DNV Ship rules Pt.4 Ch.9 - Instrumentation and Automation

RULES FORCLASSIFICATION OF

SHIPS / HIGH SPEED, LIGHT CRAFT ANDNAVAL SURFACE CRAFT

NEWBUILDING

MACHINERY AND SYSTEMSMAIN CLASS

PART 4 CHAPTER 9

INSTRUMENTATION AND AUTOMATIONJANUARY 2003

CONTENTS PAGE

Sec. 1 General Requirements ................................................................................................................ 5Sec. 2 Design Principles ..................................................................................................................... 12Sec. 3 System Design ......................................................................................................................... 14Sec. 4 Additional Requirements for Computer Based Systems ......................................................... 17Sec. 5 Component Design and Installation ......................................................................................... 20Sec. 6 User Interface .......................................................................................................................... 25

DET NORSKE VERITAS

Veritasveien 1, N-1322 Høvik, Norway Tel.: +47 67 57 99 00 Fax: +47 67 57 99 11

CHANGES IN THE RULES

General

This booklet is a reprint of the previous edition and apart from clari-fications of text and the inclusion of amendments and corrections,published in the July 2002 edition of Pt.0 Ch.1 Sec.3, no other chang-es have been made.

This chapter is valid until superseded by a revised chapter. Supple-ments will not be issued except for an updated list of minor amend-ments and corrections presented in Pt.0 Ch.1 Sec.3. Pt.0 Ch.1 isnormally revised in January and July each year.

Revised chapters will be forwarded to all subscribers to the rules.Buyers of reprints are advised to check the updated list of rule chap-ters printed in Pt.0 Ch.1 Sec.1 to ensure that the chapter is current.

Comments to the rules may be sent by e-mail to [email protected] subscription orders or information about subscription terms, please use [email protected] information about DNV and the Society's services is found at the Web site http://www.dnv.com

© Det Norske VeritasComputer Typesetting (FM+SGML) by Det Norske Veritas Printed in Norway

If any person suffers loss or damage which is proved to have been caused by any negligent act or omission of Det Norske Veritas, then Det Norske Veritas shall pay compensation to such personfor his proved direct loss or damage. However, the compensation shall not exceed an amount equal to ten times the fee charged for the service in question, provided that the maximum compen-sation shall never exceed USD 2 million.In this provision "Det Norske Veritas" shall mean the Foundation Det Norske Veritas as well as all its subsidiaries, directors, officers, employees, agents and any other acting on behalf of DetNorske Veritas.

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003 Pt.4 Ch.9 Contents –

CONTENTS

SEC. 1 GENERAL REQUIREMENTS .......................... 5

A. Classification..........................................................................5A 100 Rule applications...............................................................5A 200 Classification principles....................................................5A 300 Alterations and additions ..................................................5A 400 Assumptions......................................................................5

B. Definitions ..............................................................................5B 100 General terms ....................................................................5B 200 Terms related to computer based system ..........................6

C. Documentation ......................................................................6C 100 General ..............................................................................6C 200 Documentation types ........................................................7C 300 Type approved products....................................................8C 400 Plans and particulars, ships ...............................................8C 500 Plans and particulars, HS, LC and NSC ...........................9

D. Tests......................................................................................10D 100 General ............................................................................10D 200 Software module testing .................................................10D 300 Integration testing ...........................................................11D 400 System testing .................................................................11D 500 On-board testing..............................................................11

SEC. 2 DESIGN PRINCIPLES .................................... 12

A. System Configuration ........................................................12A 100 General ............................................................................12A 200 Field instrumentation ......................................................12A 300 System.............................................................................12A 400 Integrated system ............................................................12A 500 Redundancy.....................................................................12A 600 Additional requirements for HS, LC and NSC ...............12

B. Maximum Unavailable Time..............................................12B 100 General ............................................................................12B 200 Continuous availability (R0)...........................................12B 300 High availability (R1) .....................................................13B 400 Manual system restoration (R2)......................................13B 500 Repairable systems (R3) .................................................13

C. Response to Failures ...........................................................13C 100 Failure detection..............................................................13C 200 Fail-to-safety ...................................................................13

D. Emergency Operation.........................................................13D 100 Local control ...................................................................13D 200 Manual emergency operation..........................................13

