
Optimisation of Operations and Maintenance of complex marine assets in the offshore Oil and Gas industry to maximise asset safety and reliability

EG5906/EG5910 Individual Project in MSc Safety and Reliability Engineering for Oil and Gas

By

LEWIS HENDERSON, BEng MIMarEST

51772886

A dissertation submitted in partial fulfilment of the requirements of the award of
Master of Science in Safety and Reliability Engineering for Oil and Gas at the
University of Aberdeen
(November, 2021)

1 Abstract
Managing failure of engineering systems is a crucial aspect of responsible asset
custodianship. Organisations are under greater scrutiny than ever before to
demonstrate that the way they own and operate their assets poses the lowest
possible risk to the safety of their personnel, the wider general public and the
environment. The competitive landscape adds the additional pressure of the
demands to maximise profitability and shareholder value, with operational
efficiency and cost effectiveness under constant review.

Many techniques exist that aim to maximise asset safety and reliability but their
implementation can be fraught with difficulty through the varying complexity of the
techniques, contradictory guidance on their application, the experience and
skillset of the personnel involved and the level of risk that the organisation is
willing to accept.

Managing failure must begin with understanding how and why it occurs, but most
importantly there is a need to understand what failure means to the organisation
before attempting to derive a plan to manage it. This requires a methodology that
promotes collaboration between stakeholders to deliver a comprehensive
strategy for managing failure that is relevant, concise and continues to deliver
value throughout every stage of the asset lifecycle.

This paper explores the methodologies commonly used to identify and manage
failure such as FMEA, HAZID, HAZOP, RCA, FTA and RCM with the aim of
capturing the key components of each method for subsequent inclusion into a
comprehensive approach to optimising the O&M stage of the asset lifecycle for
increased safety and reliability. The result has been the development of a
streamlined process that manages safety, environmental, operational and
financial risk that can be repeated for any complex asset, within any industry.

2 Table of Contents

1 Abstract
2 Table of Contents
3 List of Tables
4 Table of Figures
5 List of Abbreviations
6 Introduction
7 Aims and Objectives
8 Background Theory
  8.1 The history of failure
  8.2 The drivers behind reliability assessment
  8.3 Managing failure
9 Strategy Development
  9.1 Vessel Overview
    9.1.1 Diesel Engines
    9.1.2 Generators
    9.1.3 Thruster equipment
    9.1.4 Steering Gear
    9.1.5 Main Electrical Distribution
    9.1.6 Power Management System
  9.2 Identifying critical systems
    9.2.1 Selection of candidate system
    9.2.2 Main Diesel Engines
  9.3 Failure analysis
    9.3.1 FMEA
    9.3.2 Risk assessment
    9.3.3 Failure management strategies
    9.3.4 Analysis worksheet
10 Results and Discussion
  10.1 The reliability - operating age relationship
  10.2 The effects and consequences of failure
  10.3 Hidden failures
  10.4 Failure management strategy selection
  10.5 Alternative failure management strategies
11 Conclusions and Recommendations
12 References

3 List of Tables
Table 1: FMEA Definitions (Adapted from Burge, 2018)
Table 2: Vessel Particulars
Table 3: Vessel Systems
Table 4: Probability Classification
Table 5: Severity Classification
Table 6: Risk Matrix
Table 7: Opportunities for missed safety related consequences
Table 8: Protective Devices
Table 9: Task Categorisation
Table 10: Task Failure Probability

4 Table of Figures
Figure 1: Asset Lifecycle (Life Cycle Engineering, Inc., 2019)
Figure 2: Age-Reliability Patterns of Failure (Nowlan and Heap, 1978)
Figure 3: Waddington Effect (Busch, 2014)
Figure 4: Group 2 FTA
Figure 5: Root Causes
Figure 6: P-F Curve
Figure 7: Reliability - Operating Age Relationship
Figure 8: Failure Management Strategy Selection
Figure 9: Manufacturer Guidelines
5 List of Abbreviations
| Definition | Acronym |
|---|---|
| Operation and Maintenance | O&M |
| Reliability, Availability, Maintainability and Safety | RAMS |
| Federal Aviation Industry | FAA |
| Department of Defence | DoD |
| Oil and Gas | O&G |
| Failure Mode Effects Analysis | FMEA |
| Failure Modes, Effects and Criticality Analysis | FMECA |
| Safety Management System | SMS |
| Dynamic Positioning | DP |
| International Marine Contractors Association | IMCA |
| Root Cause Analysis | RCA |
| Hazard Identification | HAZID |
| Hazard and Operability | HAZOP |
| Anchor Handling Tug Supply | AHTS |
| Health and Safety Executive | HSE |
| Fault Tree Analysis | FTA |
| Power Takeoff | PTO |
| Digital Speed Controller | DSC |
| Original Equipment Manufacturer | OEM |
| Human Reliability Assessment | HRA |
| Mean Time Between Failure | MTBF |

6 Introduction
There is an ever-increasing pressure to maximise the safety and reliability of
engineering assets to prevent injury or loss of life to personnel, reduce
environmental risk and maximise shareholder value allowing the organisation to
remain operational in an ever more competitive landscape. These pressures
bring many challenges which organisations must overcome to stay afloat and have
resulted in various engineering methodologies being designed, refined and
adapted over the past several decades.

The way organisations operate and maintain their assets is under a higher level
of scrutiny than ever before, resulting in investment in such initiatives in an
attempt to identify and manage safety, financial and operational risk. Companies
that have invested heavily in such initiatives should expect a higher level of
reliability of their assets and be able to provide assurance to their personnel and
the wider public that risk is being managed effectively. However, through many
catastrophic failures throughout history, this has been questioned and it must be
understood that failures will always occur as zero risk is impossible.

Figure 1: Asset Lifecycle (Life Cycle Engineering, Inc., 2019)

It is common for the greatest proportion of investment in such initiatives to occur
early in the asset lifecycle, primarily at the design stage using statistical analysis
and reliability prediction methods, to calculate and quantify risk thus allowing
extra effort to be expended in ‘designing out’ the most critical failures to prevent
them from ever occurring or put plans in place to reduce their consequences. As
the project matures and enters what would commonly be the lengthiest stage of
the asset lifecycle; Operation and Maintenance (O&M), how failure is managed
throughout this stage is absolutely crucial to ensure asset safety, reliability and
cost effectiveness through life.

However, in order to correctly manage failure, it must first be fully understood and
it is this crucial element that is often poorly addressed as we transition from the
Design/Acquisition stage into O&M. This is due to the simple fact that failure itself
is much more complex than may first appear, and will still occur regardless of
how robust the engineering design. Some of the worst disasters in history have
resulted from root causes that could easily have been prevented, not through
physical design of the system but the way the asset is operated and maintained
including aspects such as routine testing, inspection and verification. The very
reason for conducting such activities is to prevent failure, but often it has the
dramatically reverse effect of inducing failure. This complicates the generation of
an O&M strategy, because the strategy itself can end up doing more harm than
good.

A strategy must be put in place to minimise the probability of such events
occurring that cannot be ‘designed out’, however there is often a disconnect
between what is perceived at the design stage, to what actually happens in reality
during the O&M stages of the asset lifecycle. This paper will explore the impact
of O&M on asset safety and reliability and propose a solution to how this can be
optimised to maximise equipment reliability and operational efficiency whilst
reducing the likelihood of safety related incidents.

7 Aims and Objectives
The expected outcome of the project is the creation of a methodology that can be
used to optimise asset Operations and Maintenance to maximise asset safety
and reliability. This will be achieved through the following objectives:

▪ Background research into equipment failure/safety incidents with
emphasis on induced failure via Operation and Maintenance activities.
▪ Appraisal of known failure identification and management strategies /
techniques.
▪ Failure analysis of a complex marine system to identify Failure Modes and
applicable failure management strategies. Analysis of the alternative
strategies to identify risk of maintenance induced failure.
▪ Comparison between alternative strategies to demonstrate the impact on
asset availability and risk to safety.
▪ Experimentation and refinement of the process with emphasis on
maximising process repeatability / suitability for application on any
complex system.

8 Background Theory
8.1 The history of failure
Throughout history, asset complexity has gradually increased and this has
changed the way that assets can fail and subsequently the consequences of
failure. The development of new technology has accelerated the possibilities of
what engineering can provide to society, but can also result in catastrophic
failures with a heavy cost to human life and the environment, not to mention
extreme financial impact on organisations.

The growth of industrial scale and technological changes within industry meant
that when failures do occur, the effects and consequences of those failures could
be more severe than in the past. In 1986, the explosion at the Chernobyl Nuclear
Powerplant in the Ukraine initially resulted in an enormous level of damage to the
plant and took the lives of two workers, however the aftermath of the event was
arguably more severe with a further twenty-eight fatalities as a result of acute
radiation syndrome and an unknown figure of radiation induced cancer cases
throughout the post-event years which has taken the lives of many others (World
Nuclear Association, 2021). However, several decades ago, this disaster would
have been physically impossible due to the simple fact that the technology did
not exist, so new technology brings new levels of risk, especially when
considering the severity of failure.

Such incidents also begin to change the operating landscape through an increase
in expectations because with greater effects and consequences of failure comes
greater control by the regulatory bodies to try to ensure that owners and operators
are doing things safely. This has resulted in organisations setting targets on their
assets through statistical analysis techniques such as Reliability, Availability,
Maintainability and Safety (RAMS) studies, not only to maximise the safety and
cost effectiveness of their operations but also respond to increased customer
expectations that demand cheaper, yet more reliable products than they were
yesterday.

The post-WWII era saw a rapid increase in air travel and as this mode of transport
became more affordable and accessible, gradually the number of planes and air
traffic routes increased. However, what this also created is a greater probability
of failure due to the increased population of planes in operation, with potentially
catastrophic effects should they occur, given the nature of air travel.

In the 1960’s and 1970’s, this resulted in a vast amount of research into the
increasing failure rate of commercial airlines by the Federal Aviation Industry
(FAA), the Department of Defence (DoD) and the airline companies, to explore
this increasing concern in airline safety and reliability and question the
effectiveness and suitability of the strategies that were in place to try and manage
failure, such as scheduled maintenance. In 1978, the release of a paper titled
Reliability-Centred Maintenance by F. Stanley Nowlan and Howard F. Heap,
documented this research, covering all aspects of failure management from
understanding the true nature of failure to the principles of selecting a suitable
failure management strategy.

The research uncovered several insights into the nature of failure, one of which
was the relationship between reliability and operating age. At the time, the
commonly held belief that as items age, they become more prone to failure, was
actually found to be inaccurate from the analysis of failure data collected across
several decades of airline operations, as shown by the six age-reliability patterns
of failure:

Figure 2: Age-Reliability Patterns of Failure (Nowlan and Heap, 1978)

The patterns show the conditional probability of failure against the operating age
since manufacture, overhaul or repair with the results changing the way in which
failure was understood.

This was a fundamental realisation as the general approach at the time to
manage failure, was to conduct maintenance on a scheduled basis based on the
age of the item. It was thought that intervening at a set time period before
reaching the wear out zone, where the probability of failure is at its lowest would
maximise the chance of preventing failure from occurring. However, the data
analysis showed that this would actually only effectively manage 11% of failures
in any complex system and could often lead to the introduction of a high rate of
infant mortality, which was found to account for 66% of failures. As reliability
decreased, it was also common for more physical maintenance to be conducted
in an attempt to curb the trend, thus introducing more interventions into an
otherwise stable system and further worsening the situation.

Interestingly, some twenty years earlier during WWII, a similar realisation was
made in RAF Bomber Command by the scientist Conrad Hal Waddington. His
research into the downtime being suffered by the bomber fleet included an
investigation into the planned and unplanned maintenance being conducted on
the aircraft, and when plotted against flying hours, an unexpected result was
obtained, as shown:

Figure 3: Waddington Effect (Busch, 2014)

It was discovered that the fleet was suffering its greatest level of breakdowns
immediately after the planned maintenance period, which was being conducted
every 50 flying hours, with the highest level of aircraft reliability being experienced
immediately before the maintenance period. This aligns with the aforementioned
age-reliability patterns of failure derived by Nowlan and Heap, confirming the
weak relationship of age with reliability and the high level of infant mortality in
complex assets. Due to the classified nature of Waddington's work, it was not
made publicly available until several years after the publication of Nowlan and
Heap’s paper.

In reliability modelling of complex systems, failure rates can be established using
statistical analysis of individual sub-assemblies or components that can take
important aspects such as series and parallel redundancy into account, however
using failure rates alone is insufficient in generating an effective failure
management strategy (Nowlan and Heap, 1978). Accurate failure data can also
be difficult to obtain, if it even exists, and the use of standard industry tables for
component reliability will be unlikely to take all the necessary factors that can
affect reliability, into account. Furthermore, although such data may provide
information for how often an asset is likely to fail, for most assets it does not
provide an indication of when, why and how fast the failure will occur, or what the
effects and consequences would be. All of these factors need to be fully
understood before any justifiable decision can be made as to what should be
done to prevent the failure.

In addition, if used incorrectly, failure data itself can exacerbate the issue of
reliability when decisions for failure management are based on a
misunderstanding of what the data is suggesting. For example, it is not
uncommon for statistical analysis of failure to be confused with the useful life of
the equipment. Equipment can fail in multiple different ways for different reasons,
most of which are purely random in nature and do not occur after a known
operating age. Using a reliability measure such as the Mean Time Between
Failure (MTBF), can provide a figure of how often the item is likely to fail, but does
little to suggest when, as statistically any one particular component will survive to
its calculated MTBF with a probability of 37%. Or, in other words, 63% of
components will have failed before reaching the calculated MTBF (David John
Smith, 2017).
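
The 37% figure above applies when failures are random, that is, when the failure rate is constant. The following Python sketch is an added example, not part of the dissertation; it assumes a Weibull life model (an assumption introduced here, with hypothetical function names and a constructed scale of 1000 hours) and goes beyond the single case quoted in the text to show how the fraction of items surviving to the MTBF shifts between infant-mortality, random and wear-out behaviour.

```python
import math
import random


def weibull_mtbf(shape, scale):
    """Mean life of a Weibull(shape, scale) item: scale * Gamma(1 + 1/shape)."""
    return scale * math.gamma(1.0 + 1.0 / shape)


def survival(t, shape, scale):
    """Reliability R(t) = exp(-(t / scale) ** shape)."""
    return math.exp(-((t / scale) ** shape))


def survival_at_mtbf(shape, scale=1000.0):
    """Probability that one item is still running when it reaches its own MTBF."""
    return survival(weibull_mtbf(shape, scale), shape, scale)


def simulated_survival_at_mtbf(shape, scale=1000.0, n=200_000, seed=1):
    """Monte Carlo check: draw n lives and count those longer than the MTBF."""
    rng = random.Random(seed)
    mtbf = weibull_mtbf(shape, scale)
    # random.weibullvariate takes (scale, shape) in that order.
    survivors = sum(1 for _ in range(n) if rng.weibullvariate(scale, shape) > mtbf)
    return survivors / n


# Constructed shape values, chosen only to represent the three broad behaviours.
PATTERNS = [
    ("infant mortality (falling failure rate)", 0.5),
    ("random (constant failure rate)", 1.0),
    ("wear-out (rising failure rate)", 3.0),
]

if __name__ == "__main__":
    print(f"{'pattern':<42}{'MTBF (h)':>10}{'R(MTBF)':>10}{'simulated':>11}")
    for label, shape in PATTERNS:
        mtbf = weibull_mtbf(shape, 1000.0)
        analytic = survival_at_mtbf(shape)
        simulated = simulated_survival_at_mtbf(shape)
        print(f"{label:<42}{mtbf:>10.0f}{analytic:>10.3f}{simulated:>11.3f}")
```

With a constant failure rate the result is exp(-1), the 37% quoted above; with a falling failure rate fewer than a quarter of items reach the MTBF, which is why the MTBF alone says little about when an individual item will fail.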

Therefore, efforts began to switch from trying to predict the life of assets, to
understanding the true nature of failure and their consequences, generally
through a much more qualitative than quantitative approach. There was also a
realisation that there will always be a risk of failure no matter how reliable the
system has been calculated to be, so how we identify potential failures and
assess their effects are of paramount importance to enable strategies to be put
in place to manage them.

8.2 The drivers behind reliability assessment


In the pursuit of effective engineering asset management, organisations may be
driven by various factors, largely their own commercial pressures and business
objectives but also that of the industry they operate in. Oil and Gas (O&G) is a
high hazard industry that has grown rapidly over the last fifty years which has
resulted in the advancement in the techniques available to assure the safety and
reliability of assets. Such techniques are widespread, generally being conducted
at key stages of the asset lifecycle to achieve set objectives and allow the project
to continue, however quite often these processes are conducted in isolation
resulting in duplicated and wasted effort as the project progresses to the next
stage with a similar analysis being conducted, perhaps by a different department
or external consultancy, using a slightly different technique yet delivering much
of the same information and value. This is further exacerbated through the
different perspectives and level of understanding of the personnel involved, which
quite often consists of a disconnected group of individuals, departments and
consultancies working in isolation. One such example of this is the Failure Mode
Effects Analysis (FMEA).

FMEA has been used extensively in various industries throughout the last sixty
years including military, commercial airliners, shipping, transport and aerospace,
and has led to the creation of various standards and guidelines such as 60812:
Analysis Techniques for System Reliability – Procedure for Failure Mode and
Effects Analysis (FMEA), BS 5760-5:1991 Guide to failure modes, effects and
criticality analysis (FMECA), IMO MSC Resolution 36(63) Annex 4 – Procedures
for Failure Mode and Effects Analysis and US Department of Defense military
standard MIL-STD-1629A (1980).

Although a fairly simple tool which can be almost entirely qualitative or
semi-quantitative through the addition of a Criticality Analysis to form a Failure Mode
Effects and Criticality Analysis (FMECA), its application can be fraught with
inconsistency. This is potentially due to the different reasons why an FMEA would
be conducted, for example at the design stage to support and justify system
reliability modelling and redundancy analysis, or post-design when supporting the
creation of a maintenance strategy. FMEA has also been used purely to identify
safety related risk to support the Safety Case or the Safety Management System
(SMS), as well as identifying failures of a particular process or business as a
whole. This can often result in several different FMEAs being conducted within
the same project, but for different purposes, with a significant level of duplicated
effort and opposing recommendations. It is also common for the terminology to
be confused between different standards and users of the process, thus
promoting inconsistency in the process (Burge, 2018). This is presented in the
following table:

Standard text definitions of failure and associated aspects

| Aspect | Reference | Text Definition |
|---|---|---|
| Failure | BS4778-3.1:1991; IEC 60050(191):1990, International Electrotechnical Vocabulary (IEV) – Chapter 191: Dependability and quality of service; IEC 60812, 2006 Analysis techniques for system reliability – Procedure for failure mode and effects analysis (FMEA) | The termination of the ability of an item to perform a required function |
| Failure | SAE J1739 JAN2009 | None given |
| Failure | Failure Mode and Effect Analysis, Stamatis D.H., ASQ Quality Press 2003, ISBN 0-87389-598-3 | None given |
| Function | BS4778-3.1:1991 et al | None given |
| Function | SAE J1739 JAN2009 | A design function is a description of the design intent for a system, subsystem, or component |
| Function | Failure Mode and Effect Analysis, Stamatis D.H., ASQ Quality Press 2003, ISBN 0-87389-598-3 | None given |
| Failure Mode | BS4778-3.1:1991 et al | Manner in which an item fails |
| Failure Mode | SAE J1739 JAN2009 | the manner in which the item fails to meet its intended function. |
| Failure Mode | Failure Mode and Effect Analysis, Stamatis D.H., ASQ Quality Press 2003, ISBN 0-87389-598-3 | A design failure is the manner in which a system, subsystem or part fails to meet its intended purpose or function. A process failure is the manner in which a system, subsystem or part fails to meet its intended purpose |
| Effect | BS4778-3.1:1991 et al | Consequence of a failure mode in terms of the operation, function or status of the item |
| Effect | SAE J1739 JAN2009 | None given |
| Effect | Failure Mode and Effect Analysis, Stamatis D.H., ASQ Quality Press 2003, ISBN 0-87389-598-3 | A description of the impact of a failure mode on the operation, function, or status of the part, assembly, subsystem, system, product, customer, manufacturing operations, manufacturing operators, manufacturing tooling and equipment, or government regulation. |
| Failure Mechanism | BS4778-3.1:1991 et al | The physical, chemical or other process that results in failure. |
| Failure Mechanism | SAE J1739 JAN2009 | None given |
| Failure Mechanism | Failure Mode and Effect Analysis, Stamatis D.H., ASQ Quality Press 2003, ISBN 0-87389-598-3 | (1) the process that results in failure. These processes can include chemical, electrical, physical, thermal and informational. (2) the process of degradation, or chain of events leading to and resulting in a particular failure mode. |
| Cause | BS4778-3.1:1991 et al | None given |
| Cause | SAE J1739 JAN2009 | None given |
| Cause | Failure Mode and Effect Analysis, Stamatis D.H., ASQ Quality Press 2003, ISBN 0-87389-598-3 | The how or why that leads to the failure mode. |

Table 1: FMEA Definitions (Adapted from Burge, 2018)

The rise of Dynamic Positioning (DP) systems on offshore rigs and vessels has
developed the use of FMEA for assurance and verification purposes. This
powerful tool enables the fault tolerance of the DP system to be analysed and
subsequently proved through DP proving trials to identify shortfalls in the system
and/or the FMEA itself to enable further analysis and corrective action, as well as
providing the auditable trail to Classification Societies to demonstrate system
integrity (IMCA, 2016). However, with the focus of the analysis being on the ability
of the vessel to hold its position in the event of a system fault, any failure that
does not cause loss of position or degradation of the DP system is generally not
marked for further analysis as it has been demonstrated that the risk of collision
and subsequent risk has been minimised. Although this satisfies the
requirements of the FMEA, in reality the loss of redundancy will not be tolerated
by the vessel operator or charterer as the ability to configure the system to the
requirements of the contract will not be met and the vessel will be forced to go
off-hire at a severe financial loss to the owner. Similarly, without a deeper analysis
of the Failure Modes, it is unknown whether there could be a safety or
environmental risk from certain failures that although do not cause loss of
position, could result in a further event such as a loss of containment which could
lead to a fire scenario or catastrophic secondary damage that could result in
severe injury or even death of the vessel crew. Furthermore, without this
knowledge, it will be near impossible to identify a suitable failure management
strategy to prevent such failures occurring or perhaps manage their
consequences should they be unpreventable.

This switches the focus to overall system reliability and what the user actually
requires from the asset that is not purely focused on one particular top level event,
thus calling for a deeper analysis of failure.

8.3 Managing failure


To successfully manage failure, it must first be fully understood how and why
failure occurs. Methods such as Root Cause Analysis (RCA) have been used
extensively in incident investigation to correctly identify what went wrong however
these are often tomorrow’s answer to today’s problem, with a focus on preventing
similar incidents occurring in future. However, the proactive use of RCA can
anticipate failure before it occurs by focusing on potential failures, thus allowing
a failure management strategy to be put in place. Such methods as FMEA,
Hazard Identification (HAZID) and Hazard and Operability study (HAZOP) are
very effective tools for exploring hazards and potential failures that can occur.
However, the point at which they are conducted can drastically affect the value
that they add to the failure management effort due to the knowledge of the
perceived operating context such as environmental conditions, levels of
redundancy, interfaces with other systems, modes of operation etc., which can
be subject to change as the project progresses. Ideally these documents will be
kept alive and updated as the project progresses through the asset lifecycle, but
this is a common downfall in through life asset management.

The robustness of such techniques also depends upon the knowledge, experience
and credibility of the review group, and arguably most importantly, of the
workshop leader or facilitator who guides and steers the group through the
chosen methodology to maximise the quality of the output. This in itself can be
the root cause of failure which years down the line could result in a catastrophic
event occurring from a hazard that was improperly analysed or simply not
identified.

In addition to such efforts, various stakeholders such as regulatory bodies and
equipment manufacturers can further muddy the waters through stipulating their
own guidance, rules and regulations which may not neatly align with the various
analysis techniques being conducted. In practice, failure management strategies
are created through a combination of several sources, many of which will not
contain justified reasoning behind the proposed strategy. There is therefore a
requirement for a more holistic approach to safety and reliability, one that aligns
the efforts of various techniques to form a complete strategy to how asset safety
and reliability can be assured through life.

9 Strategy Development
In the pursuit of creating a holistic process for through life failure management, a
case study has been chosen which will focus on an offshore Anchor Handling
Tug Supply (AHTS) vessel, operating within the global O&G industry. These
vessels operate in extremely close proximity with high hazard assets, where the
risk of collision is high. Over the past twenty years, DP systems installed on such
vessels have gradually become the norm instead of the exception to maximise
vessel control and ability to hold position when operating within the safety zone
(HSE, 2008).

9.1 Vessel Overview


| Particulars | Detail |
|---|---|
| Length overall | 73,20 m |
| Length between perpendiculars | 64,20 m |
| Breadth moulded | 20,00 m |
| Depth main deck | 7,60 m |
| Gross tonnage | 3700 gt |
| F.W. capacity | 545 m³ |
| F.O. capacity | 1124 m³ |
| Ballast Water / Drill Water | 1744 m |

Table 2: Vessel Particulars

9.1.1 Diesel Engines


The vessel is equipped with the following seven diesel engines:

▪ Four main diesel engines arranged in a Father and Son configuration of
make MAN B&W type 8L27/38 and 7L27/38, Father Engines delivering
2720 kW@800rpm, Son Engines delivering 2380 kW@800rpm each.
▪ Two auxiliary diesel engines of make MAN B&W type D2842.LE301/LSA
delivering 620 kW@1800 rpm.
▪ One emergency diesel of make MAN B&W type D866 LXE-20 LSAM
delivering 260 kW@1800 rpm

9.1.2 Generators
The vessel is provided with the following five generators:

▪ Two shaft generators of make AvK-Alternators type DSG 114 M 1/6 W
3250 kVA 2600 kW 440 V 60 HZ 1200 rpm. Fresh water cooled
▪ Two auxiliary generators of make Leroy Somer LSA 49.1 M75 Delivering
590KWe, 738kVA. Air cooled
▪ One emergency generator of make Leroy Somer LSAM 46.2 Delivering
200Kwe@1800rpm Air cooled.

9.1.3 Thruster equipment


The vessel is equipped with the following thruster equipment:

▪ Two tunnel thrusters of make Brunvoll type FU-80 LRC 2250
▪ Two stern thrusters of make Brunvoll type FU-63 LTC 1550
▪ Two pitch propellers of make MAN B&W. There is one shaft line for each
of the propellers. Each propeller is connected via the respective shaft line’s
reduction gear and driven by its respective main diesel engine. The
propellers have pitch control.

9.1.4 Steering Gear


The vessel is equipped with two steering gear units of make RRM Tenfjord. There
is one steering gear unit located at either side of the vessel, controlled by a
Tenfjord CS control system.

9.1.5 Main Electrical Distribution


The vessel is equipped with the following main/emergency switchboards:

▪ One 440V/60Hz main switchboard with bus tie breaker installed
▪ One 220V/60Hz main switchboard with bus tie breaker installed
▪ One 440V/230V/60Hz emergency switchboard

The emergency switchboard is located in the emergency generator room on B-deck
midship.

The 230V section of the emergency switchboard is supplied from the 440V
section via a transformer.

The main switchboards are located in the switchboard room on Tween deck.

9.1.6 Power Management System


A Power Management System is installed; however, the DP2 operation will be
executed with an open bus tie on the 440V main switchboard.

The pumps for the propulsion are controlled from the engine control room.

9.2 Identifying critical systems
A top down approach can be used to determine which systems could be classed
as ‘critical’ to the vessel. The table below shows the groupings of all the main
systems installed and their impact on the vessel should they fail:

| Ref | Vessel Impact | System |
|---|---|---|
| Group 1 | Reduction in safety integrity / emergency response capability | Life Rafts; CO2 System; Sea Water Fire Fighting System; Water Mist System; Fire Detection System |
| Group 2 | Loss of DP2 capability / loss of contract | Steering Gear; Thrusters; Dynamic Positioning; Navigation system; Gearbox; Controllable Pitch Propellor; Main Engines; Auxiliary Engines; Fuel Oil System; Lub Oil System; Fresh Water Cooling System; Sea Water Cooling System |
| Group 3 | Reduction in vessel capability / contract limitations | Dry Bulk system; Deck Crane; FO Cargo; FW Cargo; Liquid Mud; Brine; Base Oil; Towing Winch; Shark Jaws and Towing Pins |
| Group 4 | General reduction in vessel condition / fit-for-sea | Anchoring and Mooring; Incinerator; HVAC; Sanitary System; Waste Oil System; Hot Water System; Ballast System; Bilge System; Fi-Fi System; Communications System; Potable Water Generation |

Table 3: Vessel Systems

Every system on board has been installed for a particular purpose, and arguably
each system is critical in its own right; however, grouping the systems by the
general impact their failure would have on the vessel enables efforts to be
directed at whichever systems the individual organisation/vessel owner deems to
be the most critical. Partitioning the systems in this way provides focus for the
failure assessment and assists in the selection of system(s) for further analysis.

By using Group 2 for the purposes of experimentation, a Fault Tree Analysis
(FTA) can then be used to identify the high level failures that result in the loss of
critical function, in this case the loss of DP2 capability and subsequent loss of
vessel contract:

Figure 4: Group 2 FTA

The fault tree shows the redundancy concept for the vessel operating in DP2
mode, whereby a failure in both of the redundant groups would be required to
cause the complete loss of position keeping capability, thus reducing the
possibility of a collision which could have catastrophic safety related
consequences. However, although the fault tolerance of the vessel can be proven
from a position keeping perspective, this does not mean that the individual
failures within these systems would not cause a safety or environmental impact
should they occur. Similarly, what can also be deduced from the FTA is that the
vessel’s ability to configure to the DP2 mode of operation would be compromised
by the loss of any of these systems, possibly resulting in the vessel going off-hire
due to the inability to meet the requirements of the contract. A much deeper
analysis would therefore need to be conducted to support a failure management
strategy to maintain the inherent reliability of the systems in question.

9.2.1 Selection of candidate system


Although it is possible to continue using the top down approach to analyse failure
to a lower level of indenture, and/or conduct an FMEA to assess the effects of
such failures, the overall focus would remain on the contribution to the top event
with the risk of limiting the rigour of the analysis.

With the overall aim of creating a holistic process to effectively manage failure,
this level of detail would be required. A bottom up approach can therefore be
used to identify the individual Failure Modes that may result not only in the loss
of that critical function but potentially other functions that the system provides that
would be easily missed when using the top down approach. It will also allow these
failures to be fully analysed without the top event in mind, thus increasing the
scope of the FMEA and identifying all potential failures. Furthermore, this would
also enable the identification of certain hazards that could arise through certain
failures, especially those that could result in less obvious safety related
consequences, and provide the foundation on which to select a suitable failure
management strategy.

The process continues from the findings of the FTA, allowing the selection of a
candidate system for further analysis; in this case the main Diesel Engines.

9.2.2 Main Diesel Engines


9.2.2.1 Asset overview
The configuration of the machinery for producing power for the propulsion system
and other consumers, includes the following:

▪ Four main engines of the type MAN B&W 27/38 in a Father and Son
configuration. (Two eight cylinder and two seven cylinder).
▪ Each set of engines is connected to a Renk reduction gear fitted with a
PTO driving a shaft generator.
▪ Each main diesel engine is equipped with a turbo charger and a two-stage
charge air cooler.
▪ Each engine is fitted with a driven fuel oil feed pump supported by an
electrical standby pump, additionally a fuel oil duplex filter is provided for
each engine.
▪ There are two shaft lines, one at starboard and one at port side. Each of
the shaft lines consists of two diesel engines as the prime mover. This
prime mover is driving the pitch propeller through a reduction gearbox with
clutch, to which the propeller shaft is connected. To each of these
gearboxes, there is connected a shaft generator as well, from a second
power takeoff (PTO).
▪ All main diesel engines are designed for a manual start from the engine
control room, or a local start at the engine itself. Emergency stop buttons
are arranged locally at the engines.
▪ Emergency stop can also be executed from the bridge.
▪ Starting of the main diesel engines is performed using pressurized starting
air (30 bar), supplied from the starting air system. The two starting air
compressors and the receivers are located in the engine room.
▪ The solenoids for shutdown have to be energized to shut down the engine.
▪ During normal operations all of the main diesel engines are running,
powering the two shaft generators and it has a dual power supply.
▪ The main supply voltage of the safety system is 24V DC, with backup
voltage 24V DC as well.
▪ If the main- or backup supply fails, then the opposite supply will take over,
and the affected main diesel engine will continue to run. Failure at the
main- or backup supply will activate an alarm at the automation alarm
system.
▪ An electric driven lube oil stand by pump, 3 x 440V, is controlled from the
main engines control/safety system.

9.2.2.2 Fuel Oil System


Each engine is fitted with a driven fuel oil feed pump supported by an electrically
operated stand by pump; a duplex fuel oil filter is provided for each engine.

Engine speed control is of make Woodward type DSC (digital speed controller)
with one actuator and two digital governors.

9.2.2.3 Lubrication Oil System
The engines are of a wet sump design with a driven lub oil pump. An electrically
operated stand by pump is provided.

9.2.2.4 Cooling System


Each pair of engines has its own cooling water system. The LT system is
common for each pair of engines, while the HT loop is controlled separately on
each engine by means of a thermostatic three-way valve. The LT pumps are a dual,
electrically operated installation, while each engine has a driven HT pump with an
electrically operated stand by pump. In addition, each engine has an electrically
operated pre-heater with its own circulation pump.

9.2.2.5 Starting Air System


Each engine is started by means of a pneumatically operated starting motor.

A built on push button for emergency start and manual start valve is provided as
a separate valve on the engine.

Alarm for low starting air pressure is arranged for each engine.

9.2.2.6 Redundancy Concept


The redundancy of the engine installation is based on four engines. Two at the
port side and two at starboard, and includes shaft generator and propeller plant
driven by each of the main engines.

A mechanical failure occurring at one of the main diesel engines will only affect
one of the two propulsion lines, which includes a shaft generator and a gearbox.

Failure occurring on the main or backup supplies of the main diesel engines will
activate an alarm, and the main diesel engines will remain running.

If a failure occurs at the shaft generator, this will affect the generator and the
supply to the thrusters which it supplies. The propeller driven by this main
diesel engine will not be affected.

9.3 Failure analysis


9.3.1 FMEA
The analysis began with the generation of a function-based FMEA to identify all
plausible failure modes for the main diesel engines.

The degree of analysis undertaken was of vital importance as it significantly
affects the amount of time and effort required to complete a satisfactory analysis.
However, it too requires careful consideration because an analysis carried out at
too high a level can become superficial with corrective maintenance
predominating, while one undertaken at too low a level can become too
cumbersome and impracticable to implement.

The FMEA contains the following elements:

i. Failure Mode Ref
ii. Failure Mode
iii. Functional Failure
iv. Failure Pattern
v. Failure Effects (Equipment)
vi. Failure Effects (System)

Through experimentation it was found that if the Failure Modes were identified at
the wrong level of indenture, the identification of a failure management strategy
would be troublesome as the mechanisms of failure were not fully understood. It
was important that the root cause of failure was determined at this stage,
otherwise the failure management strategy could end up managing symptoms of
failure, as opposed to the root cause. This is demonstrated below for failure of
the prelub pump, which shows that three different root causes of failure of the
pump can result in three very different failure management strategies being
applied:

Figure 5: Root Causes

If the analysis had stopped at ‘pump fails’, there would be no strategy identified
to manage this vague failure mode; the importance of root cause failure
management therefore should not be underestimated.

The failure modes were aligned to the aforementioned failure patterns to identify
any possible age relation with failure or if indeed this failure occurred randomly.

The function that the failure causes a loss of, or functional failure, is also recorded
as this allows consideration of what the organisation actually requires from the
asset at a functional level, including any standard of performance that needs to
be met. This will help to understand what the consequences of failure are, whilst
also supporting the selection of a suitable failure management strategy, as will be
discussed further throughout this paper.

9.3.2 Risk assessment


Upon completion of the failure effects, Quantitative Risk Assessment (QRA) was
conducted to assign a severity and probability rating to each failure mode
identified, expanding the FMEA into a FMECA. This involved the generation of
the following probability and severity classifications:

Probability

| Class | Likelihood | Numerical Expression | Failure Rate/Year |
|---|---|---|---|
| 1 | Frequent | Once per year | 1 |
| 2 | Probable | Once every 10 years | 0.1 |
| 3 | Occasional | Once every 100 years | 0.01 |
| 4 | Rare | Once every 1000 years | 0.001 |
| 5 | Incredible | Once every 10000 years | 0.0001 |

Table 4: Probability Classification

Severity

| Class | Likelihood | Definition |
|---|---|---|
| 1 | Negligible | Superficial injury; Minimal environmental impact; Re-configuration of systems; Cost of repairs < £1,000 |
| 2 | Marginal | Minor injury; Limited environmental impact; Temporary reduction in vessel capability; Cost of repairs < £10,000 |
| 3 | Significant | Permanent injury; Short term damage to environment; Loss of vessel contract; Cost of repairs < £100,000 |
| 4 | Critical | 1 - 10 deaths; Prolonged damage to environment; Significant vessel damage; Cost of repairs < £1,000,000 |
| 5 | Catastrophic | > 10 deaths; Long term damage to environment; Catastrophic vessel damage and early decommissioning; Cost of repairs < £10,000,000 |

Table 5: Severity Classification

The combination of these two elements can then allow for a calculation of the
overall risk via the creation of a risk matrix:

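Risk Matrix (rows: Probability; columns: Severity)

| Probability \ Severity | Negligible | Marginal | Significant | Critical | Catastrophic |
|---|---|---|---|---|---|
| Incredible | 5 | 10 | 15 | 20 | 25 |
| Rare | 4 | 8 | 12 | 16 | 20 |
| Occasional | 3 | 6 | 9 | 12 | 15 |
| Probable | 2 | 4 | 6 | 8 | 10 |
| Frequent | 1 | 2 | 3 | 4 | 5 |
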
Table 6: Risk Matrix

The assignment of these classifications allows the failure modes to be ranked in
order of priority for further analysis as well as supporting probabilistic modelling
for overall system reliability. Although outwith the scope of this paper, it can be
easily identified from the analysis which failure modes result in the loss of the
engine and the probabilities for these failure modes can then be used to calculate
the overall failure rate of the engine, which can then be entered into the FTA
presented at Figure 4. Upon further analysis of the other systems that are listed
within this group, the same process will apply and figures can be obtained for all
assemblies, allowing the probability of the top event, loss of DP, to be calculated.
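
The roll-up described above, from failure-mode rates to an engine failure rate to the probability of the top event, as an added example that is not part of the dissertation. The failure-mode list, the tree layout and the classes of the other assemblies are constructed; it assumes constant failure rates, independent basic events that each appear once in the tree, that any assembly failure takes its redundancy group out, and a one-year exposure.

```python
import math

# Table 4 of the paper: probability class -> failure rate per year.
RATE_PER_YEAR = {1: 1.0, 2: 0.1, 3: 0.01, 4: 0.001, 5: 0.0001}

# Constructed FMECA extract for one main engine (refs are hypothetical):
# (failure mode ref, probability class, results in loss of the engine?)
ENGINE_MODES = [
    ("EX1", 2, True),
    ("EX2", 3, True),
    ("EX3", 3, True),
    ("EX4", 4, True),
    ("EX5", 1, False),  # frequent, but the engine keeps running
]

# Constructed probability classes for the other assemblies in a group.
OTHER_ASSEMBLIES = {"gearbox": 4, "CPP": 3, "thrusters": 3}


def loss_rate(modes):
    """Failure rate of an item: the sum of the rates of the failure modes
    that stop it, since any one of them is enough (series logic)."""
    return sum(RATE_PER_YEAR[cls] for _, cls, stops in modes if stops)


def prob_fail(rate_per_year, years):
    """P(at least one failure within `years`) for a constant failure rate."""
    return 1.0 - math.exp(-rate_per_year * years)


def evaluate(node, basic):
    """Probability of a fault tree node. A node is a basic-event name or a
    tuple (gate, children) with gate "AND" or "OR"."""
    if isinstance(node, str):
        return basic[node]
    gate, children = node
    probs = [evaluate(child, basic) for child in children]
    if gate == "AND":
        return math.prod(probs)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate: {gate!r}")


def redundancy_group(side):
    """One redundant group fails if any assembly in it fails (assumption)."""
    names = ["father engine", "son engine", *OTHER_ASSEMBLIES]
    return ("OR", [f"{side} {name}" for name in names])


# Both groups must fail before position keeping is lost ...
LOSS_OF_POSITION = ("AND", [redundancy_group("port"),
                            redundancy_group("stbd")])
# ... but losing either group removes the redundancy that DP2 requires.
LOSS_OF_DP2_REDUNDANCY = ("OR", [redundancy_group("port"),
                                 redundancy_group("stbd")])


def basic_events(years=1.0):
    """Basic-event probabilities over the exposure time."""
    engine_rate = loss_rate(ENGINE_MODES)
    events = {}
    for side in ("port", "stbd"):
        events[f"{side} father engine"] = prob_fail(engine_rate, years)
        events[f"{side} son engine"] = prob_fail(engine_rate, years)
        for name, cls in OTHER_ASSEMBLIES.items():
            events[f"{side} {name}"] = prob_fail(RATE_PER_YEAR[cls], years)
    return events


if __name__ == "__main__":
    events = basic_events(years=1.0)
    for label, tree in [("one redundancy group", redundancy_group("port")),
                        ("loss of position", LOSS_OF_POSITION),
                        ("loss of DP2 redundancy", LOSS_OF_DP2_REDUNDANCY)]:
        print(f"{label}: {evaluate(tree, events):.4f}")
```

The two top events use the same basic events but different gates, which is why the redundant design can have a low probability of losing position while the probability of going off-hire stays comparatively high.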

9.3.3 Failure management strategies
Based on the findings of the FMECA, the most suitable failure management
strategy can then be chosen based on the knowledge of how the failure occurs
and its effects and consequences. This produces the overall failure management
program consisting of the following types of strategy:

▪ Condition Based Maintenance
▪ Scheduled Preventative (Overhaul / Renewal)
▪ Detective
▪ Run to Failure
▪ One-off change

9.3.3.1 Condition Based Maintenance (CBM)


Priority is given to non-intrusive tasks that can identify the early signs of failure
without physically disrupting the system. This aims to minimise the opportunity
for maintenance induced failure and includes tasks such as:

▪ Vibration Analysis
▪ Plant performance monitoring via local and remote sensors
▪ Lubricating oil analysis
▪ Human Senses

Physical inspection is also another form of CBM which aims to check the
condition of the equipment prior to conducting any restorative task but may
involve breaking into the system.

Identifying the early signs of failure allows a plan to then be put in place for when
the equipment should be shutdown for maintenance, which introduces the
principle of the P-F interval (Moubray and Lanthier, 2012).

The P-F interval allows an assessment to be made of the period of time that would
elapse between the initial detectable signs of the failure and the point at which it
results in a functional failure. If this interval is found to be long enough to be of
use and is reasonably consistent, then the result is the ability to define how often
the task should be conducted to enable the potential failure condition to be identified.

Figure 6: P-F Curve

9.3.3.2 Scheduled Preventative (Overhaul / Renewal)


A task to restore the item’s original resistance to failure based on an age relation
with failure. Selection of this type of failure management strategy is only
applicable if it has been identified during the FMECA that there is an
increasing probability of failure as the item ages, and aligns to the age related
failure patterns as shown at Figure 2.

The following strategies would be defined as a scheduled preventative task:

▪ Cleaning
▪ Greasing
▪ Overhaul
▪ Renewal

9.3.3.3 Detective Maintenance


Failure-finding maintenance to check if a component is in a failed state. This
applies to ‘hidden’ failures that can occur on backup systems, protective devices
and warning systems such as:

▪ Standby pump
▪ Pressure relief valve
▪ High pressure trip circuit
▪ High temperature warning alarm

This task aims to improve the reliability of the protected function (what the device
is protecting) by maximising the availability of the protective device, or in other
words, a task to ensure the protective device is available when needed.

9.3.3.4 Run to Failure


A justified decision to run the equipment to failure. If the effects and
consequences of failure are not severe, the most cost-effective option might be
to let the failure occur to avoid unnecessary expenditure on spare parts and
labour.

This maximises the useful life of the equipment and also removes the risk of
premature maintenance induced failure.

9.3.3.5 One off change


Recommendations for ‘one-off’ actions to avoid, eliminate or reduce the
consequences of failure including:

▪ How the equipment is operated
▪ Increased training
▪ Changes to operating procedures
▪ Physical re-design of the system

9.3.4 Analysis worksheet


The worksheet to record the failure analysis was refined throughout the
experimental process, initially using a standard FMEA template but gradually
being expanded to detail all of the required fields to allow the holistic process for
failure management to be established. The end product consists of the following
fields:

i. Failure Mode Ref
ii. Failure Mode
iii. Functional Failure
iv. Failure Pattern
v. Failure Effects (Equipment)
vi. Failure Effects (System)
vii. Safety Impact
viii. Operational Impact
ix. Failure Detection
x. Severity Probability
xi. Risk Rating (Severity x Probability)
xii. Failure Management Type
xiii. Failure Management Strategy
xiv. Task Interval
xv. Task Related Risk
xvi. Justification
xvii. OEM Recommendation
xviii. OEM Task Interval
xix. OEM Task Related Risk

The full failure analysis can be seen at Appendix A – Failure Analysis Worksheet.

10 Results and Discussion
10.1 The reliability - operating age relationship
Upon completion of the failure analysis, the divide between age-related failure
and non age-related failure was calculated, as shown below:

Figure 7: Reliability - Operating Age Relationship (pie chart: Age relationship 12%, Random 88%)

This proved interesting as it agrees with the observation originally proposed by
Nowlan and Heap, whereby in modern complex systems there are unlikely to be
many dominant age-related failure modes that would allow an assessment to be
made on the remaining useful life of equipment. In fact, in this study only 12% of
failure modes were identified as having an age-relationship, with the remaining
88% occurring randomly. This aligns very closely to the 11% / 89% divide
originally proposed by Nowlan and Heap.

This provided an early indication that it would be difficult to limit the operating age
of the asset and that the proposed method of managing failure would need to
consider ways of predicting that failure was occurring, as opposed to scheduled
tasks to overhaul or renew the equipment based on age. This also negates the
need for further in-depth reliability analysis of operating age for the majority of
components as doing so would likely produce inconclusive results, or perhaps worse,
a proposal of a failure management strategy that could result in the physical
intervention into an otherwise healthy system, thus increasing the probability of
infant mortality through maintenance induced failure.

10.2 The effects and consequences of failure


The failure analysis produced 120 failure modes, with only 54 of those actually
resulting in a functional failure that could have a negative impact on vessel
operations. This demonstrates the limitation of a top down approach which
focuses on a particular loss of function, as many of the failures associated with
the equipment could be missed. Furthermore, it was identified that three of the
failure modes that would not affect operations could actually result in severe injury
or even death of a crew member should they occur, something that again would
likely have been missed from using the top down approach, as shown below:

| Failure Mode Ref | Failure Mode | Failure Effects (System) | Safety Impact | Operational Impact |
|---|---|---|---|---|
| 7A1 | Any equipment earth bonding arrangement degrades | There will be a risk of severe injury / death of personnel from electric shock. | Permanent injury / death. | No impact on vessel operations. Cost of repair only. |
| 7B1 | Any machinery guard missing | In the event of personnel working in the vicinity, they would be exposed to rotating machinery. There is a possibility of severe injury to personnel. | Permanent injury. | No impact on vessel operations. Cost of repair only. |
| 8C1 | Any engine exhaust system expansion bellows degrades | A temporary bandaging of the bellows can be carried out to restore engine redundancy in a limited downtime. Possible health hazard to personnel due to exposure to carbon monoxide and hydrocarbon particulates. | Permanent injury. | No impact on vessel operations. Cost of repair only. |

Table 7: Opportunities for missed safety related consequences

This strengthens the argument for using this approach as the alternative would
be to identify such hazards through a separate process such as a HAZID,
extending the efforts of the project team and risking duplication and inconsistency
between analyses. The findings from the failure analysis could be used to
generate or supplement an existing HAZID through the auto-population of a
worksheet template, as shown at Appendix B – HAZID, which uses the data
already obtained to populate the following fields:

i. Hazard Number
ii. Equipment
iii. Hazard Type
iv. Cause
v. Hazard Sequence
vi. Consequences
vii. Severity
viii. Probability
ix. Risk Rating (Severity x Probability)
x. Control Method
xi. Control Measure

Similarly, further value could also be obtained by auto-populating a HAZOP with
further emphasis on achieving operational efficiency through the identification of
key words in the failure analysis, such as ‘Flow’, ‘Pressure’, ‘Level’, ‘Temperature’
and ‘Control’ to identify deviations from known parameters.
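
The auto-population described above, as an added example that is not the dissertation's Appendix B or its tooling. The mapping from worksheet columns to HAZID fields, the hazard type lookup, the probability classes, the control fields of the Table 7 rows and row X1 are assumptions made for illustration; severity is derived from the Table 5 wording.

```python
import re

# Rows 7A1, 7B1, 8C1 repeat Table 7 and 6B1, 6C1 repeat Table 8 of the paper.
# Probability classes, the control fields of the Table 7 rows and row X1 are
# constructed for this example.
WORKSHEET = [
    {"ref": "7A1",
     "failure_mode": "Any equipment earth bonding arrangement degrades",
     "system_effect": "There will be a risk of severe injury / death of "
                      "personnel from electric shock.",
     "safety_impact": "Permanent injury / death.", "probability": 4,
     "mgmt_type": "Detective", "mgmt_strategy": "Check earth bonding"},
    {"ref": "7B1",
     "failure_mode": "Any machinery guard missing",
     "system_effect": "In the event of personnel working in the vicinity, "
                      "they would be exposed to rotating machinery.",
     "safety_impact": "Permanent injury.", "probability": 3,
     "mgmt_type": "Detective", "mgmt_strategy": "Check guards are fitted"},
    {"ref": "8C1",
     "failure_mode": "Any engine exhaust system expansion bellows degrades",
     "system_effect": "Possible health hazard to personnel due to exposure "
                      "to carbon monoxide and hydrocarbon particulates.",
     "safety_impact": "Permanent injury.", "probability": 3,
     "mgmt_type": "Condition Based", "mgmt_strategy": "Inspect bellows"},
    {"ref": "6B1",
     "failure_mode": "Any engine low lub oil pressure trip circuit fails"},
    {"ref": "6C1", "failure_mode": "Any engine high cooling water "
                                   "temperature trip circuit fails"},
    {"ref": "X1", "failure_mode": "Controllable pitch propeller oil level low"},
]

# Wording from Table 5; a single death falls in class 4 (1 - 10 deaths).
SEVERITY_PHRASES = [(4, "death"), (3, "permanent injury"),
                    (2, "minor injury"), (1, "superficial injury")]
# Constructed phrase -> hazard type lookup.
HAZARD_TYPES = {"electric shock": "Electrical",
                "rotating machinery": "Mechanical",
                "carbon monoxide": "Toxic atmosphere"}
HAZOP_KEYWORDS = ("Flow", "Pressure", "Level", "Temperature", "Control")
KEYWORD_RE = re.compile(r"\b(" + "|".join(HAZOP_KEYWORDS) + r")\b", re.I)


def severity_class(safety_impact):
    """Highest Table 5 class whose wording appears in the safety impact."""
    text = (safety_impact or "").lower()
    hits = [cls for cls, phrase in SEVERITY_PHRASES if phrase in text]
    return max(hits) if hits else None


def hazard_type(effect):
    """Hazard type from the effect text, or a marker for manual review."""
    text = effect.lower()
    for phrase, kind in HAZARD_TYPES.items():
        if phrase in text:
            return kind
    return "Unclassified"


def build_hazid(rows, equipment):
    """One HAZID entry per worksheet row that records a safety impact."""
    hazid = []
    for row in rows:
        severity = severity_class(row.get("safety_impact"))
        if severity is None:
            continue  # no safety consequence recorded for this failure mode
        probability = row["probability"]
        hazid.append({
            "Hazard Number": f"H{len(hazid) + 1:03d}",
            "Equipment": equipment,
            "Hazard Type": hazard_type(row["system_effect"]),
            "Cause": f"{row['ref']}: {row['failure_mode']}",
            "Hazard Sequence": row["system_effect"],
            "Consequences": row["safety_impact"],
            "Severity": severity,
            "Probability": probability,
            "Risk Rating": severity * probability,
            "Control Method": row.get("mgmt_type", ""),
            "Control Measure": row.get("mgmt_strategy", ""),
        })
    return hazid


def hazop_index(rows):
    """Refs of the failure modes that mention each HAZOP key word as a whole
    word, so 'Controllable' does not count as 'Control'."""
    index = {keyword: [] for keyword in HAZOP_KEYWORDS}
    for row in rows:
        text = row["failure_mode"] + " " + row.get("system_effect", "")
        found = {m.group(1).capitalize() for m in KEYWORD_RE.finditer(text)}
        for keyword in HAZOP_KEYWORDS:
            if keyword in found:
                index[keyword].append(row["ref"])
    return index
```

Because every HAZID entry carries the failure mode reference in its Cause field, a later change to the failure analysis can be traced to the hazard record it feeds, which is the duplication and inconsistency risk the text raises.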

The failure effects also needed to identify the signs (if any) that failure was
occurring, otherwise there would be limited information on what could be used to
manage failure. For example, in order to choose a strategy such as Condition
Based Maintenance, there needs to be detectable signs that failure is occurring
otherwise there will be nothing to monitor, such as a drop in performance, warning
alarms, increase in equipment noise and vibration or remote indications etc.

All of these observations demonstrate the level of detail that needs to be captured
within the failure effects which demands a broad knowledge base and firm
understanding of the operating context by the analysis team. If the level of detail
is insufficient, it will be difficult to support the later stages of the process, so the
success of the methodology will be limited by the experience of the analyst / study
team.

10.3 Hidden failures


The analysis produced 11 failures that would not make themselves known to the
operator under normal circumstances and were therefore deemed to be hidden
failures. These failures would not give any signs that they have occurred and
would only become known to the crew in the event of a further, unrelated failure.
The importance of these types of failures should not be underestimated as these
will generally apply to components that provide a protective function, as shown in
the analysis:

▪ Oil mist detector unit warning circuit
▪ Local panel warning indication
▪ Electro-pneumatic over speed trip arrangement
▪ Low lub oil pressure trip circuit
▪ High cooling water temperature trip circuit
▪ Engine high charge air temperature trip circuit
▪ Engine crankcase explosion relief valve
▪ Equipment earth bonding arrangement
▪ Machinery guards
▪ Engine emergency stop arrangement
▪ Double walled high pressure fuel lines

It was discovered that in the event of these multiple failures occurring, over 50%
could result in safety related consequences so managing these failures becomes
of paramount importance, with the difficulty being the ability to detect that the
component is in a failed state. This led to a high number of detective tasks being
generated as the most appropriate failure management strategy as it aims to
improve the reliability of the protected function by maximising the availability of
the protective device, or in other words, a task to ensure the protective device is
available when needed, as shown by the following excerpt from the analysis:

| Failure Mode Ref | Failure Mode | Failure Detection | Failure Management Type | Failure Management Strategy |
|---|---|---|---|---|
| 6A1 | Any engine electro-pneumatic over speed trip arrangement fails | Requires multiple failure. | Detective | Main Engine - Functionally check electro-pneumatic over speed trip arrangement |
| 6B1 | Any engine low lub oil pressure trip circuit fails | Requires multiple failure. | Detective | Main Engine - Functionally check low lub oil pressure trip circuit |
| 6C1 | Any engine high cooling water temperature trip circuit fails | Requires multiple failure. | Detective | Main Engine - Functionally check high cooling water temperature trip circuit |
| 6C2 | Any engine high charge air temperature trip circuit fails | Requires multiple failure. | Detective | Main Engine - Functionally check high charge air temperature trip circuit |
| 9A1 | Any engine emergency stop arrangement fails | Requires multiple failure. | Detective | Main Engine - Functionally test emergency stops from all positions |

Table 8: Protective Devices

10.4 Failure management strategy selection


The strategy selected to manage each failure mode on the system was based on
the findings of the failure analysis which considered how the failure would occur
and the extent of the effects and consequences. At this point, the importance of
the detail that has gone into the analysis becomes clear as it
defines the type of strategy that will be selected. If mistakes or errors in
judgement have been made, ultimately the wrong strategy could be selected that
might not fully manage the root cause of failure and possibly even induce failure.

Figure 8: Failure Management Strategy Selection (pie chart: Condition Based 64%, Run to failure 17%, Scheduled Preventative 11%, Detective 7%, Procedural 1%)

There should be a clear alignment between the selected strategies and patterns
of failure previously discussed, as for example, a high percentage of scheduled
renewal / overhaul tasks should not be seen, given that only 12% of failures have
been identified as having an age relation and would therefore benefit from having
a limit put on the operating age. Ideally, there should be a high number of tasks
that aim to predict that failure is occurring, and this can be seen by the vast
majority of tasks being condition based (64%).

What is also evident from Figure 8 is the choice of the ‘Run to Failure’ strategy,
which accounts for 17%. This is due to the failure either being impossible to
predict or prevent, or, based on the effects and consequences, not being considered
worthwhile or cost effective to manage proactively. This is taking the operating
context into account and assessing whether certain failures are worth preventing,
or if the useful life of the equipment could be maximised by allowing the
equipment to run to failure, as long as the effects and consequences do not
impact safety, environment or operational effectiveness.
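
One way to encode the selection rules of section 9.3.3 and the alignment check described above, as an added example that is not the dissertation's own method or code. The order of the checks, the `min_useful_pf_days` threshold, the S-prefixed refs, the audited task list and every attribute value are assumptions; only the ref 6A1 and its Detective strategy come from Table 8.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class FailureMode:
    ref: str
    age_related: bool       # failure pattern shows an age relationship
    hidden: bool            # only revealed by a further, unrelated failure
    detectable_signs: bool  # e.g. alarms, noise, vibration, performance drop
    pf_interval_days: Optional[float]  # None if no consistent P-F interval
    safety_or_env_impact: bool
    operational_impact: bool


def select_strategy(fm, min_useful_pf_days=7.0):
    """Return the failure management type for one failure mode.
    The order of the checks is an assumption of this example."""
    if fm.hidden:
        # Nothing to monitor and no warning: check the device still works.
        return "Detective"
    if (fm.detectable_signs and fm.pf_interval_days is not None
            and fm.pf_interval_days >= min_useful_pf_days):
        # Signs exist and the P-F interval is long enough to act on.
        return "Condition Based"
    if fm.age_related:
        # Only an age relationship justifies a limit on operating age.
        return "Scheduled Preventative"
    if not (fm.safety_or_env_impact or fm.operational_impact):
        return "Run to Failure"
    # Cannot be predicted or prevented, and the consequences matter.
    return "One-off change"


def strategy_share(strategies):
    """Percentage of tasks per strategy, as plotted in Figure 8."""
    counts = Counter(strategies)
    total = sum(counts.values())
    return {name: round(100 * n / total) for name, n in counts.items()}


def unjustified_scheduled_tasks(modes, task_types):
    """Refs that carry a Scheduled Preventative task in `task_types`
    (ref -> strategy, from any source) without an age relationship."""
    by_ref = {fm.ref: fm for fm in modes}
    return sorted(ref for ref, kind in task_types.items()
                  if kind == "Scheduled Preventative"
                  and not by_ref[ref].age_related)


# Constructed sample. Ref 6A1 is from Table 8; the S-refs are hypothetical
# and every attribute value is assumed for illustration.
MODES = [
    FailureMode("6A1", False, True, False, None, True, False),
    FailureMode("S1", False, False, True, 30.0, False, True),
    FailureMode("S2", True, False, False, None, False, True),
    FailureMode("S3", False, False, False, None, False, False),
    FailureMode("S4", False, False, True, 1.0, True, True),
]
# Constructed third-party task list to audit against the analysis.
THIRD_PARTY_TASKS = {"6A1": "Detective", "S1": "Scheduled Preventative",
                     "S2": "Scheduled Preventative",
                     "S3": "Scheduled Preventative"}

if __name__ == "__main__":
    chosen = {fm.ref: select_strategy(fm) for fm in MODES}
    print(chosen)
    print(strategy_share(chosen.values()))
    print(unjustified_scheduled_tasks(MODES, THIRD_PARTY_TASKS))
```

The audit function is the check the paragraph calls for: a scheduled renewal or overhaul on a failure mode with no age relationship is flagged for justification rather than accepted by default.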

10.5 Alternative failure management strategies


Generating a bespoke failure management strategy based on the actual ways
that the asset can fail in its present operating context can produce what initially
appears to be obvious results. However, in reality and as discussed earlier in this
paper, many organisations are managing failure through the use of guidelines
and recommendations provided by third parties such as equipment
manufacturers, with little to no justification why certain tasks should be carried
out. This can be problematic for the following reasons:

▪ Manufacturer’s recommendations generally do not take the Operating
Context into account to fully understand how the equipment is operated
within the overall system or vessel. This can focus the efforts of the failure
management strategy at the wrong level and even result in certain system
components being omitted from the management plan, such as protective
devices and backup systems.
▪ Outside of the short-term warranty period, these are purely
recommendations and do not directly manage the specific ways the
equipment can fail in its Operating Context or consider if the task is even
worthwhile or cost effective based on the consequences of failure.
▪ Subjective interpretation and implementation of manufacturer guidelines
from equipment manuals can often result in duplicated maintenance
efforts; effectively conducting several separate tasks to manage one
particular Failure Mode. This leads to over maintaining the equipment,
thus increasing the likelihood of maintenance induced failure and
increased costs for spare parts and labour.
▪ Opportunities for ‘task packaging’ can be easily missed, again resulting in
frequent intrusive tasks being conducted on equipment and increasing the
likelihood of maintenance induced failure.
▪ Random failures that can be difficult to prevent are generally not
considered, resulting in extensive equipment downtime when critical spare
parts have not been identified and are therefore not immediately available
when reacting to failure.

To demonstrate this disparity, a comparison was made of the tasks produced by
the failure analysis to those recommended by the original equipment
manufacturer (OEM), which produced some very interesting results.

The immediate observation was that many of the suggested tasks were based on
an age relationship with failure, with 46% of tasks involving a scheduled renewal
or overhaul, compared to only 11% generated by the failure analysis. It should
also be noted that only one of these tasks was actually identified as having an
age relation with failure, with the rest occurring randomly with an inability to define
an operating limit on the equipment. This suggests that these tasks could either
be conducted too late, risking failure occurring before the recommended interval
is reached, or indeed too early, resulting in the disturbance of an otherwise healthy
system.

[Figure 9: Manufacturer Guidelines. Pie chart of OEM tasks by type: Scheduled Preventative 46%, Condition Based 41%, Detective 13%.]

(It should also be noted that, as the OEM guidelines are not based on Failure
Mode management, there could be a percentage of ‘run to failure’ tasks that
cannot be identified as the failures have not been recorded.)

On the other hand, there does appear to be a healthy percentage of OEM
suggested Condition Based Maintenance which aligns to many of the proposed
strategies generated by the failure analysis, however upon closer inspection,
many of these tasks are actually very intrusive in nature and would result in a
significant amount of disassembly of the equipment to allow the inspection to be
conducted. This increases the risk of maintenance induced failure and potential
increase in infant mortality following the inspection.

In order to provide a level of quantification of this risk, a simple assessment was
made which categorised the proposed strategies based on the level of physical
contact with the equipment, task complexity and opportunity for errors to be made
when conducting the task, as shown below:

Task Categorisation

| Class | Definition |
|---|---|
| 1 | Entirely non-intrusive. No physical contact. |
| 2 | Limited physical contact. No removal of components. |
| 3 | Moderate physical contact. Removal of minor components. |
| 4 | Significant physical contact. Removal of major components. |
| 5 | Extensive physical contact. Removal and overhaul of major components. |

Table 9: Task Categorisation

This allowed a comparison to be made between the different strategies, as shown
below:

| Failure Mode Ref | Task Derived via Analysis | OEM Suggested Task | Task Failure Probability (Analysis) | Task Failure Probability (OEM) |
|---|---|---|---|---|
| 1A17 | Main Engine - Check lubricating oil pressure | Physical inspection | 1 | 3 |
| 1A18 | Main Engine - Check engine driven lub oil pump pressure | Physical inspection | 1 | 4 |
| 1A26 | Main Engine - Check HT and LT cooling water temperatures | Physical inspection | 1 | 2 |
| 1A28 | Main Engine - Check HT water pressure | Physical inspection | 1 | 4 |
| 1A30 | Main Engine - Check LT water pressure | Physical inspection | 1 | 4 |
| 1A34 | Main Engine - Sample engine oil for signs of main bearing wear | Physical inspection | 1 | 5 |
| 1A35 | Main Engine - Crankshaft - Measure deflections | Physical inspection | 3 | 3 |
| 1A38 | Main Engine - Carry out engine performance trial | Physical inspection | 1 | 4 |
| 1A42 | Main Engine - Sample engine oil for signs of connecting rod small end bearing wear | Physical inspection | 1 | 4 |
| 1A44 | Main Engine - Camshaft - Inspect bearings for wear | Physical inspection | 2 | 2 |
| 1B1 | Main Engine - Sample lub oil to identify drive gear wear | Physical inspection | 1 | 2 |
| 1B4 | Main Engine - Camshaft - Inspect cam contact surfaces for signs of wear | Physical inspection | 2 | 2 |
| 1C1 | Main Engine - Carry out borescope inspection of cylinder liner for signs of wear | Physical inspection | 2 | 4 |
| 1C6 | Main Engine - Carry out engine performance trial | Physical inspection | 1 | 4 |

Table 10: Task Failure Probability

This is an important observation as it demonstrates the various methods that can
be used to identify the signs of failure to enable the loss of function to be
predicted, many of which require absolutely no physical intervention with the
equipment.

This is most evident with the OEM proposed physical inspection of the engine
driven pumps, which requires significant downtime of the engine and dismantling
of the components, when the same failure can be managed by simply monitoring
the pressure that the pump is producing via the remote pressure indications with
zero possibility of disturbing the system. Furthermore, more advanced modelling
of human reliability would not necessarily add any value to this simple
assessment as it is clear that the method that holds almost zero risk would be the
preferred option.
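
The comparison in Table 10 can be summarised numerically. The following Python sketch is an added example, not part of the dissertation: it transcribes the Table 10 values, validates them against the Table 9 scale, and reports how often the OEM task is more intrusive than the analysis-derived task. The function names and the "class 1 versus class 4 or higher" filter are assumptions made for illustration.

```python
from statistics import mean

# Table 9 scale: 1 = entirely non-intrusive ... 5 = removal and overhaul.
TASK_CLASSES = {
    1: "Entirely non-intrusive",
    2: "Limited physical contact",
    3: "Moderate physical contact",
    4: "Significant physical contact",
    5: "Extensive physical contact",
}

# Table 10 transcribed as: failure mode ref, analysis class, OEM class.
TABLE_10 = """
1A17,1,3
1A18,1,4
1A26,1,2
1A28,1,4
1A30,1,4
1A34,1,5
1A35,3,3
1A38,1,4
1A42,1,4
1A44,2,2
1B1,1,2
1B4,2,2
1C1,2,4
1C6,1,4
"""


def parse_rows(text):
    """Parse 'ref,analysis,oem' lines and reject classes outside Table 9."""
    rows = []
    for line in text.strip().splitlines():
        ref, analysis, oem = (field.strip() for field in line.split(","))
        analysis, oem = int(analysis), int(oem)
        for value in (analysis, oem):
            if value not in TASK_CLASSES:
                raise ValueError(f"{ref}: class {value} is not defined in Table 9")
        rows.append((ref, analysis, oem))
    return rows


def compare(rows):
    """Summarise how the OEM task class compares with the analysis task class."""
    deltas = {ref: oem - analysis for ref, analysis, oem in rows}
    return {
        "tasks": len(rows),
        "oem_more_intrusive": sorted(r for r, d in deltas.items() if d > 0),
        "same_class": sorted(r for r, d in deltas.items() if d == 0),
        "analysis_more_intrusive": sorted(r for r, d in deltas.items() if d < 0),
        "mean_analysis_class": round(mean(a for _, a, _ in rows), 2),
        "mean_oem_class": round(mean(o for _, _, o in rows), 2),
        # Assumed filter: a class 1 task replaces an OEM task of class 4 or 5.
        "avoidable_major_disassembly": [r for r, a, o in rows if a == 1 and o >= 4],
    }


if __name__ == "__main__":
    for key, value in compare(parse_rows(TABLE_10)).items():
        print(f"{key}: {value}")
```

For the fourteen failure modes in Table 10, none of the analysis-derived tasks is more intrusive than its OEM counterpart, and three are rated in the same class.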

11 Conclusions and Recommendations
The failure analysis has demonstrated the complexity of failure and has shown
that before any attempt can be made to plan how to manage it, failure must first
be fully understood. This begins with understanding what failure actually means
to the organisation to help define the level of reliability that is actually required
from the system. This is an extremely important first step in the process as it will
define the effort that is expended from that point on in trying to maximise
operational efficiency and minimise safety and environmental risk. Most
importantly, it should be derived by consensus between the necessary
stakeholders to ensure applicability to the organisational objectives.

Once this is known, understanding how and why failure occurs is the next step in
the process to identify the root causes, or events that result in an unsatisfactory
condition, or functional failure. At this point, effort is required to fully document
what happens when these failures occur with the aim of building a knowledge
base of the risk to safety, environment and operations as well as the signs that
are given to indicate that the failures are occurring. It is this crucial step that can
homogenise various discrete processes into one analysis to prevent duplicated
effort and conflicting recommendations, thus providing a holistic analysis that can
be used to feed the O&M phase of the asset lifecycle and support the safe and
reliable through-life management of the equipment. Again, this will involve input
from all relevant stakeholders to fully understand what happens in the particular
operating context, and not based on assumption. The technical competence and
engineering knowledge required to deliver this level of rigour is unlikely to ever
be provided by a solo analyst, as this would require an extremely broad area of
expertise. The analysis should therefore be conducted by an expert panel, each
bringing their own area of expertise under the guidance of a workshop facilitator
with the skills necessary to guide the group to reaching consensus.

Only at this point can the most suitable failure management strategy be selected
based on the collective understanding of how failure occurs and how it matters to
the organisation. The failure analysis that has been conducted in this paper and
the subsequent strategies selected for managing failure have shown how a large
proportion of non-intrusive strategies are available to enable potential failures to
be identified, thus minimising the physical interaction with the asset to lower the
probability of infant mortality. This evidence supports the findings of the Nowlan
and Heap report and application of Reliability-Centred Maintenance across the
last several decades.

However, for all of the condition based tasks that have been proposed, there must
be a supporting corrective task that would need to be conducted between the
point of identifying the potential failure condition and functional failure occurring.
The analysis has shown how the frequency of these corrective tasks can be
minimised to lower the rate of infant mortality, however this is only the first step
in maximising the inherent reliability of the system.

Corrective maintenance, by its very nature, will almost always involve the physical
interaction with the equipment, not only to disassemble the components for
overhaul or renewal, but also the system isolations that need to be performed to
make the equipment safe to maintain. All of these tasks will carry a level of risk,
both to the safety of personnel and to operations, therefore how these tasks are
conducted is of paramount importance as it can have the greatest impact on
safety and reliability. This was demonstrated by the procedural failures that
occurred on the Piper Alpha platform in 1988, taking the lives of 167 oil workers
and causing significant environmental damage and financial loss (Macalister,
2013).

This paper has demonstrated the firm foundations that need to be laid for
achieving asset safety and reliability by promoting the full understanding of failure
and identifying the most suitable methods of proactively managing it. However,
with the realisation that failure will always occur, the next step in the
process is to focus on what can go wrong when these corrective tasks are being
conducted. This would require further qualitative analysis of the vast number of
failure modes that could be introduced from human factors and other context
specific concerns, including:

▪ The skill level and experience of maintenance personnel.
▪ Workplace conditions including climate, working hours, ease of access,
time pressures.
▪ Company culture and employee morale.
▪ The availability of the correct tools, spare parts and specialist equipment.
▪ Availability and accuracy of maintenance procedures and instructions
including detailed isolation protocols, permit to work, tag outs and safe job
assessments.

Following identification of any potential failure modes, these can be analysed
using the same methodology and a failure management strategy identified that
will either predict, prevent or manage the consequences of failure. However, the
analysis should never be assumed to be complete as change is an inevitable fact
of life and this is no different when it comes to safety and reliability. This may
result from changes in the operating environment or use of the equipment, the
personnel operating and maintaining it, the company or charterer operating it, or
even the physical design of the asset through years of retrofits and modifications.

Any failure management program must therefore be kept alive, routinely updated,
refined and championed throughout the operating life of the asset, otherwise it
will succumb to natural degradation over time; an inevitable failure mode that, if
not prevented, could undo all of the effort invested and in the worst case, result
in catastrophic failure.

12 References
Burge, S. (2018). A Systems Approach to Failure Modes, Mechanisms, Effects
and Causes. [online] Available at:
https://www.burgehugheswalsh.co.uk/Uploaded/1/Documents/A-Systems-Approach-to-Failure-Modes-v1.pdf [Accessed 11 2020].

Busch, M. (2014). The Waddington Effect. [online] AOPA. Available at:
https://blog.aopa.org/aopa/2014/01/14/the-waddington-effect/ [Accessed 6 Nov.
2021].

Smith, D.J. (2017). Reliability, maintainability and risk: practical methods
for engineers. Oxford, United Kingdom: Butterworth-Heinemann.

Davis, R.A. (1993). Human Factors in the Global Marketplace — Keynote
address, Annual Meeting of the Human Factors and Ergonomics Society, Seattle,
12 October 1993.

HSE (2008). Safety zones around oil and gas installations in waters around the
UK. [online] Health and Safety Executive. Available at:
https://www.hse.gov.uk/pubns/indg189.pdf [Accessed 4 Jun. 2021].

International Marine Contractors Association (2016). Guidance on Failure
Modes and Effects Analysis (FMEA). [online] Available at:
https://www.imca-int.com/product/guidance-on-failure-modes-and-effects-analysis-fmea/
[Accessed 6 May 2021].

Life Cycle Engineering, Inc. (2019). Life Cycle Engineering. [online] Lce.com.
Available at: https://www.lce.com/Life-Cycle-Engineerings-Asset-Management-System-Framework-Using-Asset-Management-Capabilities-to-Create-Value-1422.html.

Macalister, T. (2013). Piper Alpha disaster: how 167 oil rig workers died. The
Guardian. [online] 4 Jul. Available at:
https://www.theguardian.com/business/2013/jul/04/piper-alpha-disaster-167-oil-rig.

Maersk (2009). Anchor Handling Tug Supply Vessel, STX 126, ‘Maersk Tender’
Operating Manual.

Moubray, J. and Lanthier, J.R. (2012). Reliability-centred maintenance. Oxford:
Butterworth-Heinemann.

Nowlan, F.S. and Heap, H. (1978). Reliability-Centred Maintenance. [online]
pp.11–13. Available at:
https://reliabilityweb.com/articles/entry/reliability_centered_maintenance_report_by_f_stanley_nowlan_and_howard/ [Accessed 22 Sep. 2021].

World Nuclear Association (2021). Chernobyl | Chernobyl Accident | Chernobyl
Disaster - World Nuclear Association. [online] World-nuclear.org. Available at:
https://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/chernobyl-accident.aspx.

Appendix A – Failure Analysis
Columns: Failure Mode Ref | Failure Mode | Functional Failure | Failure Pattern | Failure Effects (Equipment) | Failure Effects (System) | Safety Impact | Operational Impact | Failure Detection | Severity | Probability | Risk Rating | Failure Management Type | Failure Management Strategy | Task Interval | Task Related Risk | Justification | OEM Recommendation | OEM Task Interval | OEM Task Related Risk
Failure Mode Ref: 1A1
Failure Mode: Any engine monitoring panel fails
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Communication between the various engine sensors and engine monitoring system will be lost. Loss of system parameters will initiate alarms and the automatic shut down of the engine.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 3
Risk Rating: 6
Failure Management Type: Run to failure
Justification: There is no identifiable method of predicting or preventing this Failure Mode.

Failure Mode Ref: 1A2
Failure Mode: Any engine main start air valve degrades
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over a period of time the valve internals begin to degrade. Starting air is not distributed to the starter motor. The start sequence will not be fully initiated. An alarm will be initiated. The engine may not start.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Monitor engine start up time
Task Interval: On Start Up
Task Related Risk: 1
Justification: The P-F interval from initial signs of degradation (increase in start up times) to Functional Failure is considered to be > 500 run hours. However, an activity driven task to monitor the start up time is considered worthwhile.
OEM Recommendation: Overhaul
OEM Task Interval: 2000 Run Hour
OEM Task Related Risk: 3

Failure Mode Ref: 1A3
Failure Mode: Any engine start air system becomes contaminated
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Age relationship
Failure Effects (Equipment): Over a period of time, moisture within the control air system will eventually result in the contamination of components and possible corrosion leading to seizure. Possible secondary damage to system components. It may not be possible to start the engine.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 5
Risk Rating: 10
Failure Management Type: Scheduled Preventative
Failure Management Strategy: Main Engine - Manually drain condensate water from the start air reservoir
Task Interval: 1 Day
Task Related Risk: 1
Justification: The time taken for moisture build up is considered to be 1 week, however a proactive task to drain the condensate during engineer's rounds is considered worthwhile and cost effective.

Failure Mode Ref: 1A4
Failure Mode: Any engine air start motor control assembly fails
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Applicable items: Solenoid valves, relays, wiring. Loss of drive to the flywheel. The air starter will be unable to turn the engine. The engine will not start.
Failure Effects (System): The operator may be able to start the engine using the local manual start facility, otherwise an alternative engine will be run up either by automated control or operator initiated.
Safety Impact: None.
Operational Impact: No impact on vessel operations. Cost of repair only.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 3
Risk Rating: 6
Failure Management Type: Run to failure
Justification: There is no identifiable method of predicting or preventing this Failure Mode.
OEM Recommendation: Test
OEM Task Interval: 2000 Run Hours

Failure Mode Ref: 1A5
Failure Mode: Any engine air start motor internals wear
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over a period of time, wear of the internal components results in working tolerances being exceeded. The air starter is unable to turn the engine to the required speed. It may take longer to start the engine and eventually the engine may not start at all.
Failure Effects (System): An alternative engine will be run up either by automated control or operator initiated. The air starter motor can be exchanged to restore engine redundancy in a limited downtime.
Safety Impact: None.
Operational Impact: No impact on vessel operations. Cost of repair only.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Monitor engine start up time
Task Interval: On Start Up
Task Related Risk: 1
Justification: The P-F interval from initial signs of degradation (increase in start up times) to Functional Failure is considered to be > 500 run hours. However, an activity driven task to monitor the start up time is considered worthwhile.
OEM Recommendation: Overhaul
OEM Task Interval: 24000 Run Hour
OEM Task Related Risk: 3

Failure Mode Ref: 1A6
Failure Mode: Any engine speed monitoring assembly fails
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Applicable items: Sensors, fuses, relays, cards, wiring, circuitry. Communication between the various engine sensors and engine monitoring system will be lost. Loss of system parameters will initiate alarms and the automatic shut down of the engine.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 3
Risk Rating: 6
Failure Management Type: Run to failure
Justification: There is no identifiable method of predicting or preventing this Failure Mode.

Failure Mode Ref: 1A7
Failure Mode: Any engine speed sensor arrangement vibrates loose
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Speed sensor moves from its set position. The sensor may pick up speed signal intermittently or not at all. The engine will shut down on loss of a speed signal.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Inspect speed sensors for security
Task Interval: 1 Year
Task Related Risk: 2
Justification: The P-F interval from initial signs of loosening to functional failure is considered to be > 1 year.

Failure Mode Ref: 1A8
Failure Mode: Any engine governor lubricating oil degrades
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Age relationship
Failure Effects (Equipment): Oil degradation leads to increased wear of actuator components and eventual failure. Loss of hydraulic pressure causes output to move to zero fuel and also engine to trip on reverse power and shut down. Alarm will sound in MCR/SCC.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Scheduled Preventative
Failure Management Strategy: Main Engine - Governor - Renew lubricating oil
Task Interval: 2000 Run Hour
Task Related Risk: 2
Justification: The useful life of the lubricating oil is considered to be 2000 running hours iaw OEM documentation.

Failure Mode Ref: 1A9
Failure Mode: Any engine governor actuator filter blocks
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Age relationship
Failure Effects (Equipment): Debris builds up on oil filter surfaces. Restriction of oil pressure to Governor feed back oil system. Engine will hunt in response affecting operation of frequency sensitive equipment. Alarms will be initiated. The engine will be shut down automatically or by the operator before significant secondary damage.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Scheduled Preventative
Failure Management Strategy: Main Engine - Governor - Clean oil filter
Task Interval: 2001 Run Hour
Task Related Risk: 2
Justification: The age relation with blockage is considered to be 2000 hours iaw OEM guidance.

Failure Mode Ref: 1A10
Failure Mode: Any engine governor drive gear wears
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over a period of time, gear wear results in working tolerances being exceeded, leading to incorrect meshing of drive teeth and subsequent damage to tooth surfaces. Continued use leads to intermittent drive to engine auxiliaries. Eventually engine performance will be affected. The engine will be shut down by the operator.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 3
Probability: 3
Risk Rating: 9
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Inspect governor drive gear for wear
Task Interval: 12000 Run Hour
Task Related Risk: 2
Justification: The P-F interval from initial signs of wear to gear failure is considered to be > 12000 hours iaw OEM documentation.

Failure Mode Ref: 1A11
Failure Mode: Any engine governor actuator drive shaft bearing wears
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over a period of time, bearing wear results in working tolerances being exceeded. There will be increased noise and vibration and governor performance will eventually be affected. The engine will be shut down by the operator.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 3
Probability: 4
Risk Rating: 12
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Check drive shaft bearing clearance
Task Interval: 12000 Run Hour
Task Related Risk: 3
Justification: The P-F interval from initial signs of wear to failure is considered to be > 16,000 running hours iaw OEM documentation.

Failure Mode Ref: 1A12
Failure Mode: Any engine governor actuator fails
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): There will be a loss of engine control. Under or over fuelling will occur. The engine would trip on reverse power or overspeed and alarms would be initiated.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 3
Probability: 3
Risk Rating: 9
Failure Management Type: Run to failure
Justification: There is no identifiable method of predicting or preventing this Failure Mode.

Failure Mode Ref: 1A13
Failure Mode: Any engine governor fuel control mechanism lubrication degrades
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Age relationship
Failure Effects (Equipment): Over time the lubricating properties of the oil/grease will break down. Contamination and possible oxidation of exposed parts will restrict movement. Eventually the linkage will seize. Hunting may occur. Parameter alarms will be initiated.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 5
Risk Rating: 10
Failure Management Type: Scheduled Preventative
Failure Management Strategy: Main Engine - Governor - Lubricate fuel control mechanism
Task Interval: 2 Week
Task Related Risk: 2
Justification: The useful life of the lubricant is considered to be 2 weeks in this operating context.

Failure Mode Ref: 1A14
Failure Mode: Any engine governor fuel control mechanism wears
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over time the linkage connections work loose due to vibration and continuous movement. Loss of connection could result in engine over speed, unstable engine operation or a limited engine load range. The engine would trip on overspeed and alarms would be initiated.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Inspect governor fuel control mechanism for signs of wear
Task Interval: 4000 Run Hour
Task Related Risk: 1
Justification: The P-F from initial signs of wear to loss of function is considered to be > 4000 hours.

Failure Mode Ref: 1A15
Failure Mode: Any engine driven lub oil pump thermostatic control valve drifts
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over time the control valve settings deviate from the initial specification. Eventually the temperature will not be maintained to the correct value. Alarms will be initiated.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Check engine temperatures, pressures and fluid levels
Task Interval: 1 Day
Task Related Risk: 1
Justification: The P-F interval from initial signs of drift to Functional Failure is considered to be > 3 months in this Operating Context. However, a proactive task to monitor the lub oil temperature will give early indication of any potential failure condition and can be incorporated into rounds. OEM - Inspect valve - 2 years


Failure Mode Ref: 1A16
Failure Mode: Any engine driven lub oil pump bearings wear
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over time, clearance develops between the rotating and stationary elements. There will be an increase in noise and vibration. Eventually the pump may seize. Output pressure will drop. A low lub oil pressure alarm will be activated. On continued loss of pressure the engine will shut down.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Carry out vibration analysis
Task Interval: 3 Month
Task Related Risk: 1
Justification: The P-F interval from initial signs of vibration signature to bearing failure is considered to be > 1500 hours.
OEM Recommendation: Renew
OEM Task Interval: 3 years
OEM Task Related Risk: 4

Failure Mode Ref: 1A17
Failure Mode: Any engine driven lub oil pump pressure control valve drifts
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over time the control valve settings deviate from the initial specification. The valve does not respond to the pressure fluctuations within the lub oil manifold. In the worst case excessive lub oil is diverted back to the pump suction. Output pressure will fall. A low lub oil pressure alarm will be activated. On continued loss of pressure the engine will shut down.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Check lubricating oil pressure
Task Interval: 1 Day
Task Related Risk: 1
Justification: The P-F interval from initial signs of drift to functional failure is considered to be > 3 months. It is considered that a task to monitor the lub oil pressure will give early indication of any potential failure condition.
OEM Recommendation: Inspect
OEM Task Interval: 2 years
OEM Task Related Risk: 3

Failure Mode Ref: 1A18
Failure Mode: Any engine driven lub oil pump internals wear
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over a period of time the operating clearance between the pump internals and housing increases. As the tolerance is exceeded the output pressure will reduce. Eventually a low lub oil pressure alarm will be activated. The engine will be shut down.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 4
Risk Rating: 8
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Check engine driven lub oil pump pressure
Task Interval: 1 Day
Task Related Risk: 1
Justification: The P-F interval from initial signs of wear (reduction in discharge pressure) to Functional Failure is considered to be > 3 months. However, it is considered that a task to monitor the lub oil pressure during engineer's rounds will give early indication of any potential failure condition.
OEM Recommendation: Inspect
OEM Task Interval: 8000 Run Hour
OEM Task Related Risk: 4

Failure Mode Ref: 1A19
Failure Mode: Any engine lub oil filter blocks
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over a period of time, debris builds up on the filter element. Oil flow through the filter will decrease. An alarm will be initiated if the filter dP increases above the set point. In the worst case, the operator will shut down the engine.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 2
Probability: 5
Risk Rating: 10
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Check lub oil filter differential pressure
Task Interval: 1 Day
Task Related Risk: 1
Justification: The P-F interval from initial signs of blockage to significant reduction in flow is considered to be > 1 month, however a proactive task to check the pressure during engineer's rounds is considered worthwhile and cost effective.
OEM Recommendation: Renew
OEM Task Interval: 2000 Run Hour
OEM Task Related Risk: 3

Failure Mode Ref: 1A20
Failure Mode: Any engine lub oil cooler blocks (oil side)
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Effects (Equipment): This Failure Mode is not considered plausible due to the cleanliness of the operating medium and oil filtration system.
Justification: This Failure Mode is not considered plausible due to the cleanliness of the operating medium and oil filtration system.

Failure Mode Ref: 1A21
Failure Mode: Any engine lub oil cooler blocks (water side)
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Effects (Equipment): This Failure Mode is not considered plausible due to the cooling water treatment.
Justification: This Failure Mode is not considered plausible due to the cooling water treatment.

Failure Mode Ref: 1A22
Failure Mode: Any engine lub oil becomes contaminated
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over a period of time, contamination of the lubricating oil increases viscosity. Poor lubrication / cooling of engine components resulting in increased wear and possible secondary damage. Parameter alarms will be initiated and the engine will be shut down.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 3
Probability: 2
Risk Rating: 6
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Lubricating Oil - Take sample and conduct on board test
Task Interval: 1 Week
Task Related Risk: 1
Justification: The P-F interval from initial signs of contamination to possible secondary damage is considered to be > 1 week in this Operating Context.

Failure Mode Ref: 1A23
Failure Mode: Any engine lub oil degrades
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over a period of time, the lubricative properties of the oil break down. Poor lubrication / cooling of engine components resulting in increased wear and possible secondary damage. Parameter alarms will be initiated and the engine will be shut down.
Failure Effects (System): Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 3
Probability: 5
Risk Rating: 15
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Lubricating Oil - Take sample and send ashore for analysis
Task Interval: 3 Month
Task Related Risk: 1
Justification: The P-F interval from initial signs of degradation to possible secondary damage is considered to be > 3 months in this Operating Context.

Failure Mode Ref: 1A24
Failure Mode: Any engine cooling water corrosion inhibitor depletes
Functional Failure: Does not generate motive power at all at each diesel engine
Failure Pattern: Random
Failure Effects (Equipment): Over an extended period of time, the corrosion/scale inhibitive properties of the coolant will reduce. Scale will build up in the cooling passages, leading to higher running temperatures. Engine components will be subjected to thermal stress and corrosion. Eventually blockages or thermal inefficiency will cause the cooling water parameter alarms to be initiated. The engine will be shut down.
Failure Effects (System): In the worst case there may be secondary damage to engine internals. Loss of 50% propulsion power and electrical generation on affected shaftline. Power management system will automatically open bus tie breaker 7Q1 to re-configure the system.
Safety Impact: None.
Operational Impact: Loss of DP2 capability. Vessel off-hire.
Failure Detection: Failure eventually becomes known.
Severity: 3
Probability: 5
Risk Rating: 15
Failure Management Type: Condition Based
Failure Management Strategy: Main Engine - Sample cooling water and conduct on board test
Task Interval: 1 Week
Task Related Risk: 1
Justification: The P-F interval from initial signs of degradation to loss of protective properties is considered to be > 1 week.

1A25 Any engine cooling water depletes Does not generate motive power at Random Over a period of time, the cooling water depletes The operator will either replenish the system with None. No impact on vessel operations. Cost of repair Failure eventually 1 5 5 Condition Based Main Engine - Check cooling water level 1 Day 1 The P-F interval from initial signs of level drop to significant reduction in cooling
all at each diesel engine through evaporation and small system leakages. no effect on system operation. only. becomes known. water is considered to be > 1 month, however a proactive task to check the level
Alarms for low cooling water level or high system during engineer's rounds is considered worthwhile and cost effective.
temperatures will be initiated.

1A26 Any engine cooling system Does not generate motive power at Random Over a period of time, the internal element of the Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 4 8 Condition Based Main Engine - Check HT and LT cooling water temperatures Occasional 1 The P-F interval from initial signs of degradation (temperature drift) to functional Inspect 2 years 2
thermostatic control valve degrades all at each diesel engine valve degrades. The thermostat will be unable to generation on affected shaftline. Power becomes known. failure is considered to be > 3 months. It is considered that a task to monitor the
regulate and distribute the flow of coolant between management system will automatically open bus lub oil pressure will give early indication of any potential failure condition.
the split LT and HT circuit. System operating tie breaker 7Q1 to re-configure the system.
temperatures may increase and parameter alarms
will be initiated.

1A27 Any engine driven HT cooling pump Does not generate motive power at Random Over time, clearance develops between the Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 4 8 Condition Based Main Engine - Engine Driven HT Cooling Pump - Carry out 3 Month 1 The P-F interval from initial signs of vibration signature to bearing failure is Renew 3 years 4
bearings wear all at each diesel engine rotating and stationary elements. There will be an generation on affected shaftline. Power becomes known. vibration analysis considered to be > 1500 hours.
increase in noise and vibration. Eventually the management system will automatically open bus
pump may seize. Output pressure will drop. A low tie breaker 7Q1 to re-configure the system.
HT coolant pressure alarm will be activated.
1A28 Any engine driven HT water pump Does not generate motive power at Random Over a period of time the operating clearance Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 4 8 Condition Based Main Engine - Check HT water pressure 12000 Run Hour 1 The P-F interval from initial signs of wear (pressure decrease) to Functional Inspect 6000 Run Hour 4
internals wear all at each diesel engine between the pump internal gearing and housing generation on affected shaftline. Power becomes known. Failure is considered to be > 1000 running hours. However, it is considered that
increases. Specified tolerances will be exceeded management system will automatically open bus a task to monitor the pressure will give early indication of any potential failure
and coolant pressure will decrease. An alarm will tie breaker 7Q1 to re-configure the system. condition and can be incorporated into engineer's rounds.
be initiated when the pressure falls below the set
point, the control system will automatically shut
down the engine if the pressure continues to fall.

1A29 Any engine driven LT water pump Does not generate motive power at Random Over time, clearance develops between the Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 4 8 Condition Based Main Engine - Engine Driven LT Cooling Pump - Carry out 3 Month 1 The P-F interval from initial signs of vibration signature to bearing failure is Renew 3 years 4
bearing wears all at each diesel engine rotating and stationary elements. There will be an generation on affected shaftline. Power becomes known. vibration analysis considered to be > 1500 hours.
increase in noise and vibration. Eventually the management system will automatically open bus
pump may seize. Output pressure will drop. A low tie breaker 7Q1 to re-configure the system.
LT coolant pressure alarm will be activated.

1A30 Any engine driven LT water pump Does not generate motive power at Random Over a period of time the operating clearance Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 3 6 Condition Based Main Engine - Check LT water pressure 12000 Run Hour 1 The P-F interval from initial signs of wear (pressure decrease) to Functional Inspect 6000 Run Hour 4
internals wear all at each diesel engine between the pump internal gearing and housing generation on affected shaftline. Power becomes known. Failure is considered to be > 1000 running hours. However, it is considered that
increases. Specified tolerances will be exceeded management system will automatically open bus a task to monitor the pressure will give early indication of any potential failure
and coolant pressure will decrease. An alarm will tie breaker 7Q1 to re-configure the system. condition and can be incorporated into engineer's rounds.
be initiated when the pressure falls below the set
point, the control system will automatically shut
down the engine if the pressure continues to fall.

1A31 Any engine driven fuel pump Does not generate motive power at Random Over time, clearance develops between the Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 4 8 Condition Based Main Engine - Engine Driven Fuel Pump - Carry out vibration 3 Month 1 The P-F interval from initial signs of vibration signature to bearing failure is Renew 3 years 4
bearing wears all at each diesel engine rotating and stationary elements. There will be an generation on affected shaftline. Power becomes known. analysis considered to be > 1500 hours.
increase in noise and vibration. Eventually the management system will automatically open bus
pump may seize. Output pressure will drop. A low tie breaker 7Q1 to re-configure the system.
fuel pressure alarm will be activated.

1A32 Any engine driven fuel pump Does not generate motive power at Random Over a period of time, the operating clearance Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 3 6 Condition Based Main Engine - Check fuel oil feed pump pressure Occasional 1 The P-F interval from initial signs of wear (pressure decrease) to Functional
internals wear all at each diesel engine between the pump internals and housing generation on affected shaftline. Power becomes known. Failure is considered to be > 1000 running hours. However, it is considered that
increases. Specified tolerances will be exceeded management system will automatically open bus a task to monitor the pressure will give early indication of any potential failure
and oil pressure will decrease. An alarm for low tie breaker 7Q1 to re-configure the system. condition and can be incorporated into engineer's rounds.
fuel pressure will be initiated and the engine will be
shut down by the operator.

1A33 Any engine fuel oil filter blocks Does not generate motive power at Random Over a period of time, debris builds up on the filter The system can be re-configured to the alternative None. No impact on vessel operations. Cost of repair Failure eventually 1 5 5 Condition Based Main Engine - Check fuel filter differential pressure 1 Day 1 The P-F interval from initial signs of blockage to significant reduction in flow is Renew 500 Run Hour 3
all at each diesel engine restricting the flow of fuel oil to the pump. Alarms filter to sustain engine operation. There will be no only. becomes known. considered to be > 2 days, however a proactive task to check the pressure
for high differential pressure will be initiated. effect on system availability. during engineer's rounds is considered worthwhile and cost effective.

1A34 Any engine crankshaft main bearing Does not generate motive power at Random Over a period of time. clearance develops Major secondary damage will occur as a result of None. Loss of DP2 capability. Vessel off-hire. Failure eventually 4 3 12 Condition Based Main Engine - Sample engine oil for signs of main bearing wear 3 Month 1 The P-F interval from initial signs of wear (oil contamination) to bearing failure is Inspect 12000 Run Hour 5
wears all at each diesel engine between the crankshaft main journal and bearing the crankshaft bearing failure. An alternative engine becomes known. considered to be > 5000 run hours, however task interval amended to 3 months
surfaces. Specified tolerances will be exceeded will be run up either by automated control or to align with vessel routine oil sampling.
and in the worst case may eventually lead to operator initiated. The availability of alternative
wipening of the bearing and possible crank engines will facilitate graceful degradation.
seizure. Parameter alarms will be initiated and
engine will shut down automatically.

1A35 Any engine crankshaft deflects Does not generate motive power at Random The crank may deflect due to high axial operating Major secondary damage may occur as a result of None. Loss of DP2 capability. Vessel off-hire. Failure eventually 4 4 16 Condition Based Main Engine - Crankshaft - Measure deflections 12000 Run Hour 3 The P-F interval from initial signs of deflection to possible secondary damage is Inspect 12000 Run Hours 3
all at each diesel engine forces and stresses. Eventually misalignment will the crankshaft deflection. An alternative engine will becomes known. considered to be > 12000 hours iaw OEM documentation.
occur leading to bending stresses on the shaft and be run up either by automated control or operator
possible failure of major components. Eventually initiated. The availability of alternative engines will
engine parameters will be affected, alarms will be facilitate graceful degradation.
initiated and engine will be shut down.

1A36 Any engine turbocharger oil Does not generate motive power at Random Loss of lubrication of the bearings. There will be In the worst case, there will be a risk of severe None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 2 6 Condition Based Main Engine - Turbocharger - Check lubricating oil level 1 Day 1 The P-F interval from initial signs of level drop to loss of lubrication is
depletes all at each diesel engine an increase in running noise and vibration. secondary damage to the turbocharger. Loss of becomes known. considered to be > 2 weeks, however a proactive task to check the level during
Eventually the affected turbo charger will seize. 50% propulsion power and electrical generation on engineer's rounds is considered worthwhile and cost effective.
Parameter alarms will be initiated. The operator will affected shaftline. Power management system will
shut down the engine. automatically open bus tie breaker 7Q1 to re-
configure the system.

1A37 Any engine turbocharger bearing Does not generate motive power at Random Over a period of time, increased clearances In the worst case, there will be a risk of severe None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 4 12 Condition Based Main Engine - Turbocharger - Carry out vibration analysis 12000 Run Hour 1 The P-F interval from initial signs of vibration signature to bearing failure is Renew 12000 Run Hour 5
wears all at each diesel engine between the mating surfaces lead to internal secondary damage to the turbocharger. Loss of becomes known. considered to be > 1500 hours.
component misalignment. There will be an 50% propulsion power and electrical generation on
increase in running noise and vibration. Eventually affected shaftline. Power management system will
the affected turbo charger will seize. Parameter automatically open bus tie breaker 7Q1 to re-
alarms will be initiated. The operator will shut down configure the system.
the engine.
1A38 Any engine turbocharger internals Does not generate motive power at Random Over a period of time, the working tolerances are Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 4 12 Condition Based Main Engine - Carry out engine performance trial 1000 Run Hour 1 The P-F interval from initial signs of wear (combustion ratios) to Functional Inspect 12000 Run Hour 4
wear all at each diesel engine exceeded resulting in reduced compressor generation on affected shaftline. Power becomes known. Failure is considered to be > 1000 run hours in this Operating Context.
efficiency. Increased specific fuel consumption. management system will automatically open bus
Charge air pressure will decrease and exhaust tie breaker 7Q1 to re-configure the system.
temperatures will increase. Parameter alarms will
be initiated. The operator will shut down the
engine.
1A39 Any engine holding down bolts work Does not generate motive power at Age relationship Over time due to vibration and torsional stresses, Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 4 12 Scheduled Preventative Main Engine - Tighten holding down bolts 12000 Run Hour 3 The age relation with working loose is considered to be 12000 hours iaw OEM Tighten 12000 Run Hour 3
loose all at each diesel engine the holding down bolts may work loose. There will generation on affected shaftline. Power becomes known. recommendation.
be an increased stress on the engine. management system will automatically open bus
Misalignment between the diesel and alternator will tie breaker 7Q1 to re-configure the system.
develop. The unit will vibrate under load. In the
worst case, if not shut down damage could occur.

1A40 Any engine flexible coupling Does not generate motive power at Random Over a period of time, the flexible material breaks Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 4 12 Condition Based Main Engine - Check flexible coupling for signs of degradation 1 Year 3 The P-F interval from initial signs of degradation to failure is considered to be >
degrades all at each diesel engine down. The coupling will be weakened and may part generation on affected shaftline. Power becomes known. 1 year.
under load. Eventually the coupling will fail. Loss of management system will automatically open bus
drive to the alternator. tie breaker 7Q1 to re-configure the system.

1A41 Any engine lubricating oil depleted Does not generate motive power at Random During normal running oil is lost during the Loss of 50% propulsion power and electrical None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 3 6 Condition Based Main Engine - Check lubricating oil sump level 1 Day 1 The P-F interval from initial signs of level drop to loss of lubrication is
all at each diesel engine combustion process. Eventually the level of oil generation on affected shaftline. Power becomes known. considered to be > 2 days, however a proactive task to check the level during
within the sump will fall below the required running management system will automatically open bus engineer's rounds is considered worthwhile and cost effective.
level. A low lub oil level alarm will be initiated. The tie breaker 7Q1 to re-configure the system.
engine may be shut down.
1A42 Any engine connecting rod small Does not generate motive power at Random Over a period of time, clearance develops Major secondary damage may occur as a result of None. Loss of DP2 capability. Vessel off-hire. Failure eventually 4 3 12 Condition Based Main Engine - Sample engine oil for signs of connecting rod 3 Month 1 The P-F interval from initial signs of wear (oil contamination) to bearing failure is Inspect 24000 Run Hour 4
end bearing wears all at each diesel engine between the gudgeon pin and bearing surfaces. the possible bearing failure. Loss of 50% becomes known. small end bearing wear considered to be > 5000 run hours, however task interval amended to 3 months
Specified tolerances will be exceeded. Knocking propulsion power and electrical generation on to align with vessel routine oil sampling.
will occur under load which may be noticed by affected shaftline. Power management system will
personnel. Eventually the bearing may fail and automatically open bus tie breaker 7Q1 to re-
parameter alarms will be initiated. configure the system.

1A43 Any engine connecting rod big end Does not generate motive power at Random Over a period of time, clearance develops Major secondary damage may occur as a result of None. Loss of DP2 capability. Vessel off-hire. Failure eventually 4 3 12 Condition Based Main Engine - Sample engine oil for signs of connecting rod big 3 Month 1 The P-F interval from initial signs of wear (oil contamination) to bearing failure is Renew 24000 Run Hour 5
bearing wears all at each diesel engine between the bearing surfaces. Specified the possible bearing failure. Loss of 50% becomes known. end bearing wear considered to be > 5000 run hours, however task interval amended to 3 months
tolerances will be exceeded. Knocking will occur propulsion power and electrical generation on to align with vessel routine oil sampling.
under load which may be noticed by personnel. affected shaftline. Power management system will
Eventually the bearing may fail and parameter automatically open bus tie breaker 7Q1 to re-
alarms will be initiated. configure the system.

1A44 Any engine camshaft bearings wear Does not generate motive power at Random Over a period of time, clearance develops Secondary damage may occur to camshaft and None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 3 9 Condition Based Main Engine - Camshaft - Inspect bearings for wear 12000 Run Hour 3 The P-F interval from initial signs of wear to bearing failure is considered to be > Inspect 12000 Run Hour 2
all at each diesel engine between the camshaft and bearings resulting in valve gear. Loss of 50% propulsion power and becomes known. 12,000 hours iaw OEM documentation
excessive movement and increased running electrical generation on affected shaftline. Power
temperature and noise. Valve operation will be management system will automatically open bus
affected and parameter alarms for exhaust gas tie breaker 7Q1 to re-configure the system.
temperature deviation will be initiated.

1B1 Any engine drive gear assembly Does not generate motive power of Random Over time the drive gear wears, working tolerances The engine will remain available but at a reduced None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 3 6 Condition Based Main Engine - Sample lub oil to identify drive gear wear 3 Months 1 The P-F interval from initial signs of wear (oil contamination) to gear failure is Inspect 12000 Run Hour 2
wears up to a nominal specified rating will be exceeded resulting in incorrect meshing of capacity. This may result in a slow response to DP becomes known. considered to be > 10000 run hours, however task interval amended to 3
(8L27/38 - 2720kW@800rpm, drive teeth and subsequent damage to tooth operations and possible auto shut down of the months to align with vessel routine oil sampling.
7L27/38 - 2380 kW@800rpm) at surfaces. Continued use leads to intermittent drive engine under high loads.
each diesel engine to engine auxiliaries. Eventually engine
performance will be affected and parameter
alarms will be initiated.

1B2 Any engine cylinder head valve Does not generate motive power of Random Over a period of time, valve seat material wears The engine will remain available but at a reduced None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 4 8 Condition Based Main Engine - Cylinder Head - Check inlet and exhaust valve 1000 Run Hour 3 The P-F interval from initial signs of wear to functional failure is considered to be Overhaul 24000 Run Hour 4
wears up to a nominal specified rating reducing tappet clearance and may affect the capacity. This may result in a slow response to DP becomes known. clearances > 1000 hours iaw OEM documentation.
(8L27/38 - 2720kW@800rpm, sealing efficiency of the valve. Parameter alarms operations and possible auto shut down of the
7L27/38 - 2380 kW@800rpm) at for exhaust gas temperature deviation will be engine under high loads.
each diesel engine initiated.

1B3 Any engine fuel rack lubrication Does not generate motive power of Age relationship Over time the lubricating properties of the The engine will remain available but at a reduced None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 3 9 Scheduled Preventative Main Engine - Lubricate fuel racks 2 Week 1 The useful life of the lubricating oil in this operating context is considered to be 2
degrades up to a nominal specified rating oil/grease will break down. Contamination and capacity. This may result in a slow response to DP becomes known. weeks.
(8L27/38 - 2720kW@800rpm, possible oxidation of exposed parts will restrict operations and possible auto shut down of the
7L27/38 - 2380 kW@800rpm) at movement. Eventaully the linkage will seize. engine under high loads.
each diesel engine Hunting may occur. Parameter alarms will be
initiated.
1B4 Any engine camshaft profile wears Does not generate motive power of Random Over an extended period of time, the cam The engine will remain available but at a reduced None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 2 6 Condition Based Main Engine - Camshaft - Inspect cam contact surfaces for signs 12000 Run Hour 2 The P-F interval from initial signs of wear to functional failure is considered to be Inspect 12000 Run Hour 2
up to a nominal specified rating surfaces begin to wear, eventually affecting the capacity. This may result in a slow response to DP becomes known. of wear > 12000 hours iaw OEM documentation.
(8L27/38 - 2720kW@800rpm, smooth operation of the valve gear and fuel operations and possible auto shut down of the
7L27/38 - 2380 kW@800rpm) at pumps. Eventually engine performance will be engine under high loads.
each diesel engine affected and parameter alarms will be initiated.

1C1 Any engine cylinder liner wears Does not generate motive power Random Over a period of time, normal metal to metal The engine can be run in the short term whilst None. Loss of DP2 capability. Vessel off-hire. Failure eventually 2 3 6 Condition Based Main Engine - Carry out borescope inspection of cylinder liner for 12000 Run Hour 2 The P-F interval from initial signs of wear to failure is considered to be > 12,000 Inspect 12000 Run Hour 4
efficiently contact of the components causes erosion of the being monitored if required to maintain engine becomes known. signs of wear hours iaw OEM documentation
materials. This will lead to increased lub oil redundancy. Otherwise, an alternative engine will
consumption, blow past and hence reduced be run up either by automated control or operator
compression pressure. Crankcase pressure will initiated.
rise. Carbon deposits will enter the lub oil. Exhaust
temperature for the associated cylinder may rise.
Increase in fuel consumption to maintain load.
Alarms will be initiated. The engine will be shut
down.
1C2 Any engine piston ring wears Does not generate motive power Random Over a period of time, normal metal to metal The engine can be run in the short term whilst None. No impact on vessel operations. Cost of repair Failure eventually 2 4 8 Condition Based Main Engine - Carry out engine performance trial 1000 Run Hour 1 The P-F interval from initial signs of wear (combustion ratios) to Functional Overhaul 24000 Run Hour 4
efficiently contact of the components causes wear of the being monitored if required to maintain engine only. becomes known. Failure is considered to be > 1000 run hours in this Operating Context.
material. This will lead to increased lub oil redundancy. Otherwise, an alternative engine will
consumption, blow past and hence reduced be run up either by automated control or operator
compression pressure. Crankcase pressure will initiated.
rise. Carbon deposits will enter the lub oil. Exhaust
temperature for the associated cylinder may rise.
Increase in fuel consumption to maintain load.
Alarms will be initiated.

1C3 Any engine cylinder head assembly Does not generate motive power Random Applicable items: Valves, rotators, push rods, The engine can be run in the short term whilst None. No impact on vessel operations. Cost of repair Failure eventually 2 4 8 Condition Based Main Engine - Carry out engine performance trial 1000 Run Hour 1 The P-F interval from initial signs of wear (combustion ratios) to Functional Overhaul 24000 Run Hour 4
wears efficiently rocker arms, rocker arm bearings. being monitored if required to maintain engine only. becomes known. Failure is considered to be > 1000 run hours in this Operating Context.
Over time the head assembly will wear causing redundancy. Otherwise, an alternative engine will
incorrect air or fuel delivery ratios. Combustion will be run up either by automated control or operator
be affected. Parameter alarms will be initiated. initiated.
Eventually the engine will be shut down by the
operator.
1C4 Any engine turbocharger Does not generate motive power Age relationship Over time combustion products build up on the The engine can be run whilst being monitored if None. No impact on vessel operations. Cost of repair Failure eventually 2 5 10 Scheduled Preventative Main Engine - Carry out water washing of turbocharger 1 Week 2 The time taken for fouling to occur is considered to be 1 week in this Operating
compressor becomes fouled efficiently turbocharger internals. The performance will be required to maintain engine only. becomes known. compressor end Context.
degraded significantly and there will be an redundancy. Otherwise, an alternative engine will
increase in running noise. Combustion ratios will be run up either by automated control or operator
be affected causing performance degradation. initiated. The turbocharger can be cleaned to
Parameter alarms may be initiated. It is expected restore engine redundancy in a limited downtime.
that the engine will be shut down prior to severe
damage.
1C5 Any engine turbocharger turbine Does not generate motive power This Failure Mode is not considered plausible in This Failure Mode is not considered plausible in this Operating Context as the
becomes fouled efficiently this Operating Context as the engines run on engines run on diesel oil.
diesel oil.
1C6 Any engine cylinder head valve Does not generate motive power Random Applicable items: Swing follower, swing follower The engine can be run whilst being monitored if None. No impact on vessel operations. Cost of repair Failure eventually 2 4 8 Condition Based Main Engine - Carry out engine performance trial 1000 Run Hour 1 The P-F interval from initial signs of wear (combustion ratios) to Functional Inspect 20000 Run Hour 4
operating assembly wears efficiently shaft, pushrods, bearing pedestal, rocker arm, required to maintain engine redundancy. only. becomes known. Failure is considered to be > 1000 run hours in this Operating Context.
valve bridge, valve springs. Otherwise, an alternative engine will be run up
Over a period of time, wear of the working either by automated control or operator initiated.
components results in specified tolerances being
exceeded. Eventually combustion performance will
be affected. Parameter alarms will be initiated.

1C7 Any engine charge air cooler blocks Does not generate motive power Random Over a period of time, deposits form on the The engine can be run whilst being monitored if None. No impact on vessel operations. Cost of repair Failure eventually 1 4 4 Condition Based Main Engine - Check charge air temperatures 1 Day 1 The P-F interval from initial signs of blocking (charge air temperature) to
(air side) efficiently cooling surfaces. There will be a reduced heat required to maintain engine only. becomes known. Functional Failure is considered to be > 3 months in this Operating Context.
transfer. The combustion air temperature will rise redundancy. Otherwise, an alternative engine will However, a proactive task to monitor the temperature will give early indication of
resulting in poor combustion. Exhaust be run up either by automated control or operator any potential failure condition and can be incorporated into rounds.
temperatures will rise. A charge air temperature initiated.The engine charge air cooler could be
alarm will be initiated. Following diagnosis, the cleaned to restore cooling and to maintain engine
engine will be shut down by the operator. redundancy.

1C8 Any engine charge air cooler blocks Does not generate motive power This Failure Mode is not considered plausible due This Failure Mode is not considered plausible due to the perceived cleanliness
(water side) efficiently to the perceived cleanliness of the system and of the system and cooling water treatment.
cooling water treatment.
1C9 Any engine fuel injection valve Does not generate motive power Random Over a period of time the fuel injection nozzle will The engine can be run whilst being monitored if None. No impact on vessel operations. Cost of repair Failure eventually 2 4 8 Condition Based Main Engine - Carry out engine performance trial 1000 Run Hour 1 The P-F interval from initial signs of wear (combustion ratios) to Functional Overhaul 6000 Run Hour 4
wears efficiently wear resulting in fuel being injected at a lower required to maintain engine only. becomes known. Failure is considered to be > 1000 run hours in this Operating Context.
pressure resulting in incomplete combustion. redundancy. Otherwise, an alternative engine will
Combustion ratios will be affected causing be run up either by automated control or operator
performance degradation. Parameter alarms may initiated.
be initiated.
1C10 Any engine fuel injection pump Does not generate motive power Random Over time the operating clearances of the internals The engine can be run whilst being monitored if None. No impact on vessel operations. Cost of repair Failure eventually 2 4 8 Condition Based Main Engine - Carry out engine performance trial 1000 Run Hour 1 The P-F interval from initial signs of wear (combustion ratios) to Functional Overhaul 24000 Run Hour 4
wears efficiently such as the plunger and the pumps working required to maintain engine only. becomes known. Failure is considered to be > 1000 run hours in this Operating Context.
tolerances are exceeded. Reduced amount of fuel redundancy. Otherwise, an alternative engine will
will be injected per stroke along with a reduced be run up either by automated control or operator
maximum fuel pressure and a later point of initiated.
injection in the combustion cycle. Reduced power
output and increased specific fuel consumption.
The affected cylinder parameters may alarm.

1C11 | Any engine cylinder head indicator cock degrades | Does not generate motive power efficiently | Random | The cock cannot be opened or closed when required. This may occur when trying to run or shut down an engine. | The indicator cock will be removed and freed to restore engine redundancy in a limited downtime. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Run to failure | A proactive task to check / overhaul the indicator cocks is not considered worthwhile or cost effective due to the Failure Effects. | Inspect | 24000 Run Hour | 2
1C12 | Any engine fuel pressure control valve drifts | Does not generate motive power efficiently | Random | Over a period of time, the control valve settings begin to drift, eventually affecting the flow of fuel to/from the supply pump. There may be a lack of fuel to the injection pumps. Combustion ratios will be affected causing performance degradation. Parameter alarms may be initiated. | The engine can be run whilst being monitored if required to maintain engine redundancy. Otherwise, an alternative engine will be run up either by automated control or operator initiated. The control valve can be adjusted / renewed to restore full engine redundancy within a limited downtime. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 2 | 4 | 8 | Run to failure | A proactive task to check the adjustment of the fuel control valves is not considered worthwhile or cost effective due to the Failure Effects.
1C13 | Any engine cooling water channel becomes contaminated | Does not generate motive power efficiently | This Failure Mode is not considered plausible due to the perceived cleanliness of the system and cooling water treatment. | This Failure Mode is not considered plausible due to the perceived cleanliness of the system and cooling water treatment.
2A1 | Any engine prelub pump pressure control valve drifts | Unable to pre-lubricate the engine when shut down | Random | Over a period of time, the control valve settings begin to drift, eventually reducing the prelub pressure. Alarms will be initiated. | If required, it may be possible to override the prelub sequence and start the engine without prelubrication to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Condition Based | Main Engine - Check prelubricating oil pressure | 1 | The P-F interval from initial signs of drifting to functional failure is considered to be > 1 year. However, a proactive task to check the pump output pressure during use is considered the most practical method of managing this Failure Mode.
2A2 | Any engine prelub pump motor fails | Unable to pre-lubricate the engine when shut down | Random | Loss of drive to the pump. If stopped, the engine start sequence may be blocked by the engine control system. If running, lub oil pressure will decrease and an alarm will be initiated. | If required, it may be possible to override the prelub sequence and start the engine without prelubrication to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.

2A3 | Any engine prelub pump bearing lubrication degrades | Unable to pre-lubricate the engine when shut down | Age relationship | Over a period of time, the lubricative properties of the grease break down. There will be an increase in noise and vibration and the bearing may eventually seize. Loss of prelub pressure. An alarm will be initiated. | If required, it may be possible to override the prelub sequence and start the engine without prelubrication to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 5 | 5 | Scheduled Preventative | Main Engine - Prelubricating Pump – Grease bearings | 6 Month | 2 | The useful life of the grease is considered to be 6 months in this Operating Context.
2A4 | Any engine prelub pump bearings wear | Unable to pre-lubricate the engine when shut down | Random | Over a period of time, bearing wear results in increased clearances between the mating surfaces. There will be an increase in running noise and vibration. Eventually the bearings will fail causing the pump and motor to seize, the motor will be tripped by the MTPU. | If required, it may be possible to override the prelub sequence and start the engine without prelubrication to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Condition Based | Main Engine - Prelubricating Pump - Carry out vibration analysis | 1500 Run Hour | 1 | The P-F interval from initial signs of vibration signature to bearing failure is considered to be > 1500 hours. | Renew | 2 years | 4
2A5 | Any engine prelub pump internals wear | Unable to pre-lubricate the engine when shut down | Random | Over a period of time the operating clearance between the pump internals and housing increases. Specified tolerances will be exceeded and oil pressure will decrease. An alarm will be initiated. | If required, it may be possible to override the prelub sequence and start the engine without prelubrication to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Condition Based | Main Engine - Check prelubricating oil pressure | During Use | 1 | The P-F interval from initial signs of wear to functional failure is considered to be > 3 months. However, a proactive task to check the pump output pressure during use is considered the most practical method of managing this Failure Mode.
3A1 | Any engine turning gear assembly fails | Unable to turn the engine when shut down | Random | Applicable items: Motor, starter, control box, gearing, worm drive. There will be no drive to the crankshaft. The engine cannot be turned on the shaft. | It may not be possible to manually turn the engine for maintenance purposes or following a prolonged shutdown. It is not anticipated that the delay to maintenance evolutions will have any significant operational impact. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.
4A1 | Any engine fuel filter dP indicator fails | Does not indicate system parameters locally | Random | Loss of local dP indication across the filter. The operator will be unable to monitor filter condition locally. | The operation of the system will not be affected. The operator can ascertain true system pressure using alternative methods. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.
4A2 | Any engine lub oil filter dP indicator fails | Does not indicate system parameters locally | Random | Loss of local dP indication across the filter. The operator will be unable to monitor filter condition locally. | The operation of the system will not be affected. The operator can ascertain true system pressure using alternative methods. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.
4A3 | Any engine local panel indication fails | Does not indicate system parameters locally | Random | Applicable items: LEDs, circuitry, relays, fuses. The affected lamp does not illuminate or is extinguished when required. | The operation of the engine will not be affected. The operator can ascertain true system parameters using alternative methods. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.

4A4 | Any engine mechanical gauge drifts | Does not indicate system parameters locally | Random | Over a period of time, the gauge internals distort. The gauge does not indicate the correct pressure. The operator will be unable to monitor engine parameters locally. | The operation of the engine will not be affected. The operator can ascertain true system parameters using alternative methods. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 5 | 5 | Run to failure | Time taken to drift is considered to be 2 years, however a proactive task to calibrate the gauge is not considered worthwhile or cost effective due to the Failure Effects.
4A5 | Any engine mechanical gauge fails | Does not indicate system parameters locally | Random | The gauge does not indicate the correct pressure. The operator will be unable to monitor engine pressures locally. | The operation of the engine will not be affected. The operator can ascertain true system parameters using alternative methods. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.

4A6 | Any engine turbocharger bearing sightglass obscures | Does not indicate system parameters locally | This Failure Mode is not considered plausible due to the cleanliness of the lubricating oil. | This Failure Mode is not considered plausible due to the cleanliness of the lubricating oil.
4A7 | Any engine oil mist detector unit indication circuit fails | Does not indicate system parameters locally | Random | Applicable items: Lamp, circuit, relays, fuses. The affected lamp does not illuminate or is extinguished when required. | The operation of the system will not be affected. The operator can ascertain true system parameters using alternative methods. All system parameters are replicated via ECR. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.

4B1 | Any engine sensor drifts | Does not indicate system parameters remotely | Random | Applicable items: Temperature transmitters, pressure transmitters, level transmitters. The indication display will show the incorrect value. An alarm signal may be initiated. The watchkeeper will investigate the parameter locally. | The operation of the system will not be affected. The operator can ascertain true system parameters using alternative methods. Most system parameters are replicated on the control panels locally. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 3 | 4 | 12 | Run to failure | Proactive task to calibrate the gauges is not considered worthwhile and cost effective.

4B2 | Any engine sensor fails | Does not indicate system parameters remotely | Random | Applicable items: Temperature transmitters, pressure transmitters, level transmitters. The indication display will show a fault signal. An alarm signal may be initiated. The watchkeeper will investigate the parameter locally. | The operation of the system will not be affected. The operator can ascertain true system parameters using alternative methods. Most system parameters are replicated on the control panels locally. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.

5A1 | Any engine oil mist detector unit warning circuit fails | Does not warn of any abnormal conditions locally | Random | Applicable items: LEDs, wiring, circuitry. In the event of an abnormal condition, the fault lamp on the unit does not illuminate. | The failure will be indication only, any trip condition will still be satisfied. Alarms will be initiated via ECR. Fault diagnosis times may be slightly extended. | None. | No impact on vessel operations. | Cost of repair only. | Requires multiple failure. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.
5A2 | Any engine local panel warning indication fails | Does not warn of any abnormal conditions locally | Random | Applicable items: Lamp, wiring, circuitry. In the event of an abnormal condition, the warning circuit on the LCP does not illuminate. | The failure will be indication only, any trip condition will still be satisfied. Alarms will be initiated via ECR. Fault diagnosis times may be slightly extended. | None. | No impact on vessel operations. | Cost of repair only. | Requires multiple failure. | 1 | 3 | 3 | Run to failure | There is no identifiable method of predicting or preventing this Failure Mode.
5B1 | Any engine sensor feeding ECR fails | Does not warn of any abnormal conditions remotely | Any warning circuit failure will initiate a fault signal therefore the inability to warn is not considered plausible. | Any warning circuit failure will initiate a fault signal therefore the inability to warn is not considered plausible.
6A1 | Any engine electro-pneumatic over speed trip arrangement fails | Does not protect the engine in the event of overspeed | Random | In the event of the engine overspeeding, the engine is not automatically shut down. The engine will continue to overspeed and if no one is in attendance (to shut fuel valve or activate emergency stop) eventually engine failure will occur. | In the worst case, any delay in shutting down the engine may result in severe secondary damage to the engine casing with component parts being a safety hazard to personnel. | Permanent injury / death. | Loss of DP2 capability. | Vessel off-hire. | Requires multiple failure. | 4 | 3 | 12 | Detective | Main Engine - Functionally check electro-pneumatic over speed trip arrangement | 1 Year | 2 | There is no identifiable method of predicting or preventing this Failure Mode, however as this failure is 'Hidden', a detective task can be conducted to check if the component is in a failed state. | Test | 6000 Run Hour
6B1 | Any engine low lub oil pressure trip circuit fails | Does not protect the engine in the event of low lubricating oil pressure | Random | In the event of low LO pressure, the switch does not operate to activate the shutdown. The engine will continue to run. | There will be a reduction in cooling and lubricating of the engine components. Parameter alarms will eventually be initiated however in the worst case there could be severe secondary damage. The engine could be rendered inoperable. | None. | Loss of DP2 capability. | Vessel off-hire. | Requires multiple failure. | 4 | 3 | 12 | Detective | Main Engine - Functionally check low lub oil pressure trip circuit | 6 Month | 2 | There is no identifiable method of predicting or preventing this Failure Mode, however as this failure is 'Hidden', a detective task can be conducted to check if the component is in a failed state. | Test | 6000 Run Hour

6C1 | Any engine high cooling water temperature trip circuit fails | Does not protect the engine in the event of over temperature | Random | In the event of high cooling water temperature, the switch does not operate to activate the shutdown. The engine will continue to run. | Other system parameter alarms will be initiated and the operator will manually shut down the engine. However, in the worst case, there is a possibility of secondary damage to the engine. | None. | Loss of DP2 capability. | Vessel off-hire. | Requires multiple failure. | 4 | 3 | 12 | Detective | Main Engine - Functionally check high cooling water temperature trip circuit | 6 Month | 2 | There is no identifiable method of predicting or preventing this Failure Mode, however as this failure is 'Hidden', a detective task can be conducted to check if the component is in a failed state. | Test | 6000 Run Hour

6C2 | Any engine high charge air temperature trip circuit fails | Does not protect the engine in the event of over temperature | Random | In the event of high charge air temperature, the switch does not operate to activate the shutdown. The engine will continue to run. | Other system parameter alarms will be initiated and the operator will manually shut down the engine. However, in the worst case, there is a possibility of secondary damage to the engine. | None. | Loss of DP2 capability. | Vessel off-hire. | Requires multiple failure. | 4 | 3 | 12 | Detective | Main Engine - Functionally check high charge air temperature trip circuit | 6 Month | 2 | There is no identifiable method of predicting or preventing this Failure Mode, however as this failure is 'Hidden', a detective task can be conducted to check if the component is in a failed state. | Test | 6000 Run Hour
6D1 | Any engine crankcase explosion relief valve seizes | Does not protect the engine in the event of over pressurisation | Age relationship | Due to being set in the same position on the side of a hot contaminated crankcase for extended periods, the arrangement seizes. In the event of the pressure within the crankcase building up due to a primary explosion, the valve will not lift at the designed pressure. Once the valve lifts it may then stick in an open position, allowing air to be drawn back into the crankcase. It is highly probable that this fresh charge of air will allow combustion to take place for the much more serious crankcase explosion. | Possibility of severe secondary damage to the engine casing with component parts being a safety hazard to personnel. | Permanent injury / death. | Loss of DP2 capability. | Vessel off-hire. | Requires multiple failure. | 4 | 4 | 16 | Scheduled Preventative | Main Engine - Check correct operation of explosion relief valves | 4000 Run Hour | 2 | Time taken for seizure to occur is considered to be 4000 hours iaw OEM documentation. Operating the valve will prevent seizure.

7A1 | Any equipment earth bonding arrangement degrades | Does not protect personnel from electric shock | Random | Over a period of time, degradation of the cable insulation results in exposure of the copper and reduction in continuity. Earth Bonding continuity resistance will be greater than a specified safe resistance. In the event of an electrical failure to the body of the affected equipment, loss of Earth Bonding may result in the equipment becoming electrically charged. Risk of electrical shock in the event of an equipment fault. | There will be a risk of severe injury / death of personnel from electric shock. | Permanent injury / death. | No impact on vessel operations. | Cost of repair only. | Requires multiple failure. | 4 | 3 | 12 | Condition Based | Main Engine - Carry out earth bonding continuity checks | 6 Month | 1 | The P-F interval from initial signs of degradation to Functional Failure is considered to be > 1 year in this Operating Context.

7B1 | Any machinery guard missing | Does not protect personnel from rotating machinery | Random | This is most likely to occur following maintenance. | In the event of personnel working in the vicinity, they would be exposed to rotating machinery. There is a possibility of severe injury to personnel. | Permanent injury. | No impact on vessel operations. | Cost of repair only. | Requires multiple failure. | 3 | 3 | 9 | Change Action | Main Engine - Ensure Machinery Guards Are Fitted After Each Maintenance Evolution | 1 | Proactive task cannot manage, prevent or predict this failure mode. Mandatory change action generated.

8A1 | Any engine fuel injection system seal degrades | Does not contain fuel oil | Random | Over a period of time, the seal material begins to deteriorate eventually allowing fuel to pass. Any leakage will drain to the leak tank and an alarm will be initiated. | The operator will investigate the cause of the alarm. An alternative engine will be run up either by automated control or operator initiated. In the worst case, a sustained fuel leak will pose a fire risk on a hot running engine. | Permanent injury / death. | Loss of DP2 capability. | Vessel off-hire. | Failure eventually becomes known. | 4 | 3 | 12 | Condition Based | Main Engine - Check the quantity of leak fuel | 1 Day | 1 | The P-F interval from initial signs of degradation to significant loss of containment is considered to be > 1 week, however a proactive task to check the leak fuel during engineer's rounds is considered worthwhile and cost effective.

8A2 | Any on engine fuel system pipework degrades | Does not contain fuel oil | Random | Applicable Items: Pipework, joints, flanges, gaskets, soft seals, 'O' Rings (any open ended component). Over a period of time the affected seal/joint/component breaks down eventually allowing fuel to seep from the pipework. The leak will be visible to the operator. A dirty fuel tank leakage alarm may be initiated. The engine will be shut down. | The operator will investigate the cause of the alarm. An alternative engine will be run up either by automated control or operator initiated. In the worst case, a sustained fuel leak will pose a fire risk on a hot running engine. | Permanent injury / death. | Loss of DP2 capability. | Vessel off-hire. | Failure eventually becomes known. | 4 | 4 | 16 | Condition Based | Main Engine - Check for on engine system leaks | 1 Day | 1 | The P-F interval from initial signs of degradation to significant loss of containment is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.
8B1 | Any engine starter motor seal degrades | Does not contain lubricating oil | Random | Over a period of time, the seal material breaks down eventually allowing servo oil to pass. The rate of leakage will be gradual. This will be noticed by the operator during rounds or due to the excessive consumption of start air. | There will be no effect on engine availability as the start system will remain available. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Condition Based | Main Engine - Check starter motor for leaks | Once Per Watch | 1 | The P-F interval from initial signs of degradation to significant oil loss is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.

8B2 | Any engine lub oil system pipework degrades | Does not contain lubricating oil | Random | Applicable Items: Pipework, joints, flanges, gaskets, soft seals, 'O' Rings. Over a period of time the affected seal/joint/component breaks down eventually allowing lub oil to seep from the pipework. The leak will be visible to the operator. A dirty fuel tank leakage alarm may be initiated or the leak will be visible. Eventually a sump level alarm would also be activated. | The engine can be run in the short term whilst being monitored if required to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Condition Based | Main Engine - Check for on engine system leaks | 1 | The P-F interval from visible signs of degradation in pipework to leakage is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.
8B3 | Any engine inspection door gasket degrades | Does not contain lubricating oil | Random | Over a period of time, the gasket material begins to deteriorate eventually allowing lub oil to pass. This will be noticed by the operator during rounds, otherwise eventually an alarm will be initiated for oil sump level low. | The engine can be run in the short term whilst being monitored if required to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Condition Based | Main Engine - Check for on engine system leaks | 1 | The P-F interval from visible signs of degradation in pipework to leakage is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.

8B4 | Any lub oil cooler seals degrade | Does not contain lubricating oil | Random | Over a period of time, the seal material breaks down eventually allowing lub oil to pass. The rate of leakage will be gradual. This will be noticed by the operator during rounds, otherwise eventually an alarm will be initiated for oil sump level low. | The engine can be run in the short term whilst being monitored if required to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Condition Based | Main Engine - Check for on engine system leaks | 1 | The P-F interval from visible signs of degradation in pipework to leakage is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.

8B5 | Any engine driven pump seal degrades | Does not contain lubricating oil | Random | Over a period of time, the seal material begins to deteriorate eventually allowing lub oil to pass. This will be noticed by the operator during rounds, otherwise eventually an alarm will be initiated for oil sump level low. | The engine can be run in the short term whilst being monitored if required to maintain engine redundancy. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Condition Based | Main Engine - Check for on engine system leaks | 1 | The P-F interval from visible signs of degradation to significant leakage is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.

8B6 | Any engine lub oil cooler plate corrodes | Does not contain lubricating oil | This Failure Mode is not considered plausible due to the lubricative medium and the cooling water treatment. | This Failure Mode is not considered plausible due to the lubricative medium and the cooling water treatment.
8B7 | Any engine prelub pump shaft seal degrades | Does not contain lubricating oil | Random | Over a period of time, the mating faces are depleted by the action of rotational friction, the surfaces will become worn and eventually they will no longer form a tight seal. Eventually lub oil will leak from the affected pump seal. The rate of the leak will be gradual. Eventually an alarm will be initiated for oil sump level low. | If required, the pre-lub oil pump can be isolated to prevent further leakage until repairs can be made and the engine turned over slowly to pre-lubricate prior to main start. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Condition Based | Main Engine - Check prelub pump for leaks | 1 | The P-F interval from visible signs of degradation to significant leakage is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.

8C1 | Any engine exhaust system expansion bellows degrades | Does not contain exhaust gas | Random | Over a period of time, the bellows material breaks down eventually allowing exhaust gases to be passed into the engine room atmosphere. This will be noticed by Engine Crew due to the smell/heat or the signs of by-products on the lagging. The engine will be shut down. | A temporary bandaging of the bellows can be carried out to restore engine redundancy in a limited downtime. Possible health hazard to personnel due to exposure to carbon monoxide and hydrocarbon particulates. | Permanent injury. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 3 | 3 | 9 | Condition Based | Main Engine - Visually inspect exhaust bellows for signs of degradation | 1 Year | 1 | The P-F interval from visible signs of degradation in bellows to leakage is considered to be > 2 years.

8D1 | Any on engine cooling water system pipework degrades | Does not contain cooling water | Random | Applicable Items: Pipework, joints, flanges, gaskets, seals. Over a period of time, the affected component breaks down eventually allowing coolant to leak from the pipework. The leak will be noticed by the operator, otherwise eventually an alarm will be initiated for expansion tank level low. | A temporary repair can be carried out to restore engine redundancy in a limited downtime. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 4 | 4 | Condition Based | Main Engine - Check for on engine system leaks | 1 | The P-F interval from visible signs of degradation in pipework to leakage is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.

8D2 | Any engine cylinder liner seal degrades | Does not contain cooling water | Random | Over a period of time, the seal material hardens and deteriorates, eventually allowing cooling water to pass into the crankcase. Increased water levels will be present in the lubricating oil which may accelerate component wear. Coolant expansion tank level will gradually decrease until the low level alarm is initiated and the operator shuts down the engine. | The oil will be circulated through the purifiers to remove any significant water build up to maintain engine availability. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 3 | 4 | 12 | Condition Based | Main Engine - Sample oil and check for water quantity | 1 Week | 1 | The P-F interval from initial signs of degradation (water in oil) to significant loss of containment is considered to be > 1 week.

8D3 | Any engine cylinder liner erodes (water side) | Does not contain cooling water | This Failure Mode is not considered plausible due to the water treatment and operating pressure. | This Failure Mode is not considered plausible due to the water treatment and operating pressure.

8D4 | Any engine charge air cooler tubes erode | Does not contain cooling water | Random | Over time the flow of water through the tubes causes material wastage. Eventually the reduction in wall thickness will result in the tube failing under pressure. Water will leak from the water drain holes. This will be noticed by the operator. The header tank level will also drop. | A temporary repair can be carried out to restore engine redundancy in a limited downtime. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 1 | 3 | 3 | Condition Based | Main Engine - Check charge air cooler drain for water leakage | Occasional | 1 | The P-F interval from initial signs of erosion to significant loss of containment is considered to be > 4000 hours. However, a daily proactive task to check for leakage through the open drain line is considered worthwhile and cost effective and can be incorporated into engineer's rounds.

8D5 | Any engine cylinder head gasket degrades | Does not contain cooling water | Random | Over a period of time, the cylinder head gasket material begins to break down, eventually allowing system mediums to leak from the affected cylinder. The leak will either be noticed by the operator or the level of coolant in the expansion tank will gradually decrease until the low level alarm is raised. | The leak will be tolerated and the expansion tank kept topped up until repairs can be made. | None. | No impact on vessel operations. | Cost of repair only. | Failure eventually becomes known. | 2 | 4 | 8 | Condition Based | Main Engine - Check for on engine system leaks | 1 | The P-F interval from visible signs of degradation to significant leakage is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.
8D6 | Any engine charge air cooler gasket degrades | Does not contain cooling water | Random | Over a period of time, the gasket material begins to break down, eventually allowing system mediums to leak. The leak will either be noticed by the operator or the level of coolant in the expansion tank will gradually decrease until the low level alarm is raised and the engine is shut down by the operator. | An alternative engine will be run up either by automated control or operator initiated. The availability of alternative engines will facilitate graceful degradation. | None. | Loss of DP2 capability. | Vessel off-hire. | Failure eventually becomes known. | 2 | 4 | 8 | Condition Based | Main Engine - Check for on engine system leaks | 1 | The P-F interval from visible signs of degradation to significant leakage is considered to be > 1 week, however a proactive task to check for leaks during engineer's rounds is considered worthwhile and cost effective.
8D7 | Any engine lub oil cooler tubes erode | Does not contain cooling water | This Failure Mode is not considered plausible in the lifetime of the vessel due to the cleanliness of the cooling water. | This Failure Mode is not considered plausible in the lifetime of the vessel due to the cleanliness of the cooling water.
8E1 Any air start system pipework Does not contain start air Random Applicable Items: Pipework, joints, flanges, The leak will be tolerated until repairs can be None. No impact on vessel operations. Cost of repair Failure eventually 1 3 3 Condition Based Main Engine - Check for on engine system leaks 1 The P-F interval from visible signs of degradation to significant leakage is
degrades gaskets, seals. made. only. becomes known. considered to be > 1 week, however a proactive task to check for leaks during
Over a period of time, the affected component engineer's rounds is considered worthwhile and cost effective.
breaks down eventually allowing air to leak from
the pipework. The leak will be noticed by the
operator. The start air supply can be isolated to
prevent further leakage allowing the engine to
continue running or the engine will be shut down.

9A1 Any engine emergency stop Unable to shutdown the engine in an Random In the event of the requirement to initiate an The engine will be stopped in some other manner Permanent injury. Loss of DP2 capability. Vessel off-hire. Requires multiple failure. 3 2 6 Detective Main Engine - Functionally test emergency stops from all 6 Month 2 There is no identifiable method of predicting or preventing this Failure Mode,
arrangement fails emergency emergency stop, the engine does not stop. (e.g. closing the fuel valve) however the delay may positions however as this failure is 'Hidden', a detective task can be conducted to check if
escalate an emergency scenario causing more the component is in a failed state.
engine damage or injury to personnel.

10A1 Any engine resilient mount Does not attenuate noise and Random Over a period of time, the mount compound will The engine will be shut down but will be available None. No impact on vessel operations. Cost of repair Failure eventually 2 3 6 Condition Based Main Engine - Check and record resilient mount deflections and 5 Year 1 The P-F interval from initial signs of degradation to loss of function is considered
degrades vibration break down. Machinery vibration will be transmitted as a standby to sustain engine redundancy. only. becomes known. inspect for condition to be > 5 years in this Operating Context.
to the ships hull via the bedplate and this will
eventually be apparent to Engine Crew due to the
increase in noise. Mis-alignment may eventually
occur.
11A1 Any engine exhaust insulation Does not thermally insulate the on Random Over time the insulation material will break down #The insulation can be temporarily refitted to None. No impact on vessel operations. Cost of repair Failure eventually 1 3 3 Condition Based Main Engine - Visually inspect exhaust insulation for condition 1 Year 1 The P-F interval from initial signs of degradation to loss of function is considered
degrades engine exhaust system due to heat, gases and condensation. The restore engine redundancy in a limited downtime. only. becomes known. to be > 1 year in this Operating Context.
operator will notice an increase in radiated noise
and heat. Smoking may occur when the lagging
touches the hot exhaust trunking. This is not
expected to result in a fire due to the materials
used. The engine may be shut down.

12A1 Any engine lub oil centrifugal filter Does not filter system mediums Age relationship Over a period of time, deposits begin to build up Filtration will be maintained by the main lub oil None. No impact on vessel operations. Cost of repair Failure eventually 1 5 5 Scheduled Preventative Main Engine - Lubricating Oil - Clean centrifugal filter 1000 Run Hour 2 The time taken for blockage is considered to be 1000 running hours in this
blocks on the filter periphery until eventually restricting the filters however blocking rates may be increased. only. becomes known. Operating Context.
flow of oil and centrifugal action of the filter.
12A2 Any engine lub oil centrifugal filter Does not filter system mediums This Failure Mode is not considered plausible due This Failure Mode is not considered plausible due to the robust design of the
assembly wears to the robust design of the filter. filter.
12A3 Any engine lub oil filter degrades Does not filter system mediums This useful life of the filter is expected to be in This useful life of the filter is expected to be in excess of the time taken to block,
excess of the time taken to block, at which point at which point the filter cartridge will be renewed. Therefore this Failure Mode is
the filter cartridge will be renewed. Therefore this not considered plausible.
Failure Mode is not considered plausible.

12A4 Any engine fuel oil filter degrades Does not filter system mediums This failure mode is not considered plausible due This failure mode is not considered plausible due to the strainer material and
to the strainer material and system medium. system medium.

12A5 Any engine air start motor filter Does not filter system mediums This Failure Mode is not considered plausible due This Failure Mode is not considered plausible due to the simple and robust
degrades to the simple and robust construction of the filter. construction of the filter.

12A6 Any engine governor actuator oil Does not filter system mediums This Failure Mode is not considered plausible due This Failure Mode is not considered plausible due to the robust construction of
filter degrades to the robust construction of the filter and being the filter and being submerged in lubricating oil.
submerged in lubricating oil.
13A1 Any engine manual start assembly Unable to manually start the engine This Failure Mode is not considered plausible due This Failure Mode is not considered plausible due to the simple and robust
fails on loss of remote operation to the simple and robust design of the air start design of the air start valve pushbutton assembly.
valve pushbutton assembly.
14A1 Any engine control air reservoir Unable to drain system mediums This Failure Mode is not considered plausible in This Failure Mode is not considered plausible in the operating environment.
manual drain valve seizes the operating environment.
14A2 Any engine charge air cooler drain Unable to drain system mediums This Failure Mode is not considered plausible due This Failure Mode is not considered plausible due to the constant flow of air
line blocks to the constant flow of air during operation which during operation which will prevent any debris build up.
will prevent any debris build up.

14A3 Any engine lub oil sample valve Unable to drain system mediums This Failure Mode is not considered plausible due This Failure Mode is not considered plausible due to the lubricative properties of
seizes to the lubricative properties of the system medium. the system medium.

14A4 Any engine equipment vent plug Unable to drain system mediums Age relationship The operator will be unable to vent the affected The plug can be forced and the assembly None. No impact on vessel operations. Cost of repair Failure eventually 1 5 5 Run to failure A proactive task to clean / inspect the plug is not considered worthwhile or cost
seizes equipment during maintenance. repaired. Any delay to maintenance evolutions is only. becomes known. effective due to the effects of failure.
not anticipated to have any operational impact.

15A1 Any engine HP fuel line fractures Does not contain HP fuel following Random Over a period of time, a combination of the fuel HP fuel will pose a fire risk on a hot running engine. Permanent injury / Loss of DP2 capability. Vessel off-hire. Requires multiple failure. 4 3 12 Condition Based Main Engine - Visually inspect HP fuel pipes for condition 1 Month 1 The P-F interval from initial signs of fracturing to failure is considered to be > 2
an internal fuel line leak pressure, temperature and fuel line leak internal There will be a risk of severe injury / death of death. months.
fuel line leak vibration cause the fuel pipe or personnel in a fire scenario.
connections to break down. Surface cracks,
discolouration or loose connections will appear. In
the event of a fuel leak from an internal pipe, the
sheath may not contain the fuel.

16A1 Any engine degrades whilst shut Unable to generate motive power Age relationship The lubricating oil within the engine eventually Possibility of secondary damage to engine None. Loss of DP2 capability. Vessel off-hire. Failure eventually 3 5 15 Scheduled Preventative Main Engine - Turn engine if not run in the past 7 days 1 Week 2 The age relation with component degradation when shut down is considered to
down following a prolonged period of drains to the sump. Loss of protective film on components may render the engine inoperable. becomes known. be 1 week in this Operating Context.
shutdown metal surfaces results in possible corrosion and Loss of 50% propulsion power and electrical
seizure of components. The engine will either fail generation on affected shaftline. Power
to start following a prolonged period of shutdown, management system will automatically open bus
or secondary damage will result. tie breaker 7Q1 to re-configure the system.
Appendix B – HAZID
| Hazard Number | Equipment | Hazard Type | Cause | Hazard Sequence | Consequences | Severity | Probability | Risk Rating (Severity x Probability) | Control Method | Control Measure |
|---|---|---|---|---|---|---|---|---|---|---|
| 6A1 | Main Engine | Equipment failure | Any engine electro-pneumatic over speed trip arrangement fails | In the event of the engine overspeeding, the engine is not automatically shut down. The engine will continue to overspeed and if no one is in attendance (to shut fuel valve or activate emergency stop) eventually engine failure will occur. | In the worst case, any delay in shutting down the engine may result in severe secondary damage to the engine casing with component parts being a safety hazard to personnel. | 4 | 3 | 12 | Maintenance | Main Engine - Functionally check electro-pneumatic over speed trip arrangement |
| 6D1 | Main Engine | Equipment failure | Any engine crankcase explosion relief valve seizes | Due to being set in the same position on the side of a hot contaminated crankcase for extended periods, the arrangement seizes. In the event of the pressure within the crankcase building up due to a primary explosion, the valve will not lift at the designed pressure. Once the valve lifts it may then stick in an open position, allowing air to be drawn back into the crankcase. It is highly probable that this fresh charge of air will allow combustion to take place for the much more serious crankcase explosion. | Possibility of severe secondary damage to the engine casing with component parts being a safety hazard to personnel. | 4 | 4 | 16 | Maintenance | Main Engine - Check correct operation of explosion relief valves |
| 7A1 | Main Engine | Electric shock | Any equipment earth bonding arrangement degrades | Over a period of time, degradation of the cable insulation results in exposure of the copper and reduction in continuity. Earth Bonding continuity resistance will be greater than a specified safe resistance. In the event of an electrical failure to the body of the affected equipment, loss of Earth Bonding may result in the equipment becoming electrically charged. Risk of electrical shock in the event of an equipment fault. | There will be a risk of severe injury / death of personnel from electric shock. | 4 | 3 | 12 | Maintenance | Main Engine - Carry out earth bonding continuity checks |
| 7B1 | Main Engine | Entanglement | Any machinery guard missing | This is most likely to occur following maintenance. | In the event of personnel working in the vicinity, they would be exposed to rotating machinery. There is a possibility of severe injury to personnel. | 3 | 3 | 9 | Procedural change | Main Engine - Ensure Machinery Guards Are Fitted After Each Maintenance Evolution |
| 8A1 | Main Engine | Loss of containment | Any engine fuel injection system seal degrades | Over a period of time, the seal material begins to deteriorate eventually allowing fuel to pass. Any leakage will drain to the leak tank and an alarm will be initiated. | The operator will investigate the cause of the alarm. An alternative engine will be run up either by automated control or operator initiated. In the worst case, a sustained fuel leak will pose a fire risk on a hot running engine. | 4 | 3 | 12 | Maintenance | Main Engine - Check the quantity of leak fuel |
| 8A2 | Main Engine | Loss of containment | Any on engine fuel system pipework degrades | Applicable Items: Pipework, joints, flanges, gaskets, soft seals, 'O' Rings (any open ended component). Over a period of time the affected seal/joint/component breaks down eventually allowing fuel to seep from the pipework. The leak will be visible to the operator. A dirty fuel tank leakage alarm may be initiated. The engine will be shut down. | The operator will investigate the cause of the alarm. An alternative engine will be run up either by automated control or operator initiated. In the worst case, a sustained fuel leak will pose a fire risk on a hot running engine. | 4 | 4 | 16 | Maintenance | Main Engine - Check for on engine system leaks |
| 8C1 | Main Engine | Loss of containment | Any engine exhaust system expansion bellows degrades | Over a period of time, the bellows material breaks down eventually allowing exhaust gases to be passed into the engine room atmosphere. This will be noticed by Engine Crew due to the smell/heat or the signs of by-products on the lagging. The engine will be shut down. | A temporary bandaging of the bellows can be carried out to restore engine redundancy in a limited downtime. Possible health hazard to personnel due to exposure to carbon monoxide and hydrocarbon particulates. | 3 | 3 | 9 | Maintenance | Main Engine - Visually inspect exhaust bellows for signs of degradation |
| 9A1 | Main Engine | Equipment failure | Any engine emergency stop arrangement fails | In the event of the requirement to initiate an emergency stop, the engine does not stop. | The engine will be stopped in some other manner (e.g. closing the fuel valve) however the delay may escalate an emergency scenario causing more engine damage or injury to personnel. | 3 | 2 | 6 | Maintenance | Main Engine - Functionally test emergency stops from all positions |
| 15A1 | Main Engine | Loss of containment | Any engine HP fuel line fractures | Over a period of time, a combination of the fuel pressure, temperature and vibration cause the fuel pipe or connections to break down. Surface cracks, discolouration or loose connections will appear. In the event of a fuel leak from an internal pipe, the sheath may not contain the fuel. | HP fuel will pose a fire risk on a hot running engine. There will be a risk of severe injury / death of personnel in a fire scenario. | 4 | 3 | 12 | Maintenance | Main Engine - Visually inspect HP fuel pipes for condition |
Appendix C – Risk Assessment Form

[Not produced as no field work was undertaken during this project]
