DNV Ru Ship Pt.4 Ch.9

This copy of the document is intended for use by Bartosz Kurecki only. Downloaded 2022-01-14.
No further distribution shall be made.

RULES FOR CLASSIFICATION
Ships
Edition July 2021
Part 4 Systems and components
Chapter 9 Control and monitoring systems
The content of this service document is the subject of intellectual property rights reserved by DNV AS (“DNV”). The user
accepts that it is prohibited by anyone else but DNV and/or its licensees to offer and/or perform classification, certification
and/or verification services, including the issuance of certificates and/or declarations of conformity, wholly or partly, on the
basis of and/or pursuant to this document whether free of charge or chargeable, without DNV’s prior written consent. DNV
is not responsible for the consequences arising from any use of this document by others.
The PDF electronic version of this document available at the DNV website dnv.com is the official version. If there
are any inconsistencies between the PDF version and any other available version, the PDF version shall prevail.
DNV AS
This copy of the document is intended for use by Bartosz Kurecki only. Downloaded 2022-01-14. No further distribution shall be made.
FOREWORD
DNV rules for classification contain procedural and technical requirements related to obtaining and
retaining a class certificate. The rules represent all requirements adopted by the Society as basis
for classification.
© DNV AS July 2021
Any comments may be sent by e-mail to [email protected]
This service document has been prepared based on available knowledge, technology and/or information at the time of issuance of this
document. The use of this document by other parties than DNV is at the user's sole risk. Unless otherwise stated in an applicable contract,
or following from mandatory law, the liability of DNV AS, its parent companies and subsidiaries as well as their officers, directors and
employees (“DNV”) for proved loss or damage arising from or in connection with any act or omission of DNV, whether in contract or in tort
(including negligence), shall be limited to direct losses and under any circumstance be limited to 300,000 USD.
CHANGES – CURRENT
Part 4 Chapter 9 Changes - current
This document supersedes the July 2020 edition of DNVGL-RU-SHIP Pt.4 Ch.9.
The numbering and/or title of items containing changes is highlighted in red.
Changes July 2021, entering into force 1 January 2022
Topic Reference Description
Integrated control systems - Sec.2 [1.3.2] When emergency stop for an electrical consumer is required

safety functions and the function is implemented in an integrated control
system, it shall be arranged according to the requirements of
the electrical rules. A new guidance note is included giving the
reference.
Command and alarm Sec.2 [1.4.4] When command privileges are implemented in a management

acknowledge privileges in system, the command transfer function shall be according
management systems to the general principles of the rules. A new requirement is
included.
Manual activation of safety Sec.3 [1.3.3] The general principles of command transfer do not apply to

function manual activation of safety actions. A new guidance note is
included.
Transfer of command from Sec.3 [1.3.6] When command privileges are transferred between remote

local to remote position positions or from local to remote position, there shall be
means in place to prevent significant change of command. The
wording in the paragraph has been changed to clarify that the
requirement also applies when transferring from local position.
Electromagnetic compatibility Sec.5 Table 4 Amended frequency range and specification of limits.
Rebranding to DNV All This document has been revised due to the rebranding of DNV

GL to DNV. The following have been updated: the company
name, material and certificate designations, and references to
other documents in the DNV portfolio. Some of the documents
referred to may not yet have been rebranded. If so, please see
the relevant DNV GL document.
Editorial corrections
In addition to the above stated changes, editorial corrections may have been made.
Rules for classification: Ships — DNV-RU-SHIP Pt.4 Ch.9. Edition July 2021 Page 3
Control and monitoring systems
DNV AS
CONTENTS
Part 4 Chapter 9 Contents
Changes – current.................................................................................................. 3
Section 1 General requirements..............................................................................7

1 Classification........................................................................................7
1.1 Rule applications.............................................................................. 7
1.2 Classification principles......................................................................7
1.3 Type approval.................................................................................. 8
1.4 Product certification.......................................................................... 8
1.5 Software and hardware change handling............................................. 9
1.6 Assumptions................................................................................... 11
2 Definitions..........................................................................................11
2.1 General terms................................................................................ 11
2.2 Terms related to computer based system...........................................14
3 Documentation...................................................................................14
3.1 General..........................................................................................14
4 Certification and onboard test........................................................... 17
4.1 General..........................................................................................17
4.2 Verification of software development................................................. 18
4.3 Certification test............................................................................. 18
4.4 Onboard test.................................................................................. 19
Section 2 Design principles................................................................................... 20

1 System configuration......................................................................... 20
1.1 General..........................................................................................20
1.2 Field instrumentation.......................................................................20
1.3 Integrated control systems.............................................................. 20
1.4 Management systems...................................................................... 21
2 Response to failures.......................................................................... 21
2.1 Failure detection............................................................................. 21
2.2 System response............................................................................ 22
Section 3 System design....................................................................................... 23

1 System elements............................................................................... 23
1.1 General..........................................................................................23
1.2 Automatic control............................................................................23
1.3 Remote control............................................................................... 24
1.4 Protective safety system..................................................................24
DNV AS
1.5 Alarms...........................................................................................25
1.6 Indication.......................................................................................27
1.7 Planning and reporting.................................................................... 27
1.8 Calculation, simulation and decision support.......................................28
2 General requirements........................................................................ 28
2.1 System operation and maintenance...................................................28
2.2 Power supply requirements for control, monitoring and safety
systems.............................................................................................. 28
Section 4 Additional requirements for computer based systems........................... 30
1 General requirements........................................................................ 30
1.1 Assignment of responsibility for the integration of control systems.........30
1.2 Back-up means of operation............................................................ 30
1.3 Computer design principles.............................................................. 30
1.4 Storage devices.............................................................................. 30
1.5 Computer usage............................................................................. 31
1.6 System response and capacity......................................................... 31
1.7 Temperature control........................................................................ 31
1.8 System maintenance....................................................................... 31
1.9 System access................................................................................32
2 System software................................................................................ 32
2.1 Software requirements.................................................................... 32
2.2 Software development..................................................................... 33
3 Control system networks and data communication links................... 34
3.1 General..........................................................................................34
3.2 Network analysis............................................................................ 36
3.3 Network test and verification............................................................36
3.4 Network documentation requirements............................................... 37
3.5 Wireless communication.................................................................. 37
3.6 Documentation of wireless communication......................................... 38
Section 5 Component design and installation....................................................... 39
1 General.............................................................................................. 39
1.1 Environmental strains...................................................................... 39
1.2 Materials........................................................................................ 39
1.3 Component design and installation....................................................39
1.4 Maintenance, checking.....................................................................40
1.5 Marking......................................................................................... 40
1.6 Standardising................................................................................. 40
2 Environmental conditions, instrumentation....................................... 40
DNV AS
2.1 General..........................................................................................40
2.2 Electric power supply...................................................................... 41
2.3 Pneumatic and hydraulic power supply.............................................. 42
2.4 Temperature................................................................................... 42
2.5 Humidity........................................................................................ 42
2.6 Salt contamination.......................................................................... 42
2.7 Oil contamination............................................................................42
2.8 Vibrations.......................................................................................42
2.9 Inclination...................................................................................... 43
2.10 Electromagnetic compatibility......................................................... 43
2.11 Miscellaneous................................................................................45
3 Electrical and electronic equipment................................................... 46
3.1 General..........................................................................................46
3.2 Mechanical design, installation..........................................................46
3.3 Protection provided by enclosure...................................................... 46
3.4 Cables and wires............................................................................ 46
3.5 Cable installation............................................................................ 47
3.6 Power supply..................................................................................47
3.7 Fibre optic equipment......................................................................47
Section 6 User interface........................................................................................49

1 General.............................................................................................. 49
1.1 Introduction................................................................................... 49
2 Workstation design and arrangement................................................49
2.1 Location of visual display units (VDUs) and user input devices (UIDs).....49
3 User input device and visual display unit design............................... 50
3.1 User input devices.......................................................................... 50
3.2 Visual display units......................................................................... 51
3.3 Colours.......................................................................................... 51
3.4 Requirements for preservation of night vision (UIDs and VDUs for
installation on the navigating bridge)......................................................51
4 Screen based systems....................................................................... 52
4.1 General..........................................................................................52
4.2 Computer dialogue..........................................................................52
4.3 Application screen views.................................................................. 53
Changes – historic................................................................................................ 54
DNV AS
SECTION 1 GENERAL REQUIREMENTS
Part 4 Chapter 9 Section 1
1 Classification
1.1 Rule applications
1.1.1 The requirements of this chapter apply to all control, monitoring and safety systems required by the
rules.
Guidance note:
Additional requirements for specific applications may be given under rules governing those applications.
---e-n-d---o-f---g-u-i-d-a-n-c-e---n-o-t-e---
1.1.2 All control, monitoring and safety systems installed, but not necessarily required by the rules, that may
have an impact on the safety of main functions (see Pt.1 Ch.1 Sec.1 [1.2]), shall meet the requirements of
this chapter.
1.2 Classification principles
1.2.1 Control, monitoring and safety systems belong to three different system categories as shown in Table 1
in accordance with the possible consequence a failure may inflict on the vessels manoeuverability in regard to
propulsion and steering, see Ch.8 Sec.13.
Table 1 System categories
Service Effects upon failure System functionality
Failure of which will not lead to dangerous
— Monitoring function for informational/
Non-important situations for human safety, safety of the
administrative tasks
vessel and/or threat to the environment
— Alarm and monitoring functions
Failure could eventually lead to dangerous
Important situations for human safety, safety of the — Control functions which are necessary to
vessel and/or threat to the environment maintain the ship in its normal operational
and habitable conditions
Failure could immediately lead to dangerous — Control functions for maintaining the vessel’s
Essential services and
situations for human safety, safety of the propulsion and steering
safety functions
vessel and/or threat to the environment — Safety functions
Guidance note:
The machinery arrangement and eventual system redundancy, eventual additional notations and possible means for alternative
back-up control beyond main class may affect the system category.
These system categories are equivalent to those defined in IACS UR E22.
1.2.2 Classification of control, monitoring and safety systems shall be according to the following principles:
— type approval
— certification of control, monitoring and safety systems
— onboard inspection (visual inspection and functional testing).
DNV AS
Guidance note:
The main principle is that control system components are type approved and that control systems are certified.
1.3 Type approval
1.3.1 The main hardware components for essential and important control, monitoring and safety systems
covered by the rules of this chapter shall be type approved.
Guidance note:
The requirement normally applies to the following components:
— controllers, PLC’s
— I/O cards, communication cards
— operator stations, computers
— network switches, routers, firewalls
— other components that may be essential for the control system functionality.
Case-by-case approval of the components may, based on suitable documentation, be accepted as an alternative to the type
approval.
See IACS UR (E22, M3, M29, M44, M67) for type approval or documented evidence of compliance according to IACS UR E10.
1.4 Product certification
1.4.1 Essential and important control, monitoring and safety systems, as specified in the rules, shall be
certified unless:
— exemption is given in a Society issued type approval certificate, or
— the logic is simple, failure mechanisms easily understood and adequate assessment is possible during plan
approval.
The certification procedure consists of:
1) plan approval
— assessment of manufacturer documentation in accordance with the documentation requirements in
the rules
— issuance of approval letter.
2) manufacturing survey
— visual inspection
— verification/witness test of performance according to functional requirements based on approved test
programs
— verification/witness test of failure mode behavior
— verification of implementation software quality plan covering life cycle activities, if applicable.
3) issuance of product certificate
DNV AS
Guidance note:
The plan approval normally includes case-by-case document assessment of each delivery, alternatively partly covered by type
approval as specified in class programme DNV-CP-0338 Type approval scheme, and class guideline DNV-CG-0339 Environmental
test specification for electrical, electronic and programmable equipment and systems.
Manufacturers that are certified according to the approval of manufacturer (AoM) class program for 'System and software
engineering' (see DNV-CP-0507) are considered as pre-qualified for the software development aspects of the manufacturing
survey. The verification of the software quality plan is therefore omitted from the survey.
1.4.2 The control, monitoring and safety systems that are required to be certified are given in the applicable
rules.
1.4.3 In addition to the specific certification requirements given in the various rules, the control, monitoring
and safety systems listed in Table 2 shall be certified, if fitted.
Table 2 Compliance documents required for control systems
Compliance
Compliance
Object document Issued by Additional description
standard*
type
Main alarm system PC Society
Integrated control system PC Society
* Unless otherwise specified the compliance standard is the rules.
Guidance note:
For general compliance documentation requirements, see DNV-CG-0550 Sec.4.
For a definition of the compliance document types, see DNV-CG-0550 Sec.3.
Guidance note:
Other control, monitoring and safety systems may, when found to have an effect on the safety of the ship, be
required to be certified.
Guidance note:
This may e.g. be different management systems, see definition in Table 3. For such systems, documentation according to Table 5
are submitted for approval. During the approval, it will be decided whether or not certification is required.
1.5 Software and hardware change handling
1.5.1 The requirements in this section apply to software and hardware changes done after the certification,
i.e. changes done after approval and issuance of the certificate.
Guidance note:
Manufacturers that are certified according to DNV-CP-0507 System and software engineering are considered pre-qualified for the
requirements of this subsection.
1.5.2 Manufacturers or system suppliers shall maintain a system to track changes as a result of defects
being detected in hardware and software, and inform users of the need for modification in the event of
detecting a defect.
DNV AS
1.5.3 Major changes or extensions in hardware or software of approved systems shall be described
and submitted for evaluation. If the changes are deemed to affect compliance with rules, more detailed
information may be required submitted for approval and a survey may be required to verify compliance with
the rules.
1.5.4 Software versions shall be identifiable as required in Sec.4.
1.5.5 A procedure for how to handle changes (e.g. corrections, modifications, upgrades) in both basic- and
application software shall be submitted for approval when requested. The procedure shall describe how to
ensure traceability in the software change handling process for any changes that may be done after the
certification of the system. The general principles of a change handling procedure are illustrated in Figure 1.
The procedure shall cover the necessary steps to ensure compliance with at least the following principles:
— major modifications which may affect compliance with the rules shall be described and submitted to the
Society for evaluation before the change is implemented onboard
— no modification shall be done without the acceptance and acknowledgment by the responsible person on
board
— the modified system shall be tested and demonstrated for the responsible person on board
— the modification shall be documented (including objective/reason, specification/description, impact
analysis, relevant authorizations, implementation and test procedure, relevant signatures and dates, new
incremented SW revision, etc.)
— a test program for verification of correct installation and correct functioning of the applicable functions
shall be applied
— in case the new software upgrade has not been successfully installed, the previous version of the system
shall be available for re-installation and re-testing.

