05 m07 3166 rep 001 rev o shuttle tanker fmea

7/17/2019 05 M07 3166 REP 001 Rev O Shuttle Tanker FMEA

http://slidepdf.com/reader/full/05-m07-3166-rep-001-rev-o-shuttle-tanker-fmea 1/185

180 Clemenceau Avenue03-03 Haw Par Centre

Singapore 239922

Phone +65 6505 1900Fax +65 6356 7086

www.gl-nobledenton.com

GL Noble Denton of 185 05-M07-3166-Rep-001

SUNGDONG

"157K SHUTTLE TANKER"

FAILURE MODES AND EFFECTS ANALYSISOF THE DP SYSTEM

FEBRUARY 2013

O 4 March 2013 Update after FMEA proving trial SP/TKT CR CR

G 14 Jan 2013 Update according to yard’s comments SP CR CR

F 11 Jan 2013 Update according to yard’s comments SP CR CR

E 8 Jan 2013 Update according to yard’s comments SP/TKT CR CR

D 21 Dec 2012 Update according to yard’s comments SP/TKT CR CR

C 20 Dec 2012 Update according to DNV comments SP/TKT CR CR

B 19 Dec 2012 Update according to DNV comments SP/TKT CR CR

A 22 Aug 2012 Release for Client review SP/LCH/CW AM/LCH

Rev Date Description By Check Approved

Document No. 05/M07/3166/Rep-001/Rev. O



SUNGDONG 157K SHUTTLE TANKER DP SYSTEM FMEA


SUMMARY

The Sungdong 157K Shuttle Tanker has DNV Class and this Failure Modes and Effects Analysis formspart of the document submissions required for vessels with DP Dynpos-AUTR notation. The design of theDP system has been analysed and the failure effects compared against the worst case failure designintent.

The vessel’s worst case failure design intent (WCFDI) can be summarised as:-

No single failure (as defined for Dynpos AUTR) will lead to a failure effect exceeding:

Failure of up to two generators (No.1 DG and No.2 D/G or No.3 DG and No.4 DG)

Failure of one common 6.6kV bus –MV 6.6kV MSB 1 or MSB2.

Failure of three thrusters – ‘one bow tunnel thruster (T1), one stern tunnel thruster(T5) and oneCPP (T6)’ or ‘one bow tunnel thruster (T2), one forward azimuth thruster(T3) and one sternazimuth thruster(T4).

Worst Case Failure: From the desktop analysis, there are no single failure as defined for DP EquipmentClass 2 has been identified that has an effect exceeding the Worst Case Failure Design Intent.





TABLE OF CONTENTS

1 INTRODUCTION .......................................................................................................................................... 9

1.1 Background ................................................................................................................................................................................ 9

1.2 Acknowledgements ...................... ..................... ...................... ...................... ...................... ..................... ...................... ............. 9

1.3 Vessel Particulars ..................................................................................................................................................................... 10

1.4

FMEA Analysis ......................................................................................................................................................................... 12 1.5 FMEA Procedure and Methodology .......................................................................................................................................... 13

1.6 Operational Configuration of the DP System .................... ...................... ...................... ...................... ..................... .................. 14

1.7 Redundancy Concept ............................................................................................................................................................... 15

2

ENGINES AND AUXILIARY SERVICES ......................................................................................................... 18

2.1 Engines..................................................................................................................................................................................... 18

2.2 Main Engine Systems ............................................................................................................................................................... 19

2.3 auxiliary diesel generator system .............................................................................................................................................. 24

2.4 Engine Control System and Safety Shutdowns ......................................................................................................................... 28

2.5 Fuel oil system .......................................................................................................................................................................... 34

2.6 Lubrication System ................................................................................................................................................................... 45

2.7 Seawater Cooling System ......................................................................................................................................................... 48

2.8 Fresh Water Cooling Systems ................................................................................................................................................... 52

2.9

Compressed Air System ........................................................................................................................................................... 66

2.10 Ventilation System .................................................................................................................................................................... 70

2.11 emergency generator ................... ..................... ...................... ...................... ...................... ...................... ..................... ........... 75

3

POWER GENERATION ............................................................................................................................... 77

3.1 Generators ................................................................................................................................................................................ 77

3.2 Automatic Voltage Regulator..................................... ...................... ..................... ...................... ...................... ..................... .... 79

3.3 Engine Governor ................... ..................... ...................... ...................... ...................... ...................... ..................... .................. 79

3.4 6.6kV Switchgear ...................................................................................................................................................................... 79

4

POWER MANAGEMENT ............................................................................................................................. 83

4.1 Introduction ............................................................................................................................................................................... 83

5 POWER DISTRIBUTION ............................................................................................................................. 87

5.1

Overview of the power distribution system ................................................................................................................................ 88 5.2 6.6kV Distribution System ......................................................................................................................................................... 91

5.3 LV Distribution System .............................................................................................................................................................. 93

5.4 220V Distribution System ........................................................................................................................................................ 104

5.5 24Vdc Power distribution ........................................................................................................................................................ 106

6 THRUSTERS .......................................................................................................................................... 111

6.1 Introduction ............................................................................................................................................................................. 111

6.2 Thruster Mechanical Components and Motor ................... ...................... ...................... ...................... ..................... ................ 113

6.3 Tunnel Thruster Cooling System ............................................................................................................................................. 114

6.4 Azimuth THruster Cooling system ..................... ...................... ...................... ...................... ..................... ...................... ......... 116

6.5 Main Propulsion Controllable Pitch Propeller and Steering Gear ................... ...................... ...................... ..................... ......... 120

6.6 Thruster Electrical Systems..................................................................................................................................................... 126

6.7 Azimuth Thrster electrical systems .................... ...................... ...................... ...................... ..................... ...................... ......... 128

6.8

Propulsion Controllable Pitch Propeller Control System ..................... ...................... ..................... ...................... .................... 132

6.9 Steering Gear Control System ................................................................................................................................................ 134

6.10 Thruster Emergency Stops ..................................................................................................................................................... 137

7 K-CHIEF 600 INTEGRATED CONTROL AND MONITORING SYSTEM ............................................................... 139

7.1 General ................................................................................................................................................................................... 139

7.2 K-Chief 600 Operator Stations: ............................................................................................................................................... 141

7.3 K-Chief 600 Distributed Processing Units (DPU’s) and DPU Cabinets: .................................................................................. 143

7.4 K-CHief 600 Network Communications ................................................................................................................................... 146

7.5 K-CHief 600 Un-interuptable power supplies .................... ...................... ...................... ...................... ..................... ................ 149

8 DP CONTROL SYSTEM ............................................................................................................................ 151

8.1 System Diagram and Overview ............................................................................................................................................... 151

8.2 DP Changeover Switch ........................................................................................................................................................... 154

8.3

DP Operator Stations .............................................................................................................................................................. 154

8.4 DPC-2 Controller .................................................................................................................................................................... 156

8.5 DP System Sensors – MRU – Anemometer - Gyrocompass ................................................................................................... 163





8.6 DP Position Reference Sensors – DGPS, Fanbeam, and artemis ........................................................................................... 168

8.7 cJoy Independent Joystick System ......................................................................................................................................... 175

8.8 BLOM PMS .................... ..................... ...................... ...................... ..................... ...................... ...................... ..................... .. 176

8.9 DP Uninterruptible Power Supplies ......................................................................................................................................... 177

8.10 DP Communications ............................................................................................................................................................... 179

9 EMERGENCY SHUTDOWN (ES) SYSTEM ................................................................................................... 181

9.1

ES System ..................... ..................... ...................... ...................... ..................... ...................... ...................... ..................... .. 181

10 CONCLUSIONS AND RECOMMENDATIONS................................................................................................ 185

10.1 Conclusions ............................................................................................................................................................................ 185

10.2 Concerns ................................................................................................................................................................................ 185

TABLES

Table 2-1 ME LO pump power sources ...................................................................................................................................... 20

Table 2-2 Main Engine Shutdown............................................................................................................................................... 28

Table 2-3 Main Engine Alarms and slowdown setting ...................... ...................... ...................... ...................... ..................... .... 29

Table 2-4 Auxiliary Engine Shutdowns Alarm setting ................... ...................... ...................... ...................... ..................... ........ 32

Table 2-5 Auxiliary Engine Alarm setting ................... ...................... ...................... ...................... ..................... ...................... .... 32

Table 2-6 FO Storage Tank Volumes ......................................................................................................................................... 35

Table 2-7

FO Crossover Valve Configuration During DP ..................... ..................... ...................... ...................... ..................... . 37 Table 2-8 Quick Closing Valves Grouping .................................................................................................................................. 39

Table 2-9 ME FO pump power sources ...................................................................................................................................... 40

Table 2-10 GE FO pump power sources ...................................................................................................................................... 42

Table 2-11 Central FW & ME CFW pump power sources ...................... ..................... ...................... ...................... ..................... . 55

Table 2-12 Auxiliary Freshwater Cooling System DP Associated Equipment................................. ...................... ..................... .... 57

Table 2-13 Forward Freshwater Cooling System DP Related Equipment ................... ...................... ...................... ..................... . 61

Table 2-14 GE 1/2 Freshwater Cooling System DP Related Equipment ..................... ...................... ..................... ...................... . 63

Table 2-15 No.3/4 GE Freshwater Cooling System DP Related Equipment.................... ...................... ...................... .................. 65

Table 2-16 DP Related Equipment supplied from the Control and GS Air System ................................ ..................... ................... 68

Table 2-17 Ventilation system power sources .............................................................................................................................. 70

Table 2-18 Engine Room Fire Dampers ....................................................................................................................................... 71

Table 2-19 HVAC Unit Power Supplies ........................................................................................................................................ 73

Table 4-1 PMS software Interlock functionality ........................................................................................................................... 83

Table 5-1 Power supplies for the essential equipments ................... ...................... ...................... ...................... ..................... .... 89

Table 5-2 Distribution of MV generators and consumers ................................... ...................... ...................... ..................... ........ 91

Table 5-3

440V feeder panel: LV1 and LV2 ................................................................................................................................ 94 Table 5-4 440V Group Starter Panels ........................................................................................................................................ 95

Table 5-5 Emergency Power Distribution ................................................................................................................................... 99

Table 5-6 220V feeder panel No.1 and No.2 ............................................................................................................................ 104

Table 5-7 220V Distribution Panel ............................................................................................................................................ 105

Table 5-8 24Vdc Supplies to Engine Junction Boxes ................... ...................... ...................... ...................... ..................... ...... 107

Table 6-1 Tunnel Thruster Motor Particulars ............................................................................................................................ 112

Table 6-2 Tunnel Thruster Motor Details .................................................................................................................................. 113

Table 6-3 Azimuth Thruster Motor Specifications ..................... ..................... ...................... ...................... ..................... .......... 113

Table 7-1 Operating Stations Power Supply ............................................................................................................................. 142

Table 7-2 DPU’s Location and Power Supplies ........................................................................................................................ 143

Table 7-3 K-Chief UPS Distribution .......................................................................................................................................... 149

Table 8-1 DP Power Supply Matrix ........................................................................................................................................... 153

Table 8-2 RSER/RMP Module Assignments for Ref Sys/Sensors ......................... ...................... ..................... ...................... .. 160

Table 8-3 RMP Module Assignments for Thrs/machinery .................... ..................... ...................... ...................... .................... 161

Table 8-4 Power supplies for Gyros ......................................................................................................................................... 163

Table 8-5

Power supplies for MRUs ......................................................................................................................................... 164

Table 8-6

Power supplies for wind sensor ................................................................................................................................ 165

Table 8-7 DP UPS Distribution ................................................................................................................................................. 178

Table 9-1 ES System ............................................................................................................................................................... 181

FIGURES

Figure 1-1 General Arrangement 157K Shuttle Tanker ..................... ...................... ...................... ...................... ..................... .... 10

Figure 1-2 Thruster Arrangement ................................................................................................................................................ 15

Figure 1-3 Power Distribution ...................................................................................................................................................... 17

Figure 2-1 Main Engine Freshwater Cooling System .................... ...................... ...................... ...................... ..................... ........ 19

Figure 2-2 Main Engine Lubrication System ................................................................................................................................ 20

Figure 2-3 Main Engine Compressed Air System ........................................................................................................................ 21

Figure 2-4 7-9H32/40 Engine Lubricating System........................................................................................................................ 24

Figure 2-5 Auxiliary Engine Freshwater Cooling System ................................ ...................... ...................... ..................... ............ 25

Figure 2-6 7-9H32/40 Engine Compressed Air System................................................................................................................ 26

Figure 2-7

Fuel Oil Transfer System ............................................................................................................................................ 34 Figure 2-8 Fuel Oil Purification System and Settling System ....................................................................................................... 36

Figure 2-9 Fuel Oil Distribution System ....................................................................................................................................... 38

Figure 2-10 Pneumatic Fuel Oil Quick Closing Valve System .................... ...................... ...................... ..................... ................... 39





Figure 2-11 Main Engine Fuel Oil System ..................................................................................................................................... 40

Figure 2-12 Diesel Generator Fuel Oil System .............................................................................................................................. 41

Figure 2-13 Lubricating Oil System................................................................................................................................................ 45

Figure 2-14 Aft Seawater Cooling System .................... ...................... ...................... ...................... ..................... ...................... .... 48

Figure 2-15 Forward Seawater Cooling System ............................................................................................................................ 49

Figure 2-16 Auxiliary Freshwater Cooling System ................................. ...................... ...................... ..................... ...................... . 54

Figure 2-17 Main Engine Freshwater Cooling System .................... ...................... ...................... ...................... ..................... ........ 55

Figure 2-18 Forward FW cooling System ...................... ...................... ...................... ...................... ..................... ...................... .... 59

Figure 2-19

No. 1/2 GE FW cooling system ...................... ...................... ..................... ...................... ..................... ...................... . 62 Figure 2-20 No.3/4 GE FW cooling System ................................................................................................................................... 64

Figure 2-21 Compressed Air System ............................................................................................................................................. 67

Figure 3-1 Single Line Diagram for 6.6kV .................................................................................................................................... 77

Figure 5-1 Simplified Single Line Drawing of Power Distribution ...................... ..................... ..................... ...................... ............ 87

Figure 6-1 Arrangement of Thrusters ...................... ...................... ...................... ...................... ...................... ..................... ...... 111

Figure 6-2 Tunnel Thruster Hydraulics....................................................................................................................................... 115

Figure 6-3 Azimuth Thruster Hydraulic System ...................... ...................... ...................... ...................... ..................... ............. 117

Figure 6-4 Propulsion Controllable Pitch Propeller Hydraulic Diagram .................... ...................... ...................... ..................... .. 121

Figure 6-5 Steering Gear ................... ..................... ...................... ...................... ...................... ...................... ..................... ...... 123

Figure 6-6 Thruster Remote Control System ............................................................................................................................. 126

Figure 6-7 Azimuth Thruster Remote Control System ................... ...................... ...................... ...................... ..................... ...... 129

Figure 6-8 Propulsion CPP Control System .................... ..................... ...................... ...................... ..................... ..................... 133

Figure 6-9 Steering Gear Control System .................................................................................................................................. 135

Figure 7-1 General Architecture of K-Chief 600 System .............................. ...................... ...................... ...................... ............ 140

Figure 7-2 157K Shuttle Tanker K-Chief Networks .................................................................................................................... 147

Figure 8-1

Simplified Drawing of DP Control System .................... ...................... ...................... ...................... ..................... ...... 152

Figure 8-2

DPC-2 Simplified Drawing ........................................................................................................................................ 158

Figure 8-3 Variation of wind Speed with elevation above sea level ..................... ...................... ..................... ...................... ...... 168

Figure 8-4 Simplified calculation of relative DARPS data ...................... ..................... ...................... ...................... .................... 170

Figure 8-5 Principle of standard Artemis .................................................................................................................................... 172

Figure 8-6 Principle of Artemis Beacon system ......................................................................................................................... 173





ABBREVIATIONS

AC Alternating Current

ACB Air Circuit Breaker

ACU Auxiliary Control Unit

AHU Air Handling Unit

ICMS Integrated Control and Monitoring System

AVR Automatic Voltage Regulator

BAZ Bow Azimuth Thruster

BTH HV Bus Tie

BT Bow Tunnel Thruster

BTL LV Bus Tie

CB Circuit Breaker

CCU Cylinder Control Unit

CFW Cooling Fresh Water

CMF Common Mode FailureCPP Controllable Propeller Pitch

CPU Central Processing Unit

CT Current Transformer

DB Distribution Board

DC Direct Current

DG Diesel Generator

DGPS Differential Global Positioning System

DI Digital Input

DNV Det Norske Veritas

DO Diesel OilDP Dynamic Positioning

DPC Dynamic Positioning Controller

DPO Dynamic Positioning Operator

DPS Dynamic Positioning System

DPU Distributed Processing Units

ECC Engine Control Console

ECR Engine Control Room

ECS Engine Control System

ECU Engine Control Unit

EG Emergency GeneratorEICU Engine Interface Control Unit

EM’CY Emergency

ER Engine room

ESB Emergency Switchboard

ESD Emergency Shut Down

FAD Free Air Delivery

FMEA Failure Mode and Effect Analysis

FO Fuel Oil

FW Fresh Water

FWD ForwardG / GE Generator

GS Gas Station





GSP Group Starter Panel

GPS Global Positioning System

HFO Heavy Fuel Oil

HPP Hydraulic Power Pack

HPU Hydraulic Power Unit

HV High VoltageHVAC Heating, Ventilation and Air Conditioning

HT High Temperature

HTFW High Temperature Fresh Water

ICMS Integrated Control and Monitoring System

IJS Independent Joystick System

IP Internet Protocol

IMCA International Marine Contractors Association

IMO International Maritime Organisation

I/O Input/Output

kVA Kilo Volt AmperekVAr Kilo Volt Ampere Reactive

kW Kilowatt

LAN Local Area Network

LO Lube Oil

LSHFO Low Sulphur Heavy Fuel Oil

LSDO Low Sulphur Diesel Oil

LSMDO Low Sulphur Marine Diesel Oil

LT Low Temperature

LTFW Low Temperature Fresh Water

LV Low VoltagemA Milliamps

MBC Micro Biological Contamination

MCC Motor Control Centre

MDO Marine Diesel Oil

ME Main Engine

MGO Marine Gasoline Oil

MGPS Marine Growth Plant System

MOP Main Operating Panel

MRU Motion Reference Unit

MSB Main SwitchboardMSC Maritime Safety Committee

MV Medium Voltage

MVAr Mega Volt Ampere Reactive

MW Megawatt

NDC Noble Denton Consultants

NDU Network Distribution Unit

NET Network

OS Operator Station

P Port

PA Public Address or Power Available

PC Personal Computer

PCU Propulsion Control Unit





PLC Programmable Logic Controller

PME Position Measuring Equipment

PMS Power Management System

PRS Position Reference System

PSU Power Supply Unit

QC Quick ClosingQCV Quick Closing Valve

RC Remote Control

RCU Remote Controller Unit

RIO Remote Input Output

RPM

RTCM

Revolutions per Minute

Radio Technical Commission for Maritime Services

S Starboard

SAZ Stern Azimuth Thruster

SBC Single Board Computers

ST Stern Tunnel ThrusterSW Sea Water

SWBD Switchboard

T Thruster

TQ Technical Query

UPS Uninterrupted Power Supply

VAr Volt Ampere Reactive

VCB Vacuum Circuit Breakers

VRCS Valve Remote Control Station

VRU Vertical Reference Unit

VT Voltage TransformerWCF Worst Case Failure

WCFDI Worst Case Failure Design Intent





1 INTRODUCTION

1.1 BACKGROUND

1.1.1 Instructions

1.1.1.1 GL Noble Denton was requested by Sungdong Shipbuilding and Marine Engineering Company Ltd toprepare a Failure Modes and Effects Analysis (FMEA) of the DP system for the dynamically position 157KShuttle Tanker. The request was made by Mr. J.G Yi and confirmed with the signing of a contract forFMEA by Chris Richardson of Noble Denton Singapore. The work was carried out under GL Noble Dentonreference number 05-M07-3166.

1.1.2 Scope of work

1.1.2.1 GL Noble Denton scope of work for this project is outlined in its contract with Sungdong Shipbuilding andMarine Engineering Company Ltd .

1.1.3 Conduct of the work

1.1.3.1 The work was carried out by Engineers Satheesh Prabhakaran and Leong Cheong Heng.

1.1.3.2 The analysis work is based on desktop studies of information provided by Sungdong Shipbuilding andMarine Engineering Company Ltd , and by equipment vendors.

1.1.3.3 The vessel’s redundancy concept was assessed against the following rules and guidelines:

1. IMO MSC 645, ‘Guidelines for Vessels with Dynamic Positioning Systems’ 1994.

2. DNV Rules for Classification of Ships July 2010, Part 6, Chapter 7.

3. IMCA document M04/04, “Establishing the Safety and Reliability of Dynamic Positioning Systems”was used as the guide to systems and their boundaries – Appendices D & E in particular.

4. IMO ‘International Code of Safety for High Speed Craft’, Annex 4, ‘Procedures for Failure Modeand Effects Analysis’, 2000 was used for reference.

5. IMCA ‘Guidelines on Failure Modes & Effects Analyses’ – M166, 2002.

1.1.4 FMEA Document history

1.1.4.1 A draft FMEA, Document No 05-M07-3166 Rep-001 Rev A was produced based on documents anddrawings supplied during the build phase and prior to FMEA proving trials.

1.2 ACKNOWLEDGEMENTS

1.2.1.1 Thanks are due to the assistance of the design team for their response to technical queries.





1.3 VESSEL PARTICULARS

1.3.1 General

1.3.1.1 The vessel was built at Sungdong Shipbuilding and Marine Engineering Company Ltd. Figure belowshows the general arrangement of the Shuttle Tanker.

1.3.1.2 The vessel has Class Notation:-

DNV 1 A1, “Tanker for oil ESP”, CSR, E0, DYNPOS-AUTR, OPP-F, BOW LOADING, TMON, NAUT-OC, BIS, BWM-E(S), SPM, VCS-2, COAT-PSPC(B), CLEAN

Figure 1-1 General Arrangement 157K Shuttle Tanker





1.3.2 Principal dimensions:-

Length overall : 278.50 m

Length between perpendiculars : 264.00 m

Breadth moulded : 48.00 m

Depth : 23.10 m

Designed Draught : 16.00 m

1.3.3 Machinery and DP equipment list:-

Main Engine : MAN B&W 6S70ME-C8.2 TIER II

Main Generators (Engine) : Hyundai Himsen 7H32/40 (No.1 and No.4)

: Hyundai Himsen 9H32/40 (No.2 and No.3)

Main Generators : HSJ7 805-10P (No.1 and No.4) - 2 x 3300 kW

: HSJ7 913-10P (No.2 and No.3) - 2 x 4300 kW

Emergency Generator (Engine) : Doosan AD180TI

Emergency Generator : Leroy Somer M 47.2 S4 – 1 x 350 kW

Thrusters : 2 x Bow Tunnel Thrusters Brunvoll FU-100-LTC-2750 2200 kW CPP

: Stern Tunnel Thruster Brunvoll FU-100-LTC-2450 2200 kW CPP

: Bow and Stern Azimuth Thruster Brunvoll AR-100-LNC-2600

2 x2500 kW CPP

Main Propulsion : Berg BCP 2000 CPP

: Steering gear (Rudder Rolls Royce IRV 4200-2)

: Becker Rudder

DP Control System : Kongsberg K Pos DP-22

Vessel Management : K-Chief 600

1.3.4 FMEA proving trials

1.3.4.1 DP FMEA proving trials have not been carried out at this time.





1.4 FMEA ANALYSIS

1.4.1 Objectives of FMEA

1.4.1.1 To identify any single failures of the DP system of the Shuttle Tanker that may lead to a significant loss ofposition by ‘drift off’ or ‘drive off’. Failure criteria are as defined in DNV Rules for Classification of Ships

July 2010, Part 6, Chapter 7.1.4.1.2 The following 9 strategic areas have been addressed in the preparation of this analysis:

1. System description and redundancy concept review:

Description of redundant system type and classification.

Formal definition of the overall DP system redundancy concept.

Determine the nature of the redundancy concept, i.e. high levels of commonality between systemswith dependence on protective functions versus duplication with clear segregation andindependence.

Identify aspects of the design that are common to redundant systems and consider failures at thesecommon points.

2. Single point failures:

Using the FMEA tool as a structured means of identifying failures.

3. Acts of maloperation:

IMO guidance and DNV rules require consideration of a single act of maloperation if such an act isreasonably foreseeable. The FMEA will check that such acts are guarded against.

4. Potential common mode failures that affect seemingly redundant components:

Typically:-

Ventilation and environmental control.

Spikes/voltage excursions/elevated voltage on common primary power supplies.

Failure of common back-up supplies to an elevated voltage or voltage spikes.

Voltage decrement during electrical fault clearance – To be proven by others.

Auxiliary systems which are likely to be subject to common mode failures such as MBC in fuel.

5. Standby redundancy:

Level of availability of offline equipment – high probability that it will operate on demand?

All such required functions identified?

All such functions exercised with suitable frequency?

Identify failure modes associated with switched redundancy – e.g. updating back-up systems with

correct data.6. Protective functions for redundancy concept:

All identified?

All adequately exercised?

Sufficient protection?

Disabled by non – self revealing faults?

Inappropriate protection (may cause DP incident if operates or fails).





7. Hidden failures – non self revealing faults:

Alarms for hidden failures – all relevant practical alarms installed?

Periodic testing in place where alarms are not practical?

8. Investigation into effect of total system failure:

This may not be a DP Class 2 requirement but does give a valuable insight into a system and mayprovide additional confidence if the failure effect is not catastrophic.

Blackout restart is not a DP Class 2 requirement but should be considered as a risk reductionmeasure - Review of equipment required for blackout restart.

9. Specific power plant and control system failure modes

Information and experience from DP incident data.

1.4.2 Limitations of the analysis

1.4.2.1 As with any analysis, certain limitations exist. The structure of the vessel is assumed to have beenassessed by others.

1.4.2.2 Although the FMEA attempts to confirm that the design of systems is compatible with the redundancyconcept, it does not confirm that systems have been properly designed or that they will meet their designexpectations in terms of performance. The sea trials programme and FMEA proving trials may providesome evidence that this is the case but such assessments should be made on the basis of suitable designreviews.

1.4.2.3 It is accepted by Class that a DP system FMEA does not verify the quality or integrity of control systemsoftware. The same exemption is applied to the internal workings of other automation systems such aspower management and Alarm Monitoring and Control System (PMS/ICMS). The analysis also assumesthat the owner has adequate controls in place in relation to management of change of software updatesfor control systems. It also assumes that all changes are adequately tested and that vessel operators andengineers receive adequate training in dealing with the effects of these updates.

1.4.2.4 It is assumed that the vessel is operated by competent personnel and, although acts of maloperation arediscussed as part of the analysis, it will not consider wilful, deliberate or malicious acts.

1.5 FMEA PROCEDURE AND METHODOLOGY

1.5.1 Approach

1.5.1.1 Two different approaches are used within the analysis. Where the number of system components isrelatively small, such as Engine Auxiliary Services, the failures of individual components such as pumps,and coolers are considered within a system. Where the system under investigation is complex or containsa significant software element, the functionality of the system is considered when discussing failuremodes.





1.5.2 Structure of the FMEA narrative

1.5.2.1 The following headings are used in the FMEA narrative. The purpose of these is to ensure that all rulerequirements with respect to fault tolerant systems are adequately addressed:

1. References

2. System description and redundancy concept3. Location

4. Configuration for DP

5. Failure modes of the system – single failures only

6. Failure effects of the system – effects of single failures

7. Hidden system failures

8. Common mode failure

9. System configuration errors that could defeat redundancy – hidden acts of maloperation – only ifreasonably likely

10. Maloperation of the system – only if reasonably foreseeable

11. Worst case failure – Summary

1.6 OPERATIONAL CONFIGURATION OF THE DP SYSTEM

1.6.1 System configuration

1.6.1.1 The vessel normally operates on DP with the following system configuration:

1. All four generators online; Gen1, 2 feed to MV MSB 1; Gen 3, 4 feed to MV MSB 2

2. MV 6.6 kV bus ties No.5 VCB 3P and No.7 VCB 3P open (MV MSB 1 and MV MSB 2 split)

3. 440V busties No.5 ACB 3P Bus Tie open (440V LMSB 1 and 440V LMSB 2 split)

4. Breakers MSB1 and MSB2 are closed and MSB3 and MSB4 are opened so that No.2 AC 220VFeeder Panel and No.1 AC 200V Feeder panel are fed from MSB 2 and MSB 1 respectively.

5. Emergency switchboard to be supplied from MSB1, No. 4 ACB 3P and No. 7 ACB 3P to be keptopen.

6. All the ME essential pumps to be supplied from the 440Vac MSB 1 (Please refer to the words inbold in table 5-1)

7. GE No.1 & 2 essential pumps to be supplied from the 440Vac MSB 1 (Please refer to the words inbold in table 5-1)

8. GE No.3 & 4 essential pumps to be supplied from the 440Vac MSB 2 (Please refer to the words inbold in table 5-1)

9. Thruster 1, 5 and 6 essential pumps to be supplied from 440Vac MSB 1 (Please refer to the words

in bold in table 5-1)10. Thruster 2, 3 and 4 essential pumps to be supplied from 440Vac MSB 2 (Please refer to the words

in bold in table 5-1)

11. MDO Service tank supplies GE No.3 and No.4.

12. MGO Service tank supplies GE No.1 and No.2

13. HFO Service tank to be supplied to ME

14. Normally open valves for the FO system: F209V, F304V, F330V, F353V, F354V

15. Normally closed valves for the FO system F210V, F239V, F303V, F324V

16. The seawater systems are configured as follows. On the aft seawater system, one port high seachest and one starboard low sea chest are in service. The seawater supply manifolds supply

various sub systems which are equipped with a redundant number of pumps on a standby startconfiguration. Forward Sea water system is fault tolerant operated from a single sea chest butoperator intervention may be required in the event of a fault.





17. Aux, No.1 & 2 DG, No.3 & 4 DG, and FWD freshwater cooling systems are operated with their ownsets of circulating pumps configuration.

18. In FWD freshwater cooling systems, there are two fresh water circulating system with isolationvalves is normally close during DP operation. The normally close valves are FW049 & FW048 whilethe normally open valves are FW076 & FW075.

19. Both DGPSs, Fanbeam and Artemis MK5 are selected to DP control system20. All three gyros and MRUs are selected.

21. Wind sensors are selected at operator discretion.

22. Both Steering gears No.1 and No.2 operating

1.6.2 WCFDI

1.6.2.1 No single failure (as defined for Dynpos AUTR) will lead to a failure effect exceeding:

Failure of up to two generators (No.1 DG and No.2 D/G).

Failure of one common 6.6kV bus –MV 6.6kV MSB 1.

Failure of three thrusters – ‘one bow tunnel thruster (T1), one stern tunnel thruster(T5) and onemain CPP (T6).

1.7 REDUNDANCY CONCEPT

1.7.1 Vessel overview

BT1

T1

BT2

T2

BAZ3

T3

SAZ4T4

ST5

T5

CPP6

T6

Figure 1-2 Thruster Arrangement





1.7.1.1 The 157K Shuttle Tanker is a tanker for Oil ESP. The vessel’s power and propulsion system is dieselelectric with four generators and six thrusters which are two bow tunnel thrusters, one BAZ3, one sternazimuth thruster, one stern tunnel and one engine driven CPP.

1.7.2 Power system configuration

1.7.2.1 The redundancy concept at the power generation level is based on the distribution at the 6.6kV MV-level.

During DP operation the thrusters are configured as follows:-

6.6kV MSB 1:- Bow tunnel thruster (T1), stern tunnel thruster (T5) and main propulsion CPP(T6)pumps (hyd pump No.1 and hyd pump No.3).

6.6kV MSB 2:- Bow tunnel thruster (T2), BAZ3 (T3), stern azimuth thruster (T4) and mainpropulsion CPP(T6) pumps (hyd pump No.2 and hyd pump No. 3).

1.7.2.2 The worst case failure for the power system is loss of three thrusters which are one bow tunnel thruster(T1), one stern tunnel thruster (T5) and one main CPP (T6)

1.7.2.3 The main CPP (T6) is considered to fail upon loss of MSB1 as the M/E pumps are supplied from MSB 1.

1.7.2.4 Failure of 6.6Kv MSB No.2 results in loss of BAZ3 (T3). This thruster is also fed from the 6.6kV MSB No.1

and can be manually transferred over in order to improve the position keeping of the vessel.

1.7.3 DP control system

1.7.3.1 The Shuttle Tanker is fitted with a Kongsberg Maritime DP Duplex control system. The DPC-2 controllercabinets are located in the electrical equipment room, with the two DP operator stations (K-Pos OS1 – K-Pos OS2) located in the integrated wheelhouse console. Kongsberg cJoy system (joystick) has anindependent hardwired connection to each thruster field station. Hard wired analogue signals are providedfor thruster torque (command & feedback), azimuth (command & feedback) and thruster system requestand ready. The cJoy cC-1 controller cabinet is located in the Converter Room. The cJoy can be used as amanual joystick with auto heading mode but has no DP capability. The worst case single failure effects ofthe DP control system are limited to loss of redundancy including reduced availability of DP controllers,vessel sensors and reference systems, but no single hardware failure as defined for Dynpos AUTR should

lead to a loss of position or heading.

1.7.4 Redundancy in marine auxiliary systems

1.7.4.1 There are five engines in the engine room. There are two types of fuels used for supplying the engines;these are marine diesel oil (MDO) and Marine Gas Oil MGO or heavy fuel oil (HFO) and low sulphur heavyfuel oil. The service tanks for all types of fuel are located on different decks. The fuel oil service tanks arelocated on the aft 2nd deck.

1.7.4.2 The seawater cooling system is essentially a forward and aft split. The forward system serves the forwardthrusters and other forward machinery fresh water cooling systems. The aft seawater system serves the aftthrusters, main engines coolers and other aft machinery fresh water cooling systems. There is redundancyin the provision of seawater pumps which serve the various sub systems that draw from the common

seawater supply manifold. There is sufficient redundancy in the seawater system to ensure that a singlefailure as defined for Dynpos AUTR will not lead to a loss of thrusters or engines, but will result in a loss offault tolerance.

1.7.4.3 There are four independent fresh water cooling system these are the auxiliary fresh water cooling system,No.1 & 2 DG fresh water cooling system, No.3 & 4 DG fresh water cooling system and Fwd Service freshwater cooling system. Each fresh water cooling system consists of two fresh water cooling pumps. There issufficient redundancy in the fresh water cooling.

1.7.4.4 The compressed air system is used for engine starting, engine remote control valve actuation, fire damperand quick closing valve actuation. In general, failure of any part of the compressed air system to lowpressure (which is the most likely failure mode) will not exceed worst case failure design intent.

1.7.4.5 The starting air system is equipped with two air receivers. The air receivers are supplied with air from twomain air compressors. The compressors are supplied from different 440V switchboards.





DG3 DG2

No.5 VCB 3P(MBT)

NO

NO

ST5

BAT3

BT1

CPP

SAT4

6.6kV MSB 1

DG2DG3DG4

No.2 VCB 3P(D2)

NC

No.1 VCB 3P(D1)

NC

4300kW 3300kW

BT2

6.6kV MSB 2

No.3 VCB 3P(D3)NC

No.4 VCB 3P(D4)NC

4300kW3300kW

Main TR No.2

6.6KV / 450V

Main TR No.1

6.6KV / 450V

440 MSB 1

No.1 AC 220V

Feeder Panel

NO.1 main L/VTransformer

440 V/230VMCCB-1

NC

MCCB-2

NC

No.2 AC 220V

Feeder Panel

NO.2 main L/V

Transformer

440 V/230V

MCCB-4NO

DG1

No.5 ACB 3P(LBT) NO

No.4 ACB 3P(EB1)

NO

No.3 ACB 3P(EB3) NC

No.7 ACB 3P(EB2) NO

No.6 ACB 3P(EB4) NCEM’CY SWBD(440V)

EG 350 kW

No.1Em’Cy

Transformer

430V / 230V

No.2 Em’CyTransformer

430V /230V

EM’CY 220V Feeder Batt. Charger for EG

ELD-1 Panel (Accom.)

ELD-2 Panel (E/R)

No. 2 Steering Gear

No. 2Main Air Comp. (Starter in LGSP-5)

No.1 DC 110V & 24V Batt Ch.

No.2 DC 110V & 24V Batt Ch.Em’cy CPP Hyd. Pump Starter

Em’cy CPP Hyd Filter

Power supply unit for No.1 and No.2 DG

Nav. Light control panel

E.C.C (UPS for No.2 ICMS)

LD-4 panelEngine Control Console

No.1 Accom. AC 220V section Board (LD-1,LD-3)

Power Supply Unit for No 3 & 4 D/G

LD-5 Panel

MSB Bus Tie Panel No.2 section

440 MSB 2

No.2 Thruster HPP Starter (A7)

No.2 Thruster HPP Starter (A8)No.3 Thruster HPP Starter (A8)

No.3 Thruster HPP Starter for Circ.(A9)

No.3 Thruster oil filtration P/P

No.1 Main Air Compressor

No.2 Serv Air Compressor Contrl Air Compressor

PD-3 (E/R 440V Feeder panel)

No.1 Steering Gear Starter

No.2 M/E hyd start-up P/PNo.4 thruster HPP starter (A7)

No.4 thruster HPP starter (A8)

No.4 thruster circ pump (A9)

No.1 Thruster HPP Starter (A7)No.1 Thruster HPP Starter (A8)

No.3 Thruster HPP Starter (A7)

No.3 Thruster HPP Starter for Circ.(A9)

No.5 Thruster HPP Starter for Servo Pump (1)

No.1 Service Air Compressor No.2 Main Air Compressor

PD-1 (E/R 440V Feeder Panel)

PD-2 (E/R 440V Feeder Panel)

No.1 M/E Hyd Start-up P/P Starter No.1 UPS for MVSB

MCCB-3NO

No.2 Group Starter PanelNo.2 Main L.O P/P

No.2 Stern Tube LO P/P

No.2 M/E F.O circ. P/P

No.2 M/E F.O supply P/P

No.3 G/E D.O supply P/PNo.4 G/E D.O supply P/P

No.2 M/E Jacket C.F.W P/P

No.3 G/E C.S.W P/P

No.4 G/E C.S.W P/PNo.2 Central C.F.W P/P

No.3 G/E C.F.W P/P

No.4 G/E C.F.W P/P

Fwd Sec 2 Thruster C.S.W Pump (1)

Fwd Sec 2 Thruster C.S.W Pump (2)Fwd Sec 2 Thruster C.F.W Pump (1)

Fwd Sec 2 Thruster C.F.W Pump (2)

No.1 Group Starter Panel

No.1 Main L.O P/P

No.1 Stern Tube LO P/P

No.1 M/E F.O circ. P/PNo.1 M/E F.O supply P/P

No.1 G/E D.O supply P/P

No.2 G/E D.O supply P/P

No.1 M/E Jacket C.F.W P/P

No.1 G/E C.S.W P/PNo.2 G/E C.S.W P/P

No.1 Central C.F.W P/P

No.1 G/E C.F.W P/P

No.2 G/E C.F.W P/PFwd Sec 1 Thruster C.S.W Pump (1)

Fwd Sec 1 Thruster C.S.W Pump (2)



Electrical interlock

(PD-3)-No.2 Hyd. Pump For CPP

-No.3 Hyd. Pump for CPP

-No.4 Oil Filtration P/P

(PD-2)-No.1 Hyd. Pump For CPP

-No.3 Hyd. Pump for CPP

HR2

LR2

HR1

LR1

Figure 1-3 Power Distribution





2 ENGINES AND AUXILIARY SERVICES

2.1 ENGINES

2.1.1 Reference

A14-405593-3 Specification of main engine

Specification for Emergency diesel generator set- Rev.1

Working Drawing of Diesel Generator Engine (9H32/40 and 7H32/40)

APP-11RAH086-Rev. 2 Specification for Synchronous Generator

Specification of Generator

2.1.2 Location

2.1.2.1 The main engine is located in the engine room between frames 14 and 54. Auxiliary engines, othermachinery and air compressors are largely located in the engine room on the 3 rd deck between frames 14and 54. The HFO / LS HFO service and settling tanks are located on the port side of the 2nd deck level ofthe engine room. The MDO / MGO storage tanks are located at the 3rd deck where MDO storage tank

locate at the port side while MGO storage tank locate at the starboard side. The MDO / MGO service tankis located port side of 2nd deck level of the purifier room.

2.1.3 Engine Configuration

2.1.3.1 The following machinery is installed on this vessel:

Main Engine : MAN B&W 6S70ME-C8.2 TIER II

Diesel Generator Engine : 2 x 3300kW, 720RPM Hyundai Himsen 7H32/40 (No.1 and No.4)

: 2 x 4300kW, 720RPM Hyundai Himsen 9H32/40 (No.2 and No.3)

Alternators : 2 x 4125kVA, 6.6kV, 3ph, 60 Hz, HSJ7 805-10P (No.1 and No.4)

: 2 x 5375kVA, 6.6kV, 3ph, 60Hz, HSJ7 913-10P (No.2 and No.3)Emergency Generator (Engine) : 1 x 350 kW, 1800RPM, Doosan AD180TI

Emergency Alternator : 1 x 437.5kVA, Leroy Somer M 47.2 S4,

2.1.3.2 The normal configuration is to run the required generators connected to the associated switchboard withthe bus tie breakers open.

2.1.3.3 Each 6.6kV bus bar is powered from an associated 5375 kVA diesel generator (DG No.2 or No.3) and a4125kVA diesel generator (DG No.1 or No.4). Diesel generators No.1 and No.2 supply 6.6kV MSB No.1and diesel generators No.3 and No.4 supply 6.6kV MSB No.2.





2.2 MAIN ENGINE SYSTEMS

2.2.1 Main Engine Description and Redundancy Concept

2.2.1.1 There is one main engine located in the engine room to drive the propeller. The MAN B&W 6S70ME-C8.2TIER II is a two stroke, single acting (non-reversible), crosshead type marine diesel engine with constantpressure turbo charging.

2.2.1.2 The main engine drives a Berg BCP 2000 CPP propeller via a hydraulic pressure controlled shaftingsystem to the reduction gearbox. Mechanical or electrical failure of the main engine, would result in theloss of the propulsion CPP, this would reduce the redundancy of the vessel but will not affect the vessel’sposition keeping capability as long as it operates within its environmental capabilities.

2.2.2 Main Engine Freshwater Cooling System Description

Cooling FW EXP.

Tk.

FW Generator

ME Jacket CFWPumps

No.2

ME Jacket CFWPumps

No.1ME Jacket W.

Preheater

Main Engine (B&W 6S70ME-C8.2) W012VM/E Jacket F.WCooler

W001V

W002V

W003V

W004V

De-AerationTank

Figure 2-1 Main Engine Freshwater Cooling System

2.2.2.1 Refer to figure 2-1, the main engine fresh water cooling systems forms a part of the auxiliary FW coolingsystem. Circulation of coolant through the main engine fresh water cooling system is carried out through amotor driven main engine jacket cooling pumps. Only one pump is in operation during passage or on DP.The pumps are configured for standby starts and are monitored on the ICMS. Please refer to table 2-11,for main engine jacket water cooling pump power supplies. Coolant circulated from the de-aeration tank tothe ME Jacket FW pre-heater via the ME Jacket water cooling fresh water pump. Coolant after pre-heat isthen distributed to the main engine auto venting unit, and scavenge air cooler. The outlet is directedthrough the freshwater generator for the production of potable water. Coolant from the water maker isdirected through an electro pneumatic controlled 3 way temperature control valve. This adjusts flow to theME Jacket Fresh Water cooler or to de-aerator before it is circulated back to the jacket water pumps. Theoutlet temperature from the jacket water system is maintained at 90°C. Coolant from the low temperaturefreshwater cooling components like the lube oil cooler and main engine air cooler are cooled separately inthe auxiliary freshwater cooling system.





2.2.3 Main Engine Lubricating Oil System Description

Main LO Sump Tank

Main LO

Pump

No.1

Main LO

Pump

No.2

No.1

Main LO

Cooler

(50%)

No.2

Main LO

Cooler

(50%)

Main LO

Auto

filter

Sludge

Checker

Crosshead

bearing &

Piston

Main

Bearing

Thrust

Bearing

TurbochargerL204V

Figure 2-2 Main Engine Lubrication System

2.2.3.1 Refer to figure 2-2, the main engine lubricating oil system is equipped with a 38.2m3 main LO sump tankand two motor driven 400m3/H main lube oil pumps.

2.2.3.2 The main engine LO pumps draw lubricating oil from the sump tank and is directed to both main lube oilcoolers. Both main engine LO coolers are using 50% cooling capacity. Both main engine LO coolers arecooled by the auxiliary FW cooling system. From the main LO cooler lube oil is passed through the mainLO Auto filter via the electro-pneumatic 3 way temperature control valve where the temperature is set to

45ºC. From the filter the lube oil is directed to the inter thrust bearing, main bearing, crosshead bearingand piston, and turbocharger unit.

2.2.3.3 Refer to the table below for the power sources for Main Engine LO Pumps.

Table 2-1 ME LO pump power sources

Pumps Power supply

ME LO Pump No.1 440Vac GSP No.1

ME LO Pump No.2 440Vac GSP No.2





2.2.4 Main Engine Starting Air and Control Air Description

Air Reduction

unit

Slow Turning

Gear

Main Starting

Valve

Starting Valves

Exhaust Valve

Safety Valve

relief

Connected to

oil mist

detector

Connected tooil filter

40L

Turning Gear

Air reservoir

Starting air

30bar

Control air

7bar

Figure 2-3 Main Engine Compressed Air System

2.2.4.1 The compressed air system comprises of two main air receivers (No.1 and No.2) with a working pressure

of 3.0 Mpa. Starting air for the main engine is supplied from the main air receivers via a common lineconnecting both air receivers.

2.2.4.2 The compressed air from the receivers is fed at 3.0 Mpa directly to the starting air inlet. Refer to figure 2-3,once the starting air solenoid valve has been activated. The 30 bar air from starting air inlet is also directedto the air reduction unit to produce 7 bar control air.

2.2.4.3 Once in operation there is no requirement for starting air for running of the main engines however, controlair is required to control the running speed of the main engine.

2.2.4.4 Control air to the engines is fed from a starting air inlet. The air is then reduced to 0.7 mpa through apressure reducing unit. The air at the outlet of the pressure reducing unit is connected to the oil mistdetector, safety relief valve, oil filter and air reservoir which is for exhaust valve operating mechanism.





2.2.5 Main Engine Fuel Oil System Description

2.2.5.1 Fuel can be drawn from the HFO, LSHFO, or the MDO/MGO service tank by one of the two motor drivenME FO supply pumps which in turn feeds one of the two ME FO circulating pumps. These pumps areassumed to operate on a standby start configuration. FO from the circulating pump is passed through amain engine fuel oil heater to attain the correct viscosity. FO is then directed through the viscorater unit (formeasurement and control of the heaters) and filtered through the bypass filter before it is directed to the

engine.

2.2.5.2 From the engine fuel oil manifold, it is distributed to all the hydraulic cylinder units for supply to the fuelinjectors. Excess fuel from the hydraulic cylinder units, injectors and relief valve on the supply manifold isreturned to the associated HFO service tank through the fuel oil return manifold.

2.2.5.3 During DP operations the main engine normally uses HFO or MDO from the respective service tank.

2.2.6 Failure Modes of the Main Engine

2.2.6.1 The significant failure modes of the main engine are taken to be: -

1. Engine stops during operation (No structural failure of major engine components).

2. Engine runs at lower speed than required during operation.

3. Engine runs at higher speed than required during operation.

4. Unforeseen catastrophic failure of a component part (manufacturer’s component fails within itsexpected lifespan).

5. Blocked Lube Oil Filter

6. Oil Mist Detector Failure

7. Failure of main lube oil pump

8. Viscosity Controller failure (Vicosity controller not required when using MDO)

9. Failure of fuel oil pump

2.2.7 Failure Effects of the Main Engines

2.2.7.1 Engine stops during operation: Loss of propulsion power, leading to loss of CPP. Vessel maintains positionwith remaining thrusters.

2.2.7.2 Engine runs at lower speed than required during operation: Inability to maintain desired output fromengine. Propeller will operate at a lower speed than required. The other thrusters will be required toincrease output to compensate in order to maintain position

2.2.7.3 Engine runs at higher speed than required during operation: Inability to maintain desired output from theengine. Propeller will operate at higher speeds than required. The remaining thrusters will be required toincrease or decrease output to compensate. There is a potential to overload the engine which could causethe engine to trip on over speed. If the engine trips, leading to loss of CPP, vessel still able to maintainposition with remaining thrust.

2.2.7.4 Unforeseen catastrophic failure of a component part: On failure of an external component, the engine maystop, but can usually be restarted when the part has been replaced. On failure of an internal component,the engine may stop due to catastrophic failure of other parts damaged by initial breakage. As above therewill be a sudden step load to surviving thrusters online at the time.

2.2.7.5 Blocked lube oil filter: A blocked main lube oil auto filter will result in a fall in lube oil pressure. Backflushing of the filter is activated on detection of high differential pressure across the filter. A differentialpressure device installed on the back flush filter will trigger an alarm on the ICMS on the onset of a blockedfilter. This filter is also fitted with a manual by pass filter to allow for maintenance on the auto filter.

2.2.7.6 Oil mist detector failure: This is understood to generate an alarm if air pressure fails, or if there is powerfailure to the equipment, but spurious shutdown of engine cannot be ruled out due to some internal fault.

2.2.7.7 Failure of main lube oil pump: The failure of the main lube oil circulating pump would result in a fall in lube

oil pressure; this would initiate a low lubricating oil pressure alarm on the engine control system and ICMS.It would also trigger an automatic start of the standby pump. This should not affect the operation of themain engine.





2.2.7.8 Viscosity Controller Failure: Failure of viscosity will lead the heavy fuel oil viscosity and affect the fuel oilflow rate and may lead the main engine to fail. Proper maintenance has to be in place to ensure correctoperation of the viscosity controllers.

2.2.7.9 Failure of Fuel Oil Pump: Failure of a fuel oil pump will result in reduced or no fuel to the engine, as there isa standby pump for the supply and circulating system this should start and resume fuel supply andgenerate an alarm.

2.2.8 Hidden Main Engine Failures

1. Manufacturing defects in engine components.

2. Contamination of lubricating oil.

3. Fuel oil supply pump automatic start failure when it is required.

4. Fuel oil circulating pump automatic start failure when it is required.

5. Lube oil standby pump automatic start failure.

6. Any pressure switch failure.

7. Any pressure alarm failure.

2.2.9 Common Mode Failures Affecting the Main Engine

2.2.9.1 Most common mode failures affecting the engine would be related to the auxiliary systems that supportthem such as fuel, compressed air, combustion air, lube oil, cooling water and control power supply. Thesesystems are discussed in the appropriate section of the FMEA.

2.2.10 Configuration Errors That Could Defeat Redundancy – Main Engine

2.2.10.1 There are no known alternative configurations that could defeat redundancy as there is one main enginedriving the propulsion CPP.

2.2.11 Maloperation of the Engines

2.2.11.1 There are no known single acts of maloperation that could defeat the redundancy concept.

2.2.12 Worst Case Failure of the Main Engine

2.2.12.1 The worst case failure identified in this analysis will result in the loss of the main engine, leading to failureof the propulsion CPP. Such failures are unlikely in a well maintained plant and should not exceed theworst case failure design intent.





