1.1.2 When systems under control are required to be duplicated and in separate compartments, this is also to apply to control elements within computer based systems.

1.1.3 As a rule, computer based systems intended for essential services are to be type approved.

1.1.4 Programmable electronic systems are to fulfil the requirements of the system under control for all normally anticipated operating conditions, taking into account danger to persons, environmental impact, damage to ship as well as equipment, usability of programmable electronic systems and operability of non computer devices and systems, etc.

1.1.5 When an alternative design or arrangements deviating from these requirements are proposed, an engineering analysis is required to be carried out in accordance with a relevant International or National Standard acceptable to the Society. See also SOLAS Ch II-1/F, Reg. 55.

Note 1: As a failure of a category III system may lead to an accident with catastrophic severity, the use of unconventional technology for such applications is only to be permitted exceptionally in cases where evidence is presented that demonstrates acceptable and reliable system performance to the satisfaction of the Society.

1.5 System failure

1.5.1 In the event of failure of part of the system, the remaining system is to be brought to a downgraded operable condition.

1.5.2 A self-monitoring device is to be implemented so as to check the proper function of hardware and software in the system. This is to include a self-check facility of input/output cards, as far as possible.

1.5.3 The failure and restarting of computer based systems should not cause processes to enter undefined or critical states.

1.6 System redundancy

1.6.1 If it is demonstrated that the failure of the system, which includes the computer based system, leads to a disruption of the essential services, a secondary independent means, of appropriate diversity, is to be available to restore the adequate functionality of the service.
4.2.3 Where a single component failure results in loss of data communication, means are to be provided to automatically restore data communication.

4.2.4 The choice of transmission cable is to be made according to the environmental conditions. Particular attention is to be given to the level characteristics required for electromagnetic interferences.

4.5.2 Switching of redundant networks from one to the other is to be achieved without alteration of the performance.

4.5.3 When not in operation, the redundant network is to be permanently monitored, so that any failure of either network may be readily detected. When a failure occurs in one network, an alarm is to be activated.
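The following is an added example, not part of the rules text: a small supervisor for a duplicated data network that shows the behaviour asked for in 4.2.3 (automatic restoration of data communication after a single failure) and 4.5.3 (the network not in operation is monitored permanently, and an alarm is raised when either network fails). Network names, the heartbeat timeout and the timestamps are constructed sample values, and the time is passed in explicitly so that the logic can be exercised offline.

```python
"""Supervisor for a duplicated data network (added example, constructed
values). Both networks send periodic supervision frames ("heartbeats");
the one not carrying traffic is monitored exactly like the active one."""


class NetworkSupervisor:
    def __init__(self, networks=("A", "B"), timeout=2.0):
        self.active, self.standby = networks
        self.timeout = timeout                      # seconds of silence tolerated
        self.last_seen = {n: None for n in networks}
        self.healthy = {n: True for n in networks}
        self.events = []                            # (time, kind, message) for the operator
        self.switch_count = 0

    def heartbeat(self, network, now):
        """Record a supervision frame from either network. Because the standby
        network is tracked too, its failure is detected while it is idle (4.5.3)."""
        self.last_seen[network] = now
        if not self.healthy[network]:
            self.healthy[network] = True
            self.events.append((now, "info", f"network {network} restored"))

    def poll(self, now):
        """Periodic check. A network whose heartbeats stopped is declared failed
        and an alarm is raised; if it was the active one and the standby is
        healthy, data communication is switched automatically (4.2.3, 4.5.2)."""
        for n in (self.active, self.standby):
            seen = self.last_seen[n]
            silent = seen is None or now - seen > self.timeout
            if self.healthy[n] and silent:
                self.healthy[n] = False
                self.events.append((now, "alarm", f"network {n} failed"))
        if not self.healthy[self.active] and self.healthy[self.standby]:
            self.active, self.standby = self.standby, self.active
            self.switch_count += 1
            self.events.append((now, "info", f"data communication switched to {self.active}"))
        return self.active

    def communication_available(self):
        """True while the network currently carrying traffic is healthy."""
        return self.healthy[self.active]


if __name__ == "__main__":
    s = NetworkSupervisor()
    s.heartbeat("A", 0.0)
    s.heartbeat("B", 0.0)
    for t in (1.0, 2.0, 3.0):       # constructed trace: B goes silent after t=0
        s.heartbeat("A", t)
    s.poll(3.0)
    for e in s.events:
        print(e)
```

The standby failure at t=3.0 produces an alarm even though no traffic was using that network, which is the point of 4.5.3; a later silence on the active network triggers the switch without any operator action.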
4.6.3 Wireless data communication is to employ recognised international wireless communication system protocols that incorporate the following:

a) Message integrity: fault prevention, detection, diagnosis, and correction so that the received message is not corrupted or altered when compared to the transmitted message

b) Configuration and device authentication: shall only permit connection of devices that are included in the system design

c) Message encryption: protection of the confidentiality and/or criticality of the data content

d) Security management: protection of network assets, prevention of unauthorised access to network assets.

4.6.4 The wireless system is to comply with the radio frequency and power level requirements of International Telecommunications Union and flag state requirements.

Note 1: Consideration should be given to system operation in the event of port state and local regulations that pertain to the use of radio-frequency transmission prohibiting the operation of a wireless data communication link due to frequency and power level restrictions.

4.7 Protection against modifications

The user is to be provided with positive confirmation of action.

Control of essential functions is only to be available at one control station at any time. Failing this, conflicting control commands are to be prevented by means of interlocks and/or warnings.

5.3.2 When keys are used for common/important controls, and several functions are assigned to such keys, the active function is to be recognisable.

If use of a key may have unwanted consequences, provision is to be made to prevent an instruction from being executed by a single action (e.g. simultaneous use of 2 keys, repeated use of a key, etc.).

Means are to be provided to check validity of the manual input data into the system (e.g. checking the number of characters, range value, etc.).

5.3.3 If use of a push button may have unwanted consequences, provision is to be made to prevent an instruction from being executed by a single action (e.g. simultaneous use of 2 push buttons, repeated use of push buttons, etc.). Alternatively, this push button is to be protected against accidental activation by a suitable cover, or use of a pull button, if applicable.
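As an added example, not part of the rules text, the receiver-side checks below illustrate two of the properties listed in 4.6.3 for a wireless link: a) message integrity (any alteration of the received frame is detected) and b) device authentication (only devices present in the system design are accepted). They use HMAC-SHA256 from the Python standard library; message encryption, item c), is left to an authenticated-encryption mode and is not shown. The device identifiers, keys, frame layout and payloads are constructed sample values.

```python
"""Integrity and device-authentication checks for frames on a wireless data
link (added example, constructed values). Frame layout assumed here:
id_len (1 byte) | device id | payload | HMAC-SHA256 tag (32 bytes)."""
import hashlib
import hmac

# b) Only devices included in the system design are known to the receiver.
# Constructed registry: device id -> per-device secret key.
DEVICE_KEYS = {
    "engine-sensor-01": b"\x01" * 32,
    "rudder-node-02": b"\x02" * 32,
}

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes


def build_frame(device_id: str, payload: bytes, key: bytes) -> bytes:
    """Sender side: the tag covers the device id and the payload, so a change
    to either one in transit makes the tag verification fail (item a)."""
    ident = device_id.encode("utf-8")
    body = bytes([len(ident)]) + ident + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_frame(frame: bytes):
    """Receiver side. Returns (status, device_id, payload) where status is
    "ok", "unknown-device" or "bad-integrity"; payload is None unless "ok"."""
    if len(frame) < 1 + TAG_LEN:
        return "bad-integrity", None, None
    id_len = frame[0]
    if len(frame) < 1 + id_len + TAG_LEN:
        return "bad-integrity", None, None
    ident = frame[1:1 + id_len].decode("utf-8", errors="replace")
    key = DEVICE_KEYS.get(ident)
    if key is None:
        # item b) and d): a device outside the system design is not connected
        return "unknown-device", ident, None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # compare_digest avoids leaking the position of the first mismatching byte
    if not hmac.compare_digest(tag, expected):
        return "bad-integrity", ident, None
    return "ok", ident, body[1 + id_len:]


if __name__ == "__main__":
    key = DEVICE_KEYS["engine-sensor-01"]
    good = build_frame("engine-sensor-01", b"RPM=1200", key)
    print(verify_frame(good))
    damaged = bytearray(good)
    damaged[17] ^= 0x01            # flip one bit in the payload
    print(verify_frame(bytes(damaged)))
```

Because the tag is keyed per device, a frame that carries a registered device id but was not produced with that device's key fails the integrity check as well, so the two checks reinforce each other rather than being independent.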
5.1.1 The design of the operator interface is to follow ergonomic principles. The standard IEC 60447 Man-machine interface or equivalent recognised standard may be used.

5.2 System functional indication

5.2.1 A means is to be provided to verify the activity of the system, or subsystem, and its proper function.

The position of the VDU is to be such as to be easily readable from the normal position of the personnel on watch. The size of the screen and characters is to be chosen accordingly.

When several control stations are provided in different spaces, an indication of the station in control is to be displayed at each control station. Transfer of control is to be effected smoothly and without interruption to the service.
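The following is an added example, not part of the rules text, of a command gate for an operator interface that applies the requirements of 5.3.2 and 5.3.3 (recognisable active function, no execution of a command with unwanted consequences by a single action, validity checks on manual input such as character count and range) together with the single-station-in-control and interlock requirement that precedes 5.3.2 and the station-in-control indication of the paragraph above. Station names, command names and limits are constructed sample values.

```python
"""Command gate for a control station interface (added example, constructed
values). Commands marked critical need a repeated key action; every value
typed by the operator is checked for length and range before use."""

# Constructed command table: character limit, accepted range and whether a
# single action is allowed to execute the command.
COMMANDS = {
    "setpoint_rpm":   {"max_chars": 3, "range": (0, 120), "critical": False},
    "emergency_stop": {"max_chars": 1, "range": (0, 1),   "critical": True},
}


def validate_input(command, text):
    """Validity check of manual input data (5.3.2): number of characters first,
    then integer parsing, then range. Returns (value, None) or (None, reason)."""
    spec = COMMANDS.get(command)
    if spec is None:
        return None, f"unknown command {command!r}"
    if len(text) > spec["max_chars"]:
        return None, f"too many characters ({len(text)} > {spec['max_chars']})"
    try:
        value = int(text)
    except ValueError:
        return None, "value must be an integer"
    lo, hi = spec["range"]
    if not lo <= value <= hi:
        return None, f"value {value} outside range {lo}..{hi}"
    return value, None


class ControlAuthority:
    def __init__(self, stations):
        self.stations = list(stations)
        self.in_control = self.stations[0]
        self.pending = None          # critical command armed, awaiting repeat
        self.active_function = None  # shown on the key so it is recognisable
        self.log = []                # executed (station, command, value)

    def station_in_control(self):
        """Indication to be displayed at every control station."""
        return self.in_control

    def transfer_control(self, station):
        """Hand control to another station; an armed command is dropped so it
        cannot be completed from a station that is no longer in control."""
        if station not in self.stations:
            raise ValueError(f"unknown station {station!r}")
        self.in_control = station
        self.pending = None
        return self.in_control

    def submit(self, station, command, text):
        """One key action from a station. Returns (status, detail)."""
        # Interlock: commands from a station not in control are refused.
        if station != self.in_control:
            return "rejected", f"{station} is not the station in control ({self.in_control})"
        self.active_function = command
        value, reason = validate_input(command, text)
        if reason is not None:
            return "rejected", reason
        if COMMANDS[command]["critical"]:
            request = (station, command, value)
            if self.pending != request:
                # first action only arms the command; repeating it executes
                self.pending = request
                return "armed", f"repeat {command} to confirm"
            self.pending = None
        self.log.append((station, command, value))
        return "executed", f"{command}={value}"


if __name__ == "__main__":
    ca = ControlAuthority(["bridge", "ECR"])
    print(ca.submit("ECR", "setpoint_rpm", "90"))       # not in control
    print(ca.submit("bridge", "setpoint_rpm", "5000"))  # too many characters
    print(ca.submit("bridge", "emergency_stop", "1"))   # armed only
    print(ca.submit("bridge", "emergency_stop", "1"))   # executed
```

A simultaneous two-key scheme would replace the repeat check with a second input channel; the rest of the gate (station interlock, length and range checks) is unchanged.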
5.6 Computer dialogue

5.6.1 The computer dialogue is to be as simple and self-explanatory as possible.

The screen content is to be logically structured and show only what is relevant to the user.

Menus are to be organised so as to have rapid access to the most frequently used functions.

5.6.2 A means to go back to a safe state is always to be accessible.

5.6.3 A clear warning is to be displayed when using functions such as alteration of control condition, or change of data or programs in the memory of the system.

5.6.4 A ‘wait’ indication is to warn the operator when the system is executing an operation.

6 Integrated systems

6.1 General

6.1.1 Operation with an integrated system is to be at least as effective as it would be with individual, stand-alone equipment.

6.1.2 Failure of one part (individual module, equipment or subsystem) of the integrated system is not to affect the functionality of other parts, except for those functions directly dependent on information from the defective part.

6.1.3 A failure in connection between parts, cards connections or cable connections is not to affect the independent functionality of each connected part.

6.1.4 Alarm messages for essential functions are to have priority over any other information presented on the display.

7 Expert system

7.1

7.1.1 The expert system software is not to be implemented on a computer linked with essential functions.

7.1.2 Expert system software is not to be used for direct control or operation, and needs human validation by personnel on watch.

8 System testing

8.1

8.1.1 The system tests are to be carried out according to Ch 3, Sec 6.

8.1.2 All alterations of a system (hardware and software) are to be tested and the results of tests documented.

9 System maintenance

9.1 Maintenance

9.1.1 System maintenance is to be planned and documented.

9.1.2 Remote software maintenance may be considered on a case-by-case basis.