STANDARD FOR CERTIFICATION

No. 2.16

SPECIFICATION FOR REDUNDANCY IN POSITION

KEEPING ABILITY
JUNE 2003

DET NORSKE VERITAS

Veritasveien 1, N-1322 Høvik, Norway Tel.: +47 67 57 99 00 Fax: +47 67 57 99 11
FOREWORD
DET NORSKE VERITAS is an autonomous and independent Foundation with the objective of safeguarding life, property and
the environment at sea and ashore.

DET NORSKE VERITAS AS is a fully owned subsidiary Society of the Foundation. It undertakes classification and
certification of ships, mobile offshore units, fixed offshore structures, facilities and systems for shipping and other industries.
The Society also carries out research and development associated with these functions.

DET NORSKE VERITAS operates a worldwide network of survey stations and is authorised by more than 120 national
administrations to carry out surveys and, in most cases, issue certificates on their behalf.

Standards for Certification

Standards for Certification (previously Certification Notes) are publications that contain principles, acceptance criteria and
practical information related to the Society's consideration of objects, personnel, organisations, services and operations.
Standards for Certification also apply as the basis for the issue of certificates and/or declarations that may not necessarily be
related to classification.

A list of Standards for Certification is found in the latest edition of the Pt.0 of the ”Rules for Classification of Ships”, and the
”Rules for Classification of High Speed, Light Craft and Naval Surface Craft”.

The list of Standards for Certification is also included in the current “Classification Services – Publications” issued by the
Society, which is available on request. All publications may be ordered from the Society’s Web site http://exchange.dnv.com.
The list of publications is also available from this site.

© Det Norske Veritas 2003

If any person suffers loss or damage which is proved to have been caused by any negligent act or omission of Det Norske Veritas, then Det Norske Veritas
shall pay compensation to such person for his proved direct loss or damage. However, the compensation shall not exceed an amount equal to ten times the
fee charged for the service in question, provided that the maximum compensation shall never exceed USD 2 million.

In this provision “Det Norske Veritas” shall mean the Foundation Det Norske Veritas as well as all its subsidiaries, directors, officers, employees, agents and
any other acting on behalf of Det Norske Veritas.
CONTENTS
1. General Requirements.............................................4 3.2 System Arrangement................................................. 8
1.1 The Specification .......................................................4 3.3 Gyro Compass........................................................... 8
1.2 Definitions .................................................................4 3.4 Monitoring ................................................................ 8
1.3 Documentation...........................................................5 4. Thruster Systems..................................................... 8
1.4 Survey and Test upon Completion.............................5 4.1 General ...................................................................... 8
1.5 Alterations .................................................................5 5. Power Systems ......................................................... 9
2. General Arrangement..............................................5 5.1 General ...................................................................... 9
2.1 General.......................................................................5 5.2 Control System Power Supply .................................. 9
2.2 Redundancy and Failure Modes ................................6 6. Auxiliary systems .................................................. 10
2.3 System Arrangement .................................................6 6.1 General .................................................................... 10
2.4 Internal Communication ............................................7 6.2 Fuel oil .................................................................... 10
3. Position keeping system...........................................7 6.3 Cooling water.......................................................... 10
3.1 System Arrangement .................................................7