SEC. 3 SYSTEM DESIGN ............................................ 14

A. System Elements .................................................................14A 100 General ............................................................................14A 200 Automatic control ...........................................................14A 300 Remote control................................................................14A 400 Safety ..............................................................................14A 500 Alarms.............................................................................14A 600 Pre-warning.....................................................................15A 700 Indication ........................................................................15A 800 Planning and reporting ....................................................15A 900 Calculation, simulation and decision support .................15

B. General Requirements........................................................15B 100 System operation and maintenance.................................15B 200 Power distribution...........................................................15

C. Additional Requirements for System Design of HS, LC and NSC ...............................................................................16

C 100 Safety ..............................................................................16C 200 Alarm ..............................................................................16

SEC. 4 ADDITIONAL REQUIREMENTS FOR COMPUTER BASED SYSTEMS .................... 17

A. General Requirements ....................................................... 17A 100 System dependency.........................................................17A 200 Storage devices ...............................................................17A 300 Computer usage ..............................................................17A 400 System response and capacity.........................................17A 500 Temperature control........................................................17A 600 System maintenance........................................................17A 700 System access..................................................................17

B. System Software ................................................................. 17B 100 Software requirements ....................................................17B 200 Software manufacturing..................................................18

C. User Interface ..................................................................... 18C 100 General ............................................................................18C 200 Illumination.....................................................................18C 300 Colour screens.................................................................18

D. Data Communication Links .............................................. 18D 100 General ............................................................................18D 200 Local area networks ........................................................19D 300 Local area networks designed with redundancy ............19D 400 Instrument net .................................................................19D 500 Interconnection of networks ...........................................19

SEC. 5 COMPONENT DESIGN AND INSTALLATION ............................................... 20

A. General ................................................................................ 20A 100 Environmental strains .....................................................20A 200 Materials .........................................................................20A 300 Component design and installation.................................20A 400 Maintenance, checking ...................................................20A 500 Marking...........................................................................20A 600 Standardising...................................................................20

B. Environmental Conditions, Instrumentation .................. 20B 100 General ............................................................................20B 200 Electric power supply .....................................................21B 300 Pneumatic and hydraulic power supply ..........................21B 400 Temperature ....................................................................21B 500 Humidity .........................................................................21B 600 Salt contamination ..........................................................21B 700 Oil contamination............................................................21B 800 Vibrations........................................................................21B 900 Inclination .......................................................................22B 1000 Electromagnetic compatibility ........................................22B 1100 Miscellaneous .................................................................23

C. Electrical and Electronic Equipment ............................... 23C 100 General ............................................................................23C 200 Mechanical design, installation.......................................23C 300 Protection provided by enclosure....................................23C 400 Cables and wires .............................................................23C 500 Cable installation ............................................................23C 600 Power supply...................................................................23C 700 Fibre optic equipment .....................................................23

SEC. 6 USER INTERFACE ......................................... 25

A. General ................................................................................ 25A 100 Application......................................................................25A 200 Introduction.....................................................................25A 300 Definitions.......................................................................25

B. Workstation Design and Arrangement ............................ 25B 100 Location of visual display units and user

input devices ...................................................................25B 200 Allocation of functions to screen based systems ............26

C. User Input Device and Display Unit Design .................... 26C 100 User input devices...........................................................26C 200 Visual display units.........................................................26

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003Pt.4 Ch.9 Contents –

C 300 Colours ............................................................................26C 400 Requirements for preservation of night vision................27

D. Additional Requirements to Screen Based Systems ........ 27D 100 Computer dialogue..........................................................27D 200 Application screen views ................................................27

E. Design of Workplace for Permanently Manned Workstations ....................................................................... 27

E 100 General ............................................................................27

F. Work Environment for Permanently Manned Workstations .......................................................................27

F 100 Vibration .........................................................................27F 200 Noise ...............................................................................28F 300 Lighting...........................................................................28F 400 Temperature ....................................................................28F 500 Ventilation.......................................................................28F 600 Surfaces...........................................................................28F 700 Colours ............................................................................29F 800 Safety of personnel..........................................................29

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003 Pt.4 Ch.9 Sec.1 –

SECTION 1GENERAL REQUIREMENTS

A. Classification

A 100 Rule applications

101 The requirements of this chapter, with the exception ofSec.6, are to apply to all instrumentation and automation re-quired by the rules.