Figure 1 General principles of a change handling procedure.
1.5.6 If the control system is intended for remote software support from outside the vessel (e.g. remote
maintenance), the functionality shall be described in the system documentation as required in Table 5.
DNV AS
The following requirements apply supplementary to [1.5.5], and shall be part of the procedure required in
[1.5.5]:
— a particular procedure for the remote SW maintenance operation shall exist
— no remote access or remote SW modification shall be possible without the acceptance and
acknowledgement by the responsible person on board
— the security of the remote connection shall be ensured by preventing unauthorized access, e.g. password,
and other means of verification, and by protecting the data being transferred (e.g. by encryption
methodologies)
— before the updated software is put into realtime use, the integrity of the new software shall be verified by
appropriate means
— the remote session shall be logged in accordance with the above procedure for change handling, see
[1.5.5].
1.6 Assumptions
1.6.1 The rules of this section are based on the assumptions that the personnel using the equipment to be
installed on board are familiar with the use of, and able to operate this equipment.
2 Definitions
2.1 General terms
Table 3 Definitions – General terms
Term Definition
for warning of an abnormal condition and is a combined visual and audible signal, where
alarm the audible part calls the attention of personnel, and the visual part serves to identify the
abnormal condition
comprise all equipment necessary to maintain control of essential functions required for
back-up control systems the craft's safe operation when the main control systems have failed or malfunctioned
(HSC Code 11.1.2)
includes all components necessary for control and monitoring, including sensors and
actuators
In this section, the term is short for control and monitoring system. A system includes all
control and monitoring resources required, including:
system — the field instrumentation of one or more process segments
— all necessary resources needed to maintain the function including system monitoring
and adequate self-check
— all user interfaces.
alarm system, which shall be provided to operate from the engine control room or the
maneuvering platform, as appropriate, and shall be clearly audible in the engineers'
accommodation
See SOLAS Ch. II-1/38
engineers' alarm
Guidance note:
The engineers' alarm is normally an integrated part of the extension alarm system, but may
be a separate system.
DNV AS
Term Definition
equipment under control mechanical equipment (machinery, pumps, valves, etc.) or environment (smoke, fire,
(EUC) waves, etc.) monitored and/or controlled by a control and monitoring system
system which needs to be in continuous operation for maintaining the vessel's propulsion
and steering. Examples of services are given in Ch.8 Sec.13. Additional class notations
may extend the term essential services. Such extensions, if any, can be found in the
relevant rule sections (hereafter called essential system).
essential control and
Guidance note:
monitoring system
The objective for an essential function is that it should be in continuous operation. However
the rules do not in all respects fulfil this objective as single failures may lead to unavailability
of a function.
comprises all instrumentation that forms an integral part of a process segment to maintain
a function
The field instrumentation includes:
— sensors, actuators, local control loops and related local processing as required to
field instrumentation maintain local control and monitoring of the process segment
— user interface for manual operation (when required).
Other equipment items do not, whether they are implemented locally or remotely, belong
to the field instrumentation. This applies to data communication and facilities for data
acquisition and pre-processing of information utilised by remote systems.
system supporting services which need not necessarily be in continuous operation for
maintaining the vessel's manoeuvrability, but which are necessary for maintaining the
important control and
vessels functions as defined in Pt.1 Ch.1 Sec.1 [1.2], or other relevant parts of the rules.
monitoring system
Additional class notations may extend the term important services. Such extensions, if
any, can be found in the relevant rule sections (hereafter called important system).
independent systems see Sec.2 [1.2.1]
combination of computer based systems which are interconnected in order to allow
common access to sensor information and command/control functions
An integrated control system may contain any combination of monitoring, alarm, control
and safety functions.
Guidance note:
integrated control system A system containing only monitoring and alarm functions is normally not considered an
integrated control system.
A system containing monitoring and alarm functions and in addition control functions is
normally considered as an integrated control system, also if the control functions are not
required by the rules.
manufacturing survey of inspection and verification of performance (normal, abnormal and degraded operation)
control and monitoring according to functional requirements based on approved test programmes and to verify
systems compliance with the rules including requirements for software development
DNV AS
Term Definition
control system/function supplementary or additional to those required by the rules; with
interface to single or multiple control, monitoring, alarm and/or safety systems required
by the rules
A management system may provide operational- or decision support to the operator in
managing e.g.:
— specific vessel- or machinery operations
— emergency- or damage control situations.
The support provided by the management system may either be
— guidance or recommendations to the operator who then decide what actions to
effectuate, or
— automatic actions.
management system Guidance note:
Management systems may contain a variety of functions, and are normally arranged
— with dedicated operator stations and servers
— without dedicated I/O, but utilizing data from the interfaced systems through different
communication links /network connections.
The management system may contain links to external systems.
Examples of management systems:
— safety management system (interfacing relevant systems for fire safety and watertight
integrity)
— decision or operational support system (providing overview, analytics and
recommendations on e.g. fuel optimization, operational capabilities, automatic
operations).
non-important control and systems supporting functions for which the Society has no requirements according to
monitoring systems relevant definitions in the rules (hereafter called non-important systems)
operator station unit consisting of a user interface, i.e. UIDs and VDU, and interface controller(s)
collection of mechanical equipment with its related field instrumentation, e.g. a machinery
process segment or a piping system
Process segments belonging to essential systems are referred to as essential.
system that is activated on occurrence of predefined abnormal process condition to bring
protective safety system
the process/EUC to a safe state. The safety action may be automatic or manual.
redundancy defined as two mutually independent systems that can maintain a function
comprise all equipment necessary to operate units from a control position where the
remote control systems operator cannot directly observe the effect of his actions
(HSC Code 11.1.1)
any human being that will use a system or device, e.g. captain, navigator, engineer, radio
user
operator, stock-keeper, etc.
work place at which one or several tasks constituting a particular activity are carried out
workstation and which provides the information and equipment required for safe performance of the
tasks
DNV AS
2.2 Terms related to computer based system
Table 4 Definitions – terms related to computer based systems
Term Definition
ship specific computer software performing general tasks related to the EUC being
application software
controlled or monitored, rather than to the functioning of the computer itself
software necessary for the hardware to support the application software
Guidance note:
basic software Basic software normally includes the operating system and additional general software
necessary to support the general application software and project application software.
multiprocessing environment, one or more sequences of instructions treated by a control
computer task
program as an element of work to be accomplished by a computer
include point to point links, instrument net and local area networks, normally used for
inter-computer communication. A data communication link includes all software and
hardware necessary to support the data communication.
data communication links Guidance note:
For local area networks, this includes network controllers, network transducers, the cables
and the network software on all nodes.
in the context of control and monitoring systems, hardware is the collection of physical
hardware
elements that comprise the control and monitoring system
processing location and can be a computer or other device, such as a printer. Every node
a node in a network
has a unique network address
assembly of code and data with a defined set of input and output, intended to
software module accomplish a function and where verification of intended operation is possible through
documentation and tests
manufacturer of equipment/systems in which programmable electronic systems are a
SW manufacturer
component in the delivery
any device from which a user may issue an input including handles, buttons, switches,
user input device (UID)
keyboard, joystick, pointing device, voice sensor and other control actuators
normally a computer monitor, but may also be any area where information is displayed
visual display unit (VDU) including indicator lamps or panels, instruments, mimic diagrams, light emitting diode
(LED) display, cathode ray tube (CRT), and liquid crystal display (LCD)
3 Documentation
3.1 General
3.1.1 The documentation of the different control, monitoring and safety systems that shall be submitted for
approval are in general given in the applicable rules.
DNV AS
3.1.2 In addition to [3.1.1], documentation for the control, monitoring and safety systems listed in Table 5
shall be submitted for approval.
Table 5 Documentation requirements
Object Documentation type Additional description Info
I200 - Control and monitoring system
Main alarm system AP
documentation
AP
documentation
See:
Integrated control
system — Sec.2 [1.3], Integrated control
Z070 - Failure mode description system arrangement AP
— Sec.4 [3.3] and Sec.4 [3.4] and
network analysis.
Engineers' alarm AP
documentation
I020 - Control system functional description
I030 - System block diagram (topology) AP
I040 - User interface documentation
Covering i.a. how failures in
the management system or
Z070 - Failure mode description communication may affect the AP
Management systems interfaced control, monitoring and
safety systems.
Covering the integration of the
I210 - Integration plan management system and the AP
interfaced systems.
Covering also integration tests and
Z251 - Test procedure relevant tests from the failure mode AP
description.
3.1.3 The documentation package for all control, monitoring and safety systems shall contain information
as defined for documentation type I200, see DNV-CG-0550 for description of the contents. A failure mode
description (Z070) may be requested in special cases, but where additional documentation is required, this is
generally specified in the applicable rules.
Guidance note:
Documentation for a specific control, monitoring and safety system should be complete in one submittal.
A document may cover more than one instrumented system. A document may cover more than one documentation type.
3.1.4 For systems subject to certification, documentation listed in Table 6 shall be presented for the surveyor
during the manufacturing survey.
3.1.5 For onboard tests and inspections, documentation listed in Table 7 shall be submitted to the local
survey station for approval.
DNV AS
Guidance note:
The test program(s) is normally developed by the yard and contains relevant tests for all control, monitoring and safety systems
installed on board. The test program is normally based on input from the various system manufacturers.
3.1.6 Operation manual (Z161) and a maintenance manual (Z163) for the control systems shall be kept
onboard.
3.1.7 For type approved components or systems, the type approval certificate contains a list of
documentation that shall be submitted for (case-by-case) approval.
Guidance note:
The documentation package I200 should contain a reference to type approval certificates relevant for the control, monitoring and
safety systems in the scope of delivery.
Table 6 Documentation required for the manufacturing survey
Documentation type Definition
The software life cycle activities shall minimum contain procedures for:
— software requirements specification
— parameters data requirements
— software function
— test
I140 - Software quality plan
— parameter data test
— validation testing
— traceability of system project files
— software change handling and revision control
— software security policy.
A document intended for regular use on board, providing information as applicable for:
— operational mode for normal system performance, related to normal and abnormal
performance of the EUC
— operating instructions for normal and degraded operating modes
— details of the user interface
— transfer of control
— redundancy
— test facilities
Z161 - Operation manual
— failure detection and identification facilities (automatic and manual)
— data security
— access restrictions
— special areas requiring user attention
— procedures for start-up
— procedures for restoration of functions
— procedures for data back-up
— procedures for software re-load and system regeneration.
Z162 - Installation manual A document providing information about the installation procedures.
DNV AS
Documentation type Definition
A document intended for regular use on board providing information about:
— maintenance instructions
Z163 - Maintenance manual — acceptance criteria
— fault identification and repair
— list of the suppliers' service net.
Table 7 Documentation required for on-board inspection
Object Documentation type Additional description
Typically submitted by the yard. Contains
Vessel control and Z253 - Test procedure for quay and sea
relevant tests for all control systems AP, L
monitoring systems trial
covered by class.
4 Certification and onboard test
4.1 General
4.1.1 All tests required in this subsection shall be covered by test programs approved by the Society.
The manufacturing survey according to [4.1], [4.2] and [4.3] shall be performed by a society surveyor.
Guidance note:
The manufacturing survey is often referred to as the FAT - factory acceptance test.
The main part of the manufacturing survey is the certification test, see [4.3].
See also [1.4].
4.1.2 For control, monitoring and safety systems that are considered particularly complex, prototypes or not
proven in use in Society classed vessels, the manufacturing survey may be extended.
4.1.3 The control, monitoring and safety systems shall as far as practicable be completed prior to the
manufacturing survey, and the manufacturer shall perform sufficient internal testing covering also the scope
of the approved test program to ensure that the control system is mature and ready for the manufacturing
