications of the redundant component group A within the A zone (compartment). Specifications of the redundant component group B within the B compartment/zone shall also be stated.

Guidance note 1:
The requirement for specification and identification includes all zones, spaces, and cable trays where the equipment is installed. Equipment is understood as all components, including piping and cabling which may influence the redundancy design intent and acceptance criteria.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:

Figure 9-2 Separation design intent diagram with separated zones and redundant component groups. The following abbreviations are used in the figure above and the table below.

Separation design intent table with separated zones and redundant component groups:

| Zone | Component groups | Component groups | Zone |
| Zone A tank top | T1, Tk1, DG1, DG2, SWBA, T3 | T2, Tk2, DG3, DG4, SWBB, T4 | Zone B tank top |
| Zone A tween | A6, A7 | B6, B7 | Zone B tween |
| Zone A main | A8 | B8 | Zone B main |
| Zone A bridge | DPA | DPC | Zone B bridge |
| … | … | … | … |

T: Thruster; Tk: Fuel tank; DG: Diesel generator; SWB: Main switch board; DP: Dynamic positioning controller

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

[Figure 9-1 labels: Unit U; Compartment A fire/flooding, Redundant component group A; Compartment B fire/flooding, Redundant component group B. Figure 9-2 labels: Zone A, Zone B; Tank top, Tween deck, Main deck, Bridge deck; Redundant component groups]


Guidance note 3:
The table in Guidance note 2 may be inconvenient when there are more than two zones and cross sectional dependencies. The table below is an example of a separation design intent table for a system with 3 separated zones and 3 redundant component groups:

| Zone | Room | Component groups | Effect of failure | Comments |
| 1 | Engine room 1 | Tk1, DG1, DG2, … | | |
| 1 | Switch board room 1 | SWBA, SWBB, … | | |
| … | … | … | | |
| 2 | Engine room 2 | Tk2, DG3, DG4, … | | |
| 2 | Switch board room 2 | SWBC, … | | |
| … | … | … | | |
| 3 | … | … | | |
| 3 | … | … | | |
| … | … | … | | |

T: Thruster; Tk: Fuel tank; DG: Diesel generator; SWB: Main switch board; DP: Dynamic positioning controller

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.1.2 The separation acceptance criterion shall be stated. Any possible time requirements shall also be stated.

Guidance note:
The separation acceptance criterion for e.g. IMO DP3 is that the applicable zones should be separated by A60 rated materials and the zones constructed should be watertight under the waterline. In case of a fire or flooding event all components in the component groups in the zone should be considered as failed. Reference is also made to annex D3 where failure modes for separated electrical power systems operating in parallel and separated power systems simultaneously supplying equipment placed in non-separated areas are discussed.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.2 Separation analysis

9.2.1 The separation analysis shall clarify the installation of redundant equipment into the physically separated zones according to the separation design intent and the acceptance criteria. The method of separating the different zones shall be described.

Guidance note:
The requirement for the analysis includes all zones and spaces where equipment is installed. Equipment is understood as all components, including piping and cabling which may influence the redundancy design intent and acceptance criteria.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.2.2 The separation analysis shall result in a statement that confirms that no fire or flooding event in any of the separated compartments shall be able to influence the operation of both (or all) the separated systems and subsystems in such a manner that the acceptance criteria are violated within the stated time requirement.
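The separation analysis of 9.2 can be run mechanically over a separation design intent table, as an added example that is not part of the recommended practice: the two-zone table from Guidance note 2 of 9.1 is transcribed as zone to component sets, every component in a zone is treated as failed when that zone is lost to fire or flooding (the acceptance criterion of 9.1.2), and each zone is checked for touching more than one redundant component group, which is the situation 9.2.2 requires the statement to exclude. The membership of groups A and B, the function names, and the deliberately misplaced variant MISPLACED are assumptions made for the example; the time requirement is not modelled.

```python
"""Separation (fire/flooding) analysis over a separation design intent table
(added illustration, not part of DNV-RP-D102)."""

# Separation design intent table from Guidance note 2 of 9.1 (two zones),
# transcribed as zone -> components located in that zone.
SEPARATION_TABLE = {
    "Zone A tank top": {"T1", "Tk1", "DG1", "DG2", "SWBA", "T3"},
    "Zone B tank top": {"T2", "Tk2", "DG3", "DG4", "SWBB", "T4"},
    "Zone A tween":    {"A6", "A7"},
    "Zone B tween":    {"B6", "B7"},
    "Zone A main":     {"A8"},
    "Zone B main":     {"B8"},
    "Zone A bridge":   {"DPA"},
    "Zone B bridge":   {"DPC"},
}

# Redundant component groups A and B; membership assumed from the table.
REDUNDANT_GROUPS = {
    "A": {"T1", "Tk1", "DG1", "DG2", "SWBA", "T3", "A6", "A7", "A8", "DPA"},
    "B": {"T2", "Tk2", "DG3", "DG4", "SWBB", "T4", "B6", "B7", "B8", "DPC"},
}


def groups_affected(zone_components, groups):
    """Redundant groups that lose at least one component if the zone is lost."""
    return {g for g, members in groups.items() if zone_components & members}


def separation_violations(table, groups):
    """Zones whose loss to fire or flooding would affect more than one redundant
    group, i.e. zones for which the 9.2.2 statement cannot be made. Every
    component in the zone is treated as failed, per the acceptance criterion."""
    return {zone: groups_affected(comps, groups)
            for zone, comps in table.items()
            if len(groups_affected(comps, groups)) > 1}


def unassigned_components(table, groups):
    """Components in the table that belong to no redundant group; the separation
    intent is incomplete until these are assigned or shown to be non-critical."""
    assigned = set().union(*groups.values())
    return {c for comps in table.values() for c in comps} - assigned


def unplaced_components(table, groups):
    """Group members that appear in no zone; 9.1.1 requires every redundant
    component to be located in an identified zone."""
    placed = {c for comps in table.values() for c in comps}
    return set().union(*groups.values()) - placed


# Constructed defect for contrast: DG2 installed in the B tank top zone,
# so a fire there takes out a generator of group A as well as all of group B.
MISPLACED = {**SEPARATION_TABLE,
             "Zone A tank top": SEPARATION_TABLE["Zone A tank top"] - {"DG2"},
             "Zone B tank top": SEPARATION_TABLE["Zone B tank top"] | {"DG2"}}

if __name__ == "__main__":
    print("violations (as tabulated):", separation_violations(SEPARATION_TABLE, REDUNDANT_GROUPS))
    print("violations (DG2 misplaced):", separation_violations(MISPLACED, REDUNDANT_GROUPS))
    print("unassigned:", unassigned_components(SEPARATION_TABLE, REDUNDANT_GROUPS))
    print("unplaced:  ", unplaced_components(SEPARATION_TABLE, REDUNDANT_GROUPS))
```

The two completeness checks matter as much as the violation check: a cable tray or piping run that carries both groups through one space (Guidance note 1 of 9.1) only shows up if it is listed as a component in some zone, so an empty "unplaced" set is a precondition for trusting an empty violation set.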


10. Inspections and Tests

10.1 General

10.1.1 A test plan for verification of conclusions in the FMEA shall be prepared and submitted to the certification body. The test plan shall support verification of the following:

- redundancy design intention
- worst case redundancy design intention
- single failure tolerance within the given time requirement and acceptance criteria
- barriers and other compensating measures, including sufficient independencies between these
- if relevant, separation requirements.

Guidance note:
Verification of pre-requisites for the FMEA may be carried out at the dock. It may be beneficial to first carry out a "Test plan for system verification before main test", e.g. at the dock before the sea-trial. This could be related to parameterisation of protective functions, software versions installed, inspection and verification of design assumptions of fire and flooding protected compartments, etc.

Typically a large part of the testing will be related to the redundancy verification, where redundant groups should be tested by running both the A and B component groups in parallel and introducing a failure to one group in order to verify the required redundancy. Examples of such tests are blackout tests of AC and DC systems. Failure of equipment which has not been without power during the blackout tests (typically process stations with dual power supply, or battery backup) must be tested separately.

When physical separation is required, simultaneous failure of all components within relevant boundaries (e.g. to simulate the effect of fire or flooding) will be a relevant test strategy.

In the case that redundancy is dependent on switchover mechanisms, e.g. standby start, change over or restart, such functions must be tested (e.g. loss of one computer or network in a redundant control system).

Single failure or common cause related testing: the tests should simulate the failure modes identified in the single failure analysis in order to verify:
- that a failure will not propagate so that the acceptance criteria or redundancy design intention are violated
- failure response outside the acceptance criteria (e.g. thruster failure leading to drive off on a DP vessel).

In general tests should be carried out "end to end" from initiator to final element/output.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

10.1.2 The test program shall have an introduction which as a minimum shall include the following:

- reference to the specific FMEA document (title, version and date)
- specification of (or reference to) all specified system operational modes and technical system configurations that shall be verified by testing (ref 1.1.3).

10.1.3 Each test shall as a minimum contain:

- test identification (e.g. test number)
- reference to the specific part in the FMEA to be verified (e.g. redundancy design intent, worksheets, ...)
- test intention
- test prerequisites and test setup specific for this test
- test method and actions to be performed
- expected results and acceptance criteria including time requirements if relevant
- space for actual observation, test results, and conclusions.

Guidance note:
In order to facilitate the practical testing, the description of the test method should include detailed locations where the physical and practical actions should be carried out. The location should be detailed down to the space, cabinet, switch, fuse, termination board or wire, as relevant.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

10.1.4 For systems and subsystems where separation is required, a set of inspections, tests and verification activities shall be prepared and referenced. These inspections, tests, and verifications shall support the conclusions of the separation analysis.

10.1.5 All systems subject to testing, and systems that may influence the test results, shall be completed and commissioned ready for final testing before the FMEA tests can start.

10.1.6 Before the actual testing commences, a planning meeting between the involved parties shall be arranged. The objective is to organise the test execution.


10.1.7 After each test, the actual observations and results shall be recorded. After the test session, the records shall be reviewed in a meeting where the involved parties are present. The meeting shall conclude on findings, conclusions and responsibilities for further actions.


11. FMEA Report and Compliance Statement

11.1 General

11.1.1 The FMEA and the test report shall be updated according to observations and test results from the actual testing.

11.1.2 The updated FMEA and the test records shall, together with the findings, conclusions and test summary, be compiled into an FMEA report.

Guidance note:
The conclusion and test summary should include the worst case failure mode(s) and examples of related failure causes, in order to identify which parts of the system have the highest impact on the capacity. The remaining capacity after such failures should be stated. For the redundant system to be approved, these conclusions must comply with the overall design intent and the given acceptance criteria.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

11.1.3 A compliance statement referring to the overall unit (U), operational modes, test conclusion, and acceptance criterion including time requirements shall be stated in the FMEA report.


APPENDIX A IMCA REFERENCES

The International Marine Contractors Association (IMCA) has a wide range of publications available for members and non-members. Several of these documents give a basic introduction to FMEA of marine systems. Examples of such documents are:

- Methods of Establishing the Safety and reliability of Dynamic Positioning systems, information note IMCA M 04/04

- IMCA M 166 Guidance on failure modes and effect analysis (FMEAs)

These and other documents also include information and examples on relevant systems and their failure modes.


APPENDIX B DNV REFERENCES

Below are given some DNV rule references related to typical notations which require FMEA or may otherwise give requirements to relevant failure modes to be considered for different systems and notations.

RULES FOR CLASSIFICATION OF SHIPS
Pt.6 Ch.2 Redundant Propulsion
Pt.6 Ch.7 Dynamic Positioning Systems
Pt.6 Ch.19 Alternative Propulsion
Pt.6 Ch.22 Enhanced System Verification (ESV)

Please refer to section 2, D106 to see typical failure modes for programmable control systems:

"106 The HIL test-package shall contain test cases related to the normal, degraded and abnormal operation of the target and simulated systems. Normally single and common failure modes and common components should be extensively analysed and tested. Multiple failures should be tested if found relevant.

Guidance note:
Operation in all normal modes and transfer between operational modes and the corresponding functional requirements should be the basis for establishing the HIL test scope. In addition, failure testing is also to be included in the test scope. General types of failures to be simulated could be, but not limited to:
- sensors or input devices failure modes (dropout, noise, calibration errors, drift, bias, signal freeze, wild point, ...)
- failure mode of actuators, drives, power system components or other electro-mechanical components
- feedback from sensors on actuator failure modes
- failure modes in computer networks
- failure modes related to overload of networks
- failures affecting weighting and voting mechanisms
- failures affecting protective safety functions
- failures affecting alarms, monitoring, and analysis functions
- failures causing and/or otherwise affecting switch-over in redundant systems
- common mode failures affecting several components and/or signals
- emergency handling (special emergency functions required during emergency handling could be tested)
- reconstruction of relevant reported failures/incidents related to the system and/or operations."

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Please note that the above listed failure modes are relevant also for general FMEAs (not only HIL testing).

Pt.6 Ch.26 Dynamic Positioning System - Enhanced Reliability Dynpos-er


APPENDIX C TYPICAL TABLE OF CONTENTS FOR A MINIMUM DP FMEA

The overall requirements to the contents of an FMEA are given in section A. The simplified example given below of a table of contents for a DP FMEA shows typical systems to be analysed in the FMEA:

- introduction (general vessel information and acceptance criteria)
- system description and boundaries
- redundancy design intent and worst case failure intent
- vessel operational modes and technical system configurations for DP operations
- power systems
  - high voltage systems
  - low voltage distributions
  - emergency power
  - battery and UPS systems and distributions.
- machinery system
  - diesel engines / diesel generator sets
  - fuel oil system
  - lubrication oil system
  - seawater / freshwater cooling system
  - compressed air system
  - engine room ventilation.
- thruster system
  - thruster control system
  - thruster hydraulic system
  - thruster cooling system
  - control mode selection
  - power supplies to control and auxiliary pumps.
- IAS / power management / engine control system
  - integrated automation system
  - power management system
  - generator voltage control system
  - diesel engine governor control.
- emergency stop / shutdowns
- other relevant systems
  - fire fighting system
  - ventilation system
  - shut down system (ESD)
  - cooling system in computer rooms
  - etc.
- conclusions / findings / recommendations if applicable
- test program
  - in principle, all statements and conclusions of the FMEA are to be verified by testing (as far as possible). It is accepted that several conclusions are verified by one test, e.g. by a partial blackout.
  - in general, the following main groups of tests will be required (each group typically contains several tests):
    - partial black-out on the main and distribution switchboards (AC)
    - loss of distribution board or equipment with dual power supply
    - loss of (black-out) each battery and UPS distribution
    - fail to safe response on single failures (e.g. thruster control systems)
    - simulation of failures requiring manual or automatic intervention
    - dependent on the actual design, other tests might be required.


APPENDIX D FAILURE MODES IN ELECTRICAL POWER SYSTEMS OPERATING WITH CLOSED BUS TIE(S)

D.1 Introduction

There are certain single failures that in case of open tie breakers will only affect one of the systems (A or B), but that in case of closed tie breakers might jeopardize both the A and B systems. Such failures need not be analysed in depth for open tie breaker operation, since it is then accepted that one of the systems A or B fails.

In the situation where the electrical power systems belonging to different redundancy groups are electrically connected and arranged by bus-tie breakers to separate automatically upon failures (closed bus-tie), a failure in one system (A) may propagate via the closed bus-tie (X-group) to the redundant systems (e.g. B). In this situation a large number of additional failure modes may violate the overall redundancy design intent. The FMEA must consider the additional failure modes relevant for the given design in relation to the applicable requirements. Section A4 describes requirements and examples typical for DP systems. However, the nature of such failure modes is similar for all marine electrical power systems running in parallel. The relevant failure modes for an FMEA for a given system are typically influenced by the required rules or applicable standards.

The FMEA has to verify that the control and protection systems are able to automatically bring the system into a safe state whenever a single failure occurs that might lead to a worse failure than the defined worst case acceptable failure in the design intent (usually loss of either the A or B system).

D.2 Typical failure modes for a closed bus tie for a DP 2 FMEA analysis

The IMO MSC/Circ.645 Guidelines for vessels with dynamic positioning systems states in item 3.2.3 (which also is a guidance note in the DNV DP rules):

"For equipment class 2, the power system should be divisible into two or more systems such that in the event of failure of one system at least one other system will remain in operation. The power system may be run as one system during operation, but should be arranged by bus-tie breakers to separate automatically upon failures which could be transferred from one system to another, including overloading and short-circuits."

Based on this IMO guideline the industry trend is to design and operate an increased number of DP class 2 notation vessels with closed bus-tie. Through experience from closed bus tie testing and operation over the last years, more and more failure modes are being considered relevant for DP class 2 notations.

The typical standard minimum set of functions, failure modes and tests to be considered for DP class notations should include:

- Protection philosophy to support the redundancy design intent (short circuit and other selectivity calculations must be approved, in particular those related to operation of the bus tie).
- Frequency and active power control (governor failure, high/low frequency and active power imbalance).
- Voltage and reactive power control (AVR failure, high/low voltage and reactive power imbalance).
- Power management (e.g. load sharing, malfunction).
- Power system transients and distortion (e.g. power dips, voltage dip ride through capabilities, harmonics, unbalanced currents).
- Other relevant tests must also be included in the DP FMEA test program in order to verify that the system has the expected robustness and transitional ride through capabilities.

As the industry and rules are evolving, it is considered natural that the list of relevant failure modes for DP class 2 notations will be expanded, in order to provide more comprehensive integrity against failure propagation across the closed bus-tie. Please note that the list provided for DP class 3 notations in D.3 below gives more details on the failure modes listed for DP class 2 notations, in addition to many more failure modes relevant for closed bus tie systems.

D.3 Typical failure modes for a closed bus tie for a DP 3 FMEA analysis

The traditional interpretation of the DP-3 requirements has been that in order to achieve the intended integrity, the power systems must be run as separated systems with open bus-tie breakers. However, there are a number of benefits (technical, environmental, economic and operational) with operation with closed bus-ties. Due to these benefits some operators run the DP-3 systems with closed bus-ties for as large periods of the operations as possible.

The IMO MSC/Circ.645 Guidelines for vessels with dynamic positioning systems states in item 3.2.4 (which also is a guidance note in the DNV DP rules):

"For equipment class 3, the power system should be divisible into two or more systems such that in the event of failure of one system, at least one other system will remain in operation. The divided power system should be located in different spaces separated by A-60 class division. Where the power systems are located below the operational waterline, the separation should also be watertight. Bus-tie breakers should be open during class 3 operations unless equivalent integrity of power operation can be accepted according to 3.1.3".


The challenge is to ensure the above equivalent safety level of the rules and at the same time enable closed bus-tie operations to achieve the desired benefits. The following issues should at least be adequately addressed in the DP FMEA for analysis of DP3 with closed tie-breakers or automatic change over of supply between systems:

1) Active and reactive load sharing:
- Active power load sharing failure (e.g. caused by governor failure, insufficient, excess or unstable active power, fuel rack failure, active power or frequency sensor failures, signal failures, load-sharing line failures)
- Reactive power load sharing failure (e.g. caused by AVR failure, insufficient, excess or unstable reactive power, reactive power sensor failures, voltage sensor failures, signal failures)
- Detection methods and actions to bring the system to a safe state, with conditions and time responses

2) Consequences of voltage transients:
- Reference to analysis of worst case voltage dip (depth and duration) on the healthy bus after short-circuit on the other bus (in closed tie-breaker operation)
- Document adequate voltage dip "ride-through" capability of necessary systems to remain in position: thruster drives, computer systems, networks, contactors, pumps, ventilation, and other auxiliaries.

3) Risk for simultaneous trip or load reduction of all thrusters:
- Are there built-in protections in thruster variable speed drives that cause trip or load reduction? If yes, how is it ensured that not all thrust is lost at the same time by the same trigger? Examples of such protection can be high/low voltage and/or frequency.
- Are there situations where all thrusters will reduce their power simultaneously to such a level that position cannot be maintained? E.g. built-in load reduction functionality in drives that may reduce power to zero if one diesel engine fails to full speed.

4) Ensure that no hidden failure renders it impossible to open the tie-breaker from the PMS or other protection devices:
- Does the PMS have direct HW open command signals to both tie-breakers?
- Redundant open command signals?
- Fail safe system that trips the breaker on wire break on the open command signal?
- Is it sufficiently ensured that the tie-breaker is not in local mode during DP3 operation? (e.g. clear indication of local/remote status on the PMS GUI)
- Include a check of tie breaker operability in procedures for DYNPOS-AUTRO/DPS3 operation?

5) Fault tolerance in the PMS system:
- How is it ensured that a single feedback failure to the PMS does not cause the PMS to carry out an action that results in loss of position?
- Can for instance a single failure on a feedback signal to the PMS cause:
  - PMS to connect a generator (or bus-tie) without synchronization?
  - Full load reduction to be forced on all running thrusters simultaneously?
  - PMS to decrease generator frequencies to a level that causes risk of automatic load reduction of drives / tripping of drives?
  - PMS to increase frequency to a level that causes systems to trip?
  - PMS to jump to manual mode?
- Can a single PMS operator failure cause blackout?
- Can one single PMS unit trip all generator breakers?
- Failure to start and connect
- Crash synchronization on connect
- Connection of a stopped generator

6) Documentation and verification of protection settings:
- Is there protection functionality in the PMS that can trip generator breakers and thus needs to be included in the discrimination analysis?
- Require tables with settings of all protection equipment, both in relays on breakers and in the PMS.
- As part of the FMEA: verify by onboard inspection all protection settings on breakers, not only short circuit. Special focus on the tie-breaker.

7) Short circuit selectivity between bus-tie and generator breakers:
- Selectivity documented also for the highest maximum short circuit current?
- Zero delay in bus-tie short circuit protection?

8) Mode monitoring in the PMS / IAS system:
- Warning/alarm if the power system setup is in conflict with the defined prerequisite for DYNPOS-AUTRO/DPS3 operation.

9) Loop monitoring (or similar) on feedback to e.g. the PMS

10) Bus-tie breaker shunt-trip, can this be used? It needs to be possible to open the breaker in case of a voltage dip


11) Failures causing high harmonic distortion in the system, where the new situation causes other components to fail. E.g. filter failure giving high 11th and 13th harmonics causing resonance in internal filters in VFDs to auxiliaries, again causing these to fail so that the auxiliary function is lost for e.g. all thrusters.

12) Negative sequence.

13) Loss of synchronization:
- Maintenance of synchronization after voltage dip, e.g. related to short circuit.
- Loss of synchronization, pole slipping (including severe mechanical failure)

14) Earth faults, generally.

15) System parameters outside normal operational ranges/boundaries applicable to voltage and frequency.

16) System imbalance:
- Severe line or phase voltage imbalance (short circuit or similar condition)
- Severe line current imbalance

17) A system should be implemented to ensure that the set points of all kinds of trip functions in the electrical system are based on data that are verified/tested. Assumed data should not be accepted. All trip functions should be included in a maintained list. There should be a systematic periodic check of all set points.

18) The discrimination analysis is to be reviewed with careful attention to whether all functions and settings are properly justified.

19) Other design related issues which are identified during the design review or testing.

20) As many of these design elements as possible shall be verified by FMEA testing.

As the industry and rules are evolving and experience is collected, it is considered natural that this list of relevant failure modes will be expanded.

When the system is intended to be operated with closed bus tie(s) between redundant power systems, the above requirements to analyses must be supported with extensive verification by FMEA testing. Especially in the situation where the intention is to justify the "equivalent integrity of power operations" as required by IMO MSC/Circ. 645, the extent of necessary FMEA testing may include tests that traditionally have been considered to be potentially destructive (e.g. short circuits and earth failures on the electrical system).

Although an equivalent safety level is considered to be achieved by documented analysis and testing, it should be understood that there will always be a residual probability for failure propagation. For operations (e.g. diving) where loss of position may result in unacceptable consequences, risk considerations should be performed in order to evaluate the system operational modes, including open or closed bus-ties. This principle is valid for both DP-2 and DP-3 systems.

The intended equivalent safety level may be achieved by other measures than those discussed in this section. In general such equivalent measures will be accepted.

D.4 Separated power systems simultaneously supplying equipment placed in a non-separated area

Separated power systems simultaneously supplying equipment placed in a non-separated area may impose a risk of both power systems being affected by the same fire or flooding incident. Depending on the system, the following typical descriptions and analyses are required by the FMEA:

- Location of equipment and cable routing belonging to different systems. This drawing should also indicate any possible separations, watertight and passive fire protection. This also includes any slip ring assembly. Equipment being supplied from different redundancy groups should be installed to provide the best possible protection against failure propagation, and installed in separate cabinets.

- Discrimination analysis: Generator Circuit Breakers (CB), Main Switch Board (MSB) equipment feeder CB, equipment MSB incoming CB (if applicable), equipment MSB feeders, and CBs further downstream until end consumers. This is applicable for all relevant power systems. This must be presented as graphs in a common diagram and preferably supported by the CB maker's discrimination tables. Earth fault discrimination shall also be included (if applicable). Installation of current limiting breakers should be considered.

- Short circuit analysis: Maximum and minimum short circuit levels shall be documented for all distributions (single and three phase fault), taking generator decrement curves into consideration.

- Under voltage: As a consequence of a worst case failure scenario both power systems may experience a short circuit within a short time period. The consequence of a short circuit will be under voltage in the systems, which may affect connected equipment. Analysis of the transient voltage dip and duration must be documented. This must include an evaluation and conclusion on the effect on other equipment and systems, bearing in mind the sensitivity of power electronics, contactors, computer systems, etc.

- Parameterisation of protective devices/functions.


- Fire/flooding monitoring (extended systems may be used to increase the possibility to set the system in a safe mode upon such an incident).

- Operational philosophy (power system, crane/diving/DP operations, etc.).

- Load balance considerations.

Such analysis should be focused on the highest voltage levels in the AC power generation plants and on battery and UPS distribution systems.

D.5 Additional discussion and examples

A.4.4 includes some further discussion and examples of some of the topics stated in A.4.3. Please note that for a given FMEA, all relevant topics must be addressed.

A general recommendation is that upon detection of an abnormal condition, action to bring the system into split mode shall be automatically executed. Abnormal situations may include:

- Load sharing failure active power.
- Load sharing failure reactive power.
- High/Low bus voltage.
- High/Low frequency.
- Communication failure in PMS or load sharing system.
- Thruster load reduction activated.
- PMS failure or PMS change to manual mode.
- Feedback failure on bus-tie status signals.

Some of the most common failure modes that need to be addressed are outlined in the following subsections. Note that other failure modes might also be critical (depending on the type of equipment, configuration and control systems installed).

D.5.1 Tie breaker short circuit protection

All generator breakers are equipped with short circuit protection trip functionality such that they will open in case of short circuit on the bus.

In closed tie-breaker operation it will be crucial that the tie breaker(s) opens before the generator breakers. A full blackout (A and B side) will be the result if the tie breaker fails to open before the generator breakers, since the short circuit current will flow through all generator breakers and thus they will all trip.

The FMEA has to verify that the breakers are installed and parameterized such that it is ensured that the tie breakers open first. It also has to be verified that the tie breaker is able to break the worst case short circuit current.

For the tie-breaker, maximum upstream selectivity has higher priority than the downstream selectivity. For safest operation the tie breaker should be considered to open as fast as possible (configured with zero delay), although this might be in conflict with downstream selectivity.

For DP3 it is required to have a tie breaker at both sides of the fire and flooding division. The division has little or no value unless the tie breaker on both sides of the division is equipped with short circuit protection. This has to be verified as part of the FMEA.

The FMEA has to address maker documentation regarding breaking capacity and selectivity/discrimination. The FMEA needs to verify that the required discrimination is implemented in the system.
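The three verifications above (breaking capacity against the worst case current, the maker's discrimination margins, and the tie breaker opening before the generator breakers) can be checked mechanically against a settings table. The following is an added example, not part of the RP and not a breaker maker's tool; it uses the settings, worst case currents and maker margins (>2 kA, >200 ms) from the worked example later in this subsection, and the `ShortCircuitProtection` model is an assumption of the example.

```python
"""Tie breaker short circuit discrimination check (added example, not from the RP)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ShortCircuitProtection:
    """One breaker's short circuit function: it trips when the fault current
    exceeds trip_ka and stays there for longer than delay_ms."""
    name: str
    breaking_capacity_ka: float
    trip_ka: float
    delay_ms: float

    def trip_time_ms(self, fault_ka: float) -> Optional[float]:
        """Time at which this breaker opens for a sustained fault of fault_ka,
        or None if the fault current never reaches its pickup."""
        return self.delay_ms if fault_ka > self.trip_ka else None


def tie_opens_first(tie: ShortCircuitProtection,
                    generators: List[ShortCircuitProtection],
                    fault_ka: float) -> bool:
    """The tie must open strictly before any generator breaker that sees the
    same fault; otherwise every generator breaker trips (full blackout)."""
    t_tie = tie.trip_time_ms(fault_ka)
    if t_tie is None:
        return False
    for g in generators:
        t_gen = g.trip_time_ms(fault_ka)
        if t_gen is not None and t_gen <= t_tie:
            return False
    return True


def maker_margins_ok(tie: ShortCircuitProtection,
                     generators: List[ShortCircuitProtection],
                     min_delta_ka: float = 2.0, min_delta_ms: float = 200.0) -> bool:
    """The maker's condition for assured discrimination: generator pickup and
    delay both exceed the tie's settings by the stated margins."""
    return all(g.trip_ka - tie.trip_ka > min_delta_ka
               and g.delay_ms - tie.delay_ms > min_delta_ms for g in generators)


def check_short_circuit_protection(tie: ShortCircuitProtection,
                                   generators: List[ShortCircuitProtection],
                                   worst_case_ka: Dict[str, float]) -> Dict[str, bool]:
    """Evaluate every D.5.1 check; any False is an FMEA finding."""
    gen_worst = worst_case_ka["generator_breakers"]
    tie_worst = worst_case_ka["tie_breaker"]
    return {
        "tie_breaking_capacity_ok": tie.breaking_capacity_ka >= tie_worst,
        "generator_breaking_capacity_ok": all(g.breaking_capacity_ka >= gen_worst for g in generators),
        "maker_margins_ok": maker_margins_ok(tie, generators),
        # the worst case fault through the tie is seen by the generator breakers too
        "tie_opens_first_at_worst_case": tie_opens_first(tie, generators, tie_worst),
        # a fault just above the tie pickup must not take the generators with it either
        "tie_opens_first_at_low_fault": tie_opens_first(tie, generators, tie.trip_ka + 0.1),
    }


# Settings and worst case currents as given in the RP's worked example in D.5.1
BT1_MASTER = ShortCircuitProtection("BT1 (Master)", breaking_capacity_ka=65, trip_ka=8, delay_ms=80)
BT1_SLAVE = ShortCircuitProtection("BT1 (Slave)", breaking_capacity_ka=65, trip_ka=8, delay_ms=80)
GENERATOR_BREAKERS = [
    ShortCircuitProtection("Generator breakers", breaking_capacity_ka=65, trip_ka=12, delay_ms=500),
]
WORST_CASE_KA = {"generator_breakers": 35.0, "tie_breaker": 55.0}

if __name__ == "__main__":
    for tie in (BT1_MASTER, BT1_SLAVE):
        for check, ok in check_short_circuit_protection(tie, GENERATOR_BREAKERS, WORST_CASE_KA).items():
            print(f"{tie.name}: {check}: {'OK' if ok else 'FINDING'}")
```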

*** Example of how tie breaker short circuit protection can be addressed in the FMEA:

The worst case short circuit currents on the Vessel switchboards are in the short circuit analysis shown to be:

Generator breakers: 35 kA
Tie-breaker: 55 kA

The table below shows the breaking capacity and trip setting for the generator and tie breakers.

Breaker              Breaking capacity (kA)   Short circuit trip setting   Delay setting
BT1 (Master)         65 kA                    8 kA                         80 ms
BT1 (Slave)          65 kA                    8 kA                         80 ms
Generator breakers   65 kA                    12 kA                        500 ms

Generator breaker maker and type   Tie breaker maker and type   Documentation of selectivity / discrimination
Siemens 3WL 3000 A                 Siemens 3WL 3000 A           According to maker documentation (ref. ...) discrimination is assured up to 65 kA provided the trip current setting difference is >2 kA and the time delay difference is >200 ms.

The discrimination curves for generator breaker and tie breaker are shown below.

[Figure: discrimination curves, current (1 A to 10 MA) against time (1 cs to 10 ks). Bus-tie breaker should break before generator breaker.]

It is based on the maker documentation concluded that the tie breaker will open before the generator breakers in case of worst case short circuit. To be verified on board that breaker maker, type and protection settings are as specified.

*** End of example.

D.5.2 Under-voltage release / Voltage transients / high and low bus voltage

Generator breakers will usually be equipped with under-voltage release which opens the breaker if the voltage is below a specified level for a specified period.

All generator breaker protection relays will measure the same voltage when the tie-breaker is closed. A voltage dip will thus potentially cause all generator breakers to trip simultaneously (full blackout).

Similar consequences can arise if thruster breakers are equipped with under voltage release. All thruster breakers will measure the same voltage when the tie breaker is closed. Thus, they may all trip simultaneously with loss of position as a potential consequence.

Note also that the thruster drive controllers typically also monitor voltage and might also command thruster breakers to open. This is also a function that might cause all thrusters to trip simultaneously.

Simultaneous trip of generators or thrusters can be avoided by ensuring that the tie-breaker will always be the first to open in case of under voltage. It is also important to ensure that no "normal" voltage dip to be expected in the actual power system will cause any trip (e.g. voltage dip due to start of large motors and voltage dip due to a short circuit).

A challenging task is to verify that a short circuit on one bus will be cleared fast enough to avoid that feeders and contactors to essential auxiliary systems open due to low voltage. The same type of equipment will usually be used on both A and B side. Thus, if one loses a pump on the A side during a short circuit due to low voltage, it is also likely that the one for the B system will trip, since it will see more or less the same voltage. A very fast short circuit trip of the tie breaker will reduce the voltage dip in either the A or B system and will thus be a method to avoid losing auxiliary systems on both A and B side.

Bus tie breakers may be considered to be equipped with under voltage trip. Any protection functions acting on high bus voltage will have to be addressed in the same way.

*** Example of how under voltage release can be addressed in the FMEA:

Worst case voltage dip has been analysed for a given vessel switchboard. The results are summarized in the table below:

Case                                                          Voltage   Duration
Start of heavy consumer in DP mode. Two generators running.   90%       3 seconds
Short circuit                                                 0%        100 ms (maximum time for the bus-tie to clear fault)


The table below shows the settings of the under-voltage release protection functions in the Vessel switchboard:

It is based on these settings concluded that there is no risk of losing all generators or thrusters simultaneously in closed tie breaker operation. To be verified on board that the settings are as specified.

*** End of example.
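As an added example (not part of the RP), the dip cases and the under-voltage release settings of the example above can be replayed in code, so that which protections act in each case is computed rather than read off the tables by eye. The `UnderVoltageRelease` model, the device groups and the sustained-dip case used for the "tie breaker first" check are assumptions of the example; the settings and dip cases are the RP's.

```python
"""Under-voltage release coordination check for closed tie-breaker operation
(added example, not from the RP)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UnderVoltageRelease:
    """Trips when the bus voltage stays below level_pct for more than delay_ms.
    A release that is not fitted is modelled with enabled=False."""
    name: str
    enabled: bool
    level_pct: float
    delay_ms: float
    group: str          # "tie", "generator", "thruster" or "auxiliary"

    def trip_time_ms(self, voltage_pct: float, duration_ms: float) -> Optional[float]:
        if not self.enabled or voltage_pct >= self.level_pct:
            return None
        # a dip that is cleared at exactly the delay is ridden through
        return self.delay_ms if duration_ms > self.delay_ms else None


@dataclass(frozen=True)
class DipCase:
    label: str
    voltage_pct: float
    duration_ms: float


def tripped(devices: List[UnderVoltageRelease], case: DipCase) -> List[str]:
    """Names of the releases that act on this dip, earliest first."""
    hits = []
    for dev in devices:
        t = dev.trip_time_ms(case.voltage_pct, case.duration_ms)
        if t is not None:
            hits.append((t, dev.name))
    return [name for _, name in sorted(hits)]


def assess(devices: List[UnderVoltageRelease], cases: List[DipCase]) -> Dict[str, object]:
    """D.5.2 checks: for every analysed dip nothing in the generator or thruster
    groups may trip, and for a sustained under-voltage the tie breaker must be
    the first of tie/generators/thrusters to open."""
    per_case = {c.label: tripped(devices, c) for c in cases}
    group = {d.name: d.group for d in devices}
    protected = {n for n, g in group.items() if g in ("generator", "thruster")}
    no_loss = all(not (set(names) & protected) for names in per_case.values())

    sustained = DipCase("sustained dip (constructed)", 70.0, 5000.0)
    order = [n for n in tripped(devices, sustained) if group[n] in ("tie", "generator", "thruster")]
    tie_first = bool(order) and group[order[0]] == "tie"
    return {"tripped_per_case": per_case,
            "no_generator_or_thruster_loss": no_loss,
            "tie_first_on_sustained_dip": tie_first}


# Settings from the RP's worked example in D.5.2 (Vessel switchboard)
RELEASES = [
    UnderVoltageRelease("Bus-tie 1 (Master)", True, 85, 100, "tie"),
    UnderVoltageRelease("Bus-tie 1 (Slave)", True, 85, 100, "tie"),
    UnderVoltageRelease("Generator breakers", True, 80, 1000, "generator"),
    UnderVoltageRelease("Breakers to thrusters T1-T4", True, 80, 1000, "thruster"),
    UnderVoltageRelease("Thruster drive controller (T1, T2)", True, 85, 900, "thruster"),
    UnderVoltageRelease("Thruster drive controller (T3, T4)", False, 0, 0, "thruster"),
    # essential auxiliaries are required to ride through < 85 % for up to 100 ms
    UnderVoltageRelease("Breakers/contactors to DP essential auxiliaries", True, 85, 100, "auxiliary"),
]
# Dip cases from the RP's worst case voltage dip table
DIP_CASES = [
    DipCase("Start of heavy consumer in DP mode, two generators", 90, 3000),
    DipCase("Short circuit cleared by bus-tie", 0, 100),
]

if __name__ == "__main__":
    for key, value in assess(RELEASES, DIP_CASES).items():
        print(f"{key}: {value}")
```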

D.5.3 Load sharing monitoring

Load sharing failure between generators is a common mode failure that can lead to total blackout or full thruster load reduction (and thus also loss of position). This includes both active and reactive power sharing failure.

Active and reactive load sharing monitoring is a function typically handled by the PMS.

Active power load sharing failure can be caused by governor failure, fuel rack failure, active power or frequency sensor failures, other signal failures and load-sharing line failures. (Examples of failure causes relevant in systems with load sharing performed by stand-alone units (isochronous) could be earth failure on, broken line in, and short circuit of the load sharing line.) Note that in case the PMS is performing load sharing control, a load sharing failure might also be caused by the PMS itself if for instance a feedback signal to the power management system fails and this failure is not properly detected and handled.

Reactive power load sharing failure can for instance be caused by AVR failure, reactive power sensor failures, and voltage sensor failures.

Possible consequences of load sharing failures are:

- Generator protection relays (reverse power and over-current) might in such cases trip the healthy generator instead of the faulty one, with blackout as the final state.

- PMS might command full load reduction to all thrusters due to high load on one generator (might lead to loss of position).

Typical barriers against such outcomes can be control or protection systems that automatically open the tie breaker upon detection of load sharing failure (active or reactive).

The FMEA has to analyse and describe how the actual system will handle load sharing failures. It might also be needed to prove that the measures are effective. Typical questions to be answered by the FMEA:

- How are active and reactive load sharing failures detected in the system?
- What is the action to bring the system to a safe state? (opening of the tie-breaker will usually be part of an appropriate action)
- Immediate or delayed action? Time delays in detection and action?

This kind of information may be found in the functional design specification of the PMS system. This issue will probably also be covered by the vendor's FMEA of the PMS, if such is available and used as input to the FMEA.

It is not straightforward to prove that the measures against load sharing failure consequences are effective. Tests can be carried out on sea-trials or at dock if the necessary generator loads are available. An alternative is to verify this by use of HIL-testing.

Breaker Under voltage release

Under voltage release / trip level Delay

Bus-tie 1 (Master) Yes 85% 100 msBus-tie 1 (Slave) Yes 85% 100 msGenerator breakers Yes 80% 1sBreakers to thruster T1, T2, T3 and T4 Yes 80% 1sThruster drive controller (T1 and T2) Yes 85% 900 msThruster drive controller (T3 and T4) No - -Breakers to DP essential auxiliaries < 85% >100 msContactors and low voltage breakers to DP essential auxiliaries < 85% >100 ms


*** Example of how the load sharing monitoring can be summarized in the FMEA:

The table below shows which vessel control system is responsible for active and reactive power load sharing monitoring in the different modes.

| Mode | Monitoring | Control system / PLC | Monitors sharing between |
|---|---|---|---|
| Open tie-breaker | Active power | PMS A | DG1, DG2 |
| | | PMS B | DG3, DG4 |
| | Reactive power | PMS A | DG1, DG2 |
| | | PMS B | DG3, DG4 |
| Closed tie-breaker | Active power | PMS A | DG1, DG2, DG3, DG4 |
| | Reactive power | PMS A | DG1, DG2, DG3, DG4 |

Automatic action to bring the system to a safe state (split system) in case of active power load sharing failure:

| Mode | Measure | Level | Delay |
|---|---|---|---|
| Open tie-breaker | Warning | - | |
| | Alarm | > 200 kW difference | 10 sec |
| | Other action (specify) | - | |
| Closed tie-breaker | Warning | - | |
| | Alarm | > 200 kW difference | 10 sec |
| | Trip of tie breaker | > 300 kW difference | 5 sec |
| | Other action (specify) | - | |

Automatic action to bring the system to a safe state (split system) in case of reactive power load sharing failure:

| Mode | Measure | Level | Delay |
|---|---|---|---|
| Open tie-breaker | Warning | - | |
| | Alarm | > 100 kVAr difference | 4 sec |
| | Other action (specify) | - | |
| Closed tie-breaker | Warning | - | |
| | Alarm | > 100 kVAr difference | 4 sec |
| | Trip of tie breaker | > 200 kW difference | 2 sec |
| | Other action (specify) | - | |

The tables show that appropriate measures are taken for the system in this example in case of load sharing failures (active or reactive). (Note that other system designs might require additional analyses.) It is also seen that PMS A is responsible for the monitoring when the tie breaker is closed. This is a potential single point failure that requires additional attention.

Identified failure modes that need to be tested on FAT/Dock/Sea trial:

| Failure mode (with closed tie-breaker) | Possible worst case consequence |
|---|---|
| Active power load sharing failure with closed tie-breaker | Full blackout may be the consequence in case the tie breaker is not opened fast enough, or in case no other action is initiated to bring the system to a safe state. |
| Reactive power load sharing failure with closed tie breaker | Full blackout may be the consequence in case the tie breaker is not opened fast enough, or in case no other action is initiated to bring the system to a safe state. |
| Loss of PMS A | This might be a critical failure since loss of PMS A will lead to loss of both load sharing monitoring and load sharing control (see drawing in section A.4.5.4). Worst case consequence will be full blackout. It has to be verified that the tie breaker is automatically opened in case of loss of PMS A. |
| Loss of PMS B | This might be a critical failure since loss of PMS B will cause loss of both load sharing monitoring and load sharing control (see drawing in section A.4.5.4), since the monitoring carried out by PMS A is based on DG3 and DG4 signals routed through PMS B. Worst case consequence might be full blackout. It has to be verified that the tie breaker is automatically opened in case of loss of PMS B. |

*** End of example.
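The monitoring settings tabulated in the example above, worked through as an added illustration (this is not DNV's code and not any PMS vendor's implementation): the alarm and tie-breaker trip levels and delays are those of the example tables, while the frozen-feedback timeout of 1 s, the action strings and the class layout are assumptions. The frozen-feedback check addresses the "loss of PMS B" row above: if the DG3/DG4 values stop refreshing, the monitor splits the system instead of comparing stale numbers.

```python
"""Load sharing monitoring: difference thresholds with time delays, plus
detection of frozen feedback. Added illustration of the D.5.3 example; it is
not DNV's code and not any PMS vendor's implementation. The threshold values
are those of the example tables; the stale-feedback timeout, the generator
names as dictionary keys and the action strings are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Sample:
    """One generator measurement; `ts` is when the value was last refreshed."""
    kw: float
    kvar: float
    ts: float


@dataclass(frozen=True)
class Threshold:
    level: float   # max minus min over the monitored generators (kW or kVAr)
    delay: float   # seconds the condition must persist before acting


@dataclass
class LoadSharingMonitor:
    """Raises alarm and tie-breaker trip actions from generator load spreads.

    Closed tie-breaker: active alarm 200 kW / 10 s, trip 300 kW / 5 s;
    reactive alarm 100 kVAr / 4 s, trip 200 / 2 s (levels of the example).
    Open tie-breaker: only the alarms apply, as in the example tables."""
    active_alarm: Threshold = field(default_factory=lambda: Threshold(200.0, 10.0))
    active_trip: Threshold = field(default_factory=lambda: Threshold(300.0, 5.0))
    reactive_alarm: Threshold = field(default_factory=lambda: Threshold(100.0, 4.0))
    reactive_trip: Threshold = field(default_factory=lambda: Threshold(200.0, 2.0))
    stale_after: float = 1.0   # assumption: a feedback not refreshed for 1 s is frozen
    since: Dict[str, float] = field(default_factory=dict)  # when each condition began

    def _persisted(self, key: str, cond: bool, now: float, thr: Threshold) -> bool:
        """True once `cond` has held continuously for thr.delay seconds."""
        if not cond:
            self.since.pop(key, None)
            return False
        start = self.since.setdefault(key, now)
        return now - start >= thr.delay

    def evaluate(self, now: float, tie_closed: bool, samples: Dict[str, Sample]) -> List[str]:
        """Return the actions due at time `now` for the given measurements."""
        # Frozen or missing feedback (e.g. DG3/DG4 values that stop updating
        # when the PMS routing them is lost) makes the comparison meaningless.
        # Treat it as a monitoring failure instead of trusting old values.
        stale = sorted(g for g, s in samples.items() if now - s.ts > self.stale_after)
        if stale:
            kind = "TRIP_TIE_BREAKER" if tie_closed else "ALARM"
            return [f"{kind}: frozen feedback from {', '.join(stale)}"]

        kw = [s.kw for s in samples.values()]
        kvar = [s.kvar for s in samples.values()]
        spread = {"active": max(kw) - min(kw), "reactive": max(kvar) - min(kvar)}
        checks = [
            ("active_trip", self.active_trip, "TRIP_TIE_BREAKER: active power sharing failure"),
            ("active_alarm", self.active_alarm, "ALARM: active power sharing deviation"),
            ("reactive_trip", self.reactive_trip, "TRIP_TIE_BREAKER: reactive power sharing failure"),
            ("reactive_alarm", self.reactive_alarm, "ALARM: reactive power sharing deviation"),
        ]
        actions: List[str] = []
        for key, thr, msg in checks:
            quantity, measure = key.split("_")
            if measure == "trip" and not tie_closed:
                self.since.pop(key, None)    # trip is defined only with closed tie
                continue
            if self._persisted(key, spread[quantity] > thr.level, now, thr):
                actions.append(msg)
        return actions


def run_scenario() -> List[str]:
    """Constructed scenario with closed tie-breaker: balanced load for 10 s,
    then a 350 kW spread (DG4 drifting low), then DG3/DG4 feedback freezing."""
    mon = LoadSharingMonitor()
    log: List[str] = []

    def gens(kw: List[float], ts: float) -> Dict[str, Sample]:
        return {f"DG{i + 1}": Sample(kw[i], 0.0, ts) for i in range(4)}

    for t in range(0, 10):
        log += [f"t={t}: {a}" for a in mon.evaluate(float(t), True, gens([1000.0] * 4, float(t)))]
    for t in range(10, 16):
        log += [f"t={t}: {a}" for a in mon.evaluate(float(t), True, gens([1150.0, 1000.0, 1000.0, 800.0], float(t)))]
    frozen = gens([1000.0] * 4, 16.0)
    frozen["DG3"].ts = frozen["DG4"].ts = 14.0   # PMS B stopped refreshing these
    log += [f"t=16: {a}" for a in mon.evaluate(16.0, True, frozen)]
    return log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Running the scenario yields the trip after the 5 s trip delay at t=15 (the 10 s alarm delay has not yet elapsed, which mirrors the example's shorter trip delay) and a second trip request at t=16 on the frozen DG3/DG4 feedback. With an open tie-breaker the same spread produces only the alarm.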


D.5.4 Active power load sharing control system

Load sharing between generators will typically be controlled by one of the following control systems:

- Load sharing by PMS
- Load sharing by dedicated, stand alone load sharing module
- Load sharing integrated in governors with communication between governors (e.g. analogue load sharing lines or digital communication)

Note: Load sharing control and load sharing monitoring (ref. A.4.5.3) are two different functions that both have to be addressed.

It is not uncommon to have a backup system where one of the above is the preferred system and one of the others is used as backup.

The FMEA has to address the load sharing system thoroughly when operating with closed tie-breaker, since in this case the load sharing system will be common for both A and B side, or at least the system will depend on measurements from both A and B side. The FMEA has to identify possible common mode failures. Typical signals used by the control system (PMS or stand alone dedicated system) in the load sharing control are:

- Running signal from all generators
- Open / closed status from all generator circuit breakers
- Open / closed status from tie-breaker(s) (both master and slave breakers if applicable)
- Active power measurement from all generators
- Speed up/down command signal to all generators.

It is thus quite clear that in a load sharing system there is a potential for single failures affecting both the A and B system. It will usually be necessary that the tie breaker is automatically opened if any failure in the load sharing system is detected. This applies both to load sharing by PMS and to other load sharing systems.

*** Example of how the load sharing system can be summarized in the FMEA:

The load sharing is controlled by the PMS, as follows:

- Open tie-breaker:
  - PMS A performs load sharing between DG1 and DG2
  - PMS B performs load sharing between DG3 and DG4
- Closed tie-breaker:
  - PMS A performs load sharing between DG1, DG2, DG3 and DG4.

The signals used for load sharing by the PMS are shown in the figures below (for both open and closed tie-breaker mode). As can be seen, there are dependencies between the A and B systems both with closed and open tie-breaker. The FMEA analysis has concluded that the tests listed in the tables below have to be carried out in order to verify that the load sharing system conforms to the redundancy requirements.

[Figure: Closed tie-breaker. PMS A and PMS B; generators DG1, DG2, DG3, DG4 with signals PG1-PG4 (power), DG1-DG4 running and CB1-CB4 closed; the DG3/DG4 signals (PG3, PG4, DG3/DG4 running, CB3/CB4 closed) are passed on to PMS A via PMS B; speed up/down commands to all four generators; SWBD A + B; tie breaker status.]

[Figure: Open tie-breaker. PMS A with DG1 and DG2 (PG1, PG2, DG1/DG2 running, CB1/CB2 closed), speed up/down commands, SWBD A and tie breaker status; PMS B with DG3 and DG4 (PG3, PG4, DG3/DG4 running, CB3/CB4 closed), speed up/down commands, SWBD B and tie breaker status.]

Identified failure modes for closed tie-breaker that need to be tested:

| Failure mode (with closed tie-breaker) | Possible worst case consequence |
|---|---|
| Power supply failure or complete loss of PMS A | No active power load sharing. May lead to load sharing failure and finally complete blackout (A + B) if not properly handled. It has to be verified that the tie breaker is automatically opened. |
| Power supply failure or complete loss of PMS B | Will cause faulty / frozen measurements from DG3 and DG4 in the load sharing control since these are routed through PMS B. May lead to load sharing failure and finally complete blackout (A + B) if not properly handled. It has to be verified that the tie breaker is automatically opened. |
| Tie breaker opened/closed status feedback failure | If the PMS acts as if the tie-breaker is open when it is actually closed (and vice versa), load sharing will fail and complete blackout (A + B) may be the final result. It has to be verified that the system will detect failure of the tie breaker status signal and that the system is automatically split by opening the tie breaker in such case. |

Identified failure modes for open tie-breaker that need to be tested:

| Failure mode | Possible worst case consequence |
|---|---|
| Tie breaker opened/closed status feedback failure | As shown in the drawing, system A and system B use the same tie breaker status signal. A failure of this signal will affect both A and B side. It has to be verified that the integrity of the tie breaker status signal is monitored and that the tie-breaker is commanded to open if a feedback failure is detected (even if the breaker is apparently open already). |

*** End of example.

D.5.5 Blackout prevention, load reduction, load limitation system, and blackout recovery

To avoid generator overload, the load on generators is typically automatically reduced or shed. This is essential to avoid partial or full blackout. This functionality is required also for open tie-breaker operation, but will be even more important when operating with closed tie-breaker since an overload in this case may cause immediate full blackout.

The FMEA has to address the intended functionality of the blackout prevention / load reduction / load limitation system and has also to verify that the system is fail safe such that no single failure related to this functionality can violate the acceptance criteria, e.g. for DP2 blackout, or full loss of thrust.

The blackout prevention / load reduction / load shedding functionality might typically be implemented in more than one control system. Thus, on the same vessel one might find blackout prevention / load limitation / load reduction functionality in the:

- DP control system
- PMS
- a stand alone load limiting system
- variable frequency drive controllers.

The blackout prevention / load reduction / load shedding might typically be triggered by one or more of the following:

- high generator active power
- high generator reactive power (not common)
- high generator current
- high total load on bus (sum of generator active power)
- low bus frequency
- low bus voltage.

Such functionality may cause failure propagation between A and B side when operating with closed tie-breaker. This could happen because the control system has to take into consideration all generators, both on A and B side, in order to check for overload. Further, load reduction based on bus frequency or bus voltage may cause failure propagation between the A and B system. Frequency and voltage are equal on A and B side as long as the tie-breaker is closed. This means that low voltage or low frequency might cause simultaneous load reduction of all running thrusters and consequently risk of position loss.

It might be necessary to carry out tests on FAT/Dock/Sea trial to:

- prove that the system works as intended
- prove that critical failures in the blackout prevention / load reduction / load limitation are detected by the control systems (typically failure on the active power measurement signal to the control system and the load reduction command signal to the thrusters)
- prove that no single failure will cause all thrusters to be reduced to a very low or zero speed simultaneously (risk of drift off).

Blackout recovery systems may also need to be analysed. It should be ensured that unintended operation cannot create a blackout, e.g. as a result of false blackout detection.

*** Example of how the blackout prevention / load reduction / load shedding can be presented in the FMEA:

Overview of blackout prevention / load reduction / load shedding functionality on the vessel:

| Mode | Control system / PLC | Criteria to initiate action | Delay | Action |
|---|---|---|---|---|
| Closed tie-breaker | PMS A | Bus A+B load > 98% | 200 ms | Load reduction command is sent to THR1, THR2, THR3, THR4 |
| | PMS A | Bus A+B frequency < 56 Hz | 200 ms | Load reduction command is sent to THR1, THR2, THR3, THR4 |
| | PMS A | DG1 load > 98%; DG2 load > 98%; DG3 load > 98%; DG4 load > 98% | 200 ms | Load shedding of non-thruster heavy consumers on bus A |
| | PMS A | DG1 load > 105%; DG2 load > 105%; DG3 load > 105%; DG4 load > 105% | 200 ms | Load reduction command to THR1, THR2, THR3, THR4 |
| | PMS B | Bus A+B load > 98% | 200 ms | Load reduction command sent to THR1, THR2, THR3, THR4 |
| | PMS B | Bus A+B frequency < 56 Hz | 200 ms | Load reduction command sent to THR1, THR2, THR3, THR4 |
| | PMS B | DG1 load > 98%; DG2 load > 98%; DG3 load > 98%; DG4 load > 98% | 200 ms | Load shedding of non-thruster heavy consumers on bus B |
| | PMS B | DG1 load > 105%; DG2 load > 105%; DG3 load > 105%; DG4 load > 105% | 200 ms | Load reduction command to THR2 and THR4 |
| | DP | Bus A load > 95% | 1 sec | Command signal to THR1 and/or THR3 reduced |
| | DP | Bus B load > 95% | 1 sec | Command signal to THR2 and/or THR4 reduced |
| | THR1 | Bus A+B frequency < 56 Hz; Bus A+B voltage < 90% | 200 ms | THR1 reduces speed by itself |
| | THR2 | Bus A+B frequency < 56 Hz; Bus A+B voltage < 90% | 200 ms | THR2 reduces speed by itself |
| | THR3 | Bus A+B frequency < 56 Hz; Bus A+B voltage < 90% | 200 ms | THR3 reduces speed by itself |
| | THR4 | Bus A+B frequency < 56 Hz; Bus A+B voltage < 90% | 200 ms | THR4 reduces speed by itself |


The figure below shows how the blackout prevention / load limiting functions may lead to failure propagation, e.g. from the A to the B system (or vice versa). This system has thus to be addressed further. The table below summarizes identified failure modes that will have to be tested in order to verify that no single failure will lead to loss of position.

[Figure: Blackout prevention / load limitation signal flow with closed tie-breaker. PMS A and PMS B; generators DG1-DG4 with kW measurements; kW (DG1, DG2) and kW (DG3, DG4) signals exchanged between PMS A and PMS B; Hz and V from SWBD A + B (closed tie-breaker) to PMS A, PMS B and the thrusters; power limit commands from PMS A and PMS B to THR1, THR2, THR3 and THR4.]

Identified failure modes that need to be tested on FAT/Dock/Sea trial:

| Failure mode | Possible worst case consequence |
|---|---|
| One generator power measurement fails to maximum | All thrusters (THR1, THR2, THR3, THR4) will in worst case be reduced to 0% thrust (from both PMS A and PMS B). Need to verify that this is avoided. A possible measure will be to open the tie breaker. |
| One generator fails to full power | All thrusters (THR1, THR2, THR3, THR4) will in worst case be reduced to 0% thrust (from both PMS A and PMS B). Need to verify that this is avoided. A possible measure will be to open the tie breaker. |
| Failure on Bus A or Bus B frequency or voltage measurement to PMS | The PMS receiving the faulty measurement might command load reduction to all thrusters simultaneously. Need to verify that the system checks for inconsistency in frequency and voltage measurements and that the system is brought to a safe state in case such failure is detected. |

*** End of example.

D.5.6 PMS

The analysis of the power management system (PMS) must verify that no single failure in the PMS can violate the given acceptance criteria. Some relevant issues for the analysis are listed below:

- How is it ensured that a single feedback failure to the PMS does not cause violation of the acceptance criteria?
- Can the PMS connect a generator (or bus-tie) without synchronization?
- Can the PMS cause full load reduction to all running thrusters simultaneously?
- Can the PMS decrease generator frequencies to a level that causes risk of automatic load reduction of drives / tripping of drives?
- Can the PMS increase frequency to a level that causes systems to trip?
- Can a single PMS operator failure cause blackout?
- What are the consequences of communication failures?
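The first D.5.6 question (a single feedback failure to the PMS must not violate the acceptance criteria) and the "one generator power measurement fails to maximum" row of the D.5.5 example table, worked through as an added illustration that is not DNV's code and not any PMS vendor's implementation. The 98% bus load and 105% generator load levels and the 200 ms delay are taken from the example table; the 2000 kW generator rating, the independent current and voltage transducers, the power-factor margin and the step-rate plausibility rule are assumptions. A naive decision function that acts directly on the kW feedback is shown beside the cross-checking one, so the propagation to all four thrusters and its prevention can both be reproduced.

```python
"""Blackout prevention / load reduction logic that cross-checks a single kW
feedback before acting on it. Added illustration for the D.5.5 example table
and the D.5.6 question on single feedback failures; it is not DNV's code and
not any PMS vendor's implementation. Generator rating, current and voltage
transducers, the power-factor margin and the step-rate rule are assumptions;
the 98% / 105% levels and the 200 ms delay are taken from the example table."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RATED_KW = 2000.0            # assumption: each DG rated 2000 kW
BUS_LIMIT = 0.98             # example table: bus A+B load > 98%
GEN_LIMIT = 1.05             # example table: DGx load > 105%
DELAY_S = 0.2                # example table: 200 ms
MAX_STEP_KW_PER_S = 4000.0   # assumption: larger jumps at steady frequency are not credible
FREQ_NOMINAL_HZ = 60.0       # assumption
ALL_THRUSTERS = "THR1, THR2, THR3, THR4"


@dataclass
class Gen:
    kw: float     # active power feedback as received by the PMS
    amps: float   # generator current from an independent transducer (assumption)
    volts: float  # line voltage at the generator breaker (assumption)


def naive_actions(gens: Dict[str, Gen]) -> List[str]:
    """Load reduction as a PMS without plausibility checks would decide it:
    one feedback stuck at maximum pulls every thruster down."""
    if any(g.kw / RATED_KW > GEN_LIMIT for g in gens.values()):
        return [f"LOAD_REDUCTION: {ALL_THRUSTERS}"]
    return []


@dataclass
class BlackoutPrevention:
    last_kw: Dict[str, float] = field(default_factory=dict)
    last_t: Optional[float] = None
    overload_since: Optional[float] = None

    def implausible(self, now: float, name: str, g: Gen, hz: float) -> Optional[str]:
        """Reason the kW feedback of one generator should not be trusted, or None."""
        kva = math.sqrt(3) * g.volts * g.amps / 1000.0
        if g.kw > 1.05 * kva:                   # active power cannot exceed apparent power
            return f"{name} reports {g.kw:.0f} kW but only {kva:.0f} kVA flows"
        prev = self.last_kw.get(name)
        if prev is not None and self.last_t is not None and now > self.last_t:
            rate = abs(g.kw - prev) / (now - self.last_t)
            if rate > MAX_STEP_KW_PER_S and abs(hz - FREQ_NOMINAL_HZ) < 0.2:
                return f"{name} stepped {abs(g.kw - prev):.0f} kW while frequency stayed steady"
        return None

    def evaluate(self, now: float, tie_closed: bool, gens: Dict[str, Gen], hz: float) -> List[str]:
        """Return the actions due at time `now`."""
        acts: List[str] = []
        trusted: Dict[str, float] = {}
        for name, g in gens.items():
            reason = self.implausible(now, name, g, hz)
            if reason is None:
                trusted[name] = g.kw
            else:
                acts.append(f"ALARM: implausible feedback, {reason}")
        self.last_kw = {n: g.kw for n, g in gens.items()}
        self.last_t = now

        if len(trusted) < len(gens):
            # A single bad feedback must not reduce thrust on both A and B:
            # go to the safe state the example table names (split the system).
            self.overload_since = None
            if tie_closed:
                acts.append("OPEN_TIE_BREAKER: suspect feedback while operating with closed tie")
            return acts

        bus_load = sum(trusted.values()) / (len(trusted) * RATED_KW)
        gen_over = any(kw / RATED_KW > GEN_LIMIT for kw in trusted.values())
        if bus_load > BUS_LIMIT or gen_over:
            if self.overload_since is None:
                self.overload_since = now
            if now - self.overload_since >= DELAY_S:
                acts.append(f"LOAD_REDUCTION: {ALL_THRUSTERS}")
        else:
            self.overload_since = None
        return acts


def amps_for(kw: float, volts: float = 690.0, pf: float = 0.9) -> float:
    """Constructed current consistent with `kw` at the given power factor."""
    return kw / pf * 1000.0 / (math.sqrt(3) * volts)


def scenario_failed_to_max() -> Tuple[List[str], List[str]]:
    """DG1 kW feedback jumps to 2400 kW (full scale) while its current stays
    at the value for 1200 kW. Returns (naive actions, cross-checked actions)."""
    bp = BlackoutPrevention()
    healthy = {f"DG{i}": Gen(1200.0, amps_for(1200.0), 690.0) for i in range(1, 5)}
    bp.evaluate(0.0, True, healthy, 60.0)
    faulty = dict(healthy)
    faulty["DG1"] = Gen(2400.0, amps_for(1200.0), 690.0)
    return naive_actions(faulty), bp.evaluate(0.1, True, faulty, 60.0)


def scenario_real_overload() -> List[str]:
    """All four DGs genuinely at 99% with consistent currents: the load
    reduction command is issued once the 200 ms delay has elapsed."""
    bp = BlackoutPrevention()
    gens = {f"DG{i}": Gen(1980.0, amps_for(1980.0), 690.0) for i in range(1, 5)}
    log: List[str] = []
    for t in (0.0, 0.1, 0.2, 0.3):
        log += [f"t={t:.1f}: {a}" for a in bp.evaluate(t, True, gens, 59.6)]
    return log
```

In the failed-to-maximum scenario the naive logic issues a load reduction to all four thrusters, while the cross-checking logic raises an alarm on DG1 and opens the tie breaker, which is the measure the example table proposes; a genuine overload with consistent measurements still produces the load reduction after 200 ms. Whether a given PMS performs such consistency checks, and what it does on detection, is exactly what the FMEA has to establish and the FAT/Dock/Sea trial tests have to confirm.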