DET NORSKE VERITAS

4 Standard for Certification- No. 2.16
1. General Requirements
1.1 The Specification
1.1.1 Intention
Vessels built and tested in compliance with the requirements
in this specification shall not lose position keeping ability in
the event of any defined single failure. This implies that after
any single failure the vessel is to be able to produce
sufficient transverse thrust, longitudinal thrust and a yawing
moment to keep its position and to safely terminate the
operation.
Note
For single failure definition, see Sec.2 B201.
1.1.2 Application
The requirements in this specification are additional to the
rules for main class.
This specification does not include requirements or
recommendations in regard to the vessels operation or other
characteristics.
1.1.3 Letter of compliance
Vessels built and tested according to the requirements in this
specification may be assigned a letter of compliance, which
states compliance with this specification.
Note
Under special consideration a letter of compliance can be
assigned to a vessel not complying with all requirements in this
specification. Divergence from the specification will be listed in
the letter of compliance.
1.2 Definitions
1.2.1 General
Consequence analysis: An automatic monitoring function
that checks the ability of the vessel to maintain position
under prevailing weather conditions, in the event of a worse
case single failure.
Failure: An occurrence in a component or system causing
one or both of the following effects:
− loss of component or system function.
− deterioration of functional capability to such an extent
that the safety of the vessel, personnel, or environment is
significantly reduced.
Note
Certain exceptions will be allowed in the definition of single
failure. Flooding and fire are not to be considered beyond main
class requirements. Failure of non-moving components, e.g.
pipes, manual valves, cables etc. may not need to be considered if
adequate reliability of a single component can be documented,
and the part is protected from mechanical damage.
Independence: Independence is to take into account all
technical functions. Use of shared components can be
accepted if the reliability is sufficiently high and/or the effect
of failure is sufficiently low.
DET NORSKE VERITAS
June 2003
Note
Common operator controls for command inputs will be accepted
when utilising the redundancy mode. Particular attention should
be paid to the redundancy and independence of ventilation and
cooling facilities for equipment where temperature problems are
anticipated. Such facilities will be considered with respect to the
intended area of operation.
Joystick: See DNV Rules for Ships Pt.6 Ch.7 Sec.1 B106.
Position keeping: Maintaining a desired position within the
normal excursions of the system and the environmental
conditions.
Note
Position is kept by an operator operating manual levers, a joystick
system or a dynamic positioning control system, and watching
over the position of the vessel.
Position keeping system: The installation necessary for a
vessel to keep position comprise of the following systems:
− electric power system
− thrusters system
− dynamic position control system and/or joystick system
and manual levers for each thruster.
Power system: All components and systems necessary to
supply the position keeping system with power. The power
system includes:
− prime movers with necessary auxiliary systems
including piping
− generators
− switchboards
− uninterruptible power supplies (UPS) and batteries
− distribution system including cabling and cable routing
− power management system
Propulsion thruster: a thruster that is mainly assigned to
propulsion of the vessel. A propulsion thruster may also
provide steering function.
Redundancy: See DNV Rules for Ships Pt.6 Ch.7 Sec.1
B111.
Reliability: See DNV Rules for Ships Pt.6 Ch.7 Sec.1 B112.
Thruster system: All components and systems necessary to
supply the position keeping system with thrust force and
direction. The thruster system includes:
− Thruster with drive units and necessary auxiliary
systems including piping
− Thruster control
− Associated cabling and cable routing
− Main propellers and rudders if these are under the
control of the position keeping system
Standard for Certification- No. 2.16 5