2.3 AUXILIARY DIESEL GENERATOR SYSTEM

2.3.1 Aux. Engine Fuel Oil System Description

2.3.1.1 There are two different auxiliary engines installed on board. These are Hyundai 7H32/40 and 9H32/40. Thedifference between both engines are the number of cylinders and therefore power generated in theauxiliary engines, otherwise the systems in the engines are identical.

2.3.1.2 Hyundai Himsen 7-9H32/40: Fuel oil to the engine is strained through a 34 μ duplex fuel oil filter prior tobeing fed to the engine. Fuel is then directed to the fuel injection pumps. The excessive fuel oil from thefilter will drain to the fuel oil leakage tank. Fuel from the injector pump supplies its associated fuel injectorthrough a high pressure pipe. Excess fuel from the fuel injection system is collected in a fuel oil returnmanifold. From the fuel return manifold the excess fuel is directed to the associated fuel oil tank. Fuel oilleak off from the jacketed high pressure piping collects in a manifold and directed to a drain tank which ismonitored and alarmed for level on the ICMS.

2.3.1.3 During DP operations, the isolation valve F303V has to be normally closed and the auxiliary engines areconfigured to use certain types of fuel oil. These are indicated below:-

Marine Diesel Oil service tank supply GE No.3 and No 4.

Marine Gasoline service tank supply GE No.1 and No.2.

2.3.2 Auxiliary Engine Lubricating Oil System

Lub. Oil

Cooler

Centrifugal

Filter

El. Motor pre-

Lub. Oil Pump

Engine Drive

Lube Oil

Pump

Turbo Charger

Oil Mist Detector

Governor

Drive

Aux.Gear

Timing

Gear

Cam Shaft Bearing

Alternator

Bearing

Alternator

LO Cooler

Lub. Oil Fine

Filter

Figure 2-4 7-9H32/40 Engine Lubricating System

2.3.2.1 Hyundai Himsen 7-9H32/40: Figure 2-4 shows the engine has a self-contained lubricating system with anengine driven pump, an oil cooler, a Lube oil fine filter and cylinder lube oil pump. Oil is drawn from thelube oil sump by the engine driven LO pump. The LO is then fed to the LO cooler, the excess LO will bereturned back to the LO sump tank via the centrifugal filter. The temperature of the inlet oil to the engine isregulated by the 3-way temperature control valve before passing through the filter by adjusting the flow oflube oil to the internal lube oil system and oil cooler. The set point of the lube oil inlet temperature is 60-69°C. After the cooler or TCV, lube oil is strained through duplex 15µ filters. Each filter is equipped with abypass valve which lifts at 0.2Mpa. From the duplex filters, lube oil is supplied to the main lubricating bore.





2.3.2.2 The main lubricating oil bore distributes lube oil to the various engine lubricating points; (the turbocharger,main bearings, fuel oil pumps, piston assembly, rocker arms, and camshafts bearings, cylinder oil pumpetc).

2.3.2.3 Each engine is equipped with a motor driven pre-lube oil pump. No.1 and 3 GE pre-lub oil pump iselectrically supplied from the 440Vac Emergency switchboard while No.2 and No.4 GE –pre-lub pump issupplied from 440Vac No.2 Feeder panel. If the lube oil pressure drops below low level pressure, the

pressure switch will trigger the standby pump. The low lube oil pressure trip will activate if the pressuredrops below the low-low level of pressure.

2.3.3 Auxiliary Engine Fresh Water Cooling System

Fresh

Water

outlet to

coolerCyl.1

Alternator

Cyl.N

Charge Air

Cooler

Elect.

Heater

Engine

Driven HT

Pump

LO Cooler

LT FWOutletLT FWInlet

TCV

7-9H32/40

Figure 2-5 Auxiliary Engine Freshwater Cooling System

2.3.3.1 The 7-9H32/40 engines freshwater cooling systems comprise of a LTFW cooling circuit and HTFW coolingcircuit. Diesel generators No.1 and No.2 form part of the No.1 & No.2 GE freshwater cooling system andDiesel generators No.3 and No.4 form part of the No.3 & No.4 GE Freshwater Cooling System. Bothgenerator fresh water cooling systems are identical.

2.3.3.2 The engine LTFW cooling circuit comprises of the LT charge air cooler (2 nd stage) and engine lube oilcooler. The circulation of coolant through this system is provided by GE freshwater cooling pumps No.1 or

No.2. From the lube oil cooler, coolant is either returned to the GE fresh water cooling system or theengine driven HT cooling pump.

2.3.3.3 The HTFW cooling circuit comprises of the HT charge air cooler (1 st stage) and jacket water system. Theengine driven HT cooling water pump circulates coolant through the HT charge air cooler and engine jacket water cooling systems before it is directed to a 3-way pneumatic temperature control valve. Thetemperature control valve maintains the outlet HT fresh water system temperature at 79/88˚C before it isreturned to the central freshwater cooling system.

2.3.3.4 LTFW coolant supplied through the alternator lube oil cooler, LT air cooler (2nd stage), alternator L.Ocooler and alternator air cooler is also supplied by the GE freshwater cooling pumps.

2.3.3.5 Pre-heating unit is allocated in the HT engine fresh water cooling system before the 3-way temperature

control valve. Please refer to the figure 2-5.





2.3.4 Auxiliary Engine Compressed Air system

Compress Air Inlet

Turbo Charger

Main Starting

Valve

Starting Solenoid

Valve

On-off Valve for DAI System

Air filter

First Fuel

Pump Drive

Last Fuel

Pump Drive

Air Starting

Vavle

Air Starting

Vavle

Turning Gear

Pressure

Reducing

Valve

3/2 Way

solenoid

Valve

To Lambda

Cylinder

Oil Mist

Detector

Emergency Stop

Cylinder

Normal/

Emerg.

Stop

valve

Figure 2-6 7-9H32/40 Engine Compressed Air System

2.3.4.1 All four diesel generator engines are air started and are part of the compressed air system.

2.3.4.2 Please refer to Figure 2-6. The 7-9H32/40 engines are supplied with starting air at 3.0 Mpa from the mainair receivers. From the air inlet, compressed air is directed to the main starting valve, on/off valve for the jet assist system, 3/2 way solenoid valve for the normal stop/ emergency stop, and turning gear.Compressed air at the inlet to the engine is also diverted to an allocated pressure reducing station toprovide control air at 8 bars. Control air for the engines is directed to the pneumatic cooling valve, 3/2 wayvalve for normal stop/emergency stop (pneumatic pressure to assist in pushing the fuel rack to zero), 3/2way solenoid valve for Lambda Cylinder and the oil mist detector.

2.3.4.3 From the compressed air inlet, the air is supplied to Lambda cylinder through a 3/2 way solenoid valve forfuel oil limiting for charging air purpose. The charge air intake is taken from the engineroom through a filter

fitted on the turbocharger for the jet system. A sufficient volume of air has to be supplied to theturbocharger, therefore each turbocharger is installed with an air duct.

2.3.4.4 Emergency shut off fire dampers in the engineroom are air actuated to close the damper therefore loss ofcontrol air will not affect the closure of the fire dampers. Maloperation by activating the closure of the firedamper cannot be ruled out; assumption can be made that adequate protection have been applied to thecontrol station. Failure mode effect for the fire dampers are further described in the section 2.10.

2.3.5 Failure Modes of the Auxiliary Engines

2.3.5.1 The significant failure modes of the engines are taken to be: -


2. Engine runs at higher speed than required during operation.3. Unforeseen catastrophic failure of a component part (manufacturer’s component fails within itsexpected lifespan).





4. Failure of engine pre-lube/ standby pump.

5. Failure of engine driven main lube oil pump.

6. Failure of piping leakage of the compress air system to auxiliary engines.

7. Failure of HT temperature control valve for engine.

8. Restricted or no fuel supply.

2.3.6 Failure Effects of the Auxiliary Engines

2.3.6.1 Engine runs at lower speed than required during operation: Inability to maintain power supply at requiredfrequency (single engine operation only); inability to load share effectively (sheds load). Temporary loss ofspinning reserve, may trip on under frequency or eventually low voltage (single engine operation only).

2.3.6.2 Engine runs at higher speed than required during operation: Inability to maintain power supply at requiredfrequency (single engine operation only); inability to load share (grabs loads in parallel operation) potentialto overload engine, potential to overspeed engine or trip on overspeed protection (single engine operationonly), potential to cause irreversible damage to engine.

2.3.6.3 Unforeseen catastrophic failure of a component part: On failure of an external component, the engine maystop, but can usually be restarted when the part has been replaced. On failure of an internal component,

the engine may stop due to catastrophic failure of other parts damaged by initial breakage. This will resultin a reduction in the available load in the power plant and possibly stopping of associated thrusters, asabove there will be a sudden step load to surviving thrusters online at the time.

2.3.6.4 Failure of engine pre-lube/ standby pump: Failure of pre lube pump will not affect running engine but mayinhibit the starting of an engine on standby.

2.3.6.5 Failure of engine driven main lube oil pump: The failure of the engine driven main lube oil pump wouldresult in a fall in lube oil pressure which would first initiate a low lubricating oil pressure alarm and willtrigger the automatic start of standby pump (pre-lube pump). The standby pump will resume the requiredlube oil pressure or the engine may trip on low lube oil pressure.

2.3.6.6 Failure of piping leakage of the compress air system to auxiliary engine: The pipe leakage of air to theauxiliary engines will not stop the engines but may remove the safety systems required to stop the engine. A low starting air/control air pressure alarm will be initiated at the local engine panel and ICMS.

2.3.6.7 Failure of HT temperature control valve for engine: This may cause the temperature control valve will failas set. If the valve fails to bypass the cooler, it will cause the engine to be tripped in the high temperatureoperating. If the valve fail to full cooling, it will have no effect on the engine

2.3.6.8 Restricted or no fuel supply: Each pair of diesel engines has a common fuel supply with a self-cleaningfilter, a choked filter could restrict fuel supply to the two diesel engines and result in uneven operation orstopping of the engines. This would equal the vessels worst case failure. In mitigation the filter ismonitored and has a bypass that would allow the operator to resume normal supply in the event of arestriction.

2.3.7 Hidden Auxiliary Engine Failures

1. Manufacturing defects in engine components – this would normally be restricted to a single enginebut the resulting effect could impact that section of the power system.

2. Contamination of lubricating oil – this would be restricted to a single engine

3. Fuel oil standby pump automatic start failure when it is required – this could impact two dieselengines

4. Lube oil standby pump automatic start failure - this would be restricted to a single engine

5. Any pressure switch failure - this would be restricted to a single engine

6. Any pressure alarm failure - this would be restricted to a single engine

2.3.8 Common Mode Failures Affecting the Auxiliary Engines

2.3.8.1 Most common mode failures affecting the engines would be related to the auxiliary systems that supportthem such as fuel, compressed air, combustion air, lube oil, cooling water and control power supply.These systems are discussed in the appropriate section of the FMEA.





2.3.1 Configuration Errors That Could Defeat The Redundancy- Engines

2.3.1.1 There are very few user selectable configurations for the engine skids other than those selected duringcommissioning of the control unit. Most opportunities for configuration error lie in the arrangement ofengine auxiliaries and power management system.

2.3.1.2 Running insufficient number of engines to maintain adequate spinning reserve.

2.3.1.3 Operating all the engines from a single fuel oil day tank.

2.3.2 Maloperation of the Engines

2.3.2.1 There are few credible operator actions that could defeat the redundancy concept, other than those thatwould prevent a standby engine if any from starting and connecting, e.g. engine is inadvertently left onmanual instead of automatic standby; however that is not consider for this configuration.

2.3.3 Worst Case Failure of the Engines

2.3.3.1 The worst case failure identified for failure of an auxiliary diesel engine would be a single engine but asDG’s 1 & 2 and DG’s 3 & 4 share common auxiliaries in the form of cooling and fuel oil this could result inloss of up to two diesel engines.

2.4 ENGINE CONTROL SYSTEM AND SAFETY SHUTDOWNS

2.4.1 Drawing reference

Man B&W 6S70ME-C8.2 – electric connection diagram – A14-436372-3

2.4.2 Main Engine Controls

2.4.2.1 The engine control system manages the operation of the engine. It controls the starting, stopping andspeed setting of the main engine. This system is provided with a safety system which may automaticallyslow down or trip the engine if abnormal conditions and engine parameters are detected. A manualemergency stop is provided at the engine as a backup in case of failure of the remote control system.

2.4.2.2 The Man B&W engine 6S60ME-C8 two stroke marine diesel engines incorporates an electronically

controlled hydraulic system which provides the required flexibility to form the core of the ME “EngineControl System”. The system has dual power supply fed from two UPS then is converted to 24Vdc at thepower supply unit. The both supplies also have battery backup supplies. The system consists of:-

1. Auxiliary Control Unit (ACU)

2. Cylinder Control Unit (CCU)

3. Engine control unit (ECU)

4. Engine interface control unit (EICU)

5. Main operating panel (MOP)

2.4.2.3 The ECS performs all the control functions; it receives control signals from the controller through the

interface panel. It is through the interface panel that the 24Vdc is supplied. This 24Vdc is supplied by GE1/2 PSU (for engines 1 and 2) and GE 3/4 PSU’s (for engines 3 and 4). These are powered from220VacMSB/ESB and there is a built in UPS and batteries inside the PSU for providing the backup powersupply in the event of failure of main input supplies. Various sensors are allocated to the ECS to monitorengine performance and protective data.

2.4.3 Engine shutdowns and alarms

2.4.3.1 The engine shutdowns and alarms which protect the engine are listed below.

Table 2-2 Main Engine Shutdown

Engine Shutdowns Settings

Engine overspeed 89.4rpm (109% of MCR)ME LO low pressure 1.4 kg/cm2

Non- cancellable signal from ECS-A/B





Pump inlet oil pressure lowHydraulic low pressure sensors failed

Hydraulic high pressure fails during runningengine

Cancellable signal from ECS – A/BLeakage from hydraulic unit, high level

Thrust bearing segment high temperature 90 ºCT/C LO low pressure 0.4 kg/cm2

2.4.3.2 The following abnormal conditions will initiate an alarm at the ECR and ICMS, it will also activate anautomatic main engine slow down to a pre-set speed.

Table 2-3 Main Engine Alarms and slowdown setting

Engine Alarms Slowdown Settings

Cylinder Exh. Gas Aft Exh. V/V high temp. Alarm:430 °C Slowdown:450°CCylinder Exh. Gas Aft Exh. V/V Deviation high temp. Alarm: Mean value±50°C Slowdown: Mean

value ±60°CScavenge air box - fire detection high temp. Alarm:80°C Slowdown:120°CT/C L.O outlet high temp. Alarm:85°C Slowdown:85°CT/C L.O inlet low pressure Alarm:0.6kg/ cm2Slowdown:0.6kg/ cm2

Cylinder Jacket CFW outlet high temp. Alarm:90°C Slowdown:95°CL.O inlet high temp. Alarm:55°C Slowdown:60°CJacket CFW inlet low pressure Alarm:4.0kg/ cm2 Slowdown:3.5kg/ cm2

Jacket CFW inlet low temp. Alarm:57°C Slowdown:50°CJacket CFW inlet high temp. Slowdown:98°CPiston C.O. high temp. Alarm:70°C Slowdown:75°C

Piston C.O. non flow Alarm & Slowdown

Thrust bearing segment high temp. Alarm:75°C Slowdown:80°CL.O inlet low pressure Alarm:1.8kg/ cm2 Slowdown:1.6kg/ cm2

Axial vibration high Alarm & SlowdownCrankcase oil mist high density Alarm & SlowdownBearing Wear Monitoring Sys. Abnormal Slowdown

ECS A&B Slowdown SlowdownStern Tube Bearing high temp. Alarm:60°C Slowdown:60°CInterm. Shaft Bearing high temp. Alarm:65°C Slowdown:65°C

Exh. Gas Econ. feed pump low pressure Alarm:1.8kg/ cm2 Slowdown:1.6kg/ cm2 Main Bearing high temp. Slowdown:70°C

Crankpin Bearing hight temp. Slowdown:70°CT/C Exh. Gas outlet high temp. Alarm:350°CT/C Exh. Gas intlet high temp. Alarm:520°C

F.O inlet high low&high temp. Alarm:120°C(Low) / 150°C(High)Scavinge Air Receiver high temp. Alarm:55°CWater mist catcher water high level

L.O inlet high waterCylinder lubrication high temp. Alarm:70°CF.O inlet low pressure Alarm:6.5kg/ cm2

Air Cylinder for Exh. V/V low pressure Alarm:5.5kg/ cm2 Starting Air inlet low pressure Alarm:15kg/ cm2 Control Air inlet low pressure Alarm:5.5kg/ cm2

Air Cooler C.W outlet high temp. Alarm:70°C

Air Cooler C.W inlet low&high pressure Alarm:1.0kg/ cm2 (Low) / 5.5kg/ cm2 (High)Leakage From high pressure pipes

Leakage oil from hyd. Cyl. Unit





Engine Alarms Slowdown Settings

Vibration system/power failPower supply A&B failHyd. Oil filter Diff. high pressure.

T/C RPM highEICU A & B fail

Cylinder Heat. Unit L.O low levelHyd. Pump starter abnormal Aux. Blower abnormal

2.4.3.3 The main engine safety monitoring system will initiate a “Safety System Abnormal” alarm on the ECRPanel in the event of the following conditions:-

1. Micro computer CPU hard abnormal.

2. 15V line electric source failure.

3. Communication abnormal.

4. Revolution signal (For safety system) Abnormal.

5. Manual emergency shutdown switch circuit disconnection.

6. Emergency shutdown override switch circuit disconnection.

7. Emergency slow down override switch circuit disconnection.

8. Automatic emergency shutdown sensor circuit disconnection.

9. Automatic emergency slow down sensor circuit disconnection.

10. Emergency shutdown reset signal circuit disconnection.

2.4.4 Failure modes of the main engine control system and safety shutdowns

1. Failure of protective sensors such as lube oil pressure sensors, oil temperature sensors and thrust

pad high temperature sensors.2. Failure of the 24Vdc supply from the power supply unit.

3. Failure of the Engine interfase control unit panel.

4. Failure of Auxiliary Control Unit.

5. Failure of Engine Control Unit.

6. Failure of Cylinder Control Unit.

7. Failure of Main operating panel.

2.4.5 Failure effect of the engine control system and safety shutdowns

2.4.5.1 Failure of protective sensors such as lube oil pressure sensors, oil temperature sensors and thrust padhigh temperature sensors: Generally the same as for performance sensors. However, if the sensor fails toa voltage / current corresponding to a value which initiates the shutdown, an engine shutdown will occur.

2.4.5.2 Failure of one of the 24Vdc supply from the power supply unit to ECS: The engine control system has adual 220Vac power supply from the UPS. It is through the power supply unit that it is converted to 24Vdc.Failure of the main 24Vdc supply would result in a bumpless transfer to the backup power supply, this willbe initiated as an alarm at the ICMS or ECR panel.

2.4.5.3 Failure of the one of the Engine interface control unit panel: The failure will not affect the main engine as itis backed up by the second engine interface control unit panel.

2.4.5.4 Failure of one of the Auxiliary Control Unit: The failure will not affect the main engine as it is backed up bythe second Auxiliary control unit.

2.4.5.5 Failure of one of the Engine Control Unit: The failure will not affect the main engine as it is backed up bythe second engine control unit.





2.4.5.6 Failure of Cylinder Control Unit: This failure will results loss of data for the particular cylinder as eachcylinder has its own cylinder control unit. This will not have a direct effect on the main engine.

2.4.5.7 Failure of one of the Main operating panel: This will result loss of control from the main operating panel,however the main engine still continue to run.

2.4.6 Hidden failures of the engine control system and safety shutdowns

2.4.6.1 All protection systems are potential hidden failures. It is acceptable to mitigate the risk by testing suchfunctions periodically.

2.4.7 Maloperation of the engine control system and safety shutdowns

2.4.7.1 All such acts should lead to loss of main engine resulting in the loss of the CPP (T6). Vessel still maintainsposition with remaining thrusters.

2.4.8 Common mode failure associated with the engine control system and safety shutdowns

2.4.8.1 There are no known common mode failures as there is only one main engine driving the CPP.

2.4.9 Engine control system and safety shutdowns configuration errors that could defeat redundancy

2.4.9.1 There are no known opportunities for alternative configurations in the set up for a single engine.

2.4.10 Worst case failure

2.4.10.1 The worst case failure of the engine control system will be failure of the protective sensors which maycause the engine to shutdown. However this will only affect one engine.





2.4.11 Auxiliary Engine Management system

2.4.11.1 Drawing Reference

B94-082252-0 Technical Engine Specification for Diesel Generator engine

2.4.11.2 Description: The diesel generator engine control is initiated in both the 7-9H32/40 engine control system.The engines are equipped with temperature sensors and pressure sensors on an engine monitoring panel

and remote reading on ship’s system.

2.4.11.3 Transmission of the data to the alarm system is via MODBUS communication. The following section looks atthe engine auxiliary systems which may affect power generation of an engine and their ability to sustain DPoperations. The following sections considers failures of the engine auxiliary systems that would:

1. Initiate a diesel generator safety stop.

2. Inhibit a standby engine start.

3. Initiate an alarm on a running engine such that a standby machine is started.

4. In the event of a blackout, initiate restart of engines.2.4.11.4 Diesel generator safety stops: There are alarm conditions which could lead to the initiation of a diesel

generator safety stop. Please refer to Table 2-4 and Table 2-5

Table 2-4 Auxiliary Engine Shutdowns Alarm setting

Auxiliary Engine Shutdowns Alarm Setting

Low-Low lubrication oil pressure inlet. 3 kg/cm3

High-high HTFW cooling water temperature

outlet.

95ºC

High-high oil mist in crankcase. -

High-high engine overspeed Shutdown: 828 rpm

2.4.11.5 The following abnormal condition will initiate an alarm at the ECR.

Table 2-5 Auxiliary Engine Alarm setting

Auxiliary Engine Alarms Alarm Setting

Pickup for turbocharger RPM 7H: 29520 RPM

9H 28500 RPM

HT Water low pressure, engine inlet 0.4 kg/cm3

LT Water low pressure, engine inlet 0.4 kg/cm3

LO low pressure, engine inlet 3.5kg/cm3

FO low pressure, engine inlet HFO: 6kg/cm3

MDO: 1kg/cm3

Starting air low pressure, engine inlet 15kg/cm3





Diff. Pressure high for LO filter 1.5kg/cm3

Diff. Pressure low for FO filter 1.5kg/cm3

LO low pressure T/C inlet low 1.1kg/cm3

Pre-lub pressure engine inlet low 0.08kg/cm3

Cylinder Exhaust Gas temperature 530ºC

High HTFW cooling water temperatureoutlet.

90ºC

LT water temperature Air cooler inlet 45ºC

FO temperature Engine inlet HFO: 150 ºC

High engine overspeed No Alarm

2.4.12 Failure modes of the auxiliary engine management system and safety shutdowns

1. Failure of protective sensors such as lube oil pressure sensors, oil temperature sensors and freshwater high temperature sensors.

2. Failure of one of the 24Vdc power supply to DG control and safety system

3. Failure of the 24Vdc power supply safety system

4. Failure of the 24Vdc power supply alarm system.

2.4.13 Failure effect of the engine control system and safety shutdowns

2.4.13.1 Failure of protective sensors such as lube oil pressure sensors, oil temperature sensors and fresh waterhigh temperature sensors: Generally the same as for performance sensors. However, if the sensor fails to avoltage / current corresponding to a value which initiates the shutdown, an engine shutdown will occur.

2.4.13.2 Failure of one of the 24Vdc power supply to DG control and safety system: There are dual 24Vdc powersupplies. These are supplied to the control and monitoring system and safety system. Both 24Vdc powersupplies are supplied from the ship’s supply. Both 24Vdc power supplies are redundant to each other. Afterthe power supply is rectified, the 24Vdc is supplied to No.1 & No.2 DG control and safety system as well asNo.3 & No. 4 DG control and safety system which have same systems. Failure of one of the power supplieswill generate an alarm in the ICMS and will not affect the DP operation.

2.4.13.3 Failure of the 24Vdc power supply safety system: Failure of 24Vdc power supply to safety system will leadto loss of safety shutdown to the engine and it may lead to loss of particular engine. This to be proven

during the sea trial.2.4.13.4 Failure of the 24Vdc power supply alarm system from the ship supply: Failure of 24Vdc power supply to

alarm system will not lead to loss of engine just the monitoring system.

2.4.14 Hidden failures of the engine control system and safety shutdowns

2.4.14.1 All protection systems are potential hidden failures. It is acceptable to mitigate the risk by testing suchfunctions periodically.

2.4.15 Maloperation of the engine control system and safety shutdowns

2.4.15.1 All such acts should lead to loss of one auxiliary engine resulting in reduced power available to theswitchboard.

2.4.16 Common mode failure associated with the engine control system and safety shutdowns2.4.16.1 Two generators control power supply are connected to the same power sources. Failure of the supply may

lead to loss of two generators and loss of that particular switchboard.





2.4.17 Engine control system and safety shutdowns configuration errors that could defeat redundancy

2.4.17.1 There are no known opportunities for alternative configurations in the set up for a single engine.


2.4.18.1 The worst case failure would be loss of two associated diesel engines DG 1 & 2 or DG 3 & 4 that sharecommon control power supplies. .

2.5 FUEL OIL SYSTEM

2.5.1 Fuel Oil Storage, Transfer and Distribution System


1. 200M241001MB - FO System (Filling and Transfer System)

2. 200M241001MB - HFO System Purifying System

3. 200M241001MB – ME FO Service System

4. 200M241001MB – GE FO Service System

2.5.3 Configuration for DP

2.5.3.1 In normal operations, only fuel that has been sampled and tested is considered for transfer into the settlingtanks.

2.5.4 Fuel Oil Storage and Transfer System

2.5.5 Location

2.5.5.1 Please refer to table 2-7, for the locations of the storage tanks.

2.5.6 Description

No.2 HFO

Bunker Tank

(P)

No.1 HFO

Bunker Tank

(P)

No.1 LS HFO

Bunker Tank

(S)

No.2 LS HFO

Bunker Tank

(S)MDO Storage

Tank

MGO Storage

Tank

HFO Sett.

TankHFO Serv.

Tank

LS HFO Serv.

Tank

LS HFO Sett.

Tank

MDO Serv.

Tank

MGO Serv.

Tank

MDO

Transfer

Pump

HFO Transfer

Pump

Figure 2-7 Fuel Oil Transfer System





2.5.6.1 Station keeping integrity depends heavily on assuring a clean supply of fuel to the engines. This sectiondiscusses the arrangement of storage tanks and fuel purification equipment which provides fuel to theservice tanks. There are four types of fuel oil used on board which are Marine Diesel Oil (MDO), MarineGasoline Oil (MGO), Heavy Fuel Oil (HFO) and Low Sulphur Heavy Fuel Oil (LSHFO).

2.5.6.2 Refer to figure 2-7, the vessel has four heavy FO bunker tanks installed two Port and two Starboard, onemarine gasoline oil storage tank and one marine diesel oil storage tank. Fuel can be loaded into any of

these tanks from the port or starboard bunker station. In normal operations, fuel is transferred to the port orstarboard heavy fuel oil settling tanks from the bunker tanks.

2.5.6.3 The fuel oil system has one HFO Transfer Pump and one MDO Transfer pump. Both pumps have a flowrate of 40m3/h x 3KPa. The MDO and HFO Transfer Pump are fed from the 440Vac LGSP No.3.

Table 2-6 FO Storage Tank Volumes

Storage Tanks Volume Location

MGO service tank 49.5 Fr 49 – Fr 53

MDO Service tank 46.4m3 Fr 49 – Fr 54

HFO Service tank 111.6m3 Fr 36 – Fr 42

LS HFO Service tank 73.8m3 Fr 27 – Fr 33

MDO Storage Tank 235.8m3 Fr 49 – Fr 54

MGO Storage Tank 191.6m3 Fr 49 – Fr 54

No.1 LS HFO Bunker tank (S) 950.8m3 Fr 54 – Fr 60

No.2 LS HFO Bunker tank (S) 818.7m3 Fr 27 – Fr 54

No.1 HFO Bunker tank (P) 950.8 m3 Fr 54 – Fr 60

No.2 HFO Bunker tank (P) 636.2 m3 Fr 27 – Fr 54





2.5.7 Fuel Oil Purification System

LS HFO Sett.

TankLS HFO Serv.

TankHFO Sett.

Tank

HFO Serv.

Tank

No.1 HFO

Purifier

Supply

Pump

No.2 HFO

Purifier

Supply

Pump

No.1

HFO

Purifier

Heater

No.2

HFO

Purifier

Heater

No.1

HFOPurifier

No.2

HFOPurifier

MDO Serv.

Tank

MGO Serv.

Tank

NC

F117V

F118V

NC

Figure 2-8 Fuel Oil Purification System and Settling System





2.5.7.1 Fuel Oil Purification and Settling System: Refer to figure 2-8 FO purification and settling system, the fuel oilsystem consists of a MDO service tank, MGO service tank, LS HFO settling tank & Service tank and HFOsettling tank & Service tank. These are located between frames 27 to 54 and are equipped with pneumaticactuated quick closing valves. The settling tanks are equipped with a level transmitter and are monitoredand alarmed on the ICMS.

2.5.7.2 There are a total of two HFO purifiers and two HFO purifier heaters in the fuel oil systems. HFO purifiers

No.1 and No.2 are supplied from 440Vac LGSP No.4 (Section 1) and 440Vac LGSP No.4 (Section 2)respectively. In normal operations, one purifier is running to supply both HFO Service tanks. Fuel oil isdrawn from a settling tank by the attached feed pump and passed through a heater before feeding thepurifier. Each HFO purifier has a flow rate of 4600L/H.

2.5.7.3 As for the MDO and MGO FO, both service tanks use the common purifying system with the HFO purifiers.MGO or MDO is drawn from the service tank by the attached feed pump no.2 and by passes the heaterbefore feeding the purifier. After purif ication the FO is returned to the MDO / MGO service tanks.

2.5.8 Fuel Oil Distribution System

2.5.9 Location

2.5.9.1 The fuel oil service tanks are located in the Port side of the engine room between frames 27 to 54.


2.5.10.1 Please refer to figure 2-8 for the crossover valve configuration.:-

1. MDO service tank supply to Diesel generator no.3 and no.4.

2. MGO service tank supply to diesel generator no.1 and no.2.

3. HFO service tank supply to the main engine.

2.5.10.2 The maintenance crossover between the supply and return lines are normally closed. Refer to table belowfor the crossover valve configuration during DP Operations:-

Table 2-7 FO Crossover Valve Configuration During DP

Engines Valve Tag Normally Close Normally Open

ME

F256V From MDO & MGO From HFO

GE No.1, GE No.2, GE No.3 and GE No.4

F303V √

F304V √

F330V √

F324V √

F353V √

F354V √





LS HFO

Serv.

Tank

HFO

Serv.

Tank

MDO

Serv.

Tank

MGO

Serv.

Tank

Main Engine

Diesel Switch To Main Engine

F201VF202VF203V F204V

F255V

F208V F207V

F301V

F302V

To No.1 & No.2 DG

To No.3 & No.4 DGF303V NC

Return oil from No.1 & No.2 DG

Return oil from No.3 & No.4 DGF324V

NC

F354V F353V

F304V

F330V

F256V

Figure 2-9 Fuel Oil Distribution System

2.5.10.3 Refer to figure 2-9; the fuel distribution system essentially consists of four different types of fuel oil with apiping system that would allow access of these fuels to the five engines. In normal DP operations, the mainengine will be supplied from the HFO service tank but can be supplied from the MDO service tank ifrequired. The distribution of MDO whilst on DP is split into two separate systems; MDO service tanksupplies generator no.3 and no.4 whilst the MGO service tank supply generator no.1 and no.2. This splitaligns with the redundancy concept. There is a cross over between the two sides which is normally closed.Fuel is supplied to the engines by the electrical driven FO supply pumps. Each side of the engines has twopumps. The setting of the crossover valves can be referred to in figure 2-9.

2.5.10.4 This fuel oil distribution system consists of one MDO service tank 46.4m 3, one MGO service tank 49.5m3,

one HFO service tank 111.6m3

and one LS HFO service tank 73.8m3

. All the tanks are installed withpneumatic quick closing valves. The service tanks are located port side of the engine room between frames27 to 54. Auxiliary engines No.1 and No.2 run on Marine Gasoline Oil, auxiliary engines No.3 and No.4 runon marine diesel fuel and the main engine runs on heavy fuel oil. The fuel oil service tanks are eachmonitored by a single level transducer which provides a signal used to initiate a low level alarm and a highlevel alarm on the ICMS. The HFO settling tanks are also monitored with a single level transducer for thesame values as the service tank, which also initiates a low level and high level alarm on the ICMS.

2.5.10.5 The fuel oil supply and return manifolds each have a selection of maintenance cross valves which arenormally closed to prevent cross contamination. Fuel oil contamination is controlled by daily drainagechecks at the settling and service tanks; early detection of contamination allows it to be controlled by dosing.





2.5.11 Fuel oil QCVs for DO Service Tanks, Settling Tanks and Storage Tanks

Group 1

Group 2

Incinerator

DO Tank

Incinerator

WO Serv.

Tank

Incinerator

Sett. Tank

No.1 HFO

Tk (P)

No.1 LS

HFO Tk (S)

No.2 HFO

Tk (P)

No.2 LS

HFO Tk (S)

LS HFO

Serv. Tk.

HFO Serv.

Tk.

LS HFO

Sett. Tk.

HFO Sett.

Tk.

MDO Stor.

Tk.

MGO Serv.

Tank

MGO Stor.

Tank

Main LO

Sett. Tank

LS. Cyl. Oil

Meas. Tk.

Cyl. Oil

Meas. Tk.

MDO Serv.

Tank

NC

NC

ER Fan

DamperCont. Panel

To Fire Damper For ER No.1 Fan




To Fire Damper For Puri. Room Fan

To Funnel Fire Damper

To Funnel Fire DamperFrom

Compress

Air system

Figure 2-10 Pneumatic Fuel Oil Quick Closing Valve System

2.5.11.1 The pneumatic fuel oil quick closing valve system consists of an air receiver with a relief valve and lowpressure alarm. Refer to Figure 2-10 Compressed air at 0.7mPa is supplied to the Fire Control Station airreceiver from the Deck Service air reservoir. In the event the air pressure reaches the low level pressure,alarm will be initiated on the ICMS. The quick closing valves require a supply of compressed air to close.

2.5.11.2 The pneumatic QCV’s are operated manually through an isolating valve in the fire control station. Whenopened, compressed air is directed to the quick closing valves for 12 FO storage tanks, main LO settlingtanks, LS cylinder oil measure tanks, cylinder oil measure tanks, incinerator DO tank, incinerator settlingtank and incinerator waste oil service tank. The 12 fuel oil tanks include the MDO Storage tank, MGOstorage tank, HFO storage tank, LS HFO storage tank, MDO Service Tank, MGO Service tank, HFO Servicetank and LS HFO Service tank. The distribution of the compress air from the fire control station is dividedinto two groups. The grouping of the tanks are as follows:

Table 2-8 Quick Closing Valves Grouping

Group Tanks

1 Incinerator DO tank, Incinerator Waste Oil service tank, Incinerator Settling tank, No.1HFO Tank(P), No.2 HFO Tank (P), LS HFO Serv. Tank, HFO Serv. Tank, LSHFOSettling tank, HFO Settling Tank, MDO Storage Tank, MGO Service tank.

2 Main LO Settling tank, LS Cyl. Oil Measure Tank, Cyl. Oil Meas. Tank, MDO Servicetank, No.2 LS HFO Tank (S), MGO Storage tank, No.1 LS HFO Tank (S),

2.5.11.3 These service tanks can be inadvertently closed through one control valve causing the running generatorsand the main engine to shut down from fuel starvation. Adequate protection has to be applied to the system

to prevent inadvertently closing of two valves. The valves are set as normally close at the initial stage. Whenthere is emergency and need to shutdown all the engines, two valves has to be manually open beforeactivate the quick closing valves.





2.5.12 Main Engine Fuel Oil Service System Description

From Diesel

Switch

ME FO Supply

P/p 1

ME FO Supply

P/p 2ME FO

Venti.

Box

NC

F239V

F238V

ME/MGO

Chiller

ME FO Circ. P/p

1

ME FO Circ. P/p

2

No.1 ME HFO

Heater

No.2 ME HFO

Heater

Vicosity Sensor

ME FO Auto

FilterME MAN B&W

6S70ME-C8.2

To LS HFO/HFO

Serv. Tank

To Overflow

Tank

From HFO& MDO

Serv Tk

Figure 2-11 Main Engine Fuel Oil System

2.5.12.1 Please refer to figure 2-11. Fuel can be drawn from the, MGO, MDO, HFO or LSHFO service tanks to thediesel switch which can choose which fuel to be used for the main engine. If the diesel switch has beenblocked or failed the FO will by-pass the diesel switch and be directed to the main engine.

2.5.12.2 The FO is drawn by one of the two electrically driven ME FO supply pumps. Please refer to table 2-9 for the

power supplies. The fuel oil supply pumps and FO circulation pumps are configured for standby starts andare monitored on the ICMS.

2.5.12.3 From the main engine fuel oil supply pumps, fuel oil is directed to the electrically driven ME FO circulationpumps. There are two ME FO circulation pumps, these are configured for standby starts and are monitoredon the ICMS. From the circulation pump, fuel oil is passed through the fuel oil pre-heater and viscorator.Regulation of the temperature and viscosity of the fuel oil, is monitored and controlled through theviscorator. Fuel is then directed at low pressure through the ME FO auto fuel oil filter. From the filter, fuel isdirected to the left and right bank fuel injectors. The excess fuel from the injectors will be directed back tothe M/E fuel oil venting box through the FO return line.

2.5.12.4 During the DP operation, HFO or LS HFO can be used to supply to the main engine and the crossoverconfiguration can be refer to table 2-9.

Table 2-9 ME FO pump power sources

Pumps Power supplyME FO Supply Pump No.1 440Vac No.1 GSP

ME FO Supply Pump No.2 440Vac No.2 GSP

ME FO Circulation Pump No.1 440Vac No.1 GSP

ME FO Circulation Pump No.2 440Vac No.2 GSP





2.5.13 Diesel Generators Fuel Oil Service System Descriptions

From

MGO

Serv.

Tank

No.1 / 2GE MGO

Supply P/P 1

No.1/2 GE MGO

Supply P/P 2

GE MGO

Flushing P/P 1

No.1 GE

MGO

ChillerNo.1 GE Auto

FilterNo.1 GE

No.2 GE

Return to

MGO Serv.

Tank

From

MDO

Serv.

Tank

No.3 /4 GE MDO

Supply P/P 1

No.3/4 GE MDO

Supply P/P 2

GE MDO

Flushing P/P 2

No.2 GE

MDO

ChillerNo.2 GE Auto

FilterNo.3 GE

No.4 GE

Return toMDO Serv.

Tank

Figure 2-12 Diesel Generator Fuel Oil System

2.5.13.1 Refer to Figure 2-12, MDO and MGO fuels are used to feed the four auxiliary generators. However duringDP operations, the following fuels are used for the auxiliary engines and the FO supply crossover valveF303V and return crossover valve F324V will be normally closed. The configuration can be found in table 2-8.

Marine Diesel Oil service tank supplies GE No.3 and No.4.

Marine Gasoline Oil service tank supplies GE No.1 and No.2.

2.5.13.2 GE No.1 and No.2: The MGO is drawn by the GE MDO supply pumps no.1 or no.2. From the supply pumps,

MGO is circulated through the associated MGO cooler and strained through the GE 1 FO Auto filter. Fromthe auto filter, fuel oil is directed to both engines. The return fuel from the engines is circulated back to therespective FO tanks through the flow meter. There is a crossover valve F324V at the return line, the valvewill be set to normally close.

2.5.13.3 GE No.3 and No.4:- The fuel oil supply pumps draw MDO from the respective service tank to supply to theassociated MGO cooler and circulating the FO strained through the GE 2 FO Auto filter. From the auto filter,fuel oil is directed to both engines. The return fuel from the engines is re-circulated back to the MDO servicetank.

2.5.13.4 Each engine FO inlet is fitted with the quick closing valve; this valve is using air to activate. Therefore in theevent low air pressure to the QCV will not cause the quick closing valve to close position.

2.5.13.5 Please refer to table 2-10 for the pump power supplies.





Table 2-10 GE FO pump power sources

Pumps Power supplyNo.1/2 GE FO supply pump no.1 440Vac No.1 GSP

No.1/2 GE FO supply pump no.2 440Vac No.1 GSP

No. 3/4 GE FO supply pump no.1 440Vac No.2 GSP

No. 3/4 GE FO supply pump no.2 440Vac No.2 GSP

GE No. 1/2 FO Auto filter 440Vac LGSP No.4 – section 1

GE No. 3/4 FO Auto filter 440Vac LGSP No.4 – section 2

2.5.14 Failure modes of the fuel system

1. MDO/HFO transfer pump failure.

2. HFO Purifier failure.

3. Pipe work leakages, leakage from filters and ruptured service tank.

4. Blocked auto back flush fuel oil filter for the diesel generators.

5. Low air pressure to QCV

6. QCV fails to the closed position.

7. Failure of one of the GE No.1/2 FO supply pump.

8. Failure of one of the GE No. 3/4 FO supply pump.

9. Failure of Diesel Switch to Main Engine

10. Blocked auto back flush fuel oil filter for the main engine.

11. Failure of electric driven main engine fuel oil circulation pump.

12. Failure of electric driven main engine fuel oil supply pump.

2.5.15 Failure effects of the fuel system

2.5.15.1 MDO / HFO transfer pump failure: The failure of one fuel oil transfer pump would remove redundancy andthe fuel oil transfer system will no longer be fault tolerant as there is only one fuel pump left available. Thiswill not affect the engines and DP operation.

2.5.15.2 HFO Purifier failure: The failure of a single HFO purifier would leave the HFO system with no redundancy asthere are only two units available for service. No effect on DP.

2.5.15.3 Pipe work leakages, leakage from filters and ruptured service tank: Failure of fuel oil system pipe work isconsidered for DNV Dynpos AUTR. Pipe work leakages from filters and a ruptured fuel oil service tank is anunusual occurrence given that the medium being transported is not corrosive in nature. It generally occursas a result of mechanical damage and thus can be controlled by proper workplace management. Dependingon where the failure is located, two generators on the same power system could shed load and trip on underfrequency. It may be possible in some circumstances to recover operation by use of the maintenance cross

over. However, it is important to establish the reason for engine failure before cross connecting the fuelsystems.

2.5.15.4 Blocked auto fuel oil filter for the diesel generators: A pressure transmitter and pressure switch is installedon the GE FO Auto filters to monitor the differential pressure across the filter. High differential pressure fromthe onset of a blocked filter will trigger an alarm on the ICMS and initiate back flushing of the FO filter.

2.5.15.5 Low air pressure to QCV: Low air pressure to the QCV will not affect the QCV to close position. This is dueto QCVs using air to activate the valves, without the air the valve will remain as set.

2.5.15.6 QCV fails to the closed position: Failure of a QCV to the closed position could lead to the rapid loss of twoengines or main engine. A low fuel oil pressure alarm for each engine would precede an engine shutdown.The QCV is held open by a spring and closed by the application of pneumatic pressure. It is unlikely for this

type of valve to fail to the closed position, but Dynpos AUTR requires consideration of the failure of remotelycontrolled valves and some faults cannot be ruled out. Failure of QCV does not exceed the worst casefailure intent.





2.5.15.7 Failure of one of the GE No.1/2 fuel oil supply pump: The failure of the one of the GE No.1/2 fuel oil supplypumps would result in a fall in fuel oil pressure which would first initiate a low fuel oil pressure alarm and willtrigger the automatic start of the standby pump. The standby pump will resume with the required fuel oilpressure.

2.5.15.8 Failure of one of the GE No.3/4 fuel oil supply pump: Same as for Failure of GE No. 1/2 fuel oil supplypump.

2.5.15.9 Failure of Diesel Switch to Main Engine: normal operation is for use of HFO during DP Operations withsupply from the MDO or MGO service tanks isolated. Failure of the switch could result in loss of fuel supplyto the main engine and loss of the main CPP; this is within the worst case failure concept. It is possible thatthe HFO could be bypassed following a failure and return supply to the main engine.

2.5.15.10 Blocked auto fuel oil filter for the main engine: A pressure transmitter and pressure switch is installed on theME FO Auto flush filter to monitor the differential pressure across the filter. High differential pressure fromthe onset of a blocked filter will trigger an alarm on the ICMS and initiate back flushing of the FO filter.

2.5.15.11 Failure of electric driven main engine fuel oil circulation pump: The failure of the electrical driven fuel oilpump would result in a fall in fuel oil pressure; this would initiate a low fuel oil pressure alarm on the enginecontrol system and ICMS. It would also trigger an automatic start of the standby pump. This should not

affect the operation of the main engine.2.5.15.12 Failure of electric driven main engine fuel oil supply pump: The failure of the electrical driven fuel oil supply

pump would result in a fall in fuel oil pressure to the fuel oil circulating pumps; this would initiate a low fuel oilpressure alarm on the engine control system and ICMS. It will also trigger the automatic start of the standbypump. This should not affect the operation of the main engine.

2.5.16 Hidden engine fuel system failures

2.5.16.1 Hidden failure of the standby FO supply pump would result a fall in fuel oil pressure and lead to loss of twoengines due to fuel starvation.

2.5.16.2 This is mitigated if the pumps are rotated regularly to reduce the possibility of a hidden failure resulting froma breakdown of a standby pump.

2.5.16.3 ME Fuel oil supply pump automatic start failure when it is required.

2.5.16.4 ME Fuel oil circulating pump automatic start failure when it is required.

2.5.17 Common mode failures affecting the fuel system

2.5.17.1 Water Contamination: This can, in severe cases, result in water carry over to the service tanks andsubsequent engine problems as a result. Commonly, water in the settling tanks can be removed by regularoperation of the tank sludge cocks and separation through the purifiers. High water content is monitored andalarmed at the purifier discharge by a water detection unit. The water in the service tanks would be regularlymonitored and drained through the tank sludge cocks. Water can also greatly increase the possibility ofmicrobe contamination of the fuel. There is a possibility of affecting of five engines if the fuel oil systemcrossover valves are in the open position; however, these occurrences can be controlled if proper fuel

management procedures are being followed.

2.5.17.2 Bacterial Contamination: This condition develops because of waterborne microbes multiplying in fuelwhen stored within the correct temperature range. Generally, the warmer the storage conditions the greaterthe reproductive rate. The sludge produced by the microbes can easily block fuel filters and, if not promptlytreated, will stop engines due to fuel starvation. This condition can be controlled by proper biocide dosing.

2.5.17.3 In mitigation, identification of particle contamination should occur before it reaches the engines through aplanned maintenance procedure which requires regular sampling and visual checks through draining of thesettling and service tanks and cleaning of fuel oil filters. In the current configuration, there is a possibility ofaffecting up to two generators, if MDO service tank or MGO tank were contaminated, however these failuresare equal or less than the worst case design failure intent. There is also a possibility of affecting the mainengine if the LS HFO or HFO service tank were contaminated.





2.5.17.4 The pneumatic quick closing valves (QCV) are operated through a control valve in the fire control station.When opened compressed air is directed to the quick closing valves for 12 FO tanks, main LO settlingtanks, cylinder oil storage tanks, LS cylinder oil storage tanks, incinerator DO tank, incinerator settling tankand incinerator waste oil service tank. The 12 fuel oil tanks include the MDO Service Tank, MGO Servicetank, HFO Service tank and LS HFO Service tank. These service tanks can be inadvertently closed throughone control valve causing the running generators and the main engine to shut down from fuel starvation. It

was found during the proving trials that he control valves are placed in a cabinet where inadvertentoperation of the valves is not possible.

2.5.18 Fuel system configuration errors that could defeat redundancy

2.5.18.1 Loading new fuel into all main storage tanks simultaneously (danger of microbe contamination in all tanks).

2.5.18.2 The operation of all engines from one fuel oil service tank with the fuel cross over valves open could result inblackout if the supply from the tank is inadvertently stopped or if the fuel oil in that service tank becomescontaminated. It is a DNV requirement that these valves are closed and fuel oil should be supplied to thetwo sets of two diesel generator engines and the main propulsion engine from the associated fuel oil servicetanks.

2.5.18.3 Using HFO Purifier No.2 to supply the MDO service tank and MGO service tank simultaneously from a MDO

service tank could contaminate the MGO service tank and vice versa if the MGO service tank is used. In theworst case contaminated fuel could be introduced to both service tanks.

2.5.19 Maloperation of the fuel system

2.5.19.1 Operating all diesel engines from a common fuel service tank. Set up to be followed as per the vesselconfiguration.

2.5.19.2 Irregular or non-operation of settling tank and service tank sludge cocks for the main engine HFO system.

2.5.19.3 Irregular or non-operation of the service tank sludge cocks for the generator diesel oil system.

2.5.20 Worst case failure - Fuel system

2.5.20.1 The worst case failure in the FO system will be loss of 6.6KV MSB 1 which affected by loss of two

generators DG1 and DG2 due to FO contamination. In mitigation, identification of particle contaminationshould occur before it reaches the engines through a planned maintenance procedure which requiresregular sampling and visual checks through draining of the settling and service tanks and cleaning of fuel oilfilters. In the current configuration, there is a possibility of affecting up to two generators, if MDO servicetank or MGO tank were contaminated, however these failures are equal or less than the worst case designfailure intent. There is also a possibility of affecting the main engine if the HFO or LS HFO service tank werecontaminated.





2.6 LUBRICATION SYSTEM

2.6.1 Drawing reference:

200M241001MB LO Filling & Transfer System

200M241001MB LO Purifying system

200M241001MB ME LO Service System2.6.2 Redundancy concept

2.6.2.1 As far as the redundancy concept is concerned, it is the lubrication of the engine and alternator bearingsthat are critical. Loss of lubrication pressure or flow through failure of a pump or loss of lubricating qualitythrough contamination of the oil can lead to an engine seizing in extreme circumstances. Alarms, shutdownsand monitoring of oil quality must be in place and tested periodically to ensure the probability of this type offailure is acceptably low.

2.6.3 Location

2.6.3.1 The generator lubricating storage tank and the main LO storage tank are located in the engine room.


2.6.4.1 A clean oil distribution system and dirty lube oil system for the engines exists to ease oil changing andpollution control but each system is normally isolated during DP operation.

ME LO

Storage

Tank

ME LO

Sett.

Tank

No.1 DG

GE LO

Storage

Tank

No.2 DG

No.3 DG

No.4 DGME LO Sump

Tank

ME LO

Puri.

Supply

P/P 1

ME LO

Puri.

Supply

P/P 2

No.1 Main LO

Puri. Heater

No.2 Main LO

Puri. Heater

No.2 Main

LO Purifier

No.1 Main

LO Purifier

GE LOPuri.

Supply

P/P 1

GE LOPuri.

Supply

P/P 2

No.1 GE LO Puri.

Heater

No.2 GE LO Puri.

Heater

No.2 Main

LO Purifier

No.1 Main

LO Purifier

L123V

L122V L121V

L120V

B

A

B

A

Figure 2-13 Lubricating Oil System





2.6.5 Lubricating Oil Storage and Purification System

2.6.5.1 Please refer to figure 2-13 LO system. The Lubricating system comprises of the main LO storage tank, mainLO settling tank, GE LO storage tank, Turb. Oil storage tank, LS Cyl. Oil Storage tank, and Cyl. Oil Storagetank.

2.6.5.2 Generator Engine Lubricating Oil Storage System: The clean oil distribution system for the generators

consists of GE lube oil storage tanks with a volume of 32.9 m3

. The content in these tanks is used toreplenish or replace the lubricating oil for the four of engines by gravity from a common lube oil pipeline. Thesump tanks for the generator engine is fitted with a low level and high level switch and a dip stick.