survey.
4.1.4 For management systems where certification is required, the certification test may not be practicable
to complete during the manufacturing survey, unless the interfaced systems are part of the test or
adequately simulated. In such cases, the certification test covering relevant interfaces, functions, user
interfaces and failure modes shall be completed after installation on board when the interfaced systems are
operational.
Guidance note:
The scope of approval and test for management systems should be agreed with the Society.
4.1.5 The tests and visual inspections shall demonstrate compliance with applicable rule requirements for
application functions and response to failure modes. The test programs shall specify in detail how the various
functions shall be tested and what shall be observed during the tests.
DNV AS
4.1.6 Failure modes shall be simulated as realistically as possible. Alarms and protective safety functions
shall preferably be tested by letting the monitored parameters exceed the defined limits. Alarm and
protective safety limits shall be checked.
4.1.7 It shall be verified that all automatic control functions are working satisfactorily during normal load
changes.
4.2 Verification of software development
4.2.1 Evidence of the development process for the application software shall be made available by the
control system manufacturer and be presented upon request for the surveyor during the manufacturing
survey (see software quality plan in documentation requirements Table 6).
The evidence of the development process for the application software will typically be in the form of
documentation covering at least the following elements of information for the specific control system
delivery:
— software requirements specification
— parameter specification
— software function test
— parameter data test
— validation testing
— system project files stored at the manufacturer
— software security policy.
Guidance note:
For manufacturers that are pre-qualified in accordance with the 'approval of manufacturer' class programme DNV-CP-0507, this
part of the manufacturing survey is omitted.
4.2.2 The manufacturing survey shall cover an evaluation of the tools for control system setup, access and
configuration of the application functions, see Sec.4 [1.9].
4.3 Certification test
4.3.1 The certification test shall include the entire system in accordance with the approved documentation,
integrating all hardware and software units in the designed topology.
Guidance note:
Field instruments, actuators, etc., is normally not part of the certification test.
4.3.2 The certification test shall be performed with the project specific software installed on the actual
hardware components to be delivered on board. The test shall minimum include:
a) hardware tests, verification of hardware performance including hardware failures
b) basic software tests, verification of general functionality
c) application software tests, verification of application functions
d) failure mode testing, verification of system response to representative failures
e) user interface tests.
Guidance note:
The tests may upon agreement with the Society be done on a representative test system.
DNV AS
4.3.3 If the system under test is interfaced to other systems beyond the scope of the manufacturer, the
applicable interfaces shall also be tested. The testing shall at least demonstrate that interfaces are completed
in accordance with relevant specifications and allow for verification of specified communication protocols,
addresses, data registers, relevant logic functions and HMI displays.
Guidance note:
Depending on the level of integration and functional dependencies, the integration testing may be done through various simulation
tests as part of the manufacturing survey and in addition through integration testing on board after installation in the target
environment.
4.4 Onboard test
4.4.1 The tests shall include:
a) During installation, the correct function of individual equipment packages, together with establishment of
correct parameters for alarm, control and protective safety (time constants, set points, etc.).
b) During installation and integration of systems and equipment packages: relevant tests of control system
networks, interfaces and data communication links, integration tests, basic failure mode tests. This also
applies to management systems (including management systems not subject to certification).
Guidance note:
The scope of on-board testing may also include completion of possible pending items from the certification tests, especially
related to integration and interfaces. In such cases, the scope of testing should be agreed between the yard, manufacturer
and the Society.
c) During installation and sea trials, the correct function of systems and integration of systems, including
the ability of the control systems to keep any EUC within the specified tolerances.
d) Where back-up/emergency/local means of control for essential vessel functions are required by the
rules, these functions shall be tested. For these tests, the normal means of control shall as far as
practicable be disabled.
4.4.2 The test program for quay- and sea trials shall be approved by the local Society station.
4.4.3 The remote propulsion control system shall, if fitted, be tested at sea to demonstrate stable control
and operation of the propulsion system with its necessary auxiliaries over the full operating range, and
regardless of the type of propulsion. It shall be demonstrated that necessary ramping/controller functions are
implemented to ensure that any operation of the maneuvering levers do not cause shutdown, instability or
damage to the propulsion machinery or power generating units.
4.4.4 If the propulsion system is designed for different operational modes, the test described in [4.4.3] shall
be run for each relevant mode of operation.
Guidance note:
This applies to e.g. dual fuel engines or combinations of gas and diesel engines, propulsion arrangements with PTI/PTO (power
take in/-out), hybrid systems with combinations of different principles for providing propulsion power, etc.
DNV AS
SECTION 2 DESIGN PRINCIPLES
1 System configuration
1.1 General
1.1.1 Essential and important systems shall be so arranged that a single failure in one control and
monitoring system or one unit cannot spread to another unit.
1.1.2 Failure of any remote or automatic control systems shall initiate an audible and visual alarm and shall
not prevent normal manual control.
1.2 Field instrumentation
1.2.1 The field instrumentation belonging to separate essential process segments shall be mutually
independent.
Guidance note:
System B is independent of system A when any single system failure occurring in system A has no effect on the maintained
operation of system B. A single system failure occurring in system B may have an effect on the maintained operation of system A.
Two systems are mutually independent when a single system failure occurring in either of the systems has no consequences for
the maintained operation of the other system according to above.
1.2.2 When manual emergency operation of an essential process segment is required, separate and
independent field instrumentation is required for the manual emergency operation.
1.2.3 The accuracy of an instrument shall be sufficient to serve the functionality and safe operation of the
EUC.
1.3 Integrated control systems
1.3.1 An integrated control system shall be arranged with sufficient redundancy and/or segregation so as to
prevent loss of the control of essential functions or multiple main functions upon a single failure.
Guidance note:
This is to ensure that in integrated control systems, a single failure should not cause loss of more functionality than it would if the
different functions were implemented in individual, stand-alone control systems/means of control. (See MSC/Circ.891/4.8.)
A limited extent of remote control, monitoring and alarm functions in the integrated control system may be accepted lost upon
single failures if adequately analyzed and documented in the failure mode description. In such cases, the lost functionality should
normally be available from local positions.
1.3.2 If safety functions required by the rules are implemented in an integrated control system, these
shall be implemented in dedicated and autonomous hardware units. Communication to other parts of the
integrated control system shall be secured in accordance with Sec.4 [3] to ensure integrity of the safety
functions.
Guidance note:
When emergency stop of a consumer is required by the rules, see requirements given in Ch.8 Sec.2 [8.6].
DNV AS
1.3.3 Functions in an integrated control system shall be arranged in accordance with any redundancy
requirements applicable for the equipment or system being served.
1.3.4 Functions for cargo systems shall be mutually independent of hardware units used for essential vessel
functions.
1.3.5 Control shall only be available on workstations from where control is intended and access shall be
provided via a command transfer system.
1.3.6 At least two operator stations shall be available at the main workstation ensuring that all functions that
may need simultaneous attention are available.
Guidance note:
See also the requirement for operator interface for each network segment in Sec.4 [3.1.2].
1.3.7 For integrated control systems, compliance with the above requirements shall be documented in a
failure mode description (Z070), see Sec.1 Table 5. The failure mode description shall specifically address the
network properties, see Sec.4 [3.2]. Furthermore, allocation of SW functions and I/O shall also be addressed
in the failure analysis.
1.4 Management systems
1.4.1 Management systems (see Sec.1 Table 3) shall, if integrating multiple functions, be considered as an
integrated control system and hence be arranged with redundancy, see [1.3.1].
1.4.2 A failure in a management system, including it's interfaces and communication network, shall not
propagate to the interfaced control, monitoring and safety systems.
1.4.3 If a management system is arranged with dedicated hardware, the functions and user interface of the
management system shall not substitute the required functions and user interface of the interfaced control,
monitoring and safety systems.
Guidance note:
The management systems are generally supplementary to the control, monitoring and safety functions required by the rules; this
implies that necessary user interface to the required functions shall be provided independent of the management system.
1.4.4 If command- and alarm acknowledge privileges are available on management system operator
stations, transfer of command and alarm acknowledge functionality shall be arranged according to Sec.3 [1].
2 Response to failures
2.1 Failure detection
2.1.1 Essential and important systems shall have facilities to detect the most probable failures that may
cause reduced or erroneous system performance.
Failures detected shall initiate alarms.
2.1.2 The self-check facilities shall cover at least, but not limited to, the following failure types:
— power failures.
Additionally for essential systems:
DNV AS
— loop failures, both command and feedback loops (normally short circuit and broken connections)
— earth faults.
Additionally for computer based systems:
— communication errors
— computer hardware failures.
See also Sec.4.
2.2 System response
2.2.1 The most probable failures, e.g. loss of power or wire failure, shall result in the least critical of any
possible new conditions.
Guidance note:
Total loss of power to any single control system should not result in loss of propulsion or steering.
2.2.2 A redundant system shall, upon failure, have sufficient self-diagnostics to effectively ensure transfer of
active execution to the standby unit, and the transfer shall not cause an interruption of the process control
that jeopardizes safe operation of the EUC. This applies also to the most time critical functions.
Guidance note:
This typically applies to duplicated networks or controllers where a failure in one unit or network should not lead to a downtime
that may jeopardize the time response of the activation of a critical function, like e.g. a shutdown.
DNV AS
SECTION 3 SYSTEM DESIGN
1 System elements
1.1 General
1.1.1 A system consists of one or several system elements where each system element serves a specific
function.
1.1.2 System elements belong to the following categories:
— automatic control
— remote control
— alarm
— protective safety
— indications
— planning and reporting
— calculation, simulation and decision support.
1.1.3 Whenever automatic or manual shutdown is required in the applicable rules, the function shall be
implemented in a safety system that is mutually independent of the control and alarm systems related to the
same equipment under control (EUC).
Exceptions from these general principles may be given if specified in the application rules for the EUC.
Guidance note:
The independency requirement does not intend to prevent the different control-, alarm- and safety system units from
communicating status information over e.g. a network, but each unit shall be able to perform its main functions autonomously, and
not be dependent on the other control system units.
Redundancy in system design is in general not accepted as an alternative way to meet the requirement for independency between
systems.
1.2 Automatic control
1.2.1 Automatic control shall keep process equipment variables within the limits specified for the process
equipment (e.g. the machinery) during normal working conditions.
1.2.2 The automatic control shall be stable over the entire control range. The margin of stability shall be
sufficient to ensure that variations in the parameters of the controlled process equipment that are expected
under normal conditions, will not cause instability. The automatic control system element shall be designed
so as to accomplish the function it shall serve.
1.2.3 Automatic control such as automatic starting and other automatic operations shall include provisions
for manually overriding the automatic controls unless safe manual operation is not feasible. Failure of any
part of such systems shall not prevent the use of the manual override.
1.2.4 In closed loop systems, feedback failures shall initiate an alarm, and the system shall enter the least
critical of possible new conditions. This implies the system to either remain in its present state or move
controlled to zero state.
1.2.5 Where indication of the automatically controlled parameter is required, the sensor for indication shall
not be common with the sensor for feedback to the automatic control.
DNV AS
1.3 Remote control
1.3.1 At the remote workstation being in command, the user shall receive continuous information on the
effects of the orders given.
1.3.2 One workstation shall be designated as the main remote workstation.
Guidance note:
A workstation may consist of multiple operator stations.
1.3.3 When control is possible from several workstations, only one workstation shall be in control at any one
time.
Guidance note:
This does not apply to manual activation of safety actions, e.g. remote shut-down, that may be available from multiple locations in
parallel.
1.3.4 Control shall not be transferred before being acknowledged by the receiving workstation, unless the
workstations are located close enough to allow direct visual and audible contact. Transfer of control shall give
an audible pre-warning unless the workstations are located in close proximity allowing visual and audible
contact.