June 2003

1.3 Documentation control-manual override of thruster control- emergency stop-

1.3.1 Instrumentation and automation
For general requirements for documentation of
instrumentation and automation, including computer based
control and monitoring, see DNV Rules for Ships Pt.4 Ch.9
Sec.1.
1.3.2 Thruster documentation and Electric power
system documentation
Documentation shall be submitted as required for main class.
1.3.3 Failure mode and effect analysis (FMEA)
Documentation of the reliability of the position keeping
system is required in the form of a failure mode and effect
analysis (FMEA).
The purpose of the FMEA is to give a description of the
different failure modes of the equipment when referred to its
functional task. Special attention shall be paid to the analysis
of systems that may enter a number of failure modes and thus
induce a number of different effects on the position keeping
system. The FMEA shall include the information specified in
303 to 305.
A breakdown of the position keeping system, into functional
blocks shall be made. The functions of each block shall be
described. The breakdown shall be performed to such a level
of detail that the functional interfaces between the functional
blocks are shown.
A description of each physically and functionally
independent item and the associated failure modes with their
failure causes related to normal operational modes of the
item is to be furnished.
A description of the effects of each failure mode alone on
other items within the system and on the overall position
keeping system is to be made.
Note
Description of FMEA systematic may be found in IEC
Publication 60812 and IMO HSC Code, Annex 4.
1.3.4 Programme for tests and trials
A programme for tests and trials including redundancy tests
are to be submitted for approval. The requirements for the
programme are described in D.
1.4 Survey and Test upon Completion
1.4.1 General
Upon completion, the position keeping system is to be
subjected to final tests. The program is to contain test
procedures and acceptance criteria.
Note
It is assumed that prior to the position keeping system test, all
systems and equipment included in the position keeping system
have been tested according to main class. This should at least
include:- load test according to main class- transfer of thruster
"ready" signals-failure in thruster command/feedback signals.
1.4.2 Measuring system
The gyro compass is to be tested as part of the complete
system.
Failures of the gyro compass are to be simulated to verify
that alarm is initiated upon failure.
1.4.3 Thrusters
Functional tests of control and alarm systems of each thruster
are to be carried out.
All signals exchanged between each thruster and the position
keeping system are to be checked.
The different modes of thruster control are to be tested.
Proper operation of mode selection is to be verified.
1.4.4 Electric power supply
The capacity of the UPS batteries is to be tested.
1.4.5 Joystick
All functions of the joystick are to be tested.
1.4.6 Redundancy tests
A selection of tests within each system analysed in the
FMEA is to be carried out. Specific conclusions of the
FMEA for the different systems are to be verified by tests
when redundancy or independence is required.
The test procedure for redundancy is to be based on the
simulation of failures and shall be performed under as
realistic conditions as practicable.
1.5 Alterations
1.5.1 Recommendation to owner
The owner is to advise the Society of major alterations to the
position keeping system hardware or software. The Society
will consider the need for a re-survey or test.
Note
A major alteration might be:
− installation of new thrusters
− software changes
− structural changes
− changes in electric power system
2. General Arrangement
2.1 General
2.1.1 General
The general requirements for position keeping system design
are presented in Table C1.

DET NORSKE VERITAS

6 Standard for Certification- No. 2.16

June 2003

The design and level of redundancy employed in system − Any active component or system
arrangements is to the extent that the vessel maintains the − Static components which are not properly documented
ability to keep position after worst case failure(s). with respect to protection
− A single inadvertent act of operation. If such an act is
2.2 Redundancy and Failure Modes reasonably probable
− Systematic failures or faults that can be hidden until a
2.2.1 Redundancy new fault appears
Position keeping ability is to be maintained without
disruption upon any single failure. Full stop of all thrusters
and subsequent start-up of available thrusters, is not Note
considered as an acceptable disruption. In order to reduce the probability of inadvertent acts, the
following may be used:
Note − double action
Component and system redundancy, in technical design and − operation of two separate devices
physical arrangement, should in principle be immediately
available with the capacity required for the position keeping − using screen based question pop-ups
system to safely terminate the work in progress. The consequence Note
analysis required in Sec.3 E200 will give an indication whether For the purpose of this analysis, the following are also considered
the position and heading can be maintained after a single failure. as active:
The transfer to components or systems, designed and arranged to − coolers
provide redundancy, should be automatic and the operator
intervention should be kept to a minimum. − filters
− motorised valves
Automatic or manual interconnections arranged to improve − fuel oil tanks
the position keeping ability after a failure will be considered, − electrical and electronic equipment
but will be accepted as contributing to redundancy only if
their reliability and simplicity of operation is satisfactory. Based on the single failure definition in 201 worst case
failure are to be determined and used as the criterion for the
Note consequence analysis.
The starting of a generator after black-out is not accepted in this
context, whereas restart of a thruster will be accepted on the 2.3 System Arrangement
condition that start facilities are arranged in the position keeping
control centre. 2.3.1 General
2.2.2 Failure modes The requirements for system arrangement are summarised in
Table C1. Specific requirements for each subsystem are
Loss of position keeping ability is not to occur in the event of presented under the respective section headings.
a single failure in any active component or system as
specified. Normally static components will not be considered
to fail if adequate protection is provided. Single failure
criteria:
Table C1 System arrangement
Subsystem or component Minimum requirements
Generators and prime movers Redundancy in technical design
Main switchboard 1 with bus-tie
Electrical
power Bus-tie breaker 1
system
Distribution system Redundancy in technical design
Power management Yes
Generally Redundancy in accordance with single failure criteria
Auxiliary
system Fuel oil system Separation (*)
Fresh water cooling system Separation (*)
Arrangement of thrusters Redundancy in technical design
Thrusters Single levers for each thruster (**) Yes
at position keeping control centre
Control Manual control; joystick (***) Yes
system with auto heading
External Gyro compass 2
Sensor
UPS /Continuously charged battery 1