2.6.5.3 Generator Engine Lube Oil Purification System: The generator engines are equipped with their ownlubricating oil purification system which consists of a lubricating oil purifier and a Generator LO Purifier FeedPump. The No.1 GE Lubricating Oil Purifier; is powered from the 440Vac LGSP No.4 Section 1 and No.2GE Lubricating Oil Purifier is powered from 440Vac LGSP No.4 Section 2.

2.6.5.4 The No.1 Generator Lubricating Oil Purifier feed pump is powered from 440Vac LGSP No.4 Section 1 andNo.2 Generator Lubricating Oil Purifier feed pump is powered from 440Vac LGSP No.4 Section 2. Theengine lubricating oil purifier is operational when the engines are running; however, only one engine isprocessed at any time. Lubricating oil is drawn from the engine sump to the lubricating oil purifier feed

pump; where it is fed to the purifiers before being returned to the engine. It is important only one set of inletand outlet valves to a generator sump is opened to avoid cross contamination.

2.6.5.5 Main Engine Lubricating Oil Storage System: The clean oil distribution system for the main engine consistsof the main lube oil storage tank with a volume of 68.8 m 3. The content of this tank is used to replenish orreplace the lube oil for the main engine. The main lube oil storage tanks supplies the main engine LO sumptank via gravity through a separate line from the generators. The sump tank is fitted with a level indicatorand low level switch.

2.6.5.6 Main Engine Lubricating Oil Purification System: There are two main LO purifier systems each consisting ofa main lube oil purifier and the associated feed pump allocated to the main engine. Main lube oil purifierNo.1 and No.2 are powered from (440Vac LGSP No. 4 Section1) and (440Vac LGSP No. 4 Section2) respectively. The No.1 and No.2 main lube oil purifiers feed pumps are powered from (440Vac LGSP No. 4

Section1) and (440Vac LGSP No. 4 Section 2) respectively. In normal operations, one main lube oil purifierfeed pump/purifier would process lube oil from main engine sump tank. If contaminated oil from the mainengine sump is transferred to the main lube oil settling tank, the second purifier can be allocated to clean thecontents of that tank. No.2 main lube oil purifier and feed pump is also configured through a series ofisolation valves to process lube oil from the generator engines sumps.

2.6.5.7 Cylinder Lubricating Oil for the Main Engine: Cylinder oil is supplied by gravity from the cylinder oil storagetank (80 m3) or the LS cylinder oil storage tank (51.2m3) to a cylinder oil day tank via duplex filters. The typeof cylinder oil used is dependent on the type of fuel oil used.

2.6.6 Main Engine and Generator Oil Mist Ventilation System

2.6.6.1 Generator Engine Crankcase Ventilation System: The crankcase oil mist ventilation system for the diesel

generator engines is individually piped from the engine to oil mist manifold located in the engine roomcasing. There are two sections in the oil mist manifold and is found that each section is 300A and fitted withflame screen to prevent the flame spreading. GE No.1 and GE No.2 oil mist piping are connected in the oilmist manifold section 1 while GE No.3 and GE No.4 oil mist piping are connected to the oil mist manifoldsection 2.

2.6.6.2 Main Engine Oil Mist Ventilation System: The three oil mist ventilation lines for the main engine crankcase,turbocharger and scavenge space is individually piped to the exhaust funnel. Each line is fitted with a flamescreen in the funnel.





2.6.7 Failure modes of the lubricating oil system

1. Failure of main LO purifier

2. Failure of generator LO Purifier

3. Failure of Main LO purifier feed pump

4. Failure of GE LO purifier feed pump5. Rupture of the supply line to the engine

6. Leakage from the dirty oil transfer line from the engines

7. Blockage of the filter screen on the vent piping from a diesel generator to the oil mist vent box

8. Blockage of the filter screen for the single vent from the oil mist vent box at the funnel top

2.6.8 Failure effects of the lubricating oil system

2.6.8.1 Failure of main LO purifier: As there are only two main LO purifiers, loss of one purifier means the enginelube oil purification system is no longer fully fault tolerant. No effect on DP.

2.6.8.2 Failure of generator LO purifier: There is only one dedicated generator lube oil purifier, however, loss of this

purifier means the generator lube oil purification system is no longer in service. This will have no immediateeffect on the generators or DP.

2.6.8.3 Failure of Main LO purifier feed pump: There are two main LO purifier feed pumps which are allocated tospecific main lube oil purifiers. The failure of the running feed pump will stop the supply of lube oil to theassociated main lube oil purifier. However, the second feed pump and associated heater can be configuredto feed the running purifier through a cross-over valve between both purifier inlets. It is more likely, that thefailed feed pump and associated purifier would be swapped over to the standby units. This will have noimmediate effect on the main engine or DP.

2.6.8.4 Failure of GE LO purifier feed pump: There is one dedicated GE LO purifier and feed pump for the generatorlubrication system. Loss of the feed pump will stop flow of lube oil to the purifier. This will have no immediateeffect on the generators or DP.

2.6.8.5 Rupture of the lube oil supply line to the engines: This would not affect the DP system directly. It wouldhowever, limit the ability to replenish engine lube oil when required. Failure of lube oil pipe work is generallyexempted from consideration for DYNPOS-AUTR.

2.6.8.6 Leakage from the dirty oil transfer line from the engines: This would not affect the DP system directly. Itwould however, limit the ability to remove used lube oil from the engines. The usual exemption for pipework is applicable under DYNPOS-AUTR.

2.6.8.7 Blockage of the filter screen on the vent piping from a diesel generator to the oil mist vent box. Blockage ofthe filter screen on the vent piping from a diesel generator to the oil mist vent box, could induce an oil mistdetection alarm. If not rectified would cause the affected generator to trip from a high oil mist detectionshutdown. This failure will lead to loss of two generators and is within the WCFDI.

2.6.9 Hidden lubricating oil system failures

2.6.9.1 Gradual blockage of the filter screen for the individual vent piping for the engines.

2.6.9.2 Contamination of the diesel generator sumps and main engine sumps. This is avoided by regular samplingof the sump tanks to observe contamination and / or emulsification in the lube oil. Samples of the lubricatingoil should be sent away for analysis to verify for any contamination as part of the ships PlannedMaintenance System

2.6.10 Common mode failures affecting the lubrication oil system

2.6.10.1 The loading of contaminated lubricating oil or the wrong grade of oil into the generator lube oil storage tankcould potentially contaminate all the engines when periodic replenishing of the sump is required. This is

avoided by regular sampling of the storage tank to observe for contamination, emulsification of the lube oiland for water removal. A sample of the batch of lubricating oil should be sent for analysis to verify the gradeand quality of the oil.





2.6.11 Lubricating oil system configuration errors that could defeat redundancy

2.6.11.1 Leaving an engine filling line open. If unchecked this could result in the simultaneous filling of more than oneengine sump when lube oil is replenished in another engine. This should be monitored by the high levelalarm on the engine sump.

2.6.11.2 Leaving more than one engine filling line open whiles purifying lube from one engine could introduce cross

contamination of lube oil and eventually reduce the quantity of lube oil returned to the engine sump. Thereverse would apply if more than one outlet valve is opened.

2.6.12 Maloperation of the lubricating oil system

2.6.12.1 Failure to take regular samples of the engine sump tanks to observe for contamination, emulsification of thelube oil and for water removal.

2.6.13 Worst case failure - Lubricating oil system

2.6.13.1 The loading of contaminated lubricating oil or the wrong grade of oil into the generator and main lube oilstorage tanks could potentially contaminate all the engines when periodic replenishing of the sump is carriedout. It is unlikely that the effects would affect all engines simultaneously.

2.7 SEAWATER COOLING SYSTEM

2.7.1 Reference

200M241001MB Main Cooling SW System

2.7.2 Redundancy concept

2.7.2.1 The sea water system is a forward and aft split. This arrangement introduces commonality betweenthrusters at the same end of the vessel which are otherwise separate and redundant with respect to eachother.

2.7.2.2 The forward sea water cooling systems cools the forward thrusters and deck machinery systems while aftseawater system cools the aft thrusters, all five engines, and other machinery.

2.7.3 Location2.7.3.1 There is one sea chest suctions for the forward seawater cooling system. These are located in the bow

thruster room. The aft sea water cooling system has two sea chest suctions. The high and low sea chestsuctions are located outboard port and starboard.

2.7.4 Description

Low Sea

Chest

High

Sea

Chest

No.1 GE FW CoolerNo.2 GE FW CoolerNo.1 Central FW

Cooler 75%No.2 Central FW

Cooler 50%

Air Ejector

Cond. For

Copt

Copt

Vacuum

Condenser

Main /

Vacuum

Condenser

Cool. SW

Pump 1

Main /

Vacuum

Condenser

Cool. SW

Pump 2

Aux. CSW

Pump

GE. CSW

Pump

1234

Overboard

Figure 2-14 Aft Seawater Cooling System





2.7.4.1 Aft Sea Water Cooling System: The aft seawater cooling system is located in the engine room. In terms ofthe redundancy concept and sources of supply for pumps, this is still essentially a common system with aport and starboard split in electrical supply.

2.7.4.2 In normal operations seawater is supplied from either the port or starboard sea chests. The port suction is ahigh sea chest while the starboard suction is a low sea chest. Each sea chest has a suction strainer which isassumed to be regularly cleaned and maintained. Local pressure indicator monitors the condition of the

suction strainers.

2.7.4.3 There is only one overboard discharge valve for the Aft seawater cooling system and has a manual valvewith extended spindle located above the damage waterline. This is fitted with a pressure transducer toindicate discharge pressure on the ICMS.

2.7.4.4 The aft sea water supply manifold supplies sea water cooling for a number of systems. These include:

1. The sea water cooling system for the No.1 & No.2 central FW coolers.

2. The sea water cooling system for the No.1 and No.2 GE FW coolers.

3. The sea water cooling system for the Copt Vacuum Condenser and Air Ejector Conditioning for Copt.

2.7.4.5 Main/Vacuum Cool S.W. Pumps No.1 and No.2 are used to circulate coolant through both central FW

coolers; these pumps are powered from 440Vac GSP No.1 and 440Vac GSP No.2 respectively. In normaloperations, only one pump is kept on duty while the other pump remains on standby. Each pump has acapacity of 1120m3/hr.

2.7.4.6 The primary roles for four GE cooling SW pumps are to circulate coolant through the GE FW Coolers. No.1GE FW Cooler is fed by No.1 and No.2 GE CSW pump while No.2 GE FW Cooler is fed by No.3 and No.4GE CSW pump. GE cooling seawater pumps No.1 and No.2 are fed from 440Vac GSP No.1 and 440VacGSP No.2 respectively. In normal operations, only one pump is kept on duty while the other remains onstandby. Each pump has a capacity of 380m3/hr.

Sec. 2 Fwd Thruster FW

Cooler

Sec. 1 Fwd Thruster FW

Cooler

Sea Chest

Sec.2 SW Pump No.1

Sec.2 SW Pump No.2

Sec.1 SW Pump No.1

Sec.1 SW Pump No.2

Overboard

Figure 2-15 Forward Seawater Cooling System

2.7.4.7 Forward Sea Water Cooling System: The forward seawater cooling system is located in the bow thrusterroom. There are four CSW pumps that supply both FWD thruster FW Coolers where two pumps are used foreach cooler. At each CSW section only one of the CSW pump will be operational at a time. This is due tothe FWD fresh water cooling system is running in two cooling loops.

2.7.4.8 Seawater is supplied from one sea chest. The sea chest is located at the lower bottom level in bow thrusterroom. The system is designed with two sea strainers, one in service and one on standby. Each strainer haslocal pressure gauges to monitor the condition of the strainer.

2.7.4.9 The forward section 1 sea water cooling pumps circulates coolant through No.1 Forward fresh watercoolers; while section 2 sea water cooling pumps circulates coolant through No.2 Forward fresh watercoolers. Both coolers support a number of freshwater cooling systems. These include:





1. The No.1 and No.2 forward tunnel thrusters’ coolers.

2. The forward azimuth thruster coolers.

3. Power pack oil cooler for deck machinery.

2.7.4.10 Sec 1 CSW Pumps No.1 and No.2 are supplied from 440Vac GSP No.1 a while Sec 2 CSW Pumps No.1and No.2 are supplied from 440Vac GSP No.2.

2.7.4.11 There are two overboard discharge valves for the Forward thruster sea water cooling system. The manualvalves have an extended spindle that is located above the damage waterline.

2.7.5 Freshwater generator

2.7.5.1 The fresh water generator is used to make potable water. The capacity of the water maker is 35 tons a day.Seawater from the aft seawater cooling system is supplied to the water maker by an FW Gen.

2.7.6 Failure modes of the seawater cooling system

2.7.6.1 Only the GE Seawater Cooling Pumps, Main Seawater Cooling Pumps and Aux. Seawater cooling pumpare considered in the aft seawater cooling system while only Sec1 and Sec 2 FWD Cooling Seawaterpumps are considered in the FWD seawater cooling system.

1. Blocked FWD seawater cooling system overboard

2. Blocked forward seawater cooling system sea strainer.

3. Failure of one of the Section 2 forward SW cooling pump

4. Failure of one of the section 1 forward SW cooling pump

5. System pipe work failure, leaking sea strainer.

6. Blocked aft seawater cooling system sea strainer.

7. Blocked aft seawater cooling system overboard.

8. Failure of one aft main cooling seawater cooling pump.

9. Failure of one GE Cooling Seawater pump for No.1 GE FW Cooler

10. Failure of one GE Cooling Seawater pump for No.2 GE FW Cooler.

11. Failure of the FW Generator SW ejector pump.

12. Failure of the vacuum in the water maker.

2.7.7 Failure effects of the sea water cooling system

2.7.7.1 Blocked FWD seawater cooling system overboard: This would effectively reduce the flow to the runningforward seawater cooling pump suction and associated heat exchangers. If not corrected, this would overtime be indicated as a high hydraulic oil temperature alarm for the forward thrusters and/or high operatingtemperature alarm for the forward thruster drive motors. This may be due to maloperation or lack of

maintenance for the fwd seawater cooling system. Therefore proper maintenance requires to be in place tomake sure the overboard valve and the piping system is operating well.

2.7.7.2 Blocked forward seawater cooling system sea strainer: This would effectively reduce the flow to the runningforward seawater cooling pump suction and associated heat exchangers. The standby pump would start tocompensate for the loss in pressure; this fall in pressure and starting of the standby pump is alarmed on theICMS. If not corrected, this would over time be indicated as a high hydraulic oil temperature alarm for theforward thrusters and/or high operating temperature alarm for the forward thruster drive motors. The worstcase of this failure could lead to the loss of the three forward thrusters. There are local pressure gaugesinstalled on the sea suction strainers to indicate fouling of a strainer and if these are regularly checked itwould allow the operator to change over to the standby strainer prior to any reduction in performance.

2.7.7.3 Failure of one of the Section 2 forward SW cooling pumps: The loss of a single sea water cooling pump

should not inhibit the cooling capability of the system as there is a standby pump available. As there are onlytwo Sec 2 forward cool seawater pumps, loss of one pump means the system is no longer fully fault tolerant.





2.7.7.4 Failure of one of the Section 1 forward SW cooling pumps: The loss of a single sea water cooling pumpshould not inhibit the cooling capability of the system as there is a standby pump available. As there are onlytwo Sec 1 forward cool seawater pumps, loss of one pump means the system is no longer fully fault tolerant.

2.7.7.5 System pipe work failure, leaking sea strainer in the forward seawater cooling system: Failure of wellprotected seawater pipework is not considered for Dynpos AUTR. Pipework failure and damage to strainerswould generally occur as a result of mechanical damage and thus can be controlled by proper workplace

management. Pipework failure would cause flooding of the affected compartment and require rapid shutdown of the system in the space to contain and repair any breach of the system prior to restarting.

2.7.7.6 Blocked aft seawater cooling system sea strainer: This would effectively reduce the flow to the variouspump suctions. A blocked strainer would be indicated on the local pressure gauges located on each strainer.If the pressure were to fall; the standby pumps and running pumps would alternate between starting andstopping. The automatic start of the standby pumps and low system pressure alarms would be alerted onthe ICMS as an indication to the operator to swap over sea chests.

2.7.7.7 Blocked aft seawater cooling system overboard: This would effectively reduce the flow to the running aftseawater cooling pump suction and associated heat exchangers. If not corrected, this would over time beindicated as a high hydraulic oil temperature alarm for the thrusters and/or high operating temperature alarmfor all the engines. This may be due to maloperation or lack of maintenance for the aft seawater coolingsystem. The overboard system is fitted with a flow indicator monitored on the ICMS that will alarm if the ratereduces.

2.7.7.8 Failure of one aft seawater pump: The loss of a single sea water cooling pump should not inhibit the coolingcapability of the system as there is a standby pump available. As there are only two aft main cool seawaterpumps, loss of one pump means the system is no longer fully fault tolerant.

2.7.7.9 Failure of one GE cool seawater pump for No.1 GE FW Cooler: The loss of a single sea water cooling pumpshould not inhibit the cooling capability of the system as there is a standby pump available. As there are onlytwo aft main cool seawater pumps, loss of one pump means the system is no longer fully fault tolerant.

2.7.7.10 Failure of one GE cool seawater pump for No.2 GE FW Cooler: The loss of a single sea water cooling pumpshould not inhibit the cooling capability of the system as there is a standby pump available. As there are only

two aft main cool seawater pumps, loss of one pump means the system is no longer fully fault tolerant.

2.7.7.11 Failure of the FW Generator SW ejector pump: The failure of the ejector pump would stop seawatercirculation through the water maker and thus limit the ability to maintain a vacuum. This would not affect themain engine cooling systems.

2.7.7.12 Failure of the vacuum in the water maker: A failure of the vacuum in the water maker would result inreduced production of potable water depending on the severity of the breach. This would have no effect onthe engine cooling systems. A loss of vacuum is alarmed on the water maker panel.

2.7.8 Hidden seawater cooling system failures

2.7.8.1 Excessive corrosion of SW strainers; seizure of pumps due to lack of maintenance or rotation of standbyduty. Failure of Non Return Valves such that they allow back flow could result in reduced efficiency and

redundancy in the system

2.7.9 Common mode failures affecting the seawater cooling system

2.7.9.1 Sudden blockage of system by plankton shoals or schools of small fish: As the sea chests at the forwardand aft sea water cooling systems are in continuous use there is a possibility that both sea strainers couldbecome blocked simultaneously. With this in mind, the sea strainers should be monitored and maintainedfrequently by the ship’s crew.

2.7.9.2 Sudden blockage / maloperation of the FWD overboard valve: As there are two overboard valves for the foreseawater cooling system, there is a very limited possibility that the overboard valves could become blockedsimultaneously and could affect all and the FWD thrusters at the same time. Therefore the overboard valvesshould be frequently monitored and maintained by the ship’s crew.





2.7.9.3 Sudden blockage / maloperation of the AFT overboard valve: As there is only one overboard valve for theaft seawater cooling systems, there is a possibility that the overboard valve could become blocked andcould affect all engines and aft thrusters at the same time. Therefore the overboard valve should befrequently monitored and maintained by the ship’s crew. The differential pressure sensors will indicate areduction in flow and allow the operators to take appropriate action.

2.7.9.4 Although the failure modes identified above are not common, they have occurred regularly enough in the

past to be worthy of mention, and has been known to cause severe operational problems in relation tomaintaining plant stability.

2.7.9.5 The forward seawater cooling system is supplied from the forward sea chest. Thrusters No.1, No.2 and No.3are part of the forward freshwater cooling system associated with the forward seawater cooling system.

2.7.10 Seawater cooling system configuration errors that could defeat redundancy

2.7.10.1 Leaving the seawater pumps set for manual operation instead of auto standby. In mitigation, the ICMS doesindicate that standby consumers are not ready or in local control.

2.7.10.2 The use of both upper and lower sea chests for the aft sea water cooling system simultaneously, couldincrease the probability of a sudden blockage of both sea chests at the same time, leaving the systemwithout a back up. The situation is more critical for the forward seawater cooling system as there is only one

sea chest intake.

2.7.11 Maloperation of the seawater cooling system

2.7.11.1 As most of the seawater systems are equipped with two or more seawater pumps; the pumps should berotated regularly to reduce the possibility of a hidden failure resulting from a breakdown of a standby pump.This normally is an automatic function maintained by the ICMS.

2.7.12 Worst case failure – Seawater cooling system

2.7.12.1 Blocked forward seawater cooling system sea chest:: This would effectively reduce the flow to the runningforward seawater cooling pump suction and associated heat exchangers. The standby pump would start tocompensate for the loss in pressure; this fall in pressure and starting of the standby pump is alarmed on theICMS. If not corrected, this would over time be indicated as a high hydraulic oil temperature alarm for theforward thrusters and/or high operating temperature alarm for the forward thruster drive motors. In the worstcase, this could lead to the loss of three forward thrusters. As the sea chest is considered a staticcomponent DNV do not require to consider failure of this.

2.7.12.2 Sudden blockage / maloperation of the AFT overboard valve: As there is only one overboard valve for theaft seawater cooling systems, there is a possibility that the overboard valve could become blockedsimultaneously and could affect all engines and aft thrusters at the same time.

2.8 FRESH WATER COOLING SYSTEMS

2.8.1 Drawing Reference:

200M241001MB Main Cooling FW system

200M241001MB Auxiliary Cooling FW system

200M241001MB No.1 & No.2 GE Cooling FW system

200M241001MB No.3 & No.4 GE Cooling FW system


2.8.2.1 There are five different fresh water cooling systems on the shuttle tanker. These are the:

1. Aux. Cooling FW system.

2. ME Cooling FW System

3. No.1/2 GE FW Cooling system

4. No.3/4 GE FW Cooling system

5. Fwd Fresh Water service cooling system





2.8.2.2 The DP equipment that requires fresh water cooling are:

1. Thrusters No.1, No.2 and No.3 from the Fwd Fresh Water service cooling system.

2. Thruster No.5 from the No.1/2 GE FW Cooling system

3. Thruster No.4 from the No.3/4 GE FW Cooling system

4. Aux Engine No.1 and No.2 from the No.1/2 GE freshwater cooling system5. Aux Engine No.3 and No.4 from the No.3/4 GE freshwater cooling system

6. Main engine (T6) from the Aux. cooling FW system and ME Cooling FW system

7. Packaged A/C units for the switchboard room, ECR and accommodation A/C unit from the Aux.Cooling fresh water system

2.8.2.3 Each fresh water system operates independently supplying the associated engines and thruster units.

2.8.2.4 The main cooling fresh water expansion tank distributes the coolant to main cooling FW system, Auxiliarycooling FW system, No.1 & No.2 GE FW cooling system, No.3 & No.4 GE FW cooling system. The 3.1m3

volume expansion tank is separated into three divisions by the plate separators to distribute to therespective cooling fresh water systems. The separation for fresh water distribution are as follows:

Section 1: Main cooling FW system & Auxiliary cooling FW system

Section 2: No1 & No.2 GE FW Cooling system

Section 3: No.3 & No.4 GE FW Cooling system


2.8.3.1 The fresh water systems operate independently, where one fresh water pump is in use at all times with thesecond pump configured to be on standby for an immediate start.





2.8.4 Aux Cooling FW System

W107V

No.2 ECR Air Cond. Unit

No.1 ECR Air Cond. Unit

No.1 Swbd air-con Unit

No.2 Swbd air-con Unit

No.1 S/Gear P. Pack

No.2 S/Gear P. Pack

ST LO

Cooler

ME Air

Cooler

ME AirCooler

No.1

Main LO

Cooler

No.2

Main LO

Cooler

ME

Jacket

Water

Cooler

CPP Hyd. Oil

Cooler



No.1 Service Air

Compressor

No.2 Service Air

Compressor

From

FW Exp.

Tank

No.1 Central

FW Cooler

75%

No.2 Central

FW Cooler

50%

Figure 2-16 Auxiliary Freshwater Cooling System

2.8.4.1 Auxiliary fresh water cooling system Refer to Figure 2-16 . This system serves the main engine (T6),

steering gear power pack, CPP Hyd. Oil, packaged A/C units for the switchboard room, ECR, andaccommodation A/C condensers.

2.8.4.2 Coolant for the Auxiliary FW cooling system is circulated by central FW pump No.1 and No.2. These pumpshave separate sources of power and are operated on a duty/standby configuration. Please refer to table 2-11 for power supplies. The flow rate for the system is maintained at 850 M 3/H. In the event that the runningpump is unable to maintain the required pressure in the system, the system will automatically start thestandby pump.

2.8.4.3 The Auxiliary Fresh water cooling system receives coolant from main cooling fresh water expansion tankwith a volume of 3.1m3. The tank level is monitored by a level switch and alarmed on the ICMS. The Auxiliary freshwater cooling system is equipped with two plate type central freshwater coolers. In normaloperations both coolers are placed online with No.1 cooler with the capacity of 75% while No.2 cooler withthe capacity of 50%. Coolant temperature is supplied to the various consumers and is maintained by anelectro-pneumatic 3-way temperature control valve. The TCV unit is pneumatic control valve where thecontrol air is fed from the control air system with the air flow rate of 100m 3/H. The loss of control air unitwould cause the 3-way valve to fail to operate effectively and allow full cooling as verified during the provingtrials,





2.8.5 Main Engine Freshwater Cooling System Description

Cooling FW

Expansion tank

ME Jacket FW

Preheater

ME Jacket cooling

FW Pump 1

ME Jacket cooling

FW Pump 2

ME B&W

6S70ME-C8.2

FW Generator

ME Jacket FW

Cooler

From

No.1/2

GE

CFW

Syst

To

Aux

CFW

Syst

To

No.1/2

GE

CFW

Syst

From

No.3/4

GE

CFW

Syst

To

No.3/4

GE

CFW

Syst

De-

Aeration

Tank

Figure 2-17 Main Engine Freshwater Cooling System

2.8.5.1 The main engine fresh water coolant is fed from a 3.1 m3 main cooling freshwater expansion tank. Refer tofigure 2-17, The water level in the expansion tank is monitored through a level gauge and low level alarm onthe ICMS.

2.8.5.2 Coolant is circulated through the main engine by two electrically driven jacket water pumps. Coolant fromthe main engine is circulated through the FW generator where it is directed to the engine jacket watercooling system by an electro-pneumatic controlled 3-way temperature control valve (W012V). From thetemperature control valve, coolant is passed through the main engine aeration tank before it is directed tothe jacket water pumps for circulation. The main engine circulating system is equipped with two motor driven

jacket water pumps; only one pump is in operation on DP. The pumps are configured for standby starts andare monitored on the ICMS. Refer to table 2-11, for main engine jacket water cooling pump power supplies

2.8.5.3 The main engine air cooler and LO cooler are cooled separately by the Auxiliary FW cooling system.

Table 2-11 Central FW & ME CFW pump power sources

Pumps Power supply

Central CFW Pump No.1 440Vac GSP No.1Central CFW Pump No.2 440Vac GSP No.2ME Jacket CFW Pump No.1 440Vac GSP No.1

ME Jacket CFW Pump No.2 440Vac GSP No.2





2.8.6 Failure modes of the main / auxiliary fresh water cooling system

1. Central cooling freshwater pump failure.

2. Spurious start of the stand by pump.

3. Failure of the main engine jacket cooling freshwater pump

4. By failure of power supply or loss of pneumatic control or mechanical failure of the 3- waythermostatic control valve (W107V) for the central freshwater cooler by

5. Failure of the 3-way thermostatic valve (W107V) to full cooling for the central freshwater cooler

6. Failure of the 3-way thermostatic valve (W107V) to bypass the coolers for the central freshwatercooler

7. By failure of power supply or loss of pneumatic control or mechanical failure of the 3- waythermostatic control valve (W012V) for the main engine Jacket CFW system.

8. Failure of the 3-way thermostatic valve (W012V) to full cooling for the main engine Jacket CFWsystem

9. Failure of the 3-way thermostatic valve (W012V) to bypass the coolers for the main engine JacketCFW system

10. Fouled central freshwater cooler

11. Pipe work leaks in the central fresh water cooling system.

12. Burst central freshwater cooler

13. Jacket water leakage on the high temperature fresh water circuit in the water maker

2.8.7 Failure effects of main / auxiliary fresh water cooling system faults

2.8.7.1 Central cooling freshwater cooling pump failure: Failure of one pump in the central fresh water coolingsystem would reduce the redundancy, but should not affect DP as the standby pump starts on low system

pressure.2.8.7.2 Spurious start of the stand-by pump: The flow rate for the system is 850m 3/h. A spurious start of the standby

pump should have no effect on the heat exchangers.

2.8.7.3 Failure of one of the engine jacket cooling freshwater pump: Failure of one main engine jacket cooling waterpump in the main engine fresh water cooling system would reduce the redundancy, but should not affect therunning of the engine as the standby pump starts on low system pressure. This would be alarmed on theICMS.

2.8.7.4 By failure of power supply or loss of pneumatic control or mechanical failure of the 3-way thermostatic controlvalve (W107V) for the central freshwater cooler: In the event of power supply failure / loss of pneumaticcontrol / mechanical failure to the electro-pneumatic unit, the 3-way temperature control valve will fail safe tofull cooling. This will have no effect on the equipment it supplies.

2.8.7.5 Failure of the 3-way thermostatic valve (W107V) to full cooling for the central freshwater cooler: Failure of the3-way thermostatic valve to full cooling, would have no effect on the central fresh water cooling system.

2.8.7.6 Failure of the 3-way thermostatic valve (W107V) to bypass the coolers for the central freshwater cooler :Failure of the 3-way temperature control valve to bypass the cooler would initiate a rapid rise in coolanttemperature; this is indicated as a central fresh water cooling system high water temperature alarm on theICMS. If it is set up as per the configuration during trials, it is not expected to be an issue.

2.8.7.7 By failure of power supply or loss of pneumatic control or mechanical failure of the 3-way thermostatic controlvalve (W012V) for the main engine Jacket CFW system: In the event of power supply failure / loss ofpneumatic control / mechanical failure to the electro-pneumatic unit, the 3-way temperature control valve willfail to full cooling. This will have no effect on the main engine jacket CFW system.

2.8.7.8 Failure of the 3-way thermostatic valve (W012V) to full cooling for the main engine Jacket CFW System:Failure of the 3-way thermostatic valve to full cooling would have no effect on the main engine.





2.8.7.9 Failure of the 3-way thermostatic valve (W012V) to bypass the coolers for the main engine Jacket CFWSystem: Failure of the 3-way temperature control valve to bypass the cooler would initiate a rapid rise incoolant temperature; this is indicated as a main engine FW high temperature alarm on the ICMS. If notcorrected it could result in the shutdown of the main engine and eventually will lead to loss of T6. As long asthe coolers are not bypassed and configured as per the trials configuration, this is not expected to be anissue.

2.8.7.10 Fouled central freshwater cooler: The fouling of the operating plate cooler would reduce the efficiency of theseawater cooling system and thus affect the freshwater cooling system. The high differential pressuresacross the inlet and outlet on the seawater side of the coolers would be noted by the engineers. The coolingsystem has the back flushing arrangement therefore maintenance of these coolers, would require that one isbypassed from the auxiliary freshwater cooling system. However, with both coolers normally online, thecooling of the plant no.1 central cooler would be using up to 75% capacity, whilst no.2 central cooler will beusing 50% capacity .

2.8.7.11 Pipe work leaks in the auxiliary fresh water cooling system: Pipework failure and damage to strainers wouldgenerally occur as a result of mechanical damage and thus can be controlled by proper workplacemanagement. Minor leaks in the system can be revealed by the need to regularly top up the expansion tankand should be rectified when possible. Adequate pipework protection will reduce the risk of pipework leaks

in the fresh water cooling system. The final effect for pipe work leaks in the Auxiliary fresh water coolingsystem will be loss of T6 which is not exceeding WCFDI.

2.8.7.12 Burst central freshwater cooler: The central fresh water coolers provide cooling for the following equipmentas part of the central fresh water cooling system. Please refer to the table 2-12

2.8.7.13 Jacket water leakage on the high temperature fresh water circuit in the water maker: There would beleakage in the engine jacket water circulating side of the water maker from damaged seals which wouldresult in a fall of coolant levels for the main engine expansion tank. This over time would be observed as anexpansion tank low level alarm for the main engine, as the leaked coolant will be removed from the watermaker by the ejector pump. If the leaks are more severe this could result in the filling of the void space inthe water maker, however, this is not a large volume and thus would not result in tripping of the main enginedue to jacket water temperatures.

Table 2-12 Auxiliary Freshwater Cooling System DP Associated Equipment

Central Freshwater Cooling System DP Associated Equipment

M/E air cooler Packaged air con unit for the switchboard room

M/E lube oil cooler Packaged air con for the ECR

ME Jacket Water cooler No.1 & No.2 Main Air Compressors

CPP Hydraulic Cooler (T6) No.1 & No.2 Service Air Compressors

Stern Tube Cooler (T6) Control Air Compressor

No.1 & No.2 S/Gear Power Pack

2.8.7.14 A ruptured central fresh water cooler resulting in the loss of water from the system, there will be limitedcirculation of coolant for the above listed components in Table 2-12, it could result in the tripping of the mainengine T6. However, proper maintenance has to be in place in order to make sure the system well maintain,fresh water pressure and level alarms should appear on the local panel or ICMS

2.8.8 Hidden failures of the Main / Auxiliary Freshwater Cooling System

2.8.8.1 Fouling of the seawater side of the central fresh water coolers.

2.8.8.2 Seizure of the standby pumps due to lack of maintenance. This is easily avoided by rotating the pumps forduty and regular PMS.





2.8.9 Common mode failures affecting redundancy of the Main / Auxiliary Fresh Water Cooling System

2.8.9.1 Chemical overdose: Chemical dosing of the system in the correct quantities is beneficial as it preventscorrosion of the metal components in the system. However, overdosing can in some cases cause chemicalattack in the system requiring regular monitoring of the system is essential to ensure that the correct levelsof chemical dosing is maintained.

2.8.10 Configuration errors affecting the redundancy of the Main / Auxiliary Fresh Water Cooling System2.8.10.1 Inadvertently leaving the central freshwater cooling pumps on manual after maintenance.

2.8.11 Maloperation of Main / Auxiliary Fresh Water Cooling System

2.8.11.1 If chemical sampling and dosing are not carried out as required on the various fresh water cooling systems,it could result in failure to detect an imbalance in the alkalinity/acidity of the coolant eventually resulting inscale build up and / or corrosion within the system.

2.8.12 Worst case failure – Main / Auxiliary Freshwater Cooling System –

2.8.12.1 A ruptured central fresh water cooler resulting in the loss of water from the system, there will be limitedcirculation of coolant for the above listed components in Table 2-12; it could result in the tripping of the mainengine (T6) and eventually will lead to loss of T6; this does not exceed the WCF. However, proper

maintenance is required to be in place, in order to make sure the system is well maintained, the fresh waterpressure and level alarms should activate the local panel or ICMS,





2.8.13 Forward FW Service Cooling System

FW Exp. Tank

Sec.2 FW

Pump 1

Sec.2 FW

Pump 2

Sec.1 FW

Pump 1

Sec.1 FWPump 2

Sec.1 FWD

Thruster FW

Cooler

Sec.2 FWD

Thruster FW

Cooler

No.2 Bow TunnelThruster Elec. Motor

Bow Azimuth

Thruster Hyd. Pack

Bow AzimuthThruster Elec. Motor

No.1 Bow Tunnel

Thruster Elec. Motor

NO

FW075

NC

FW048

Deck Mach. Hyd.

Pump

NC

FW049

NO

FW076

FW045

FW046

Figure 2-18 Forward FW cooling System

2.8.13.1 Forward fresh water cooling system refers to Figure 2-18. This cooling water system serves thrusters 1, 2and 3 motor cooler, T3 and Deck machinery hydraulic power packs.

2.8.13.2 The forward fresh water service cooling system consists of two cooling loops with isolating valves FW049

and FW048 in normally close during DP operation. Section 2 cooling loop is to cool No.2 Bow thrusterelectric motor, BAZ3 hydraulic power pack, and BAZ3 electric motor while section 1 cooling loops will coolBT1 electric motor.





2.8.13.3 Coolant in the Forward FW Service cooling systems is circulated through the cooling loops by two freshwater cooling pumps No.1 and No.2. These pumps have separate sources of power and are in operation atall times. Please refer to Table 5-3 for power supplies. Both pumps are in operation at all times.

2.8.13.4 The Forward FW service cooling system has one expansion tank with a volume of 1.0m3 and there ispartition which separates the tank into two cooling loops. The tank level is monitored by a level transducer.The forward freshwater cooling system is equipped with two plate type freshwater coolers with a capacity of

100%. In normal operations both coolers are placed online, temperature of the coolant supplied to variousconsumers is maintained by an allocated electro pneumatic 3-way temperature control valve allocated toeach cooler. The loss of power or control air supply to the 3-way valve unit would cause the 3-way valve tofail to the full cooling delivery, and this in turn would not have any effect on the thrusters.

2.8.14 Failure modes of the forward fresh water service cooling system

1. Failure of one of the section 1 freshwater cooling pump

2. Failure of one of the section 2 freshwater cooling pump

3. Failure of the 3- way thermostatic control valve (FW045)

4. Failure of the 3-way thermostatic valve (FW045) to full cooling

5. Failure of the 3-way thermostatic valve (FW045) to bypass the coolers

6. Failure of the 3- way thermostatic control valve (FW046)

7. Failure of the 3-way thermostatic valve (FW046) to full cooling

8. Failure of the 3-way thermostatic valve (FW046) to bypass the coolers

9. Fouled forward freshwater cooler

10. Pipe works leaks in the Forward FW cooling system

11. Burst forward fresh water cooler

2.8.15 Failure effects of forward fresh water service cooling system faults

2.8.15.1 Failure one of the section 1 freshwater cooling pump: Depending on which pump in the section 1 forwardfresh water cooling system fails, it in turn will remove the redundancy. Failure of either pump would notaffect the DP system because the standby pump would be initiated once the system detects low pressure ofthe fresh water system.

2.8.15.2 Failure one of the section 2 freshwater cooling pump: The effects are same in the section 2.8.15.1.

2.8.15.3 Failure of the 3-way thermostatic control valve (FW045): In the event of power supply or control air failure tothe electro-pneumatic unit, the 3-way temperature control valve will fail to the full cooling delivery. This willhave no effect to the BT1 system.

2.8.15.4 Failure of the 3-way thermostatic valve (FW045) to full cooling: Failure of the 3-way thermostatic valve(FW045) to full cooling would have no effect on the BT1 system.

2.8.15.5 Failure of the 3-way thermostatic valve (FW045) to bypass the coolers: Failure of the 3-way temperaturecontrol valve to bypass the cooler would initiate a rapid rise in coolant temperature; this is indicated ashigher operating temperature for the associated machinery. If not corrected it could result in the shutdown ofthe BT1 system.

2.8.15.6 Failure of the 3-way thermostatic control valve (FW046) : In the event of power supply or control air failure tothe electro-pneumatic unit, the 3-way temperature control valve will fail to full cooling. This will have noeffect on the Bow Azimuth and BT2s.

2.8.15.7 Failure of the 3-way thermostatic valve (FW046) to full cooling: Failure of the 3-way thermostatic valve to fullcooling would have no effect on the bow azimuth and BT2s system.

2.8.15.8 Failure of the 3-way thermostatic valve (FW046) to bypass the coolers: Failure of the 3-way temperature

control valve to bypass the cooler would initiate a rapid rise in coolant temperature; this is indicated ashigher operating temperature for the associated machinery. If not corrected it could result in the shutdown ofthe bow azimuth and BT2s system.





2.8.15.9 Fouled forward freshwater cooler: The fouling of both plate coolers would reduce the efficiency of theseawater cooling system and thus affect both freshwater cooling systems separately. The high differentialpressures across the inlet and outlet on the seawater side of the coolers would be noted by the engineers.This is remedied by cleaning one fouled cooler at a time. In mitigation the seawater cooling system isequipped with an MGPS system.

2.8.15.10 Pipe work leaks in the forward fresh water cooler: Failure of well protected freshwater pipework is not

considered for Dynpos AUTR. Pipework failure and damage to strainers would generally occur as a result ofmechanical damage and thus can be controlled by proper Planned Maintenance System. Minor leaks in thesystem can be realised by the need to regularly top up the expansion tank and should be rectified whenpossible.

2.8.15.11 Burst forward fresh water cooler: The forward fresh water coolers provide cooling for the followingequipment as part of the forward fresh water cooling system. The fresh water circulation loop is separatedindependently by the isolation valve (FW049/FW048).

Table 2-13 Forward Freshwater Cooling System DP Related Equipment

Forward Freshwater Cooling System DP Related Equipment

Freshwater Cooler No.1 Freshwater Cooler No.2

BT1 electric motor BT2 electric motor

Bow Azimutht thruster Hyd. Power pack

BAZ3 Electric Motor

2.8.15.12 A ruptured No.2 forward fresh water cooler would result in the loss of water from the system, where limitedcirculation of coolant for the above listed components in Table 2-13, could result in the tripping of BT2 andBAZ3 T3. This would not affect the operation of forward freshwater circuit No.1. However, proper

maintenance has to be in place in order to make sure the system well maintain, the fresh water pressureand level alarms should appear in the local panel or ICMS

2.8.15.13 A rupture in the No.1 forward fresh water cooler would result in the loss of water from the system, wherelimited circulation of coolant for the above listed components in Table 2-13; could result in the tripping ofazimuth thruster T1 from high operating temperatures. This would not affect the operation of forwardfreshwater circuit No.2. However, proper maintenance has to be in place in order to make sure the systemwell maintain, the fresh water low level and low-low level alarms should appear in the local panel or ICMS

2.8.16 Hidden failures of the Forward Freshwater Cooling System

2.8.16.1 Fouling of the seawater side of the forward fresh water coolers

2.8.17 Common mode failures affecting redundancy of the Forward Fresh Water Cooling System


2.8.18 Configuration errors affecting the redundancy of the Forward Fresh Water Cooling System

2.8.18.1 Operating the forward freshwater cooling system with isolating valves FW049/FW048 in the normally openposition would result in a more severe failure mode compared to the WCFDI should a ruptured forward freshwater cooler occur.

2.8.19 Maloperation of Forward Fresh Water Cooling System

2.8.19.1 If chemical sampling and dosing are not carried out on the various fresh water cooling systems, this couldresult in failure to detect an imbalance in the alkalinity/acidity of the coolant eventually resulting in scalebuild up or corrosion in the system





2.8.20 Worst case failure – Fwd Fresh water service cooling system –

2.8.20.1 The worst case failure will be loss of the forward fresh water service cooling system No.2 forward freshwater cooler would result in the loss of water from the system, where limited circulation of coolant for theabove listed components in Table 2-13, could result in the tripping of BT2 and BAZ3. This would not affectthe operation of forward freshwater circuit No.1. However, proper maintenance has to be in place in order tomake sure the system is well maintain, the fresh water pressure and level alarms should appear on the local

panel or ICMS once there is any leakage or rupturing of the cooler in the central fresh water cooling system.

2.8.21 No.1/2 GE FW Cooling System

From FW

Expansion tank

No.1 GE 7H32/40

Alternator

Air Cooler

LO

Cooler

No.2 GE 9H32/40

Alternator

Air Cooler

LO

Cooler

SternTunnel

ThrusterElec.Motor

No.1 GE

MGO

Cooler

No.1 GE

FW Cooler

No.1/2

GE CFW

Pump

No.1

No.1/2

GE CFW

Pump

No.2

W205V

Figure 2-19 No. 1/2 GE FW cooling system

2.8.21.1 No.1/2 GE FW cooling system refer to Figure 2-19. This cooling water system serves the stern tunnelthruster T5plus generators No.1 and No.2.

2.8.21.2 Coolant for the No.1/2 GE FW cooling systems is circulated by No.1/2 GE cooling FW pumps No.1 andNo.2. These pumps have separate sources of power and are operated on a duty/standby configuration.Refer to Table 5-3 for power supplies. The flow rate for the system is maintained at 300m 3/H In the eventthe running pump is unable to maintain the required pressure in the system the standby pump should autostart.

2.8.21.3 The No.1/2 GE FW cooling system coolant is delivered from the main cooling FW expansion tank. TheNo.1/2 GE freshwater cooling system is equipped with plate type freshwater cooler with a capacity of 100%.The coolant is supplied to various consumers and is maintained by an electro-pneumatic 3 way temperature

controlled valve. The loss of power supply or control air supply to the electro-pneumatic unit would causethe 3-way valve to fail to the full cooling delivery.

2.8.22 Failure modes of the No.1/2 GE FW cooling system

1. No.1/2 GE cooling freshwater pump failure.


3. Failure of the 3- way thermostatic control valve (W205V).

4. Failure of the 3-way thermostatic valve (W205V) to full cooling delivery

5. Failure of the 3-way thermostatic valve (W205V) to bypass the coolers

6. Fouled No.1 GE freshwater cooler

7. Pipe works leaks in the No.1/2 G/ E fresh water cooling system.

8. RupturedNo.1 GE freshwater cooler.





2.8.23 Failure effects of No.1/2 GE FW cooling system faults

2.8.23.1 No.1/2 GE cooling freshwater pump failure: Failure of one pump in the No.1/2 GE fresh water coolingsystem would remove the redundancy, but should not affect DP assuming the standby pump starts whenthere is a low system pressure alarm.

2.8.23.2 Spurious start of the stand-by pump: A spurious start of the standby pump should have no effect on the heat

exchangers.2.8.23.3 Failure of the 3-way thermostatic control valve (W205V): In the event of power supply or control air failure to

the electro-pneumatic unit, the 3-way temperature control valve will fail to full cooling. This will have noeffect on the generator no.1 & no.2 and the stern tunnel thruster.

2.8.23.4 Failure of the 3-way thermostatic valve (W205V) to full cooling: Failure of the 3-way thermostatic valve to fullcooling would have no effect on the No.1/2 GE fresh water cooling system as the valve will fail as set .

2.8.23.5 Failure of the 3-way thermostatic valve (W205V) to bypass the coolers: Failure of the 3-way temperaturecontrol valve to bypass the cooler would initiate a rapid rise in coolant temperature; this is indicated as No.1/2 GE fresh water cooling system high water temperature alarm on the ICMS. If not corrected it couldresult in the shutdown of Generators No.1 / 2 and the stern tunnel thruster. This resulting t loss of thrusterNo.1 and No.5 which is equal to WCFDI.

2.8.23.6 Fouled No.1 GE freshwater cooler: The fouling of the operating plate cooler would reduce the efficiency ofthe seawater cooling system and thus affect the freshwater cooling system. The high differential pressuresacross the inlet and outlet on the seawater side of the coolers would be noted by the engineers. This iseasily remedied by switching over to the cooler on standby whilst the fouled cooler is bypassed and cleaned.In mitigation the seawater cooling system is equipped with an MGPS system.

2.8.23.7 Pipe work leaks in the forward fresh water cooler: Failure of well protected freshwater pipework is notconsidered for Dynpos AUTR. Pipework failure and damage to strainers would generally occur as a result ofmechanical damage and thus can be controlled by proper workplace management. Minor leaks in thesystem can be revealed by the need to regularly top up the expansion tank and should be rectified whenpossible.

2.8.23.8 Burst No.1 GE freshwater cooler: The No.1 GE fresh water cooler provide cooling for the followingequipment as part of the No.1/2 GE fresh water cooling system.

Table 2-14 GE 1/2 Freshwater Cooling System DP Related Equipment

No.1/2 GE Fresh Water Cooling System DP Related Equipment

Generator No.1 freshwater cooling system Stern Tunnel Thruster Electric Motor

Generator No.2 freshwater cooling system

2.8.23.9 A ruptured or burst fresh water cooler for No.1 GE would result in the loss of water from the system, therewill be limited circulation of coolant for the above listed components in Table 2-14; it could result in thetripping of stern tunnel thruster T5. It would also result in failure of generators No. 1 and No. 2 due to highoperating temperatures. Reportedly MSB 1 supplies T1 and T5. With the loss of T1 and T5, this is equal tothe WCFDI. However, proper maintenance has to be in place in order to make sure the system wellmaintain, the fresh water pressure and level alarms should appear on the local panel or ICMS

2.8.24 Hidden failures of the No.1/2 G/E Freshwater Cooling System

2.8.24.1 Fouling of the seawater side of the No.1/2 G/E fresh water coolers.

2.8.24.2 Seizure of the standby pumps due to lack of maintenance. This is easily avoided by rotating the pumps forduty and regular Planned Maintenance System.





2.8.25 Common mode failures affecting redundancy of the No.1/2 G/E Fresh Water Cooling System


2.8.26 Configuration errors affecting the redundancy of the No.1/2 G/E Fresh Water Cooling System2.8.26.1 Inadvertently leaving the No.1/2 GE cooling pumps on manual after maintenance.

2.8.27 Maloperation of No.1/2 G/E Fresh Water Cooling System

2.8.27.1 If chemical sampling and dosing are not carried out on the various fresh water cooling systems, this couldresult in failure to detect an imbalance in the alkalinity/acidity of the coolant eventually resulting in scalebuild up and / or corrosion in the system.

2.8.28 Worst case failure – No.1/2 GE Fresh water cooling system

2.8.28.1 A ruptured fresh water cooler forNo.1 GE would result in the loss of water from the system, there will belimited circulation of coolant for the above listed components in Table 2-14, it could result in the tripping ofstern tunnel thruster T5. It would also result in failure of generators No. 1 and No. 2 due to high operating

temperatures. Reportedly MSB 1 supplies T1 and T5. With the loss of T1 and T5, this is equal to theWCFDI. However, proper maintenance has to be in place in order to make sure the system well maintain,the fresh water pressure and level alarms should appear on the local panel or ICMS

2.8.29 No.3/4 G/E F.W Cooling System

From FW

Expansion tank

No.4 GE 7H32/40

Alternator

Air Cooler

LO

Cooler

No.3 GE 9H32/40

Alternator

Air Cooler

LO

Cooler

SternAzimuth

ThrusterElec.Motor

No.2 GE

MGO

Cooler

No.2 GE

FW Cooler

No.3/4

GE CFW

Pump

No.3

No.3/4

GE CFW

Pump

No.4

W305V

SternAzimuthHyd.

PowerPck

Figure 2-20 No.3/4 GE FW cooling System

2.8.29.1 No.3/4 GE FW cooling system refer to Figure 2-20 for the simplified drawing. This cooling water systemserves the stern azimuth thruster plus generators No.3 and No.4.

2.8.29.2 Coolant for the No.3/4 GE FW cooling systems is circulated by No.3/4 GE cooling FW pumps No.1 andNo.2. These pumps have separate sources of power and are operated on a duty/standby configuration.Refer to Table 5-5 for power supplies. The working pressure for the system is maintained at 300m 3/H. In theevent the running pump is unable to maintain the required pressure in the system the standby pump willauto start.

2.8.29.3 The No.3/4 GE FW cooling system’s coolant is delivered from the cooling main FW tank. The GE No.3/4freshwater cooling system is equipped with plate type freshwater cooler with a capacity of 100%. In normal

operations one cooler is placed online, coolant temperature supplied to various consumers and ismaintained by an electro – pneumatic 3-way temperature controlled valve.





2.8.30 Failure modes of the No.3/4 GE FW cooling system

1. No.3/4 GE cooling freshwater pump failure.


3. Failure of the 3- way thermostatic control valve (W305V).

4. Failure of the 3-way thermostatic valve (W305V) to full cooling delivery5. Failure of the 3-way thermostatic valve (W305V) to bypass the coolers

6. Fouled No.2 GE freshwater cooler

7. Pipe works leaks in the No.3/4 G/ E fresh water cooling system.

8. Ruptured No.2 GE freshwater cooler.

2.8.31 Failure effects of No.3/4 GE FW cooling system faults

2.8.31.1 No.3/4 GE cooling freshwater pump failure: Failure of one pump in the GE 3/4 fresh water cooling systemwould remove the redundancy, but should not affect DP if the standby pump starts on low system pressure.