1.3.5 The main workstation shall be able to take control without acknowledgment, but an audible warning
shall be given at the workstation that relinquishes control. Audible warning is not required if the stations are
located in close proximity allowing visual and audible contact. The action for taking control shall not be the
same as the normal control action.
1.3.6 Means shall be provided to prevent significant alteration of command when transferring control
privileges from local to remote, from one remote location to another or from one means or mode of operation
to another. If this involves manual alignment of control levers, indicators shall show how the levers shall be
set to become aligned.
1.3.7 It shall be indicated at each alternative workstation, which control station that holds the command
rights.
1.3.8 Safety interlocks in different parts of the systems shall not conflict with each other.
Basic safety interlocks shall be hardwired and shall be active during remote and local operation.
Guidance note:
Hardwired safety interlocks should not be overridden by programmable interlocks, and in local operation, non-critical interlocks
should be disabled or possible to override.
1.4 Protective safety system
1.4.1 A protective safety system shall be designed so that failures result in the least critical of any possible
new states (fail safe) considering the safety of the vessel versus the safety of the machinery.
DNV AS
Guidance note 1:
The safety of the vessel denotes the need to maintain operation of the essential functions. The requirement implies that for each
probable failure in the protective safety system including its loops, the system should be designed to minimize the consequences,
evaluating the need to maintain operation versus the risk of causing unacceptable hazard due to breakdown of the machinery. In
this respect, the risk of continuing operation without the safety function and the possibility for manual supervision and intervention
should be considered.
1.4.2 Safety systems for essential vessel services shall be designed according to a fail-to-maintain principle
in order to prevent loss of essential services upon failures. Adequate self-diagnostics (e.g loop monitoring)
shall be implemented to distinguish between a failure in the loop and an alarm condition in the machinery/
process.
Guidance note:
For essential systems that have a stopped unit as it's fail-to-safe principle (e.g. one engine in a multiple engine plant), loop
monitoring need not be arranged.
1.4.3 Any required protective safety system shall be arranged so that failures rendering the safety function
out of operation are detected and alarmed.
1.4.4 A protective safety systems shall be arranged so that the automatic safety actions do not depend
on the network communication. This applies also where the safety system is part of an integrated control
system.
1.4.5 Protective safety actions shall give alarm at predefined workstations.
1.4.6 When the protective safety system element stops a unit, the unit shall not start again automatically.
1.4.7 When a protective safety system element is made inoperative by a manual override, this shall be
clearly indicated at predefined workstations.
1.4.8 When the protective safety system element has been activated, it shall be possible to trace the cause
of the safety action by means of central or local indicators.
1.4.9 When two or more protective safety actions are initiated by one failure condition (e.g. start of standby
pump and stop of engine at low lubricating oil pressure), these actions shall be activated at different levels,
with the least drastic action activated first.
1.4.10 An alarm shall be activated prior to a protective safety action, except for failure conditions where a
protective safety action is required within a short time in order to prevent total failure of the component (e.g.
overspeed shutdown of a diesel engine).
Guidance note:
When two or more protective safety actions are initiated by one failure condition (see [1.4.9]), the initial alarm for the failure
condition (e.g. low lubricating oil pressure alarm) will cover the requirement for prior alarm for all sub-sequent protective safety
actions for the same failure condition.
For pre-warning of slowdown or shutdown of the propulsion machinery to the navigation officers on bridge (SOLAS Ch.
II-1/31.2.10), see Ch.1 Sec.4 [1.4.8].
1.5 Alarms
1.5.1 Alarm indicating devices shall be arranged such as to ensure attention of the responsible duty officer,
e.g. machinery alarm indicating devices located in the normal working areas of the machinery space.
DNV AS
Guidance note 1:
Several suitably placed low volume audible signal units should be used rather than a single unit for the whole area. A combination
of audible signals and rotating light signals may be of advantage.
Guidance note 2:
IMO resolution A.1021 (26) clause 9.5, requires that alarms and indicators on the navigation bridge should be kept at a minimum.
Alarms and indicators not required for the navigation bridge should not be placed there unless permitted by the administration.
1.5.2 Visual presentation of alarms shall be easily distinguishable from other indications by use of colour and
special representation.
Guidance note:
In view of standardising, visual alarm signals should preferably be red. Special representation may be a symbol.
1.5.3 Audible signals used for alarms shall be readily distinguishable from signals indicating normal
conditions, telephone signals, and noise.
1.5.4 Responsibility for alarms shall not be transferred before acknowledged by the receiving location.
Transfer of responsibility shall give audible pre-warning. At each alternative location, it shall be indicated
when in charge.
1.5.5 Acknowledgement of alarms shall only be possible at the workstation(s) dedicated to respond to
the alarm. In normal operation (also including unattended mode), it shall not be possible to transfer the
acknowledgement rights from the machinery space/engine control room to a workstation located outside the
machinery space.
Guidance note:
Alarm lists should be available on any workstation.
1.5.6 Alarms shall be announced by visual indication and audible signal. It shall be possible to see and
distinguish different statuses of the alarms e.g. normal, active, unacknowledged, acknowledged and blocked.
Silencing and acknowledgement of alarms shall be arranged as follows:
Silencing the audible signal:
— Silencing the alarm shall cause the audible signal to cease.
— The visual alarm indication shall remain unchanged.
Acknowledgement of an alarm:
— When an alarm is acknowledged the visual indication shall change. An indication shall remain if the alarm
condition is still active.
— If the acknowledge alarm function is used prior to silencing of the audible signal, the acknowledgement
may also silence the audible signal.
An active alarm signal shall not prevent indication of any new alarms, with related audible signal and visual
indication. This requirement shall also apply for group alarms that have been acknowledged.
In case the alarms are presented on a screen, the most recent alarm shall always be displayed, and only
visible alarms may be acknowledged.
Where different alarms are combined in a group alarm, it shall be possible to identify the individual alarms
initiating the group alarm.
DNV AS
Guidance note:
The individual alarms in an alarm group may be identified on a local panel.
1.5.7 Acknowledgement of visual signals shall be separate for each signal or common for a limited group of
signals. Acknowledgement shall only be possible when the user has visual information on the alarm condition
for the signal or all signals in a group.
1.5.8 Local audible signal for an alarm included in a centralised alarm handling system shall be suppressed
when localised in the same workplace as the centralised alarm handling system.
1.5.9 Manual suppression of separate alarms may be accepted, when this is continuously indicated when
suppressed.
1.5.10 Sufficient information shall be provided to ensure optimal alarm handling. The presence of active
alarms shall be continuously indicated, and alarm text shall be easily understood.
1.5.11 The more frequent failures within the alarm system, such as broken connections to measuring
elements, shall initiate alarm.
1.5.12 Inhibiting of alarm and protective safety functions in certain operating modes (e.g. during start-up)
shall be automatically disabled in other modes.
1.5.13 It shall be possible to delay alarms to prevent false alarms due to normal transient conditions.
1.6 Indication
1.6.1 Indications sufficient to allow safe operation of essential and important functions shall be installed at
all control locations from where the function can be accomplished. Alarms or pre-warnings are not considered
as substitutes for indications for this purpose.
Guidance note:
It is advised that indicating and recording instruments are centralised and arranged to facilitate watch-keeping, e.g. by
standardising the scales, applying mimic diagrams, etc.
1.6.2 Adequate illumination shall be provided in the equipment or in the ship to enable identification of
controls and facilitate reading of indicators at all times. Means shall be provided for dimming the output of
any equipment light source which is capable of interfering with navigation.
1.6.3 Indication panels shall be provided with a lamp test function.
1.7 Planning and reporting
1.7.1 Planning and reporting system elements shall have no outputs for real-time process equipment control
during planning mode.
Guidance note:
Planning and reporting functions are used to present a user with information to plan future actions, e.g. in relation to route and
fuel optimisation.
DNV AS
Guidance note:
The output of the planning and reporting functions may however be used to set up premises for process equipment control, e.g.
route plan used as input to an autopilot or load plan used as input for automatic or user assisted sequence control of the loading.
1.8 Calculation, simulation and decision support
1.8.1 Output from calculation, simulation or decision support modules shall not suppress basic information
necessary to allow safe operation of essential and important functions.
Guidance note:
Output from calculation, simulation or decision support modules may be presented as additional information.
2 General requirements
2.1 System operation and maintenance
2.1.1 Start-ups and restarts shall be possible without specialised system knowledge. On power-up and
restoration after loss of power, the system shall be restored and resume operation automatically.
2.1.2 Testing of essential systems and alarm systems shall be possible during normal operation. The system
shall not remain in test mode unintentionally, and an active test mode shall be clearly indicated on the
operator interface.
Guidance note:
Automatic return to operation mode or alarm should be arranged.
2.2 Power supply requirements for control, monitoring and safety systems
2.2.1 This subsection gives requirements for the power supply to different categories of control, monitoring
and safety systems. Where additional or specific requirements apply, this is specified in the application rules
for the EUC or in applicable additional class notations.
2.2.2 The principal arrangement of the power supply to control, monitoring and safety systems shall reflect
the general redundancy requirements in Ch.1 Sec.3 [2.3]. Failure of a power supply shall not cause loss of
any main function for a longer period than specified in Ch.1 Sec.3 [2.3.6].
2.2.3 Power supply to control, monitoring and safety systems for electric consumers shall be arranged as
specified in Ch.8 Sec.2 [6.3.2]. The control, monitoring and safety systems shall be supplied from the same
distribution as the consumer or system being served.
2.2.4 Control, monitoring and safety systems serving essential services shall be provided with independent
power supplies in accordance with [2.2.2].
Guidance note:
When the essential service is arranged by redundant EUC, the control, monitoring and safety system for each EUC may be supplied
from the same distribution board / the same main switchboard.
For redundant control, monitoring and safety systems, it is acceptable that each independent power supply is feeding both
systems.
DNV AS
2.2.5 When independency is required between an EUC's control, monitoring or safety systems, the
independent systems shall be supplied by separate supply circuits.
2.2.6 Redundant units in integrated control systems shall be provided with independent power supplies.
2.2.7 The following categories of control, monitoring and safety systems shall be provided with
uninterruptible power supply:
— control, monitoring and safety systems required to be operable during black-out
— control, monitoring and safety systems required to restore normal conditions after black-out
— control, monitoring and safety systems serving functions with redundancy type R0
— control, monitoring and safety systems serving functions with redundancy type R1 - unless the control,
monitoring and safety system will be immediately available upon restoration of main power supply (i.e. no
booting process)
— control, monitoring and safety systems for services with other redundancy types if the restoration time of
the control, monitoring and safety system exceeds the corresponding allowed unavailable time
— certain control, monitoring and safety systems where specific requirements for stand-by power supply are
given.
The capacity of the stored energy providing the uninterruptible power shall be at least 30 minutes, unless
otherwise specified.
See Ch.8 Sec.2 Table 1.
2.2.8 If the user interface is required to be duplicated, the requirement for independent power supplies
also applies to the user interface. If uninterruptible power supply is required for the control system, this also
applies to at least one user interface at the dedicated workstations.
DNV AS
SECTION 4 ADDITIONAL REQUIREMENTS FOR COMPUTER BASED
SYSTEMS
1 General requirements
1.1 Assignment of responsibility for the integration of control systems
1.1.1 There shall be one named body responsible for the integration of control systems. This body shall have
the necessary expertise and resources enabling a controlled integration process.
Guidance note:
The responsible body may be the yard, a major manufacturer or another competent body.
1.2 Back-up means of operation
1.2.1 Where a computer based system is part of an essential function, back-up or emergency means of
operation shall be provided, which to the largest extent possible shall be independent of the normal control
system, with its user interface.
1.3 Computer design principles
1.3.1 The controllers on the process level in a computer based system shall have deterministic response time
and be provided with sufficient self-diagnostic properties to ensure a fail-to-safe behaviour.
Guidance note:
This normally excludes the use of commercial off the shelf (COTS) computers running on general purpose operating systems as
process- or safety controllers.
1.3.2 Control systems shall be protected from malware, and the protection shall not disrupt normal system
operation. Necessary means of protection shall ensure that temporary use of interface ports (by removable
devices like e.g. USB memory sticks or service connections to laptops) do not spread malware to control
systems.
Guidance note:
If it is not feasible for system components to host anti-virus software, alternative measures may be employed such as:
— network segmentation
— disabling or blocking interface ports for removable devices