DET NORSKE VERITAS

Standard for Certification- No. 2.16
June 2003
( )
* Normally closed cross-over are accepted
(
**) The requirement for single levers for each thruster may be omitted if the vessel is equipped with two joystick control
(
***) systems with auto heading.
The requirement for a joystick control system may be omitted if the vessel is equipped with a dynamic position control
system
2.3.2 Position keeping control centre
The vessel is to have a position keeping control centre
designated for position keeping control, where necessary
information sources, such as indicators, displays, alarm
panels, control panels and internal communication system
are installed.
The position keeping control centre is preferable to be
located on the bridge. If the position keeping centre is not on
bridge the work environment in the control centre is to
satisfy the requirements in DNV Rules for steel ships Pt.4
Ch.9 Sec.6 F.
Note
National and international regulations on noise levels should be
observed.
The location of the position control centre is to be chosen to
suit the main activity of the vessel.
The position control centre is normally to be arranged such
that the position keeping operator has a good view of the
vessel’s exterior limits and surrounding area.
2.3.3 Arrangement of position keeping control system
Position keeping system is to include:
− independent joystick with heading control
− manual leavers for each thruster
2.3.4 Arrangement and layout of control panels
The information sources like displays, indicators, etc. are to
provide information in a readily usable form.
The operator is to be provided with immediate information of
the effect of any actions.
Where applicable, feedback signals are to be displayed, not
only the initial command.
Easy switch-over between operational modes is to be
provided. Active mode is to be positively indicated.
Positive indications of the operational status of the different
systems are to be given.
Indicators and controls are to be arranged in logical groups,
and are to be co-ordinated with the geometry of the vessel,
when this is relevant.
If control of a sub-system can be carried out from alternate
control stations, positive indication of the station in charge is
to be provided. When responsibility is transferred from one
station to another, this is to be indicated.
DET NORSKE VERITAS
7
Note
For control transfer arrangements, see DNV Rules for Steel Ships
Pt.4 Ch.9 Sec.3.
Precautions are to be taken to avoid inadvertent operation of
controls if this may result in a critical situation. Such
precautions may be proper location of handles etc, recessed
or covered switches, or logical requirements for operations.
Interlocks are to be arranged, if erroneous sequence of
operation may lead to a critical situation or damage of
equipment.
Controls and indicators placed on the navigation bridge are
to be sufficiently illuminated to permit use at night without
difficulty. Lights for such purposes are to be provided with
dimming facilities.
2.3.5 Arrangement and layout of data communication
links
When two or more thrusters systems and their manual
controls are using the same data communication link, this
link is to be arranged with redundancy in technical design.
When the joystick and/or a dynamic positioning control
system uses a data communication link, this link is to be
separate from the communication link(s) for manual control.
2.4 Internal Communication
2.4.1 Internal communication
A two-way voice communication facility is to be provided
between the position keeping control centre and the
navigation bridge, engine control room and relevant
operation control centres.
The internal communication system is to operate
independently of the vessel's main power system.
3. Position keeping system
3.1 System Arrangement
3.1.1 Joystick thruster control
The joystick controller is to include selectable automatic
heading control.
Note
The requirement for a joystick system may be omitted if the
vessel is equipped with a dynamic position control system.
Any failure in the joystick control system is to set the thrust
commands to zero and initiate an alarm.
Loss of heading alarm is to be initiated when the actual
heading differs from the heading order.
8 Standard for Certification- No. 2.16
Note
The alarm limit is to be set individually for each vessel, but it
should generally not exceed 5°C.
3.2 System Arrangement
3.2.1 Thruster control mode selection
The thruster control mode, i.e. manual and joystick, is to be
selectable by a simple device located in the position keeping
control centre. The control mode selector may consist of a
single selector switch, or individual selectors for each
thruster.
The control mode selector is to be arranged so that it is