2.8.31.2 Spurious start of the stand-by pump: A spurious start of the standby pump should have no effect on the heat

exchangers.

2.8.31.3 Failure of the 3-way thermostatic control valve (W305V): In the event of power supply or control air failure tothe electro-pneumatic unit, the 3-way temperature control valve will fail to the full cooling delivery. This willhave no effect on Generator No.3 & No.4 plus the Stern Azimuth Thruster.

2.8.31.4 Failure of the 3-way thermostatic valve (W305V) to full cooling delivery: Failure of the 3-way thermostaticvalve to full cooling would have no effect on the GE No.3/4 fresh water cooling system as the valve will failto the way it is set.

2.8.31.5 Failure of the 3-way thermostatic valve (W305V) to bypass the coolers: Failure of the 3-way temperaturecontrol valve to bypass the cooler would initiate a rapid rise in coolant temperature; this is indicated as a GE3/4 fresh water cooling system high water temperature alarm on the ICMS. If not corrected it could result in

the shutdown of the Generator No.3 / 4 and the stern azimuth thruster. This would result to a loss ofthrusters No.2, No.3 and No.4.

2.8.31.6 Fouled No.2 GE freshwater cooler: The fouling of the operating plate cooler would reduce the efficiency ofthe seawater cooling system and thus affect the freshwater cooling system. The high differential pressuresacross the inlet and outlet on the seawater side of the coolers would be noted by the Duty Engineers. Thiscan be easily remedied by switching over to the cooler on standby so the fouled cooler is bypassed and thencan be cleaned. Be advised the seawater cooling system is equipped with an MGPS system.

2.8.31.7 Pipe work leaks in the forward fresh water cooler: Failure of well protected freshwater pipe work is notconsidered for Dynpos AUTR. Pipework failure and damage to the strainers would generally occur as aresult of mechanical damage and thus can be controlled by Planned Maintenance System. Minor leaks inthe system are revealed by the need to regularly top up the expansion tank and should be rectified when

possible.

2.8.31.8 Ruptured No.2 GE freshwater cooler: The No.2 GE fresh water cooler provide cooling for the followingequipment as part of the No.3/4 GE fresh water cooling system.

Table 2-15 No.3/4 GE Freshwater Cooling System DP Related Equipment

No.3/4 GE Fresh Water Cooling System DP Related Equipment

Generator No.3 freshwater cooling system Stern Azimuth Thruster (T4) Hydraulic Power Pack

Generator No.4 freshwater cooling system Stern Azimuth Thruster (T4) Motor Cooler





2.8.31.9 A ruptured fresh water cooler for No.2 GE would result in the loss of water from the system, there will belimited circulation of coolant for the above listed components in Table 2-15, it could result in the tripping ofthruster T4. It would also result in failure of generators No. 3 and No. 4 due to high operating temperatures.Reportedly MSB 2 supplies T2, T3 and T4. With the loss of T2, T3 and T4, this is still equal to the WCFDI.However, proper maintenance has to be in place in order to make sure the system is well maintained, thefresh water pressure alarm and water level alarms should appear on the local panel or ICMS

2.8.32 Hidden failures of the No.3/4 G/E Freshwater Cooling System

2.8.32.1 Fouling of the seawater side of the No.2 G/E fresh water coolers.

2.8.32.2 Seizure of the standby pumps due to lack of maintenance. This is easily avoided by rotating the pumps forduty and regular PMS.

2.8.33 Common mode failures affecting redundancy of the No3/4 G/E Fresh Water Cooling System


2.8.34 Configuration errors affecting the redundancy of the No.3/4 G/E Fresh Water Cooling System2.8.34.1 Inadvertently leaving the No.3/4 GE cooling pumps on manual after maintenance.

2.8.35 Maloperation of No.3/4 GE Fresh Water Cooling System

2.8.35.1 If chemical sampling and dosing are not carried out on the various fresh water cooling systems, this couldresult in failure to detect an imbalance in the alkalinity/acidity of the coolant eventually resulting in scalebuild up and / or corrosion in the system.

2.8.36 Worst case failure – No.3/4 GE Fresh water cooling system

2.8.36.1 A ruptured water cooler for No.2 GE would result in the loss of water from the system, there will be limitedcirculation of coolant for the above listed components in Table 2-15, it could result in the tripping of thrusterT4. It would also result in failure of generators No. 3 and No. 4 due to high operating temperatures.Reportedly MSB 2 supplies T2, T3 and T4. With the loss of T2, T3 and T4, this is still equal to the WCFDI.However, proper maintenance has to be in place in order to make sure the system is well maintained, thefresh water pressure and level alarms should appear on the local panel or ICMS.

2.9 COMPRESSED AIR SYSTEM


200M241001MB Compress Air system


2.9.2.1 Two compressors supply the starting air system and backup for the control air system in the engine room.

2.9.2.2 Two service air compressors supply the control air where one is operational and the other acts as standby2.9.3 Configuration for DP

2.9.3.1 Both air receivers supply the main engine and four generators. The Main engine has an independent linewhilst four generators share a common aux. air reservoir. Two set generators will be sharing the commonstarting air line from the aux. air receiver.





2.9.4 Compressed air system

No.1 Main Air

Compressor

No.2 Main Air

Compressor

N o . 1 M

a i n A i r

R e s e r v o i r

N o . 2 M

a i n A i r

R e s e r v o i r

A u x .

A i r

R e s e r v o i r

No.1 GE

7H32/40

No.4 GE

7H32/40

No.3 GE

9H32/40

No.2 GE

9H32/40

ME B&W

6S70ME – C8.2

S e r v i c e A i r

R e s e r v o i r

C

o n t r o l A i r

R e s e r v o i r

No.1 Service

Air

Compressor

No.2 Service

Air

Compressor

N o

. 2 C t r l A i r

D r y e r

N o

. 1 G E F O S h u t o

f f V

/ V

N o


f f V

/ V

N o


f f V

/ V

N o


f f V

/ V

Control Air

Compressor

A018V

NC

N o .1 C t r l A i r

D r y e r

M E J C F W

T C V

M a i n C F W

T C V

M a i n L O C W

T C V

N o

. 1 , 2

G E C F W

T C V

N o

. 3 , 4

G E C F W

T C V

M E L O A u t o F i l t e r

N o

. 1 G E M D O A u t o

f i l t e r

N o

. 2 G E M D O A u t o

f i l t e r

M E F O A u t o

f i l t e r

A019V

NC

D e

c k S e r v i c e

A i r R e s e r v o i r

Deck Service air

Compressor

T o F i r e C o n t r o

l S t a t i o n

30bar – 7bar

Figure 2-21 Compressed Air System

2.9.4.1 The compressed air system is equipped with two main air compressors with a capacity of 200m3/h at 30 bar.Refer to Figure 2-21.

2.9.4.2 Main air compressor No.1 is fed from 440Vac LGSP -5 section 2 whilst main air compressor No.2 is fed fromthe 440Vac emergency switchboard.

2.9.4.3 The main air compressors supply two main air receivers and an auxiliary air receiver with a workingpressure of 3.0MPa. The main air receivers have a volume of 4.5m3 respectively whilst the aux air receiverhas a volume of 0.5m3. Only the main air receivers are monitored and alarmed for low starting air pressureat the ICMS. The air receivers are protected from over pressure with relief valves set at 3.3 mPa.

2.9.4.4 Compressed air from the main air receivers feed the main engine and generators. The aux. air receiver isdedicated for four generators while the main engine starting air is delivered from the main air receivers. Thegenerators and main engines primarily use compressed air for starting and control air purposes.

2.9.5 Service air / Control air system

2.9.5.1 The service air system for the vessel can be supplied either from the main air reservoirs or from the No.1 &No.2 Service air compressor. The No.1 & No.2 Service air compressors are fed through the service airreservoir. The service air system air pressure from the main air receivers is reduced from 3.0MPa to 0.7MPathrough a pressure reducing unit. The pressure reducing unit is equipped with two sets of pressure reducingvalves and relief valves for redundancy purpose.





2.9.5.2 Service air from the service air compressors is stored in a service air reservoir with a volume of 2.0m 3. Theservice air reservoir is protected from overpressure through a relief valve, set at 0.77mPa. Pressure in theservice air reservoir is monitored and alarmed on the ICMS. The compressed air from the service airreservoir is distributed to other machinery equipment and to the control air system which is passed throughNo.1 control air dryer.

2.9.5.3 There is a backup control air system supplied from the control air compressor. The air from the control air

compressor is stored in the control air reservoir and is distributed mainly to the control air system. Thecompress air from the control air reservoir is passed through the No.2 control air dryer.

2.9.5.4 For DP related equipment supplied from the service and control air system refer to Table 2-16 Failure modefor all the listed systems below to be identified.

Table 2-16 DP Related Equipment supplied from the Control and GS Air System

DP Related Equipment supplied from the Service / Control Air System

GE No.1 F.O Inlet shutoff Valve ME F.O Auto Filter

GE No.2 F.O Inlet shutoff Valve ME Jkt Water CFW Temp Control Valve

GE No.3 F.O Inlet shutoff Valve M/E LO CW Temp Control Valve

GE No.4 F.O Inlet shutoff Valve M/E CFW CLR Temp Control Valve

No.1 GE MDO Auto Filter No.3 & 4 GE CFW CLR TCV

No.2 GE MDO Auto Filter ME LO Auto. Filter

2.9.6 Deck Service Air System

2.9.6.1 The deck service air system is supplied from the Deck service air compressor. The air compressor is fed tothe deck service air reservoir where the air pressure is 0.7MPa. There is an isolation valve (A019V) which isnormally set in the closed position, is used to separate between the service / control air system and deckservice air system.

2.9.6.2 The air from the deck service air compressor is stored in a deck service air reservoir with a volume of 2.0m 3.The service air reservoir is protected from overpressure through a relief valve, set at 0.77MPa. Pressure inthe service air reservoir is monitored and alarmed to the ICMS. The compressed air from the deck serviceair reservoir is distributed to the deck machinery equipment and the emergency shutoff valves.

2.9.6.3 It can also be backed-up by the service / control air system which is supplied from the service aircompressors.

2.9.7 Emergency Shut off Valve and Fire Damper Compressed Air System

2.9.7.1 The emergency shut off valve and fire damper control system consists of an air receiver located at the firecontrol station. The air receiver is supplied from the deck service compressor at 0.7mPa from the deckservice compressed air system. The content in the fire control station air receiver is protected by a non-return valve at the compressed air inlet. The air receiver is protected from over pressure by a relief valve setat 0.77MPa. The pressure in the air receiver is monitored and alarmed to the ICMS.

2.9.7.2 From the fire control station air receiver, there are two valves at the air receiver outlet supplied to two groupsof fire dampers which in normal operations are set to the closed position Refer back to figure 2-10

2.9.7.3 The fire control station air receiver supplies to the pneumatic quick closing valve system with the actuatingair to close the quick closing valves and actuating air to close the engine room fire dampers. Activation of allthe quick closing valves is achieved via a marked control lever located at the fire control station. For more

information refer to section 2.5.11. There is E/R fan damper control panel to manage all the fire dampers.Therefore the control panel requires to be well indentified to inadvertently shutting down the wrong firedamper at the same time.





2.9.8 Failure modes of the compressed air system

1. Main air compressor failure.

2. Failure of the Control and GS Compressor.

3. Failure of pipe work in the starting air system.

4. Failure of pipework in the control and service air system5. Failure of pipework in control air system in main engine

6. Failure of pipework in control air system in aux. engine

7. Overpressure on the compress air system.

8. Failure of pipework or leakage in the quick closing valve system

9. Failure of pipework or leakage in the fire damper system

2.9.9 Failure effects of the compressed air system

2.9.9.1 Failure of one of the main air compressor: Main compressor failure will remove the redundancy but will notaffect the system completely as the compressed air system comes equipped with two main air compressors.

Failure of the air compressors is monitored and alarmed to the ICMS.

2.9.9.2 Failure of one of the service air compressors: Failure one of the service air compressors should not affectthe supply of compressed air to the service and control air system as the supply from the main compressedair system through the pressure reducing stations would still be available.

2.9.9.3 Failure of pipe work in the starting air system: Pipe work failure is considered for Dynpos AUTR notation(Pt.6 Ch.7 Sec.5 C301) if well protected, however leaks in the air system are relatively common. Majorpipework failure would remove the ability to start the main engine (if on standby) and reduce compressed airpressure to the service and control air system. Starting air for the generators is supplied through theauxiliary air receiver. Pipework damage on the supply to the air reservoirs would affect the air available inthe main and auxiliary air reservoirs; however, it should not affect the pressure in the auxiliary air receiver asit is protected by a non-return valve. Pipework damage generally occurs as a result of mechanical damageand thus can be controlled by proper workplace management. In mitigation, the low start air pressure alarmat the main air reservoirs is set at 15 Kg/cm 2 pressure to alert the ECR operators through the ICMS.Consideration should be given to monitor the air pressure in the auxiliary air receiver.

2.9.9.4 Failure of pipework in the control and service air system: In the event pipe work failure or air leakage will notaffect the engines. The electro-pneumatic valves will fail to full cooling. Loss of service air will not have anyeffect on any engine.

2.9.9.5 Failure of pipework in control air system to main engine : These will results main engine run in idle speedand the CPP deselect from the DP system. The failure will not have effect on the engine upon loss of controlair.

2.9.9.6 Failure of control air pipework to the auxiliary engines : Loss of control air will not have any effect on the

running of all Auxiliary Engines. To be proven during the proving trials.

2.9.9.7 Overpressure on the compressed air system: The compressed air system is protected from over pressureby a series of relief valves on the air receivers and pressure reducing stations.

2.9.9.8 Failure of pipe work or leakage in the quick closing valve system: Pipe work failure is well protected, buthowever leaks in the air system are relatively common. Major pipe work failure would have no effect on thequick closing valves as compressed air is required to activate closure of the valves. Pipe work damagegenerally occurs as a result of mechanical damage and thus can be controlled by proper workplacemanagement. In mitigation, the low air pressure alarm for the fire control station reservoir is to alert the ECRoperators through the ICMS.

2.9.9.9 Failure of pipe work or leakage in the fire damper system: Pipe work failure is not to be considered for

Dynpos AUTR notation if well protected, however leaks in the air system are relatively common. Major pipework failure would stop air to the Engineroom fire dampers preventing them from closing. The fire damperswould remain open and could not be closed from the fire control station.





2.9.10 Hidden compressed air system failures

2.9.10.1 Deterioration of FAD may occur as a result of wear and tear in the mechanical components in thecompressors. This may only be noticed during the periods of high demand where the system may not beable to sustain required pressure. The compressor coupling can fail on one unit but may still indicate that itis running.

2.9.10.2 Blockage or failure of the operating pressure reducing unit is not indicated as an alarm, however it can beobserved through frequent running of the service compressor/s.

2.9.11 Common mode failure affecting the compressed air system

2.9.11.1 There is no common mode failure affecting the compress air system.

2.9.12 Compressed air system configuration errors that could remove the backup redundancy

2.9.12.1 As the air compressor system is an auto standby system, failure to switch the backup compressor tostandby start would reduce the number of available compressors to one.

2.9.13 Maloperation of the compressed air system

2.9.13.1 Inadvertent operation of closure control air lever to the quick closing valve would shut off one group of

valves to the respective fuel oil tanks. The QCV system is divided into two groups which has described inthe table 2-8.

2.9.13.2 Inadvertent operation of closure of group 1 valves will lead to loss of ME, No.1 & No.2 Diesel Generators.The vessel would lose T1, T5 and T6.

2.9.13.3 Inadvertent operation of closure of group 2 valves will lead to loseNo.3 & No.4 Diesel Generators. Thevessel would lose T2, T3 and T4.

2.9.13.4 However if there is adequate identification and security to the valves at the fire control station, the risk canbe mitigated.

2.9.14 Worst case failure - Compressed air system

2.9.14.1 The worst case failure of compressed air system would be to lose control air to the main engine and thiswould result in the main engine running at idle speed.

2.10 VENTILATION SYSTEM


200F24100PB Air Venting / Sounding System

200F24100PB Compress Air System

2.10.2 Machinery space ventilation

2.10.2.1 The ventilation system includes ventilation of the engine room, bow thrusters room, steering gear room andother machinery spaces.

2.10.2.2 Loss of ventilation to machinery spaces other than the engine room is less critical and will only result intemperature rise in the affected compartment.

Table 2-17 Ventilation system power sources





Ventilation Fans Power Source Space Ventilated

ER Supply Fan No.1 (Rev. Type) 440Vac ESB Engine Room

ER Supply Fan No.2 (Rev. Type) 440Vac GSP No.1 Engine Room

ER Supply Fan No.3 ( Non- Rev. Type) 440Vac GSP No.1 Engine Room

E/R Supply Fan No. 4 (Non-Rev. Type) 440Vac GSP No.2 Engine Room

Steering Gear Supply Fan 440Vac ESB Steering Gear Room

Bow Thruster Supply Fan 440Vac ESB Bow Thruster Room

No.1 Pump room exhaust fan (Non-Rev.) No.1 440Vac Feeder panel Pump Room

No.2 Pump room exhaust fan (Non-Rev.) No.2 440Vac Feeder panel Pump Room

2.10.3 Engineroom ventilation

2.10.3.1 There are four single speed engine room supply fans allocated to the engine room. These fans are supplied

from the appropriate sides of the power distribution system as shown in Table 2-17.

2.10.3.2 Each duct is equipped with engine room surplus air exhaust through a pneumatic operated damper. Themain engine room is naturally vented through exhaust air outlets located on the port and starboard side ofthe engine room. Exhaust air is directed to the E/R funnel dampers which are located in the funnel.

2.10.4 Steering Gear Room Ventilation system

2.10.4.1 The steering gear room ventilation system consists of single speed ventilation supply fan and naturalventilator. The steering gear room supply fan is supplied from the power distribution system as shown inTable 2-18. The supply fan is housed in the steering gear room mechanical supply air fan housing.

2.10.5 Bow thrusters room Ventilation system

2.10.5.1 The bow thrusters room ventilation system consists of a single speed ventilation supply fan and naturalventilator. These fans are supplied from the appropriate sides of the power distribution system as shown inTable 2-18. The supply fan is housed in the forward compartment mechanical supply air fan housing.

2.10.6 Engine Room Fire Dampers

2.10.6.1 The emergency shut off valve and fire damper control system consists of an air receiver located at the firecontrol station. The air receiver is supplied with compressed air at 0.7mPa from the deck service air system.The content in the fire control station air receiver is protected by a non-return valve at the compressed airinlet. The fire control station air receiver supplies the engine room fire dampers through a manually operateddirectional control valve. The directional control valves are located in the fire damper control panel at the firecontrol station. The engine room fire dampers require compressed air to close the fire dampers. Refer toTable 2-18 for the air distribution to the fire dampers.

Table 2-18 Engine Room Fire Dampers

Location of fire dampersDamper for E/R supply fan No.1 Damper for E/R Supply Fan No.4

Damper for E/R supply fan No.3 Damper for E/R Supply Fan No.2

Damper for Purifier Rm Exh fan Funnel Fire Damper

Damper for E/R surplus air Funnel Fire Damper

2.10.7 Failure modes of the ventilation system

1. Failure of one engine room supply fan (Non-Reversible Type).

2. Failure of one engine room supply fan (Reversible Type).

3. Failure of the steering gear room supply fan.

4. Failure of the bow thruster’s room supply fan.





Table 2-19 HVAC Unit Power Supplies

Air conditioning unit Power Source Location

No.1 Air conditioner plant No.1 440Vac Feeder Panel

No.2 Air conditioner plant No.2 440Vac Feeder Panel

Package A/C for W/H No.1 No.1 440Vac Feeder Panel LGSP -6A Wheel house

Package A/C for W/H No.2 No.2 440Vac Feeder Panel LGSP -6B Wheel house

Package A/C for ECR No.1 No.1 440Vac Feeder Panel ECR

Package A/C for ECR No.2 No.2 440Vac Feeder Panel ECR

Package A/C No.1 for swbd room No.1 440Vac Feeder Panel Main switchboard room

Package A/C No.2 for swbd room No.2 440Vac Feeder Panel Main switchboard room

2.10.11.2 Wheelhouse and DP Control station: The wheelhouse is an air conditioned space cooled by one 440Vacpackaged air conditioning unit. .

2.10.11.3 Main Switchboard Room: The main switchboard room is an air conditioned space which is cooled by two440Vac packaged air conditioning units. Both A/C units are running at all times. The A/C units are watercooled condensing units fed from the central fresh water cooling system.

2.10.11.4 Engine Control Room: The ECR is an air conditioned space which is cooled by two 440Vac packaged airconditioning units. The A/C units are water cooled condensing units fed from the central fresh water coolingsystem.

2.10.12 Failure modes of the HVAC system

2.10.12.1 The resultant loss of A/C units for the various DP related spaces due to mechanical or electrical failures

could lead to higher compartment temperatures and related effects such as condensation on the equipmentin the space. It should be well noted that the equipment in these compartments is required by Class tooperate at the ambient conditions stated in DNV Rules for Classification of Ships, NewbuildingsMachinery Systems, General-January 2005 The below stated limits are well above the temperatures thatthis equipment would normally be maintained.

Pt4 Ch.1 Sec.3, B 200 Environnemental conditionsPt4. Ch.8.Sec.3 B300 Temperatures and humidityPt4. Ch.9 Sec.5B Environmental conditions, InstrumentationPt4 Ch.1 Sec.3 B 201 - All machinery, components and systems covered by the rules are to be designed tooperate under the following environmental conditions if not otherwise specified in the detailed requirementsfor the machinery, component or system:

–– ambient air temperature in the machinery space between 0°C and 55°C, –– relative humidity of air in the machinery space up to 96%, –– sea water temperature up to 32°C, –– list, rolling, trim and pitch according to Table B1.

The Society may consider deviations from the angles of inclination given in the table, taking intoconsideration the type, size and service conditions of the ship.

1. Failure of one wheelhouse HVAC unit

2. Failure of one water cooled condensing unit for the ECR / Main switchboard Room

3. Failure of one main switchboard HVAC unit





2.10.13 Failure effects of the HVAC system

2.10.13.1 Failure of wheelhouse HVAC unit: The loss of packaged unit for the wheelhouse should have no effect on theequipment on the bridge as they are rated to operate in ambient temperature in excess of 55ºC. Failure ofone packaged unit would be alarmed on the ICMS and the local panel. The equipment in the space isunderstood to be rated to operate in accordance with the DNV rules quoted above

2.10.13.2 Failure of one water cooled condensing unit for the ECR room: The failure of the water cooled condensingunit for the ECR would not affect the equipment in the space. Failure of the packaged unit would be alarmedon the ICMS and local panel. In addition the temperature in the space is also monitored on the local Tempcontroller. The equipment in the space is understood to be rated to operate in accordance with the DNVrules quoted above In the event failure of the package unit in the engine room, the ambient temperaturefrom the reference will be kept below 45 ºC.

2.10.13.3 Failure of one water cooled condensing unit for the main switchboard room: The failure of a water cooledpackaged unit for the main switchboard room would have no immediate effect on the equipment in thespace. Failure of one unit will be alarmed but there will be no effect as there is a secondary unit that iscooling the switch board room. The A/C unit on the No. 1 GSP side is supplied by MSB 1 P-M1-17 whereasthe No. 2 A/C (closer to the No. 2 GSP) is supplied from MSB 2, P-M2-17. Each unit is capable of coolingthe entire room. Failure of either packaged unit would be alarmed on the ICMS and local panel. In additionthe temperature in the space is also monitored on the local Temp Controller. The equipment in the space isunderstood to be rated to operate in accordance with the DNV rules quoted above. Likewise the M.Vtransformers are also supplied by individual supply fans that are powered off the respective switchboards(No. 1 M.V transformer supply fan supplied from MSB 1 and No. 2 M.V transformer supply fan suppliedfrom MSB 2).

2.10.14 Hidden failures of the HVAC

2.10.14.1 Failure of the standby unit for the main switchboard room would not be detected until there is a failure of thepackaged unit in operation. This is easily corrected by rotating the package units on duty. In mitigationfailure of both units in this case is not immediately critical.

2.10.15 Maloperation and configuration errors associated with HVAC

2.10.15.1 The circulation of coolant to the HVAC units for the main switchboard rooms and ECR is carried out by the Auxiliary fresh water cooling system. Maloperation of these systems would include setting the auxiliary freshwater cooling pumps to manual instead of auto/standby.

2.10.16 Common mode failures associated with ventilation

2.10.16.1 There is no common mode failure that has been identified during the analysis.

2.10.17 Ventilation or HVAC configuration errors that could defeat redundancy

2.10.17.1 Running both main switchboard packaged units at the same time should not be necessary as both unitscover 100% capacity.


2.10.18.1 The worst case failure will be loss of No.1 440Vac feeder panel this would result in loss of one mainswitchboard room air conditioning, ECR air conditioning units and accommodation condensing units. Losingof single air conditioning units in the in the main switchboard room and ECR will have no noticeable effecton the temperature as the second air conditioning unit is still running, this will not have immediate effect tothe relevant equipment or machinery and the ambient condition is fulfilled as stated in DNV class rules.





2.11 EMERGENCY GENERATOR


1. Specification for Emergency Diesel Generator Set.


2.11.2.1 The vessel is installed with Doosan AD180TI engine and Leroy Somer M47.2 S4 alternator. The EmergencyGenerator provides the usual services required by SOLAS but does not have a significant role to play in theredundancy concept. Blackout recovery is possible without it provided that recovery takes place within theexpected time.

2.11.3 Location

2.11.3.1 The emergency generator room is located on the main deck. The auxiliary support systems such as the fueloil day tank are located in the emergency generator room.


2.11.4.1 The emergency generator would be placed on standby during normal operations as its purpose is assist inthe event blackout recovery does not work.

2.11.5 Description

2.11.5.1 This is a 4 stroke, in-line, water cooled direct injection diesel engine. There is an engine driven water pumpto direct the coolant to LO cooler, and Turbo charger exhaust manifold. After that the coolant will pass returnback to the cooling system or back to the top tank via the thermostat.

2.11.5.2 The coolant at the top tank will then be cooled through the radiator before it returns to the engine coolingsystem.

2.11.5.3 There is fuel oil tank mounted with the engine. The fuel is filled manually. Therefore the EmergencyGenerator fuel tank requires to be part of regular inspections when it is in use

2.11.5.4 The Emergency engine has its own Lubricating system which comprises with engine driven LO pump, oil

cooler, oil filter and oil strainer. The LO is drawn by the engine drive LO pump from the oil pan pass throughthe oil strainer. The LO is then directed to the oil cooler and lube oil filter before entering cylinder block

2.11.5.5 From the cylinder block, the LO is then distributed to turbo charger, PTO, air compressor, crank journal, Rockarm bush and oil spray nozzles.

2.11.5.6 The engine is electric start from a battery. The battery is charged from the 220Vac ESB.

2.11.6 Failure mode of the emergency generator engine

1. Engine stops during operation. (No failure of engine components)


3. Engine runs at higher speed than required during operation.

4. Engine fails to start on demand.


2.11.7 Failure effects of the emergency generator engine

2.11.7.1 Engine stops during operation (no failure of engine components): Loss of generation capacity leading tobreaker tripping on under frequency possibly leading to a blackout situation if the main generators have notrestarted.

2.11.7.2 Engine runs at lower speed than required during operation: Inability to maintain power supply at requiredfrequency; may trip on under frequency or eventually low voltage possibly leading to a blackout situation ifthe main generators have not restarted.





2.11.7.3 Engine runs at higher speed than required during operation: Inability to maintain power supply at requiredfrequency; potential to over speed engine possibly leading to a blackout situation if the main generatorshave not restarted.

2.11.7.4 Engine fails to start on demand: Inability to power up emergency switchboard in a blackout situation.

2.11.7.5 Unforeseen catastrophic failure of a component part (Manufacturer’s component fails within its expected

lifespan): External component - engine may stop but can usually be restarted when the faulty part has beenreplaced; internal component- engine may stop commonly due to catastrophic failure of other partsdamaged by the initial breakage.

2.11.8 Hidden emergency generator failures

2.11.8.1 Failure to start - Manufacturing defects in engine components.

2.11.8.2 Fuel contamination of lubricating oil. Mitigated by the fact that oil sampling is carried out regularly

2.11.9 Common mode failure affecting the E-Gen fuel system

2.11.9.1 There are no known common mode failures.

2.11.10 Maloperation of the emergency generator

2.11.10.1 There are interlocks such as check sync relays to prevent all obvious acts that could affect the main powersystem.

2.11.11 Emergency generator configuration errors that could defeat redundancy

2.11.11.1 Leaving the system in manual control could prevent the start of the engine following a failure although thiswould not have an immediate impact on the station keeping capability of the vessel if all systems wereoperational and configured correctly.

2.11.12 Worst case failure - Emergency generator

2.11.12.1 As the emergency generator is normally in standby during DP operations there is little opportunity for failuresto occur in such a way that they affect DP operations. There is a possibility of causing disruption ofconsumers on the emergency switchboard during load testing





3 POWER GENERATION

3.1 GENERATORS

3.1.1 References

Specification for Synchronous Generator:- APP-11RAH086-Rev.2

Specification of Generator

Working Drawing of Diesel Generator Engine

UG-25+ Governor Manual 26330 (Rev G)

K-Chief 600 Power Management System 1221635 Rev A

HDEC 1000 User’s Manual


DG3 DG2

No.5 VCB 3P

(MBT)

NO

NO

ST5

BAZ3

BT1

CPP

SAZ4

6.6kV MSB 1

DG2DG3DG4

No.2 VCB 3P

D2

NC

No.1 VCB 3P

D1

NC

4300kW 3300kW

BT2

6.6kV MSB 2

No.3 VCB 3P

D3

NC

No.4 VCB 3P

D4

NC

4300kW3300kW

DG1

Figure 3-1 Single Line Diagram for 6.6kV





3.1.2.1 The 6.6kV switchboard layout is illustrated in the simplified drawing in figure 3-1.

3.1.2.2 The normal configuration while in DP is to run the vessel with a two-way split. Please refer to thesimplified diagram above. The position of breakers is given below:

1. All the generators online.

2. Breaker No.5 VCB 3P is opened so that 6.6kV switchboard 1 and 2 are disconnected.

3. Breaker No.7 VCB 3P is opened and No.10 VCB 3P is closed such that BAZ 3 is supplied fromMSB No.2

4. Breaker No.1 VCB 3P is closed.




8. BAZ3 is supplied from 6.6KV MSB No.2.


3.1.3.1 The redundancy concept at the power generation level is based on the distribution of 6.6kV level.

3.1.3.2 The thruster groups are:-

6.6kV MSB No.1: Bow Tunnel thruster (T1), Stern tunnel thruster (T5) and main CPP (T6)

6.6kV MSB No.2: Bow Tunnel Thrusters (T2), Bow and Stern Azimuth thrusters (T 3 and T4)

3.1.3.3 In the event of failure of the 6.6kV MSB 2, BAZ3 can be manually changed over to 6.6kV MSB 1 tocontinue DP operation, and to increase DP capability. However, during the period of changeover, thevessel will stay in position with the remaining thrusters should the vessel be operated within itsenvironmental limits as specified by its capability plots.

3.1.3.4 Worst Case Failure Design Intent:- The WCFDI due to a fault on the main switchboard will be loss of:-

6.6kV MSB 1: One Bow Tunel thruster (T1), Stern tunnel thruster (T5) plus the main CPP (T6).

Although the hydraulic pumps for the CPP (T6) are distributed between the 440VAC MSB 2 and 440VACMSB 1, it would not be possible to changeover the supply for this thruster as the pumps for the MainEngine are supplied from MSB 1.

3.1.4 Description

3.1.4.1 The vessel has four diesel generators rated at 6.6kV, 60Hz:-

Aux. Diesel Generators: 2 x 5375KVA, 6.6kV, 3ph, 60Hz, HSJ7 913-10P driven by Hyundai Himsen9H32/40 engine.

Aux. Diesel Generators: 2 x 4125KVA, 6.6kV, 3ph, 60Hz, HSJ 805-10P driven by Hyundai Himsen

7H32/40engine. 3.1.4.2 The generators are operated in adjustable droop mode for stability in speed control and active load

sharing. Droop mode is used for voltage regulation, which controls the reactive load power sharing.

3.1.4.3 In its operating mode, the alternator converts mechanical energy from the diesel engine into electricalenergy and supplies alternating current to the power distribution system at a constant voltage andfrequency. Active and reactive power demand is shared with other online generators through the enginegovernors and AVRs. In most cases, the alternator operates in synchronisation with other onlinegenerators. This synchronisation is maintained by the synchronising torque experienced by eachgenerator rotor though the interaction of stator and rotor field which is dependent upon the voltage at thealternator terminals.

3.1.4.4 In normal operations, the generator incomer section will be selected to ‘remote’ control and thesynchronising function will be initiated by the ICMS.





3.2 AUTOMATIC VOLTAGE REGULATOR

3.2.1.1 The Automatic Voltage Regulators (AVR) are responsible for maintaining system voltage at nominal 6.6kVand ensuring that each generator carries an equal share of the reactive power.

3.2.1.2 Each generator is fitted with a HDEC-1000 AVR which is used to regulate the level of excitation suppliedto the field of a conventional, brushless, synchronous generator. Regulation is achieved by sensing the

generator output voltage, converting it to a dc signal, and comparing the signal to a reference voltage. Anerror signal is developed and used to control the dc field power in order to maintain a constant generatoroutput.

3.2.1.3 Each regulator includes frequency compensation with selectable slope, inverse-time over excitationshutdown, build up circuitry, three phase voltage sensing, three phase shunt or permanent magnetgenerator power input, parallel droop compensation and an accessory input.

3.3 ENGINE GOVERNOR

3.3.1.1 The vessel is installed with four generators and each generator is fitted with the Woodward UG-25+

Governor which is used to convert electrical input signal to a proportional hydraulic output shaft position tocontrol engine fuel flow.

3.3.2 Generator Protection

3.3.3 Reference

1. 20114235MHS067-8 –6.6kV Switchboard

2. Protective Relay Setting Report

3.3.4 Description

3.3.4.1 Electrical protection for the 6.6kW switchboards uses microprocessor-based multifunction digital protectionrelay, the Hyundai – HIMAP-BCG.

3.3.4.2 The HIMAP - BC provides a number of protective functions that are self-resetting once the fault hascleared. These functions include:

1. ANSI-25/25A – Synchronizing check relay

2. ANSI-27/59 - Under/over Voltage

3. ANSI-32 - Reverse Power

4. ANSI-40 - Loss of excitation relay

5. ANSI-46 - Negative sequence relay

6. ANSI-47 - Phase sequence voltage relay

7. ANSI-50/51 - Overcurrent Protection Relay (Time Delayed)

8. ANSI 67G - Directional ground relay

9. ANSI-81 - Frequency relay

10. ANSI 87 – Generator differential protection relay

11. ANSI-95i - Inrush blocking relay

12. ANSI-64 – Overvoltage ground relay

3.4 6.6KV SWITCHGEAR

3.4.1 Configuration

3.4.1.1 The 6.6kV switchgear can be configured for remote auto or local manual operation.

3.4.2 Description

3.4.2.1 There are two 6.6kV switchboards and is separated by a bus tie and are equipped with withdrawable typevacuum circuit breakers (VCBs) 12kV 1250A, HVF2042, Hyundai.





3.4.2.2 The spring loading mechanism of the VCBs requires a 110Vdc supply. The 110Vdc are also used forswitchgear control logic, protection relays and indication.

3.4.2.3 Generator controls can be set to ‘LOCAL’ / ‘REMOTE’ by a push button on the local D/G control panels,where engine ‘ENG RUN’ / ‘ENG SHUTDOWN’ facilities, voltage / frequency ‘RAISE’ / ‘LOWER’ switchesand a protection ‘alarm reset’ push buttons will be available.

3.4.2.4 Voltage and current transformers will be equipped for protection, instrumentation and control.3.4.2.5 For indication to the operator, the following interface signals are received by the ICMS via RS-485 serial

communication from the MV MSB:

1. Generator voltage

2. Generator frequency

3. Power factor

4. Generator current

3.4.2.6 Each switchboard (MSB 1 and MSB 2) has two generator sections and one synchronising section with allthe necessary controls and instrumentation within the switchboard.

3.4.2.7 Generator circuit breakers can be operated in ‘remote’ and ‘local’ modes. The ‘remote/local’ selectorswitch is located on the generator section of the switchboard.

1. Remote (Automatic): The generator circuit breaker is controlled (opened / closed) by the ICMS andsynchronisation is carried out automatically be the HIMAP-BC for the respective generator.

2. Local (Manual): The generator speed and volts are controlled by local operation in front of theswitchboard by using the frequency meter, voltage meter, synchroscope and ‘RAISE / LOWER’ pushbuttons. When the volts and frequency are within tolerance to the bus and the check syncrelay in the synchronising section confirms synchronisation, the generator ‘CLOSE’ pushbutton canbe operated to close the breaker.

3.4.3 Failure Modes of the Generator and Switchboard

3.4.3.1 The significant failure modes of the generator are taken to be:

1. Severe line and or phase voltage imbalance.

2. Severe line current imbalance.

3. Under voltage.

4. Over voltage.

5. Under frequency.

6. Over frequency.

7. Earth fault.

8. Loss of synchronisation – pole slipping.

9. Spurious operation

10. Failure to open the breaker under remote or manual control

11. Failure to zero or insufficient excitation

12. Failure to full or excess excitation

13. Failure of governor to zero or insufficient fuel

14. Failure of governor to full or excess fuel





3.4.4 Failure Effects of the Generator and the switchboard

3.4.4.1 Severe line / phase voltage imbalance: This failure mode could be caused by a severe phase to phaseshort circuit within the stator winding or similar electrical fault. The generator should be tripped by the over-current protection but the remaining generator on the main switchboard (operating open bus) willexperience a very severe voltage dip. There is possibility of tripping on the remaining generator and mightblackout one main switchboard

3.4.4.2 Severe line current imbalance: This could occur as a result of a broken terminal within the generatorterminal box. Such a fault will cause an imbalance in the line currents supplied by any generatorsoperating in parallel with the faulty set. Broken conductors are an unlikely failure mode in a MV powersystem and when they do occur they may well cause other failure effects which would lead to tripping ofgenerators and loads.

3.4.4.3 Under voltage: A sustained under-voltage should not occur as the result of a fault within a single generatorwhen generators are operating in parallel but may occur when only one generator is operating on onemain switchboard. The generator automatic voltage regulators (AVRs) should maintain the power plant ata constant voltage and have their own in-built protection. Should a prolonged under voltage occur,generators connected to that switchboard section will be tripped by their under voltage protection.

3.4.4.4 Over voltage: This condition may occur in extreme cases even when the generators are operating inparallel. It will usually be associated with a failure of the automatic voltage regulator. Generators areequipped with over-voltage protection. This may blackout one switchboard section.

3.4.4.5 Under frequency: This condition should not occur as the result of a fault within a single generator when theset is operating in parallel with others but may occur when the generator is operating on its own. If aprolonged under frequency event occurs when generators are operating in parallel, all generatorsconnected to that switchboard will be tripped.

3.4.4.6 Over frequency: This condition could occur in very severe cases if the governor on one engine failed tothe ‘excess fuel’ condition. This may result in blackout of the switchboard section.

3.4.4.7 Earth fault: This could occur as the result of an electrical fault within the generator and / or its cables. Thefaulty generator should be tripped offline by its directional earth fault protection.

3.4.4.8 Loss of synchronism – Pole slipping: This failure effect normally occurs in machines with weak excitationwhich would be detected by the generator protection. However, it may also occur as the result of a severemechanical problem in the alternator or engine which causes the rotor to lose synchronism with the statorfield. The effect would be large voltage and current fluctuations. Loss of more than one generator orblackout of one main switchboard cannot be ruled out without more detailed study but the probability ofthis type of failure is generally considered to be remote in a well maintained plant.

3.4.4.9 Spurious operation: The effect of spurious operation of protection depends on the protective function. Ifprotection spuriously trips a generator offline, the effect should not affect station keeping. If only one DG isconnected this could blackout one switchboard section.

3.4.4.10 Failure to open under remote or manual control could occur due to bad connection, but would not lead

immediately to a loss of position. There is a monitoring relay on the closing coil, which reduces theprobability of this occurring but a mechanical/trip circuit problem cannot be ruled out.

3.4.4.11 Failure to zero or insufficient excitation: This would generally cause the alternator to shed VARs or drawVARs from the network with the potential to trip other generators on over current. The AVR and thegenerator control and protection relay have facilities to trip the CB when the failures are detected. Thisprotection will trip the generator off line in the event that the excitation system fails to low output. Anynumber of faults can lead to this failure mode. Imbalance faults will be detected by VMS and cause theengine to be taken off line manually after another set has been started.

3.4.4.12 Failure to full or excess excitation: would generally cause the generator to take reactive power from theother generators and has the potential to force healthy generators to trip on loss of excitation protectiondepending on the level of reactive load present at the time of failure. Whether the faulty generator actually

has the capacity to acquire the total system reactive power and force the healthy generators to theoperating point of their loss of excitation, protection depends on the operating power factor of the plant.





3.4.4.13 Failure of governor to zero or insufficient fuel: This would require the electronic governor to fail to minimumoutput signal to shut down fuel admission. Such a failure could potentially occur in the actuator drivecircuit. This will result the generator would trip off line and initiate the PMS connection of a standbygenerator. Provided the vessel was operating with adequate spinning reserve, the loss of one generatorshould not lead to loss of position although it could lead to high loading on the other online generatorresulting in load shedding functions.

3.4.4.14 Failure of governor to full or excess fuel: This would require the electronic controller to fail to maximumoutput or for engine fuel system to fail high. However this will be unlikely happen. If the controller failed insuch a way that the faulty generator was carrying more load than others but still responding to low loadchanges then the faulty engine may overload before the full capacity of other generators is reached. Thismay cause imbalance load sharing and would lead the healthy generator to shed load and cascade failtherefore a blackout cannot be ruled out.

3.4.5 Common Mode Failures Affecting Generators and switchboard

3.4.5.1 For all the generators connected to a common bus, there is the potential for them to be affected by way ofthat common bus. For example: short circuit, load sharing failure or overload. The vessel’s power plant isconfigured with a two-way split while operating in DP. Therefore in the event of common mode failure ofthe protection system, the effect could not exceed loss of half of the power plant.

3.4.5.2 All generators are in a common engine room so they share ventilation and the maximum power capabilitymay be affected by air pressure reduction due to ventilation shutdown. Refer to section 2.10 for moredetails.

3.4.6 Hidden failure affecting Generators and switchboard

3.4.6.1 This section considers the potential effect of failure of the protection to operate. The effect will depend onthe protective function that fails to operate and the nature of the failure. Routine testing of protectionequipment is acceptable mitigation for all the failures.

3.4.6.2 As circuit breakers operate infrequently, faults may only be revealed when the circuit breaker is ordered toopen/close or trip. The following failure modes could remain hidden until the switchgear is required to beoperated:

1. Failure to open under remote or manual control.

2. Failure to close under remote or manual control.

3. Failure to trip under protection control.

3.4.7 Configuration Errors That Could Defeat Redundancy

3.4.7.1 Putting the 6.6KV bus tie in close position will be a configuration error that could defeat the redundancyconcept.

3.4.8 Maloperation of the Generator Protection and Controls

3.4.8.1 The correct operation of the generator protection depends on correct design and periodic checking.

Provided the protection devices are programmed correctly there are few possibilities for maloperation. It isassumed that the vessel is being operated by competent engineers and will be tested with sufficientregularity to provide confidence that they will work when required.

3.4.9 Worst Case Failure

3.4.9.1 Generator failure may cause severe disruption to the power supply to the thrusters on individual bussection. The worst case failure will be the alternator failure which will not exceed loss of more than oneindividual 6.6kV switchboard as the switchboard is configured to operate in split bus bar.





4 POWER MANAGEMENT

4.1 INTRODUCTION

4.1.1 Reference

4.1.1.1 1221635 Rev A - Functional Description K-Chief 600 Power Management System

4.1.2 Description

4.1.2.1 The Power Management System (PMS) is a programmable hardware module integrated within the systemICMS –Integrated Control and Monitoring System. The C4 modules are programmable units for controllinggenerator plants with various switchboard configurations.

4.1.2.2 It is designed for remote operation of auxiliary engines with generators, breakers in the MSB, shaftgenerators and heavy consumers to control the power plant in such a way that there is sufficient poweravailable for consumers while at the same time making adequate contingency for increasing load or loss ofgenerating capacity.

4.1.2.3 In the event that the vessel blacks out, the PMS is programmed to restore the power supply as rapidly aspossible so that any loss of position as a result of the full or partial blackout is minimised.

4.1.3 Power management system functionality

4.1.3.1 The PMS has the following functions:

1. Remote start/stop of auxiliary engine, both in auto and semi-auto modes.

2. Remote and automatic control of generator breakers; connect, unload and disconnect, as well assynchronizing

3. Remote and automatic control of bus tie breakers; connect, disconnect and synchronizing.

4. Frequency and load control (increase/decrease) of generators in auto mode.

5. Symmetric and asymmetric load sharing between generators in auto mode.

6. Load dependent start and stop of stand-by generators.

7. Automatic stop after cooling down time of DGs.

8. Changeover function from a faulty DG to a stand-by DG by change over alarms.

9. Automatic start and connect at blackout.

10. Control of heavy consumers, start request and start granted.

11. Stand-by selection and auto-start/connection of DGs.

12. Calculation of generator values (kW, kVA, kVAr, cosφ).

4.1.4 Interlocks

4.1.4.1 If the breaker has a local/remote signal, the CB will be interlocked to connect and disconnect when the CBis set to local.

4.1.4.2 If the CB does not have local/remote switch, PMS will consider the CB as remote.

4.1.4.3 The table below shows the interlocks included in the PMS software (with reference to Figure 1-3):

Table 4-1 PMS software Interlock functionality

“O” Interlock with 10sec delay, to connect all bus ties andtransformers breakers in close loop. It is possible toconnect all CBs. However, the system will disconnect the

last connected CB within 10sec, if another CB is notdisconnected before.

MBT, HR1, LR1, LBT, HR2, LR2





LR1 Interlocked when HR1 opened

LR2 Interlocked when HR2 opened

LBT Interlocked when bus synchronisation necessary

CB notready

In case CB is in test position or has tripped, MSB sets CBNot ready signal to true and PMS uses that status for CBinterlock

MTB, HR1, HR2, STERN A,BOWT1, BOWT2, BOW A1,BOW A2, STERN T

4.1.4.4 The starting of an Auxiliary Engine (AE) is blocked if local control is selected for the engine, if a shut downcondition is detected for the actual generator engine or other start interlocks are included.

4.1.5 Load Dependent Start / Stop

4.1.5.1 In general, this vessel is configured that all the generators are running during DP operation.

4.1.5.2 Therefore load dependent start/stop function is not applicable.

4.1.6 Balanced / Unbalanced Load Sharing

4.1.6.1 The power management system can be operated in three modes of load distribution between thegenerators.

1. Balanced load sharing. (Symmetric load sharing)

2. Unbalanced mode. (Asymmetrical load sharing)

4.1.6.2 Balanced load sharing is the mode that both generators have the same percentage load set point. Whenin this mode, the load of each generator in parallel running has the same power ratio. Symmetric loadsharing is the default setting in the PMS.

4.1.6.3 Unbalanced Mode (Asymmetrical load sharing) is the mode when only two generators are connected tothe network. This function will run one generator at high load (70%) for 20 minutes, while the secondgenerator is operating at low load (minimum 20%, adjustable limits). After 20 minutes the generatorsswitch load set-point.

4.1.6.4 During DP operation, the MV switchboard bus tie is open and each bus bar is powered by two generators.Therefore balanced load sharing mode could be chosen so that both generators share the same load.

4.1.7 Frequency Control

4.1.7.1 The governors are usually set to droop mode. PMS sends increase or decrease signals to the governor tocontrol frequency and load for the DGs. Outputs from PMS can be connected to the motor potentiometerin the MSB or directly to the digital input on the electronic speed governor. All governors must have thesame droop settings.

4.1.8 Blackout Prevention

4.1.8.1 A blackout condition is defined as no voltage (‹ 10%) being measured on the bus bars in the MSB with allgenerator breakers disconnected.

4.1.8.2 The main purpose of any power management system is to ensure that the operation of the power plant issafe and reliable. Maintaining a stable source of power for the electrically driven thrusters is of particularconcern for a DP vessel. Prevention of blackouts is the main objective of any PMS on a DP vessel

4.1.8.3 The ICMS PMS system offers a number of functions to achieve this objective, including:

1. Non essential trip by the PMS.

2. Load reduction / limitation by the DP system.

3. Heavy consumer start blocking.





4.1.9 Non essential trip

4.1.9.1 Trip of non essential consumers will be executed if one of the below conditions are true:

1. If the bus bar frequency is below 55 Hz (delay 10sec).

2. If generator load (kW or current) is above 100% of nominal load/current (delay 20 sec).

3. If generator load (kW or current) is above 107% of nominal load/current (instantaneous trip).4. If a generator trips during parallel run and the remaining gets overloaded.

4.1.10 DP System Power Limitation

4.1.10.1 The DP system will limit the thruster speed orders in case the load on the corresponding bus sectionexceeds the user-defined setpoint. This function uses the status of all the switchboard tie-breakers andgenerator power readings to determine power available for each thruster. It is set up to limit thrusters whenreaching 100% of the maximum available load on a power bus.

4.1.10.2 Note that this function will not be able to handle very quick load variations; the PMS is designed to limit thepower in the ship load faster. This system will work in both the dynamic position automatic control modeas well as the DP manual thruster control mode (joystick control). An event alarm on the DP system will

be given when the load limitation has been activated.4.1.11 Heavy Consumer Start Blocking

4.1.11.1 Upon a start request from the ICMS system, the PMS will check whether the available power is sufficient toallow starting of an electric motor. If not, a standby generator start request is given. When the capacity ofthe power plant is sufficient and other start conditions are fulfilled, electric motor start order is given. Ifsufficient capacity is not reached within time out specified time, the motor start order is timed out.

4.1.11.2 The heavy consumer start block function is included in PMS function fundamentally therefore there is noselection for this.

4.1.12 Blackout Restart

4.1.12.1 In the event of a blackout on either MV MSB No.1 or MV MSB No.2, all outgoing feeders to thruster,distribution transformers will trip by under voltage protection. The bustie breakers of the 6.6kVswitchboards remain opened as DP configuration.

4.1.12.2 6.6kV switchboard reconnection: The PMS system will restore power after a blackout situation in apredetermined sequence. All available diesel generators will be started in a sequence. The first generatorto start will be the first to connect, independent of standby number. After the switchboards are powered upagain, the reconnection of 6.6kW feeder breakers will be automatically initiated.

4.1.12.3 Theoretically, a blackout exceeds the WCFDI and consideration of this scenario is out with the scope of aDP system FMEA. Blackout recovery should only ever need to operate on one switchboard section.

4.1.13 Failure Modes of the PMS

1. Failure of load sharing function

2. Failure of PMS

3. Spurious disconnection of a running generator.

4.1.14 Failure Effects of the PMS

4.1.14.1 Failure of load sharing function: Failure of load sharing function might result unbalanced load and haspossibility that the generator will operate in reverse power and trip the breaker. This could lead to loss ofone of the MV MSB’s, either No.1 or No.2 which would not exceed the worst case failure design intent.