— prevention of auto-execution of programs on removable devices
— manual scanning of removable devices before connected to control systems.
1.4 Storage devices
1.4.1 The online operation of essential functions shall not depend on the operation of rotating bulk storage
devices, such as hard discs.
DNV AS
Guidance note:
This does not exclude the use of such storage devices for maintenance and back-up purposes.
1.4.2 Software and data necessary to ensure satisfactory performance of essential and important functions
shall be stored in non-volatile memory.
1.5 Computer usage
1.5.1 Computers serving essential and important functions shall only be used for purposes relevant to vessel
operation.
1.6 System response and capacity
1.6.1 Systems used for control, monitoring and safety functions shall provide response times compatible with
the time constants of the related equipment under control (EUC).
Guidance note:
The following response times are applicable for typical EUC on vessels:
Data sampling for automatic control purposes (fast changing parameters) 0.1 s
Data sampling, indications for analogue remote controls (fast changing parameters) 0.1 s
Other indications 1 s
Alarm presentations 2 s
Display of fully updated screen views 2 s
Display of fully updated screen views including start of new application 5 s
1.6.2 System start-up and system restoration after power failures shall take place with sufficient speed to
comply with the maximum unavailable time for the systems concerned, reverting thereafter to a pre-defined
state providing an appropriate level of safety.
1.6.3 System capacities shall be sufficient to provide adequate response times for all functions, taking the
maximum load and maximum number of simultaneous tasks under normal and abnormal conditions for the
EUC into consideration.
1.7 Temperature control
1.7.1 Wherever possible, computers shall not have forced ventilation. For systems where cooling or forced
ventilation is required for keeping the temperature at an acceptable level, alarm for high temperature or
maloperation of the temperature control function, shall be provided.
1.8 System maintenance
1.8.1 Integrated control systems supporting one or more essential or important function shall be arranged to
allow individual units to be tested, repaired and restarted without interference with the maintained operation
of the remaining parts of the system.
DNV AS
1.8.2 Essential systems shall have diagnostic facilities to support finding and repairs of failures.
1.9 System access
1.9.1 Access to system set-up or configuration functions for the EUC shall be protected to avoid unauthorised
modifications of the system performance. For screen based systems, tools shall be available to allow easy
and unambiguous modification of configuration parameters provided modifications are allowable under
normal operation.
Guidance note:
As a minimum, this applies to:
— calibration data
— alarm limit modification
— manual alarm inhibiting.
The operator should only have access to the application(s) related to the operation of the functions covered by the system
according to [1.3.1], while access to other applications or installations of such, should be prevented. Hot keys normally giving
access to other functions or program exits (Alt+Tab, Ctrl+Esc, Alt+Esc, double-clicking in background, etc.) should be disabled on
the UID's intended for normal operation.
1.9.2 Unauthorised access to the operation of essential and important systems, from a position outside of
the vessel, shall not be possible. See Sec.1 [1.5].
2 System software
2.1 Software requirements
2.1.1 Basic software on processor systems running application software belonging to different functions shall
have facilities for:
— running several modules under allocated priorities
— detection of execution failures of individual modules
— discrimination of faulty modules to ensure maintained operation at least of modules of same or higher
priority.
2.1.2 Individual application software modules allocated as tasks under an operating system as specified
above shall not perform operations related to more than one function. These modules shall be allocated
priorities in accordance with the relative priority between the functions they serve.
2.1.3 When hardware belonging to inputs, outputs, communication links and user interface is configured to
minimise the consequences of failures, the related software shall be separated in different computer tasks to
secure the same degree of separation.
2.1.4 When calculation, simulation or decision support elements are used to serve essential functions, and a
basic functionality can be maintained without these elements, the application software shall be designed so
as to allow such simplified operation.
2.1.5 System set-up, configuration of the EUC and the setting of parameters for the EUC onboard shall take
place without modification of program code or recompilation. The Society shall be notified if such actions
cannot be avoided.
DNV AS
2.1.6 System- and application software shall be subject to version control, and modifications shall be carried
out in accordance with the change handling procedure, see Sec.1 [1.5.5]. This applies also to parameter
configuration. For any screen-based system, identification should be readily available on the VDU during
normal operation.
Guidance note:
Version control of parameters is only required when such configuration is done by loading/installing updated software versions or
by loading a file with multiple parameters.
2.1.7 Software shall at the time of vessel delivery be updated with qualified security patches.
Guidance note:
The intention of this requirement is to ensure that the cyber security properties of the control systems are up to date at the time
of delivery, and that the yard should pursue this requirement towards those performing the commissioning and completion of the
various control systems (own personnel or representatives from manufacturers or contractors).
2.2 Software development
2.2.1 All relevant actions under the development phase of a complex system software shall be taken to
ensure that the probability of errors that could occur in the program code are reduced to an acceptable level.
Relevant actions shall include at least:
— actions to ensure that the programming of applications is based on complete and valid specifications
— actions to ensure that software purchased from other parties has an acceptable track record and is subject
to adequate testing
— actions to impose a full control of software releases and versions during manufacturing, installation
onboard and during the operational phase
— actions to ensure that program modules are subject to syntax and function testing as part of the process
— actions to minimize the probability of execution failures.
Guidance note:
Typical execution failures are:
— deadlocks
— infinite loops
— division by zero
— inadvertent overwriting of memory areas
— erroneous input data.
2.2.2 The actions taken to comply with [2.2.1] shall be documented and implemented, and the execution of
these actions shall be traceable. The documentation shall include a brief description of all tests that apply to
the system (hardware and software), with a description of the tests intended made by sub-vendors, those
carried out at the manufacturer's and those that remain until installation onboard.
Guidance note:
Manufacturers certified according to DNV-CP-0507 System and software engineering are considered pre-qualified for the
requirements of this section.
DNV AS
3 Control system networks and data communication links
3.1 General
3.1.1 Any network integrating control and/or monitoring systems shall be single point of failure-tolerant
or alternatively designed so that the effect of a single failure does not exceed the principles given in Sec.2
[1.3]. This implies that the network with its necessary components and cables shall be designed with
adequate redundancy.
Guidance note:
The fault tolerance should be documented specifically see [3.2] and [3.4]. The requirement applies to the network containing the
integrated control systems, and not eventual external communication links to single controllers, remote I/O or similar (e.g. a serial
line to an interfaced controller) when such units otherwise can be accepted without redundancy.
3.1.2 The integrity and autonomy of network segments shall be secured with appropriate means. The
intention is to prevent propagation of failures and malicious code between network segments.
Guidance note:
See e.g. DNV-RP-G108 (cyber security in the oil and gas industry based on IEC 62443) for guidance on network segmentation.
Segmentation may be achieved by e.g. physically separated networks or by use of appropriate network devices with necessary
capabilities, e.g. routers and firewalls.
The autonomy of a segment normally assumes necessary user interface.
Requirements for network segmentation follow relevant application rules for e.g.:
— independent functions (e.g. control vs. safety)
— separation of systems (e.g. fire detection, steering control, navigation systems, admin networks, shore/external connection).
3.1.3 Network components controlling the network traffic and nodes communicating over the network shall
be designed with inherent properties to prevent network overload at any time. This implies that neither the
nodes nor the network components shall, be able to generate excessive network traffic or consume extra
resources that may degrade the network performance.
Guidance note:
This may imply that the nodes and network components have properties to monitor its own communication through the network,
and to be able to detect, alarm and respond in a predefined manner in case of an excessive traffic event.
For simple, non-redundant networked systems which are limited to control and monitoring of a single vessel function, a single
failure may cause degraded performance or loss of communication. This will normally be accepted provided that relevant alerts are
given and that fail-safe behavior is demonstrated through testing.
3.1.4 The performance of the network shall be continuously monitored, and alarms shall be generated if
malfunctions or reduced/degraded capacity occurs.
3.1.5 Cables and network components belonging to redundant networks shall be arranged to support the
single fault tolerance required by [3.1.1].
Guidance note:
This implies that cables and network components belonging to redundant networks as far as practicable should be physically
separated; by separate cable routing and installation of network components belonging to the redundant network in separate
cabinets, power supply to such units included.
DNV AS
3.1.6 It shall be possible to maintain local control of machinery as required by Ch.1 Sec.4 [1.1.3]
independent of network status. This may imply that essential nodes hosting such control functions shall be
able to work autonomously, and with necessary operator interface independent of the network.
Guidance note:
When applicable should be demonstrated during sea-trial.
3.1.7 Internode signals shall reach the recipient within a pre-defined time. Any malfunctions shall be
alarmed.
Guidance note:
The 'pre-defined time' should as a minimum correspond to the time constants in the EUC, which implies that the detection and
alarming is initiated quickly enough to enable appropriate operator intervention to secure the operation of the EUC.
3.1.8 If the automation system is connected to administrative networks, the connection principle shall
ensure that any function or failure in the administrative net cannot harmfully affect the functionality of the
control, monitoring and safety system. The administrative functions shall be hosted in separate servers and
shall, if at all necessary, have read only access to the control network.
Guidance note:
The 'administrative network' in this connection may contain functions like e.g. report generation, process analysis, decision support
etc. i.e. functions that by definition are not essential for vessel operation and not covered by the rules.
3.1.9 Functions being irrelevant for vessel operation (e.g. miscellaneous office- or entertainment-related
functions) shall not be connected in any way to any control, monitoring and safety system or utilise its
network.
Guidance note:
Upon special consideration and agreement, additional functions may be accepted as part of the network if sufficiently analysed,
documented and tested.
3.1.10 It shall not be possible for unauthorised personnel to connect equipment to the control, monitoring
and safety network or otherwise have access to such network.
Guidance note:
This pertains to both communication onboard the vessel as well as remotely via external communication. Any access point to be
clearly marked and shall be sufficiently secured e.g. by location with restricted access, a lockable device or password access.
3.1.11 Any powered component controlling the network traffic or a communication link shall automatically
resume to normal operation upon restoration of power after a power failure.
3.1.12 All nodes in a network shall be synchronized to allow a uniform time tagging of alarms (and events)
to enable a proper sequential logging.
3.1.13 The network shall be designed with adequate immunity to withstand possible exposure to
electromagnetic interference in relevant areas.
Guidance note:
This implies the use of suitable network media in areas exposed to high voltage equipment.
DNV AS
3.1.14 Systems allowing for remote connection (e.g. via internet), for e.g. remote diagnostics or
maintenance purposes, shall be secured with sufficient means to prevent unauthorised access, and functions
to maintain the security of the control, monitoring and safety system. The security properties shall be
documented. See also Sec.1 [1.5] for software change handling requirements.
Guidance note:
Any remote access to the control system should be authorised onboard. The system shall have appropriate virus protection also
related to the possibility of infection via the remote connection.
If remote connection for e.g. the above purposes is possible, the function is subject to special considerations and case-by-case
approval.
3.1.15 The data stream serving a CCTV system (closed circuit television) and other bandwidth-intensive
applications shall not be part of the network in a control system covered by the rules, unless sufficient
integrity can be documented in a network analysis.
3.2 Network analysis
3.2.1 The control, monitoring and safety network with its components, connected nodes, communication
links (also external interfaces) shall be subject to a failure analysis where all relevant failure scenarios are
identified and considered. The analysis may be in the form of e.g. an FMEA, and shall specifically focus on the
integrity of the different network functions implemented in separate network segments as well as the main
network components (switches, routers etc).
Guidance note:
The main purpose of the analysis would be to identify possible failures that may occur in the network, identify and evaluate the
consequences and to ensure that the consequences of failures are acceptable.
The analysis should be performed in connection with the system design, and not after the system is implemented.
The requirement is generally applicable for all control, monitoring and safety systems containing nodes connected on a common
network. However, for simpler systems, the above requirement may be fulfilled by covering the most relevant failure scenarios in a
test programme.
3.3 Network test and verification
