
RECOMMENDED PRACTICE

DNV-RP-D102

Failure Mode and Effect Analysis (FMEA) of Redundant Systems


JANUARY 2012

The electronic pdf version of this document found through http://www.dnv.com is the officially binding version

DET NORSKE VERITAS AS

FOREWORD
DET NORSKE VERITAS (DNV) is an autonomous and independent foundation with the objectives of safeguarding life, property and the environment, at sea and onshore. DNV undertakes classification, certification, and other verification and consultancy services relating to quality of ships, offshore units and installations, and onshore industries worldwide, and carries out research in relation to these functions.

DNV service documents consist of, among others, the following types of documents:
- Service Specifications: procedural requirements.
- Standards: technical requirements.
- Recommended Practices: guidance.

The Standards and Recommended Practices are offered within the following areas:
A) Qualification, Quality and Safety Methodology
B) Materials Technology
C) Structures
D) Systems
E) Special Facilities
F) Pipelines and Risers
G) Asset Operation
H) Marine Operations
J) Cleaner Energy
O) Subsea Systems

Det Norske Veritas AS January 2012 Any comments may be sent by e-mail to rules@dnv.com

This service document has been prepared based on available knowledge, technology and/or information at the time of issuance of this document, and is believed to reflect the best of contemporary technology. The use of this document by others than DNV is at the user's sole risk. DNV does not accept any liability or responsibility for loss or damages resulting from any use of this document.

Recommended Practice DNV-RP-D102, January 2012 Changes Page 3

CHANGES
Main changes:
This is a new document.


CONTENTS
1. General (p. 5)
   1.1 Application, objective, and contents of FMEA for redundant systems (p. 5)
2. Definitions (p. 7)
   2.1 General definitions (p. 7)
3. Documentation (p. 11)
   3.1 General (p. 11)
4. Redundancy Design Intention (p. 12)
   4.1 General (p. 12)
   4.2 Redundancy design intention and functional redundancy types (p. 12)
   4.3 Specification of subsystem or component groups (p. 15)
   4.4 Specification and analyses of dependencies (p. 16)
5. Single Failure Propagation in Redundant Systems (p. 21)
   5.1 General (p. 21)
   5.2 Failures, common causes, and systematic failure propagation (p. 22)
   5.3 Barriers and other compensating measures (p. 22)
   5.4 Failure propagation analysis at subsystem level (p. 23)
6. Unit and Subsystem FMEA (p. 27)
   6.1 Requirements to the unit FMEA including subsystem FMEA (p. 27)
   6.2 Allocation of unit requirements to subsystems/component groups (p. 27)
   6.3 Comparison of subsystem design intention with subsystem FMEA acceptance criterion (p. 30)
7. FMEA of Subsystems with Redundancy (p. 34)
   7.1 General (p. 34)
8. FMEA of Single Sub-Systems (p. 36)
   8.1 General (p. 36)
9. Redundant Systems with Physical (Fire and Flooding) Separation (p. 39)
   9.1 Separation design intent (p. 39)
   9.2 Separation analysis (p. 40)
10. Inspections and Tests (p. 41)
   10.1 General (p. 41)
11. FMEA Report and Compliance Statement (p. 43)
   11.1 General (p. 43)
Appendix A. IMCA references (p. 44)
Appendix B. DNV references (p. 45)
Appendix C. Typical table of contents for a minimum DP FMEA (p. 46)
Appendix D. Failure modes in electrical power systems operating with closed bus tie(s) (p. 47)


1. General
1.1 Application, objective, and contents of FMEA for redundant systems
1.1.1 The requirements of this guideline apply to failure mode and effect analysis (FMEA) of redundant systems.
Guidance note 1: Class notations such as DYNPOS-AUTR, DYNPOS-AUTRO, DPS 2, DPS 3, DYNPOS-ER, RP, RPS, AP-2 and AP-3 require redundancy. An FMEA of the system redundancy is required as part of the verification of the specific acceptance criterion for the specific notation. This guideline may also be suitable for other applications, e.g. the IMO requirements for Safe Return to Port.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2: This guideline does not set any guidance to FMEA of software. However, the guideline requires testing and verification of how the software responds to relevant failures in the system subject to verification.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.2 The objective of failure mode and effects analysis of redundant systems in a specified unit (U) is to provide objective evidence of required redundancy and fault tolerance.
[Figure 1-1: block diagram showing the system boundary of the unit (U), the acceptance criteria reference level, and the two redundant component groups A and B]

Figure 1-1 The redundancy design intent can be visualized by means of one redundant component group diagram (UAB). The diagram represents the complete physical system: the unit (U) with its system boundary, and the two physical redundant component groups (A and B). The main concepts are the system boundary, the redundant component groups (illustrated by a minimum of two redundant groups, the A group and the B group), and the acceptance criteria reference level, which refers to the unit system boundary. Please note that more than two redundant groups may also be assumed (e.g. A, B, C, D groups).

Guidance note: In order to give the reader an introduction to the vessel subject to the FMEA and the project in general, the FMEA report should start with high level vessel information, which may typically include: main particulars, yard, yard number, owner, ship name and identification, vessel type, intended operation, class notations, main equipment suppliers, FMEA supplier and other relevant information.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.3 In order to be valid, the FMEA, the test program, and the test report must at all times during the operational phase be maintained and updated in case of alterations of the system. In case of alterations it must be evaluated if:
- additional FMEA is required
- the test program needs to be updated
- functional testing and/or failure testing is required
- other parts of the documentation need to be updated.
Guidance note: The requirements to keep the FMEA documents updated during the operational phase will vary between the different class notations (e.g. DYNPOS-AUTR, DPS 2, RP, AP).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.4 The FMEA shall specify all vessel operational modes which it is intended to be valid for (minimum one mode). For each of these vessel operational modes the technical system configuration shall be described and prerequisites for achieving the required failure tolerance and redundancy shall be included.
Guidance note: The vessel operational mode specifies the high level system setup, redundancy design intention and vessel operations. Examples of vessel operational modes are position keeping, weather vaning, manoeuvring and dredging. It is understood that "vessel operations" in this context is a common term comprising vessel operations, control system modes and industrial functions.
The technical system configuration(s) are prerequisites for establishing the basis for an FMEA, and must be specified for all relevant configurations. One example could be that a vessel has different technical system configurations for different vessel operational modes; another example could be a vessel with DYNPOS-AUTRO notation that is intended also to have a mode based on the DYNPOS-AUTR acceptance criteria. In that case both modes shall be stated, specified, analysed, and tested in the FMEA. The technical system configuration includes all technical modes (and combinations of the modes) of all systems that may influence the redundancy and failure tolerance of the unit. This will typically include, but is not limited to, control system modes, power plant and thruster configuration, switchboard (AC and DC) configuration and distribution setup, auxiliary systems setup, valves, breakers, pumps, etc.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

1.1.5 All specified vessel operational modes and technical system configurations that the FMEA is intended to be valid for shall be analysed and, as far as possible, verified by testing.

1.1.6 A failure mode and effect analysis (FMEA) of redundant systems shall as a minimum consist of the following parts:
- general vessel information
- specification of acceptance criteria
- specification of the overall system boundary of the unit (U) to be subject to FMEA
- redundancy design intent(s), worst case failure design intent, time requirements, and vessel operational modes
- specification of all redundant component groups (e.g. A, B) and single component groups included within the overall system boundary. The relevant system names, main units, compartments (when applicable), and their main intended functions shall be presented in a structured manner, supported with a descriptive narrative text.
- specification of all assumptions related to system interfaces and dependencies on external systems
- single failure and common cause analysis at unit (U) and subsystem levels (A, B)
- if applicable, separation design intent and descriptions of the installation of redundant component groups in fire and flooding protected compartments. This also includes cables and communication lines, and associated equipment.
- a test program identifying tests to verify assumptions and conclusions
- summary and conclusions: for each subsystem analysed, the conclusions shall be stated at the end of the specific section; for the total system, an overall summary covering the main findings from the most critical subsystems
- a compliance statement referring to the overall system boundary, operational modes, tests, and acceptance criterion including time requirements shall be stated for the FMEA.
Detailed requirements for the above parts are stated in this guideline.
Guidance note 1: Please observe that the requirements to FMEAs for redundant systems differ from traditional bottom-up FMEAs in the following respects:
- requirement to state the redundancy design intent
- requirement to specify the acceptance criterion to be complied with
- requirement to refer to full scale testing and sea trials to support the analysis
- requirement to state compliance with the acceptance criterion.
The FMEA documentation shall be self-contained and provide sufficient information to get the necessary overview of the system.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2: In general, FMEAs of single non-redundant systems will normally require a complete breakdown of all parts of the system, resulting in a large set of possible failure modes with the potential of affecting the function of the system. Consider for instance a single engine and single propulsor on a cargo ship. (Normally there will be no class requirement for an FMEA of such single systems.) On the other hand, an FMEA of redundant systems with a stated overall functional requirement (e.g. no single failure shall give loss of position) makes it possible to manage the actual detailed scope of the subsystem FMEAs in a top-down approach and to limit the detailed analysis. The top-down approach thus avoids detailed and complete FMEAs of each of the redundant subsystems.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


2. Definitions
2.1 General definitions
2.1.1 Active redundancy (IEC 191-15-02) is that redundancy wherein all means for performing a required function are intended to operate simultaneously.

2.1.2 Acceptance criterion/criteria are to be stated as the maximum accepted consequence of failure. The acceptance criterion/criteria should refer to the system boundary level.
Guidance note: For the unit level the class notation requirements will normally be the acceptance criterion.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.3 Ageing failure, wear out failure: a failure whose probability of occurrence increases with the passage of time, as a result of processes inherent in the item (random failure) (IEC 191-04-09). Ageing or random failure: an ageing or random failure of a component or a subsystem is characterised by the fact that the failure may occur at any time; the time of the failure event cannot be stated in advance to fall within a specified time.

[Figure 2-1: timeline of a random failure event]

Figure 2-1 For a random failure, the time to the failure event is random.

2.1.4 Benign failure modes: a term used for the subset of failure modes which primarily affect only the subsystem itself, with minor effect with regard to propagation leading to critical failures in other subsystems.
Guidance note: A typical benign failure mode is loss of power output, whereas overvoltage will be considered as a non-benign failure mode. There is a need to define which possible states a system may enter into after a failure. It cannot be assumed that a system or component is simply lost (absence of function). The system or component may enter into a state affecting other units. Detailed analysis of basic functionality may have to be done at a single failure level, e.g. the problem with a faulty input from a draft sensor, a wind sensor, or a common reference signal may affect more than one redundancy group.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.5 Common cause failures (IEC 191-04-23): failures of different items, resulting from a single event, where these failures are not consequences of each other.

2.1.6 Common mode failures (IEC 191-04-24): failures of items characterized by the same fault mode.
Note: Common mode failures should not be confused with common cause failures as the common mode failures may result from differing causes.
---e-n-d---of---N-o-t-e---

2.1.7 Common component group: represents components, physical connections, and dependencies between the redundant component groups.

2.1.8 Component group: a specified set of components or sub-systems within a specified component group boundary.

2.1.9 Dependent systematic failures: The unacceptable failure situations for redundant systems are related to failures in two or more redundant groups, when the second failure occurs in a systematic manner within the stated acceptable time requirement. The most critical situations are related to systematic failure propagation in the following situations:
- systematic failure propagation between dependent systems or common components
- systematic failure due to common cause propagation
- systematic failure propagation due to primary/secondary failure propagation.
Guidance note: The key point is that the redundant systems will fail within the unacceptable failure time requirement as given in the acceptance criterion for the applied class notation. The objective of the single failure analysis is therefore to identify possible dependent systematic failures which may violate the stated acceptance criterion for the given class notations (DP, AP, RP).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.10 Failure (ISO 14224, 3.15): termination of the ability of an item to perform a required function.
NOTE 1: After the failure, the item has a fault.
NOTE 2: Failure is an event, as distinguished from a fault, which is a state.
NOTE 3: This concept as defined does not apply to items consisting of software only.

2.1.11 Failure cause (IEC 191-04-17): The circumstances during design, manufacture or use which have led to a failure.

2.1.12 Failure mode (ISO 14224, 3.20): The effect by which a failure is observed on the failed item.

Figure 2-2 Failure mode observed at boundary

2.1.13 FMEA: Failure mode and effect analysis.


Guidance note: A general FMEA method is described in e.g. IEC 60812 2006. The method represents a bottom up analysis of failure effects on the end item level (system boundary). The general FMEA does not, as a work process, take advantage of requirements to redundancy, acceptance criterion/criteria, and testing on the actual system as being required in the guideline for FMEA of redundant systems.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.14 Fail safe (IEC 90-191) is a design property of an item which prevents its failures from resulting in critical faults.

2.1.15 Hidden failure (ISO 14224, 3.24): a failure that is not immediately evident to operations and maintenance personnel.
Guidance note: NOTE: Equipment that fails to perform an on-demand function falls into this category. Such failures must be revealed through checks. Monitoring and periodic testing/verification should be performed in order to ensure sufficient availability of such functions. Protective functions, e.g. in power plants and switchboards, are typical examples of on-demand functions where possible hidden failures should be considered.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.16 Primary failure (IEC 191-04-15): a failure of an item, not caused either directly or indirectly by a failure or a fault of another item (also see secondary failure).

2.1.17 Redundant (IEC 90-191-15): in an item, the existence of more than one means for performing a required function.

2.1.18 Redundant component groups (subsystems) are two or more component groups which represent two or more means for performing a required function.

2.1.19 Redundancy design intent: the redundancy design intention refers to the redundant component groups which constitute the overall system design for a given system operational mode and technical system configuration.

2.1.20 Secondary failure (IEC 191-04-16): a failure of an item, caused either directly or indirectly by a failure or a fault of another item (cascading failure).

2.1.21 Separation design intent: the separation design intention refers to the separated redundant component groups which constitute the overall system design for a given system operational mode and technical system configuration.

2.1.22 Simultaneous independent failures: an ideal feature of redundant systems is that possible failure events occur statistically randomly and independently. This implies that a failure in the A sub-system and another failure in the B sub-system occurring independently within an acceptable time requirement period (simultaneously) is acceptable according to the class requirements in the DP, AP and RP class notations where redundancy is required.

2.1.23 Standby redundancy (IEC 191-15-03): that redundancy wherein a part of the means for performing a required function is intended to operate, while the remaining part(s) of the means are inoperative until needed.

2.1.24 System boundary: a closed imaginary shell around all components assumed within the specified system.
Guidance note: The system boundary can be considered as the End item concept used in IEC 60812.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.25 Systematic failure, reproducible failure (IEC 191-04-19), a failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the design or of the manufacturing process, operational procedures, documentation or other relevant factors.
Guidance note 1: Corrective maintenance without modification will usually not eliminate the failure cause.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2: A systematic failure can be induced at will by simulating the failure cause.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

[Figure 2-3: timeline of a systematic, reproducible failure; the failure event occurs within a bounded time T after the failure cause is present]

Figure 2-3 For a systematic failure, the time from the failure cause being present until the failure event is limited. An example is an electronic component exposed to 1000C, which will for sure fail within 10 minutes.

2.1.26 Technical system configuration: the technical system configuration includes all technical modes (and combinations of the modes) of all systems that may influence the redundancy and failure tolerance of the unit. This will typically include, but is not limited to, control system modes, power plant and thruster configuration, switchboard (AC and DC) configuration and distribution setup, auxiliary systems setup, valves, breakers, pumps, etc.
Guidance note: The technical system configuration(s) are prerequisites for establishing the basis for an FMEA, and must be specified for all relevant configurations. One example could be that a vessel has different technical system configurations for different vessel operational modes; another example could be a vessel with DYNPOS-AUTRO notation that is intended also to have a mode based on the DYNPOS-AUTR acceptance criteria. In that case both modes shall be stated, specified, analysed, and tested in the FMEA.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.27 Time requirement, the minimum required time duration for which the residual remaining capacity as defined by the worst case failure design intent shall be available.

Guidance note: The time requirement will normally be governed by the maximum time necessary to safely terminate the on-going operations after the worst case single failure, given the residual remaining capacity. All relevant operational scenarios which the vessel performs and/or participates in, must be considered when deciding the time requirements. This time requirement must be fulfilled by the design, and the way the vessel is technically configured (technical system configuration) and operated.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.28 Unit: the complete physical system (e.g. vessel) in which the redundant system (e.g. DP system) to be analysed is included.

2.1.29 Vessel operational mode(s): the vessel operational mode specifies the high level system setup and redundancy design intention for a specified set of vessel operations. Examples of vessel operations are position keeping, weather vaning, manoeuvring, dredging and diving.
Guidance note: The FMEA must as a minimum specify one vessel operational mode. In case more than one mode is intended, each mode must be specified. It is understood that "vessel operations" in this context is a common term comprising vessel operations, control system modes and industrial functions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

2.1.30 Worst case failure design intent: the worst case failure design intent shall refer to the minimum remaining capacity after any relevant single failure or common cause (for a given operational mode).

2.1.31 Zone: a confined space with fire and flooding protection.


3. Documentation
3.1 General
3.1.1 The documentation listed in Table 3-1 is required for the approval and test work process related to Failure Mode and Effect Analyses of redundant systems.

Table 3-1 Documentation requirements

Documentation type: Failure mode and effect analysis
Information elements:
1) Introduction to FMEA
   System boundary and redundant component groups
   Acceptance criterion/criteria
2) Summary and conclusions
3) Redundancy Design Intent and operational modes
4) Single Failure propagation analysis
5) Unit FMEA and subsystem FMEA
6) Separation Design Intent and separation verification
7) Compliance statement
8) References

Documentation type: FMEA test procedure
Information elements:
9) Test procedure. Each test or inspection activity shall be described by:
   - test purpose and reference to analysis
   - test setup
   - test method
   - expected results and acceptance criteria
   - observation and results of test
   - space for notes and conclusions

Documentation type: FMEA report
Information elements:
The updated FMEA and the test records shall, together with the findings, conclusions and test summary, be compiled into an FMEA report.


4. Redundancy Design Intention


4.1 General
4.1.1 The objective of the redundancy design intention is to specify the redundancy, i.e. to describe at a high level the distribution of systems and components into redundant groups. High level dependencies and intersections between these groups must be described. The intended normal operation and the operation after relevant single failures (normally one failure at a time) shall also be specified.

4.1.2 Redundant component groups (e.g. A and B) in a unit (U) can either have no intersection, have some common components, or be related by connecting components (e.g. X).

Figure 4-1 The general concept of redundant systems and component groups

Guidance note: Redundancy within the unit boundary level means that there is more than one means for performing a required function. The redundancy design intention by means of component groups shall specify how the redundant parts are intended to be organised, documented and denoted in the FMEA for redundant systems. The redundancy design intention for a redundant component group pair (A-B) shall specify if and how components in groups A and B are connected. There are basically three ways in which redundant systems or component groups can be organised and described:
i) In the first, no component belongs to both A and B.
ii) In the second, some common components belong to both A and B (intersection between A and B), e.g. common passive parts in a cooling water system.
iii) In the third, no component belongs to both the A and B groups, but A and B are connected by components in a common component group X (e.g. main switchboards SWBA and SWBB connected by a bus tie, SWBX).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.2 Redundancy design intention and functional redundancy types


4.2.1 The redundancy design intention is first to be specified for the main set of systems (e.g. thrusters and propellers). The subsystems required for operation of the thrusters, such as machinery, power generation, power supply, and control systems, shall be clarified for all operational modes. The intended normal operation mode(s) before a single failure shall be stated, as well as the intended operation after a single failure.

4.2.2 All redundant functions shall have a stated ability to transfer to the non-failed function. The intended functionality of fail safe functions or switching functions between redundant systems shall be described by means of figures, tables, block diagrams, and a descriptive narrative supporting text. Each operational mode and the switching or fail safe functionality of the redundant systems shall be stated.

4.2.3 The functional redundancy type (e.g. active or passive, including a switchover time limit/restoration time) shall also be stated.
Guidance note: Examples of redundancy types:
- active redundancy
- passive redundancy (standby redundancy, hot or cold standby)
- partly loaded redundancy
- change over redundancy
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.2.4 All redundant groups shall be documented to be able to operate as specified in the redundancy design intention including the functional redundancy type, and according to the stated acceptance criterion/criteria.

Guidance note 1: Example of how to illustrate the redundancy design intention for a ship with one main and one alternative propulsion system, as required by the additional class notation AP-2 (also refer to section A).

Redundancy design intention: Subsystem/component groups P1A, P2B
Normal operation requirement: P1A running, P2B not running
Intended operation after single failure: Possible to engage P2B within 5 minutes
Functional redundancy type/description: Passive redundancy

[Figure 4-2: block diagram of the unit (U) with main propulsion P1A, alternative propulsion P2B and auxiliaries (AUX)]

Figure 4-2 The acceptance criteria shall be related to a specific reference level as indicated above. For class notation AP-2(a%)(+): it shall be possible to engage the alternative propulsion system within a maximum of 5 minutes after failure of the main propulsion system (shall be possible from the bridge).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2: Example with DP system and 4 thrusters

[Figure 4-3: thruster arrangement with group A (T1A, T3A) and group B (T2B, T4B), and a fault tree with top event "Loss of position/heading" = OR(Drift off, Drive off); Drift off = AND(Loss of A positioning, Loss of B positioning) where Loss of A positioning = OR(T1A, T3A) and Loss of B positioning = OR(T2B, T4B); Drive off = OR(A drive off, B drive off)]

Figure 4-3 The arrangement of the redundant thruster groups is indicated in the figure to the left and in the middle above. The "no loss of positioning" requirement is illustrated by a fault tree and divided into the "no drift off" and "no drive off" events. The redundancy design intention in this example may be described in e.g. a narrative way by describing both the normal operation mode and the failed operation mode.

Redundancy design intention:
The normal operation before failure: shall be based on positioning by the (T1A and T3A) thruster group and the (T2B and T4B) thruster group.
In the case of a single failure: the positioning operation shall be based either on the (T1A and T3A) thruster group or the (T2B and T4B) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B.
Redundancy type/description: Active redundancy


The same redundancy design intention may alternatively be described in a logic description/Boolean style:

Redundancy design intention:
  Normal operation before failure: ((T1A AND T3A) AND (T2B AND T4B))
  Operation after single failure: ((T1A AND T3A) OR (T2B AND T4B)) AND (NO DRIVE OFF (T1A AND T3A AND T2B AND T4B))
  Redundancy type/description: Active redundancy. No drift off and no drive off of any thruster.

Please note that the OR (inclusive OR) operator in a Boolean expression, e.g. A OR B, is true if either (A or B) or (A and B) is true. Another way of expressing this is that A OR B means the same as A and/or B.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3: Example with 5 thrusters and two operational modes

[Figure 4-4: vessel with thrusters T1A, T3A, T2B, T4B and T5, and diesel generators DG1A, DG2A, DG3B and DG4B]

Figure 4-4 Example indicating a vessel with 5 thrusters

Narrative description of redundancy design intention for 5 thrusters, operational mode 1

Redundancy design intention:
  Normal operation before failure: positioning shall be based on the (T1A and T3A) thruster group and the (T2B, T4B and T5) thruster group.
  In the case of a single failure: the positioning operation shall be based either on the (T1A and T3A) thruster group or the (T2B and T4B and T5) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B, T5.
  Redundancy type/description: Active redundancy.

Narrative description of redundancy design intention for 5 thrusters, operational mode 2

Redundancy design intention:
  Normal operation before failure: positioning shall be based on the (T1A and T3A and T5) thruster group and the (T2B and T4B) thruster group.
  In the case of a single failure: the positioning operation shall be based either on the (T1A and T3A and T5) thruster group or the (T2B and T4B) thruster group. A single failure shall not give loss of positioning by a drive off by any thruster T1A, T3A, T2B, T4B, T5.
  Redundancy type/description: Active redundancy.

The above redundancy design intentions for 5 thrusters, operational modes 1 and 2, can as an alternative be expressed in a more logic or Boolean style as indicated below:

Operational mode 1
Redundancy design intention:
  Normal operation before failure: (T1A AND T3A) AND (T2B AND T4B AND T5)
  Operation after single failure: (T1A AND T3A) OR (T2B AND T4B AND T5)
  Redundancy type/description: Active redundancy. No drift off and no drive off of any thruster.

Operational mode 2
Redundancy design intention:
  Normal operation before failure: (T1A AND T3A AND T5) AND (T2B AND T4B)
  Operation after single failure: (T1A AND T3A AND T5) OR (T2B AND T4B)
  Redundancy type/description: Active redundancy. No drift off and no drive off of any thruster.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 4: Example with a rig with 8 thrusters, 2 in each corner of the rig, two pontoons.

[Figure 4-5: rig with thrusters T1A, T2A (one corner), T3B, T4B (second corner), T5C, T6C (third corner) and T7D, T8D (fourth corner)]

Figure 4-5 Example indicating a rig with 8 thrusters, 2 in each corner of the rig, two pontoons. The redundancy design intention may be expressed in a short narrative manner as indicated below:

The redundancy design intention:
  Normal operation without failure: at least one thruster should be operating in all 4 corners of the rig. Redundancy type: Active redundancy.
  In the situation where a single failure has occurred: only the thrusters in one corner of the rig shall be allowed to stop. A bumpless transfer to the failed state is required. Redundancy type: Active redundancy, continuous operation, bumpless transfer.

Alternatively the redundancy design intention may be expressed in a more logic or Boolean style:

The redundancy design intention:
  Normal operation without failure: ((T1A OR T2A) AND (T3B OR T4B) AND (T5C OR T6C) AND (T7D OR T8D)). Redundancy type: Active redundancy.
  Operation after single failure: ((T1A OR T2A) AND (T3B OR T4B) AND (T5C OR T6C)) OR ((T1A OR T2A) AND (T3B OR T4B) AND (T7D OR T8D)) OR ((T1A OR T2A) AND (T5C OR T6C) AND (T7D OR T8D)) OR ((T3B OR T4B) AND (T5C OR T6C) AND (T7D OR T8D)). Redundancy type: Active redundancy, continuous operation, bumpless transfer.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

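The Boolean "operation after single failure" expressions in Guidance notes 2 to 4 can be checked mechanically: transcribe each expression as a predicate over the set of thrusters still operating, then enumerate every single failure and see whether the expression stays true. The script below is an added example and not part of DNV-RP-D102; the thruster lists are read off the figures above, the two failure modes assumed for each thruster ("stop" and "drive off") follow the no-drive-off clause of the page, and the helper names are the example's own. It also goes beyond the single failure the page requires and reports which combinations of two or more simultaneous stops would violate the expression, which shows where the redundancy margin ends.

```python
from itertools import combinations

# Constructed thruster lists, read off the figures in Guidance notes 2 to 4.
THRUSTERS_4 = frozenset({"T1A", "T3A", "T2B", "T4B"})
THRUSTERS_5 = THRUSTERS_4 | {"T5"}
RIG_CORNERS = {  # Guidance note 4: two thrusters in each corner of the rig
    "A": frozenset({"T1A", "T2A"}), "B": frozenset({"T3B", "T4B"}),
    "C": frozenset({"T5C", "T6C"}), "D": frozenset({"T7D", "T8D"}),
}
RIG_THRUSTERS = frozenset().union(*RIG_CORNERS.values())


def dp4_after_failure(up, drive_off=frozenset()):
    """Guidance note 2, operation after single failure:
    ((T1A AND T3A) OR (T2B AND T4B)) AND no drive off of any thruster."""
    return ({"T1A", "T3A"} <= up or {"T2B", "T4B"} <= up) and not drive_off


def dp5_mode1_after_failure(up, drive_off=frozenset()):
    """Guidance note 3, operational mode 1: (T1A AND T3A) OR (T2B AND T4B AND T5)."""
    return ({"T1A", "T3A"} <= up or {"T2B", "T4B", "T5"} <= up) and not drive_off


def dp5_mode2_after_failure(up, drive_off=frozenset()):
    """Guidance note 3, operational mode 2: (T1A AND T3A AND T5) OR (T2B AND T4B)."""
    return ({"T1A", "T3A", "T5"} <= up or {"T2B", "T4B"} <= up) and not drive_off


def rig_after_failure(up, drive_off=frozenset()):
    """Guidance note 4: at least one thruster running in at least three of the
    four corners (the OR of the four three-corner terms on the page). The rig
    expression on the page has no drive-off clause, so drive_off is not examined."""
    return sum(1 for corner in RIG_CORNERS.values() if corner & up) >= 3


def violating_single_failures(components, after_failure):
    """Each thruster is assumed to have two failure modes at its boundary:
    'stop' (thruster lost) and 'drive off' (thruster lost and producing
    uncommanded thrust). Returns the (thruster, mode) pairs whose single
    failure makes the 'operation after single failure' expression false."""
    violations = []
    for t in sorted(components):
        remaining = set(components) - {t}
        if not after_failure(remaining):
            violations.append((t, "stop"))
        if not after_failure(remaining, drive_off=frozenset({t})):
            violations.append((t, "drive off"))
    return violations


def violating_multiple_stops(components, after_failure, n):
    """Combinations of n simultaneous thruster stops that violate the
    expression. The design intention only has to survive one failure
    (see 5.2.1); n >= 2 shows where the margin ends."""
    comps = sorted(components)
    return [set(c) for c in combinations(comps, n)
            if not after_failure(set(comps) - set(c))]


if __name__ == "__main__":
    cases = [("DP, 4 thrusters", THRUSTERS_4, dp4_after_failure),
             ("DP, 5 thrusters, mode 1", THRUSTERS_5, dp5_mode1_after_failure),
             ("DP, 5 thrusters, mode 2", THRUSTERS_5, dp5_mode2_after_failure),
             ("Rig, 8 thrusters", RIG_THRUSTERS, rig_after_failure)]
    for name, comps, pred in cases:
        print(name, "single-failure violations:", violating_single_failures(comps, pred))
        print(name, "double-stop violations:", violating_multiple_stops(comps, pred, 2))
```

For the DP cases no single stop violates the expression, but every single drive off does, which is exactly why the narrative form states the no-drive-off requirement separately: it is not satisfied by the thruster grouping alone and needs a barrier or compensating measure (Sec.5.3) in the analysis. For the rig, two simultaneous stops never violate the three-of-four-corners expression; the first violating combinations appear at four stops (both thrusters in two corners).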
4.3 Specification of subsystem or component groups


4.3.1 A component group or a subsystem is a set of specified components within a specified group boundary. All component groups shall be denoted by unique identifiers indicating the component group type, the type of equipment, and function(s) within the group.

4.3.2 All redundant systems shall be specified by means of a set of component groups. The design intention shall clearly state all redundant component groups where functional system redundancy is the means to achieve the required acceptance criterion/criteria.
Guidance note: The redundancy design intention can be expressed at a high level by redundant groups presented in diagrams or tables (e.g. by denominating the groups with names as specific groups, e.g. diesel generator starboard side DG3, diesel generator port side DG1). It may be convenient to include several components in a component group in order to keep the number of redundant component groups at a lower level. Example: Redundant component group DG1 consists of:
- diesel motor (specific tag number)
- generator (specific tag number)
- generator breaker
- etc.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.3.3 Components which connect redundant component groups, or which are common to redundant component groups, shall be specified as common component groups, or as groups required (depended on) for operation of the redundant groups.

Figure 4-6 The general concept of redundant systems and component groups

Guidance note:
- Connections between redundant groups shall be identified and be represented as cross component groups (e.g. denominated as X groups) or common components.
- The intention with the X groups is to represent the components or installations that may provide any means of propagating failure effects from a redundant group to the corresponding redundant group (Example: The main switchboard on the A side is denominated as SWBA and the B side is denominated as SWBB. A bus tie between the two switchboard sides could be denoted as SWBX).
- Fuel line crossovers, connected cooling water and common software modules are examples of common component groups and could be denoted as X group components.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

4.3.4 All redundant and common component groups shall be presented in a structured manner by means of block or component group diagrams, logic descriptions, tables or drawings covering the high level description of the redundant systems.

4.4 Specification and analyses of dependencies


4.4.1 All subsystem or component dependencies shall be identified and documented in a structured manner by means of tables, logic descriptions, drawings, or diagrams. This system mapping shall be performed both for dependencies within the redundancy groups and between the redundancy groups.
Guidance note 1: All system dependencies shall be identified in tables, or by equivalent means, showing which main equipment such as engines, generators, thrusters, electrical power switchboards etc. are grouped together to form self-contained systems, each of which is capable of maintaining a residual position keeping capability in a worst case single failure incident. This identification process shall involve all equipment dependencies belonging to each redundant component group. The redundancy may be documented aided by a tag numbering system where one redundant part system is clearly distinguishable from the other redundant part.
[Figure 4-7: System group A with thrusters T1 and T3 and diesel generators DG1, 2, dependent on lube oil, fuel oil, freshwater, ...; System group B with thrusters T2 and T4 and diesel generators DG3, 4, dependent on lube oil, fuel oil, freshwater, ...]

Figure 4-7 Illustration of DP thrusters and DP thruster system dependencies in a diagram

The intention with this system dependency mapping is to identify all interconnections between redundant part systems, hardware- or software-wise, and prepare for analysis with regard to potential failure propagation within and across the redundant system boundaries.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 2: Example related to class notation alternative propulsion (AP-2)

[Figure 4-8: propulsion arrangement with main propulsion P1A, alternative propulsion P2B and auxiliaries AUX within the unit U]

Figure 4-8 Illustration of propulsion system for redundant notation AP-2

Redundancy design intention:
  Subsystem/component groups: P1A, P2B
  Normal operation requirement: P1A running, P2B not running
  Intended operation after single failure: Possible to engage P2B within 5 minutes
  Functional redundancy type/description: Passive redundancy

Dependency statements:
  Normal operation mode dependency: P1A dependent on {MV1A, GenSet1, MSB1, Prime mover1, Propulsor1, AUX}
  Failed operation mode dependency: P2B dependent on {MV2B, GenSet2, MSB2, Prime mover2, Propulsor2, AUX}
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3: Example with 4 thrusters and 4 diesel generators for a DP-2 notation

[Figure 4-9: diesel generators DG1A and DG2A on main switchboard SWBA, DG3B and DG4B on main switchboard SWBB; thrusters T1A and T3A fed from SWBA, T2B and T4B fed from SWBB]

Figure 4-9 Example of vessel system with 4 thrusters and 4 diesel generators for a DP-2 notation.

Redundancy design intention overview by redundant and common component groups:
  Redundant A groups: Thrusters A: T1A AND T3A. Thrusters A dependent on: Diesel generators A: DG1A OR DG2A; Main switchboard A: SWBA
  Common groups (X groups): Main bus tie switchboard: SWBX
  Redundant B groups: Thrusters B: T2B AND T4B. Thrusters B dependent on: Diesel generators B: DG3B OR DG4B; Main switchboard B: SWBB

Redundancy design intention:
  Component groups/subsystems, normal operation: (T1A AND T3A) AND (T2B AND T4B)
  Operation after failure: (T1A AND T3A) OR (T2B AND T4B)
  Redundancy type: Active redundancy

Redundancy design intention overview by redundant and common component groups (main bus tie SWBX open):
  Redundant A groups: (T1A AND T3A), dependent on (DG1A OR DG2A), SWBA
  Common groups (X groups): (no common X group in this mode)
  Redundant B groups: (T2B AND T4B), dependent on (DG3B OR DG4B), SWBB

Please note that in the operational mode above the main bus tie (SWBX) is assumed to be open, so the A and B groups are not dependent on SWBX. (In case the failure mode spurious closing of the main bus tie is to be considered, then SWBX should be included in the common X group.) In the operational mode where SWBX is closed (table below), both thruster groups A and B are dependent on SWBX.

Redundancy design intention overview by redundant and common component groups (main bus tie SWBX closed):
  Redundant A groups: (T1A AND T3A), dependent on (DG1A OR DG2A), SWBA
  Common groups (X groups): SWBX
  Redundant B groups: (T2B AND T4B), dependent on (DG3B OR DG4B), SWBB
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 4: Example with 5 thrusters and 5 diesel generators and DP-2 notation

[Figure 4-10: diesel generators DG 1A, DG 2A, DG 3B, DG 4B and DG 5 (each with generator G) on main switchboards SWBA, SWBX and SWBB; thrusters T1A, T3A, T2B, T4B and T5 (each with motor M); 50% and 100% indicate the supply split of the thruster feeders]

Figure 4-10 Example of vessel system with 5 thrusters and 5 diesel generators for a DP-2 notation


Two operational modes are defined for the above system with 5 thrusters. The difference between these two modes is that the DG5 generator is either supporting the B group thrusters (mode 1) or the A group thrusters (mode 2).

Redundancy design intention, operational mode 1:
  Component groups/subsystems, normal operation: (T1A AND T3A AND T5) AND (T2B AND T4B AND T5)
  Operation after failure: (T1A AND T3A AND T5) OR (T2B AND T4B AND T5)
  Redundancy type: Active redundancy

Dependency statements for operational mode 1 (redundancy design intention overview by redundant and common component groups):
  Redundant A groups: (T1A AND T3A AND T5), dependent on (DG1A OR DG2A)
  Common groups (X groups): (none stated)
  Redundant B groups: (T2B AND T4B AND T5), dependent on (DG3B OR DG4B OR DG5)

Redundancy design intention, operational mode 2:
  Component groups/subsystems, normal operation: (T1A AND T3A AND T5) AND (T2B AND T4B AND T5)
  Operation after failure: (T1A AND T3A AND T5) OR (T2B AND T4B AND T5)
  Redundancy type: Active redundancy

Dependency statements for operational mode 2 (redundancy design intention overview by redundant and common component groups):
  Redundant A groups: (T1A AND T3A AND T5), dependent on (DG1A OR DG2A OR DG5)
  Common groups (X groups): (none stated)
  Redundant B groups: (T2B AND T4B AND T5), dependent on (DG3B OR DG4B)

Please note the different dependency statements between operational modes 1 and 2. Thruster group A may be independent of DG5 in operational mode 1 and thruster group B may be independent of DG5 in operational mode 2.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
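The dependency statements of Guidance notes 3 and 4 above can be evaluated the same way as the thruster expressions: a redundant group is available only when all its thrusters are up and every "dependent on" clause still has at least one member up, and the design intention after a single failure holds when at least one group is available. The script below is an added example, not DNV's own code or tooling. It encodes Guidance note 3 with the bus tie open and closed, and Guidance note 4 in both operational modes; for Guidance note 4 it assumes, following the thruster groups of Sec.4.2 Guidance note 3, that T5 belongs to the group that DG5 supports, and the group and helper names are the example's own.

```python
# Constructed dependency model (added example, not from DNV-RP-D102). Each
# redundant group lists its thrusters and its dependencies as OR-clauses:
# the group is available only if every thruster is up and at least one
# member of every clause is up, i.e. the "(DG1A OR DG2A)" style of the page.

def make_group(name, thrusters, depends_on):
    return {"name": name, "thrusters": frozenset(thrusters),
            "depends_on": [frozenset(clause) for clause in depends_on]}


def vessel_4t_4dg(bus_tie_closed):
    """Guidance note 3: 4 thrusters, 4 diesel generators, two main switchboards.
    With the bus tie SWBX closed both groups depend on it (common X group);
    with SWBX open neither group does."""
    common = [{"SWBX"}] if bus_tie_closed else []
    return [
        make_group("A", {"T1A", "T3A"}, [{"DG1A", "DG2A"}, {"SWBA"}] + common),
        make_group("B", {"T2B", "T4B"}, [{"DG3B", "DG4B"}, {"SWBB"}] + common),
    ]


def vessel_5t_5dg(mode):
    """Guidance note 4: DG5 supports the B group (mode 1) or the A group (mode 2).
    Assumption of this example: T5 sits in the group that DG5 supports, as in
    the thruster groups of Sec.4.2 Guidance note 3."""
    if mode == 1:
        return [make_group("A", {"T1A", "T3A"}, [{"DG1A", "DG2A"}, {"SWBA"}]),
                make_group("B", {"T2B", "T4B", "T5"}, [{"DG3B", "DG4B", "DG5"}, {"SWBB"}])]
    return [make_group("A", {"T1A", "T3A", "T5"}, [{"DG1A", "DG2A", "DG5"}, {"SWBA"}]),
            make_group("B", {"T2B", "T4B"}, [{"DG3B", "DG4B"}, {"SWBB"}])]


def all_components(groups):
    """Every thruster, generator and switchboard named in the dependency table."""
    comps = set()
    for g in groups:
        comps |= g["thrusters"]
        for clause in g["depends_on"]:
            comps |= clause
    return frozenset(comps)


def group_available(group, up):
    return group["thrusters"] <= up and all(clause & up for clause in group["depends_on"])


def intention_holds(groups, up):
    """Operation after single failure: (group A available) OR (group B available)."""
    return any(group_available(g, up) for g in groups)


def single_failures_violating_intention(groups):
    """Components whose single failure (removal) leaves no group available."""
    comps = all_components(groups)
    return sorted(c for c in comps if not intention_holds(groups, comps - {c}))


def groups_depending_on(groups, component):
    """Which redundant groups a component belongs to or is depended on by."""
    return sorted(g["name"] for g in groups
                  if component in g["thrusters"]
                  or any(component in clause for clause in g["depends_on"]))


if __name__ == "__main__":
    for label, groups in [("bus tie open", vessel_4t_4dg(False)),
                          ("bus tie closed", vessel_4t_4dg(True)),
                          ("5 thrusters, mode 1", vessel_5t_5dg(1)),
                          ("5 thrusters, mode 2", vessel_5t_5dg(2))]:
        print(label, "violating single failures:",
              single_failures_violating_intention(groups))
    print("DG5 supports, mode 1:", groups_depending_on(vessel_5t_5dg(1), "DG5"))
    print("DG5 supports, mode 2:", groups_depending_on(vessel_5t_5dg(2), "DG5"))
```

With the bus tie open no single component failure violates the intention; with it closed, SWBX is the only component whose failure does, which is the reason the page moves SWBX into the common X group for that mode and why the closed-tie mode needs a barrier (bus tie protection) to be credited in the FMEA. The check has to be repeated per operational mode, since the DG5 dependency changes side between mode 1 and mode 2.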


Guidance note 5: Example of system mapping of redundant DP control system:

[Figure 4-11: redundant DP control system A and B with the control system boundary indicated]

Figure 4-11 Example of redundant DP control system

Redundancy design intention overview by redundant and common component groups:

Redundant A groups:
- Thruster System A: T1, T3
- Dependent on:
  - Power System A: Diesel generators A; DG1, DG2. Main switchboard A; SWB A
  - Operator Station A: DPP A, DPD A, TRB A, OSC A
  - DP LAN A: DPSW A, Net A1, A2 and A3
  - DP Controller A: DPC A, Bus A
  - IO System A: IO A1, IO A2, Serial A1, A2, HW A1, A2
  - Sensor System A: Gyro 1, Gyro 3, VRU 1, VRU 3, Wind 1, Wind 3
  - Posref System A: DGPS 1, Laser
  - Power Distr A: UPS A, Power A1, A2, A3, A4

Common/connecting groups (X groups):
- SWB X
- Net X1, X2, X3 and X4

Redundant B groups:
- Thruster System B: T2, T4
- Dependent on:
  - Power System B: Diesel generators B; DG3, DG4. Main switchboard B; SWB B
  - Operator Station B: DPP B, DPD B, TRB B, OSC B
  - DP LAN B: DPSW B, Net B1, B2
  - DP Controller B: DPC B, Bus B
  - IO System B: IO B1, IO B2, Serial B1, HW B1, B2
  - Sensor System B: Gyro 2, VRU 2, Wind 2
  - Posref System B: DGPS 2
  - Power Distr B: UPS B, Power B1, B2, B3

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


5. Single Failure Propagation in Redundant Systems


5.1 General
5.1.1 The objective of section E is to prepare for an understanding of the underlying complex nature of possible failure propagation in redundant systems. This is illustrated by some examples given in the guidance note below. The intention is to clarify the underlying analytic reasoning that must form the basis for the failure mode analysis and to give examples of interpretations and use of terminology (e.g. primary-secondary failure, common component, common cause).
Guidance note: The simplified abstraction (UAXB model) gives the basic examples of failure propagation, but the model should not be understood to be exhaustive. In general, the basis for an FMEA is that all relevant failure modes shall be considered and that it will not be acceptable to only consider benign failure modes. However, please note that in a practical industrial context of FMEA, it may not be possible to include all failure modes and failure mechanisms in the written identification of failures and common causes. In the case that the list of identified failure modes and common causes is non-exhaustive, a justification of the limited analysis shall be given. Under no circumstances should the analysis be limited to a scope less than the required or otherwise applicable standards (e.g. IMCA and MTS standards). It must be emphasised that the establishment of a standard set of failure modes for specific systems cannot relieve or replace the requirement for an open minded and analytic approach to the identification of failure modes and common causes. The purpose of this approach is to ensure that the relevant set of failure modes will be considered for the given system (in relation to the UAXB topology, operation, environment and other factors), and to ensure a well managed test and verification scope.

The main issue with regard to failures in redundant systems is to clarify that no single failure or single failure cause may affect the redundant systems as defined in the redundancy design intention. There are basically three effects that may lead to non-acceptable simultaneous failures of redundant systems:
1) Failure in a component group or subsystem which both redundant systems are dependent on, or in components common to both systems, so that a failure will affect both redundant systems (e.g. common cooling system).
2) Common cause failure affecting both redundant systems (e.g. fire, flooding, external EMC, GPS satellites, extreme movements of the vessel).
3) Primary failure in one of the redundant systems propagating to the other redundant system (e.g. short circuit).
Below are illustrated some examples of the above propagation effects:

Figure 5-1 Common component X causing failures in A and B

Figure 5-2 Common cause failure, resulting from a single event related to U, i.e. either as an external common cause (ECC) or an internal common cause (ICC). (E.g. fire and flooding, gas into air intakes, environment, vibration, high seas affecting contamination in fuel tanks, shocks, humidity, EMC.)

Figure 5-3 Primary failure in subsystem A propagating to a secondary failure in subsystem B (e.g. ignition, fire, heat, vibration, network storm in A propagating to B)

The above examples are of course not exhaustive and should not limit the scope of failure mode identification in the FMEA. The above principles may be combined in numerous ways and two typical combinations are given in Figure 5-4.

Figure 5-4 Primary failure in X propagating to A and B and then leading to secondary failures in A and B. The failure propagation from X may also be described as a common cause for the failures in A and B (left figure). In the right figure common causes lead directly to failures in A, X, and B.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.2 Failures, common causes, and systematic failure propagation


5.2.1 Any relevant single random failure or common cause which may propagate within the time requirement and violate the stated acceptance criterion shall be considered, and the effect of these shall be analysed. However, the unlikely event of two independent random failures or common causes occurring within the defined time requirement is normally not considered.

5.2.2 The objective of the single failure analysis is furthermore to identify possible dependent systematic failure propagation, e.g. for the given class notation like DP, AP, or RP.
Guidance note: The unacceptable failure situations for redundant systems are related to failure propagation between two or more redundant groups, when the failure propagation is occurring in a systematic manner within the time requirements. The most critical situations are related to systematic failure propagation in the following cases:
- systematic failure propagation between dependent systems or failure of common components
- systematic failure due to common cause propagation
- systematic failure propagation due to primary secondary failure propagation.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.2.3 The overall requirement is that the redundant systems shall not fail so that the acceptance criteria and the redundancy design intent are violated within the defined time requirement. These considerations shall cover all relevant system operational modes and other relevant conditions (e.g. environmental).

5.2.4 For a given system, the selection of scope of relevant failures, common causes, and time requirements shall be given by the applicable requirements, e.g. classification rules.
Guidance note: In addition to software and hardware failures, the following should be considered:
- any combination of hidden failures
- possible effects of inadvertent acts of operation, if reasonably probable.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.3 Barriers and other compensating measures


5.3.1 The FMEA shall describe and analyse barriers and other compensating measures established for:
- prevention of failure propagation,
- limitation of possible consequence of failures, or
- improvement of remaining capacity after failure.
This also includes compensating measures like failure detection, protective functions, stand-by start, re-start, change-over, etc.

5.3.2 When the system integrity is assumed to be based on two or more barriers, any possible dependencies between such barriers must be analysed. The analysis must verify that the barriers are sufficiently independent so that the acceptance criteria are complied with.


Guidance note 1: Requirements to barriers (e.g. protective functions, physical separation, etc.) or compensating measures may typically be guided e.g. by classification rules.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2: The red (bold) lines in the figures below indicate where (how) barriers to prevent systematic failure propagation for common component failures, common cause failures, and primary/secondary failures can be visualised.

Figure 5-5 Barriers indicated by red bold lines to prevent internal common causes (ICC) or external common causes (ECC)

Figure 5-6 Barriers indicated by red bold lines to prevent primary failures from propagating to secondary failures
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
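The three propagation effects of 5.1 (common component, common cause, primary/secondary) and the barriers of 5.3 can be put into one small model: a directed graph in which an edge means "a failure present at the source propagates to the target", a barrier is a set of edges it cuts, and a single initiating event violates the redundancy design intention when the failures reachable from it include both redundant groups. The following is an added example, not from DNV-RP-D102; the UAXB nodes, edges, mechanisms and barrier names are constructed for illustration and do not describe any particular vessel.

```python
from collections import deque

# Constructed UAXB propagation model (added example, not from DNV-RP-D102).
# Edge (source, target, mechanism): a failure present at source propagates
# to target unless an active barrier cuts that edge.
EDGES = [
    # primary/secondary propagation through the switchboards (Figure 5-3 style)
    ("SWBA", "SWBX", "short circuit fed through closed bus tie"),
    ("SWBX", "SWBB", "short circuit fed through closed bus tie"),
    ("SWBB", "SWBX", "short circuit fed through closed bus tie"),
    ("SWBX", "SWBA", "short circuit fed through closed bus tie"),
    # dependency: loss of a switchboard takes its thruster group down
    ("SWBA", "Thrusters A", "loss of supply"),
    ("SWBB", "Thrusters B", "loss of supply"),
    # common component X shared by both sides (Figure 5-1 style)
    ("Common cooling water", "Thrusters A", "overheating"),
    ("Common cooling water", "Thrusters B", "overheating"),
    # external common cause (Figure 5-2 style)
    ("Engine room fire (ECC)", "SWBA", "fire/heat"),
    ("Engine room fire (ECC)", "SWBB", "fire/heat"),
]

# Barriers (5.3): each barrier removes the propagation edges it cuts.
BARRIERS = {
    "bus tie protection opens SWBX": {("SWBA", "SWBX"), ("SWBB", "SWBX"),
                                      ("SWBX", "SWBA"), ("SWBX", "SWBB")},
    "physical separation of engine rooms": {("Engine room fire (ECC)", "SWBB")},
}

# The two redundant groups of the design intention: A OR B must survive.
REDUNDANT_GROUPS = frozenset({"Thrusters A", "Thrusters B"})


def failed_set(initiating, active_barriers=(), edges=EDGES):
    """Breadth-first propagation from one initiating failure, skipping edges
    cut by the active barriers. Returns every node that ends up failed."""
    cut = set()
    for name in active_barriers:
        cut |= BARRIERS[name]
    failed = {initiating}
    queue = deque([initiating])
    while queue:
        node = queue.popleft()
        for src, dst, _mechanism in edges:
            if src == node and (src, dst) not in cut and dst not in failed:
                failed.add(dst)
                queue.append(dst)
    return failed


def violates_intention(initiating, active_barriers=(), edges=EDGES):
    """True when one initiating failure reaches both redundant groups."""
    return REDUNDANT_GROUPS <= failed_set(initiating, active_barriers, edges)


def single_failure_review(active_barriers=(), edges=EDGES):
    """Every node in the model is taken in turn as the single initiating
    failure or common cause; returns those that violate the intention."""
    nodes = sorted({n for src, dst, _ in edges for n in (src, dst)})
    return sorted(n for n in nodes if violates_intention(n, active_barriers, edges))


if __name__ == "__main__":
    print("no barriers credited:", single_failure_review())
    print("bus tie protection only:",
          single_failure_review(["bus tie protection opens SWBX"]))
    print("all barriers credited:", single_failure_review(list(BARRIERS)))
```

Running the review without barriers lists the switchboards, the bus tie, the fire and the common cooling as violating initiators; crediting the bus tie protection removes the primary/secondary path, crediting the separation removes the common cause, and the common cooling water remains because no barrier in the model cuts its edges, which is exactly the "common component X" case of Figure 5-1. The model treats each barrier as independent of the initiating failure; 5.3.2 requires that independence to be analysed rather than assumed.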

5.4 Failure propagation analysis at subsystem level


5.4.1 All component groups or subsystems (A, B) within a unit (U) shall be subject to single failure propagation analysis.

5.4.2 In addition all common causes affecting two or more system groups have to be identified.

5.4.3 In all cases the failure mode effects must be evaluated in relation to the acceptance criterion and within the given time requirement.
Guidance note 1: The basis for the failure propagation analysis is typically:
- the unit FMEA consisting of a specified unit with a given unit boundary
- a set of redundant subsystems/component groups
- redundancy design intentions for the stated operational modes and time requirement
- dependency statements of subsystems and, if possible, allocated requirements to the subsystems giving functional and redundancy requirements to the subsystems assuming a single failure
- any available specific subsystem FMEAs from the manufacturers (e.g. thruster controller systems, DP control systems, power management systems, and the mode selector/change system).
The single failure propagation analysis should be organised by handling the subsystems in sequence.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 2: A failure mode is the effect by which a failure is observed on the failed item (subsystem boundary).

Figure 5-7 Primary failure in subsystem A propagating to a secondary failure in subsystem B, e.g. fire, vibration, network storm in A propagating to B.

Note that the failure mode description is related to the failure effect at the subsystem boundary. Descriptions of the initial causes or internal component failures within the boundary are not necessary in order to describe failure modes (e.g. lubrication pump failure, engine shutdown, engine to full power, loss of power to auxiliaries for governor, generator under-excitation, generator over-excitation). However, examples of initial failures (e.g. fuel starvation, pipe rupture, clogged filter) for a given failure mode (e.g. under frequency of generator) should support the analysis in order to justify the relevance of the failure mode. Failures within A have to be identified to such an extent that all failure modes at the A system boundary will be identified. Please observe that failures which have no effect at the subsystem boundary need not be elaborated in the failure mode propagation analysis. On the other hand, all failures giving the same failure effect at the system boundary can be considered as one failure mode in the failure mode propagation analysis.

[Figure 5-8: redundant GPS A and GPS B within the unit U, both affected by an external common cause (ECC)]

Figure 5-8 Common cause failure, resulting from a single event related to U, i.e. either as an external common cause (ECC) or an internal common cause (ICC). (E.g. GPS satellite signals to redundant GPS systems, fire and flooding, gas into air intakes, environment, vibration, high seas affecting contamination in fuel tanks, ship heeling, shocks, humidity, EMC.)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.4.4 The single failure propagation analysis shall:
- investigate possible failure modes for the subsystem and then the possible failure propagation paths from the subsystem to other subsystems, and
- investigate possible failure modes for the common connecting groups and then the possible failure propagation paths from the common connecting groups to the connected subsystems, and
- investigate possible common causes which can influence more than one subsystem directly or indirectly by influencing one subsystem or common connecting group.
Based on the above types of investigation, it shall be documented at the unit level which failure modes may violate the redundancy design intent and acceptance criteria within the stated time requirement.


Figure 5-9 illustrates the main principles for failure mode propagation in a redundancy design intention table:

[Figure 5-9: the redundancy design intention table by redundant and common component groups of Figure 4-11 (Redundant A groups: Thruster System A T1, T3, dependent on Power System A (Diesel generators A; DG1, DG2; Main switchboard A; SWB A), Operator Station A (DPP A, DPD A, TRB A, OSC A), DP LAN A (DPSW A, Net A1, A2 and A3), DP Controller A (DPC A, Bus A), IO System A (IO A1, IO A2, Serial A1, A2, HW A1, A2), Sensor System A (Gyro 1, Gyro 3, VRU 1, VRU 3, Wind 1, Wind 3), Posref System A (DGPS 1, Laser), Power Distr A (UPS A, Power A1, A2, A3, A4); Common/connecting groups (X groups): SWB X, Net X1, X2, X3 and X4; Redundant B groups: Thruster System B T2, T4, dependent on Power System B (Diesel generators B; DG3, DG4; Main switchboard B; SWB B), Operator Station B (DPP B, DPD B, TRB B, OSC B), DP LAN B (DPSW B, Net B1, B2), DP Controller B (DPC B, Bus B), IO System B (IO B1, IO B2, Serial B1, HW B1, B2), Sensor System B (Gyro 2, VRU 2, Wind 2), Posref System B (DGPS 2), Power Distr B (UPS B, Power B1, B2, B3)), with a "Common cause" outside the groups and arrows marked as in the legend below]

Legend (arrows in the figure):
- Failure originating in A group, propagating to B via connecting X-group
- Failure originating in connecting X-group propagating to A and B group
- External common cause, affecting A and/or B and/or common connecting X-group

Figure 5-9 Failure modes may propagate from subsystems to other subsystems or from common causes outside the component groups. The overall task is to identify possible failure modes which may affect the overall redundancy design intention within the time requirements.

5.4.5 All relevant failure modes for each subsystem shall be identified. As a result of the failure investigation, the following information elements shall be documented in an organised manner, e.g. by means of a worksheet. As a minimum the following information elements shall be provided:
- each component group and subsystem assumed to have a single failure
- identify potential failure modes at each component and possible common causes
- initial failure or common cause as justification for including the failure mode
- identify failure detection methods
- effect on other subsystems
- barriers or compensating measures for the failure mode
- end effect at unit level
- reference to inspection, testing, and verification necessary to prove and support the conclusions.


Guidance note:
Example of worksheet table

| Subsystem failed | Failure mode (local effect at subsystem boundary) | Initial failure/common cause | Failure detection methods | Effect on other sub-systems | Compensating measure / Barrier | End effect at unit (U) | Reference to test or verification |
| DG1 | DG1 stop | Mechanical breakdown | Alarm | Higher load DG2 | DG1 generator breaker opens | DG3 or DG4 running normally; T1, T2, T3 and T4 positioning | Ref test #1: Stop DG1 and check alarm and effect |
| DG1 | Low frequency | Fuel starvation | Alarm, disconnect | Higher load DG2 | Bus tie opens SWBX | | Ref test #2 |
| DG1 | High bus voltage | AVR failure | Alarm, disconnect | Higher load DG2 | Bus tie opens SWBX | | Ref test #3 |
| DG1 | Load sharing failure, active power | | | | | | |

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

5.4.6 The failure propagation analysis for each subsystem shall conclude on the following questions:
- Can any single failure mode in the subsystem propagate so that it violates the unit acceptance criterion?
- Can the conclusions be verified by testing? Refer to the specific test in a test program.
- If it is not possible to test, is there a need for further verification of functionality or compensating measures?
- Is there a need for further failure analysis inside the subsystem boundary (e.g. for FMEA of thrusters, DP control systems, mode selector, PMS)? Refer to the subsystem FMEA for single and redundant subsystems.

5.4.7 In general, conclusions in the theoretical analysis shall be verified by testing. If testing is considered not possible or not necessary, such statements shall be justified in the FMEA with sufficient conclusions (evidence, proof).

5.4.8 The results of the FMEA of all subsystems shall be compiled and form the result of the unit FMEA. The unit FMEA shall cover the entire unit with all its relevant systems and components. The unit FMEA shall relate to the overall acceptance criteria including time requirements and shall provide conclusive evidence of compliance with the criteria.


6. Unit and Subsystem FMEA


6.1 Requirements to the unit FMEA including subsystem FMEA
6.1.1 The unit FMEA shall cover the entire unit with all its relevant systems and components. When parts of the unit FMEA are based on subsystem FMEAs (e.g. delivered by subsystem manufacturers), the requirements in G and H apply.

6.1.2 The unit FMEA shall as a minimum include:
- reference to the subsystem FMEA document and a short description of the subsystem
- clarification of subsystem boundaries
- interfaces and dependencies to the subsystem shall be clarified
- the allocated requirements to the subsystem including the subsystem design intention (see below)
- an evaluation of the subsystem FMEA to ensure that it is fit for purpose, e.g. that all relevant operational modes and failure modes are considered
- the subsystem design intention shall be compared with the overall unit design intention in order to verify that the intentions are consistent.
Guidance note:

[Figure 6-1: left, a unit with unit boundary and acceptance criterion containing a redundant sub-system C (A and B sides, IO A and IO B) with its own subsystem C boundary and acceptance criterion; right, a unit with unit boundary and acceptance criterion containing a single sub-system C with IO, MA and MB and its own subsystem C boundary and acceptance criterion]

Figure 6-1 In the left figure above an FMEA of redundant subsystem C (e.g. redundant control system) is illustrated. In the right figure above, an FMEA of a single system C (e.g. thruster) is illustrated. In both cases the acceptance criteria at the unit boundaries should be clarified (allocated) at the subsystem C boundary.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

6.2 Allocation of unit requirements to subsystems/component groups


6.2.1 In order to support the overall redundancy design intent, requirements must be allocated to the subsystems. The subsystem design intention will be determined (allocated) by these requirements. The objective of 6.2 is to provide explanatory examples of how this allocation can be documented.
Guidance note 1: In general, FMEAs of single non-redundant systems will normally require a complete breakdown of all parts of the systems, resulting in a large set of possible failure modes with the potential of affecting the function of the system. On the other hand, an FMEA of redundant systems with a stated overall functional requirement (e.g. no single failure shall give loss of position and/or loss of heading) makes it possible to manage the detailed scope of the subsystem FMEAs in a top-down approach and to limit the detailed analysis. The top-down approach thus avoids detailed and complete FMEAs of each of the redundant subsystems. For a specific unit with a redundancy design intention, the allocation task is to establish the requirements at subsystem boundary level (Ref 6.1.2).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2: Example: Allocation of redundancy design intention from unit level to subsystem level for a redundant DP control system. The unit redundancy design intention for the system is expressed as:

Redundancy design intention (unit level)
Normal operation before failure: ((T1 AND T3) AND (T2 AND T4))
Operation after single failure: ((T1 AND T3) OR (T2 AND T4)) AND (NODRIVEOFF(T1 AND T3 AND T2 AND T4))
Redundancy type/description: Active redundancy. No drift off and no drive off of any thruster.

Redundancy design intention table by redundant and common component groups:
Redundant A groups | Common/connecting X groups | Redundant B groups
Thruster System A: T1, T3 | | Thruster System B: T2, T4
Dependent on: | | Dependent on:
Power System A: Diesel generators A (DG1, DG2); Main switchboard A (SWB A) | SWB X | Power System B: Diesel generators B (DG3, DG4); Main switchboard B (SWB B)
Operator Station A: DPP A, DPD A, TRB A, OSC A | | Operator Station B: DPP B, DPD B, TRB B, OSC B
DP LAN A: DPSW A, Net A1, A2 and A3 | Net X1, X2, X3 and X4 | DP LAN B: DPSW B, Net B1, B2
DP Controller A: DPC A, Bus A | | DP Controller B: DPC B, Bus B
IO System A: IO A1, IO A2, Serial A1, A2, HW A1, A2 | | IO System B: IO B1, IO B2, Serial B1, HW B1, B2
Sensor System A: Gyro 1, Gyro 3, VRU 1, VRU 3, Wind 1, Wind 3 | | Sensor System B: Gyro 2, VRU 2, Wind 2
Posref System A: DGPS 1, Laser | | Posref System B: DGPS 2
Power Distr A: UPS A, Power A1, A2, A3, A4 | | Power Distr B: UPS B, Power B1, B2, B3

[Figure 6-2 diagram: the redundant DP control system with its control system boundary marked.]
Figure 6-2 Redundant automatic DP control system. At the DP control system boundary level the thrusters are connected to IO modules inside the DP control system as indicated below:
IOA1 connected to T1
IOA2 connected to T3
IOB1 connected to T2
IOB2 connected to T4


The dependency statements, including the redundancy design intent for the thrusters, are therefore:
(T1 AND T3) dependent on (IOA1 AND IOA2)
(T2 AND T4) dependent on (IOB1 AND IOB2)

The unit level redundancy requirements allocated down to the outside of the DP control system boundary may now be expressed as:
Redundancy design intent (allocated to the DP control system boundary)
Normal operation before failure: (IOA1 AND IOA2) AND (IOB1 AND IOB2). Active redundancy.
Operation after single failure: ((IOA1 AND IOA2) OR (IOB1 AND IOB2)) AND (NODRIVEOFF(IOA1 AND IOA2 AND IOB1 AND IOB2)). One IO group to be running and no drive off of any thruster IO.

The redundancy requirement to the DP control system will therefore be the input to the single failure analysis of the DP control system. The analysis of the DP control system may either be carried out as a part of the unit (vessel) FMEA or the FMEA may be delivered as a part of the subsystem delivery. In both cases, the unit FMEA shall handle the comparison between the analyses at the subsystem boundary. As an alternative to the logic expressions in this example the allocation may be stated in a more narrative manner.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3: Example: Allocation of requirements to a single thruster system boundary. Example with 4 thrusters and 4 diesel generators for a DP-2 notation.
[Figure 6-3 diagram: diesel generators DG1A, DG2A, DG3B, DG4B; main switchboards SWBA and SWBB; thrusters T1A, T3A, T2B, T4B.]
Figure 6-3 Example of vessel system with 4 thrusters and 4 diesel generators for a DP-2 notation.

Redundancy design intention overview by redundant and common component groups:
Redundant A groups | Common X groups | Redundant B groups
Thrusters A: T1A AND T3A | | Thrusters B: T2B AND T4B
Thrusters A dependent on: | | Thrusters B dependent on:
Diesel generators A: DG1A OR DG2A | | Diesel generators B: DG3B OR DG4B
Main switchboard A: SWBA | Main bus tie switchboard: SWBX | Main switchboard B: SWBB

A benign failure in thruster T1A (causing stop) will affect the positioning capability of the A thruster group. It must be assumed that the A group (T1A AND T3A) has reduced capacity. This is acceptable as long as the single benign failure is assumed not to affect the redundant group (T2B AND T4B). For that reason there will be no need to allocate a functional requirement of normal function of T1A in the case of a single benign failure mode, and it will therefore not be necessary to do a detailed analysis of the thruster inside the thruster boundary with regard to all other benign failure modes. However, there will be a functional requirement to T1A that it shall not fail to an uncontrolled thrust output possibly leading to drive off. This requirement must be allocated to the subsystem thruster FMEA. The requirement will serve as the starting point for the subsystem single failure analysis of T1A.


This may be stated as: Functional/redundancy requirement to subsystem T1A in the single failure analysis of T1A: No drive off T1A. (Please note that the single failure analysis at unit level on the outside of the T1A thruster boundary still shall investigate if a failure in T1A may propagate to the B thruster group by e.g. propagation via connecting components as Net X1, X2, X3 and X4 in figure 6-2 in Guidance note 2 above.)
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

6.3 Comparison of subsystem design intention with subsystem FMEA acceptance criterion
6.3.1 The objective of section 6.3 is to provide explanatory examples of how the subsystem design intention shall be compared with the overall unit design intention in the unit FMEA in order to verify that intentions are consistent.
Guidance note 1: Typical examples of subsystem FMEAs delivered by other parties than the unit FMEA supplier are control system manufacturers' FMEAs of their own deliverables into the project. A pre-requisite for performing the comparisons as described here is that the FMEAs of the subsystems are available and that they contain the necessary information elements as required by this standard.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2: Example: Redundant DP controller subsystem. Task: Compare the requirements for a redundant subsystem FMEA for a DP control system with the unit redundancy design intent at the DP control unit boundary level.

[Figure 6-4 diagram: the automatic DP control system with its control system boundary marked.]
Figure 6-4 The automatic DP control system and the control system boundary are shown. The redundancy design intent for dual DP control systems is indicated. Connecting components (X) between redundant control components are also indicated.

The redundancy design intention at the DP system level:
Operation before single failure: (T1A AND T3A) AND (T2B AND T4B)
Operation after single failure: ((T1A AND T3A) OR (T2B AND T4B)). Active redundancy.

meaning that the acceptance criterion for the thruster groups is assumed to be ((T1 and T3) OR (T2 and T4)) assuming a single failure.


The DP control system redundancy design intention:
Normal operation before failure: (IOA1 AND IOA2) AND (IOB1 AND IOB2)
Operation after single failure: ((IOA1 AND IOA2) OR (IOB1 AND IOB2)) AND (NODRIVEOFF(IOA1 AND IOA2 AND IOB1 AND IOB2)). One IO group to be running and no drive off of any thruster IO.

meaning that the acceptance criterion for the DP control system is that no single failure shall lead to loss of more than one redundancy group.
Conclusion: This means that the DP control system acceptance criterion is compliant with the criterion at the thruster group level.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 3: Example based on another DP control system.

[Figure 6-5 diagram: nested boundaries for the vessel, the DP system and the DP control system.]
Figure 6-5 DP control system (example provided by Kongsberg Maritime)


For a DP control system the DP control system FMEA redundancy design intention may be defined at the system boundary and the I/O (RMP) modules connected to the thruster control systems.
[Figure 6-6 diagram: part of the DP control system with I/O modules RMPA, RMPB, RMPC, RMPD and connecting components X1 to X6; the DP system boundary with thruster groups T1A&T3A and T2B&T4B; the unit (vessel) boundary U.]
Figure 6-6 Vessel boundary, DP system boundary, DP control system, and interfaces. The redundancy design intent for the control system shall be specified at the control system (subsystem) boundary.

The allocated unit requirement to the outside boundary of the DP control system can be expressed in e.g. a logic or Boolean style of design intention:
Normal operation before single failure: RMPA AND RMPB AND RMPC AND RMPD. Active redundancy.
Single failure operation: (RMPA AND RMPB) OR (RMPC AND RMPD)

The internal DP control system redundancy design intent (equipment):
Normal operation before failure: RMPA AND RMPB AND RMPC AND RMPD
Single failure operation: 3 out of {RMPA, RMPB, RMPC, RMPD} are working, one RMP is failed

Conclusion: The allocated unit requirement (upper table) will always be true, both for normal operation and for operation with failure, given that the lower set of requirements is true. The reason is that if 3 out of 4 RMPs are working, then one of the A or B groups will be able to position. This also follows from the fact that the lower requirement (inside the DP control system boundary) is stricter than the redundancy design requirement at the DP system level (outside the boundary).


The above situation may be illustrated by the following enlarged part of the above figure:

Figure 6-7 The allocated redundancy requirements (single failure operation) to the DP control system are compared with the requirements (single failure operation) assumed by the DP control system manufacturer. The comparison shall be carried out in the unit FMEA. In this case it can be seen that the subsystem FMEA is consistent with the allocated requirements from the unit FMEA, as the requirements at the outside will always be true if the DP control system requirement is true.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 4: Example: Single thruster subsystem. The unit FMEA must compare the requirements to a manufacturer FMEA for a single thruster controller with the allocated unit redundancy design intent at the thruster boundary level. The unit acceptance criterion for the thruster groups is assumed to be ((T1 and T3) OR (T2 and T4)) and, in addition, that no thruster shall give drive off. The acceptance criterion for the thruster controller is that a single failure in the thruster control system shall neither cause a significant increase in thrust output nor make the thruster rotate. Furthermore, there is no redundancy requirement inside the boundary, since the redundancy design intent is specified at a higher level. Conclusion: This means that the manufacturer subsystem FMEA criterion is compatible with the unit FMEA at the subsystem boundary level.
[Figure 6-8 diagram annotations: Emergency stop with loop monitoring. FMEA acceptance criterion: fail to safe, no drive off. Example from the rules 6.7.4 A 303: A single failure in the thruster control system shall neither cause significant increase in thrust output nor make the thruster rotate. The acceptance criterion may alternatively be tailor made for specific purposes. Auxiliary systems: Cooling, Lubrication, Ventilation, Aux. Sub-system FMEA boundary marked.]
Figure 6-8 Thruster example provided by Brunvoll


---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


7. FMEA of Subsystems with Redundancy


7.1 General
7.1.1 An FMEA of a subsystem with redundancy (by e.g. a manufacturer) shall be based on the same principles and requirements as an FMEA of a unit with redundant systems. The main difference is the boundary level of the subsystem. Please refer to the requirements to the unit FMEA as described in the preceding sections.
[Figure 7-1 diagram: unit boundary and acceptance criterion with redundant groups A and B; subsystem C boundary and acceptance criterion containing IO A / IO B and MA / MB.]
Figure 7-1 Unit and subsystem boundaries

7.1.2 A failure mode and effect analysis (FMEA) of redundant subsystems shall as a minimum consist of the following parts:
- general information
- acceptance criteria at the subsystem boundary level
- the overall subsystem boundary to be subject to FMEA
- redundancy design intent(s), worst case failure intent, time requirements, and system operational modes
- all redundant components and single component groups included within the subsystem boundary. The relevant system names, main units, compartments (when applicable), and their main intended functions shall be presented in a structured manner, supported with a descriptive narrative text.
- all assumptions related to system interfaces and dependencies on external systems
- single failure and common cause analysis at subsystem level
- if applicable, description of the installation of redundant component groups in fire and flooding protected compartments. This also includes cables and communication lines, and associated equipment.
- a reference to a test program to support the conclusions shall be included or referred to
- summary and conclusions
- a compliance statement referring to the sub-system boundary, operational modes, tests, and acceptance criterion including time requirements shall be stated.
Guidance note:
[Figure 7-2 diagram: nested boundaries for the vessel, the DP system and part of the DP control system.]
Figure 7-2 System boundaries for vessel, DP system and part of DP control system. The interfaces between the I/O modules (RMP) and thrusters are indicated. (Example and figure provided by KM).


Redundancy design intention at thruster RMP module level:
Operation without failure: 4 out of {RMPA, RMPB, RMPC, RMPD} = RMPA AND RMPB AND RMPC AND RMPD
Operation with single failure: 3 out of {RMPA, RMPB, RMPC, RMPD}

Redundancy design intention table for RMP (A, B, C, D) modules and A, B, C groups (Courtesy KM):
A group: PSU A (from UPS A), RCU A, NET A, RedNet, RHUB A, RMP A*, RSER A*, cJoy DP OT (PSU A), OS A (from UPS A)
B group: PSU B (from UPS B), RCU B, NET B, RedNet, RHUB B, RMP B*, RSER B*, RMP C*, RSER C*, cJoy DP OT (PSU B), OS B (from UPS B)
X-components: (RCU C); X1, X2, X6; (RedNet) X1; X3, X5, X6; RMP D*; X4, X6; (cJoy DP OT); (OS C)
Comments: Fire, flooding (DPC cabinet); Redundant Net for RCU, OS; Dedicated RMP-module for each thruster; Dedicated RSER-module for each sensor group
The single failure mode propagation analysis can be based on the above table and diagrams.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


8. FMEA of Single Sub-Systems


8.1 General
8.1.1 An FMEA of a single subsystem without redundancy (by e.g. a manufacturer) shall be based on the same principles and requirements as an FMEA of a unit with redundant systems.
Guidance note: A manufacturer FMEA of a single subsystem without redundancy differs in some respects from the FMEA of a subsystem with redundancy. The main difference is that it is accepted that the function of the single subsystem is lost as a consequence of a single failure. A single sub-system will normally not have a redundancy design intent of the UAXB type as described in the preceding sections. The acceptance criterion will typically be that the effect of the single failure mode shall be fail to safe.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
[Figure 8-1 diagram: unit boundary and acceptance criterion with redundant systems A and B; subsystem C boundary and acceptance criterion containing IO and M.]
Figure 8-1 Illustration of a unit boundary with two redundant systems A and B. System C is assumed to be a single system and the manufacturer may deliver the FMEA for this subsystem.

8.1.2 A failure mode and effect analysis (FMEA) of a single subsystem shall as a minimum consist of the following parts:
- general information
- acceptance criteria at the subsystem boundary level
- the overall subsystem boundary to be subject to FMEA
- design intent(s) and system operational modes for the subsystem
- all component groups included within the subsystem boundary. The relevant system names, main units, compartments (when applicable), and their main intended functions shall be presented in a structured manner, supported with a descriptive narrative text.
- all assumptions related to system interfaces and dependencies on external systems
- single failure and common cause analysis at subsystem level
- if applicable, description of the installation of component groups in fire and flooding protected compartments. This also includes cables and communication lines, and associated equipment.
- a reference to a test program to support the conclusions shall be included or referred to
- summary and conclusions
- a compliance statement referring to the sub-system boundary, operational modes, tests, and acceptance criterion including time requirements shall be stated.


Guidance note: Example of a boundary for FMEA of a single thruster (Courtesy Brunvoll):
[Figure 8-2 diagram annotations: Emergency stop with loop monitoring. FMEA acceptance criterion: fail to safe, no drive off. Example from the rules 6.7.4 A 303: A single failure in the thruster control system shall neither cause significant increase in thrust output nor make the thruster rotate. The acceptance criterion may alternatively be tailor made for specific purposes. Auxiliary systems: Cooling, Lubrication, Ventilation, Aux. Sub-system FMEA boundary marked.]
Figure 8-2 Brunvoll thruster system


Single failure analysis. Table 8-1 is an example of an FMEA worksheet for part of the thruster subsystem. Please note that these example failure modes are not intended to be exhaustive for such a subsystem, and that similar worksheets for the other parts of the thruster subsystem and other failure modes must be provided in a real FMEA.

Table 8-1 Part of thruster system worksheet
(Columns: Item / Ref. Fig.; Item description; Failure mode; Failure cause; Expected failure local effect; Expected failure system effect; Detection of failure / alarm; Compensating provision against failure; Reference to tests)

Power supply bridge (-A5)
- Failure mode: Loss of power
- Failure cause: Loosening of cable termination
- Local effect: Loss of PLC unit bridge. No thrust command active from bridge system.
- System effect: Pitch to zero, no thrust produced. Thruster out of DP. No positioning effect.
- Detection / alarm: Control system failure.
- Compensating provision: Independent power supply. No influence on other operating thrusters.

Power supply thruster room (-A6)
- Failure mode: Loss of power
- Failure cause: Loosening of cable termination
- Local effect: Loss of PLC unit thruster room. No remote control or local control possible.
- System effect: Auto stop of drive motor, no thrust produced. Thruster out of DP. No positioning effect.
- Detection / alarm: Control system failure.
- Compensating provision: Independent power supply. No influence on other operating thrusters.

PLC unit on bridge (-A5-A1)
- Failure mode: Loss of PLC, PLC bridge stopped
- Failure cause: PLC halted, no function active
- Local effect: Loss of PLC unit bridge. No communication to panels or thruster room.
- System effect: No thrust command active from bridge system. Pitch to zero, no thrust produced. Thruster out of DP.
- Detection / alarm: Control system failure.
- Compensating provision: Thruster can be operated by manual push buttons if needed.

PLC unit in thruster room (-A6-A1)
- Failure mode: Loss of PLC, PLC thruster room stopped
- Failure cause: PLC halted, no function active
- Local effect: Loss of PLC unit thruster room. No remote control function possible.
- System effect: Auto stop of drive motor. Thruster out of DP. No positioning effect.
- Detection / alarm: Control system failure alarm. Auto stop.
- Compensating provision: No influence on other operating thrusters.

Serial line between control cabinet bridge and thruster room (Profibus cable)
- Failure mode: No communication between thruster room and bridge.
- Failure cause: Wire break, loosening of cable termination.
- Local effect: No communication between PLC units.
- System effect: No thrust command active from bridge system. Pitch to zero, no thrust produced. Thruster out of DP.
- Detection / alarm: Control system failure.
- Compensating provision: Thruster can be operated by manual push buttons if needed.
- Reference to tests: 4.5

Thrust command signal from active bridge panel (4-20 mA)
- Failure mode: No signal from control lever
- Failure cause: Potentiometer fault or fault in control lever card. Wire break, loosening of cable termination.
- Local effect: Loss of signal from control lever.
- System effect: Pitch set point to zero.
- Detection / alarm: Loop failure / thrust command failure.
- Compensating provision: Change to other control panel or control by manual push buttons.
- Reference to tests: 4.5

Thrust command signal from bridge panel not in command
- Failure mode: No signal from actual lever
- Failure cause: Potentiometer fault or fault in control lever card. Wire break, loosening of cable termination.
- Local effect: Loss of signal from control lever.
- System effect: No influence on command from active panel.
- Detection / alarm: Loop failure from actual lever.

Fault in thrust indicator
- Failure mode: Failure in thrust indicator or loss of actual signal.
- Local effect: Incorrect indication on panel.
- System effect: No effect on system.
- Detection / alarm: Fault indication on component.
- Compensating provision: Thrust indication to be read on other panel.

Comments:

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


9. Redundant Systems with Physical (Fire and Flooding) Separation


9.1 Separation design intent
9.1.1 For FMEAs of redundant systems with requirements to physical (typically to prevent failure propagation due to fire and flooding events) separation, the separation design intent of the redundant systems in separated zones shall be described at a high level by means of layout drawings, equipment lists, figures, tables, and supported by a descriptive narrative text. The separation intent shall specify how all redundant component groups are located in separated zones with fire and flooding protection. All zones shall be identified by unique identifications in addition to the identification of the component groups located within the zones.
[Figure 9-1 diagram: unit U with compartment A (fire/flooding) containing redundant component group A and compartment B (fire/flooding) containing redundant component group B.]
Figure 9-1 The separation design intent for redundant systems requires specification of the redundant component group A within the A zone (compartment). Specification of the redundant component group B within the B compartment/zone shall also be stated.
Guidance note 1: The requirement for specification and identification includes all zones, spaces, and cable trays where the equipment is installed. Equipment is understood as all components, including piping and cabling which may influence the redundancy design intent and acceptance criteria.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note 2:
[Figure 9-2 diagram: deck levels (tank top, tween deck, main deck, bridge deck) with Zone A and Zone B and the redundant component groups placed in each.]
Figure 9-2 Separation design intent diagram with separated zones and redundant component groups.

Separation design intent table with separated zones and redundant component groups:
Zone | Component groups | Zone | Component groups
Zone A tank top | T1, Tk1, DG1, DG2, SWBA, T3 | Zone B tank top | T2, Tk2, DG3, DG4, SWBB, T4
Zone A tween | A6, A7 | Zone B tween | B6, B7
Zone A main | A8 | Zone B main | B8
Zone A bridge | DPA | Zone B bridge | DPC

The following abbreviations are used in the above figure and table: T: Thruster; Tk: Fuel tank; DG: Diesel generator; SWB: Main switch board; DP: Dynamic positioning controller.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---


Guidance note 3: The table in Guidance note 2 may be inconvenient when there are more than two zones and cross sectional dependencies. The table below is an example of a separation design intent table for a system with 3 separated zones and 3 redundant component groups:
Separation design intent table
Zone | Room | Component groups | Effect of failure | Comments
1 | Engine room 1 | Tk1, DG1, DG2 | |
1 | Switch board room 1 | SWBA, SWBB | |
2 | Engine room 2 | Tk2, DG3, DG4 | |
2 | Switch board room 2 | SWBC | |
3 | | | |
3 | | | |
Abbreviations: T: Thruster; Tk: Fuel tank; DG: Diesel generator; SWB: Main switch board; DP: Dynamic positioning controller.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.1.2 The separation acceptance criterion shall be stated. Any possible time requirements shall also be stated.
Guidance note: The separation acceptance criterion for e.g. IMO DP3 is that the applicable zones should be separated by A60 rated materials and that the zones should be constructed watertight under the waterline. In case of a fire or flooding event, all components in the component groups in the zone should be considered as failed. Reference is also made to annex D3, where failure modes for separated electrical power systems operating in parallel and separated power systems simultaneously supplying equipment placed in non-separated areas are discussed.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.2 Separation analysis


9.2.1 The separation analysis shall clarify the installation of redundant equipment into the physically separated zones according to the separation design intent and the acceptance criteria. The method of separating the different zones shall be described.
Guidance note: The requirement for the analysis includes all zones and spaces where equipment is installed. Equipment is understood as all components, including piping and cabling which may influence the redundancy design intent and acceptance criteria.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

9.2.2 The separation analysis shall result in a statement that confirms that no fire or flooding event in any of the separated compartments shall be able to influence the operation of both (or all) the separated systems and subsystems in such a manner that the acceptance criteria are violated within the stated time requirement.
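The allocation through dependency statements (Guidance notes 2 and 3 of 6.2), the comparison of a subsystem intent against the allocated requirement (Guidance note 3 of 6.3) and the zone-loss check of 9.2 can all be mechanised as Boolean evaluation over component groups. The following Python is an added example and is not part of DNV-RP-D102 or of any DNV or manufacturer tool; the dependency wiring, the failure modes and the zone contents are assumptions constructed from the figures and tables above.

```python
"""Added worked example; not part of DNV-RP-D102 or any DNV/manufacturer tool.
Encodes the Sec.6 redundancy design intentions and the Sec.9 separation design
intent as Boolean logic over component groups so the checks described in the
text can be run exhaustively. Names follow Figures 6-2, 6-3 and 6-6; the
dependency wiring below is an assumption reconstructed from those figures."""
from itertools import product

# "X dependent on Y" statements as functions of an availability oracle: a
# thruster needs its IO module (Fig 6-2) and its switchboard, and a
# switchboard needs at least one of its diesel generators (Fig 6-3).
DEPENDS = {
    "T1": lambda up: up("IOA1") and up("SWBA"),
    "T3": lambda up: up("IOA2") and up("SWBA"),
    "T2": lambda up: up("IOB1") and up("SWBB"),
    "T4": lambda up: up("IOB2") and up("SWBB"),
    "SWBA": lambda up: up("DG1A") or up("DG2A"),
    "SWBB": lambda up: up("DG3B") or up("DG4B"),
}
COMPONENTS = ["T1", "T2", "T3", "T4", "IOA1", "IOA2", "IOB1", "IOB2",
              "SWBA", "SWBB", "DG1A", "DG2A", "DG3B", "DG4B"]
THRUSTERS = ["T1", "T2", "T3", "T4"]

def availability(failed):
    """Return up(name) -> bool for a set of failed components, propagating
    the loss through DEPENDS (a component is down if a dependency is)."""
    cache = {}

    def up(name):
        if name in failed:
            return False
        if name not in cache:
            dep = DEPENDS.get(name)
            cache[name] = True if dep is None else dep(up)
        return cache[name]
    return up

def unit_criterion(failed, drive_off=False):
    """Operation after single failure (Guidance note 2 of 6.2):
    ((T1 AND T3) OR (T2 AND T4)) AND no drive off of any thruster."""
    up = availability(failed)
    positioning = (up("T1") and up("T3")) or (up("T2") and up("T4"))
    return positioning and not drive_off

def single_failure_analysis():
    """Enumerate every single failure mode and return the (component, mode)
    pairs that violate the unit criterion. A benign 'stop' only degrades one
    redundant group; uncontrolled thrust ('drive_off') violates the criterion
    regardless of redundancy, which is why 'No drive off' must be allocated
    to the thruster subsystem FMEA (Guidance note 3 of 6.2)."""
    violations = []
    for comp in COMPONENTS:
        modes = ["stop"] + (["drive_off"] if comp in THRUSTERS else [])
        for mode in modes:
            if not unit_criterion({comp}, drive_off=(mode == "drive_off")):
                violations.append((comp, mode))
    return violations

# Sec.6.3, Guidance note 3: is the subsystem intent stricter than the
# requirement allocated to the outside of the DP control system boundary?
RMPS = ["RMPA", "RMPB", "RMPC", "RMPD"]

def subsystem_intent(state):
    """Single failure operation inside the DP control system (Fig 6-6):
    3 out of {RMPA, RMPB, RMPC, RMPD} are working."""
    return sum(state[r] for r in RMPS) >= 3

def allocated_intent(state):
    """Allocated unit requirement (Fig 6-6): (RMPA AND RMPB) OR (RMPC AND RMPD)."""
    return (state["RMPA"] and state["RMPB"]) or (state["RMPC"] and state["RMPD"])

def implies(stricter, weaker, names):
    """Exhaustively check that every state satisfying `stricter` also
    satisfies `weaker`; returns (True, None) or (False, counterexample)."""
    for bits in product([True, False], repeat=len(names)):
        state = dict(zip(names, bits))
        if stricter(state) and not weaker(state):
            return False, state
    return True, None

# Sec.9 separation design intent, zone -> component groups, constructed from
# the Guidance note 2 table of 9.1.1 with generator names aligned to Fig 6-3.
ZONES = {
    "Zone A tank top": {"T1", "Tk1", "DG1A", "DG2A", "SWBA", "T3"},
    "Zone B tank top": {"T2", "Tk2", "DG3B", "DG4B", "SWBB", "T4"},
}

def separation_analysis(zones=ZONES):
    """Fail every component of one zone at a time (fire or flooding event)
    and return the zones whose loss violates the positioning criterion."""
    return [zone for zone, comps in zones.items() if not unit_criterion(comps)]

if __name__ == "__main__":
    print("single failures violating unit criterion:", single_failure_analysis())
    print("3-of-4 RMPs implies allocated intent:",
          implies(subsystem_intent, allocated_intent, RMPS))
    print("zones whose loss violates the criterion:", separation_analysis())
```

Running it shows that every benign stop is tolerated, that only a thruster drive-off violates the unit criterion (the requirement that is therefore allocated to the thruster subsystem), and that the 3-of-4 RMP intent implies the allocated intent while a weaker 2-of-4 intent would not.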


10. Inspections and Tests


10.1 General
10.1.1 A test plan for verification of conclusions in the FMEA shall be prepared and submitted to the certification body. The test plan shall support verification of the following:
- redundancy design intention
- worst case redundancy design intention
- single failure tolerance within the given time requirement and acceptance criteria
- barriers and other compensating measures, including sufficient independencies between these
- if relevant, separation requirements.
Guidance note: Verification of pre-requisites for the FMEA may be carried out at the dock. It may be beneficial to first carry out a test plan for system verification before the main test, e.g. at the dock before the sea trial. This could be related to parameterisation of protective functions, software versions installed, inspection and verification of design assumptions of fire and flooding protected compartments, etc.
Typically a large part of the testing will be related to the redundancy verification, where redundant groups should be tested by running both the A and B component groups in parallel and introducing a failure in one group in order to verify the required redundancy. Examples of such tests are blackout tests of AC and DC systems. Failure of equipment which has not been without power during the blackout tests (typically process stations with dual power supply, or battery backup) must be tested separately. When physical separation is required, simultaneous failure of all components within relevant boundaries (e.g. to simulate the effect of fire or flooding) will be a relevant test strategy. In the case that redundancy is dependent on switchover mechanisms, e.g. standby start, change over or restart, such functions must be tested (e.g. loss of one computer or network in a redundant control system).
Single failure or common cause related testing: the tests should simulate the failure modes identified in the single failure analysis in order to verify:
- that a failure will not propagate so that the acceptance criteria or redundancy design intention are violated
- failure response outside the acceptance criteria (e.g. thruster failure leading to drive off on a DP vessel).
In general, tests should be carried out end to end from initiator to final element/output.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

10.1.2 The test program shall have an introduction which as a minimum shall include the following:
- reference to the specific FMEA document (title, version and date)
- specification of (or reference to) all specified system operational modes and technical system configurations that shall be verified by testing (ref 1.1.3).
10.1.3 Each test shall as a minimum contain:
- test identification (e.g. test number)
- reference to the specific part in the FMEA to be verified (e.g. redundancy design intent, worksheets, ...)
- test intention
- test prerequisites and test setup specific for this test
- test method and actions to be performed
- expected results and acceptance criteria, including time requirements if relevant
- space for actual observation, test results, and conclusions.
Guidance note: In order to facilitate the practical testing, description of the test method should include detailed locations where the physical and practical actions should be carried out. The location should be detailed to which space, cabinet, switch, fuse, termination board, wire, as relevant.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

10.1.4 For systems and subsystems where separation is required, a set of inspections, tests and verification activities shall be prepared and referenced. These inspections, tests, and verifications shall support the conclusions of the separation analysis.
10.1.5 All systems subject to testing, and systems that may influence the test results, shall be completed and commissioned ready for final testing before the FMEA tests can start.
10.1.6 Before the actual testing commences, a planning meeting between the involved parties shall be arranged. The objective is to organise the test execution.

10.1.7 After each test, the actual observations and results shall be recorded. After the test session, the records shall be reviewed in a meeting where involved parties are present. The meeting shall conclude on findings, conclusions and responsibilities for further actions.


11. FMEA Report and Compliance Statement


11.1 General
11.1.1 The FMEA and the test report shall be updated according to observations and test results from the actual testing.

11.1.2 The updated FMEA and the test records shall, together with the findings, conclusions and test summary, be compiled into an FMEA report.
Guidance note: The conclusion and test summary should include the worst case failure mode(s) and examples of related failure causes, in order to identify which parts of the system have the highest impact on the capacity. The remaining capacity after such failures should be stated. For the redundant system to be approved, these conclusions must comply with the overall design intent and the given acceptance criteria.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

11.1.3 A compliance statement referring to the overall unit (U), operational modes, test conclusion, and acceptance criterion including time requirements shall be stated in the FMEA report.


APPENDIX A IMCA REFERENCES


The International Marine Contractors Association (IMCA) has a wide range of publications available for members and non-members. Several of these documents give a basic introduction to FMEA of marine systems. Examples of such documents are:
- Methods of Establishing the Safety and reliability of Dynamic Positioning systems, information note IMCA M 04/04
- IMCA M 166 Guidance on failure modes and effect analysis (FMEAs)
These and other documents also include information and examples on relevant systems and their failure modes.


APPENDIX B DNV REFERENCES


Below are given some DNV rule references related to typical notations which require FMEA or may otherwise give requirements to relevant failure modes to be considered for different systems and notations.

RULES FOR CLASSIFICATION OF SHIPS
- Pt.6 Ch.2 Redundant Propulsion
- Pt.6 Ch.7 Dynamic Positioning Systems
- Pt.6 Ch.19 Alternative Propulsion
- Pt.6 Ch.22 Enhanced System Verification (ESV)

Please refer to section 2, D106 to see typical failure modes for programmable control systems:

106 The HIL test-package shall contain test cases related to the normal, degraded and abnormal operation of the target and simulated systems. Normally single and common failure modes and common components should be extensively analysed and tested. Multiple failures should be tested if found relevant.
Guidance note: Operation in all normal modes and transfer between operational modes and the corresponding functional requirements should be the basis for establishing the HIL test scope. In addition, failure testing is also to be included in the test scope. General types of failures to be simulated could be, but are not limited to:
- sensors or input devices failure modes (dropout, noise, calibration errors, drift, bias, signal freeze, wild point)
- failure mode of actuators, drives, power system components or other electro-mechanical components
- feedback from sensors on actuator failure modes
- failure modes in computer networks
- failure modes related to overload of networks
- failures affecting weighting and voting mechanisms
- failures affecting protective safety functions
- failures affecting alarms, monitoring, and analysis functions
- failures causing and/or otherwise affecting switch-over in redundant systems
- common mode failures affecting several components and/or signals
- emergency handling (special emergency functions required during emergency handling could be tested)
- reconstruction of relevant reported failures/incidents related to the system and/or operations.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Please note that the above listed failure modes are relevant also for general FMEAs (not only HIL testing).

- Pt.6 Ch.26 Dynamic Positioning System - Enhanced Reliability Dynpos-er


APPENDIX C TYPICAL TABLE OF CONTENTS FOR A MINIMUM DP FMEA


The overall requirements to the contents of an FMEA are given in section A. The simplified example given below of a table of contents for a DP FMEA shows typical systems to be analysed in the FMEA:
- introduction (general vessel information and acceptance criteria)
- system description and boundaries
- redundancy design intent and worst case failure intent
- vessel operational modes and technical system configurations for DP operations
- power systems
  - high voltage systems
  - low voltage distributions
  - emergency power
  - battery and UPS systems and distributions
- machinery system
  - diesel engines / diesel generator sets
  - fuel oil system
  - lubrication oil system
  - seawater / freshwater cooling system
  - compressed air system
  - engine room ventilation
- thruster system
  - thruster control system
  - thruster hydraulic system
  - thruster cooling system
  - control mode selection
  - power supplies to control and auxiliary pumps
- IAS / power management / engine control system
  - integrated automation system
  - power management system
  - generator voltage control system
  - diesel engine governor control
- emergency stop / shutdowns
- other relevant systems
  - fire fighting system
  - ventilation system
  - shut down system (ESD)
  - cooling system in computer rooms
  - etc.
- conclusions / findings / recommendations if applicable
- test program
  - in principle, all statements and conclusions of the FMEA are to be verified by testing (as far as possible)
  - it is accepted that several conclusions are verified by one test, e.g. by a partial blackout
  - in general, the following main groups of tests will be required (each group typically contains several tests):
    - partial black-out on the main- and distribution switchboards (AC)
    - loss of distribution board or equipment with dual power supply
    - loss of (black-out) each battery and UPS distribution
    - fail to safe response on single failures (e.g. thruster control systems)
    - simulation of failures requiring manual or automatic intervention
    - dependent on the actual design, other tests might be required.

APPENDIX D FAILURE MODES IN ELECTRICAL POWER SYSTEMS OPERATING WITH CLOSED BUS TIE(S)
D.1 Introduction
There are certain single failures that in case of open tie breakers will only affect one of the systems (A or B), but that in case of closed tie breakers might jeopardize both the A and B systems. Such failures need not be analysed in depth for open tie breaker operation, since it is then accepted that one of the systems A or B fails. In the situation where the electrical power systems belonging to different redundancy groups are electrically connected and arranged by bus-tie breakers to separate automatically upon failures (closed bus-tie), a failure in one system (A) may propagate via the closed bus-tie (X-group) to the redundant systems (e.g. B). In this situation a large number of additional failure modes may violate the overall redundancy design intent. The FMEA must consider the additional failure modes relevant for the given design in relation to the applicable requirements. Section A4 describes requirements and examples typical for DP systems. However, the nature of such failure modes is similar for all marine electrical power systems running in parallel. The relevant failure modes for an FMEA for a given system are typically influenced by the required rules or applicable standards. The FMEA has to verify that the control and protection systems are able to automatically bring the system into a safe state whenever a single failure occurs that might lead to a worse failure than the defined worst case acceptable failure in the design intent (usually loss of either the A or B system).

D.2 Typical failure modes for a closed bus tie for a DP 2 FMEA analysis
The IMO MSC/Circ.645 Guidelines for vessels with dynamic positioning systems states in item 3.2.3 (which is also a guidance note in the DNV DP rules): "For equipment class 2, the power system should be divisible into two or more systems such that in the event of failure of one system at least one other system will remain in operation. The power system may be run as one system during operation, but should be arranged by bus-tie breakers to separate automatically upon failures which could be transferred from one system to another, including overloading and short-circuits."

Based on this IMO guideline the industry trend is to design and operate an increased number of DP class 2 notation vessels with closed bus-tie. Through experience from closed bus tie testing and operation over the last years, more and more failure modes are being considered relevant for DP class 2 notations. The typical standard minimum set of functions, failure modes and tests to be considered for DP class notations should include:
- Protection philosophy to support the redundancy design intent (short circuit and other selectivity calculations must be approved, in particular those related to operation of the bus tie).
- Frequency and active power control (governor failure, high/low frequency and active power imbalance).
- Voltage and reactive power control (AVR failure, high/low voltage and reactive power imbalance).
- Power management (e.g. load sharing, malfunction, ...).
- Power system transients and distortion (e.g. power dips, voltage dip ride through capabilities, harmonics, unbalanced currents).
Other relevant tests must also be included in the DP FMEA test program in order to verify that the system has the expected robustness and transitional ride through capabilities.
As the industry and rules are evolving, it is considered natural that the list of relevant failure modes for DP class 2 notations will be expanded, in order to provide more comprehensive integrity against failure propagation across the closed bus-tie. Please note that the list provided for DP class 3 notations in D3 below gives more details on the failure modes listed for DP class 2 notations in addition to many more failure modes relevant for closed bus tie systems.

D.3 Typical failure modes for a closed bus tie for a DP 3 FMEA analysis
The traditional interpretation of the DP-3 requirements has been that in order to achieve the intended integrity, the power systems must be run as separated systems with open bus-tie breakers. However, there are a number of benefits (technical, environmental, economic and operational) with operation with closed bus-ties. Due to these benefits some operators run the DP-3 systems with closed bus-ties for as large periods of the operations as possible. The IMO MSC/Circ.645 Guidelines for vessels with dynamic positioning systems states in item 3.2.4 (which is also a guidance note in the DNV DP rules): "For equipment class 3, the power system should be divisible into two or more systems such that in the event of failure of one system, at least one other system will remain in operation. The divided power system should be located in different spaces separated by A-60 class division. Where the power systems are located below the operational waterline, the separation should also be watertight. Bus-tie breakers should be open during class 3 operations unless equivalent integrity of power operation can be accepted according to 3.1.3."

The challenge is to ensure the above equivalent safety level of the rules and at the same time enable closed bus-tie operations to achieve the desired benefits. The following issues should at least be adequately addressed in a DP FMEA for analysis of DP3 with closed tie-breakers or automatic change-over of supply between systems:

1) Active and reactive load sharing:
- Active power load sharing failure (e.g. caused by governor failure, insufficient, excess or unstable active power, fuel rack failure, active power or frequency sensor failures, signal failures, load-sharing line failures)
- Reactive power load sharing failure (e.g. caused by AVR failure, insufficient, excess or unstable reactive power, reactive power sensor failures, voltage sensor failures, signal failures)
- Detection methods and actions to bring the system to a safe state, with conditions and time responses
2) Consequences of voltage transients:
- Reference to analysis of worst case voltage dip (depth and duration) on the healthy bus after short-circuit on the other bus (in closed tie-breaker operation)
- Document adequate voltage dip ride-through capability of the systems necessary to remain in position: thruster drives, computer systems, networks, contactors, pumps, ventilation, and other auxiliaries.
3) Risk for simultaneous trip or load reduction of all thrusters:
- Are there built-in protections in thruster variable speed drives that cause trip or load reduction? If yes, how is it ensured that not all thrust is lost at the same time by the same trigger? Examples of such protection can be high/low voltage and/or frequency.
- Are there situations where all thrusters will reduce their power simultaneously to such a level that position cannot be maintained? E.g. built-in load reduction functionality in drives that may reduce power to zero if one diesel engine fails to full speed.
4) Ensure that no hidden failure renders it impossible to open the tie-breaker from PMS or other protection devices:
- Does the PMS have direct HW open command signals to both tie-breakers?
- Redundant open command signals?
- Fail safe system that trips the breaker on wire break on the open command signal?
- Is it sufficiently ensured that the tie-breaker is not in local mode during DP3 operation? (e.g. clear indication of local/remote status on the PMS GUI)
- Include check of tie breaker operability in procedures for DYNPOS-AUTRO/DPS3 operation?
5) Fault tolerance in the PMS system:
- How is it ensured that a single feedback failure to the PMS does not cause the PMS to carry out an action that results in loss of position?
- Can for instance a single failure on a feedback signal to the PMS cause:
  - PMS to connect a generator (or bus-tie) without synchronization?
  - Full load reduction to all running thrusters simultaneously?
  - PMS to decrease generator frequencies to a level that causes risk of automatic load reduction of drives / tripping of drives?
  - PMS to increase frequency to a level that causes systems to trip?
  - PMS to jump to manual mode?
- Can a single PMS operator failure cause blackout?
- Can one single PMS unit trip all generator breakers?
- Failure to start and connect
- Crash synchronization on connect
- Connection of a stopped generator
6) Documentation and verification of protection settings:
- Is there protection functionality in the PMS that can trip generator breakers and thus needs to be included in the discrimination analysis?
- Require tables with settings of all protection equipment, both in relays on breakers and in the PMS.
- As part of the FMEA: verify by onboard inspection all protection settings on breakers, not only short circuit. Special focus on the tie-breaker.
7) Short circuit selectivity between bus-tie and generator breakers:
- Selectivity documented also for the highest maximum short circuit current?
- Zero delay in bus-tie short circuit protection?
8) Mode monitoring in PMS / IAS system:
- Warning/alarm if the power system setup is in conflict with the defined prerequisite for DYNPOS-AUTRO/DPS3 operation.
9) Loop monitoring (or similar) on feedback to e.g. PMS.
10) Bus-tie breaker shunt-trip: can this be used? It needs to be able to open in case of voltage dip.

11) Failures causing high harmonic distortion in the system, where the new situation causes other components to fail. E.g. filter failure giving high 11th and 13th harmonics causing resonance in internal filters in VFDs to auxiliaries, in turn causing these to fail so that the auxiliary function is lost for e.g. all thrusters.
12) Negative sequence.
13) Loss of synchronization:
- Maintenance of synchronization after voltage dip, e.g. related to short circuit.
- Loss of synchronization / pole slipping (including severe mechanical failure).
14) Earth faults generally.
15) System parameters outside normal operational ranges/boundaries applicable to voltage and frequency.
16) System imbalance:
- Severe line or phase voltage imbalance (short circuit or similar condition)
- Severe line current imbalance
17) There should be implemented a system to ensure that the set points of all kinds of trip functions in the electrical system are based on data that are verified/tested. Assumed data should not be accepted. All trip functions should be included in a maintained list. There should be a systematic periodic check of all set points.
18) The discrimination analysis is to be reviewed with careful attention that all functions and settings are properly justified.
19) Other design related issues which are identified during the design review or testing.
20) As many of these design elements as possible shall be verified by FMEA testing.

As the industry and rules are evolving and experience is collected, it is considered natural that this list of relevant failure modes will be expanded. When the system is intended to be operated with closed bus tie(s) between redundant power systems, the above requirements to analyses must be supported with extensive verification by FMEA testing. Especially in the situation where the intention is to justify the equivalent integrity of power operations as required by IMO MSC/Circ.645, the extent of necessary FMEA testing may include tests that traditionally have been considered to be potentially destructive (e.g. short circuits and earth failures on the electrical system). Although an equivalent safety level is considered to be achieved by documented analysis and testing, it should be understood that there will always be a residual probability for failure propagation. For operations (e.g. diving) where loss of position may result in unacceptable consequences, risk considerations should be performed in order to evaluate the system operational modes including open or closed bus-ties. This principle is valid for both DP-2 and DP-3 systems. The intended equivalent safety level may be achieved by other measures than discussed in this section. In general such equivalent measures will be accepted.

D.4 Separated power systems simultaneous supplying equipment placed in a non-separated area
Separated power systems simultaneously supplying equipment placed in a non-separated area may impose a risk of both power systems being affected by the same fire or flooding incident. Depending on the system, the following typical descriptions and analyses are required by the FMEA:
- Location of equipment and cable routing belonging to different systems. This drawing should also indicate any possible separations, watertight and passive fire protection. This also includes any slip ring assembly. Equipment being supplied from different redundancy groups should be installed to provide the best possible protection against failure propagation, and installed in separate cabinets.
- Discrimination analysis: Generator Circuit Breakers (CB), Main Switch Board (MSB) equipment feeder CB, equipment MSB incoming CB (if applicable), equipment MSB feeders, and CBs further downstream until end consumers. This is applicable for all relevant power systems. This must be presented as graphs in a common diagram and preferably supported by the CB maker's discrimination tables. Earth fault discrimination shall also be included (if applicable). Installation of current limiting breakers should be considered.
- Short circuit analysis: Maximum and minimum short circuit levels shall be documented for all distributions (single and three phase fault). Generator decrement curves are to be taken into consideration.
- Under voltage: As a consequence of a worst case failure scenario both power systems may experience a short circuit within a short time period. The consequence of a short circuit will be under voltage in the systems, which may affect connected equipment. Analysis of the transient voltage dip and its duration must be documented. This must include an evaluation and conclusion on the effect on other equipment and systems, bearing in mind the sensitivity of power electronics, contactors, computer systems, etc.
- Parameterisation of protective devices/functions.
- Fire/flooding monitoring (extended systems may be used to increase the possibility to set the system in a safe mode upon such an incident).
- Operational philosophy (power system, crane/diving/DP operations, etc).
- Load balance considerations.
Such analysis should be focused on the highest voltage levels in the AC power generation plants and on battery and UPS distribution systems.

D.5 Additional discussion and examples


A.4.4 includes some further discussion and examples of some of the topics stated in A.4.3. Please note that for a given FMEA, all relevant topics must be addressed. A general recommendation is that upon detection of an abnormal condition, action to bring the system into split mode shall be automatically executed. Abnormal situations may include:
- Load sharing failure, active power.
- Load sharing failure, reactive power.
- High/low bus voltage.
- High/low frequency.
- Communication failure in PMS or load sharing system.
- Thruster load reduction activated.
- PMS failure or PMS change to manual mode.
- Feedback failure on bus-tie status signals.

Some of the most common failure modes that need to be addressed are outlined in the following subsections. Note that other failure modes might also be critical (depending on the type of equipment, configuration and control systems installed).

D.5.1 Tie breaker short circuit protection

All generator breakers are equipped with short circuit protection trip functionality such that they will open in case of short circuit on the bus. In closed tie-breaker operation it is crucial that the tie breaker(s) open before the generator breakers. A full blackout (A and B side) will be the result if the tie breaker fails to open before the generator breakers, since the short circuit current will then flow through all generator breakers and they will all trip. The FMEA has to verify that the breakers are installed and parameterized such that the tie breakers are ensured to open first. It also has to be verified that the tie breaker is able to break the worst case short circuit current. For the tie-breaker, maximum upstream selectivity has higher priority than downstream selectivity. For safest operation the tie breaker should be considered to open as fast as possible (configured with zero delay), although this might be in conflict with downstream selectivity. For DP3 it is required to have a tie breaker at both sides of the fire and flooding division. The division has little or no value unless the tie breakers on both sides of the division are equipped with short circuit protection. This has to be verified as part of the FMEA. The FMEA has to address maker documentation regarding breaking capacity and selectivity/discrimination. The FMEA needs to verify that the required discrimination is implemented in the system.
*** Example of how tie breaker short circuit protection can be addressed in the FMEA:

The worst case short circuit currents on the Vessel switchboards are shown in the short circuit analysis to be:
- Generator breakers: 35 kA
- Tie-breaker: 55 kA

The table below shows the breaking capacity and trip setting for the generator and tie breakers.

| Breaker            | Breaking capacity (kA) | Short circuit trip setting | Delay setting |
|--------------------|------------------------|----------------------------|---------------|
| BT1 (Master)       | 65 kA                  | 8 kA                       | 80 ms         |
| BT1 (Slave)        | 65 kA                  | 8 kA                       | 80 ms         |
| Generator breakers | 65 kA                  | 12 kA                      | 500 ms        |


The discrimination curves for generator breaker and tie breaker are shown below.

[Figure: time-current discrimination curves for the generator breaker and the tie breaker (time axis from 1 cs to 10 ks, current axis from 1 A to 10 MA). The bus-tie breaker should break before the generator breaker.]

| Generator breaker maker and type | Tie breaker maker and type | Documentation of selectivity / discrimination |
|----------------------------------|----------------------------|-----------------------------------------------|
| Siemens 3WL 3000 A               | Siemens 3WL 3000 A         | According to maker documentation (ref. .) discrimination is assured up to 65 kA provided trip current setting difference is >2 kA and time delay difference is >200 ms. |

It is based on the maker documentation concluded that the tie breaker will open before the generator breakers in case of a worst case short circuit. To be verified on board that breaker maker, type and protection settings are as specified.

*** End of example.

D.5.2 Under-voltage release / Voltage transients / high and low bus voltage

Generator breakers will usually be equipped with an under-voltage release which opens the breaker if the voltage is below a specified level for a specified period. All generator breaker protection relays will measure the same voltage when the tie-breaker is closed. A voltage dip will thus potentially cause all generator breakers to trip simultaneously (full blackout). Similar consequences can arise if thruster breakers are equipped with under-voltage release: all thruster breakers will measure the same voltage when the tie breaker is closed, and they may thus all trip simultaneously with loss of position as a potential consequence. Note also that the thruster drive controllers typically monitor voltage as well and might also command the thruster breakers to open; this is another function that might cause all thrusters to trip simultaneously.

Simultaneous trip of generators or thrusters can be avoided by ensuring that the tie-breaker will always be the first to open in case of under-voltage. It is also important to ensure that no normal voltage dip to be expected in the actual power system will cause any trip (e.g. voltage dip due to start of large motors and voltage dip due to a short circuit). A challenging task is to verify that a short circuit on one bus will be cleared fast enough to avoid that feeders and contactors to essential auxiliary systems open due to low voltage. The same type of equipment will usually be used on both A and B side. Thus, if one loses a pump on the A side during a short circuit due to low voltage, it is also likely that the one for the B system will trip, since it will see more or less the same voltage. A very fast short circuit trip of the tie breaker will reduce the voltage dip in either the A or B system and is thus a method to avoid losing auxiliary systems on both A and B side. Bus tie breakers may be considered to be equipped with under-voltage trip. Any protection functions acting on high bus voltage will have to be addressed in the same way.

*** Example of how under-voltage release can be addressed in the FMEA:

Worst case voltage dips have been analysed for a given vessel switchboard. The results are summarized in the table below:

| Case                                                        | Voltage | Duration                                                  |
|-------------------------------------------------------------|---------|-----------------------------------------------------------|
| Start of heavy consumer in DP mode. Two generators running. | 90%     | 3 seconds                                                 |
| Short circuit                                               | 0%      | 100 ms (maximum time for the bus-tie to clear the fault)  |


The table below shows the settings of the under-voltage release protection functions in the Vessel switchboard:

| Breaker                                                         | Under-voltage release | Under-voltage release trip level | Delay    |
|-----------------------------------------------------------------|-----------------------|----------------------------------|----------|
| Bus-tie 1 (Master)                                              | Yes                   | 85%                              | 100 ms   |
| Bus-tie 1 (Slave)                                               | Yes                   | 85%                              | 100 ms   |
| Generator breakers                                              | Yes                   | 80%                              | 1 s      |
| Breakers to thruster T1, T2, T3 and T4                          | Yes                   | 80%                              | 1 s      |
| Thruster drive controller (T1 and T2)                           | Yes                   | 85%                              | 900 ms   |
| Thruster drive controller (T3 and T4)                           | No                    |                                  |          |
| Breakers to DP essential auxiliaries                            |                       | < 85%                            | > 100 ms |
| Contactors and low voltage breakers to DP essential auxiliaries |                       | < 85%                            | > 100 ms |
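The two conclusions drawn from the example tables in D.5.1 (the tie breaker opens before the generator breakers on a worst case short circuit) and D.5.2 (no simultaneous loss of all generators or thrusters on an under-voltage) can be checked mechanically against the tabulated settings. The Python script below is an added example and is not part of this Recommended Practice nor of any breaker maker's or PMS vendor's software; the data classes and function names are the example's own, the numbers are those of the two example tables, and a table entry such as "> 100 ms" is modelled as a strict lower bound on the delay (the device trips only for dips longer than that), which is an assumption of the example.

```python
"""Protection-setting checks for closed bus-tie operation (D.5.1 / D.5.2).

Added illustration, not part of DNV-RP-D102 or of any vendor software.
Check 1 (short circuit): every breaker can break the worst-case fault, the tie
breaker picks it up, and the maker's discrimination margins hold.
Check 2 (under-voltage): in each analysed dip only the bus-tie trips, and its
release is at least as sensitive as, and faster than, every other device.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ScSetting:                      # short-circuit data per breaker (group)
    name: str
    breaking_capacity_ka: float
    trip_ka: float
    delay_ms: float


@dataclass(frozen=True)
class UvSetting:                      # under-voltage release data
    name: str
    trip_level_pct: Optional[float]   # None: no release fitted
    delay_ms: float = 0.0
    delay_is_lower_bound: bool = False  # models "> 100 ms": trips only for longer dips
    is_tie: bool = False


@dataclass(frozen=True)
class DipCase:
    name: str
    voltage_pct: float
    duration_ms: float


def check_short_circuit_selectivity(tie: ScSetting, gens: ScSetting,
                                    worst_tie_ka: float, worst_gen_ka: float,
                                    discrimination_limit_ka: float = 65.0,
                                    min_current_margin_ka: float = 2.0,
                                    min_delay_margin_ms: float = 200.0) -> List[str]:
    """Return findings (empty = tie opens first, all breakers within rating).
    Defaults are the maker figures quoted in the D.5.1 example."""
    f = []
    if tie.breaking_capacity_ka < worst_tie_ka:
        f.append(f"{tie.name}: breaking capacity below worst-case fault current")
    if gens.breaking_capacity_ka < worst_gen_ka:
        f.append(f"{gens.name}: breaking capacity below worst-case fault current")
    if worst_tie_ka > discrimination_limit_ka:
        f.append("worst-case fault exceeds the current up to which discrimination is documented")
    if tie.trip_ka >= worst_tie_ka:
        f.append(f"{tie.name}: trip setting would not pick up the worst-case fault")
    if gens.trip_ka - tie.trip_ka <= min_current_margin_ka:
        f.append("trip current margin between generator and tie breakers too small")
    if gens.delay_ms - tie.delay_ms <= min_delay_margin_ms:
        f.append("delay margin between generator and tie breakers too small")
    return f


def trips(dev: UvSetting, case: DipCase) -> bool:
    """A release trips when the voltage stays below its level for its delay."""
    if dev.trip_level_pct is None or case.voltage_pct >= dev.trip_level_pct:
        return False
    if dev.delay_is_lower_bound:
        return case.duration_ms > dev.delay_ms
    return case.duration_ms >= dev.delay_ms


def check_under_voltage_coordination(devices: List[UvSetting],
                                     cases: List[DipCase]) -> List[str]:
    """Findings: non-tie devices tripping in any dip case, and tie breakers
    whose release would not open before every other device."""
    f = []
    for case in cases:
        victims = [d.name for d in devices if not d.is_tie and trips(d, case)]
        if victims:
            f.append(f"{case.name}: {', '.join(victims)} would trip")
    for tie in (d for d in devices if d.is_tie):
        if tie.trip_level_pct is None:
            f.append(f"{tie.name}: no under-voltage release")
            continue
        for d in devices:
            if d.is_tie or d.trip_level_pct is None:
                continue
            faster = tie.delay_ms < d.delay_ms or (
                d.delay_is_lower_bound and tie.delay_ms <= d.delay_ms)
            if d.trip_level_pct > tie.trip_level_pct or not faster:
                f.append(f"{tie.name} would not open before {d.name}")
    return f


def example_findings():
    """Both checks on the D.5.1 / D.5.2 example data; expected ([], [])."""
    sc = check_short_circuit_selectivity(
        ScSetting("BT1", 65, 8, 80), ScSetting("Generator breakers", 65, 12, 500),
        worst_tie_ka=55, worst_gen_ka=35)
    devices = [
        UvSetting("Bus-tie 1 (Master)", 85, 100, is_tie=True),
        UvSetting("Bus-tie 1 (Slave)", 85, 100, is_tie=True),
        UvSetting("Generator breakers", 80, 1000),
        UvSetting("Thruster breakers T1-T4", 80, 1000),
        UvSetting("Thruster drive controller T1/T2", 85, 900),
        UvSetting("Thruster drive controller T3/T4", None),
        UvSetting("Breakers to DP essential auxiliaries", 85, 100, True),     # "< 85%", "> 100 ms"
        UvSetting("Contactors/LV breakers to DP auxiliaries", 85, 100, True),
    ]
    cases = [DipCase("Start of heavy consumer, two generators", 90, 3000),
             DipCase("Short circuit cleared by bus-tie", 0, 100)]
    return sc, check_under_voltage_coordination(devices, cases)
```

A non-empty list from either function is a finding to be carried into the FMEA worksheet; the same functions applied to the settings read on board during the inspection called for in D.3 item 6 give a direct comparison against the values assumed in the analysis.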

It is based on these settings concluded that there is no risk of losing all generators or thrusters simultaneously in closed tie breaker operation. To be verified on board that the settings are as specified.

*** End of example.

D.5.3 Load sharing monitoring

Load sharing failure between generators is a common mode failure that can lead to total blackout or full thruster load reduction (and thus also loss of position). This includes both active and reactive power sharing failure. Active and reactive load sharing monitoring is a function typically handled by the PMS.

Active power load sharing failure can be caused by governor failure, fuel rack failure, active power or frequency sensor failures, other signal failures and load-sharing line failures. (Examples of failure causes relevant in systems with load sharing performed by stand-alone units (isochronous) could be earth failure on, broken line in, and short circuit of the load sharing line.) Note that in case the PMS is performing load sharing control, a load sharing failure might also be caused by the PMS itself, if for instance a feedback signal to the power management system fails and this failure is not properly detected and handled. Reactive power load sharing failure can for instance be caused by AVR failure, reactive power sensor failures, and voltage sensor failures.

Possible consequences of load sharing failures are:
- Generator protection relays (reverse power and over-current) might in such cases trip the healthy generator instead of the faulty one, with blackout as the final state.
- PMS might command full load reduction to all thrusters due to high load on one generator (might lead to loss of position).

Typical barriers against such outcomes are control or protection systems that automatically open the tie breaker upon detection of load sharing failure (active or reactive). The FMEA has to analyse and describe how the actual system will handle load sharing failures. It might also be needed to prove that the measures are effective. Typical questions to be answered by the FMEA:
- How are active and reactive load sharing failures detected in the system?
- What is the action to bring the system to a safe state? (Opening of the tie-breaker will usually be part of an appropriate action.)
- Immediate or delayed action? Time delays in detection and action?

This kind of information may be found in the functional design specification of the PMS system. This issue will probably also be covered by the vendor's FMEA of the PMS, if such is available and used as input to the FMEA. It is not straightforward to prove that the measures against load sharing failure consequences are effective. Tests can be carried out on sea-trials or at dock if the necessary generator loads are available. An alternative is to verify this by use of HIL-testing.


*** Example of how the load sharing monitoring can be summarized in the FMEA:

The table below shows which Vessel control system is responsible for active and reactive power load sharing monitoring in the different modes.

| Mode               | Monitoring     | Control system / PLC | Monitors sharing between |
|--------------------|----------------|----------------------|--------------------------|
| Open tie-breaker   | Active power   | PMS A                | DG1, DG2                 |
| Open tie-breaker   | Active power   | PMS B                | DG3, DG4                 |
| Open tie-breaker   | Reactive power | PMS A                | DG1, DG2                 |
| Open tie-breaker   | Reactive power | PMS B                | DG3, DG4                 |
| Closed tie-breaker | Active power   | PMS A                | DG1, DG2, DG3, DG4       |
| Closed tie-breaker | Reactive power | PMS A                | DG1, DG2, DG3, DG4       |

Automatic action to bring the system into a safe state (split system) in case of active power load sharing failure:

| Mode               | Measure                | Level                | Delay  |
|--------------------|------------------------|----------------------|--------|
| Open tie-breaker   | Warning                | > 200 kW difference  | 10 sec |
| Open tie-breaker   | Alarm                  |                      |        |
| Open tie-breaker   | Other action (specify) |                      |        |
| Closed tie-breaker | Warning                | > 200 kW difference  | 10 sec |
| Closed tie-breaker | Alarm                  |                      |        |
| Closed tie-breaker | Trip of tie breaker    | > 300 kW difference  | 5 sec  |
| Closed tie-breaker | Other action (specify) |                      |        |

Automatic action to bring the system to a safe state (split system) in case of reactive power load sharing failure:

Mode               | Measure                | Level                 | Delay
Open tie-breaker   | Warning                | > 100 kVAr difference | 4 sec
Open tie-breaker   | Alarm                  |                       |
Open tie-breaker   | Other action (specify) |                       |
Closed tie-breaker | Warning                | > 100 kVAr difference | 4 sec
Closed tie-breaker | Alarm                  |                       |
Closed tie-breaker | Trip of tie breaker    | > 200 kW difference   | 2 sec
Closed tie-breaker | Other action (specify) |                       |

The tables show that appropriate measures are taken for the system in this example in case of load sharing failures (active or reactive). (Note that other system designs might require additional analyses.) It is also seen that PMS A is responsible for the monitoring when the tie breaker is closed. This is a potential single point failure that requires additional attention. Identified failure modes that need to be tested on FAT/Dock/Sea trial:

Failure mode (with closed tie-breaker) | Possible worst case consequence
Active power load sharing failure with closed tie-breaker | Full blackout may be the consequence in case the tie breaker is not opened fast enough, or in case no other action is initiated to bring the system to a safe state.
Reactive power load sharing failure with closed tie-breaker | Full blackout may be the consequence in case the tie breaker is not opened fast enough, or in case no other action is initiated to bring the system to a safe state.
Loss of PMS A | This might be a critical failure since loss of PMS A will lead to loss of both the load sharing monitoring and the load sharing control (see drawing in section A.4.5.4). Worst case consequence will be full blackout. It has to be verified that the tie breaker is automatically opened in case of loss of PMS A.
Loss of PMS B | This might be a critical failure since loss of PMS B will cause loss of both the load sharing monitoring and the load sharing control (see drawing in section A.4.5.4), since the monitoring carried out by PMS A is based on DG3 and DG4 signals routed through PMS B (see figure in section A.4.5.4). Worst case consequence might be full blackout. It has to be verified that the tie breaker is automatically opened in case of loss of PMS B.

*** End of example.
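As an added illustration (not part of this Recommended Practice or of any vendor's PMS), the levels and delays tabulated in the example above can be replayed against constructed generator load samples to see when a warning and a trip of the tie breaker would fall due. It assumes one sample per second, that "difference" is the spread between the highest and lowest loaded generator, and that a measure fires once its level has been exceeded continuously for the tabulated delay.

```python
# Added example, not from DNV-RP-D102: a load sharing monitor using the
# levels and delays of the D.5.3 example tables. Assumptions: samples
# arrive once per second, "difference" is the spread between the highest
# and lowest loaded generator, and a measure fires once its level has been
# exceeded continuously for the tabulated delay (a drop below resets it).
from typing import Dict, List, Optional, Tuple


class SharingMonitor:
    """Monitors active (kW) or reactive (kVAr) load sharing on one bus."""

    def __init__(self, warn_level: float, warn_delay: int,
                 trip_level: Optional[float] = None, trip_delay: int = 0):
        self.warn_level, self.warn_delay = warn_level, warn_delay
        self.trip_level, self.trip_delay = trip_level, trip_delay
        self._warn_timer = self._trip_timer = 0

    def step(self, loads: Dict[str, float]) -> List[str]:
        """Consume one 1 s sample of per-generator load; return measures due."""
        diff = max(loads.values()) - min(loads.values())
        self._warn_timer = self._warn_timer + 1 if diff > self.warn_level else 0
        due = ["warning"] if self._warn_timer >= self.warn_delay else []
        if self.trip_level is not None:  # trip only exists in closed tie-breaker mode
            self._trip_timer = self._trip_timer + 1 if diff > self.trip_level else 0
            if self._trip_timer >= self.trip_delay:
                due.append("trip tie breaker")
        return due


# Settings as tabulated for the example vessel (warning / trip of tie breaker).
ACTIVE_OPEN = dict(warn_level=200, warn_delay=10)
ACTIVE_CLOSED = dict(warn_level=200, warn_delay=10, trip_level=300, trip_delay=5)
REACTIVE_CLOSED = dict(warn_level=100, warn_delay=4, trip_level=200, trip_delay=2)


def run(settings: dict, samples: List[Dict[str, float]]) -> Tuple[Optional[int], Optional[int]]:
    """Replay samples; return the second of the first warning and of the trip (None if never)."""
    mon, first_warn = SharingMonitor(**settings), None
    for second, loads in enumerate(samples, start=1):
        due = mon.step(loads)
        if "warning" in due and first_warn is None:
            first_warn = second
        if "trip tie breaker" in due:
            return first_warn, second
    return first_warn, None


def governor_drift_samples() -> List[Dict[str, float]]:
    """Constructed 20 s scenario: DG1 carries 250 (kW or kVAr) more than the
    others, then its governor/AVR drifts further so the spread is 350 from t = 13 s."""
    return [{"DG1": 1000 + (250 if t <= 12 else 350), "DG2": 1000, "DG3": 1000, "DG4": 1000}
            for t in range(1, 21)]


if __name__ == "__main__":
    print("closed bus, active power:", run(ACTIVE_CLOSED, governor_drift_samples()))  # (10, 17)
    print("open bus, active power:", run(ACTIVE_OPEN, governor_drift_samples()))      # (10, None)
```

With the reactive settings the trip (2 sec) falls due before the warning (4 sec), which is the kind of timing relationship the FMEA should state explicitly and then confirm on trial or by HIL test.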


D.5.4 Active power load sharing control system

Load sharing between generators will typically be controlled by one of the following control systems:
- Load sharing by PMS
- Load sharing by dedicated, stand alone load sharing module
- Load sharing integrated in governors with communication between governors (e.g. analogue load sharing lines or digital communication)

Note: Load sharing control and load sharing monitoring (ref. A.4.5.3) are two different functions that both have to be addressed.

It is not uncommon to have a backup system where one of the above is the preferred system and one of the others is used as backup. The FMEA has to address the load sharing system thoroughly when operating with closed tie-breaker, since in this case the load sharing system will be common for both the A and B side, or at least the system will depend on measurements from both the A and B side. The FMEA has to identify possible common mode failures.

Typical signals used by the control system (PMS or stand alone dedicated system) in the load sharing control are:
- Running signal from all generators
- Open / closed status from all generator circuit breakers
- Open / closed status from tie-breaker(s) (both master and slave breakers if applicable)
- Active power measurement from all generators
- Speed up/down command signal to all generators.

It is thus quite clear that in a load sharing system there is a potential for single failures affecting both the A and B system. It will usually be necessary that the tie breaker is automatically opened if any failure in the load sharing system is detected. This applies both to load sharing by PMS and to other load sharing systems.

*** Example of how the load sharing system can be summarized in the FMEA:

The load sharing is controlled by the PMS. The load sharing is controlled as follows:
- Open tie-breaker: PMS A performs load sharing between DG1 and DG2; PMS B performs load sharing between DG3 and DG4.
- Closed tie-breaker: PMS A performs load sharing between DG1, DG2, DG3 and DG4.

The signals used for load sharing by PMS are shown in the figure below (for both open and closed tie-breaker mode). As can be seen, there are dependencies between the A and B systems both with closed and open tie-breaker. The FMEA analysis has concluded that the tests listed in the tables below have to be carried out in order to verify that the load sharing system conforms to the redundancy requirements.

[Figure: Closed tie-breaker. SWBD A + B with DG1, DG2, DG3 and DG4. PMS A receives PG1, PG2, DG1/DG2 running, CB1/CB2 closed and the tie breaker status directly, and PG3, PG4, DG3/DG4 running and CB3/CB4 closed via PMS B; PMS A sends speed up/down commands to DG1, DG2, DG3 and DG4.]


[Figure: Open tie-breaker. SWBD A with DG1 and DG2, SWBD B with DG3 and DG4. PMS A receives PG1, PG2, DG1/DG2 running, CB1/CB2 closed and the tie breaker status, and sends speed up/down commands to DG1 and DG2; PMS B receives PG3, PG4, DG3/DG4 running, CB3/CB4 closed and the same tie breaker status, and sends speed up/down commands to DG3 and DG4.]

Identified failure modes for closed tie-breaker that need to be tested:

Failure mode (with closed tie-breaker) | Possible worst case consequence
Power supply failure or complete loss of PMS A | No active power load sharing. May lead to load sharing failure and finally complete blackout (A + B) if not properly handled. It has to be verified that the tie breaker is automatically opened.
Power supply failure or complete loss of PMS B | Will cause faulty / frozen measurements from DG3 and DG4 in the load sharing control since these are routed through PMS B. May lead to load sharing failure and finally complete blackout (A + B) if not properly handled. It has to be verified that the tie breaker is automatically opened.
Tie breaker opened/closed status feedback failure | If the PMS acts as if the tie-breaker is open when it is actually closed (and vice versa), load sharing will fail and complete blackout (A + B) may be the final result. It has to be verified that the system will detect a failure on the tie breaker status signal and that the system is automatically split by opening the tie breaker in such a case.

Identified failure modes for open tie-breaker that need to be tested:

Failure mode | Possible worst case consequence
Tie breaker opened/closed status feedback failure | As shown on the drawing, system A and system B use the same tie breaker status signal. A failure on this signal will affect both the A and B side. It has to be verified that the integrity of the tie breaker status signal is monitored and that the tie breaker is commanded to open if a feedback failure is detected (even if the breaker is apparently open already).

*** End of example.

D.5.5 Blackout prevention, load reduction, load limitation system, and blackout recovery

To avoid generator overload, the load on the generators is typically reduced or shed automatically. This is essential to avoid partial or full blackout. This functionality is required also for open tie-breaker operation, but will be even more important when operating with closed tie-breaker, since an overload in this case may cause immediate full blackout. The FMEA has to address the intended functionality of the blackout prevention / load reduction / load limitation system and has also to verify that the system is fail safe, such that no single failure related to this functionality can violate the acceptance criteria, e.g. for DP2 blackout, or full loss of thrust.

The blackout prevention / load reduction / load shedding functionality might typically be implemented in more than one control system. Thus, on the same vessel one might find blackout prevention / load limitation / load reduction functionality in the:
- DP control system
- PMS
- a stand alone load limiting system
- variable frequency drive controllers.

The blackout prevention / load reduction / load shedding might typically be triggered by one or more of the following:
- high generator active power
- high generator reactive power (not common)
- high generator current
- high total load on bus (sum of generator active power)
- low bus frequency
- low bus voltage.

Such functionality may cause failure propagation between the A and B side when operating with closed tie-breaker. This could happen because the control system has to take into consideration all generators, both on the A and B side, in order to check for overload. Further, load reduction based on bus frequency or bus voltage may cause failure propagation between the A and B system: frequency and voltage are equal on the A and B side as long as the tie-breaker is closed. This means that low voltage or low frequency might cause simultaneous load reduction of all running thrusters and consequently risk of position loss.

It might be necessary to carry out tests on FAT/Dock/Sea trial to:
- prove that the system works as intended
- prove that critical failures in the blackout prevention / load reduction / load limitation are detected by the control systems (typically failure on the active power measurement signal to the control system and on the load reduction command signal to the thrusters)
- prove that no single failure will cause all thrusters to be reduced to a very low or zero speed simultaneously (risk of drift off).

Blackout recovery systems may also need to be analysed. It should be ensured that unintended operation cannot create a blackout, e.g. as a result of false blackout detection.

*** Example of how the blackout prevention / load reduction / load shedding can be presented in the FMEA:

Overview of blackout prevention / load reduction / load shedding functionality on the vessel:
Mode: Closed tie-breaker

Control system / PLC | Criteria to initiate action | Delay | Action
PMS A | Bus A+B load > 98% | 200 ms | Load reduction command is sent to THR1, THR2, THR3, THR4
PMS A | Bus A+B frequency < 56 Hz | 200 ms | Load reduction command is sent to THR1, THR2, THR3, THR4
PMS A | DG1 load > 98%; DG2 load > 98%; DG3 load > 98%; DG4 load > 98% | 200 ms | Load shedding of non-thruster heavy consumers on bus A
PMS A | DG1 load > 105%; DG2 load > 105%; DG3 load > 105%; DG4 load > 105% | 200 ms | Load reduction command to THR1, THR2, THR3, THR4
PMS B | Bus A+B load > 98% | 200 ms | Load reduction command sent to THR1, THR2, THR3, THR4
PMS B | Bus A+B frequency < 56 Hz | 200 ms | Load reduction command sent to THR1, THR2, THR3, THR4
PMS B | DG1 load > 98%; DG2 load > 98%; DG3 load > 98%; DG4 load > 98% | 200 ms | Load shedding of non-thruster heavy consumers on bus B
PMS B | DG1 load > 105%; DG2 load > 105%; DG3 load > 105%; DG4 load > 105% | 200 ms | Load reduction command to THR2 and THR4
DP | Bus A load > 95% | 1 sec | Command signal to THR1 and/or THR3 reduced
DP | Bus B load > 95% | 1 sec | Command signal to THR2 and/or THR4 reduced
THR1 | Bus A+B frequency < 56 Hz; Bus A+B voltage < 90% | 200 ms | THR1 reduces speed by itself
THR2 | Bus A+B frequency < 56 Hz; Bus A+B voltage < 90% | 200 ms | THR2 reduces speed by itself
THR3 | Bus A+B frequency < 56 Hz; Bus A+B voltage < 90% | 200 ms | THR3 reduces speed by itself
THR4 | Bus A+B frequency < 56 Hz; Bus A+B voltage < 90% | 200 ms | THR4 reduces speed by itself


The figure below shows how the blackout prevention / load limiting functions may lead to failure propagation, e.g. from the A to the B system (or vice versa). This system thus has to be addressed further. The table below summarizes the identified failure modes that will have to be tested in order to verify that no single failure will lead to loss of position.
[Figure: Blackout prevention / load limiting signal flow with closed tie-breaker. SWBD A + B with DG1, DG2, DG3 and DG4. PMS A receives kW for DG1 and DG2 and Hz / V from the bus; PMS B receives kW for DG3 and DG4 and Hz / V from the bus; THR1, THR2, THR3 and THR4 each receive Hz / V from the bus. Both PMS A and PMS B send a power limit to each of THR1, THR2, THR3 and THR4.]

Identified failure modes that need to be tested on FAT/Dock/Sea trial:

Failure mode | Possible worst case consequence
One generator power measurement fails to maximum | All thrusters (THR1, THR2, THR3, THR4) will in the worst case be reduced to 0% thrust (from both PMS A and PMS B). Need to verify that this is avoided. A possible measure will be to open the tie breaker.
One generator fails to full power | All thrusters (THR1, THR2, THR3, THR4) will in the worst case be reduced to 0% thrust (from both PMS A and PMS B). Need to verify that this is avoided. A possible measure will be to open the tie breaker.
Failure on Bus A or Bus B frequency or voltage measurement to PMS | The PMS receiving the faulty measurement might command load reduction to all thrusters simultaneously. Need to verify that the system checks for inconsistency in the frequency and voltage measurements and that the system is brought to a safe state in case such a failure is detected.

*** End of example.

D.5.6 PMS

The analysis of the power management system (PMS) must verify that no single failure in the PMS can violate the given acceptance criteria. Some relevant issues for the analysis are listed below:
- How is it ensured that a single feedback failure to the PMS does not cause violation of the acceptance criteria?
- Can the PMS connect a generator (or bus-tie) without synchronization?
- Can the PMS cause full load reduction to all running thrusters simultaneously?
- Can the PMS decrease generator frequencies to a level that causes risk of automatic load reduction of drives / tripping of drives?
- Can the PMS increase frequency to a level that causes systems to trip?
- Can a single PMS operator failure cause blackout?
- What are the consequences of communication failures?
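The failure propagation described in D.5.5 (one faulty measurement reducing all thrusters) and the D.5.6 question of whether a single feedback failure can cause full load reduction can be made concrete with a small model. The following is an added example, not code from this Recommended Practice or from any PMS vendor: it implements three of the closed tie-breaker triggers from the D.5.5 table as a naive PMS that acts on every measurement as received, beside an assumed variant that cross-checks its inputs; generator ratings, the frequency tolerance and the "open tie breaker" response for a single-generator anomaly are assumptions made for the illustration.

```python
# Added example, not from DNV-RP-D102. It models three of the closed
# tie-breaker triggers tabulated in the D.5.5 example (bus A+B load > 98%,
# any DG load > 105%, bus frequency < 56 Hz) for a naive PMS that acts on
# every measurement as received, beside an assumed variant that cross-checks
# its inputs first. Generator ratings and the tolerance are constructed values.
from typing import Dict, List

RATING_KW = {"DG1": 2000.0, "DG2": 2000.0, "DG3": 2000.0, "DG4": 2000.0}  # constructed
THRUSTERS = ["THR1", "THR2", "THR3", "THR4"]
BUS_LIMIT_PCT, DG_LIMIT_PCT, MIN_FREQ_HZ = 98.0, 105.0, 56.0  # from the D.5.5 table
FREQ_MISMATCH_HZ = 0.5  # assumed: largest credible fA - fB while the tie breaker is closed


def naive_pms(dg_kw: Dict[str, float], freq_a: float, freq_b: float) -> dict:
    """Acts exactly as tabulated: any trigger -> load reduction to all thrusters."""
    total, capacity = sum(dg_kw.values()), sum(RATING_KW.values())
    trigger = (total > capacity * BUS_LIMIT_PCT / 100
               or any(kw > RATING_KW[dg] * DG_LIMIT_PCT / 100 for dg, kw in dg_kw.items())
               or freq_a < MIN_FREQ_HZ)  # PMS A trusts its own bus A frequency sensor
    return {"reduce": list(THRUSTERS) if trigger else [], "open_tie": False, "reason": ""}


def checked_pms(dg_kw: Dict[str, float], freq_a: float, freq_b: float) -> dict:
    """Assumed hardened variant (an illustration, not a DNV requirement):
    frequency is acted on only if the A and B readings agree, since with the
    tie breaker closed they must be equal; one generator above 105% while the
    bus total is healthy is treated as a sharing or measurement failure and
    the system is split instead of reducing all thrusters."""
    total, capacity = sum(dg_kw.values()), sum(RATING_KW.values())
    if abs(freq_a - freq_b) > FREQ_MISMATCH_HZ:
        return {"reduce": [], "open_tie": True, "reason": "frequency sensors disagree"}
    if freq_a < MIN_FREQ_HZ or total > capacity * BUS_LIMIT_PCT / 100:
        return {"reduce": list(THRUSTERS), "open_tie": False, "reason": "bus overload"}
    hot: List[str] = [dg for dg, kw in dg_kw.items() if kw > RATING_KW[dg] * DG_LIMIT_PCT / 100]
    if hot:
        return {"reduce": [], "open_tie": True, "reason": "single generator anomaly: " + ",".join(hot)}
    return {"reduce": [], "open_tie": False, "reason": "ok"}


# Constructed cases: DG1 kW measurement fails to full scale (3000 kW) on an
# otherwise lightly loaded bus; bus A frequency sensor fails to 50 Hz while
# bus B still reads 60 Hz; and a genuine overload of all four generators.
SENSOR_TO_MAX = ({"DG1": 3000.0, "DG2": 1200.0, "DG3": 1200.0, "DG4": 1200.0}, 60.0, 60.0)
FREQ_SENSOR_FAIL = ({"DG1": 1200.0, "DG2": 1200.0, "DG3": 1200.0, "DG4": 1200.0}, 50.0, 60.0)
REAL_OVERLOAD = ({"DG1": 1990.0, "DG2": 1990.0, "DG3": 1990.0, "DG4": 1990.0}, 60.0, 60.0)

if __name__ == "__main__":
    for name, case in [("sensor to max", SENSOR_TO_MAX), ("freq sensor fail", FREQ_SENSOR_FAIL),
                       ("real overload", REAL_OVERLOAD)]:
        print(name, "| naive:", naive_pms(*case)["reduce"], "| checked:", checked_pms(*case))
```

In the two single-failure cases the naive rule set reduces all four thrusters (the drift-off risk the D.5.5 table warns of), while the checked variant only does so for the genuine overload; it is exactly this distinction that the FAT/Dock/Sea trial tests listed above have to demonstrate.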