4.1.14.2 Failure of PMS: In the event of failure of the PMS this will not result in any breaker tripping and it will notblackout the switchboard or bring any effect to the vessel. An alarm will be initiated upon failure of thePMS.

4.1.14.3 Spurious disconnection of a running generator or thruster: Choosing a different mode during DPoperations could cause spurious disconnect of an online generator or thruster. This could lead to loss ofone of the MV MSB either No.1 or No.2 which would not exceed the WCFDI





4.1.15 Hidden Failures of PMS

4.1.15.1 As with any protective function there may be no warning that anything is wrong until the function fails tooperate on demand.

4.1.16 Maloperation and Configuration Errors of the PMS

4.1.16.1 PMS control mode is chosen based on the operation. Spuriously choosing the mode may cause to tripping

of the breakers

4.1.17 Worst Case Failure - Power Management System

4.1.17.1 Most failures associated with the power management functions of the ICMS are failure to perform itsfunction or having a counter-productive interaction with the functions of other equipment.

4.1.17.2 The worst case failure identified in this analysis would not affect position keeping if the vessel is operatedwithin its environmental limitations.





5 POWER DISTRIBUTION

DG3 DG2

No.5 VCB 3P(MBT)

NO

NO

ST5

BAT3

BT1

CPP

SAT4

6.6kV MSB 1

DG2DG3DG4

No.2 VCB 3P(D2)NC

No.1 VCB 3P(D1)NC

4300kW 3300kW

BT2

6.6kV MSB 2

No.3 VCB 3P(D3)NC

No.4 VCB 3P(D4)NC

4300kW3300kW

Main TR No.26.6KV / 450V

Main TR No.16.6KV / 450V

440 MSB 1

No.1 AC 220VFeeder Panel

NO.1 main L/VTransformer

440 V/230VMCCB-1

NC

MCCB-2NC

No.2 AC 220VFeeder Panel

NO.2 main L/VTransformer440 V/230V

MCCB-4NO

DG1

No.5 ACB 3P(LBT) NO

No.4 ACB 3P(EB1) NO

No.3 ACB 3P(EB3) NC

No.7 ACB 3P(EB2) NO

No.6 ACB 3P(EB4) NCEM’CY SWBD(440V)

EG 350 kW

No.1Em’CyTransformer 430V / 230V

No.2 Em’CyTransformer

430V /230V

EM’CY 220V Feeder Batt. Charger for EGELD-1 Panel (Accom.)ELD-2 Panel (E/R)

No. 2 Steering Gear No. 2Main Air Comp. (Starter in LGSP-5)No.1 DC 110V & 24V Batt Ch.No.2 DC 110V & 24V Batt Ch.Em’cy CPP Hyd. Pump Starter Em’cy CPP Hyd Filter

Power supply unit for No.1 and No.2 DGNav. Light control panelE.C.C (UPS for No.2 ICMS)LD-4 panelEngine Control ConsoleNo.1 Accom. AC 220V section Board (LD-1,LD-3)No,1 NID

Power Supply Unit for No 3 & 4 D/G

LD-5 PanelMSB Bus Tie Panel No.2 sectionNo.2 NID

440 MSB 2

No.2 Thruster HPP Starter (A7)No.2 Thruster HPP Starter (A8)No.3 Thruster HPP Starter (A8)No.3 Thruster HPP Starter for Circ.(A9)No.3 Thruster oil filtration P/PNo.1 Main Air Compressor No.2 Serv Air Compressor Contrl Air Compressor PD-3 (E/R 440V Feeder panel)No.1 Steering Gear Starter No.2 M/E hyd start-up P/PNo.4 thruster HPP starter (A7)No.4 thruster HPP starter (A8)

No.4 thruster circ pump (A9)No.2 UPS for MVSB

No.1 Thruster HPP Starter (A7)No.1 Thruster HPP Starter (A8)No.3 Thruster HPP Starter (A7)No.3 Thruster HPP Starter for Circ.(A9)No.5 Thruster HPP Starter for Servo Pump (1)No.1 Service Air Compressor No.2 Main Air Compressor PD-1 (E/R 440V Feeder Panel)PD-2 (E/R 440V Feeder Panel)No.1 M/E Hyd Start-up P/P Starter No.1 UPS for MVSB

MCCB-3NO

No.2 Group Starter PanelNo.2 Main L.O P/PNo.2 Stern Tube LO P/PNo.2 M/E F.O circ. P/PNo.2 M/E F.O supply P/PNo.3 G/E D.O supply P/PNo.4 G/E D.O supply P/PNo.2 M/E Jacket C.F.W P/PNo.3 G/E C.S.W P/PNo.4 G/E C.S.W P/PNo.2 Central C.F.W P/PNo.3 G/E C.F.W P/PNo.4 G/E C.F.W P/P

Fwd Sec 2 Thruster C.S.W Pump (1)Fwd Sec 2 Thruster C.S.W Pump (2)Fwd Sec 2 Thruster C.F.W Pump (1)Fwd Sec 2 Thruster C.F.W Pump (2)

No.1 Group Starter PanelNo.1 Main L.O P/PNo.1 Stern Tube LO P/PNo.1 M/E F.O circ. P/PNo.1 M/E F.O supply P/PNo.1 G/E D.O supply P/PNo.2 G/E D.O supply P/PNo.1 M/E Jacket C.F.W P/PNo.1 G/E C.S.W P/PNo.2 G/E C.S.W P/PNo.1 Central C.F.W P/PNo.1 G/E C.F.W P/PNo.2 G/E C.F.W P/P

Fwd Sec 1 Thruster C.S.W Pump (1)Fwd Sec 1 Thruster C.S.W Pump (2)Fwd Sec 1 Thruster C.F.W Pump (1)Fwd Sec 1 Thruster C.F.W Pump (2)

Electrical interlock

(PD-3)-No.2 Hyd. Pump For CPP-No.3 Hyd. Pump for CPP-No.4 Oil Filtration P/P

(PD-2)-No.1 Hyd. Pump For CPP-No.3 Hyd. Pump for CPP

HR2

LR2

HR1

LR1

Figure 5-1 Simplified Single Line Drawing of Power Distribution





5.1 OVERVIEW OF THE POWER DISTRIBUTION SYSTEM

5.1.1 References

1. One Line Diagram, DWG No: 200E163040EB

2. Electric Load Analysis DWG No: 200E163020EB

3. Wiring Diagram Of Power System. DWG No: 200E163010EB4. High Voltage Switchboard DWG: 20114235 MHSO67-8

5. Low Voltage Switchboard. DWG: 200114235MMS149-5

6. Emergency Switch Board. DWG: 14235MEO158-9

5.1.2 Description:

5.1.2.1 Refer to figure 5-1, the 6.6kV bus consists of two main switchboard section, MV 6.6kV No. 1 and MV6.6kV No.2, and is operated in split bus bar during DP operation. The power distribution configuration forthe thrusters are as follows:-

i. 6.6kV MSB No: 1:- Bow Tunnel thruster (BT1), Stern tunnel thruster (ST5)

ii. 6.6kV MSB No: 2:- Bow tunnel thruster (BT2), Bow Azimuth Thruster 3 (BAZ3, Stern azimuththruster (SAT4)

5.1.2.2 In the 440V LV switchboard a 2-way split exists, separated by a single bus tie into LV 440V No.1 and LV440V No.2. LV 440V No.1 and No.2 are fed from their respective MV switchboard. The emergencyswitchboard is fed from LV 440V No.1 or from LV 440V No.2.

5.1.3 Worst Case Failure Design Intent

5.1.3.1 The worst case failure will be the fault on the 6.6 KV main switchboards No.1 that will be loss of threethrusters, which are one bow tunnel thruster, one stern tunnel thruster and the main propeller.


5.1.4.1 The normal configuration while in DP is to run the vessel with a two-way split. Please refer to thesimplified diagram in Figure 5-1 and the position of breakers is given as below:

1. Bus tie MBT is opened so that switchboards 6.6kV MSB No.1 and 6.6kV MSB No.2 isdisconnected.

2. Bus tie LBT is opened so that switchboards 440V MSB No.1 and 440V MSB No.2 is disconnected.

3. Breakers EB3 and EB4 are closed so that 440Vac ESB is connected to 440Vac MSB No.1.

4. The ME and engines pumps configuration for the DP mode are as below, Table 5-1, the words inbold will the pump on duty during DP operation.





Table 5-1 Power supplies for the essential equipments

MV Switchboard MV -1 MV -2Service Tank MGO MDODG DG1, DG2 DG3, DG4Thrusters BT1, ST5 BT2, BAZ3, SAT4LV switchboard LV -1 LV -2MCC Boards LGSP No.1A LGSP No.1B

LGSP No.2LGSP No.3LGSP No.4LGSP No.5

LGSP No.6ALGSP No.7

PD-1PD-2

LGSP No.3LGSP No.4LGSP No.5

LGSP No.6BLGSP No.7

PD-3

FW Cooling: LV -1 LV -2

No.1 ME Jacket CFW Pump (Duty)No.1 Central Cool FW Pump (Duty)

No.2 ME Jacket CFW Pump (Standby)No.2 Central Cool FW Pump (Standby)

No.1 GE CFW Pump (Duty)No.2 GE CFW Pump (Standby)Sec.1 FWD Thruster C.F.W Pump 1(Duty)Sec.1 FWD Thruster C.F.W Pump 2(Standby)

No.3 GE CFW Pump (Duty)No.4 GE CFW Pump (StandbySec.2 FWD Thruster C.F.W Pump 1(Duty)Sec.2 FWD Thruster C.F.W Pump 2(Standby)

SW Cooling: LV -1 LV -2 Aux.C.S.W.Pump

No.1 Main / Vac. Conditioning CSWPump

No.1 GE C.S.W Pump

No.2 Main / Vac. Conditioning CSWPump

No.3 GE C.S.W Pump

No.2 GE C.S.W Pump No.4 GE C.S.W PumpSec.1 FWD Thruster C.S.W Pump No.1Sec.1 FWD Thruster C.S.W Pump No.2

Sec.2 FWD Thruster C.S.W Pump No.1Sec.2 FWD Thruster C.S.W Pump No.2

LO LV -1 LV -2

No.1 Main LO Pump No.2 Main LO PumpNo1,2,3 G/E L.O Priming Pump(EPD-1) GE No.4 LO Priming Pump (MSWB No.2

Feeder Panel)No.1 ME Hyd. Start up pump Standby No.2 ME Hyd. Start up pump Standby

FO: LV -1 LV -2

No.1 ME FO Circulation PumpNo.1 ME FO Supply PumpNo.1 GE DO Supply Pump

No.2 ME FO Circulation PumpNo.2 ME FO Supply PumpNo.3 GE DO Supply Pump

No.2 GE DO Supply Pump No.4 GE DO Supply Pump

CA LV -1 LV -2No.2 Main Air Compressor (ESB) No.1 Main Air Compressor(LGSP-5B)

No.2 Service Air CompressorControl Air Compressor

Vent / HVAC LV -1 LV -2No.2 E/R Vent. Fan (Reversible) No.2 ECR Package Air Cond UnitNo.3 E/R Vent. Fan (Non-Reversible) No.2 Swbd Room Package Air





Conditioning UnitNo.1 ECR Package Air Cond Unit No.4 E/R Vent. Fan (Non-Reversible)No.1 Swbd Room Package AirConditioning Unit

No.2 Pump Room Exh. Fan (Port)

Bow Thruster room Supply Fan (ESB) No.2 W/H Package Air Conditioning UnitNo.1 Pump Room Exh. Fan (Stbd)

(LGSP-6A)No.1 WH Package Air Conditioning Unit(LGSP-6A)

CPP LV-1 LV-2Propeller CPP Hyd. Pump unit No.1and No.3(PD-2)

Propeller CPP Hyd. Pump unit No.2 andNo.3 (PD-3)

No.2 Steering Gear (EM’CY SWB) No.1 Steering Gear Starter

EM,CY CPP Hyd Pump Sarter (EM’CYSWB)EM,CY CPP Hyd Filter (EM’CY SWB)

Stern tunnel LV-1 LV-2No.5 Stern Thruster HPP Starter ForServo Pump No.1(A7,LGPS-2)No.5 Stern Thruster HPP Starter ForServo Pump No.2(A8,LGPS-2)No.5 Stern Thruster Oil Filtration PumpUnit (LGPS-2)

Stern Azi LV-1 LV-2

No.4 Stern Azimuth Thruster HPP Starter(A7)No.4 Stern Thruster HPP Starter (A8)SAZ4 Circ. Pump (A9)

Bow Azi LV-1 LV-2No3 Thruster Oil Filtration Pump( LGSP-1A)No3 Thruster HPP Starter(A7,LGSP-1A)No3 Thruster HPPCirc.Starter(A9,LGSP-1B)

No3 Thruster Oil Filtration Pump( LGSP-1B)No3 Thruster HPP Starter(A7,LGSP-1B)No3 Thruster HPPCirc.Starter(A9,LGSP-1B)

Bow tunnel 1 & 2 LV-1 LV-2

No1 Thruster HPP Starter (A7) LGSP-1A No2 Thruster HPP Starter (A7) LGSP-1BNo1 Thruster HPP Starter (A8) LGSP-1A

No1 Thruster Oïl Filtration Pump (A7)LGSP-1A

No2 Thruster HPP Starter (A8) LGSP-1B

No2 Thruster Oïl Filtration Pump (A7)LGSP-1B





5.2 6.6KV DISTRIBUTION SYSTEM

5.2.1 Reference



3. Wiring Diagram of Power System. DWG No: 200E163010EB

4. High Voltage Switchboard DWG: 20114235 MHSO67-8


6. Emergency Switch Board. DWG: 14235MEO158-9Redundancy concept

5.2.1.1 The redundancy concept at the power generation level is based on the distribution 6.6kV MV-level. Theworst case failure is the loss of three thrusters due to failure of 6.6KV MSB No.2.

5.2.1.2 Table 5-2 shows the distribution of MV generators.

Table 5-2 Distribution of MV generators and consumers

Switchboard ConnectedGenerator

Connected Thruster Other Consumers

MV No.1 DG 1 & DG 2 BT1 (Bow Tunnel 1)

BAZ3( Bow Azimuth Thr)(St:By)

ST5 (Stern Tunnel 1)

LV 440V No.1

MV No.2 DG 3 & DG 4 BT2(Bow Azimuth Thr)

BAZ3(Bow Azimuth Thr)(Main)

SAT4(Stern Azimuth Thr)

LV 440V No.2

5.2.2 Loss of supply to LV Distribution

5.2.2.1 Loss of MV MSB 1 or MV MSB 2 causes the loss of a 440V auxiliary switchboard. Even though the vesselhas automatic changeovers for the engine and CPP pumps supplies, it has been recommended from theClass to run all three (3) CPP pumps in DP mode (Cap: P1,P2=30% and P3=40%. P1 and P2 VariableDisplacement P3 fixed). In case of a drop of power to one of Main Engine CPP hydraulic pumps the CPPmay maintain operation. However, only steering gear pumps do not have auto changeover function but ismanually changeover. The configuration of the breakers for the bus tie, engine pumps and thrusters

pumps are stated in table 5-1. The words in bold will be the main pump while on the hand will be workedas hot standby.

5.2.3 Loss of supply to thrusters

5.2.3.1 Loss of MV 6.6KV No.1 will lead to loss of BT1, ST5 and CPP6. The vessel is still able to maintain positionwith remaining thruster and prevailing environment.

5.2.3.2 Loss of MV 6.6kV No.2 will lead to the loss of one BT2, BAZ3 and SAZ4. However, BAZ3 can be manuallychanged over to MV 6.6kV No.1; during the process changeover, the vessel is still able to maintainposition with remaining thrusters: one bow thruster, one stern tunnel thruster, CPP and Rudder.

5.2.4 Failure Modes of the 6.6kV Distribution System

5.2.4.1 The significant failure modes of the 6.6kV distribution system are taken to be:

1. Catastrophic electrical failure of the switchboard.

2. Spurious trip of one thruster’s feeder.





3. Spurious trip of one transformer feeder.

5.2.5 Failure Effects of the 6.6kV Distribution System

5.2.5.1 Catastrophic electrical failure of the switchboard: The MV switchboard operates in 2 way splits during DPoperation. Therefore catastrophic electrical failure of the switchboard will not exceed WCDFI.

Failure of MV No.1: Loss of BT1, ST5, secondary power supply to BAZ3 and 440Vac MSB 1 consumers.

Failure of MV No.2: Loss of BT2, BAZ3 and SAT4 and 440Vac MSB 2 consumers.

5.2.5.2 Spurious trip of one thrusters feeder: This should not lead to a critical situation as the vessel shouldalways be operated in such a way that the failure of a single thruster can be tolerated.

5.2.5.3 Spurious trip of main transformer No.1 feeder: Loss of power supply to 440V MSB No.1 should cause theautomatic changeovers of essential engines pumps however rudder standby hydraulic pump requires tobe manually changed over. If there is no manual intervention taken by the DP operator consideration maybe given to operate both steering gear pumps during the DP operation.

5.2.5.4 Spurious trip of main transformer No.2 feeder: Loss of power supply to 440V MSB No.2 should cause theautomatic changeovers of essential engines pumps and auto changeover of thrusters BAZ3 but rudderstandby hydraulic pump has to manually changeover. It is assumed that the thrusters still continue

operating. Therefore consideration may be given that both steering gear pumps are running during the DPoperation.

5.2.6 Hidden Failures of the 6.6kV Distribution System

5.2.6.1 Since the bus tie is opened in the 6.6kV distribution system, failure of the switchboard protection will notexceed the results of the worst case of the design intent. However, periodical switchboard maintenanceand protection testing is sufficient mitigation against hidden failures of protective functions.

5.2.7 Common Mode Failures Affecting the 6.6kV Distribution System

5.2.7.1 Since the 6.6kV main switchboard is operating with an open bus tie, the only failures that have beenidentified was only affect one of the 6.6kV MV switchboard section 2 which equal to WCFDI.

5.2.8 Worst Case Failure of the 6.6kV Distribution System5.2.8.1 The worst case failure of the 6.6KV distribution system will be failure of 6.6KV MSB No.1 which is loss of

BT1, ST5 and CPP6. The vessel is still able to maintain the position but it depends on the prevailingenvironment.





5.3 LV DISTRIBUTION SYSTEM

5.3.1 Reference



3. Wiring Diagram Of Power System. DWG No: 200E163010EB4. High Voltage Switchboard DWG: 20114235 MHSO67-8



5.3.2 Location

5.3.2.1 The main 440V switchboard is located in switchboard room.

5.3.2.2 The emergency switchboard is located in emergency genset room.

5.3.3 Redundancy Concept

5.3.3.1 The redundancy concept of the distribution system is based on a two way split, which LV 440Vac No.1and LV 440Vac No.2 are supplied from 6.6kV switchboards No.1 and No.2 respectively. The WCFDI is theloss of one of the 440Vac bus bar and loss of thrusters one of the hydraulic pump and engines mainpumps, however all the pumps are backup by standby pump from another bus bar. If failure of either 440Vswitchboard the pumps will auto changeover except steering gear pumps.

5.3.4 440V Distribution

5.3.4.1 The 440V distribution system is based on a two-way split with LV 440Vac No.1 and LV 440Vac No.2 aresupplied from 6.6kV switchboards No.1 and No.2 respectively. Refer to Tables 5.3 and 5.4 for details ofthe power distribution to the consumers.

5.3.4.2 The step down transformer for 6.6KV / 440V is used air cooled and the transformers are located in themedium voltage transformer room.

5.3.4.3 The LV distribution supports the redundancy concept by supplying two pumps from separate sides of thephysical two-way split. Refer to Table 5-1 for the thruster and engine pump power supplies.





Table 5-3 440V feeder panel: LV1 and LV2

440V SWITCHBOARD LV1

MAIN INCOMING POWER FROM TRANSFORMER MV 6.6KV

440V SWITCHBOARD LV2

MAIN INCOMING POWER FROM TRANSFORMER MV 6.6KV

EMERGENCY SWITCHBOARD NO.1 PACKAGED TYPE AIR-CON FOR ECR EMERGENCY SWITCHBOARD NO.2 PACKAGED TYPE AIR-CON FOR ECR

LGSP-1A NO.1 PACKAGED TYPE AIR-CON FOR SWBDROOM

LGSP-1B NO.2 PACKAGED TYPE AIR-CON FOR SWBDROOM

LGSP-2 NO.1 VACUUM PUMP FOR CARGO STRIPPING LGSP-3SEC.2 NO.2 VACUUM PUMP FOR CARGO

STRIPPING

LGSP-3 SEC.1 NO.1 M/E HYD.START-UP PUMPSTARTER LGSP-4 NO.2 M/E HYD.START-UP PUMPSTARTER

LGSP-4 NO.1 BOILER POWER PANEL LGSP-5 NO.4 G/E L.O PRIMING PUMP

LGSP-5 NO.1 UPS FOR MSVB LGSP-6B NO.2 BALLAST PUMP

LGSP-6A SEC.1 E/R CRANE MAIN SWITCH BOX LGSP-7 REMOTE V/V HYD. POWER UNIT

LGSP-7 NO.1 BALLAST PUMP G-1 (GALLEY 440V FEEDER PANEL) NO.2 AIR CONDITIONING PLANTCOMPRESSOR

PD-1 (E/R 440 FEEDER PANEL) ODME SAMPLING PUMP LOCAL FIRE FIGHTING PANEL CYL. LUB. HEATING UNIT

PD-2 (E/R 440 FEEDER PANEL) NO.1 AIR CONDITIONING PLANT COMPRESSOR PD-3 (E/R 440V FEEDER PANEL) PORT HOSE HAND. CRANE ST.

NO.1FWD. DECK MACHINERY PROV. REF. PLANT COMP NO.1 STEERRING GEAR STARTER SAZ4 HPP STARTER(A7)

NO.1 AFT. DECK MACHINERY ST’BD HOSE HAND. CRANE ST. NO.2 FWD. DECK MACHINERY SAZ4 HPP STARTER(A8)

BLS NO.1 HYD PUMP ST INCENERATOR BLS NO.2 HYD PUMP ST SAZ4 CIRC. PUMP (A9)

NO.1 AUX BLOWER W.O TANK CONTROL. PANEL NO.2 AUX BLOWER NO.2 AFT DECK MACHINERY

NO.1 INERT GAS BLOWER FAN NO.2 G/E L.O PRIM PUMP ST. NO.2 INERT GAS BLOWER FAN NO.2 UPS FOR MVSB

NO.1 TRANSFORMER NO.2 TRANSFORMER NO.2 BOILER POWER PANEL

NO.2 BOILER POWER PANEL





Table 5-4 440V Group Starter Panels

440Vac GSP No.1

INCOMING POWER FROM 440V FEEDER PANEL No.1

440Vac GSP No.2

INCOMING POWER FROM 440V FEEDER PANEL No.2

MAIN LO PUMP NO.1 NO.1 G/E C.S.W PUMP NO.2 MAIN LO PUMP N0.2 CENTRAL C.F.W PUMP

NO.1 STERN TUBE LO PUMP NO.2 G/E C.S.W PUMP NO.2 STERN TUBE L.O PUMP NO.3 G/E C.F.W PUMP

NO.1 M/E FO CIRCULATION PUMP N0.1 CENTRAL C.F.W PUMP NO.2 M/E F.O CIRCULATION PUMP NO.4 G/E C.F.W PUMP

NO.1 M/E FO SUPPLY PUMP

NO.1 G/E C.F.W PUMP NO.2 M/E F.O SUPPLY PUMP M/E CHEM. CLEANING PUP

NO.1 G/E D.O.SUPP. PUMP NO.2 G/E C.F.W PUMP NO.3 G/E D.O.SUPP. PUMP NO.4 E/R VENT. FAN (NON-REV)

NO.2 G/E D.O.SUPP. PUMP NO.2 E/R VENT. FAN (REV) NO.4 G/E D.O.SUPP. PUMP NO.2 COPT CONDITIONING WATER PUMP

NO.1 BOILER FEED WATER PUMPNO.3 E/R VENT. FAN (NON-REV) NO.2 BOILER FEED WATER PUMP NO.2 DECK W SEAL PUMP

NO.1 ECONIMIZER FEED W. PUMP NO.1 COPT CONDITIONING WATERPUMP

NO.2 ECONIMIZER FEED W. PUMP FWD SEC.2 THRUSTER C.S.W PUMP (1)

NO.1 BOILER W. CIRC. PUMP NO.1 DECK W SEAL PUMP NO.2 BOILER W. CIRC. PUMP FWD SEC.2 THRUSTER C.S.W PUMP (2)

NO.1 M/E JACKET C.F.W PUMP FWD SEC.1 THRUSTER C.S.W PUMP (1) NO.2 M/E JACKET C.F.W PUMP FWD SEC.2 THRUSTER C.F.W PUMP (1)

NO.1 MAIN/VAC. COND C.S.W PUMPFWD SEC.1 THRUSTER C.S.W PUMP (2) NO.2 MAIN/VAC. COND C.S.W PUMP FWD SEC.2 THRUSTER C.F.W PUMP (2)

AUX C.S.W PUMPFWD SEC.1 THRUSTER C.F.W PUMP (1) NO.3 G/E C.S.W PUMP NO.4 G/E C.S.W PUMP

FWD SEC.1 THRUSTER C.F.W PUMP (2)





440Vac LGSP No.1A (SECTION1)

440Vac LGSP No.1B (SECTION 2) 440Vac LGSP No.2 (SECTION 1) 440Vac LGSP No.3(SECTION 1)

440Vac LGSP No.3 (SECTION 2)

BT1 HPP Starter (A7) F’Cle Transformer No.1 COPT L.O Prime Pump N0.1 Bilge, Fire & G/SPump

NO.2 BILGE, FIRE & G/S PUMP

BT1BT1 HPP Starter (A8) ICCP (FWD IGG Scrub. C.S.W Pump Bilge Circ Pump MDO TRANS. PUMP

BT1BT1 Oil Filtration Pump Bosun Store Supply Fan C.O.P Drain Trans. Pump Sludge Pump HFO TRANS. PUMP

BAZ3 HPP Starter (A7) BT2 HPP Starter (7)

Servo Pump 1

F.W.Generator Unit Oily Bilge Pump OILY BILGE SEPARATOR

BAZ3BAZ3 HPP Starter For Circ.Pump (A9)

BT2 Oil Filtration Pump Unit ST5 HPP St. For Servo Pump (1) -

R.P For Elec. Arc Welder No. 3 Thruster HPP Starter (A8)

Servo Pump 2

ST5 HPP St. For Servo Pump (2) -

B.L.S Local Cont. Panel BAZ3 HPP Starter For Circ. Pump (A9) ST5 Oil Filtration Pump Unit -

B.L.S crane BAZ3 Oil Filtration Pump L.O Transfer Pump -

BT2 HPP Starter (8)

Servo Pump 2





440Vac LGSP -4 (SECTION 1) 440VacL GSP -4(SECTION 2) 440Vac LGSP -5 (SECTION 1) 440Vac LGSP -5 (SECTION 2)

No.1 H.F.O Purifier No.2 H.F.O Purifier No.1 Service Air Compressor No.1 Main Air Compressor

No.1 H.F.O Puri. Sup. Pump No.2 H.F.O Purifier. Sup. Pump Deck Air Compressor No.2 Service Air Compressor

No.1 M/E L.O Purifier No.2 M/E L.O Purifier Vacuum Toilet SystemControl Air Compressor

No.1 Sup. Pump L.O Purifier No.2 M/E L.O Puri. Sup. Pump Sewage Treatment System No.2 COPT Prim L.O Pump

No.1 G/E L.O Purifier No.2 G/E L.O Purifier Aft ICCP SystemNo.1 G/E Turning Gear

Purifier room Exh. Fan No.2 G/E L.O Puri. Sup. Pump No.2 Main Air Compressor (ESBD)No.2 G/E Turning Gear

No.1 G/E D.O Auto Filter No.2 G/E D.O Auto Filter - -

Calorifier M.G.O Chiller Unit - -

No.1 G/E L.O Puri Sup. Pump





5.3.5 Emergency Power

5.3.5.1 The emergency distribution supplies AC power to steering gear, diesel generator LO priming pump, engine room supply fan and battery charger. Refer to Table 5.6 forthe emergency 440V power distribution.

5.3.5.2 The 440V 3-phase, 60Hz emergency switchboard is a single bus. Emergency switchboard primary connected from 440V Feeder Panel No.1 secondary from 440VacFeeder Panel No.2. The two breakers have interlock in order to prevent inadvertent operation. It also connected with the emergency generator of rating 350KW, 450V3ph 60Hz.

5.3.5.3 The 220V emergency switchboard is a single bus connected to the emergency 440V switchboard via two stepdown transformers 60kVA 3 phase 430V/230V.

Table 5-5 Emergency Power Distribution

440V EMERGENCY SWBD

NO.2 STEERING GEARDeck Foam Pump Starter EM’CY CPP HydFilter Steering Gear Room Supp. Fan

No.2 Main Air Compressor(Starter in LGSP-5)

No.1 DC 110V & 24V Batt. Ch. LGSP-1E1 (Bow Th. Rm Supp.Fan,Watchman Cab. Supp. Fan, BLS Foam P.)

Foam Room Exh. Fan

Elec. Whistle Relay Box No.2 DC 110V & 24V Batt. Ch. EPD-1 (No.1,2,and 3 G/E Lo.Prim. P, Hyd

Oil Auto Filt. Pan.Paint Store Exh. Fan

Elevator Control Panel S-Band Radar Control Unit Emergency Fire Pump Chemical Store Exh. Fan

High Foam Cont. Panel EM’CY CPP Hyd. Pump Starter No.1 E/R Vent. Fan (Rev) No.1 & 2 Emergency Transformer

No.1 & 2 UPS For MVSB

220V EMERGENCY MSBD

ELD-1 Panel (Accom) No.2 NID Panel EM’CY D/G Room Light Relay Box For AutoTel.

Steering Gear Room Ligth

ELD-2 Panel (E/R) FIRE ALARM PANEL J/B for Life Rescue Boat Battery Charger(Port)

Deep Fat Fryer Relay Box

Navigation Lighting Control Panel Bridge Control Console Public Addressor LGSP-1E2 (Speed Log Trans. Unit, Auto Tel. For BowThruster Room)

No.1 NID Panel Batt. Ch For EM’CY Generator Cargo Cont. Console Foam Room Lighting





Coolant Heater For EM’CY Generator General R.P Engine Control Console

Relay Box for auto tel





5.3.6 Failure Modes of the 440V Distribution System

5.3.6.1 The significant failures of the 440V distribution system are taken to be:-

1. Short circuit on main transformer no.1.

2. Short circuit on main transformer no.2.

3. Short circuit on 440V feeder panel‘1’. 4. Short circuit on 440V feeder panel ‘2’.

5. Failure of 440V auxiliary switchboard.

6. Short circuit on 440V emergency switchboard.

5.3.7 Failure Effects of the 440V Distribution System

5.3.7.1 Short circuit on main transformer T1: will result in loss of main transformer T1, the vessel will lose BT1 ,ST5 and all consumers on LV 440V switchboard bus bar ‘1’ listed in Table 5-3 and Table 5-4. All thethrusters and engines pumps are backup each other, if the 440Vac feeder panel no.1 failure, all thebackup pumps will auto start. There is no effect for the thrusters BT2, BAZ3 and SAT4 and the CPP willcontinue running when in DP mode due to the remaining two (2) hydraulic pumps is still engaged.

5.3.7.2 Short circuit on main transformer T2: will result in the loss of main transformer T2, the vessel will lose BT2,BAZ3, SAT4 and all consumers on 440V switchboard bus bar ‘2’. All the thrusters and engines pumpsbackup each other, if the 440Vac feeder panel no.2 failure, all the backup pumps will auto start. ThrustersBT1, ST5 should continue to operate.

5.3.7.3 Short circuit on 440V switchboard bus bar ‘1’: Is a very unlikely failure mode; however, if it did occur, theeffect would be the same as short circuit on main transformer T1.

5.3.7.4 Short circuit on 440V switchboard bus bar ‘2’: Is a very unlikely failure mode; however, if it did occur theeffect would be the same as short circuit on main transformer T2.

5.3.7.5 Failure of 440V auxiliary switchboard: Failure effect of either auxiliary switchboard should be less thanWCFDI. All the pumps for thrusters and main engine should back up each other,

1. Failure of LGSP 1A: leading to loss of thruster no.1 and backup supply for thruster no.3. Themachinery that lose BT1 HP Starter Cab. Servo Pump 1 & 2, BT1 oil filtration pump, BAZ3 HPPStarter Cab. Servo Pump 1 and BAZ3HPP Starter Cir. Pump 1. Failure of LGSP 1A will not exceedthe WCFDI.

2. Failure of LGSP 1B: leading to loss of BT2 and main supply for BAZ3. In the event failure of mainsupply to the BAZ3 the power supply of the BAZ3 can be manual changeover to LGSP 1A. Themachinery that losses are BT2 HP Starter Cab. Servo Pump 1 & 2, BT2 oil filtration pump, BAZ3HPP Starter Cab. Servo Pump 2 and BAZ3 HPP Starter Cir. Pump 2. Although loss of BAZ3 butthis can be manual restore the BAZ3 and resume the DP operation again. Failure of LGSP 1B willnot exceed the WCFDI.

3. Failure of LGSP 2:- leading to loss of Stern Tunnel Thruster No.5 which will lose power supplies toST5 HPP Starter Cab. Servo Pump No.1 & 2, ST5 Oil Filtration Pump and other auxiliarymachinery. Failure of LGSP 2 will not exceed the WCFDI.

4. Failure of LGSP 3 section 1 :- LGSP No.3 section 1 is fed from LV 440Vac main feeder panel No.1.Loss of LGSP 3 (section 1) will lead to loss of No.1 Bilge, Fire & GS Pump, and other non-DPrelated machinery. This will have no effect on the DP operation.

5. Failure of LGSP 3 (section 2):- LGSP No.3 section 2 is fed from LV 440Vac main feeder panelNo.2. Loss of LGSP 3 (section 2) will lead to the loss of No.2 Bilge, Fire & GS Pump, MDOTransfer Pump, HFO Transfer Pump and other non-DP related machinery. This will have no effecton the DP operation.





6. Failure of LGSP 4 (section 1):- LGSP No.4 (section 1) is fed from LV 440Vac main feeder panelNo.1. Failure of GSP No.4 will lose power supplies to No.1 HFO purifier, No.1 HFO purifier supplypump, No.1 main LO purifier, No.1 LO Purifier Supply Pump, No.1 GE LO purifier, No.1 GE LOPurifier supply pump, No.1 GE DO auto filter and other non-DP related machinery. All the purifiersand feed pumps in the LGSP 4 (section 1) are backup with the purifiers and feed pumps in theLGSP 4 (section 2). Failure of LGSP 4 (section 1), will have no effect on the DP operation.

7. Failure of LGSP 4 (section 2):- LGSP No.4 (section 2) is fed from LV 440Vac main feeder panelNo.2. Failure of LGSP No.4 will loss of power supplies to No.2 HFO purifier, No.2 HFO purifiersupply pump, No.2 main LO purifier, No.2 LO Purifier Supply Pump, No.2 GE LO purifier, No.2 GELO Purifier supply pump, No.2 GE DO auto filter and other non-DP related machinery. All thepurifiers and feed pumps in the LGSP 4 (section 2) will be backup by the purifiers and feed pumpsin the LGSP 4 (section 1). Failure of LGSP 4 (section 2), will have no effect on the DP operation.

8. Failure of LGSP 5 (section 1):- LGSP No.5 section 1 is fed from LV 440Vac main feeder panelNo.1. Failure of LGSP No.5 section 1 and will lose power supplies to No.1 Service Air Compressorand other non relevant DP machinery and therefore will have no effect on the DP operation.

9. Failure of LGSP 5 (section 2):- LGSP No.5 section 2 is fed from LV 440Vac main feeder panelNo.2. Failure of LGSP No.5 section 2 will lose power supplies to No.1 Main Air Compressor, No.2Service Air Compressor, Control Air Compressor and other non relevant DP machinery thereforewill have no effect on the DP operation.

10. Failure of LGSP 5 (section ESB):- LGSP No.5 section ESB is fed from LV 440Vac ESB. Failure ofLGSP No.5 section ESB will lose power supplies to No.2 Main Air Compressor and other nonrelevant DP machinery and therefore will have no effect on the DP operation.

11. Failure of LGSP 6 (section 1):- LGSP No.6 (section 1) is fed from LV 440Vac main feeder panelNo.1. Failures of LGSP No.6 will lose No.1 Pump Room Exh. Fan (STBD), No.1 WH Package AirCond Unit and other non relevant DP systems. Failure of LGSP 6 (section 1), will lead to one airconditioning unit on the bridge, and one fan in the pump room. However this will have no effect onthe DP operation.

12. Failure of LGSP 6 (section 2):- LGSP No.6 (section 2) is fed from LV 440Vac main feeder panelNo.2. Failures of LGSP No.6 will loss of No.2 Pump Room Exh. Fan (Port), No.2 WH Package AirCond Unit and other non relevant DP systems. Failure of LGSP 6 (section 2), will lead to the loss ofone air conditioning unit on the bridge, and one fan in the pump room. However this will have noeffect on the DP operation

13. Failure of LGSP 7 (section 1):- LGSP No.7 (section 1) is fed from the emergency 440V feederpanel No.1. Failure of LGSP No.7 will lose the ME LO auto filter, ME FO auto filter and other nonrelevant to DP machinery. Failure of LGSP 7 (section 1), this will have no effect on the DPoperation.

14. Failure of LGSP 7 (section 2):- LGSP No.7 (section 2) is fed from LV 440Vac main feeder panelNo.2. Failure of LGSP No.7 and will lose other non-relevant DP equipment. Therefore have no

effect on the DP operation.

15. Failure of PD-2 :- PD-2 is fed from LV 440Vac main feeder panel No.1. Failure of PD-2 and will losethe power supply to No.1 CPP Hyd. Pump Starter, No.3 CPP hyd. Pump Starter and othermachinery. Failure of two CPP hyd. Pumps will not lead to loss of the CPP in the DP system. TheCPP will continue operate with No.2 CPP Hyd. Pump, along with No.3 CPP hyd. Pump powersupplies can be changed over to backup supply from PD-3. Failure of PD-2, will not lose the CPPas the hydraulic unit will still be operational.





16. Failure of PD-3:- PD-2 is fed from LV 440Vac main feeder panel No.2. Failure of PD-3 will losepower supply to No.2 CPP Hyd. Pump Starter, No.3 CPP hyd. Pump Starter, SAZ4 oil filtrationpump and other machinery. Failure of two CPP hyd. Pumps will not lead to loss of the CPP in theDP system. The CPP will continue operate with No.1 CPP Hyd. Pump, along with No.3 CPP hyd.Pump power supplies can be changed over to backup supply from PD-2. Failure of PD-3, will notlose the CPP as the hydraulic unit will still be operational.

17. Failure of EPD-1:- EPD-1 is fed from LV 440Vac ESB. Failure of EPD-1 will lose power supply toNo.1 and 3 GE LO Priming Pump, Hyd. Oil Auto Filter Cont. Panel. In the event failure of EPD-1 itwill have no effect on the DP operation

5.3.7.6 A short circuit on 440V emergency switchboard: will result in loss of supply to No.1 E/R Vent. Fan(Reversible), the Emergency fire pump, steering gear room fan, No.2 Steering gear starter, EmergencyCPP hyd. Pump Starter, Emergency CPP Hyd. Filter Starter, engine control console, bridge controlconsole and other non related DP equipment. It also provides a second power supply to No.1 and No.2UPS for MV Switchboard and the UPS will be backup by the battery bank. Losing steering gear No.1 willnot lead to loss of the rudder No.2 steering gear will be running as well.

5.3.8 Hidden Failures of the 440V Distribution System

5.3.8.1 Failure of the Emergency Generator to re-power the Emergency Switchboard on loss of its normal supplyfrom Bus ‘1’ and Bus ‘2’ is also a potential hidden failure.

5.3.8.2 Failure of the pumps that are unable to auto changeover is a potential hidden failure

5.3.9 Configuration Errors of the 440V Distribution System That Could Defeat Redundancy

5.3.9.1 The vessel safest mode of operation is to operate with the 440V busties open so that the fault remainslimited to one section of the switchboard.

5.3.9.2 The configuration of the engine and thruster pumps has to be configured accordingly during DP operationto prevent loss of all thrusters in the same time.

5.3.10 Maloperation of 440V Distribution System

5.3.10.1 No potential acts of maloperation have been identified in this analysis that would exceed the WCFDI asthe transformer breakers are interlocked and the emergency generators are interlocked with the 440Vacmain bus bar.

5.3.11 Worst Case Failure of the 440V Distribution System

5.3.11.1 The WCFDI with respect to the low voltage distribution system is the failure of one of the LV switchboard.This would result in failure of all the equipment including generators, main engines and thruster marineauxiliaries powered from that switchboard. However all these systems are equipped with standby unitsthat are powered from the second low voltage switchboard. Refer to Tables 5-1, and 5-3 for details.





5.4 220V DISTRIBUTION SYSTEM

5.4.1 Reference


2. Wiring Diagram Of Power System. DWG No: 200E163010EB

3. High Voltage Switchboard DWG: 20114235 MHSO67-8M34-1&2 HN1960s HMSB Rev. 04. Low Voltage Switchboard. DWG: 200114235MMS149-5



7. AC220V Navi Inst Distribution Board (NID) DWG: 200E466010EB

8. Diesel G/E Control & Monitoring System, DWG No: 200E364010EB

5.4.2 Location

5.4.2.1 The main 220V switchboard is located in the switchboard room

5.4.3 Description5.4.3.1 The 220V switchboard consists of two main sections, Bus bar ‘No.1’ and Bus bar ‘No.2’. The 220V

switchboard is a 60Hz, three wire system which supplies power to vessel navigation / instrumentation,engine control console, bridge control console, UPSs and 220V lighting distribution boards.

5.4.3.2 The 220Vac Feeder Panel No.1 is connected with 440V LGSP No.1 via a 440V/ 230V, 250kVAtransformer T1. The 220Vac Feeder Panel No.2 is connected with 440V GSP Panel No.2 via a 440V/220V, 250kVA transformer T2.

5.4.3.3 There are two different section distribution panels for the accommodation AC 220Vac where the Accom. AC 220V Section 1 board is fed from 220Vac Feeder panel no.1, whilst the 220V Section 2 board is fedfrom 220Vac feeder panel No.2.

5.4.3.4 220V engine control console (ECC) and 220Vac No.1 Navigation & instrumentation distribution board canbe powered from either the 220Vac MSB 1 or 220Vac ESB. During DP operations, both distribution boardsare to be supplied from 220Vac MSB 1 and the backup supply is fed from 220Vac ESB.

5.4.3.5 The No.2 Navigation & Instrumentation distribution board (No.2 NID) can be supplied either from 220VacMSB 2 or the 220Vac ESB. During DP operations, the No.2 NID is to be supplied from the 220Vac MSBNo.2

5.4.3.6 The 220Vac Bridge control console can be fed by the 220Vac Accom. AC 220V Section 2 board or the220Vac ESB. During DP mode, it is to be supplied from the Accommodation. AC 220V Section 2.

5.4.3.7 Refer to Table 5-6 and Table 5-7. For the consumer list

Table 5-6 220V feeder panel No.1 and No.2

220V SWITCHBOARD No.1

MAIN INCOMING POWER FROM TRANSFORMER440V

220V SWITCHBOARD No.2

MAIN INCOMING POWER FROM TRANSFORMER440V

Accommodation. AC 220V section board (Sec.1) Accommodation AC 220V section Board (Sec.2)

ER & P/R High Expansion system (Source no.1) No.2 Battery Charger & Discharge Board

No.1 NID LD-5 Panel

E.C.C (UPS for No.2 ICMS) No.2 NIDLD-4 Panel No.2 Control Air Dryer





5.5 24VDC POWER DISTRIBUTION


1. 200E466010EB : Battery Charger & Discharger Board (BCD)

5.5.2 Location

5.5.2.1 The 24Vdc system charging and discharging board located in the navigation locker.

5.5.3 24Vdc Distribution System

5.5.3.1 There are two 24Vdc systems on the vessel each with a 24Vdc system including battery charger andbattery bank. The No.1 battery charger is fed from the 220Vac Bridge Control Console Dist. board whilstthe No.2 battery charger is fed from the 220Vac No.2

5.5.3.2 The 24Vdc system distributes to the ECC 24Vdc power distribution panel and bridge control consoledistribution board. The 24Vdc consumers’ are listed in Table 5-8.

5.5.3.3 The ECC 24V power distribution panel is connected with dual power supplies and is fitted with an auto

changeover function. The primary 24Vdc is from the 220Vac Feeder panel No.1 through a transformer tothe 24Vdc system whilst the second 24Vdc power supply is fed from the No.1 Battery Charging andDischarging board.

5.5.3.4 The bridge control console panel has dual power supplies with auto changeover function. The primary24Vdc is fed from the 220Vac Feeder panel No.2 and is then rectified to the 24Vdc power supply, whilstthe second 24Vdc power supply is fed from the No.1 Battery Charging and Discharging board.





24VDC SYSTEM

DC24V BATERY CHARGING & DISCHARGING BOARDNo.1

DC24V BATERY CHARGING & DISCHARGINGBOARD No.2

No.1 Gyro Compass Engine Control Console

No.1 Wind Serial Splitter PSU for DARPS Wing Display

Engine Control Console No.2 Bow Tunnel Thruster

Bridge Control Console Bow Azimuth Thruster

No.1 Bow Tunnel Thruster Aft Azimuth Thruster

Aft Tunnel thruster No.2 Gyro Compass

PSU for DARPS Wing DisplayNo.2 Wind Serial Splitter

Emergency SwitchboardFanbeam Serial Splitter

No.3 Wind Serial SplitterNo.3 Gyro Compass

Gyro Switchover Unit

Bridge Control Console DC 24 DIST. BOARDENGINE CONTROL CONSOLE 24V POWERDIST. BOARD

Non Relevant DP equipment JME-1 [ME WIO Trans. Unit]

JME-2 [ME FO Leak Lvl Sw]

JME-3 [ME PCO Arm Monit. Box]

CPP Local & Zero Pitch Unit

Table 5-8 24Vdc Supplies to Engine Junction Boxes

5.5.4 UPS for MV switchboard

5.5.4.1 There are two UPS supplying the 110Vac control power supplies for the MV MSB VCB Control circuit,while 24Vdc supplies for No.1 ICMS, LV Switchboard and MV switchboard. These 110Vdc / 24Vdcsystems are located in the main switchboard room.

5.5.4.2 Each of the UPS systems take dual redundancy from 440Vac Feeder panel and 440V EmergencySwitchboard.

i. UPS No.1 takes its supply from No.1 440Vac Feeder Panel and 440Vac ESB

ii. UPS No.2 takes its supply from No.2 440Vac Feeder Panel and 440Vac ESB

5.5.4.3 The 110Vdc supplies power to the MV MSB control circuit whilst the 24Vdc supplies to the MV MSB bustie panel control circuit, LV Switchboard control circuit and to No.1 ICMS.

5.5.4.4 MV MSB No.1 Control circuit is powered from the 110Vdc UPS No.1 and No.2. It is the same as MV MSBNo.2.

5.5.4.5 Each of the 110Vdc load circuits is supplied from both battery chargers and diode isolation is used forswitchboard control supplies. The shipyard has to provide the discrimination studies regarding this diodeisolation to ensure it will not cause a blackout of the vessel and not trip the upper stream.





5.5.5 Failure Modes of the Power Distribution

1. Short circuit of 220V Feeder Panel No.1.

2. Short circuit of 220V Feeder Panel No.2.

3. Power failure of 220V ECC Distribution board

4. Short circuit of 220V Engine Control Console distribution board.

5. Power failure of 220V Nav. & Instrumentation distribution board.

6. Short circuit of 220V Nav. & Instrumentation distribution board.

7. Short circuit of 24V battery charging and discharging board.

8. Short circuit of 24V ECC board.

9. Short circuit of 24V Nav. & Safety equipment distribution board.

10. Short circuit on service transformer T1 feeder.

11. Short circuit on service transformer T2 feeder.

12. Short circuit on 220Vac emergency switchboard.

13. Short circuit on emergency transformer.

14. Failure of one of the battery charger to MV MSB.

15. Short circuit of one of the 110Vdc / 24Vdc system to MV MSB.

16. Failure of both 110Vdc / 24Vdc system to MV MSB.

5.5.6 Failure Effects of the Power Distribution

5.5.6.1 Short circuit of 220V Feeder Panel No.1: This would results in a loss of power supply to No.1 Navigation

Instrument Panel, ECC (UPS for No.2 ICMS), Engine control console, Accom. 220V Section board, No.1MV SWBD GPT Panel, Power Supply unit for No1 & 2 DG and other non relevant DP equipment. Loss ofone of the power supply to No.1 & No.2 DG will not stop the DG operation.

5.5.6.2 Short circuit of 220V Feeder Panel No.2: This would result in a loss of No.2 Navigation InstrumentationDistribution Panel, Accom. 220V Section board, No.2 MV switchboard, power supply unit for No.3 & 4 andnon-relevant DP equipment. Loss of one of the power supply to No.3 & No.4 DG will not stop the DGoperation.

5.5.6.3 Power failure to the 220V ECC distribution board: 220V ECC Dist. Board is supplied by LV220V MFP No.1and ESB 220V, if one power supply fails it will then auto changeover to the other power source. This willbe a hidden failure when the auto changeover is not occurred, the failure effect will be loss of 220V ECCDist. Board. Refer to the Section 5.5.6.4 for the failure effects.

5.5.6.4 A short circuit of 220V Engine control console distribution board: would not lead to the loss of the ME asthere is a redundant power supply B which is supplied from the No.2 AC 220 V Feeder Panel. The ECCsupplies to all the Generator Control Systems are supplied via 24 VDC UPS. As such, there will be noapparent effect on the loss of this distribution board apart from the loss of supply to the UPS supplying theGenerator Control System.

5.5.6.5 Power failure to 220V Navigation & Instrumentation distribution board No.1: 220V Navigation &Instrumentation distribution board no.1 is supplied by 220Vac No.1 Feeder panel and ESB 220V, eitherone power supply failure will be auto changeover to the other power sources. This will be hidden failurewhen the auto changeover is not to occur, the failure effect will be loss of 220V Navigation &Instrumentation distribution board. This will lead to loss of main supply to BT 1 control system, ST5 controlsystem, and No1 UPS for DP system. The thrusters will still continue operating as there will be backup

supply from the 24Vdc power supplies. This will not immediate affect the DP computer system, due tofailure of supply to No.1 UPS. There will be having minimum 30 minutes battery backup from the UPS.





5.5.6.6 Power failure to 220V Navigation & Instrumentation distribution board No.2: 220V Navigation &Instrumentation distribution board no.2 is supplied by 220Vac No.2 Feeder panel and ESB 220V, eitherone power supply failure will be auto changeover to the other power sources. This will be hidden failurewhen the auto changeover is not to occur, the failure effect will be loss of 220V Navigation &Instrumentation distribution board. This will lead to loss of main supply to BT 2 control system, BAT3control system, SAT4 control system, C-Joy control cabinet and No2 UPS for DP system. The thrusters

will still continue operating as there will be backup supply from the 24Vdc power supplies. This will notimmediate affect the DP computer system, due to failure of supply to No.2 UPS. There will be havingminimum 30 minutes battery backup from the UPS.

5.5.6.7 Short circuit / Failure of No.1 24V battery charging and discharging board: This would result in the loss ofno.1 and no.3 Wind serial splitter, power supply to engine control console, one of the power supply to No.1Gyro compass, power supply to bridge control console, lighting supply to emergency switchboard, PSU forDARPS wing display, backup supply to BT 1 and backup supply to ST 5.