3.3.1 The network functionality shall be verified in a test where at least the following items shall be verified:
1) the main observations/items from the failure mode description
2) self-diagnostics, alarming upon different network failures
3) worst-case scenarios: network storm
4) segment segregation: autonomous operation of segments
5) individual controller node integrity: nodes working without network communication
6) consequence of single cabinet failure.
DNV AS
Guidance note:
Item 3: Unless clearly analysed and concluded in the network analysis, network storms are considered relevant failure modes for
any type of communication network. For Ethernet-based networks, network storm with all message types addressing all installed
protocols should be included in the network analysis and tested. The network storm test procedure should describe the following:
— test equipment used to generate network storm and verify network load/traffic rate
— network bandwidth
— protocols and message types to be tested, protection mechanisms to be demonstrated
— how to perform the tests and expected results.
Item 6: The objective is to verify that essential vessel functions are still available after e.g. a fire in a single cabinet / cubicle.
3.4 Network documentation requirements
3.4.1 For integrated control systems, the network analysis ([3.2]) including a procedure for the test and
verification ([3.3]) shall be submitted for approval as part of the failure mode description (Z070), see Sec.1
Table 5.
3.5 Wireless communication
3.5.1 Wireless communication links may be used in systems as defined by IACS UR E22.
3.5.2 The wireless equipment shall not cause interference to licensed users of the ISM frequency bands in
the geographical areas where the ship shall operate. The radiated power level should be adjustable.
Guidance note:
The wireless-equipment should be certified according to technical requirements established by applicable IEEE802 standards for
operation within the ISM (industrial, scientific and medical) band. The user manual should identify any relevant spectrum and
power restrictions for the ISM bands that may have been enforced by the authorities in the various states of relevance in the
operating area of the vessel.
3.5.3 The wireless broadcasting shall operate in the radio bands designated for ISM.
Guidance note:
The ISM bands are located at 900 MHz (902-928 MHz), 2.4 GHz (2400-2483.5 MHz) and 5.8 GHz (5725-5850 MHz).
3.5.4 The wireless broadcasting shall sustain the anticipated electromagnetic environment on board and be
tolerant towards interference from narrow-band signals.
Guidance note:
The type of modulation used should be of the category 'spread spectrum' and be in compliance with the IEEE 802 series. Direct
sequence spread spectrum (DSSS) and frequency hopping spread spectrum (FHSS) are recognised standards for modulation.
If DSSS modulation is used and more than one access point (AP) may be active simultaneously, these APs should be physically
separated and also use separate channels. The minimum processing gain should not be less than 10 dB.
3.5.5 The wireless system shall entail a fixed topology and support prevention of unauthorised access to the
network.
Guidance note:
The access to the network should be restricted to a defined set of nodes with dedicated media access control (MAC) addresses.
DNV AS
3.5.6 In case more than one wireless system shall operate in the same area onboard and there is a risk
of interference, a frequency coordination plan shall be made and the interference resistance shall be
documented and then demonstrated on board.
3.5.7 The wireless equipment shall employ recognised international protocols supporting adequate means for
securing message integrity.
Guidance note:
The protocol should be in compliance with the IEEE 802 standard and the nodes should execute at least a 16-bit cyclic redundancy
check of the data packets.
3.5.8 In case any form of control signals or confidential data is transferred over the wireless network, data
encryption according to a recognised standard shall be utilised.
Guidance note:
Secure encryption schemes such as WiFi protected access (WPA) should be used to protect critical wireless data.
3.5.9 The data handling and final presentation of information shall comply with rules and regulations being
applicable to the information category.
Guidance note:
Isochronous (real-time) or asynchronous (transmit-acknowledgment) transport will be required depending on the application.
3.6 Documentation of wireless communication
3.6.1 The following information related to the wireless communication shall be included in the documentation
submitted for approval, see Sec.1 Table 5:
— functional description
— ISM certificate (IEEE802) from a licence authority (typical flag state) or alternatively applicable test
reports
— single line drawings of the WLAN topology with power arrangements
— specification of frequency band(s), power output and power management
— specification of modulation type and data protocol
— description of integrity and authenticity measures.
DNV AS
SECTION 5 COMPONENT DESIGN AND INSTALLATION
1 General
1.1 Environmental strains
1.1.1 Instrumentation equipment shall be suitable for marine use, and shall be designed to operate under
environmental conditions as described in [2], unless means are provided to ascertain that the equipment
parameters are not exceeded. These means are subject to approval on case-by-case basis.
1.1.2 Data sheets, sufficiently detailed to ensure proper application of the instrumentation equipment, shall
be available.
1.1.3 Performance and environmental testing to ascertain the suitability of the equipment shall be provided
upon request.
1.2 Materials
1.2.1 Explosive materials and materials which may develop toxic gases, shall not be used. Covers,
termination boards, printed circuit cards, constructive elements and other parts that may contribute to
spreading fire shall be of flame-retardant material.
Guidance note:
Materials with a high resistance to corrosion and ageing should be used. Metallic contact between different materials should not
cause electrolytic corrosion in a marine atmosphere. As base material for printed circuit cards, glass-reinforced epoxy resin or
equivalent should be used.
1.3 Component design and installation
1.3.1 Component design and installation shall facilitate operation, adjustment, repair and replacement. As
far as practicable, screw connections shall be secured.
1.3.2 Vibration resonances with amplification greater than 10 should not occur. Amplification greater than 10
may be accepted based on case-by-case evaluation for equipment designed for high vibrations.
1.3.3 Electric cables and components shall be effectively separated from all equipment, which, in case of
leakage, could cause damage to the electrical equipment. In desks, consoles and switchboards, which contain
electrical equipment, pipes and equipment conveying oil, water or other fluids or steam under pressure shall
be built into a separate section with drainage.
1.3.4 Means shall be provided for preventing moisture (condensation) accumulating inside the equipment
during operation and when the plant is shut down.
1.3.5 Differential pressure elements (dp-cells) shall be able to sustain a pressure differential at least equal to
the highest pressure for the equipment under control (EUC).
1.3.6 Thermometer wells shall be used when measuring temperature in fluids, steam or gases under
pressure.
1.3.7 The installation of temperature sensors shall permit easy dismantling for functional testing.
DNV AS
1.3.8 Clamps used to secure capillary tubes shall be made of a material that is softer than the tubing.
1.4 Maintenance, checking
1.4.1 Maintenance, repair and performance tests of systems and components shall as far as practicable to be
possible without affecting the operation of other systems or components.
Provisions for testing, e.g. three-way cocks, shall be arranged in pipes connecting pressure switches/
transducers to EUC normally in operation at sea.
Guidance note:
The installation should as far as possible be built up from easily replaceable units and designed for easy troubleshooting, checking
and maintenance. When a spare unit is mounted, only minor adjustments or calibrations of the unit should be necessary. Faulty
replacements should not be possible.
1.5 Marking
1.5.1 All units and test points shall be clearly and permanently marked. Transducers, controllers and
actuators shall be marked with their system function, so that they can be easily and clearly identified on
plans and in instrument lists. See also Ch.8 Sec.3 [5].
Guidance note:
Marking of test points with e.g alarm or tag numbers is acceptable as long as they can easily be identified in the alarm list or other
documentation.
The marking of system function should preferably not be placed on the unit itself, but adjacent to it.
1.6 Standardising
Guidance note:
Systems, components and signals should be standardised as far as practical.
2 Environmental conditions, instrumentation
2.1 General
2.1.1 The environmental parameters given in [2.2] to [2.11], including any of their combinations, represent
'average adverse' conditions, which will cover the majority of applications on board vessels. Where
environmental conditions will exceed those specified, special arrangements and special components shall be
considered.
Table 1 Parameter class for the different locations on board
Parameter Class Location
A Machinery spaces, control rooms, accommodation, bridge
Inside cabinets, desks. etc. with temperature rise of 5°C or more installed in
Temperature B
location A
C Pump rooms, holds, rooms with no heating
DNV AS
Parameter Class Location
Open deck, masts and inside cabinets, desks etc. with a temperature rise of
D
5°C or more installed in location C
A Locations where special precautions are taken to avoid condensation
Humidity
B All locations except as specified for location
A On bulkheads, beams, deck, bridge
On machinery such as internal combustion engines, compressors, pumps,
Vibration B
including piping on such machinery
C Masts
Electro- A All locations except as specified for bridge and open deck
magnetic compatibility (EMC) B All locations including bridge and open deck
Components and systems designed in compliance with IEC environmental specifications for ships 60092-504
(2016), and for EMC 60533, may be accepted after consideration.
Guidance note:
See IACS UR E10.
For details on environmental conditions for instrumentation, see class guideline DNV-CG-0339.
For navigation and radio equipment IEC 60945, Marine navigational equipment - General requirements, is applicable.
For EMC only, all other bridge-mounted equipment; equipment in close proximity to receiving antennas, and equipment capable of
interfering with safe navigation of the ship and with radio-communications the IEC 60945 (2002) Clause 9 (covered by EMC class
B) is applicable.
2.2 Electric power supply
2.2.1 Power supply failure with successive power breaks with full power between breaks.
— 3 interruptions during 5 minutes
— switching-off time 30 s each case.
2.2.2 Power supply variations for equipment connected to A.C. systems:
— combination of permanent frequency variations of ±5% and permanent voltage variations of +6% and
-10% of nominal
— combination of frequency transients (5 s duration) ±10% of nominal and voltage transients (1.5 s
duration) ±20% of nominal.
2.2.3 Power supply variations for equipment connected to D.C. systems:
— voltage tolerance continuous ±10% of nominal
— voltage transients cyclic variation 5% of nominal
— voltage ripple 10%.
2.2.4 Power supply variations for equipment connected to battery power sources:
— +30% to -25% for equipment connected to battery during charging
— +20% to -25% for equipment connected to battery not being charged
— voltage transients (up to 2 s duration) ±25% of nominal.
DNV AS
2.3 Pneumatic and hydraulic power supply
2.3.1 Nominal pressure ±20% (long and short time deviations).
2.4 Temperature
Table 2 Ambient temperature range and associated test temperatures
Class Ambient temperatures Test temperatures
A 0°C to +45°C +5°C and +55°C
B 0°C to +55°C +5°C and +70°C
C -25°C to +45°C -25°C and +55°C
D -25°C to +55°C -25°C and +70°C
2.5 Humidity
2.5.1 Class A:
Relative humidity up to 96% at all relevant temperatures, no condensation.
2.5.2 Class B:
Relative humidity up to 100% at all relevant temperatures.
2.6 Salt contamination
3
2.6.1 Salt-contaminated atmosphere up to 1 mg salt per m of air, at all relevant temperatures and humidity
conditions. Applicable to equipment located in open air and made of material subject to corrosion.
2.7 Oil contamination
2.7.1 Mist and droplets of fuel and lubricating oil including exposure from oily fingers e.g. in connection with
calibration and test.
2.8 Vibrations
2.8.1 Class A:
— Frequency range 2 to 100 Hz.
— Amplitude 1 mm (peak value) below 13.2 Hz.
— Acceleration amplitude 0.7 g above 13.2 Hz.
2.8.2 Class B:
— Amplitude 1.6 mm (peak value) below 25 Hz.
— Acceleration amplitude 4.0 g above 25 Hz.
DNV AS
2.8.3 Class C:
— Amplitude 2.5 mm (peak value) below 15 Hz.
— Acceleration amplitude 2.3 g above 15 Hz.
2.8.4 Extreme vibration strains:
More severe vibration strains shall be considered when this is expected at the location in question.
Guidance note:
This applies to instrument installations on e.g exhaust gas manifolds or fuel injection systems of medium and high speed diesel
engines where the following vibration levels should be considered:
— Frequency range 40 to 2000 Hz
— Acceleration amplitude 10.0 g
o
— Temperature 600 C.
2.9 Inclination
2.9.1 For ships, see Ch.1 Sec.3 [2.2]. For high speed, light craft and naval surface craft, see DNV-RU-HSLC
Pt.4 Ch.1.
2.10 Electromagnetic compatibility
2.10.1 The minimum immunity requirements for equipment are given in Table 3, and the maximum emission
requirements are given in Table 4.
Guidance note:
Electrical and electronic equipment should be designed to function without degradation or malfunction in their intended
electromagnetic environment. The equipment should not adversely affect the operation of, or be adversely affected by any other
equipment or systems used on board or in the vicinity of the vessel. Upon installation, it may be required to take adequate
measures to minimise the electromagnetic noise signals. Such measures may be in form of a list of electromagnetic noise
generating- and sensitive equipment, and an estimate on required noise reduction, i.e. an EMC management plan. Testing may
also be required to demonstrate electromagnetic compatibility.
Table 3 Minimum immunity requirements for equipment
Performance
Port Phenomenon Basic Standard Test value
criteria
50 - 900 Hz: 10% A.C. supply voltage
Conducted low frequency 900 - 6000 Hz: 10 - 1% A.C. supply
IEC 60945 A
interference voltage
A.C. 6 - 10 kHz: 1% A.C. supply voltage
power
Electrical fast transient 3)
IEC 61000-4-4 B 2 kV
(Burst)
1) 2)
Surge voltage IEC 61000-4-5 B 0.5 kV /1 kV
DNV AS
Performance
Port Phenomenon Basic Standard Test value
criteria
3)
3 Vrms ; 150 kHz - 80 MHz
Conducted radio frequency -3 6)
IEC 61000-4-6 A sweep rate ≤ 1.5 × 10 decade/s
interference
modulation 80% AM (1 kHz)
Conducted low frequency
IEC 60945 A 50 Hz - 10 kHz: 10% D.C. Supply voltage
interference
IEC 61000-4-4 B 2 kV
(Burst)
D.C.
power 1) 2)
Surge voltage IEC 61000-4-5 B 0.5 kV /1 kV
3)
3 Vrms ; 150 kHz - 80 MHz
Conducted radio frequency -3 6)
interference
IEC 61000-4-4 B 1 kV
(Burst)
I/O ports,
3)
signal or 3 Vrms ; 150 kHz - 80 MHz
control Conducted radio frequency -3 6)
interference
Electrostatic discharge (ESD) IEC 61000-4-2 B 6 kV contact/8 kV air