always possible to select manual controls after any single
failure in the automatic/semi-automatic position keeping
control mode.
Note
If the selector system is based on relays, manual control should
be accessible after power failure to the selector relays.
The mode selector is not to violate redundancy requirements.
Note
A common switch will be accepted, but each system is to be
electrically independent.
3.3 Gyro Compass
3.3.1 General
Monitoring of the gyro compass is to include alarms for
electrical and mechanical functions.
When failure of the gyro compass is detected, an alarm is to
be initiated even if the gyro compass is in a stand-by or off-
line use at the time of failure.
Note
During position keeping operation, it is important that permanent
failures of any gyro compass, whether it is being used or not at
the time, is brought to the attention of the operator. Temporary
trouble of an operational nature, e.g. disturbance of acoustic
systems, out of range warnings, in off-line or stand-by gyro
compass do not need to initiate an alarm.
Gyro compasses may be shared with other systems provided
failure in any of the other systems cannot spread to the
position keeping system.
Note
Gyro compasses that are separated electrically are regarded as
fulfilling the requirement in 104.
3.4 Monitoring
3.4.1 Alarm system
The position keeping control centre is to receive alarms and
warnings reflecting the status of the position keeping system.
Note
The alarms from power and thruster systems may be group
alarms for each prime mover, generator, or thruster, as generated
by the general alarm system of the vessel.
DET NORSKE VERITAS
June 2003
If the alarms in the position keeping control centre are slave
signals of other alarm systems, there is to be a local
acknowledgement and silencing device.
The silencing device in 102 shall not inhibit new alarms.
The alarms to be presented in the position keeping centre are
normally to be limited to functions relevant to position
keeping operation.
3.4.2 Consequence analysis
The positioning keeping control systems are to perform an
analysis of the ability to maintain position after worst case
failures. An alarm is to be initiated, with a maximum delay
of 5 minutes, when a failure will cause loss of position
keeping capability in the prevailing weather conditions.
Note
This analysis should verify that the thrusters remaining in
operation after the worst case failure can generate the same
resultant thruster force and moment as required before the failure.
The analysis is to consider the average power and thrust
consumption. Brief, dynamic effects should be removed by
filtering techniques.
4. Thruster Systems
4.1 General
4.1.1 Rule application
Thrusters are to comply with main class requirements.
The thrusters are to be designed as "dynamic positioning
thrusters" or "propulsion thrusters". The thruster systems are
to be designed for continuous operation.
Note
Generally no restrictions should be put on the starting intervals of
electrical machines. If required, the arrangement is subject to
approval in each case.
4.1.2 Thruster configuration
In a thruster configuration, provided with redundancy in
design and physical arrangement, there is to be transverse
and longitudinal thrust, and yawing moment after any single
failure.
Note
Transverse thrust generated by the combined use of propellers
and rudders may upon special consideration, be accepted as
equivalent to a side thruster for back-up purposes.
Note
The rules do not specify the number or size of thrusters to make
up the configuration.
Thrusters are to be located with consideration of effects, which
will reduce their efficiency, e.g. thruster-hull, and thruster-
thruster interaction, and shallow-immersion effects.
Standard for Certification- No. 2.16
June 2003
4.1.3 Thruster control
It shall be possible to stop the thrusters individually from the
position keeping control station by means independent of the
positioning and thruster control systems. This emergency
stop is to be arranged with separate cables for each thruster.
An alarm is to be initiated upon loop failure, i.e. broken
connections or short-circuit, in the emergency stop system.
A failure in the thruster control system is neither to cause
significant increase in thrust output nor make the thruster
rotate.
4.1.4 Indication
Running and stop, pitch and r.p.m. and azimuth for each
thruster are to be displayed at the position keeping control
stand.
The displays of 401 are to be continuously available. At least
pitch and r.p.m. and azimuth displays are to be readable from
the normal position of the operator. Slave panel meters are to
be installed if the displays are not readable from the normal
position of operator.