5.5.6.8 Short circuit of No.2 24V battery charging and discharging board: This would result in the loss of no.2Wind serial splitter, power supply to engine control console, one of the power supply to No.2 & No.3 Gyrocompass, PSU for DARPS wing display, backup supply to BT 2, BAT3 and SAT 4.

5.5.6.9 Short circuit of 24V Engine control console distribution board: will cause loss of monitoring system for theME and will not lead to loss of ME or CPP. This has to be proven during the proving trials.

5.5.6.10 Short circuit of 24Vdc Bridge control console dist. Board: There will be no effect to the DP operation as theconsumers are not relevant to DP equipment.

5.5.6.11 Short circuit on service transformer T1 feeder: will result in loss of service transformer T1, all consumerson 220V switchboard bus bar ‘1’. All thrusters and generators will remain healthy as the control powersupply has redundancy.

5.5.6.12 Short circuit on service transformer T2 feeder: will result in loss of service transformer T2, all consumerson 220V switchboard bus bar ‘2’. All thrusters and generators will remain healthy as th e control powersupply has redundancy.

5.5.6.13 Short circuit on 220V emergency switchboard: will result loss of one of the supply to No.1 & 2 nav. &instrumentation dist. Board which will auto changeover to respective 220Vac feeder panel, and loss ofbackup supply to 220Vac ECC Dist. Board and 220Vac bridge control console. All the thrusters andgenerators will remain healthy as the control power supply has redundancy.

5.5.6.14 Short circuit in on emergency transformer: This will result loss of 220Vac emergency switchboard. All thethrusters and generators will remain healthy as the control power supply has redundancy.

5.5.6.15 Failure of one of the No.1 UPS to MV MSB: This will result loss of one of the 110Vdc / 24Vdc powersupply to MV MSB. Upon this failure, alarm will be initiated in the ICMS system, and the 110Vdc/24Vdcsystem will be backup by the battery.

5.5.6.16 Failure of one of the No.2 UPS to MV MSB: This will result loss of one of the 110Vdc / 24Vdc powersupply to MV MSB. Upon this failure, alarm will be initiated in the ICMS system, and the 110Vdc/24Vdc

system will be backup by the battery.

5.5.6.17 Short circuit of one of the 110Vdc / 24Vdc system to MV MSB: Short circuit of the 110Vdc / 24Vdc systemwill result loss of one of the control supplies to the MV MSB. Upon failure, alarm will be initiated in theICMS system and backup by the other 110Vdc / 24Vdc control supplies from the other battery charger.

5.5.7 Hidden Failures of the Power Distribution System

5.5.7.1 Insufficient battery capacity is a creatable hidden failure. There should be an alarm for “batteries” on failureof supply to battery charger.

5.5.7.2 Failure to change over the power supply at 220Vac Nav. & instrumentation distribution to LV 220Vac MFPwill be hidden failure and it may lead to loss all the main 220Vac power supply to all the thruster controlsystem.





5.5.7.3 When short circuit failure in the thruster control system, it may leads to trip the particular thruster’sbreakers at 220Vac and 24Vdc panel. Assuming that selectivity analysis is been carried out and isperformed in satisfactory.

5.5.7.4 Failure changing over the power supply from LV 220Vac MFP No.1 to 220Vac ESB at ECC 220Vacdistribution board will be remain as hidden failure and it may lead to loss ME which will cause loss of T6.Please refer to the effect at the section 5.5.6.4.

5.5.8 Common Mode Failures Affecting the Distribution System

5.5.8.1 There is no common mode failure will cause the effect exceed the WCFDI.

5.5.9 Configuration Errors of the Power Distribution System That Could Defeat Redundancy

5.5.9.1 The 220Vac feeder panel are powered by their own respective 440Vac MSB. Therefore no configurationerrors could defeat the redundancy.

5.5.10 Maloperation of the LV Distribution System

5.5.10.1 There is no maloperation that could be reasonably anticipated.

5.5.11 Worst Case Failure of the LV Distribution System

5.5.11.1 The worst case failure in the LV distribution system will be short circuit of 220V Engine control consoledistribution board which leading to loss of ME where both of the control system power supplies are fed by220V ECC distribution board. Loss of ME will cause loss of T6. Failure effect of the ECC dist. Board willnot excess than WCFDI. However there is another concern where one of the power supply unit for fourgenerators are fed from the common ECC AC 220Vac. In the event there is a short circuit at the board thismay lead over current through the system and this may damage all four generators supply unit. This has toclarify with the vendors and recommended to have a discrimination analysis report.





6 THRUSTERS

6.1 INTRODUCTION


Approval drawings Brunvoll Tunnel Thruster Unit Type FU-100-LTC-2750-2200kW with Electric DriveSystem

Approval drawings Brunvoll Tunnel Thruster Unit Type FU-100-LTC-2450-2200kW with Electric DriveSystem

Approval drawings Brunvoll Retractable Azimuth Thruster Unit Type AR-100-LNC-2600 2500kW withElectric Drive System

Approval drawings Brunvoll Thruster Units Type FU-100-LTC-2450, Type FU-100-LTC-2750, Type AR-100-LNC-2600

Installation manual –BCP with BCX

Technical Specification Steering Gear

Technical data sheet 04.43.01 Rev 18

6.1.2 Overview

6.1.2.1 The 157K Shuttle Tanker is equipped with six thrusters these include two bow tunnel thrusters, one bowazimuth thruster, one stern azimuth thruster, one stern tunnel thruster and one engine driven mainpropulsion CPP unit.

6.1.2.2 All thrusters, CPP and steering gear have independent sensors to the DP system as well as localindicators for the pitch, azimuth and angle feedback.

6.1.2.3 Thrusters arrangement - please refer to figure 6-1 for details.

BT1

T1

BT2

T2

BAZ3

T3

SAZ4

T4

ST5

T5

CPP6

T6

Figure 6-1 Arrangement of Thrusters





6.1.3 Thruster Particulars

Table 6-1 Tunnel Thruster Motor Particulars

Bow Tunnel Thruster MotorParticulars

Stern Tunnel Thruster MotorParticulars

Thruster Type FU100LTC2750(No.1 and No.2 Bow thruster,T1 & T2)

FU100LTC2450(Stern Thruster, T5)

Prime Mover Electric motor Electric motor

Prime Mover Vertical type, squirrel cage, inductionmotor

Vertical type, squirrel cage, inductionmotor

Rated Input Power 2200kW 2200kW

Rated Input Speed 890 RPM 890 RPM

Propeller Type 4 bladed, Kaplan design, controllablepitch type

4 bladed, Kaplan design, controllablepitch type

Thrust 285kN (nominal value) 275kN (nominal value)

Azimuth Thruster Motor Particulars CPP & Rudder

Thruster Type AR100LNC2600(bow and stern T3 & T4)

CPP :BCP 2000 (T6)Steering Gear :IRV4200-2

Prime Mover Electric motorMAN B&W 6S70ME-28.2 TIER II

– main engine

Prime MoverVertical type, squirrel cage, induction

motor

Two stroke, single acting non-reversible, crosshead type marine

diesel engine with constant pressureturbo charging

Rated Input Power 2500kW 15200 kW

Rated Input Speed 710 RPM 82 RPM

Propeller Type 4 bladed, Kaplan / Wageningen 37,symmetric design, controller pitch type

4 Propeller blade, controller pitch type

Material of propeller Nickel-Aluminium Bronze Bronze

Thrust 400kN (bollard pull)


6.1.4.1 Although each thruster is almost entirely independent to other thrusters it is necessary to consider thepossibility that a loss of position or heading can occur due to malfunction of the Torque or Steering control

system. For the purpose of this analysis, discussions of thruster failure is divided into sections on:

1. Lubrication

2. Steering – (Azimuth and CPP)

3. Thruster auxiliaries

4. Azimuth control

5. Pitch control

6. Emergency stops





6.2 THRUSTER MECHANICAL COMPONENTS AND MOTOR


Technical specification Brunvoll Tunnel Thruster Unit (Bow Tunnel Thrusters) Rev 16.11.2011

Technical specification Brunvoll Tunnel Thruster Unit (Stern Tunnel Thrusters) Rev 07.06.2011

Technical specification Brunvoll Retractable Azimuth Thruster Rev 07.10.2011Piping diagram in Engine Room 200M241001MB Rev C

Hull Piping Diagram 200F241001PB Rev C

6.2.2 Tunnel Thruster motor

6.2.2.1 The tunnel thruster motor specifications are shown in Table 6-2.

Table 6-2 Tunnel Thruster Motor Details

Tunnel Thruster 1 & 2 Tunnel Thruster 5

Construction Squirrel cage Squirrel cage

Cooling Fresh water cooled Fresh water cooled

Rated Output 2200kW 2200kW

Operating voltage 6600V 6600V

Phases 1 x 3 phase 1 x 3 phase

Rated speed 890 RPM 890 RPM

Rated frequency 60 Hz 60 Hz

6.2.3 Azimuth Thruster Motor

6.2.3.1 The azimuth thruster motor specification details are shown in Table 6-3.

Table 6-3 Azimuth Thruster Motor Specifications

Azimuth Thruster Motor Particulars

Construction Squirrel cage

Cooling Fresh water cooled

Rated Output 2500kW

Operating voltage 6600V

Phases 1 x 3 phase

Rated speed 710 RMP

Starting Method Auto Transformer

Rated frequency 60 Hz

Input shaft speed 710 RPM

Propeller Speed 249 RPM





6.2.4 Failure modes of the thruster motors

1. Motor fails to reach full speed

2. Overheating of motor winding

3. Excessive vibration

6.2.5 Effects of thruster motor faults6.2.5.1 Motor fails to reach full speed: Insufficient line voltage at motor terminals or a fault (open, short, earth) on

a stator winding could affect motor operation. This could be caused by a number of faults and should beinvestigated before continuing to use the motor. Some minor faults have the potential to develop intomajor electrical and mechanical failures.

6.2.5.2 Overheating of motor winding: This may be caused by insufficient lubrication or contaminated lubricant.This should be alarmed at the ICMS when it reaches the 1st stage level and will result in a drive trip if itprogresses to 2nd stage level.

6.2.5.3 Excessive vibration: This may be caused by mechanical damage. If this condition is detected, the cause ofthe problem will have to be investigated as this could develop into a major mechanical failure.

6.3 TUNNEL THRUSTER COOLING SYSTEM


Technical specification Brunvoll Tunnel Thruster Unit (Bow Tunnel Thrusters) Rev 16.11.2011

Technical specification Brunvoll Tunnel Thruster Unit (Stern Tunnel Thrusters) Rev 07.06.2011

Technical specification Brunvoll Retractable Azimuth Thruster Rev 07.10.2011

Piping diagram in Engine Room 200M241001MB Rev C


6.3.2 Description

6.3.2.1 Refer to Figure 2.18, the electric motors for the tunnel thrusters are FW cooled and the hydraulic systemis air cooled. Therefore the temperature in the thruster compartment has to be kept in the certaintemperature to provide cooling for the hydraulic system.

6.3.2.2 The thruster lube oil system is cooled through heat transferred between the thruster and the surroundingsea water.





Shaft Seal

Arrangement

O i l t o G e a r H o u s i n g

O i l t o S

h a

f t S e a

l S y s t e m

Drain from Gear Housing

Air Bleeding

Drain from Shaft Sealing System

Gravity Tank

M

Power Unit Servo used for

controllable pitch application

Drain

Hand

Pump

Filter

Servo

Pump

Figure 6-2 Tunnel Thruster Hydraulics

6.3.3 Failure modes of the tunnel thruster mechanical part and its auxiliaries

1. Loss of one of the thruster hydraulic oil pump.

2. Blocked hydraulic oil suction filter.

3. Pipe failure on the thruster hydraulic oil system.

4. Contamination of the hydraulic oil system.


6.3.4 Tunnel thrusters failure effects (thruster mechanical part and its auxiliaries)

6.3.4.1 Loss of one of the thruster hydraulic oil pump: The failure of one of the thruster hydraulic oil pumps wouldbe indicated on the local control panel and the ICMS. On the failure of running hydraulic pump, the

standby hydraulic pump will auto start.





6.3.4.2 Blocked hydraulic oil suction filter: A blocked hydraulic oil suction filter would restrict flow through thepump to the hydraulic oil system. When the pressure switch detects the pressure drop it will initiate thestandby hydraulic pump to start running.

6.3.4.3 Pipe failure on the thruster hydraulic oil system: Pipe work failure in the hydraulic system on the supply tothe thruster would drain the system and limit the circulation of hydraulic oil. This would be alarmed on thelocal control panel and ICMS as a ‘low lube oil level alarm’. Leaks in the pipe work are likely to start as arelatively low flow rate which should be detected during regular watch keeping. Piping is considered aspassive components and would not be considered for the review of Dynpos AUTR.

6.3.4.4 Contamination of the hydraulic oil system: This is not a consideration as the hydraulics are air cooled andnot considered to be susceptible in contamination.

6.3.4.5 Unforeseen catastrophic failure of a component part (manufacturer’s component fails within its expec tedlifespan): It is difficult to quantify this type of failure as, provided all manufacturing processes are properlyadhered to, then it should not happen. Areas where this would be most critical are the bearings, gear teethand the internal pipe work.

6.4 AZIMUTH THRUSTER COOLING SYSTEM

6.4.1 Drawing referenceTechnical specification Brunvoll Retractable Azimuth Thruster Rev 07.10.2011

Piping diagram in Engine Room 200M241001MB Rev C






6.4.2 Description

GRAVITY TANK

CJC Filter Seperator

Hyd. Power

Pack

From

FWCoolingPump

ToF.W

ExpTk

Figure 6-3 Azimuth Thruster Hydraulic System

6.4.2.1 Azimuth Thruster Hydraulic System: The Brunvoll AR100LNC2600 retractable azimuth thruster is rotatablethrough 360˚ with a Kaplan design controllable pitch propeller in a symmetric nozzle for optimal thrustperformance in both directions. The thruster unit can be lowered into the operating position and retractedinto the hull by means of hydraulically operated lifting equipment. There are two hydraulic pumps that areused for the azimuth turning motors, propeller pitch mechanism, lowering/retracting of thruster andoperating of locking devices.

6.4.2.2 The Steering hydraulic motor is governed by solenoid valves in order to ensure rapid and preciseresponse. Steering direction and azimuth rate of turn are controlled by changeover type proportionalsolenoid valves which are electronically controlled system controls. As for the CPP system, pitch directions(ahead and astern) and control speed (pitch response time) are controlled by changeover typeproportional solenoid valve.

6.4.2.3 The hydraulic oil from the brake valve and proportional solenoid valve will flow to the oil cooler and cooledby the fresh water. After cooling, the hydraulic oil is directed to the thrusters.





6.4.2.4 Fresh water supplied from the forward freshwater cooling system supplies cooling to (T3) azimuth thrusterhydraulic oil coolers. SAZ4 (T4) is part of the GE No.3/4 freshwater cooling system. Both fresh watercooling systems have local temperature monitoring only..

6.4.3 Failure modes of the azimuth thruster mechanical part and its auxiliaries

1. Loss of one of the hydraulic oil pump.

2. Failure of thruster retraction pump

3. Blocked hydraulic oil suction filter.

4. Blocked hydraulic oil line filter.

5. Contamination of the hydraulic oil system.

6. Pipe work failure on the hydraulic system.

7. Failure of the steering actuator 3-4 way proportional valve to one position.

8. Loss or reduction of cooling water to the thruster lube oil cooler.

9. Unforeseen catastrophic failure of a component part (manufacturer’s component fails within its

expected lifespan).

6.4.4 Azimuth Thrusters failure effects (thruster mechanical part and its auxiliaries)

6.4.4.1 Loss of one of the hydraulic oil pump: The failure of the thruster hydraulic oil pump would be indicated onthe local control panel and the ICMS as a low lube oil pressure alarm. When the hydraulic oil pressure islow, the standby pump will auto start to continue operate.

6.4.4.2 Failure of retraction pump: will have no effect on the operability of the thruster.

6.4.4.3 Blocked hydraulic oil suction filter A blocked suction filter would restrict flow through the pump and thehydraulic system. This can be detected if the pressure drop across the filters is high.

6.4.4.4 Blocked hydraulic oil line filter: A blocked line filter would restrict the flow through the steering and CPPsystem. Alarm will be given on the local control panel and ICMS as a “Low Hydraulic Oil level alarm”caused by a relatively low flow rate of the hydraulic oil.

6.4.4.5 Contamination of the hydraulic oil system: Core failure on the thruster hydraulic oil cooler could result inwater contamination of the thruster hydraulic oil system; this would emulsify and reduce the lubricatingproperties of the oil. Prolonged exposure to emulsified hydraulic oil could cause oxidation of thrustercomponents over time. The increase in volume of the hydraulic oil system would be alarmed on the localcontrol panel and the ICMS as a ‘high hydraulic oil level’ alarm.

6.4.4.6 Pipe work failure on the hydraulic system: Pipe work failure on the hydraulic piping would drain the systemand limit the circulation of hydraulic oil. Low oil level in the reservoir would initiate an emergency stop ofthe drive motor. This would be alarmed on the ICMS and local control panel. Leaks in the pipe work are

likely to start as a relatively low flow rate which should be detected during regular watch keeping. Piping isconsidered as passive components and would not be considered for the review of Dynpos AUTR.

6.4.4.7 Failure of the steering actuator 3-4 way proportional valve to one position: If the 3-4 way proportional valvewere to fail to the neutral position, the swash plate would be kept in the neutral position where charge oilsupply, through the sequence pressure limiting bypass valves, would keep the steering motors and loopflushing valve hydraulically locked. If the proportional valve was to fail in an active position the swash platewould be maintained to direct the variable displacement pump to continue pumping in that direction. Thiswould cause the thruster to rotate clockwise or anti- clockwise and eventually is alarmed on the DP systemas a prediction error. Eventually the thruster is automatically deselected from DP. This was unable to betested during the proving trials as per the attending Brunvoll Engineer ’s advise, this failure would not beachieved as the terminals are located on the Brunvoll thruster PCB itself.





6.4.4.8 Loss or reduction of cooling water to the oil cooler: Loss or reduction of fresh water to the thrusterhydraulic oil cooler would be indicated by higher operating temperatures. High hydraulic fluid temperaturesin the hydraulic reservoir would initiate an emergency stop of the drive motor. This is alarmed on the localcontrol panel and ICMS.

6.4.4.9 Unforeseen catastrophic failure of a component part (manufacturer’s component fails within its expectedlifespan): It is difficult to quantify this type of failure as, provided all manufacturing processes are properly

adhered to, then it should not happen. Areas where this would be most critical are the winding, motors,and the internal pipe work.

6.4.5 Hidden azimuth thruster failures

6.4.5.1 The contamination of the steering hydraulic system by fresh water from the cooler cores on the hydraulicoil cooler would not be detected if the hydraulic oil reservoir is not monitored for high tank level. This couldbe remedied through regular sampling and testing.

6.4.5.2 Inability to auto changeover the power supply to hydraulic pumps due to power failure may lead to loss ofparticular azimuth thruster.

6.4.6 Common mode failure affecting the azimuth thrusters

6.4.6.1 Tunnel thrusters No.1 and No.2 and azimuth thruster No.3 are part of the forward freshwater coolingsystem. A burst cooler in those systems would result in some of the thrusters eventually tripping on highoperating temperatures. On the forward freshwater system there are four manually operated crossovervalves between section 2 (Bow thrusters No.2 and azimuth thruster No.3) and section 1 (thruster 1). Ifthese valves could be operated in time this would prevent loss of consumers in the system. Mitigation toaid this is a low level alarm in the head tank, a bilge alarm in the near vicinity of the cooler and adifferential pressure alarm across the cooler.

6.4.6.2 Thruster No.4 is part of the GE No.3/4 freshwater cooling system. A burst cooler in the system wouldresult in the failure of these and other thrusters fed from MSB 2 as Generators No.3 and No.4 are in thesame circuit.

6.4.7 Azimuth thruster configuration errors that could defeat redundancy

6.4.7.1 Bow azimuth thruster no.3 can be connected to either MSB1 or MSB2. Normal operation is to run it onMSB2. If the thruster is run on MSB1 and the board were lost it would most likely cause loss of positiondue to having only Bow Tunnel thruster No. 2 and stern azimuth thruster No. 4 remaining. In mitigation, theconfiguration has to be recorded in the operation procedures and a sign to be made in the ECR.

6.4.8 Maloperation of the azimuth thrusters

6.4.8.1 As the hydraulic oil systems could be exposed to water contamination; failure to take regular samples fortesting of the lubricating oil/hydraulic oil could lead to multi-system failure.

6.4.9 Worst case failure – Azimuth thruster (motor and mechanical part)

6.4.9.1 Catastrophic mechanical failure or motor failure will be the worst case failure for the Azimuth thruster

(motor and mechanical part) as this will lead to loss of particular Azimuth thruster. The remaining thrusterswill compensate for the failure of the azimuth thruster and maintain station.





6.5 MAIN PROPULSION CONTROLLABLE PITCH PROPELLER AND STEERING GEAR

6.5.1 Reference:

Berg Propulsion Installation manual BCP with BCX

6.5.2 Description

6.5.2.1 Refer to figure 6-4, the vessel has one controllable pitch propeller engine supplied by Berg Propulsion6.5.2.2 For more information on the Main Engine auxiliary systems please refer to section 2. The propeller system

consists of three main parts:

1. Mechanical parts for power transformation of propeller rotation.

2. Hydraulic parts for lubrication and hydraulic control of the equipment.

3. Electronic control system.

6.5.2.3 The Berg Propulsion controllable pitch propeller can rotate the propeller blades about their own axis. Therotation of the propeller blades are controlled from the bridge or the engine room. The propeller blades are

hydraulically actuated.6.5.2.4 The controllable pitch propellers are actuated by pressurised hydraulic oil to control the pitch angle of the

propeller blades. The pressurised oil is guided to the propeller hub through a twin tube which runs througha hollow bored shaft line. The turning of the propeller blades is managed by applying hydraulic oil pressureto either side of the piston, which in turn moves the piston rod back and forth.

6.5.2.5 The twin tube, propeller shaft and bearings are installed in a stern tube which is filled with pressurised oilfor lubrication purposes. The stern tube header tank contains the oil at a certain height above sea level toachieve the required head pressure.





6.5.3 Main Propulsion Mechanical and Hydraulic System

Gravity Tank

Propeller

CPP Hyd.

Pump No.3

M3 M2

Solenoid

Valve

Water In Propeller

CPP Hyd.

Pump

No.2

Propeller

CPP Hyd.

Pump

No.1

M1

Water Out

CJC

Circulation Unit

PropellerCPP Hyd.

Emergency

pump

E

BCX Leakage TAnk O i l D i s t r i b u t e r

Hydraulic Tank

3 Bar

M o i s t u r e

T r a n s m i t t e r

Figure 6-4 Propulsion Controllable Pitch Propeller Hydraulic Diagram





6.5.3.1 The lubrication of the propeller hub is maintained by static pressurised hydraulic oil, guided to the propellerhub by the hollow bored shaft line. The oil is contained in the hydraulic power pack, which is equipped witha supplementary gravity tank. The static pressure is achieved by a pump unit on the power pack.Pressurised oil is necessary to prevent ingress of water in the propeller hub and to maintain sufficientblade bearing lubrication. To prevent the hydraulic system from over pressure. Safety valves are includedin the hydraulic system.

6.5.3.2 The hydraulic system pressurised oil enables the turning of the propeller blades. It consists of a hydraulicpower pack unit, three hydraulic oil electrical driven pump units and piping. The three electrical pumps arefitted in the hydraulic unit. All three hydraulic pumps need to be running in order to run maximum pitchingspeed.

6.5.3.3 Pump 1 and pump 2 are variable displacement pumps and pump 3 is used for fixed displacement and forthe unloading valve to activate the pitching function.

6.5.3.4 The CPP hydraulic system is equipped with oil cooler. The medium for cooling is fresh water from theauxiliary freshwater cooling system which also is used to cool the stern tube.

6.5.4 Steering Gear

6.5.5 Reference:Working drawing, Kongsberg Maritime, Steering Control System

Rolls Royce rotary Vane Steering Gear





6.5.6 Description

3

2

4

1

RELIEF VALVE

POWER UNIT 2

M

I n t e r c o n n e c t i n g

/ i s o l a t i n g

v a l v e

RELIEF VALVE

POWER UNIT 1

M

I n t e r c o n n e c t i n g

/ i s o l a t i n g

v a l v e

COMMON TANK

Figure 6-5 Steering Gear

6.5.6.1 Refer to figure 6-5; the vessel is fitted with a Becker Rudder and one Rolls Royce Frydenbo SteeringGear, interfaced to the DP Control System, joystick control unit and emergency manual steering controls.

6.5.6.2 The steering gear has two electric driven hydraulic pumps. The pumps can operate the steering gearindependently or both pumps running together. In DP mode, both pumps are to be running. Failure on onepump will not have any effect on steering gear apart from slower response.





6.5.6.3 There are two control panels, one mounted on the wheelhouse and the other in the ECR. The wheelhousecontrol panel is equipped with start / stop push buttons, steering mode selections, non-follow-up pushbuttons and follow-up controllers for independent or simultaneous steering of the rudders. Emergencycontrols are located in the steering gear room.

6.5.7 Failure Modes of the CPP and Steering Gear

1. Failure of one of the CPP hydraulic pump.2. Failure of proportional valve.

3. Contamination of the CPP hydraulic oil system.

4. Pipe work failure on the CPP hydraulic system.

5. Loss or reduction of cooling water to the CPP hydraulic oil cooler.


7. Failure of one of the rudder steering gear pump

8. Contamination of the hydraulic oil in steering gear system.

9. Pipe work failure on the steering gear hydraulic oil system.

6.5.8 Failure Effects of the CPP and Steering Gear

6.5.8.1 Failure of one of the CPP hydraulic oil pump: The failure of the CPP hydraulic oil pump would be indicatedon the local control panel and the ICMS as a low lube oil pressure alarm. During DP operations all 3 pumpsneed to run as failure of one pump will reduce the pitching ability of the CPP and cause it to not be able tooperate to full pitch.

6.5.8.2 Failure of proportional valve: If the proportional valve were to fail to the neutral position, the swash platewould be kept in the neutral position; pitch will fail at neutral position. If the proportional valve was to fail inan active position the swash plate would maintain the pitch in the last position. This would cause an alarmon the DP system with prediction error.

6.5.8.3 Contamination of the CPP hydraulic oil system: Core failure on the CPP hydraulic oil cooler could result inwater contamination of the CPP hydraulic oil system; this would emulsify and reduce the lubricatingproperties of the oil. Prolonged exposure to emulsified hydraulic oil could cause oxidation of CPPcomponents over time. The system is fitted with a water monitoring sensor to activate a warning in theevent of water contamination.

6.5.8.4 Pipe work failure on the CPP hydraulic system: Pipe work failure on the CPP hydraulic piping would drainthe system and limit the circulation of hydraulic oil. Low oil level in the reservoir would initiate an alarm onthe ICMS and local control panel. Leaks in the pipe work are likely to start as a relatively low flow ratewhich should be detected during regular watch keeping. Piping is considered as passive components andwould not be considered for the review of Dynpos AUTR.

6.5.8.5 Loss or reduction of cooling water to the CPP Hydraulic oil cooler: Loss or reduction of fresh water to theCPP hydraulic oil cooler would be indicated by higher operating temperatures. High hydraulic fluidtemperatures in the hydraulic reservoir would initiate an emergency stop of the CPP. This is alarmed onthe local control panel and ICMS.

6.5.8.6 Unforeseen catastrophic failure of a component part (manufacturer’s component fails within its expectedlifespan): It is difficult to quantify this type of failure as, provided all manufacturing processes are properlyadhered to, then it should not happen. Areas where this would be most critical are the pumps, proportionalvalve and the internal pipe work.

6.5.8.7 Failure of one of the rudder hydraulic pump: In the event failure of one of the rudder hydraulic pump, itwould not result in loss of the rudder as there is another backup steering gear hydraulic pump in operation.(Assumption: both pumps running at same time whilst on DP).





6.5.8.8 Contamination of the hydraulic oil in steering gear system: Bacteria contamination in the oil tank couldemulsify and reduce the lubricating properties of the oil. Prolonged exposure to emulsified hydraulic oilcould cause oxidation of thruster components over time. Regular testing of the oil would highlight anycontamination problems.

6.5.8.9 Pipe work failure on the steering gear hydraulic oil system: Pipe work failure in the hydraulic oil systemwould drain the system and limit the circulation of oil. Low oil level would be alarmed on the ICMS and

local control panel. Leaks in the pipe work are likely to start as a relatively low flow rate which should bedetected during regular watch keeping. Piping is considered as passive components and would not beconsidered for the review of Dynpos AUTR.

6.5.9 Hidden Failures of the CPP and Steering Gear

6.5.9.1 The contamination of the CPP and steering gear hydraulic system by fresh water from the cooler cores onthe hydraulic oil cooler would not be detected as the hydraulic oil reservoir is not monitored for high tanklevel. This could be remedied through regular sampling and testing.

6.5.10 Common Mode Failures of the CPP and Steering Gear

6.5.10.1 No common mode failure has been identified.

6.5.11 Configuration Errors of the CPP and Steering Gear6.5.11.1 There is no configuration error for the CPP and steering gear as the CPP is driven by the engine.

6.5.12 Maloperation of the CPP and Steering Gear

6.5.12.1 The hydraulic oil system could be exposed to water contamination; regular samples for testing of thehydraulic oil should be conducted.

6.5.13 Worst Case Failure of the CPP and Steering Gear

6.5.13.1 Catastrophic mechanical failure or failure of engine will be the worst case failure for the CPP (mechanicalpart) as this will lead to loss of CPP. The remaining thrusters will take over the failure of CPP role forposition keeping capability.





6.6 THRUSTER ELECTRICAL SYSTEMS

6.6.1 References

Approval Drawings Brunvoll Tunnel Thruster Unit Type FU-100-LTC-2750-2200kW with Electrical Drivesystem rev. Date 07.10.2011

Approval Drawings Brunvoll Retractable Azimuth Thruster Unit Type AR-100-LNC-2600-2500kW withElectrical Drive system rev. Date 07.10.2011

S7001’s CPP Tech Data and System Diagram

Wiring Diagram of Navi & Comm System

6.6.2 General

6.6.2.1 The Shuttle Tanker is equipped with six thrusters these include two bow tunnel thrusters, one bow azimuththruster, one stern azimuth thruster, one stern tunnel thruster and one engine driven main propulsion CPPunit. The three tunnel thrusters and two azimuth thrusters are electrically driven. Please refer to table 6-1and table 6-2 for details.

6.6.3 Tunnel Thruster Remote Control system

Thruster Controller

Thruster

manual

Control

DP IJS

Blade

Angle

Transmitter

Solenoid

Valve

220Vac

Main

power

24Vdc

Backup

power

Figure 6-6 Thruster Remote Control System

6.6.3.1 Refer to Figure 6-6, this tunnel thruster (Controllable Pitch Propeller type) remote control system isdesigned to control the thruster blade angle by operating the control levers provided in the wheelhouse,

independent joystick and DPS. This is done by employing microcomputers with overload protectionfunctions for the main motor. In addition the main motor and auxiliaries can be started and stopped fromthe W/H.





6.6.3.2 There are two electronic cabinets for each Brunvoll Tunnel Thruster, one unit on the Bridge and the otherin the thruster room. Power supply for the electronic cabinets and the man and auxiliary control panels aretaken from a 220 VAC source and a backup 24VDC supply. These sources are fed to the electroniccabinet on the bridge and from this cabinet supplied to the other consumers described earlier.

6.6.3.3 The thruster control system provides communications between the thruster and thruster control unit. Inaddition to the control signals; multiple sensors and transducers are provided for monitoring. The

Kongsberg system controls the thrust of the tunnel thrusters through the Brunvoll Electronic Cabinetlocated on the bridge.

6.6.3.4 Hydraulic pitch control: The propeller blade pitch is used to adjust the magnitude and direction of thrustfrom each tunnel thruster. Pitch angle is set by the position of a hydraulic piston mounted in each propellerhub. The hydraulic pressure to change the pistons position is provided by redundant hydraulic pumps andelectro-hydraulic control valves to change the flow of oil to the oil distribution box and increase or decreasethe piston position. An electronic control system controls each thruster electro-hydraulic control valve.Other hydraulic valves regulate pressure and release overpressures. The pitch system has high and lowpressure switches for alarm only and an oil pressure failure switch that stops the drive motor. Pitchposition is given via mechanical feedback and transducers supply the pitch feedback for display andcontrol.

6.6.3.5 Electronic Pitch Control: Each thruster has an electronic control system for monitoring and control. Eachelectronic control system monitors which system is in command, the pitch request from the system incommand and the control transducer feedback showing the current pitch setting. The system comparesthe current pitch setting with the required pitch setting and uses the pitch difference to operate the valve.This pitch difference is sent as a ±10V control valve command, opening the valve by a proportionalamount in the direction to correct the command feedback difference. As the actual pitch approaches thecommanded value the proportional control will slow down the rate of change. The ±10V valve commandcan be seen as a rate of change command. When the pitch feedback is within tolerance of the pitchcommand, the controller sends a 0V command and the valve is closed. The signal to the Brunvoll thrustercontrol unit is ±10V however the signal is converted to a 4-20mA DP feedback signal. The order signalfrom DP to the thruster is a 4-20mA command signal. The Brunvoll thrusters will trip or will issue an open

ready signal when the pitch control fails. The thruster will be deselected from the DP system.6.6.3.6 Drive Control: The starters are auto transformers. The thrusters can be started and stopped from the

wheelhouse control panel. The drive motor starter interlocks for zero pitch, starter ready, and sufficientpitch pressure prevents the motor from starting up until the required criteria is met. Once the motor hasstarted, its starter closes the running contact to the ECU to indicate it is ready for use. The starter providesa load signal to the ECU for overload protection.

6.6.3.7 Each thruster control system monitors the health of its thruster system and controls the pitch to match thelocal or remote commands. If DP control is selected, then the DP system controls and monitors thethrusters over dedicated hardwire connections. If IJS control is selected, the IJS system controls andmonitors the thrusters over its own set of dedicated hardwire connections which are separate from DP. Ifthe system does not meet the criteria for safe and reliable operation then it will shutdown. It highlights

system alarms on the local panel and thrusters remote panels on the bridge. The thruster control systemsupplies pitch indication to the bridge and DP control system.

6.6.3.8 Adequate protection is assumed to be in place to protect the thrusters control system and selectivityanalysis has conducted and is approved by the class society.

6.6.3.9 Interface: each tunnel thruster has a separate DP request contact from the DP/ Manual/ Joystickchangeover switch to thruster control unit. The DP controller interface consists of the thruster ready signal4-20mA pitch command and feedback signals.

6.6.4 Failure modes of the tunnel thrusters Control System

1. Failure of 220Vac supply to thruster control panel.

2. Failure of 24Vdc supply to thruster control panel.

3. Failure of the thruster control unit.

4. Wire break or failure of thruster ready signal.





5. Wire break or failure of thruster pitch command signal from DP.

6. Wire break or failure of thruster pitch command signal from ECU signal to thruster.

7. Wire break or failure of thruster pitch feedback signal from DP signal.

8. Wire break or failure of thruster pitch feedback signal from ECU signal to thruster.

6.6.5 Failure Effects of the Tunnel Thrusters Control System6.6.5.1 Failure of 220Vac supply to thruster control panel: Loss of 220V supply to the thruster control panel will

not affect the operation of the thruster; the control system continues to run on back up 24Vdc powersupply. An alarm will be generated for 220V AC power supply failure.

6.6.5.2 Failure of 24Vdc supply to thruster control panel: Loss of 24Vdc supply to the thruster control panel will notaffect the operation of the thruster; the control system continues to run on 220Vac power supply. An alarmwill be generated for 24Vac power supply failure.

6.6.5.3 Failure of Thurster control unit: As each thruster is independent in terms of its control philosophy. Failureof one thruster control unit will not affect the other units. The thruster pitches to zero and an alarm will begenerated on the thruster control panel and deselected from the DP system.

6.6.5.4 Wire break or failure of thruster ready signal: will initiate a thruster not ready for DP alarm, thruster pitchwill go to zero and DP deselects the thruster. An alarm will be generated on the thruster control panel andDP system.

6.6.5.5 Wire break or failure of thruster pitch command signal from DP: will not cause the thruster drive motor tostop. A “thruster not ready” alarm is initiated on the DP panel, thruster pitch to freeze and deselected fromDP.

6.6.5.6 Wire break or failure of thruster pitch command signal from ECU to thruster: will not cause the thrusterdrive motor to stop. Thruster pitch is freezes and the thruster is rejected from DP.

6.6.5.7 Wire break or failure of thruster pitch feedback signal from DP: Will receive “Thruster X input error force”,“RIO:Open loop/cable break” alarms on DP, but predicted calculated value on the main DP mimic showingin red text.

6.6.5.8 Wire break or failure of thruster pitch feedback signal from ECU to thruster: will not cause the thrusterdrive motor to stop. A “thruster not ready” alarm is initiated on the DP panel, thruster pitch to freeze anddeselected from DP.

6.7 AZIMUTH THRUSTER ELECTRICAL SYSTEMS

6.7.1 Thruster Electrical Systems

6.7.2 References

Approval Drawings Brunvoll Retractable Azimuth Thruster Unit Type AR-100-LNC-2600-2500kW withElectrical Drive system rev. Date 07.10.2011

S7001’s CPP Tech Data and System DiagramWiring Diagram of Navi & Comm System





6.7.3 Azimuth Thruster Remote Control system

Figure 6-7 Azimuth Thruster Remote Control System

6.7.3.1 Refer to figure 6-7, this retractable azimuth thruster remote control system is designed to control thesteering and thruster blade angle by operating any of control levers provided in the wheelhouse,independent joystick and DPS. This is done by employing microcomputers with overload protection

functions for the main motor. In addition the main motor and auxiliaries can be started and stopped fromthe Wheelhouse.

6.7.3.2 There are two electronic cabinets for each Brunvoll Azimuth Thruster, one unit on the Bridge and the otherin the thruster room. Power supply for the electronic cabinets and the man and auxiliary control panels aretaken from a 220 VAC source and a backup 24VDC supply. These sources are fed to the electroniccabinet on the bridge and from this cabinet supplied to the other consumers described earlier.

6.7.3.3 The thruster control system provides communications between the thruster and thruster control unit. Inaddition to the control signals; multiple sensor and transducers are provided for monitoring. TheKongsberg system controls thruster direction and pitch through the Brunvoll Electronic Cabinet located onthe bridge.

6.7.3.4 Hydraulic Steering control: The steering hydraulic system houses the steering thruster control box whichthe controller converts the command signal from the DP system to control the hydraulic steering bysolenoid valve. Steering hydraulic motor is governed by solenoid valves. Steering direction and speed arecontrolled by changeover type proportional solenoid valve. The thruster control box also houses theterminal connections for the switches, sensors, and transducers to be monitored by the vessel monitoringsystem.

6.7.3.5 Hydraulic pitch control: CPP direction and control speed are controlled by changeover type proportionalsolenoid valve which allows the electronic control system to make rapid and precise changes.

Thruster Controller

ThrustermanualControl

DP IJS

Blade AngleTransmitter

SolenoidValve

220VacMainpower

24VdcBackuppower

StgGear

StgGear

AziTransmitter

AziTransmitter





6.7.3.6 Electronic Pitch Control: Each thruster has an electronic control system for monitoring and control. Eachelectronic control system monitors which system is in command, the pitch request from the system incommand and the control transducer feedback showing the current pitch setting. The system comparesthe current pitch setting with the required pitch setting and uses the pitch difference to operate the valve.This pitch difference is sent as a 4-20mA control valve command, opening the valve by a proportionalamount in the direction to correct the command feedback difference. As the actual pitch approaches the

commanded value the proportional control will slow down the rate of change. The 4-20mA valve commandcan be seen as a rate of change command. When the pitch feedback is within tolerance of the pitchcommand, the controller sends a 12mA command and the valve is closed. The signal between theBrunvoll azimuth thruster control unit with the DP system is 4-20mA feedback signal. The azimuththrusters will trip or will issue an open ready signal when the pitch control fails. The thruster will bedeselected from the DP system.

6.7.3.7 Electronic azimuth control: The thruster control box monitors which system is in command, the azimuthrequest from the system in command and the control transmitter feedback showing the current thrusterdirection. The system compares the current thruster direction with the required azimuth setting and usesthe azimuth difference to operate the proportional valve. This azimuth difference is sent as a 4-20mAcontrol valve command, opening the valve by a proportional amount in the direction to correct thecommand feedback difference. As the actual direction approaches the commanded value the proportionalcontrol will slow down the rate of change. The 4-20mA valve command can be seen as a rate of changecommand. When the azimuth feedback is within tolerance of the azimuth command, the controller sends a12mA command and the valve is closed.

6.7.3.8 Drive Control: The starters are auto transformers. The thrusters can be started and stopped from the localcontroller or the bridge panel. The drive motor start interlocks for, the thruster at its lowered position, zeropitch and sufficient pitch pressure prevents the motor from starting up until the required criteria is met.Once the motor has started, its starter closes the running contact to the ECU to indicate it is ready for use.The starter provides a load signal to the ECU for overload protection.

6.7.3.9 Each thruster control system monitors the health of its thruster system and controls the pitch to match thelocal or remote commands. If DP control is selected, then the DP system controls and monitors the

thrusters over dedicated hardwire connections. If IJS control is selected, the IJS system controls andmonitors the thrusters over its own set of dedicated hardwire connections which are separate from DP. Ifthe system does not meet the criteria for safe and reliable operation then it will shutdown. It highlightssystem alarms on the local panel and thrusters remote panels on the bridge.

6.7.3.10 The thruster control system supplies pitch indication to the bridge and DP control system. Bow azimuththruster No.3 control unit receives 220Vac supply from the No.2 AC220 navigation instrument distributionpanel in parallel with the No.2 battery charger and discharger board 24Vdc Distribution board. The Stern Azimuth thruster No.4 control unit receives 220Vac supply from the No.1 AC 220 navigation instrumentdistribution panel in parallel with the No.1 battery charger and discharger board 24Vdc distribution board.The control is transferred between the bridge as well as given to the DP or IJS system.

6.7.3.11 Interface: each tunnel thruster has a separate DP request contact from the DP/ Manual/ Joystick

changeover switch to thruster control unit. The DP controller interface consists of the thruster ready signal,4-20mA pitch command and feedback signals.

6.7.4 Failure modes of the azimuth thrusters control system

1. Failure of 220Vac supply to thruster control panel.

2. Failure of 24Vdc supply to thruster control panel.

3. Failure of the thruster control unit.

4. Wire break or failure of thruster ready signal.

5. Wire break or failure of thruster pitch command signal from DP.

6. Wire break or failure of thruster pitch command signal from ECU signal to thruster.

7. Wire break or failure of thruster Azimuth command signal from DP.

8. Wire break or failure of thruster Azimuth command signal from ECU signal to thruster.





6.8 PROPULSION CONTROLLABLE PITCH PROPELLER CONTROL SYSTEM

6.8.1 References

Berg Propulsion Installation manual Controllable Pitch Propeller and Propulsion equipment

S7001 AC C20(MAKER DWG)

Main Engine

Moisture Monitoring

BCX Leakage TankHub lubrication

Gravity Tank

Local Control or zero-

pitch System

Remote Control

System

Propellor and hub

Sterntube and bearings

Hydraulic Tank

Oil Distributor

Type:BCX





Figure 6-8 Propulsion CPP Control System

6.8.1.1 The propeller in this vessel is controlled by Berg local and zero pitch CPP control unit EC60629. It isinterfaced with Kongsberg’s bridge manoeuvring system - Auto chief C20 for the purpose of remote controloperation and monitoring.

6.8.1.2 All user interfaces during normal operations are via control panels located at various locations. The

propeller can be controlled and monitored from the following control stations:

1. ME LOP cabinet

2. Wheelhouse CPP backup control panel

3. ECR CPP backup control panel

4. Berg CPP Control LCU

6.8.1.3 All these cabinets/control panels are connected to Kongsberg’s bridge manoeuvring system - Auto chiefC20.

6.8.1.4 Auto Chief C20 is the main engine monitoring and control system used in this vessel. The main enginemonitoring information is available in K-Chief 600 Alarm monitoring and control system as well.

6.8.2 Failure Modes of Controllable Pitch Propeller Control System

1. Loss of main 24V DC supply to Auto Chief C20.

2. Loss of backup 24V DC supply to Auto Chief C20.

3. Loss of 24V DC supply to Berg local and zero pitch CPP control unit EC60629 or the failure of thecontrol unit .

4. LAN Communication failure between DP OS1 and Auto Chief C20

5. LAN Communication failure between DP OS2 and Auto Chief C20

6. Wire break or failure of command signals from Berg CPP control unit to pitch valve ahead and pitchvalve astern.

7. Wire break or failure of feedback signals.

6.8.3 Failure Effects of Controllable Pitch Propeller Control System

6.8.3.1 Loss of main 24V DC power supply to Auto Chief C20: Loss of main 24Vdc to Power Switch Over modulesPSO-P1, PSO-P2 and PSO-P3. This will not affect Auto chief C20 system, as continued operation is madepossible by the backup 24V DC power supply. An alarm will be generated for the 24Vdc power supplyfailure.

6.8.3.2 Loss of backup 24V DC power supply to Auto Chief C20: Loss of backup 24Vdc supply to Power SwitchOver modules PSO-P1, PSO-P2 and PSO-P3. This will not affect Auto chief C20 system with continuedavailability of the main 24Vdc power supply. An alarm will be generated for the 24Vdc power supply

failure.6.8.3.3 Loss of 24V DC supply to Berg local and zero pitch CPP control unit or the failure of the control unit: This

will loss the control and monitoring of propeller pitch. Propeller blades pitch will be frozen at the lastposition. Propeller will be rejected from DP and a prediction error alarm will be initiated in the DP system.Vessel maintains position with remaining thrusters.

6.8.3.4 LAN Communication failure between DP OS1 and Auto Chief C20: This will not affect the operation ofpropeller as the communication continues through redundant LAN communication link between DP OS2and Auto Chief C20.

6.8.3.5 LAN Communication failure between DP OS2 and Auto Chief C20: This will not affect the operation ofpropeller as the communication continues through redundant LAN communication link between DP OS1and Auto Chief C20.





6.8.3.6 Wire break or failure of command signals Berg CPP control unit to pitch valve ahead and pitch valveastern: Pitch fail as set in last command, the DP console will issue a pitch prediction error alarm and thepropeller ready signal to DP will lose. Consequently the propeller will be deselected from DP.

6.8.3.7 Wire break or failure of feedback signals: There are two sets of feedback signals, one from the propeller tothe Berg CPP control unit and the other from the propeller to the Local Control Unit (LCU). Failure of eitherone has no effect on the CPP and it still follows DP commands.

6.8.4 Hidden Failures of the Controllable Pitch Propeller Control System

6.8.4.1 No hidden failures were found during the analysis.

6.8.5 Common Mode Failure of the Controllable Pitch Propeller Control System

6.8.5.1 Even though there is redundant 24V DC power supplies provided for Auto Chief C20 system, the failure of24V DC supply to Berg local and zero pitch CPP control unit will defeat the redundancy as the control isperformed by this unit.

6.8.6 Configuration Errors of the Controllable Pitch Propeller Control System

6.8.6.1 Any initial configuration, reconfiguration or replacement of equipment following equipment failure orunplanned maintenance will allow for the possibility of configuration errors. However, correct procedures

and vigilance will alleviate configuration errors.

6.8.7 Maloperation of the Controllable Pitch Propeller Control System

6.8.7.1 Typical operating circumstances and conditions would not give rise to any opportunity for maloperation ofany of the human machine interface with competent and adequately trained operators. Maloperation wouldonly be possible in the event of unplanned maintenance or inspection of other systems within closeproximity to the enclosed operator stations components.

6.8.8 Worst Case Failure of the Controllable Pitch Propeller Control System

6.8.8.1 The worst case failure of the CPP control system is the loss of Berg local and zero pitch CPP control unitEC60629. This will not exceed the WCFDI as vessels position still can be maintained by remainingthrusters.

6.9 STEERING GEAR CONTROL SYSTEM

6.9.1 References

Working drawing, Kongsberg Maritime, Steering Control System

Rolls Royce rotary Vance Steering Gear





Control

Cabinet

Port

No.1

Control Panel

Dual RPC 400

Control

Cabinet

Stbd

No.2

Port Wing Console

FU Controller

Stbd Wing Console

FU Controller

220 Vac from Nav UPS No.1

Motor Pump

Starter Unit

Feedback

Unit No.1

Feedback

Unit No.2

RR Control

CabinetRudder Order Rudder Order

Pump RunningPump Running

Figure 6-9 Steering Gear Control System

6.9.1.1 The K-Bridge Steering Control System integrates the Rolls Royce Steering gear to the manual controls,DP system and the independent joystick.

6.9.1.2 The control cabinets (port and Stbd) are connected via two redundant networks each (Net A and Net B) to

the DP system. The DP system gives 4-20mA order signal to the steering gear control and alarm panel.That is fed to the directional pilot valves to command the steering.

6.9.1.3 The DP ready signal has been arranged such that they are fed through the steering gear control and alarmpanel and a failure of both pumps will result in the ready signal being removed.

6.9.1.4 The DP feedback 4-20mA signals come from the feedback units that connected to the steering gearstarter panel. The feedback unit will send the signal to steering gear control panel thru transformer box.Incorrect rudder control feedback will cause and incorrect rudder angle. The DP system compares therudder feedback with its command and will given prediction error alarm.

6.9.2 Failure Modes of Rudder

8. Loss of main 24V DC supply.

9. Loss of backup 24V DC supply.

10. Wire break or failure of command signals from DP.

11. Wire break or failure of command signals from steering control and alarm panel to directional pilotvalve.

12. Wire break or failure of feedback signals from DP.

13. Wire break or failure of feedback signals from feedback unit to potentiometer.

14. Failure of steering control and alarm panel.

6.9.3 Failure effects of rudder

6.9.3.1 Loss of main 24Vdc power supply: Loss of main 24Vdc to the steering gear control and alarm panel willnot affect the control system of the steering control, as continued operation is made possible by the backup 24V DC power supply. An alarm will be generated for the 24Vdc power supply failure.





6.9.3.2 Loss of backup 24Vdc power supply: Loss of backup 24Vdc supply to the steering gear control and alarmpanel will not affect the control system of the control steering with continued availability of the main 24Vdcpower supply. An alarm will be generated for the 24Vdc power supply failure.

6.9.3.3 Wire break or failure of command signals from DP: Rudder will be frozen at the last position. An alarmprediction alarm will be initiated in the DP system. Vessel maintains position with remaining thrusters.

6.9.3.4 Wire break or failure of command signals from Steering gear control panel to directional pilot valve:Rudder steering will go to zero, the DP console will issue a rudder prediction error alarm and the rudderready signal remains in DP. The DPO should manually deselect the rudder from DP.

6.9.3.5 Wire break or failure of feedback signals from DP: The rudder will continue to follow the steering commandsignals on failure of the feedback. The DP console will alarm for thruster prediction error.

6.9.3.6 Wire break or failure of feedback signals from feedback unit to the potentiometer: Rudder steering isfrozen at the last order, the DP console will issue a ‘prediction error’ alarm in DP. This may possiblecausing the vessel loss of heading and position. Consideration maybe given to fail the rudder into midship.

6.9.3.7 Failure of steering control and alarm panel: As the rudder control system is independent from others interms of its control philosophy, failure of the steering electronic control unit will only affect the respectiverudder.