5)
10 V/m 80 MHz-6 GHz
Enclosure
-3
Electromagnetic field IEC 61000-4-3 A sweep rate ≤ 1.5 × 10 decade/s
1) line to line
2) line to ground
3) capacitive coupling
4) coupling clamp
5) special situations to be analysed
6) for equipment installed in the bridge and deck zone (EMC class B) the test levels shall be increased to 10 Vrms for
spot frequencies in accordance with IEC 60945 at 2/3/4/6.2/8.2/12.6/16.5/18.8/22/25 MHz. For screened cables, a
special test set-up shall be used enabling the coupling into the cable screen.
Performance criterion A: The equipment under test (EUT) shall continue to operate as intended during and after the test.
No degradation of performance or loss of function is allowed as defined in the relevant equipment standard and in the
technical specification published by the manufacturer.
Performance criterion B: The EUT shall continue to operate as intended after the test. No degradation of performance
or loss of function is allowed as defined in the relevant equipment standard and in the technical specification published
by the manufacturer. During the test, degradation or loss of function or performance that is self recoverable is however
allowed but no change of actual operating state or stored data is allowed.
DNV AS
Table 4 Maximum emission requirements for equipment
Class Location Port Frequency Range [Hz] Quasi-peak limits
150 k – 30 M
30 – 100 M 80 – 50 dBμV/m
Enclosure 100 M – 1 G 60 – 54 dBμV/m
1)
(Radiated emission) 1 G - 6 G 54 dBμV/m
All locations except except: 24 dBμV/m
2)
A
bridge and open deck
156 – 165 M
10 – 150 k 120 – 69 dBμV
Power
150 – 500 k 79 dBμV
(Conducted emission)
500 k – 30 M 73 dBμV
150 – 300 k
300 k – 30 M 80 – 52 dBμV/m
Enclosure 30 M – 1 G 52 – 34 dBμV/m
1)
(Radiated emission) 1 G - 6 G 54 dBμV/m
All locations including except: 24 dBμV/m
2)
B
bridge and open deck
156 – 165 M
10 – 150 k 96 – 50 dBμV
Power
150 – 350 k 60 – 50 dBμV
(Conducted emission)
350 k – 30 M 50 dBμV
1) Average limit, not quasi-peak.
2) Alternatively, the radiation limit at a distance 3 m from the enclosure port for the frequency range 156 MHz to 165
MHz shall be 30 dBµV/m peak.
2.11 Miscellaneous
2.11.1 In particular applications other environmental parameters may influence the equipment, e.g.:
— acceleration
— fire
— explosive atmosphere
— temperature shock
— wind, rain, snow, ice, dust
— audible noise
— mechanical shock or bump forces equivalent to 20 g of 10 ms duration
— splash and drops of liquid
— corrosive atmospheres of various compositions (e.g. ammonia on an ammonia carrier).
2.11.2 Acceleration caused by the ship's movement in waves. Peak acceleration ±1.0 g for ships with length
less than 90 m, and ±0.6 g for ships of greater length. Period 5 to 10 s.
DNV AS
3 Electrical and electronic equipment
3.1 General
3.1.1 Switching the power supply on and off shall not cause excessive voltage or other strains that may
damage internal or external components.
3.2 Mechanical design, installation
Guidance note:
Circuits should be designed to prevent damage of the unit or adjacent elements by internal or external failures. No damage should
occur when the signal transmission lines between measuring elements and other units are short-circuited, grounded or broken.
Such failures should lead to a comparatively safe condition (fail to safe).
Guidance note:
The equipment should preferably function without forced cooling. Where such cooling is necessary, precautions should be taken to
prevent the equipment from being damaged in case of failure of the cooling unit.
3.3 Protection provided by enclosure
3.3.1 Enclosures for the equipment shall be made of steel or other flame retardant material capable of
providing EMC protection and satisfying the minimum requirements of Table 5. The required degree of
protection is specified in IEC 60529.
Table 5 Minimum requirements for enclosures
Degree of
Class Location
protection
1)
A Control rooms, accommodation, bridge, local equipment room, central equipment room IP 20
B Machinery space IP 44
C Open deck, masts, below floor plates in machinery space IP 56
D Submerged application IP 68
1) If there is a chance of dripping water from piping, condensed water, etc. then a higher IP rating may be necessary
More detailed requirements for ingress protection of enclosure types related to location are given in Ch.8
Sec.10 Table 1.
Guidance note:
Automation equipment of class A and B that should be in operation during emergency situations, located in areas exposed to wash
down, should have IP 55 protection.
3.4 Cables and wires
3.4.1 Cables and wires shall comply with the requirements in Ch.8 Sec.9.
DNV AS
3.5 Cable installation
3.5.1 Cable installations shall comply with the requirements in Ch.8 Sec.10 and Ch.8 Sec.3 [4.3].
3.6 Power supply
3.6.1 When using low voltage battery supply, the charging equipment, batteries and cables shall keep the
voltage at equipment terminals within the voltage variations as specified in Ch.8 Sec.4.
Provisions shall be made for preventing reverse current from the battery through the charging device.
3.6.2 Systems including a standby battery connected for continuous charging shall not be disturbed in any
way by disconnection of the battery.
3.6.3 Battery installations shall be in accordance with Ch.8 Sec.10 [2.3].
3.6.4 Regulated rectifiers shall be designed for the variations in voltage and frequency stated in [2].
3.6.5 Different system voltages shall be supplied through different cables.
3.6.6 Terminal lists shall be clearly marked. Various system voltages shall be distinguished.
3.6.7 Uninterruptible power supplies shall be according to the requirements given in Ch.8 Sec.2 [1.2].
3.7 Fibre optic equipment
3.7.1 Fabrication and installation of fibre optic cables shall comply with the requirements of Ch.8 Sec.9.
Guidance note:
The construction of fibre optic devices should generally comply with relevant specifications of IEC publications.
3.7.2 Power budget calculation shall be used to:
— determine the length between I/O units,
— select components to obtain a safe reliable transmission system, and
— to demonstrate that adequate power reserve has been provided.
After installation, optical time domain reflectometry (OTDR) measurements for each fibre shall be used to
correct and re-evaluate the power budget calculations.
3.7.3 The safety of personnel and operations shall be considered in the installation procedures. Warning
signs and labels giving information to the operators shall be placed where hazard exists. Care shall be taken
to prevent fibres from penetrating eyes or skin.
DNV AS
Guidance note:
It is advised to use equipment with 'built-in' safety, e.g. to interlock the power to the light sources with the covers, to arrange
disconnection/locking of parts of the system under service, to screen laser beams.
Safe distance between the light source or fibre end and the eye of the operator may be determined by applying the formulae:
Safe distance: L [cm] ; Pn: Nominal power [mW].
3.7.4 Fibre optic systems using standard single- and multimode fibres to be used for intrinsically safe circuits
in hazardous areas shall have a power level below 10 mW.
DNV AS
SECTION 6 USER INTERFACE
1 General
1.1 Introduction
1.1.1 The location and design of the user interface shall give consideration to the physical capabilities of the
user and comply with accepted ergonomic principles.
1.1.2 This section gives requirements for the user interface to ensure a safe and efficient operation of the
systems installed.
2 Workstation design and arrangement
2.1 Location of visual display units (VDUs) and user input devices (UIDs)
2.1.1 Workstations shall be arranged to provide the user with easy access to UIDs, VDUs and other facilities
required for the operation.
2.1.2 The VDUs and UIDs shall be arranged with due consideration of the general availability parameters as
shown in Figure 1 and Figure 2.