The indication is to be independent of the thruster control
system.
5. Power Systems
5.1 General
5.1.1 General
The power systems are to comply with the relevant rules for
main class.
5.1.2 Number and capacity of generators
Number of generators are to comply with the redundancy
requirements as defined in the single failure criteria in Sec.2.
To prevent overloading the power plant, interlocks or thrust
limitations are to be arranged.
Note
This arrangement may be integral to part of the vessel's power
management system.
5.1.3 Power management
An automatic power management system is to be arranged,
operating with both open and closed bus-bar breakers. This
system is to perform the following functions:
− load dependent starting of additional generators
− block starting of large consumers when there is not
adequate running generator capacity, and to start up
generators as required, and hence to permit requested
consumer start to proceed
− if load dependent stop of running generators is provided,
facilities for disconnection of this function is to be
arranged
DET NORSKE VERITAS
9
− if breaker control is provided, facilities for disconnection
of this function is to be arranged.
A failure in the power management system is not to cause
alteration to the power generation, and is to initiate an alarm
in the position keeping control centre.
It is to be possible to operate the switchboards in manual as
required by the main class, with the power management
system disconnected.
Overload, caused by the stopping of one or more generators,
shall not create a black-out.
Note
Reduction in thruster load, i.e. pitch or speed reductions, should
be introduced to prevent blackout and enable stand-by generators
to come on line. If this function is taken care of by the positioning
control system, the effect is to be co-ordinated with the power
management system.
Load reductions should preferably be achieved through the
tripping of unimportant consumers, and the requirement does not
exempt such means. But, it is common that the relative load
proportions will require thruster load reduction, in order to
effectively reduce overload situations.
5.1.4 Main and distribution switchboards arrangement
The switchboard arrangement is to be such that no single
failure will give a total black-out, this means equipment
failures.
When considering single failures of switchboards, the
possibility of short-circuit of the bus-bars has to be
considered.
A main bus-bar system consisting of at least two sections,
with bus-tie or inter-connector breaker(s), are to be arranged.
This breaker is to be a circuit breaker capable of breaking the
maximum short circuit current in the system, and which is
selective in relation to generator breakers to avoid total loss
of main power (black-out).
Bus-bar control and protection systems are to be designed to
work with both open and closed bus-tie breakers.
The on-line power reserve, i.e. the difference between on-
line generator capacity and generated power at any time, is to
be displayed in the position keeping control centre. The
indication is to be continuously available. For split-bus
power arrangements, indications are to be provided for
individual bus sections.
5.2 Control System Power Supply
5.2.1 General
The joystick system and the gyro compasses are to be
powered from continuously charged battery/UPS. The
battery/UPS is to have alarm for charging failure.
The battery is to be able to provide maximum load output
power for 30 minutes after loss of charger input power.
10
6. Auxiliary systems
6.1 General
6.1.1 General
The auxiliary systems are to be arranged so that any defined
single failure will not exceed the maximum failure.
Note
For single failure definition, see Sec.2 B201.
Failure is to be considered for all active components as
specified in Sec.2 B. Unless otherwise specified in this
specification, fixed piping may be shared by components
designed with redundancy.
6.2 Fuel oil
6.2.1 Fuel oil
The fuel oil supply systems are to be arranged with full
separation between systems designed with redundancy.
DET NORSKE VERITAS
Standard for Certification- No. 2.16
June 2003
There is to be at least one service tank serving each dedicated
system. Cross-over facilities may be arranged, but are to be
kept closed in normal operation.
If the fuel system requires heating, then the heating system is
to be designed with the appropriate level of redundancy.
6.3 Cooling water
6.3.1 Cooling water
Fresh water cooling systems are to be arranged with full
separation between systems designed with redundancy, in
view of the risk of severe loss of water or accumulation of
gas due to leakage. Cross-over facilities may be arranged, but
are to be kept closed in normal operation.