6.9.4 Hidden Failures of the Steering Control System

6.9.4.1 No hidden failures were found during the analysis.

6.9.5 Common Mode Failure of the Steering Control System

6.9.5.1 There is only one rudder driven by two steering pumps during DP operation. Those failures are identifiedin the analysis.

6.9.6 Configuration Errors of the Steering Control System

6.9.6.1 Both steering gear pumps should be operating during DP operation.

6.9.7 Maloperation of the Steering Control System

6.9.7.1 Kongsberg equipment is protected against single accidental maloperations by requiring vital push buttonsto be pressed twice to operate.

6.9.7.2 Manual rudder levers should be zeroed during DP so a rudder that fails to local control, fails to zero angle.

6.9.8 Worst Case Failure of the Rudder System

6.9.8.1 The worst case failure of the rudder would be uncontrolled thrust by a rudder producing the correct anglein the wrong direction due to a control or feedback error.





6.10 THRUSTER EMERGENCY STOPS

6.10.1 Description

6.10.1.1 Emergency stop buttons for all three tunnel thrusters and two azimuth thrusters are provided at the bridgewing stbd, bridge wing port, bridge centre thrusters remote control panels and DP consoles. The mainengine emergency stop buttons are provided at Autochief C20 control station fitted on bridge centre

thrusters remote control panel, ECR Autochief C20 control panel, DP console and local.6.10.1.2 The thruster E-stop circuit is fitted with a wire break detection module to ensure that an open circuit on the

emergency stop cable will not stop the thruster. This module gives an alarm if it detects a cable wire break.This function also provides protection against multiple thrusters tripping as a result of a fire in thenavigation bridge or in the cable routes to the thrusters.

6.10.2 Failure Modes of the Emergency Stops

6.10.2.1 The failure modes of the emergency stops are considered to be:

1. Failure to operate.

2. Spurious operation of one stop.

3. Failure of 24V DC to the E stops panels.

4. Wire break or short in emergency stop circuit.

6.10.3 Failure Effects of the Emergency Stops

6.10.3.1 Failure to operate: Clearly, this could lead to a critical situation if there was a need to shut down a roguethruster. Such a fault could occur in the circuit after the Emergency Stop relay, where there is nomonitoring of faults. However, these areas are relatively small and well protected inside the panels. It isacceptable mitigation to test the emergency stops periodically.

6.10.3.2 Spurious operation of one stop: The vessel always operates in such a way that the failure of one thruster

can be tolerated.

6.10.3.3 Failure of 24V dc to the E stop panels: There is a single 24V DC supply to the E stop panels. Failure ofthis supply will only affect the illumination on E stop panels.

6.10.3.4 Wire break or short circuit in emergency stop circuit: Emergency stop facility will be disabled and there isloop monitoring function for the wire break failure. If there is a short circuit on a loop, it will shutdown thecorresponding thrusters/engine.

6.10.4 Common mode failure of the thrusters

6.10.4.1 Thrusters No.1 No.2 and No.3 are part of the forward freshwater cooling system. This system is divided

into two systems with 4 manually operated crossover valves. The tunnel thruster no.2 and Bow azimuththruster no.3 are on section 2 forward thruster fresh water cooler and the bow thruster no.1 is on thesection 1 forward thruster fresh water cooler. A burst cooler in this system would result in the thruster(s)using that cooler eventually tripping on high operating temperatures. This has been explained in detail insection 2. Thruster no.6 (Main Engine CPP) has its own freshwater cooling system.

6.10.4.2 The forward and aft sea water cooling system has only one discharge valve each. Blockage of thisdischarge valves will cause the respective thrusters cooled by it to fail due to high temperature. Furtherdetails can be found in section 2.7.

6.10.4.3 Thruster No. 5 (Stern Tunnel Thruster) is part of No.1 & No.2 G/E freshwater cooling system. A burstcooler in the system would result in the failure of this and other thrusters fed from MSB 1 as GeneratorsNo.1 and No.2 are on the same circuit.

6.10.4.4 Thruster No.4 (Aft Azimuth Thruster) is part of the GE No.3/4 freshwater cooling system. A burst cooler inthe system would result in the failure of this and other thrusters fed from MSB 2 as Generators No.3 andNo.4 are in the same circuit.





6.10.4.5 Mains switch board No.1 powers thrusters T1, T5 and T6 (the engine and CPP essential pumps are dualsupply) and Main switchboard No.2 powers thrusters T2, T3 and T4 (dual supply).

6.10.4.6 Thruster Control Systems: The No.1 bow tunnel thruster and No.5 aft tunnel thruster are fed from the No.1 AC 220VAC feeder panel as well as the 24vdc No.1 Battery charger and Discharger board. No.2 bowTunnel thruster, No.3 Bow Azimuth Thruster and No.4 Stern Azimuth Thruster are supplied from No.2 AC220VAC feeder panel as well as the 24Vdc No.2 Battery Charger and Discharger board. This is in line with

the split design of having the thruster motors for Bow tunnel No1 and Stern Tunnel No.5 supplied from theNo.1 MSB. Bow tunnel thruster No.2, Bow Azimuth No.3 and No.4 are supplied from No.2 MSB.

6.10.4.7 Thruster Emergency Stop: Provided the fault detection circuit is effective then there will be no risk of firedamage causing the loss of all thrusters.

6.10.4.8 Main 6.6kV switchboard: A short circuit, or other fault, has the potential to cause voltage dips on the 6.6kVboards, which could disrupt thruster operation. Such a failure of a common 6.6kV switchboard could failtwo or three thrusters:

1. Failure of MV MSB No.1 leading to loss of thrusters T1, T5 and T6 or

2. Failure of MV MSB No.2 leading to loss of thrusters T2, T3 and T4. (T3 can be manual changeoverand to be supplied by MV MSB No.1)

6.10.5 Hidden thruster failures

6.10.5.1 Hidden failure of the power supply to the auto-changeover unit supplying the hydraulic pumps may lead toloss of a thruster.

6.10.5.2 The emergency stops for the thrusters are an important protection against drive off. The system isprotected against wire breaks by wire break protection circuits but should still be regularly tested.

6.10.6 Thruster configuration errors that could defeat redundancy

6.10.6.1 If there is pipe leakage or cooler burst and the isolation valves are not configure accordingly, this may leadto high temperature for the forward thrusters. The DP configuration setup has to be placed in order to havethe correct setup for the isolation valves

6.10.6.2 Improper operation that defeats the redundancy concept with respect to the isolation and crossover valveare identified as configuration errors. If the 4 crossover valves and the two cooler isolation valves could beoperated in time this would prevent loss of thrusters in the system. Mitigation to aid this is a low level alarmin the head tank, a bilge alarm in the vicinity of the cooler and a differential pressure alarm across thecoolers.

6.10.6.3 Thruster Control system software: Configuration errors would only be evident in the event of a corruptedsoftware install. As software is not being investigated in this analysis, configuration errors resulting fromsoftware have not been investigated further.

6.10.7 Maloperation of the Thruster

6.10.7.1 Thruster emergency stop: Inadvertent operation could cause the loss of at least one thruster but there are

guards around the pushbuttons on the manual control panel. The risk of inadvertent operation of thewrong thruster is unlikely as the panel layout is intuitive.

6.10.7.2 Taking any part of the thruster control system into local control would cause the thruster to be deselectedby the DP system, however, each thruster has its own individual set of local / remote selectors, thereforeno more than one thruster should be affected by a single act of maloperation.

6.10.8 Worst Case Failure of the Thruster

6.10.8.1 Loss of a cooler in the central FW cooling system would result in the loss of GE 1 and 2. This would resultin the loss of MSB 1 which would result in loss of thrusters 1, 5 and 6. This is considered to be aconsequence of failure of the power to the thrusters. A component failure within each thruster will at mostfail that particular thruster.





7 K-CHIEF 600 INTEGRATED CONTROL AND MONITORING SYSTEM

7.1 GENERAL

7.1.1 Drawing References

SSME S7001-2 Reapproval dwg-1 (K-CHief 600)221636A_FDS for control system

344794a_K-Chief 600 FMEA

S7001 Alarm point list

7.1.2 Description

7.1.2.1 The vessel is fitted with a Kongsberg K-Chief 600 system which contains the auxiliary systems and PMSsystems specified to comply with the requirements for control systems in DP Dynpos-AUTR notation.

7.1.2.2 The basic function of K-Chief 600 is to monitor ship alarms, process control and power management.

7.1.2.3 The K-Chief 600 system architecture has a modular design, and builds on Operator Stations and I/O/control modules interconnected by local data networks. Figure 7-1 shows the general architecture of the K-Chief 600 system.

7.1.2.4 Modular design allows flexibility in configuring the system to individual requirements, covering the wholerange from low complexity alarm systems to highly integrated alarm and monitoring systems with advancedprocess control.

7.1.2.5 The K-Chief system has included the following functions/controls.

Alarm and monitoring system.

Auxiliary control system

Power management system

Cargo control system

Ballast automation system Main Engine monitoring system

7.1.2.6 The control is done locally by the Distributed Processing Units (DPU), while the operator interface is doneby the Operator Stations (OS).

7.1.2.7 The Watch Call System (extension alarm system) is provided to give alarms to the bridge andaccommodation when the system is set to UMS mode (Unmanned Machinery Space). The Watch Callsystem includes a Watch Bridge Unit (WBU) and several Watch Cabin Units (WCUs). The number ofWCUs depends on the ship configuration.

7.1.2.8 The key components of the PMS have been discussed within Section 4. However certain aspects of thePMS, such as networking and power supply are discussed within this section for completeness.





Figure 7-1 General Architecture of K-Chief 600 System





7.2 K-CHIEF 600 OPERATOR STATIONS:

7.2.1 Description:

7.2.1.1 The K-Chief Operator Stations are the main interface between the operator and the process that are underthe operator’s control. An OS has three main parts:

1. Main Computer Unit (MCU- Windows XP marinised industrial computer).

2. Operator panel with buttons and position controls.

3. Colour monitor.

7.2.1.2 The main MCUs are functionally linked to one or more DPUs (Distributed Processing Units). A DPUprovides the MCU with process signals or the capability to control parts of the process.

7.2.1.3 For redundancy purposes, one more MCU is linked in a similar way to the same DPUs.

7.2.1.4 All field/local DPU’s are interfaced with MCU through SCU DPUs (Segment Controller Unit DistributedProcessing Units. Each DPU has two independent communication channels (CAN A and CAN B).

7.2.1.5 All MCUs are interlinked by a dual LAN network (LAN A and LAN B). The two MCUs work in parallel andcollect simultaneously data by using both communicating channels (CAN networks) through SCU DPU. Allother MCUs connected in the network are continuously updated with data from the Master MCU throughthe dual LAN communication link. Network switches are used to galvanically isolate the operator stationsfrom each other.

7.2.1.6 Master/slave functionality is used to define whether data from CAN A or CAN B is to be used. The MCUcommunicating on CAN A is defined as master. Whenever the Master MCU fails to communicate with oneor more DPUs, the Slave MCU automatically undertakes the communication, and the data retrieved fromthe CAN B network is used.

7.2.1.7 There are total six operator stations used in this vessel; two operator stations (K-Chief OS1 and K-ChiefOS2) are in the Engine Control Room (ECR), two are in the Cargo Control Room (K-Chief OS 3 and K-Chief OS 4) and the rest two (K-Chief OS 5 and K-Chief OS 6) are located on the wheelhouse.

7.2.1.8 The operator stations provide the operator with a number of standard display pictures containinginformation about the engine and surrounding equipment, cargo control systems, ballast automationsystem etc. Control of different systems can be done from the corresponding operator stations.

7.2.1.9 The default operator control stations for engine and surrounding equipment are OS1 & OS2, for ballastsystem and cargo system are OS3 & OS4 and for thrusters and DP system are OS5 & OS6. However thecommands can be transferred from one control position (i.e., ECR or CCR or WH OSes) to another byaccess & transfer control facility provided in K-chief 600 operator stations.

7.2.1.10 Each Operator stations contain a Process Data Server (PDS). The PDS is a software program containingupdated process data for all signals, states and events. The PDS in each of the Operator Station is alwayssynchronized.

7.2.1.11 When a signal or state is changed, the PDS in the corresponding OS will be updated, information about thechange will be transmitted to the other Operator Stations via the LAN network and the PDS in thosestations will be updated (as all PDSs are synchronized).

7.2.1.12 The table below (table 7-1) gives the list of operator stations with its location and power supply details.





Table 7-1 Operating Stations Power Supply

Operator Station Location Power Source

OS1 Engine Control Room K-Chief UPS1

OS2 Engine Control Room K-Chief UPS2

OS3 Cargo Control Room K-Chief UPS3

OS4 Cargo Control Room K-Chief UPS4

OS5 Wheelhouse K-Chief UPS1

OS6 Wheelhouse K-Chief UPS2

7.2.2 Failure Modes of Operator Station:7.2.2.1 Failure modes have been assessed for each operator station and all failures assessed are listed below:

Loss of 230V UPS supply to operator station.

MCU Failure.

Failure of network connection.

Network connection fails with errors.

7.2.3 Failure Effects of Operator Station:

7.2.3.1 Loss of 230V UPS supply to operator station: Alarm on IAS for loss of supply. As the power supply for

each K-Chief OS in wheel house, Cargo Control Room and Engine Control room are fed from differentUPSes, there will be a loss of only one OS at a time if there is a failure in one UPS or any single failures topower supply. It will not affect to loss of control as operator still can use the other OS which is supplied bythe second UPS.

7.2.3.2 MCU failure: As there are two operator stations available on every location, loss of one OS due to ahardware failure will not lead to a loss of control.

7.2.3.3 Failure of network connection: communications error alarm on the K-chief OS. Network communicationsmaintained on remaining healthy network.

7.2.3.4 Network connection fails with errors; Communications error alarm on K-chief OS. Network communicationsmaintained on remaining healthy network.

7.2.4 Common Mode Failures of the Operator Stations7.2.4.1 No common mode failure of the operator stations has been identified.

7.2.5 Hidden Failures of the Operator Stations

7.2.5.1 Software failure will remain hidden; however software is not part of this analysis.

7.2.6 Maloperation of the Operator Stations

7.2.6.1 Typical operating circumstances and conditions would not give rise to any opportunity for maloperation ofany of the human machine interface with competent and adequately trained operators. However,mechanical wear or damage to components from repeated use is possible and should be considered.Maloperation would only be possible in the event of unplanned maintenance or inspection of other systemswithin close proximity to the enclosed operator stations components.





7.2.7 Configuration Errors of the Operator Stations

7.2.7.1 Configuration errors would only be possible as a result of accidental or inappropriate reconfiguration as aresult of unplanned maintenance.

7.2.8 Worst Case Failure of the Operator Stations

7.2.8.1 The worst case scenario on failures assessed is total loss of an operator station. Loss of an operator

station will only mean that commands are entered at another station. Any loss of hardware or network datawill produce alarms on the system.

7.3 K-CHIEF 600 DISTRIBUTED PROCESSING UNITS (DPU’S) AND DPU CABINETS:

7.3.1 Description:

7.3.1.1 A DPU is an intelligent unit performing signal conditioning, scaling, alarm detection and control functions byitself. The data is then transmitted to the operator stations.

7.3.1.2 All control and monitoring in K-Chief 600 is carried out by the DPUs. The DPUs are located close to thecontrolled machinery to minimise cable installation. K-chief 600 consists of a number of DPU’s distributedin different field stations.

7.3.1.3 The DPUs communicate with each other by a dual redundant Control Area Network (CAN). The CANnetwork is an event-based multi master network. The DPUs can intercommunicate with each other evenwhen both operator stations are not functioning.

7.3.1.4 The interconnection between the DPU and the OSs is made by two independent wire connections in orderto achieve a redundant connection to the source of information. A local DPU is functionally linked to twoOperator Stations (OS) that presents the sensor information provided by the DPU.

7.3.1.5 The SCU DPU (Segment Controller Unit Distributed Processing Unit) may include overall process controlsuch as sequential control. In PMS, SCU includes the logics for overall power management systemincluding control of auto sequences, while other DPUs in the PMS field stations are controlling each powergenerator.

7.3.1.6 The SCU DPU can also act as a gateway between operator station and process net (CAN). Separate setsof SCU DPU’s are used for this purpose.

7.3.1.7 The SCU DPU’s are mounted in OS consoles while other DPU’s are mounted in distributed DPU cabinetsthose are located close to the controlled machinery to minimise cable installation.

7.3.1.8 There is a combination of several types of DPU’s are mounted in a DPU cabinets depending on theprocess. There is a common SCU DPU (can be either single or redundant) for each control segments (eg:PMS, Cargo control, Pump control etc.) and an independent redundant local CAN for eachcontrol/monitoring segments. All SCU DPUs are linked by a redundant process net called global CAN.

7.3.1.9 The K-Chief 600 DPUs meant for the cargo monitoring and controls are connected to redundant operatorstations OS3 and OS4 in the cargo control room through a pair of SCU DPU’s. All of the rest DPUs areconnected to redundant operator stations OS1 and OS2 in the engine control room through another set of

SCU DPU’s.

7.3.1.10 All SCU DPU’s and field stations are powered from UPS units, which mai ntain power without interruption ifthe vessels power system is lost. In the event of a power outage, the UPS’s supply power for at least 30minutes as required. The loss of any one power supply will activate an appropriate alarm on the IAS. SCUDPU’s and field stations are supplied from a range of UPS units, which are detailed as can be seen inTable 7-2.

Table 7-2 DPU’s Location and Power Supplies

DPU’s Location Power Supply





SCU A DPU 0500/0600/0700/ 0800/1900

Engine Control Console (ECR) K-Chief UPS1

SCU B DPU 5500/5600/5700/ 5800

Engine Control Console (ECR) K-Chief UPS2

SCU A DPU 0900 Cargo Control Console (CCR) K-Chief UPS3

SCU B DPU 5900 Cargo Control Console (CCR) K-Chief UPS4

DPU 0520-0531 No.1 DPU Cabinet (ECR) K Chief UPS1 & UPS 2

DPU 0720-0739 No.7 DPU Cabinet (H.V.S.B) K Chief UPS1 & UPS 2

DPU 0820-0834 No.6 DPU Cabinet (GSP) K Chief UPS1 & UPS 2

DPU 0532 - 0545 No.2 DPU Cabinet (Engine Room) K Chief UPS1 & UPS 2

DPU 0546 - 0552 No.3 DPU Cabinet (Engine Room) K Chief UPS1 & UPS 2

DPU 0920-0937 No.4 DPU Cabinet (Valve Control/Alarm -CCR)

K Chief UPS3 & UPS 4

DPU 0938-0944 No.5 DPU Cabinet (Valve Control/Alarm -CCR)

K Chief UPS3 & UPS 4

7.3.1.11 The DPU’s require 24Vdc for its operation. The supply is fed from 230V AC UPSs via rectifier units installedin consoles. The output from the rectifier unit is single 24Vdc.

7.3.1.12 Engine Control Console DPUs (DPU 0520 to DPU 0531): The basic functions of these DPUs are generatorengine monitoring and control through ICMS.

7.3.1.13 H.V.S.B DPUs (DPU 0720 to DPU 0739): The basic functions of these DPUs are switchboard monitoringand control through the PMS (C4 modules).

7.3.1.14 GSP (Group Starter Panels) DPUs (DPU 0820 to DPU 0834): The basic functions of these DPUs are forpump control and monitoring.

7.3.1.15 Engine Room DPUs (DPU 0532 to DPU 0552): The basic functions of these DPUs are for alarmmonitoring.

7.3.1.16 Valve Control /Alarm DPUs (DPU 0920 to DPU 0944): The basic functions of these DPUs are for cargo

control and monitoring.7.3.1.17 The AC C20 module communicates with the Main Engine for control and monitoring of the Main Engine

and propeller.

7.3.2 Failure Modes of DPU’s and DPU Cabinets:

7.3.2.1 Failure modes have been assessed for each group of DPUs are listed below:

SCU DPU’s power supply failure.

Failure of SCU DPU.

24V dc supply failure in DPU cabinets.

DPU modules failure in FS.

Network connection fails low.





Network connection fails with errors (jabber, etc).

7.3.3 Failure Effects of DPU’s and DPU Cabinets:

7.3.3.1 SCU DPU’s power supply failure: As almost all SCU DPU’s are redundant and power supply for each unitis fed from two different sources as shown in table 5-1, a single failure in power supply will not affect the

operation. If the master SCU DPU losses supply, there will be an alarm on operator station and operationresumes on the slave SCU DPU without redundancy. AC C20 SCU DPU is an exception to redundant SCUDPU as it is a single. The loss of power supply to this DPU will not lead to loss of vessel position as vesselcan be still positioned from DP control system.

7.3.3.2 Failure of SCU DPU’s will have the same effects of power supply failure as described above.

7.3.3.3 24V dc supply failure in DPU cabinets: The effect of the power supply failure will be that the DPUs incabinet will no longer communicate with either the operator station or the field instrumentation and loss ofcontrol over equipment routed through affected cabinet. 24V dc supply failure in no.1 DPU cabinet will lossall serial line communications such as VDR, Tank level system, G/E alarm and monitoring, thrusters alarmand monitoring information etc. However this should not trip any generators or thrusters and loss of vesselposition. The control distribution should be in such a way that the loss of DPU cabinet supply should notlead to loss of vessel position.

7.3.3.4 DPU module failure in FS: As there is no redundancy built into the DPU modules in FS, total failure of aDPU module will cause any connected field instrumentation to fail to a pre-defined fail safe state and will bealarmed in operator stations.

7.3.3.5 Network connection fails low: As the networks are dual networks any single connection failure will producean alarm but have no effect on operation of the system. The communication resumes through theredundant network.

7.3.3.6 Network connection fails with errors (jabber/Multiple collisions): The term ‘Jabber’ is used to describe acondition where a faulty transceiver continuously transmits random data on to the network inhibiting orcorrupting all other transmissions. Errors in individual transmissions should be rejected and initiate

retransmission.

7.3.4 Common Mode Failures of the DPU’s and DPU Cabinets

7.3.4.1 No common mode failures directly associated with the DPU cabinets themselves were revealed by thisanalysis.

7.3.5 Hidden Failures of the DPU’s and DPU Cabinets

7.3.5.1 Hidden failures in a dual system occur when a failure of a component does not show up until a subsequentfailure causes a loss of the dual system.

7.3.5.2 DPU cabinets (Dual Supply) - A dual powered DPU cabinet has internal semiconductors that connect thetwo power supplies together. A failure of these internal circuits is not alarmed and may not be detectable by

the system. Regular maintenance and testing of DPU cabinet power supply redundancy (e.g. tested duringannual DP trials) will identify a failed power supply. Loss of one DPU cabinet will not exceed the WCFDI.

7.3.6 Configuration Errors of the DPU’s and DPU Cabinets

7.3.6.1 Configuration errors of the DPU’s are prevented by each DPU having a different MAC address so theprogram changes sent by the Operator Station are specific to that station.

7.3.6.2 Each DPU module has a unique identification code in the system. This ID code identifies how the module isconfigured, i.e. as digital I/O, analogue I/O or a mixture of both, and where it is installed. The IAS systemcan, therefore, monitor at all times that the correct module is installed in the correct position.

7.3.7 Worst Case Failure of the DPU’s and DPU Cabinets

7.3.7.1 The worst case failure of the DPU’s and DPU cabinets is failure of the power supply. This will loss the

control and monitoring of associated equipments routed through affected DPU cabinet. However thisshould not trip any generators or thrusters and loss of vessel position.





7.4 K-CHIEF 600 NETWORK COMMUNICATIONS

7.4.1 Description:

7.4.1.1 The K-Chief 600 marine automation system uses three networks for the communication between differentnodes; Local Area Network (LAN), Global Controller Area Network (Global CAN) as process net and LocalController Area Network (Local CAN) as local subnet. All are dual redundant networks. Refer Fig 7-2 for adetailed drawing.

7.4.1.2 By using a Fleet Master workstation it is possible to send process data from the K-Chief 600 system to theadministrative network and then to shore via satellite communication. The Fleet Master workstationcontains a Process Data Gateway (PDG), a software program acting like a firewall, separating andprotecting the process data from the data on the administrative network.

7.4.1.3 The redundant LAN, Net A and Net B are used to communicate between the Operator Stations and otherPC based equipments. Switches are used to galvanically isolate the Operator Stations from each other.There are two network switches used in this vessel; OS switch A1 located in OS 1 for Net A and OS Switch A2 located in OS 2 for Net B.

7.4.1.4 The redundant LAN is an open net employing international standard protocol (Ethernet, TCP/IP) thatpermits connection and data exchange using Kongsberg Maritime standard interface programs.

7.4.1.5 Process net, also called Global CAN, is connecting the sub segments using redundant CAN bus running on125 kbps. It is a highly reliable process bus and used for communication between different sub segments.Each sub segment has a pair of redundant SCU DPU’s, working as a local gateway and routing the signalsfrom process network to local network.

7.4.1.6 The local subnet is connecting the different IO DPU’s to the SCU DPU and is using redundant CAN busrunning on 125 kbps, also called as Local CAN.

7.4.1.7 PMS, Cargo Control, Alarm and Monitoring Control etc. are normally arranged as separate CAN segments(local segments), where the input and output signals are connected to DPUs separated from the global

CAN segment by two redundant Segment Controller Units(SCU).





LOCAL

CAN

K-CHIEF

OS 1

DPU’S IN

NO.1 DPU

CABINET

DPU’S IN

NO.3 DPU

CABINET

SCU A

DPU 0500

SCU B

DPU 5500

AMC 1

SCU A

DPU 1900

AC C20

DPU’S IN

NO.7 DPU

CABINET

IN HVSB 1

DPU’S IN

NO.7 DPU

CABINET

IN HVSB 2

SCU A

DPU 0600

SCU B

DPU 5600

BWCMS

SCU A

DPU 0700

SCU A

DPU 5700

PMS

SCU A

DPU 0800

SCU B

DPU 5800

PUMP CONTROL

SCU A

DPU 0900

SCU B

DPU 5900

CARGO CONTROL

DUAL GLOBAL CAN

LOCAL

CAN

LAN

NET A

NET B

K-CHIEF

OS 2

K-CHIEF

OS 5

K-CHIEF

OS 6

K-CHIEF

OS 1

K-CHIEF

OS 2

DUAL LAN

L A N

L A N

L A N

L A N

8" AIPC

IN HVSB 1

LOCAL

CAN

DPU’S IN

DPU CAB.

IN V/V CTRL

CAB 1

DPU’S IN

DPU CAB.

IN V/V CTRL

CAB 2

LOCAL

CAN

DPU’S IN

NO.6 DPU

CABINET

IN GSP 1

DPU’S IN

NO.6 DPU

CABINET

IN GSP 2

ECR

WHEEL HOUSE

CCR

CAN1

CAN2

Figure 7-2 157K Shuttle Tanker K-Chief Networks





7.4.2 Failure Modes of Network communication

7.4.2.1 Failure modes have been assessed for each OS network switch, and other network components on K-Chief networks and all significant failures assessed are listed below:

1. OS network switch failures

2. Loss of power or other failure of an OS network switch

3. Network connection Failure (LAN, Global CAN and Local CAN)

4. Jabber/multiple collisions

5. NIC failure

7.4.3 Failure Effects of Network Communications

7.4.3.1 Effects of OS network switch failures: As networks are dual network with completely redundant cabling andcomponents, any failure will have minimal effect on the DP system. A failure in any OS network switch willonly affect either Net A or Net B. However it should be noted that any failure that results in the loss of eithernetwork channel, the DP system will no longer be fault tolerant.

7.4.3.2 Loss of power or other failure of OS network switch: This will only affect either Net A or Net B.Communication will continue as normal through the redundant network.

7.4.3.3 Network connection failure (LAN Global CAN and Local CAN): As all networks are dual, any singleconnection failure will produce an alarm but have no effect on operation of the system.

7.4.3.4 Jabber/multiple collisions: The term ‘Jabber’ is used to describe a condition where a faulty transceivercontinuously transmits random data on to the network inhibiting or corrupting all other transmissions. Errorsin individual transmissions should be rejected and initiate retransmission.

7.4.3.5 NIC failure: The network interface cards have several protective functions built in, including line overload,line under load, jabber, etc. The detection of a failure will cause the appropriate network node(s) to cease

transmitting. This state will remain until the failure disappears when a reset is sent to the transmitterwatchdog to allow it to recommence sending.

7.4.4 Common Mode Failures

7.4.4.1 Network Storms: Ethernet networks have been historically problematic as a result of network storms. Thesecan be caused when incorrect packets broadcast on to a network that causes multiple stations to respondall at once; typically each node will answer, which causes the storm to grow exponentially. When thishappens there are too many frames on the network for any data to be able to be processed. Protectivefunctions built into the NIC will filter out some types of packets not destined for the host but multicasts andbroadcasts are sent to the processor. The switches and Ethernet converters on board are equipped withmulticast filtering technology to solve this problem.

7.4.5 Hidden Failures

7.4.5.1 Hidden failures in a dual system occur when a failure of a component does not show up until a subsequentfailure causes a loss of the dual system.

7.4.5.2 Hidden failures are guarded against by alarming faults to the operator at any of the consoles.

7.4.5.3 This analysis has not uncovered any potential hidden failures in the communication network for IAS Systemfitted to the vessel.

7.4.6 Maloperation of the Network

7.4.6.1 Network components responsible for communications are positioned within contained units or housedwithin the contained aspect of other systems. Maloperation would therefore only be possible in the event ofmaintenance or inspection of other systems within close proximity to networking components.





7.4.7 Configuration Errors of the Network

7.4.7.1 Any incorrect initial configuration or reconfiguration of equipment following equipment failure or unplannedmaintenance will allow for the possibility of configuration errors, however the risk of such errors is reducedwith maintenance procedure and vigilance.

7.4.8 Worst Case Failure of the Network

7.4.8.1 Loss or failure of network switch is effectively a complete loss of one network, either Network A or NetworkB for a range of operator stations. This is not critical if the alternate network is operational.

7.5 K-CHIEF 600 UN-INTERUPTABLE POWER SUPPLIES

7.5.1 Reference:

20120229 SSME S7001-2 Reapproval dwg-4 (Kongsberg sensor Power consumption, UPSconfiguration)

7.5.2 Description:

7.5.2.1 The K-Chief 600 system is fitted with three UPS’s labelled as K-Chief UPS 1, K-Chief UPS 2, K-Chief UPS

3 and K-Chief UPS 4.

7.5.2.2 The UPSs can withstand to full load for 30 minutes if the main incoming supply failed.

7.5.2.3 The consumers from each UPS are listed in table below.

Table 7-3 K-Chief UPS Distribution

K-Chief UPS #1 K-Chief UPS #2 K-Chief UPS #3 K-Chief UPS #4

Operator Station 1 Operator Station 2 Operator Station 3 Operator Station 4

Operator Station 6 Operator Station 5 Cargo Cabinet GLN-300

ECC ECC V/v Control Cab. 1 V/v Control Cab. 1

HVSWBD 1 HVSWBD 1 V/v Control Cab. 2 V/v Control Cab. 2

HVSWBD 2 HVSWBD 2

GSP 1 GSP 1

GSP 2 GSP 2

Cabinet 2 Cabinet 2

Cabinet 3 Cabinet 3

7.5.3 Failure Modes of the K-Chief UPSs

7.5.3.1 The following failure modes have been analysed for this report:

Failure of input power supply to zero Volts.

Battery faults.

Failure of Individual Outputs

Failure of all outputs from a K-Chief UPS due to internal short circuit.





7.5.4 Failure Effects of the K-Chief UPSs

7.5.4.1 Failure of input power supply to zero Volts: UPS should continue to operate for at least 30 minutes. Alarmwill appear on K-Chief operator station. This will not affect any K-Chief operation as there is no loss ofpower to any K-Chief components.

7.5.4.2 Battery failure: This will results in loss of power supply to all outputs from respective UPS if the mainsupply to the UPS fails. This can be deal by performing battery endurance test regularly. A single failure ofUPS will not affect any K-Chief operation as all K-Chief components are either redundant (eg: operatorstation, SCU DPUs) or supplied by two UPSs (eg: DPU cabinets).

7.5.4.3 Failure of Individual Outputs: This also will not affect any K-Chief operation as all K-Chief components areeither redundant (eg: operator station, SCU DPUs) or supplied by two UPSs (eg: DPU cabinets).

7.5.4.4 Failure of all outputs from a UPS: Due to redundant supplies to each UPS supply consumer, the failure ofall outputs from single UPS will not fail the system. In summary any single point failure of K-Chief UPSswill not affect the station keeping.

7.5.5 Hidden Failures of the K-Chief UPSs

7.5.5.1 The most common hidden failure of UPS arises when the UPS batteries fail to provide the expected life.Provided they are replaced about every two years and regularly checked this should not happen.

7.5.6 Common Mode Failures of K-Chief UPSs

7.5.6.1 No common mode failures directly associated with the UPSs themselves were revealed by this analysis.

7.5.7 Worst Case Failure of the K-Chief UPSs

7.5.7.1 The worst case failure of a K-Chief UPS is the total loss of UPS due to short circuit or battery failure.

However as all K-Chief components are either redundant (eg: operator station, SCU DPUs) or supplied bytwo UPSs (eg: DPU cabinets), a single point failure will not affect any K-Chief operation.





8 DP CONTROL SYSTEM

8.1 SYSTEM DIAGRAM AND OVERVIEW

8.1.1 Reference

Cable Layout Drawing, K-Pos DP 22 System:- 1180307 Rev E

Cable Layout Drawing, K-Pos DP 22 Reference System(s):- 1180309 Rev C

Cable Layout Drawing, cJoy System:- 1180308 Rev C

Cable Layout Drawing, BlomPMS:- 1181712 Rev D

FMEA Document, K-Pos DP-21 and cJoy:- 1180321 Rev B

Kongsberg K-Pos DP-21 and cJoy Cable Information:- 1203503 Rev A

S7001-Navi.Diagram

8.1.2 Introduction

8.1.2.1 The dynamic positioning control system maintains the vessel’s position with respect to the seabed by use

of vectored thrusts. The DP control system computes a thrust magnitude (motor torque) and direction foreach thruster to counteract the effects of wind, tidal current and wave motion. The calculation is based oninformation received from position reference systems and vessel sensors. The dynamic positioning controlsystem is also the subject of a detailed FMEA by Kongsberg Maritime.

8.1.3 Description

8.1.3.1 The shuttle tanker uses a dual redundant Kongsberg K-POS dynamic positioning control system. Refer tofigure 8.1 for a simplified diagram.

8.1.3.2 The heart of the K-Pos system is a DPC-2 dual controller. The DPC-2 controller is located in the electricalequipment room and the two DP operator stations K-Pos OS 1 and OS 2 are located in the wheel house.In addition to the duplex system, there is a Kongsberg cJoy system (joystick) operator terminal which has

an independent hardwired connection to the thrusters. The cJoy cC-1 controller is located in the converterroom with a cJoy operator terminal housed in the forward wheelhouse. The cJoy system has a manual joystick and can only be used for auto heading; it is not a backup DP system.

8.1.3.3 Switching between DP control, cJoy independent joystick and manual operation is carried out by achangeover switch which is located at the DP operator console OS1. This switch is protected by a clearsprung plastic to prevent accidental tempering.





DPC- 2

Gyro 1 Gyro 2 Gyro 3

MRU 5(1)

MRU D(2)

MRU D(3)

Wind 1 Wind 2

DARPS 132

SpotbeamSerial Splitter

Spotbeam Antenna

Inmarsat Antenna

DARPS 132 System Antenna

DP UHF Antenna

(1)

DPIALA

Antenna(1)

DARPS 200 System AntennaDP

GPS Antenna

(2)

DP UHF Antenna

(2)

DPIALA

Antenna(2)

DPGPS

Antenna(1)

Demod

Artemis MK5 Antenna

KPOS-OS1 KPOS-OS2

Net

Net

A

B

A

B

Cyscan

DARPS1

RemoteCabinet

Demod

Inmarsat SerialSplitter

DP UHF464

Antenna(3)

DARPS 200

Wind 3

Figure 8-1 Simplified Drawing of DP Control System





8.2 DP CHANGEOVER SWITCH

8.2.1 Description

8.2.1.1 The DP changeover switch is used for transfer of control from manual thruster station to main DP or theindependent joystick. This mechanical switch is supplied by Kongsberg. The switch is supplied with24Vdc which is converted from the UPS1 supply to DP OS1. This supply is only to light up the buttonsthat indicate “DP”, “Manual” and “cJoy”.

8.2.1.2 The reliability for the changeover switch is considered high and probability for critical failure low.

8.2.2 Failure modes of the DP Changeover Switch

8.2.2.1 For the purposes of this FMEA, the significant failure modes of the DP Changeover switch are taken tobe:

1. Loss of 24Vdc power supply to DP changeover switch

2. Wire break on the contact

3. Mechanical Failure

8.2.3 Failure effects of the DP Changeover Switch

8.2.3.1 Loss of 24Vdc power supply to DP changeover switch: Failure of 24Vdc power supply to the DPchangeover switch will result in only loss of the indication lights on the DP changeover switch.

8.2.3.2 Wire break on the contact: If the switch is already in the DP position, the contacts are closed and thethrusters are already receiving analogue commands from the DP controllers. An open circuit of thecontact ( on request for Manual mode or cJoy mode) will not change the thruster mode. An open contacton the request for DP mode connections will take the affected thruster out of DP.

8.2.3.3 Mechanical Failure: This failure will cause the switch to be unable to changeover to other modes. If theswitch fails, the thrusters will be on their last mode of operation.

8.2.4 Hidden failures of the DP Changeover Switch

8.2.4.1 No significant hidden failures have been detected within the mechanical changeover switch. The switch isguarded with a proper sprung transparent cover therefore the reliability for this changeover switch isconsidered high and probability for critical failure is low.

8.2.5 DP Changeover Switch configuration errors

8.2.5.1 There is no configuration error as the switch is a mechanical switch.

8.2.6 Maloperation of the DP Changeover Switch

8.2.6.1 There is no maloperation of the DP changeover switch as the switch is guarded with a transparent sprungcover to avoid accidental tempering.

8.2.7 Worst Case failure of DP Changeover Switch

8.2.7.1 The worst case failure is a complete failure for the DP changeover switch. The operation of the thrusterswill fall under the last mode of operation before the switch failed. It would not be possible to changemodes of operation via the changeover switch until the switch has been rectified.

8.3 DP OPERATOR STATIONS

8.3.1 Description

8.3.1.1 The Operator Stations (OS) are the main interface between the operator and the processes that areunder the operator’s control. An Operator Station has three main parts:

1. Windows XP marinised industrial computer.

2. Operator panel with buttons and a trackball / joystick.

3. Colour monitor.8.3.1.2 The Operator Stations are installed as standard Kongsberg consoles, and are located in the wheelhouse

(OS1 and OS2).





8.3.1.3 Each operator station runs the Kongsberg DP Software. This is a tailored software suite enablingconfiguration of DP functions within the DPC-2 Controller. These include the settings of some alarmlevels, vessel sensor settings, manual draught settings and reference sensor weighting.

8.3.1.4 The DP Operator Stations can display a number of different mimics including Thruster View, Power Viewand Sensor View. Each ‘mimic’ has several sub views providing more detailed information as required.These are available from drop down menus accessed by using the trackball and left and right buttons

located on the DP operator panels.8.3.1.5 Both OS are designated as RCU Servers for the DPC-2 Controller. After they are switched on, the two

RCUs will request configuration load and standard file load from one of the operator stations. These filesare stored on the MP7900 computer’s hard disk.

8.3.1.6 All operator stations are powered from UPS units, which maintain power without interruption if the vesselpower system is lost. In the event of a power outage, the UPSs can supply power for at least 30 minutesas required by DNV rules. A power supply table listing the UPS supplies is given in Table 8-1.

8.3.1.7 Both the DP Operator Stations are each installed with a capacitor capable of sounding an alarm horn forone minute following a power loss to the Operator Station. Therefore no separate power supply is neededfor audible alarms in the event of power failure.

8.3.2 Failure modes of the DP Operator Stations8.3.2.1 For the purposes of this FMEA, the significant failure modes of the operator stations are taken to be:

1. Failure to accept operator commands (full or partial).

2. Failure to display data (Screen failure).

3. Console dead – Power Supply fault/Internal Fault.

4. Network failure.

5. Software Corruption.

8.3.3 Failure effects of DP Operator Station failures

8.3.3.1 Failure to accept operator commands (full or partial): This will be apparent to the DPO and he will simplytake command at another OS. As this is probably due to faulty logic or a faulty switch it is unlikely that itwill be alarmed.

8.3.3.2 Failure to display data (Screen failure): Again this is self-evident. No alarm will be given for the loss of adisplay.

8.3.3.3 Console dead (internal power supply failed): In the event that the ‘online’ console fails catastrophicallythis is alarmed and the DPO will take command at another station.

8.3.3.4 Network Failure: Loss of Net A or Net B is alarmed and has no effect on the DP system, as the sameinformation is transmitted on the remaining network. However the system is now operating with noredundancy.

8.3.3.5 Software Corruption: Software design is not considered in the DP FMEA, however software corruptiondue to a faulty hard disk or other hardware issue has been considered. It is not expected that such afailure would affect more than a single operator station. The DPO would have to take command on thenext OS.

8.3.4 Hidden failures of the DP Operator Consoles

8.3.4.1 It is possible for a fault to remain dormant, for example until a button is pressed. The risk of a hidden faultcan be reduced by testing all the control positions and modes on the consoles on a regular basis andcarrying out frequent lamp, key and audible alarm tests. Such a fault could also cause a double pressbutton to only require a single press, however for the double push buttons require to activate a command,the contr ol system requires the receipt of two ‘pulses’ from that button. For the command to activate on asingle pulse (two pulses need to be within a set time period) there would have to be an internal software

issue with the DP Operator Station which is out with the scope of this FMEA.





8.3.5 Common mode failures affecting the DP Operator Consoles

8.3.5.1 There is no common mode failures affecting the DP operator consoles identified.

8.3.6 DP Operator Console configuration errors

8.3.6.1 Configuration errors would only be evident in the event of a corrupt operator system or software installed. As the software is not being investigated in this analysis, configuration errors pertaining to software have

not been considered.8.3.7 Maloperation of the DP Operator consoles

8.3.7.1 Maloperation can be caused by badly designed features or inexperienced personnel. This analysiscannot account for inexperience but can verify that the design of the operator station minimises thechances for maloperation.

8.3.7.2 Within sensor settings of the K-Pos DP controller there are options in the gyro setup dialog box and theVRS setup dialog box to configure the ‘Reject/Alarm’ limits. There may be occasions when the DPOchanges the default settings. It is important that procedures are in place to regulate any changes from thedefaults and ensure they are communicated to all operators.

8.3.8 Worst Case failure of DP Operator Stations

8.3.8.1 The worst case failure is a completely dead console; the DPO will have to ‘take’ command at an alternateconsole. There is no effect on position or heading control during this time.

8.4 DPC-2 CONTROLLER

8.4.1.1 As discussed earlier The DPC-2 comprises of two identical single board computers (SBC) called RCU502s. The dual controllers are nominally called DPC A and DPC B. Although the controllers are the heartof the DP system they need to communicate with the rest of the system. This is accomplished by utilisingseveral different mediums:

1. Ethernet

2. Serial Communication

3. Analogue / Digital Communication

8.4.1.2 The controllers have a shared I/O. The redundant system components are configured via software andhardware voters to ensure continued operation in the event of a single failure. Both controllers are ‘online’operating in a ‘master/slave’ configuration. If one controller fails, the other controller assumes operationas the master.

8.4.2 Ethernet:

8.4.2.1 Ethernet network is installed to allow communication between the operator station and RCU controllerwithin the DP Cabinet. Communication from the DPC to the rest of the system is via a dual redundantEthernet network operating at 100M full duplex. Each RCU 502 has a dual Ethernet IEEE 802.3type10BASE-T/100BASE-TX interface. These are separate isolated Ethernet controllers.

8.4.3 Serial communication:

8.4.3.1 The DPC-2 cabinet has four RSER200-4 serial line interface modules that are linked to both RCUs. Eachof these modules can have up to 4 serial inputs, all of which are galvanically isolated. The serial inputsare spread across the RSER units and the RBUS dual-rail racks to enhance redundancy. Data is fed viatwo wire connections from the RSER to serial inputs on the RCU502.

8.4.3.2 Serial data is received as a proprietary NMEA 0183 sentence. The National Marine Electronics Association has developed a specification that defines the interface between various pieces of marineelectronic equipment. The standard permits marine electronics to send information to computers and toother marine equipment. Vendors, such as Kongsberg in this case, can adapt the string to feed their ownequipment.





8.4.4 Analogue/Digital communication:

8.4.4.1 The DPC-2 is equipped with eight RMP200-8 multipurpose I/O modules. Communication between theRMP201-8 and field equipment is via software configurable digital or analogue I/O ports. Communicationbetween the RMP201-8 and the RCU502 is on a dual-rail RBUS interface designated RBUS A and RBUSB. The RBUS interface is a standard multi drop RS485 serial line. Each RMP houses a processor and anRBUS driver. Analogue inputs are MRU inputs (+/-10V), UPS common alarms, Gyro ready signals and

Thruster feedback signals. Digital inputs (DI) are MRU ‘ready’, gyro ‘ready’ and Thruster / Rudder “ready”.8.4.4.2 To transfer the data from the RBUS to the RCU502 an RHUB module is used. This is a 5-channel

galvanically isolated repeater for connection to the RBUS dual-rail connections (downstream), and thetwo RCU controllers (upstream).

8.4.4.3 All modules described above, the RMP201-8, RHUB200-5 and RSER200-4 are part of Kongsberg’sRIO200 module family. RIO200 modules are the same shape and are mounted on a DIN dual-rail system.The modules snap onto the rails with a double spring action making them secure. The rails provide a dualpower supply to the modules and in the case of the RMP201-8; it provides the interface to the RBUS.From the drawing below it can be seen that PSU 1 supplies RBUS A and PSU 2 supplies RBUS B. Withinthe modules, semiconductors connect the two supplies together. RMP and RSER units monitor if poweris available on the respective rails and initiate an alarm if power is missing. Figure 8-2 below illustrates

the internal connections within the DPC-2 controller.





RBUS B

R H U B ( U 6 1 )

R S E R ( U 6 2 )

R S E R ( U 6 3 )

R M P ( U 6 4 )

Serial Outputs

24V DC

H u b B

W

i n d 2

G y r o 2

D G P S 2

G y r o 2 R e a d y

M R U 2 S

i g n a l s

D A R P S ( 2 )

NET A

to rest of DP

System

DP UPS 1

PSU 1

R H U B ( U 3 1 )

R S E R ( U 3 2 )

R S E R ( U 3 3 )

R M P ( U 3 4 )

NDU A1

Serial Outputs

RCU 501 A

Serial Inputs

24V DC

24V DC

RBUS

A

24V DC

H u b A

W

i n d 1

D A R

P S ( 1 )

D G P S 1

W

i n d 3

B l o m

P M S

R M P ( U 3 5 )

R M P ( U 3 6 )

R M P ( U 3 7 )

G

y r o 3

C

y S c a n

R M P ( U 4 1 )

D A R

P S ( 1 )

A r t e m i s

G

y r o 1

M R U 1 S

i g n a l s

G y r o 1 R e a d y

P w r l i m

i t a t i o n

T h r u s t e r 1 s

i g n a l s

U P S 1 A

l a r m s

T h r u s t e r 3 s

i g n a l s

P o w e r L i m

i t a t i o n

T h r u s t e r 5 s

i g n a l s

P o w e r L i m

i t a t i o n

M R U 3 S

i g n a l s

R M P ( U 6 5 )

R M P ( U 6 6 )

PSU 2

DP UPS 2

G y r o 3 R

e a d y

P o w e r L i m

i t a t i o n

T h r u s t e r 2 s

i g n a l s

T h r u s t e r 4 s

i g n a l s

P o w e r L i m

i t a t i o n

U P S 2 A

l a r m s

NDU B1

RCU 501 B

Serial Inputs

24V DC

24V DC

Redundant RCU Net

NET B

to rest of DP

System

DP UPS 1

Figure 8-2 DPC-2 Simplified Drawing





8.4.4.4 In the DPC-2, the two controller computers operate in parallel, each receiving the same input from thesensors, thrusters, reference systems etc. Both controllers independently compute the requiredinformation to maintain station and pass this information across the network to the field stations. The fieldstations take the median value. In the event of the loss of a controller, the system drops to simplex modeconfiguration.

8.4.4.5 The master controller can be selected by the DP operator. If a failure of the ‘master’ occurs the ‘slave’

controller will automatically take over with a bumpless transfer of command.8.4.5 Dynamic Position Controller failure modes

8.4.5.1 Failure modes have been assessed for the DP Controllers and the failures assessed are listed below:

1. Failure of a DP Controller RCU

2. Failure of a DP cabinet Power Supply

3. Total failure of DP system

4. Communication fault on one network interface (within the cabinet)

5. Failure of an RMP module

6. Failure of an RHUB module7. Failure of a common RSER module

8. Failure of RBUS rail

9. Failure of “Red Net” node or cable

8.4.6 Dynamic Position Controller failure effects

8.4.6.1 Failure of a DP Controller RCU: The failure of a single RCU controller is the most likely failure whether it’sdue to a power failure or hardware failure. This will cause a bumpless transfer to one of the redundantprocessors and will therefore not cause any loss of position. The system will drop down to “simplex”mode as described above.

8.4.6.2 Failure of DP Cabinet Power Supply: All units within the DPC Cabinet are dual supplied from PSU 1 andPSU 2. In the event of a loss of either supply the DPC will continue to operate without a redundant powersupply. Alarms will alert the operator of the failure.

8.4.6.3 Total failure of DP System: In the event of a total loss of the DP system requiring changeover to ManualThruster Control, lever control may be taken for all thrusters via the cJoy system.

8.4.6.4 Communication fault on one network interface: The DP system will alarm for the loss of an appropriatenetwork (A or B) from the faulty RCU. The DP system will still operate as a duplex system but with noredundancy.

8.4.6.5 Failure of an RMP module: Information from the specific module will not be available to the DP system. As can be seen from figure 8-2, the loss of a single RMP module would at most cause the loss of a

thruster, a gyro and UPS alarm monitoring to the DP system (i.e. U34). See Table 8-3 below.8.4.6.6 Failure of an RHUB module: Failure of an RHUB module will result in a loss of redundancy in the DPC I/O

setup. The two controllers will still receive data but only from either RBUS A or RBUS B. The RCUcontrollers are alarmed to indicate loss of RBUS input.

8.4.6.7 Failure of a common RSER module: Four separate RSER modules are used to accept inputs from thedifferent sensors and PME. In the event of failure of a module, data from the sensor will not be availableto any of the RCUs. As table 8-2 below illustrates, sensor inputs have been distributed to ensure loss of aRSER module will not have a major impact. Loss of a RSER is also alarmed to the operator. All RSERmodules are dual supplied from the dual-rail within the DPC-2 cabinet.

8.4.6.8 Failure of an RBUS Rail: Each RBUS rail provides power to the snap-on I/O modules and carries datafrom the RMP units to the RHUB. In the event of a failed power supply this would be detected by the

attached RIO modules. A fault on the RBUS RS485 link would mean the RHUBs would have differinginformation. This would be detected when the signal is sent to the RCUs. The failure of a rail or adifference between the two RBUS networks will be alarmed to the operator.