Figure 1 VDU arrangement parameters
DNV AS


Figure 2 UID arrangement parameters
2.1.3 UIDs and VDUs serving the same function shall as far as possible be arranged and grouped together.
3 User input device and visual display unit design
3.1 User input devices
3.1.1 The method of activating a UID shall be clear and unambiguous.
3.1.2 The direction of UID movements shall be consistent with the direction of associated process response
and display movement. The purpose shall be to ensure easy and understandable operation, such as:
— a side thruster lever to be arranged athwart ships
— a propulsion thruster lever shall be arranged according to the vessel response
— the thruster response shall correspond to the lever movement.
3.1.3 The operation of a UID shall not obscure indicator elements where observation of these elements is
necessary for adjustments.
3.1.4 UIDs or combined UIDs/indicating elements shall be distinguishable from elements used for indication
only.
3.1.5 UIDs shall be simple to use, and shall allow for one hand operation. The need for fine motoric
movements should be avoided.
3.1.6 The naming, numbering and tagging for the different main components shall be consistent on the
applicable VDUs, UIDs and signboards.
DNV AS
3.2 Visual display units
3.2.1 The information presented shall be clearly visible to the user, and permit reading at a practicable
distance in the light conditions experienced, where installed.
3.2.2 In order to ensure readability, the update frequency of VDUs shall be consistent with the operational
use of the VDU and the accuracy requirement, if any, to the data displayed.
3.2.3 VDU letter type shall be of simple, clear-cut design.
3.2.4 Set points shall always be indicated at the location of the UID.
3.3 Colours
3.3.1 The use of colours shall be consistent. Red shall be reserved to indicate danger, alarm and emergency
only.
Guidance note:
Colour coding of functions and signals should in general be in accordance with Table 1.
Table 1 Colour coding
Function Colour code
Danger, alarm, emergency Red
Attention, pre-warning, caution, undefined Yellow
Status of normal, safe situation Green
3.4 Requirements for preservation of night vision (UIDs and VDUs for
installation on the navigating bridge)
3.4.1 Warning and alarm indicators shall show no light in normal condition.
3.4.2 All UIDs and VDUs shall be fitted with internal or permanent external light source to ensure that all
necessary information is visible at all times.
3.4.3 Means shall be provided to avoid light and colour changes during start-up and mode changes, which
may affect night vision.
3.4.4 Illumination
Means shall be provided for adjustment of illumination of all VDUs and UIDs to a level suitable for all
applicable light conditions. However, it shall not be possible to adjust down to a level making information
belonging to essential and important functions unreadable.
Guidance note:
Adjustments may be arranged by use of different sets of colours suited for the applicable light conditions.
DNV AS
4 Screen based systems
4.1 General
4.1.1 The status of all displayed objects shall be clear and unambiguous, and presentation of displays shall
be consistent.
Guidance note:
This implies that the indication of dynamic objects on the VDU shall reflect the true status of the indicated parameter in the
system.
4.1.2 Alarm required in the rules shall, when initiated, be given priority over any other information presented
on the VDU. The entire list of alarm messages shall be easily available.
4.1.3 Alarms shall be time tagged.
4.1.4 Time tagging for all alarms shall be consistent throughout the system. The different nodes in the
system shall be synchronised with sufficient accuracy to ensure consistent time tagging for all alarms
throughout the system.
The accuracy of the synchronisation shall as a minimum correspond to the time constants in the process so
that the true sequence of events may be traced in the alarm list.
4.1.5 UIDs shall be designed and arranged to avoid inadvertent operation.
Guidance note:
The purpose shall prevent unintentional activation/de-activation of systems, e.g. by means of a lid over a stop button or two-step
operation of critical screen-based functions.
4.1.6 For essential and important systems, dedicated input devices shall be used.
Guidance note:
The input device is normally a dedicated function keyboard, but alternative arrangements like e.g. touch-screens or dedicated
software-based dialogue boxes or switches may be accepted on special considerations.
4.1.7 Symbols and their associated information in a mimic diagram shall have a logical relationship.
4.1.8 Means shall be provided to ensure that only correct use of numbers and letters and only values within
reasonable limits will be accepted when data is entered manually into the system.
If the user provides the system with insufficient input, the system shall request the continuation of the
dialogue by means of clarifying questions. Under no circumstances is the system to end the dialogue
incomplete without user request.
4.2 Computer dialogue
4.2.1 Frequently used operations shall be available in the upper menu level, on dedicated software or
hardware buttons.
4.2.2 All menus and displays shall be self-explanatory or provided with appropriate help-functions.
DNV AS
4.2.3 When in dialogue mode, update of essential information shall not be blocked.
4.2.4 Relevant fields for entry of data shall occur with current or a default value. A valid data range shall be
defined for each field.
4.2.5 The systems shall indicate the acceptance of a control action to the user without undue delay.
4.2.6 Confirmation of a command shall be used when the action requested has a critical consequence.
4.2.7 It shall be possible for the user to recognise whether the system is busy executing an operation, or
waiting for additional user action. When the system is busy, buffering of more than one user input is not
allowed. Manually initiated time-consuming operations shall be possible to cancel.
4.3 Application screen views
4.3.1 For integrated control systems, all windows to be called to the VDU shall have a similar representation
of all components (menus, buttons, symbols, colours, etc.).
DNV AS
CHANGES – HISTORIC
Part 4 Chapter 9 Changes – historic
July 2020 edition
Identification of systems that Sec.1 [1.4.2] The certification requirements for control and monitoring

shall be certified systems are in general given in the different application rules.
The guidance note that contained a summary of all these
requirements is deleted to avoid duplication of requirements
and potential misalignment.
Safety management systems Sec.1 Table 2, Sec.1 The term 'management systems' is intended to cover additional

and decision support systems Table 3, Sec.1 Table 5, systems that are installed beyond those required by the rules,
Sec.1 [4.1.4], Sec.1 and that may provide manual or automatic support to the
[4.4.2], Sec.2 [1.4] operator in e.g. optimizing the operation, making operational
decisions or handling emergency / damage control. Since such
systems may involve operational aspects beyond the normal
scope of class, or an additional layer of integration on top of
various control, monitoring and safety systems, the approval
scope, certification requirements and integration tests on board
shall be agreed in each case.
Integrated control systems Sec.1 Table 3 When multiple functions are integrated, a single failure should

not cause loss of more functionality than it would if the
functions were implemented in stand-alone systems. Integrated
systems shall therefore be arranged with appropriate
redundancy.
Approval of manufacturer Sec.1 [1.5], Sec.1 The approval of manufacturer scheme for systems and

scheme (AoM) for systems and [4.2], Sec.4 [2.2] software engineering covers software quality processes and
software engineering manufacturers holding this certificate will have a reduced
approval scope for each delivery.
Software and hardware change Sec.1 Figure 1 The change management process is illustrated in a figure to

handling support the requirements.
Certification and test Sec.1 [4] The requirements for certification and testing are clarified

and the wording is amended to match the intended practice
including completion of tests on board.
Electronic governors Sec.2 [1.2.3] The requirement for powering of electronic governors has been

amended and is moved to rules for rotating machinery, Ch.3
Sec.1.
Response to failures Sec.2 [2.1.2] Earth failure detection is required for essential systems. The

requirement applies to earth failures in signal loops. This is now
clarified in the rules.
Alarm silence Sec.3 [1.5.6] Clarification of the alarm silence and acknowledge functionality.
Cyber security Sec.4 [1.3.2], Sec.4 The basic aspects of cyber security are clarified and

[2.1.7], Sec.4 [3.1.2] strenghtened in the rules.
DNV AS
July 2019 edition
Only editorial corrections have been made.
January 2018 edition
Changes January 2018, entering into force 1 July 2018.
General update and Sec.1 [1.5.5] The requirements for the software change handling procedure

clarifications of the rules is amended slightly.
Sec.3 [1.3.4] Clarification - audible pre-warning for command transfer
between workstations is not required when the two stations
are located close enough to allow visible and audible contact
between the operators.
Sec.3 [2.2] The requirements for power supplies to control, monitoring and
safety systems is amended / clarified in line with the general
redundancy principles of the machinery rules and the general
requirements of the electrical rules.
Sec.4 [3.3.1] Network test and verification - more guidance is provided
for the network analysis and network storm testing which is
required for control system networks.
January 2017 edition
Main changes January 2017, entering into force 1 July 2017
• General
— The term control and monitoring is generally replaced with control, monitoring and safety to emphasize
that the rules also apply to safety systems.
• Sec.1
— The description of the classification principles for control, monitoring and safety systems is elaborated and
amended to clarify the general requirements for type approval and certification.
— Sec.1 [1.4.1]: the list of systems to be certified are updated to reflect also the optional class notations.
— Sec.1 [3.1.3]: the documentation requirements are amended to emphasize the functional failure analysis.
— Sec.1 Table 6: a software security policy shall be part of the required software quality plan.
• Sec.2
— Certain requirements related to arrangement and segmentation of field instrumentation are deleted.
DNV AS
• Sec.3
— Sec.3 [1.1.3]: the requirement for independency between alarm, control and safety systems is amended.
October 2015 edition
This was a new edition in October 2015 and has been amended latest in July 2016.
Amendments July 2016
• General
— Only editorial corrections have been made.
Amendments January 2016
• General
— Only editorial corrections have been made.
DNV AS
About DNV
DNV is the independent expert in risk management and assurance, operating in more than 100
countries. Through its broad experience and deep expertise DNV advances safety and sustainable
performance, sets industry benchmarks, and inspires and invents solutions.
Whether assessing a new ship design, optimizing the performance of a wind farm, analyzing sensor
data from a gas pipeline or certifying a food company’s supply chain, DNV enables its customers and
their stakeholders to make critical decisions with confidence.
Driven by its purpose, to safeguard life, property, and the environment, DNV helps tackle the
challenges and global transformations facing its customers and the world today and is a trusted
voice for many of the world’s most successful and forward-thinking companies.
WHEN TRUST MATTERS

DNV Ru Ship Pt.4 Ch.9

Uploaded by

Copyright:

Available Formats

DNV Ru Ship Pt.4 Ch.9

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DNV Ru Ship Pt.4 Ch.9

Uploaded by

Copyright:

Available Formats

What are the main changes described in the document?

What are the main changes described in the document?

What are the main sections covered in the document?

What are the main sections covered in the document?

This copy of the document is intended for use by Bartosz Kurecki only. Downloaded 2022-01-14.

No further distribution shall be made.

Topic Reference Description

Integrated control systems - Sec.2 [1.3.2] When emergency stop for an electrical consumer is required

Command and alarm Sec.2 [1.4.4] When command privileges are implemented in a management

Manual activation of safety Sec.3 [1.3.3] The general principles of command transfer do not apply to

Transfer of command from Sec.3 [1.3.6] When command privileges are transferred between remote

Electromagnetic compatibility Sec.5 Table 4 Amended frequency range and specification of limits.

Rebranding to DNV All This document has been revised due to the rebranding of DNV

Section 1 General requirements..............................................................................7

Section 2 Design principles................................................................................... 20

Section 3 System design....................................................................................... 23

Section 6 User interface........................................................................................49

Service Effects upon failure System functionality

Object Documentation type Additional description Info

Object Documentation type Additional description

Parameter Class Location

Class Ambient temperatures Test temperatures

Electrostatic discharge (ESD) IEC 61000-4-2 B 6 kV contact/8 kV air

Identification of systems that Sec.1 [1.4.2] The certification requirements for control and monitoring

Safety management systems Sec.1 Table 2, Sec.1 The term 'management systems' is intended to cover additional

Integrated control systems Sec.1 Table 3 When multiple functions are integrated, a single failure should

Approval of manufacturer Sec.1 [1.5], Sec.1 The approval of manufacturer scheme for systems and

Software and hardware change Sec.1 Figure 1 The change management process is illustrated in a figure to

Certification and test Sec.1 [4] The requirements for certification and testing are clarified

Electronic governors Sec.2 [1.2.3] The requirement for powering of electronic governors has been

Response to failures Sec.2 [2.1.2] Earth failure detection is required for essential systems. The

Alarm silence Sec.3 [1.5.6] Clarification of the alarm silence and acknowledge functionality.

Cyber security Sec.4 [1.3.2], Sec.4 The basic aspects of cyber security are clarified and

General update and Sec.1 [1.5.5] The requirements for the software change handling procedure

You might also like