8.4.6.9 Failure of “Red Net” node or cable: Alarm on DP, DPC-2 still operates on remaining network.

Table 8-2 RSER/RMP Module Assignments for Ref Sys/Sensors

DPC-A DPC-B

RSER(U32)

RSER(U33)

RMP(U34)

RMP(U37)

RMP(U41)

RSER(U62)

RSER(U63)

RMP(U64)

RMP(U65)

RMP(U66)

Gyro 1NMEA

Ch2

Ready(DI)

Ch7

Gyro 2

NMEA

Ch2

Ready(DI)

Ch 5

Gyro 3NMEA

Ch 4

Ready(DI)

Ch 7

Wind 1

NMEA

Ch1

Wind 2NMEA

Ch1

Wind 3NMEA

Ch3

MRU 1

Ch1:R

Ch2:P

Ch3:H

CH4:D

MRU 2

Ch1:R

Ch2:P

Ch3:DI

MRU 3

Ch1:R

Ch2:P

Ch3:DI

DGPS1NMEA

Ch4

Darps1NMEA

Ch2,3

DGPS2NMEA

Ch4

Darps2NMEA

Ch3,3

FanbeamNMEACh1

ArthemisNMEACh1

BlomPMS

NMEA

Ch4





Table 8-3 RMP Module Assignments for Thrs/machinery

RMP (U34) RMP (U35) RMP (U36) RMP (U64) RMP (U65) RMP (U64) RMP (U65)

Thrs 1

Ch1:Rdy

Ch2:FBCh3:P.redCh6: Cmd

Thrs 2

Ch1:RdyCh2:FB

Ch3:P.redCh6: Cmd

Thrs 3

Ch1:RdyCh2:ThrFBCh3: P.redCh4: AziFB

Ch6:ThrCmd

Ch8:AziCmd

Thrs 4

Ch1:RdyCh2:ThrFBCh3: P.redCh4: AziFB

Ch6:ThrCmdCh8:AziCmd

Thrs5

Ch1:RdyCh2:FBCh3:P.redCh6: Cmd

8.4.6.10 As can be seen from the table above, the rudder and Thruster 6 (CPP) are not hardwired to the DPC 2.The CPP is hardwired to the K-Chief AC C20 and the rudder is controlled by the KM Navigation unit.The DP controller gives commands and receives feedback from these units via Net A and B.





8.4.7 Hidden Failures in the DPC-2 Controller

8.4.7.1 Due to the complexity of the software it is never possible to test all functions in all situations. There isalways a risk that a situation will arise that could cause both processors to give an undesirable output.The only protection against this is the many systems in use all running the same core software which hasbeen developed over many years and the tests and trials that are done.

8.4.7.2 The RMP and RSER units monitor the DIN-rails and give an alarm if power is missing from the rail. The

RHUB module does not monitor the power supply and it is conceivable that either a bad connection orincorrect seating of the unit could cause the RHUB to have only one supply. This is not alarmed ordetectable by the unit. Redundancy tests by failing one of the main DPC PSUs (PSU 1 or PSU 2) wouldreveal this fault. In mitigation, for this to be critical, both RHUBs would have to fail the same way (i.e. bothwith bad connection to the same rail) there will not initiate alarm however when the other DPC powersupply fail, it will lose contact between both RHUBs and the RCU502 controllers. Failure of RHUB will notexceed worst case design failure intent, and it reduces the fault tolerance.

8.4.8 Common Mode Failures Affecting the DPC-2 Controller

8.4.8.1 The RMP200-8 has eight multipurpose I/O channels, two of the channels are galvanically isolated tohandle individually configured analogue I/O. The other six channels have a common ground so there isthe potential for a common mode failure. This is not critical as a failure is no worse than loss of a

complete RMP module.

8.4.8.2 As all modules within the DPC-2 share the same dual power source, there is a common point within eachmodule where internal diodes connect to provide dual redundant power. For internal faults, currentlimiting circuits within the module prevent it from drawing excessively high currents or causing significantvoltage dips. These might affect both power supplies and thus the performance of other redundantmodules in the DPC-2. Although the DPC would recover, there would be no automatic DP control untilreboot was complete which would be a matter of several minutes.

8.4.8.3 The following information is taken from the K-Pos FMEA. ‘An internal short circuit between power andground (behind the internal diodes and before the internal current limiter) on a module PCB is consideredto be highly unlikely. In a system with two PSU’s such a fault will cause both A and B fuses for the shortcircuited module to blow, and both 24 VDC supplies may dip. Depending on fuse selectivity, this mayresult in complete reset of the DPC. All modules not connected to the blown fuses will return online. Thisfault is less likely than the above mentioned semiconductor fault, and is therefore not treated further. Formore details, refer to FMEA document for each module’.

8.4.9 Maloperation of the DPC-2 Controller

8.4.9.1 Maloperation of the DPC-2 is not expected as there is no operator input.

8.4.10 Configuration Errors of the DPC-2 That Could Defeat Redundancy

8.4.10.1 Configuration errors would only be evident in the event of a corrupt load install. As software is not beinginvestigated in this analysis, configuration errors resulting from software have not been investigatedfurther.

8.4.11 Worst Case Failure of the DP Controllers

8.4.11.1 The worst case prescribed for the DPC2 controllers is the loss of one RCU 502. In this case there will beaudible as well as text alarms on both of the operator station stating the loss of communication/networkfailure. There will be no loss in station keeping as there is redundancy for the RSER/RMP modules beingfed to both the controllers.





8.5 DP SYSTEM SENSORS – MRU – ANEMOMETER - GYROCOMPASS

8.5.1 References

Cable Layout Drawing, K-Pos DP 22 System:- 1180307 Rev E


Cable Layout Drawing, cJoy System:- 1180308 Rev C

Cable Layout Drawing, BlomPMS:- 1181712 Rev D

FMEA Document, K-Pos DP-21 and cJoy:- 1180321 Rev B

Kongsberg K-Pos DP-21 and cJoy Cable Information:- 1203503 Rev A

8.5.2 Description

8.5.2.1 157K Shuttle Tanker is fitted with a range of environmental sensors as required for DP 2 classification.There are sensors for heading, pitch roll heave and wind speed and direction. Heading is measured bygyro compasses, while pitch and roll are detected by motion reference units. Wind speed and direction ismeasured by an array of anemometers. Information on heading and vessel motions are used to correctposition reference information for GPS antenna orientation. Wind speed and direction (wind force) is used

as input to the DP systems’ mathematical model as a feed forward term to improve the DP controlsystems response to sudden increases or decreases in wind velocity or rapid changes in direction.

8.5.2.2 The following sensors are available to the main DPC-2 dual controller on the vessel:

3 x Gyro Compasses (C.Plath Navigat X Mk 1)

3 x Motion Reference Units ( 2 x MRU-D, 1 x MRU 5)

3 x Wind Sensors (3 x Gill Ultrasonic Sensors)

8.5.2.3 There is a sensor integrator (SINT) on board this vessel that has inputs from the three DP Gyros andwind sensor 1 (via serial splitter 1). The SINT has no effect on DP equipment and is primarily used fornavigation equipment. Failure on the SINT has no effect on the DP systems.

8.5.3 Gyro compasses

8.5.3.1 There are three gyro compasses to provide heading information; all three are C.Plath Navigat X Mk 1.Gyro 1, Gyro2 and Gyro 3 are located in the instrument room.

8.5.3.2 The C.Plath Navigat X Mk 1 unit can remain north stabilised during power interruptions of within threeminutes. A 2˚ deviation could be expected after a three minute failure. Once power is re -established thecompass will quickly find the correct heading. Latitude error is virtually eliminated due to the liquiddamping system used in the gimbals’ array.

8.5.3.3 Gyros 1, 2 and 3 are fed to the DP control system as well as the Blom PMS. Gyro 1 feeds the OMC 146IO box as well as the independent joystick.

8.5.3.4 Heading input is also required for the DARPS systems. The headings required from the DARPS systems

is not taken directly off the Gyros but from the DP system itself in order to ensure that the DARPSheading is the same heading utilised by the DP system.

8.5.3.5 Gyro 1 and Gyro 2 are also interfaced to the Gyro switchover unit. However, the telegram to the DP fromthese gyros are not from the switchover unit but rather, hardwired from the Gyros itself to the DPCcabinet. As such any failure with the switchover unit will have no effect on the DP system. Gyro No. 3 isnot connected to the switch over unit. As the Gyro switch over unit has no effect on the DP system, it isnot investigated further.

8.5.4 Power supplies and distribution

Table 8-4 Power supplies for Gyros

DP Sensors Main supplyGyro 1 DP UPS 1

Gyro 2 DP UPS 2





Gyro 3 DP UPS 2

8.5.4.1 All three gyro units feed the DPC-2 RSER cards using an NMEA 0183 sentence.

8.5.4.2 The gyro compasses are probably the most critical of the vessel reference sensors, failure of the vesselheading reference can cause the vessel to oscillate or lose heading and position control altogether withserious consequences if near other vessels/structures.

8.5.5 Motion Reference Units8.5.5.1 There are two Seatex MRU D (MRU No.2 and MRU No.3) motion reference units and one MRU 5 (MRU

No.1) motion reference unit. MRU X is located in the fire control station room on the accommodationupper deck, MRU X is located in the air conditioning room also on the accommodation upper deck. MRUX is located in the 1 to 3 are located in the room next to the Battery room on the accommodation D-Deck.

8.5.5.2 MRU-5 units provide high performance motion data with a high reliability achieved by using solid-statesensors with no moving parts and proven electrical and mechanical construction. The MRU5 measuresPitch and Roll with an accuracy of + 0.05˚ up to a pitch and roll angle of ±5˚. Pitch, Roll and heave data issent as analogue inputs (+/-10V) to the DPC-2.

8.5.5.3 MRU –D is similar to the MRU 5 but only outputs roll and pitch data to the DP control system at a reducedaccuracy of 0.35˚ for a ±5˚ amplitude on either axis.

8.5.6 Power supplies and distribution

Table 8-5 Power supplies for MRUs

DP Sensors Power supplyMRU 1 (MRU 5) DPC -2 cabinet PSU 1 (DP UPS 1)

MRU 2 (MRU D) DPC -2 cabinet PSU 2 (DP UPS 2)

MRU 3 (MRU D) DPC -2 cabinet PSU 1 (DP UPS 1)

8.5.6.1 The MRUs are fed from the DPC-2 power supplies which are supplied from DP UPS1 and DP UPS 2.

PSU 1 supplies MRU 1 and MRU 3, PSU 2 supplies MRU 2, please refer to table 8-5.8.5.6.2 Various reference systems such as DGPS use accurately measured angles relative to the hull for their

calculations.

8.5.6.3 There is no direct MRU input to DGPS, instead the MRU input to the DP Controller is used tocompensate the raw DGPS signals and correct it taking into consideration the angle of the hull, fore andaft, port and starboard, relative to the horizontal. The importance of the MRU signal increases as theweather worsens and the ships movements become more severe.

8.5.6.4 The Seatex MRUs are alarmed for pitch/roll difference and loss of power (MRU ready) and with a threesensor system, a defective or inaccurate MRU will be deselected from DP if there is a discrepancy. If thesystem has degraded to two MRUs and a difference of more than 2 ˚ is present, there will be an alarm fordifference and it will be up to the DPO to decide which MRU is correct and take appropriate action.

8.5.7 Wind sensors

8.5.7.1 There are three wind Gill Ultrasonic Wind Sensors installed on the 157K Shuttle Tanker. The windsensors should be distributed in areas where environmental and physical obstructions will not cause lossof all sensors. Wind Sensor 1 and 2 are mounted on the main mast and Wind Sensor 3 is mounted on theforward mast.

8.5.7.2 The Gill wind sensor used on the 157K Shuttle Tanker is an ultrasonic unit that uses four transducers tocalculate wind speed and direction by measuring the time taken for an ultrasonic pulse of sound to travelbetween these four transducers.





8.5.10 Failure modes of the DP sensors

8.5.10.1 Failure modes of the gyrocompasses

1. No heading information (Serial data)

2. Heading incorrect (frozen, unstable, offset, jump)

3. Serial link continuously active

4. Electrical fault on power supply

8.5.11 Failure modes of the motion reference units

1. No output for pitch, roll and/or heave (±10V)

2. Incorrect or unstable output for pitch, roll and/or heave

3. Combinations of the above


8.5.12 Failure modes of the wind sensors

1. Speed fails high/low

2. Speed incorrect (frozen, unstable)

3. Direction incorrect (frozen, unstable)

4. Combinations of the above


8.5.13 Failure effects of the DP sensors

8.5.13.1 Failure effects of the gyrocompasses: The gyro compasses inputs into the DP via the RSER200-4modules within the DPC-2. RSER modules have watchdogs installed which alarm for several input faultsincluding, empty packet – no data but power present, no input on terminals, multiple contiguous corrupttelegrams. Any one of these failures would indicate to the operator that the relevant sensor was faulty.

8.5.13.2 In the event of an incorrect heading, this would be detected by voters within the DP system and thesensor would be deselected.

8.5.13.3 A failure of a gyro compass will have no effect on position if all other systems are operating as required.

8.5.13.4 Failure effects of the motion reference units: All of the failures listed above will be alarmed at the DPsystem.

8.5.13.5 A failure of an MRU will have no effect on DP operations. However when down to two units in the event ofanother failure the DPO must be aware and select the correct unit for DP. DPO awareness is thereforeimportant.

8.5.13.6 Failure effects of the wind sensors: There is always the possibility of a false reading from a wind sensor.This should not be a serious problem to the DP as wind sensors are routinely deselected. Wind sensor

accuracy is often impaired when large structures such as cranes cause unpredictable wind eddy currentsand have a destabilising effect on the DP system. Good operational practices and awareness can, to alarge extent, negate this problem. Great care must be taken when there are only two wind sensors in use.

8.5.13.7 The wind sensor inputs into the DP via the RSER200-4 modules within the DPC-2. The protectivefunctions built into the RSER modules are discussed above. A corrupt/missing NMEA string would bedetected and the wind sensor deselected from DP.

8.5.14 Hidden failures of the DP sensors

8.5.14.1 There are no significant hidden failures of this system because the sensors are independent and anyfailure that causes a false reading will trigger DP alarms.

8.5.15 Common mode failures of the DP sensors

8.5.15.1 All three gyros are identical C.Plath Navigat X Mk 1units and may be subject to a common mode failure ofhardware or firmware.





8.5.15.2 All three MRUs are similar Seatex units and may be subject to a common mode failure of hardware orfirmware, however as these are industry standard units that have been in service for many years this isconsidered unlikely.

8.5.15.3 Correct positioning of the wind sensors helps prevent common mode failures caused by the environment.On the Shuttle Tanker sensors are located on the port and starboard sides at the RADAR mast. Lightningstrike on wind sensors are common mode failures, mitigated by the use of lightning protectors.

8.5.16 Maloperation of the DP sensors

8.5.16.1 Maloperation is not considered a high risk with automatic systems such as the equipment above.

8.5.17 DP Sensor configuration errors

8.5.17.1 Setting the latitude incorrectly on the gyro compasses.

8.5.17.2 Incorrect mounting angle offset on the MRUs.

8.5.17.3 Within sensor settings there are options in the Gyro setup dialog box and the MRU setup dialog box toconfigure the ‘Reject/Alarm’ limits. There may be changes in environmental conditions that require theDPO to change the default settings. It is important that procedures are in place to regulate any changesfrom the defaults and ensure they are communicated to all DP operators.

8.5.17.4 The default settings have been selected to ensure any excursion from the norm caused by a faulty sensorhas minimal effect on vessel heading or position. Changing these settings, for whatever reason, to allowa greater deviation between sensors, degrades the level of protection provided and may have a criticaleffect on vessel heading or position if another sensor fails.

8.5.17.5 Scaling of Wind Sensors: Where wind sensors are mounted at different heights scaling is necessary.Wind force experienced by the vessel at sea level may be different to that calculated using a reading froman anemometer high up on the vessel. Scaling is normally done to the standard 10 meter height, that is tosay that the DP system computes the model by using the wind speed at 10m. If anemometers are locatedabove or below this level, a correction must be applied to produce a wind speed signal which isequivalent to that produced by an anemometer mounted at 10m. If this scaling is not carried out,switching between wind sensors at different heights can produce vessel movement.

8.5.17.6 Wind sensor scaling should be checked after any software or parameter updates.

8.5.17.7 The purpose of the scaling is to correct for different sensor heights, it does not change the windcoefficient of the vessel. Wind is stronger with higher elevation, as shown in Figure 8-3 below. This graphshows how a wind sensor at 10m would register a wind speed of 10m/s but if it is located higher or lowerit will read differently.

8.5.17.8 The thrust produced by the model to hold position is directly related to the forces acting on the vesseltherefore any unknown forces will be presumed to be due to the current or the sea state. Using figuresfrom the Beaufort scale as an example, at the 10m reference if the wind speed was 5m/s for a requiredduration sea state would be described as moderate. An uncorrected or incorrect reading of 10m/s for asimilar duration would indicate a sea state of very rough, a difference which could have significant effecton the DP model if a change in heading was requested.





5 6 7 8 9 10 11 12 13 14 15

0

10

20

30

40

50

60

70

80

90

100

Wind Speed (m/s)

E l e v a t i o n A b o v e S e a L e v

e l ( m )

Variation of Wind Speed with Elevation Above Sea Level

Figure 8-3 Variation of wind Speed with elevation above sea level

8.5.18 Worst case failure of the DP sensors

The worst case failure will be loss of either one DP UPS which will cause the failure of the sensors that issupplied by it. However this will not have immediate effect to the DP system and operation but the DPsystem will be with reduced redundancy.

8.5.18.1 The DP UPS consumers are listed as follows:

I. DP UPS 1: MRU 1, MRU 3 ( both MRUs supplied via DP PSU 1), Wind 1, Wind 3 and Gyro 1II. DP UPS 2: MRU 2 ,wind 2, Gyro 2 and Gyro 3

8.6 DP POSITION REFERENCE SENSORS – DGPS, FANBEAM, AND ARTEMIS


Cable Layout Drawing, K-Pos DP 22 System: - 1180307 Rev E


Cable Layout Drawing, cJoy System: - 1180308 Rev C

Cable Layout Drawing, BlomPMS: - 1181712 Rev D

FMEA Document, K-Pos DP-21 and cJoy: - 1180321 Rev B

Kongsberg K-Pos DP-21 and cJoy Cable Information: - 1203503 Rev A

8.6.2 Description:

8.6.2.1 DNV requires at least three sources of position references of which two must use different measurementprinciples. This requirement is satisfied by the provision of satellite, laser system and microwave system.In the case of the DGPS systems, satellite data to receivers on the vessel translates to the position of thevessel with respect to the Earth’s surface. Range and bearing systems like the Fanbeam and Artemissystems, measure the position of a moving object relative to a fixed point.

8.6.2.2 On the 157K Shuttle Tanker, there are six sources of position information, two Differential, Absolute andRelative Positioning Systems (DARPS), one Fanbeam and one Artemis systems.





8.6.3.14 Gyro heading is fed to the both the DARPS systems from the DP and not from individual gyros so as toensure that both the DP system and the DARPS systems have the same heading data.

8.6.3.15 When DARPS data from the FPSO/buoy have been combined with the Shuttle Tanker data, relativepositions between the two vessels can be computed. See fig 8.4 below.

Loading

Point

Figure 8-4 Simplified calculation of relative DARPS data

8.6.3.16 As with any line of sight system it is important that the antenna are not masked from the satellite bysections of the vessel, particularly in the more northern latitudes where the line of sight is closer to thehorizon. All antennas for the DARPS 200 system are located on the main antenna mast above thewheelhouse. All antennas for the DARPS 132 are located on the mast on the bow. The DARPS 132receiver is located on the wheelhouse and the GPS and UHF antennas for this unit is located on the bowmast. Lightning protectors should be installed in the lines between the antennas and the DGPS racks.

8.6.3.17 It is possible to select which correction sources are used to compute the vessel’s position. To enhanceredundancy, it is normal practice to have DARPS 132 and DARPS 200 in different correction modes. Inaddition, the two DGPS should use different elevation masks whenever possible. This will force the twosystems to use different satellites. This helps eliminate common mode failures due to the use of the samesatellite stations.

8.6.3.18 On the K-POS Operator Station, there are two buttons related to each DARPS unit as a positionreference. One of the buttons is to enable the absolute position reference, DGPS and the other button isto enable the relative measurement of the DARPS unit as a position reference for the DP system. SerialNMEA position data is continuously transmitted (1Hz) to the K-POS DPC 2 via RSER200-4 to allowstation keeping.

8.6.3.19 The IALA correction signal to either DARPS unit is a free signal that is transmitted form base stations onland. This signal depends on an obstruction free path between the antenna and the base station in order

to be received by the DARPS systems.8.6.3.20 The Seastar Spotbeam / Inmarsat demodulators take the compressed signal from the correction stations,

decode it and send the RTCM data to the DGPS processor. The signal is a proprietary signal onlydecodable by Seastar software. From this data the DPO can determine which stations are strongest andpossibly nearest and select them as reference stations if he chooses to do so manually. The defaultrange for usable correction signal to the demodulators is 2000km.

8.6.3.21 Corrections from Inmarsat, Spotbeam, IALA are available and can be independently selected to either orboth systems. This gives a measure of redundancy.

8.6.3.22 In addition to the above correction signals to the DARPS units, as the DARPS 132 is of dual frequencytype, either the Spotbeam or Inmarsat demodulator will be able to supply ionospheric corrections as wellas XP corrections to the unit.





8.6.3.23 On the 157K Shuttle Tanker, the DARPS 132 outputs NMEA DGPS information to the K-POS DPC 2,OMC 146 (Wind 1 Logging Unit), Wing Display 1 and 4 and Blom PMS. Relative positioning data is onlyfed to the K-POS DPC 2.

8.6.3.24 The DARPS 200 outputs NMEA DGPS information to K-POS DPC 2, Wing Display 2, Wing Display 3 andto Blom PMS. Relative positioning is also only fed to the K-POS DPC 2.

8.6.3.25 Power Supplies: Power to the DARPS 200 is from UPS 2 and for DARPS 132 is from UPS 1. Both

systems can be connected to the DP system at the same time.

8.6.4 Fanbeam

8.6.4.1 The Fanbeam system is a laser based position reference system.

8.6.4.2 The fanbeam system consists of a laser-scanning unit mounted on a motorised yoke that can rotate 360ºat up to 50º per second. The Fanbeam’s laser unit can measure to a range of 1000m to within an accuracyof ±10 cm.

8.6.4.3 Pulses reflected from a retro-reflector are timed and multiplied by the speed of light to give distance. Theelectro-optical encoder is read at the time the reflected pulse is received to determine the bearing.

8.6.4.4 An autotilt mechanism incorporated into the yoke of the Fanbeam laser unit allows the laser scanning

head to be adjusted by ±15º vertically.8.6.4.5 The Fanbeam laser is located on the bow mast. The universal control unit (UCU) is located in the

wheelhouse.

8.6.4.6 Operation: The fanbeam laser, as the name suggests, uses a laser to detect and lock on to a reflective tripon a fixed platform. The control unit which is Universal Control Unit (UCU) then calculates the angle andrange of the reflective strip from the vessel and converts this information into a position reference that canbe used by DP.

8.6.4.7 Power Supplies: The Fanbeam laser unit and UCU is powered from UPS 2. The serial splitter thattransmits the Fanbeam data to DP is fed from No.2 Battery Charger and Discharger Board.

8.6.4.8 Serial NMEA position data is continuously transmitted to the K-POS 22 via RSER200-4 to allow station

keeping.8.6.5 Artemis

8.6.5.1 Artemis MK5 is installed on the 157K Shuttle Tanker. The Artemis MK5 is an accurate, microprocessorbased microwave position reference system of the range bearing type. It measures the absolute distanceand the relative angle between two Artemis stations, using microwaves in the frequency band 9200-9300MHz.

8.6.5.2 On the 157K Shuttle Tanker, the Artemis Mobile Station consists of:

1. An antenna unit, type: A5AU

2. An antenna, type: A5AN

3. An operating panel4. A windows based PC

8.6.5.3 The Mobile Station on board can be operated with a hand held operating panel which is connected to the Antenna unit to read or set specific system parameters. It can also be used to read the position data fromthe Antenna unit once the system is operational. The Mobile Station is connected to a PC to enter and/orchange settings and to read the position data and system parameters.

8.6.5.4 The total system consists of two stations; one configured as the Mobile Station, and one as a FixedStation. The Fixed Station of the Artemis Mk5 usually comprises of the same components of the MobileStation minus the PC. The Mobile Station can also measure the range and bearing to an Artemis Beacon.

8.6.5.5 The Fixed Station is always installed on a fixed (stationary) point, usually on a platform or rig.

8.6.5.6 The position of the 157K Shuttle Tanker is determined by the range and bearing of the vessel from theFixed Station or Artemis Beacon.





Figure 8-6 Principle of Artemis Beacon system

8.6.5.14 The distance between the Mobile Station on the vessel and the beacon is derived from the time elapse ofcoded interruptions in the microwave signals transmitted by the Mobile Station and the Beacon. Thebeacon system has a range of 10 to 2000m, depending on the type of beacon antenna fitted. There arethree different antenna types to suit specific application. Overall accuracy of the distance measurement is1 m.

8.6.5.15 Unlike the Fixed Station the Beacon does not provide the azimuth, but only the distance to the Mobile

Station. The azimuth is obtained by combining the relative mobile antenna bearing with the heading of thevessel as measured by her gyrocompass. To obtain a true relative mobile antenna bearing, the Mobileantenna must be aligned with the vessel’s centre line. The accuracy of the azimuth depends on theindividual accuracies of the relative mobile antenna bearing and the heading. An overall accuracy of 0.4°is possible.

8.6.5.16 The communication between the Artemis unit and the Windows based PC is through a RS422 serial lineconnection.

8.6.5.17 The PC outputs a BCD telegram to the kPos DPC 2.

8.6.5.18 On the 157K Shuttle Tanker the Mobile Station Antenna is mounted on the bow mast.

8.6.5.19 Power Supply: The Artemis MK 5 Antenna and Computer are supplied from DP UPS 1.

8.6.6 Failure modes of the position references

8.6.6.1 The position references can be considered to have the following significant failure modes.

1. No position information output

2. False position information output

3. Loss of Input Power or internal fault

4. Serial link continuously active





8.6.7 Failure effects of the position reference systems

8.6.7.1 General: The DGPS systems feed two serial input each into the DPC 2 on separate RSER modules.RSER modules have watchdogs installed which alarms for several input faults including, empty packet – no data but power present, no input on terminals and multiple contiguous corrupt telegrams. Any one ofthese failures would indicate to the operator that the relevant DGPS input was faulty.

8.6.7.2 No position information output: This would alarm loss of sensor, the vessel will be operating with a

minimum of 2 sensors. DPO would select another sensor as required. No effect on position as other PMEsensors will be selected.

8.6.7.3 False position information output/ blockage of line of sight: This would alarm as a discrepancy and loss ofone position reference that the vessel will be operating with a minimum of 2 sensors. The DPO wouldselect another sensor or make sure the position reference sensors are operate as required. No effect onposition as other PME sensors will be selected.

8.6.7.4 Loss of Input Power or internal fault: This would alarm a loss of sensor in DP system. The DPO wouldselect another sensor or make sure the position reference sensors are operate as required. No effect onposition as other PME sensors will be selected.

8.6.7.5 Serial link continuously active: This would alarm loss of sensor in DP system. The RSER would reject

inputs from that set of terminals. No effect on position as other PME sensors will be selected.8.6.8 Hidden failures of the position reference systems

8.6.8.1 There are no known hidden failures of the position reference system that would affect redundancy.

8.6.9 Configuration errors and maloperation of the position reference systems

8.6.9.1 General: Reference system problems and configuration errors are one of the most common causes ofloss of position. In addition to manufacturer’s r ecommended operating practice, there is a great deal ofindustry guidance on how to avoid such problems. Such information is available to DPOs and other usersfrom the IMCA website and similar sources.

8.6.9.2 As the DARPS system communicates with a secondary unit or DARPS Beacon on the station to bereferences off from, the offsets and loading point has to be defined very accurately on the DP system onboth the master and slave units.

8.6.9.3 On the Fanbeam, depending on the orientation of the laser unit, the Bow/Stern switch on the connectorboard must be set accordingly. This would be verified during the DP tuning or CAT.

8.6.9.4 The ‘variance’ setting on the Reference Systems Settings mimic is a new concept. The DPO must ensurehe is aware of the consequences of setting different values. This will impact on the ‘Status’ and‘Weighting’ of the PME in use.

8.6.10 Common mode failure associated with position reference systems

8.6.10.1 DGPS/DARPS:

1. Lightning strike to DGPS antennae.

2. Ionospheric scintillation can render satellite based systems unusable. This is somewhat mitigatedby the use of dual frequency GPS.

3. Severe weather conditions such as tropical rain storms or line of sight communication blockagebetween UHF/TDMA antenna.

4. Jump in satellite derived position due to constellation change, etc.

8.6.10.2 Fanbeam:

1. Lightning strike to Fanbeam Laser Unit.

2. Fanbeam laser unit tracking onto other reflective sources.

3. Severe weather conditions or line of sight communication blockage between Laser Unit and

reflective tube/prism or dirty optical window on Laser Unit.

8.6.10.3 Artemis:





1. Lightning strike to Artemis Antenna.

2. Line of sight communication blockage between Mobile Station and Fixed Antenna/Beacon.

8.6.10.4 As can be seen above, changing environmental factors can have an effect on the accuracy of the PME.The DP software has a ‘variance’ setting on the Reference System Settings mimic where the DPO canset a value (1-5) for each reference source. This variance setting combined with quality of signal for thereference source provides a ‘weighting’ for each PME. Thereby ensuring the DP model is computed using

the most accurate information available.

8.6.11 Worst case failure of the position reference systems

8.6.11.1 Loss of either UPS 1 or UPS 2 will cause the loss of one DGPS/DARPS and one Fanbeam or oneDGPS/DARPS and one Artemis, this is mitigated by the fact that there are 6 PME outputs when DNVrules only require three, so following failure of UPS 1 or UPS 2, two sensors remain using differentmeasuring principles.

8.7 CJOY INDEPENDENT JOYSTICK SYSTEM

8.7.1 References

S7001DP Cable Layout

1180308 Rev C cJoy System Cable layout

8.7.2 Description

8.7.2.1 The independent joystick system (IJS) is the Kongsberg cJoy system controlled by a cC-1 compactcontroller equipped with single RCU502 processor. It is located in the instrument room. The cC-1 can beused as a manual joystick and in auto heading mode but has no DP capability. The IJS takes headinginformation from Gyros 1 and wind information from Wind sensor 1. There is no input of pitch or roll. Asingle 230V power supply is provided from the Ship’s supply.

8.7.3 Operation

8.7.3.1 The cC-1 controller utilises 6 galvanically isolated analogue modules to control the 6 thrusters and the

steering gear for command, feedback and system ready.8.7.3.2 A cJoy Operator terminal serves as the main operator interface for the cJoy Compact Joystick system.

There is one installed at the forward bridge. Power for these units is supplied from the cC-1 via cJoy junction boxes. Communication with the cC-1 via the Ethernet network.

8.7.3.3 As with the DPC-2 the cC-1 RCU502 requires a download of configuration files to become active, in thiscase a cJoy Operator Terminal. The download is carried out across the dedicated Ethernet network. Theoperator terminal will act as a boot server for the controller.

8.7.3.4 The cJoy operator terminal is basically a PC104+ embedded µPC running Microsoft Windows XPembedded operating system with the KM application on top. User interfaces include:

1. 3 axis joystick.

2. Heading wheel.3. 6.5 inch colour display.

4. Heading alarms and buzzers.

8.7.4 Failure modes of the IJS

8.7.4.1 For the purposes of this FMEA the significant failure modes of the independent joystick are taken to be:-

1. Failure of the cC-1 controller

2. Failure of a cJoy OT

3. Failure of an RIO module

4. Faulty network





8.7.5 Failure effects of the IJS

8.7.5.1 Failure of the cC-1 controller: Whether due to a processor fault or a total power failure will stop the IJSsystem from operating.

8.7.5.2 Failure of a cJoy OT: The vessel hardware list shows that only one OT is available, therefore failure of theOT will prevent operation of the IJS.

8.7.5.3 Failure of an RIO module: Failure of an RMP module will cause loss of control to one thruster. Failure ofan RSER module will cause the loss of sensors inputs. Without a heading or wind input the IJS isinoperative. Failure of the RBUS network will also stop the IJS operating as the RMP modules cannot beaddressed.

8.7.5.4 Faulty network: A faulty cable or network node between the cC-1 and the junction box will failcommunication between the operator terminal and the controller rendering the OT inoperable.

8.7.6 Hidden failures of the IJS

8.7.6.1 The IJS system is not monitored/alarmed whilst it is not selected so a cC-1 fault, a cJoy terminal fault or anetwork fault will not be detected until the system is required for use.

8.7.7 Maloperation of the IJS

8.7.7.1 Not expected to be an issue.

8.7.8 Common mode failure of the IJS

8.7.8.1 See common mode failure of the DPC-2 system, section 8.4.8.

8.7.9 Worst case failure of the IJS

8.7.9.1 No IJS failure should affect operations in DP mode but several events could fail the whole of the IJS as itis not redundant, apart from that, as each thruster receives a separate discrete analogue signal worstcase failure would be loss of control to a single thruster.

8.8 BLOM PMS

8.8.1 Reference

8.8.1.1 05000848 Rev F – BLOM PMS / BLOM RPMS Installation manual

1181712 Cable Layout- Blom Logger Rev D

8.8.2 Description

8.8.2.1 Blom PMS (Blom Position Monitoring System) is a real time data acquisition, calculation, logging anddisplay system designed to monitor vessel position during offshore oil loading. The system interfaces allnavigational sensors:- Artemis, Fanbeam, DGPS, Gyros, Wind sensors, MRUs and the DP system.

8.8.2.2 The BLOM PMS comprises TFT / LCD Monitor, Interface box, Controller, Telemetry, Alarm / Buzzer,Trackball.

8.8.2.3 Data is fed into the computer through the interface box. Data is read by the controller and processed. Theoperator may control it using the trackball device. Results and activities are presented on the monitor andon certain conditions, alarms will be given.

8.8.3 Operation

8.8.3.1 BLOM PMS calculates position and quality of the various navigation systems and displays the results ona user configurable display screen by means of various information panels. The system integrates allavailable positioning information and computes the best combined position for all connected systems.

8.8.3.2 The telemetry system is used for data transmission between two vessels operating in tandem positions(One behind the other). For BLOM PMS, the free sector should be 180º centred on the bow direction. It isrecommended to place the telemetry on the bridge roof or the main mast. It is not advisable to place thetelemetry within 2 meters of other antennas and pay attention to the RF exposure. Commissioning of the

BLOM system was not complete during the vessel’s proving trials.





8.8.4 Failure modes of the BLOM

8.8.4.1 For the purposes of this FMEA the significant failure modes of the BLOM PMS are taken to be:-

1. Failure of the BLOM PMS Controller

2. Failure of the BLOM PMS Interface Box

3. False data send to BLOM PMS

4. Faulty network

8.8.5 Failure effects of the BLOM PMS

8.8.5.1 Failure of the BLOM PMS Controller: A processor fault or a total power failure will stop the BLOM PMSsystem from operating.

8.8.5.2 Failure of the BLOM Interface Box: The BLOM PMS system will not have any position reference systeminput to process.

8.8.5.3 False data sent to BLOM PMS: The system will calculate different position and display wronginformation. There will be no effect to the DP system

8.8.5.4 Faulty network: There will be no network communication between the BLOM system and the DP system.

The network is connected to net A via K-POS OS 1. This will not affect DP system.

8.8.6 Hidden failures of the BLOM PMS

8.8.6.1 There are no known hidden failures for the BLOM PMS which could affect redundancy.

8.8.7 Maloperation of the BLOM PMS

8.8.7.1 BLOM PMS is a real time data acquisition, calculation, logging and display system designed to monitorvessel position during offshore oil loading. This system is purely for monitoring purposes and thereforeany fault that leads to maloperation has no effect on the DP system and DP operation.

8.8.8 Common mode failure of the BLOM PMS

8.8.8.1 BLOM PMS does not have any redundancy as the system is purely a position monitoring system.

Therefore failure of BLOM PMS will have no effect to DP system.

8.8.8.2 When connecting external memory drives to the BLOM PC, care has to be taken to ensure that noviruses are introduced to the system as this may potentially affect the rest of the DP systems as theBLOM computer is connected to the DP network via net A through the K-POS OS1.

8.8.9 Worst case failure of the BLOM PMS

8.8.9.1 Failure of BLOM PMS will lead no effect to DP system.

8.9 DP UNINTERRUPTIBLE POWER SUPPLIES

8.9.1 Drawing Reference

1180307 Rev.E – Cable Layout

8.9.2 Description

8.9.2.1 To comply with the redundancy requirements of class, the vessel essentially utilizes two DP UPS,designated UPS 1 and UPS 2. Each UPS is powered by a 220V 1Ø 60Hz supply. The main supply forUPS 1 is from LV 220V MFP No.1, and the main supply for UPS 2 is from LV 220V MFP No.2. Each UPSdistributes 230V single phase regulated AC supply to the related consumers.

8.9.2.2 All the UPS are identical Powerware single 1Ø 3KVA units. These are tower units with a built inmaintenance bypass switch. The battery bank and breaker panel for each UPS is also housed in the UPScabinet.





8.9.2.3 Operation: The Powerware UPS is an on-line UPS supplying continuous, clean, single-phase power tothe DP system and critical equipment required to maintain station. While feeding the load it alsomaintains the charge in the battery pack. If the input supply should fail the UPS will continue to supplyclean power to the load without interruption. Class requirements state the UPS must supply critical DPequipment for a minimum of 30 minutes following a power interruption.

8.9.2.4 Each UPS consists of the following:

1. Input Filter

2. AC to DC converter

3. Battery system

4. DC to AC inverter

5. Maintenance Bypass switch (S2)

6. Output filter

7. Controller

8. ESD Trip Switch (K2)

8.9.2.5 The switched AC to DC converter allows the charging of the battery backup supply & supply of normalpower. The static inverter changes the DC supply into regulated AC output power. The static bypassswitch provides an alternative route for the input power to reach the consumers if the converters fail. Thebattery system uses a DC to DC converter to control charge and discharge, and convert the batteryvoltage to the DC bus voltage.

8.9.2.6 Control and monitoring of the UPS is achieved by a digital signal processor that commands theconverters/inverter switches and monitors voltage control. It can quickly detect main supply powerproblems and shut down the AC to DC converter to prevent potential issues. The keypad on the front ofthe UPS in conjunction with the controller software can be used as a diagnostic aid. For example it canbe utilised to test battery fitness every 30 days. With the relevant alarms if required.

Table 8-7 DP UPS Distribution

UPS

1 2 Location

DPC-2 X X Instrument room

cJoy (cC-1) Instrument room

K-Pos OS1 X Bridge

K-Pos OS2 X Bridge

Gyro 1 X Instrument room



Wind 1 X Bridge overhead panel



DARPS 200 Cabinet X Bridge

DARPS 200 monitor X Bridge

DARPS 132 Cabinet X Bridge

DARPS 132RemoteCabinet

X Forward Bow Mast





8.9.3 Failure modes of the DP UPSs

8.9.3.1 The following failure modes have been analysed for this report:

1. DC supply low.

2. Inverter output low.

3. Inverter output high.

4. Bypass.

5. Battery faults.

8.9.4 Failure Effects of the DP UPSs

8.9.4.1 The Control and monitoring circuits of the UPS will detect the failures above and alert the DPO via the DPalarms. As would be expected the UPS(s) feed multiple consumers and total loss of a UPS would be asignificant failure. The table in the narrative above indicate consumers which would be affected followingloss of the relevant UPS.

8.9.5 Hidden Failures of the DP UPSs

8.9.5.1 UPS hidden failures are guarded against by having a UPS ‘common alarm’ to the DP system. This alarmshould be set to alarm for main supply failure, UPS in bypass and battery low. It is important to resolveany issues with the UPS as any further failures are not alarmed until the original ‘common alarm’ iscleared.

8.9.6 Maloperation of the DP UPSs

8.9.6.1 If a UPS is left in ‘manual bypass’ for extended times this could have a detrimental effect on consumersas raw supply is provided, this is not recommended when supplying sensitive electronic equipment.

8.9.7 Worst Case Failure of the DP UPSs

8.9.7.1 The worst case failure will be internal parts failure of the UPS 1 or UPS 2. Loss of either UPS 1 or UPS 2will cause the loss of one DGPS and one Fanbeam or one DGPS and one Artemis, this is mitigated by thefact that there are 4 PME sensors when DNV rules only require three, so following failure of UPS 1 or UPS

2, two systems remain using different measuring principles.

8.10 DP COMMUNICATIONS

8.10.1 Description

8.10.1.1 The DP communication systems allow verbal communication between the Bridge, DP room and the otherlocations. Communications from and to the wheelhouse on the 157K Shuttle Tanker includes:

1. PA/GA with Talkback System

2. Sound Powered Telephone Systems

3. Automatic Telephone Exchange

4. UHF Radio System

5. VHF

DARPS 132 Monitor X Bridge

Fanbeam UCU X Bridge

Fanbeam Laser J/B X Forward Mast

Artemis Antenna X Forward Mast

Artemis Computer X Bridge

Alarm Printer X Bridge

OMC 146 Display X CCR

BLOM X Bridge





8.10.1.2 Redundancy/Commonality: There are several different methods of voice communication available ateach location. The systems are independent in method with minimal crossover of power supplies.

8.10.2 Failure modes of the communications systems

8.10.2.1 The design of the voice communication system has been analysed by examining the relevant systemcomponents, considering the failure modes of each component and determining the effect of that failureon the ability to communicate with important spaces during the proving trials.

8.10.2.2 The failure causes considered included supply faults and component failures. The ability to use the auto-telephone and the sound powered telephones on the bridge to contact thruster spaces, and ECR will betested during the proving trials.

8.10.3 Hidden failures of the communications systems

8.10.3.1 Most of these systems will be tested by being used regularly. Less popular systems such as the talkbacksystem must be regularly tested to assure operation and battery backup.

8.10.4 Maloperation of the communications systems

8.10.4.1 It is not expected that maloperation of these systems could affect position keeping.

8.10.5 Worst case failure of the communications systems

8.10.5.1 No single failure should lead to total loss of communication but one system may be affected at a time.





9 EMERGENCY SHUTDOWN (ES) SYSTEM

9.1 ES SYSTEM

9.1.1 Reference

S7001-Power Diagram

Local Group Starter9.1.2 Description

9.1.2.1 The ES system is used to provide a safe and rapid shutdown of systems and equipment. The ES systemprocesses input signals from manual push button.

9.1.2.2 The Emergency stop boxes are located at the following locations below.

ES 1A ES 1B ES 2A ES 2B ES 3 ES 4

FCS

E/R Entrance(Crew changingroom)

E/R Entrance(Officer changingroom)

Galley Entrance

9.1.2.3 The ES system divided into 6 groups which are the ES 1A, ES 1B, ES 2A, ES 2B, ES3, and ES4. The

ES is wired in series in each group.

9.1.2.4 The emergency stops are grouped based on the two way split design for MSB1 and MSB2. Operation ofES1A will stop G/Es 1/2 and M/E from running. Operation of ES1B will stop G/Es 3 and 4 from running.

9.1.2.5 The emergency stop consumers are listed in table 9-1:-

Table 9-1 ES System

ES1-A ES1-B

No.1 Main L.O Pump SV FOR NO.2 G/E M.D.O FLUSHING PUMP

No.1 Stern Tube L.O Pump NO.2 AUX. BLOWER

No.1 M/E F.O Circ Pump NO.2 I.G BLOWER FAN

No.1 M/E F.O Supply Pump NO.2 ECR PACKAGE AIR CONDITIONING UNIT

NO.1/2 G/E DO SUPP PUMPNO.2 SWBD ROOM PACKAGE AIR CONDITIONINGUNIT

NO.2 & 3 E/R FAN REMOTE V/V HYD. POWER UNIT

NO.1 AUX. BLOWER NO.2 M/E HYD. START−UP PUMP

NO.1 I.G BLOWER FAN CYL. LUB. OIL HEATING UNIT

NO.1 ECR PACKAGE AIR CONDITIONING UNIT NO.4 THRUSTER HPP STARTER CABINET (A7)NO.1 SWBD ROOM PACKAGE AIR CONDITIONINGUNIT

NO.4 THRUSTER HPP STARTER CABINET (A8)





NO.1 M/E HYD. START−UP PUMP NO.4 THRUSTER CIRC. PUMP STARTER CABINET(A9)

NO.1 BOILER POWER PANEL NO.4 G/E L.O PRIM. PUMP

ODME SAMPLING PUMP NO.2 BOILER POWER PANEL

NO.1 AIR CONDITIONING PLANT COMPRESSOR NO.2 AIR CONDITIONING PLANT COMPRESSOR

ODME SAMPLING PUMP NO.2 MAIN L.O PUMP

NO.1 AIR CONDITIONING PLANT COMPRESSOR NO.2 STERN TUBE L.O PUMP

INCINERATOR NO.2 M/E F.O CIRC. PUMP

W.O TANK CONT. PANEL NO.2 M/E F.O SUP. PUMP

SV FOR NO.1 G/E M.D.O FLUSHING PUMP NO.3/4 G/E D.O SUP. PUMP

NO.1 E/R VENT. FAN(REVERIBLE) NO.4 E/R VENT. FAN(NON−REVERIBLE)

EM’CY CPP. HYD. PUMP STARTER M.D.O TRANS. PUMP

EM’CY CPP. HYD. FILTER STARTER H.F.O TRANS. PUMP

NO.1 COPT PRIM. L.O PUMP OILY WATER SEPARATOR CONTROL PANEL

DRAIN TRANS. PUMP NO.2 COPT PRIM. L.O PUMP

PROV. REF. FAN SOOT BLOWER CONT. PANEL

L.O TRANS. PUMP NO.4 THRUSTER OIL FILTRATION PUMP

NO.5 THRUSTER HPP STARTER CAB. SERVOPUMP 1(A7)

NO.2/3 CPP. HYD. PUMP STARTER

NO.5 THRUSTER HPP STARTER CAB. SERVOPUMP 2(A8)

NO.2 H.F.O PURIFIER

NO.5 THRUSTER OIL FILTRATION PUMP NO.2 H.F.O PURI. SUP. PUMP

BILGE CIRC. PUMP NO.2 MAIN L.O PURIFIER

OILY BILGE PUMP NO.2 MAIN L.O PURI. SUP. PUMP

SLUDGE PUMP NO.2 G/E L.O PURIFIER

WELDING SPACE EXH. FAN NO.2 G/E L.O PURI.SUP. PUMP

NO.1/3 CPP. HYD. PUMP STARTER M/E M.G.O CHILLER UNIT

NO.1/2/3 G/E L.O PRIM. PUMP NO.2 G/E D.O AUTO FILTER

HYD. OIL AUTO FILTER CONT. PANEL

M/E L.O AUTO FILTER

M/E F.O AUTO FILTER

No.1 H.F.O Purifier

NO.1 H.F.O PURI. SUP. PUMP

NO.1 MAIN L.O PURIFIER

NO.1 MAIN L.O PURI. SUP. PUMP

NO.1 G/E L.O PURIFIERNO.1 G/E L.O PURI.SUP. PUMP





PURI. ROOM EXH. FAN

HIGH EXP. FOAM PANEL

NO.1 G/E D.O AUTO FILTER

CALORIFIER

ES2A ES2B

NO.1/2/3/4 DUCT HEATER ACCOM. AC220V SUB DIST. BOARD

NO.1/2/3/4 W/H WINDOW DEFROSTING FAN NO.5/6/7/8 DUCT HEATER

STEERING GEAR ROOM FAN NO.5/6/7/8 W/H WINDOW DEFROSTING FAN

FOAM ROOM EXH. FAN SANITARY & LAUNDRY SPACE EXH. FAN

PAINT STORE EXH. FAN GALLEY PACKAGE AIR CONDITIONING UNIT

CHEMICAL STORE EXH. FAN NO.2 W/H PACKAGE AIR CONDITIONING UNIT

AIR HANDLING UNIT (1) GALLEY EXH. FAN

NO.1 W/H PACKAGE AIR CONDITIONING UNIT GALLEY SUP. FAN

PROV. REF. PLANT FAN CONTROL PANEL

AIR HANDLING UNIT (2)

ES3 ES4

G−2 PANEL ACCOM. AC220V SECTION BOARD (NO.2 SECTION)

GALLEY PACKAGE AIR CONDITIONING UNIT NO.3 THRUSTER OIL FILTRATION PUMP

GALLEY EXH. FAN BOW THRUSTER ROOM SUP. FAN

GALLEY SUP. FAN WATCHMAN CABIN SUP. FAN

BOSUN STORE SUP. FAN

NO.2 THRUSTER OIL FILTRATION PUMP

NO.1 PUMP ROOM EXH. FAN (STBD)

NO.2 PUMP ROOM EXH. FAN (PORT)

9.1.2.6 The system is split to match the redundancy concept. Such an arrangement in the ES system mightcause the failure of half the systems pumps and fans which may equal the WCFDI.

9.1.2.7 The system is designed with the circuits normally closed. Activation of the emergency stop push button,opens the circuit and causes that consumers in that group to stop.

9.1.2.8 Failure modes of the ES System and Fire Detection System

1. Short Circuit of the ES circuit

2. Open Circuit of the ES circuit

9.1.3 Failure effects of the ES System

9.1.3.1 Short circuit of the ES circuit:- Once there is short circuit in one group of the ES system, there will be noeffect on the equipment as the contact used in pushbuttons are NC contacts. There are no alarmsprovided in the ICMS for detecting the short circuit on ES pushbuttons and this will fail the functioning ofES pushbuttons. To mitigate this problem it is advised to test the functions of these pushbuttons

periodically





9.1.3.2 Open circuit of the ES circuit:- Once there is open circuit in one group of the ES system, it will stop themachinery in that particular group. Alarm will be initiated in the ICMS system. The system is being split tomatch the redundancy concept. Such an arrangement in the ES system might cause the failure of half thesystems which may not exceed WCFDI .

9.1.4 Hidden failures of the ES System

9.1.4.1 No hidden failures identified.

9.1.5 Maloperation of the ES System

9.1.5.1 Maloperation is guarded against by fitting protective coverings on all ES buttons.

9.1.6 ES System configuration errors that could defeat redundancy

9.1.6.1 There is no configuration that will defeat redundancy.

9.1.7 Common mode failure associated with the ES System

9.1.7.1 There is no common mode failure that associates with the ES system.

9.1.8 Worst case failure of the ES System

9.1.8.1 The system is being split to match the redundancy concept. Such an arrangement in the ES system might

cause half of the pumps of generators and main engine fail. This will not affect the engines and DPoperation as there are standby pumps take over the duty.




10 CONCLUSIONS AND RECOMMENDATIONS

10.1 CONCLUSIONS

10.1.1 Worst Case Failure Design Intent:

10.1.1.1 The vessel’s worst case failure design intent can be summarised as:-

No single failure (as defined for Dynpos AUTR) will lead to a failure effect exceeding:o Failure of up to two generators due to fuel contamination.o One common 6.6kV bus – ‘ MV 6.6 MSB No.1o Three thrusters – ‘one bow tunnel thruster (T1), one stern tunnel thruster (T5) and one CPP (T6)

10.1.2 Worst Case Failure

10.1.2.1 No single failure as defined for DP Equipment Class 2 has been identified that has an effect exceedingthe Worst Case Failure Design Intent.

10.1.3 Compliance

10.1.3.1 On the basis of the desktop analysis, the design of the DP system is considered to comply with therequirements of IMO DP Equipment Class 2 and Dynpos AUTR.

10.1.4 Conclusion

10.1.4.1 No single failure as defined for DP Equipment Class 2 has been identified that has an effect exceedingthe Worst Case Failure Design Intent. Therefore, provided the vessel is operated within its post failureenvironmental envelope, position and heading should be maintained following the worst case failure. For

05 m07 3166 rep 001 rev o shuttle tanker fmea

Documents