Guidance note:Additional requirements for specific applications will be givenunder rules governing those applications.

---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

Guidance note:With regards to requirements related to electromagnetic radia-tion, a general reference is made to Classification Note 45.1.


102 All instrumentation and automation systems installed,but not necessarily required by the rules, that may have an im-pact on the safety of main functions (listed in Pt.1 Ch.1 of theRules for Classification of Ships), are to meet the requirementsof this chapter, with the exception of Sec.6.

103 The requirements in Sec.6 only apply if referred to in theadditional class notations.

104 Text quoted from the International Code of Safety forHigh-Speed Craft (HSC Code) is printed in italics.

A 200 Classification principles

201 Classification of instrumentation and automation sys-tems is generally to be according to the following principles:

— document assessment— on-board inspection (visual inspection and functional test-

ing).

Guidance note:The approval may be either case-by-case approval for each unit,or type approval as specified in Certification Notes 1.2 and 2.4.


202 Essential and important computer based systems arenormally to be provided with a product certificate. Exemptionis given for type approved systems unless required in the typeapproval certificates. The certification procedure normallyconsists of:

Approval

— document evaluation— approval of performance according to functional require-

ments based on approved test programs (Approval test ofapplication software)

— verification of correct implementation of the plan for soft-ware manufacturing

— issue Approval test of application software statement

Manufacturing survey

— survey of hardware and software— issue certificate.

Guidance note:Type approval of systems includes hardware and applicationsoftware.


A 300 Alterations and additions301 When an alteration or addition to the approved system(s)is proposed, plans are to be submitted for approval. The alter-ations or additions are to be carried out under survey and theinspection, testing and installation are to be to the surveyor'ssatisfaction.

A 400 Assumptions401 The rules of this chapter are based on the assumptionsthat the personnel using the equipment to be installed on boardis familiar with the use of, and able to operate this equipment.

B. Definitions

B 100 General terms101 Alarm is for warning of an abnormal condition and is acombined visual and audible signal, where the audible partcalls the attention of personnel, and the visual part serves toidentify the abnormal condition.

102 A pre-warning indicates an equipment under control(EUC) or system state that needs attention.

103 Safety shutdown is a safety action that will be initiatedupon EUC failure and is to result in the shutting down of theEUC or part of the EUC in question.

104 A system includes all components necessary for moni-toring, control and safety, including sensors and actuators. Asused in this chapter, system is short for instrumentation and au-tomation system. A system includes all resources required tosupport one specific function, including:

— the field instrumentation of one or more process segments— all necessary resources needed to maintain the function in-

cluding system monitoring and adequate self-check— all user interfaces.

105 An essential instrumentation and automation system(hereafter called essential system) is a system supportingequipment which needs to be in continuous operation for main-taining the vessel's propulsion and steering functions. The def-inition essential system may also apply to other functions whenthese are defined in the rules, e.g. the emergency shut-down(ESD) system for a floating production vessel.

106 An important instrumentation and automation system(hereafter called important system) is a system supportingequipment which need not necessarily be in continuous opera-tion, but which is necessary to maintain the vessel's main func-tions as defined in Pt.1 Ch.1 Sec.2 of the Rules forClassification of Ships or which according to these rules issubject to approval when installed.

107 Non-important instrumentation and automation systems(hereafter called non-important systems) are systems support-ing functions for which the Society has no requirements ac-cording to relevant definitions in the rules.

108 Field instrumentation comprises all instrumentation thatforms an integral part of a process segment to maintain a func-tion.

The field instrumentation includes:

— sensors, actuators, local control loops and related localprocessing as required to maintain local control and mon-itoring of the process segment

— user interface for manual operation (when required).

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003Pt.4 Ch.9 Sec.1 –

Other equipment items do not, whether they are implementedlocally or remotely, belong to the field instrumentation. Thisapplies to data communication and facilities for data acquisi-tion and pre-processing of information utilised by remote sys-tems.

109 A process segment is a collection of mechanical equip-ment with its related field instrumentation, e.g. a machinery ora piping system.

Process segments belonging to essential systems are referredto as essential.

110 An integrated system is a combination of computerbased systems which are interconnected in order to allow com-mon access to sensor information and/or command and con-trol.

111 User is any human being that will use a system or de-vice, e.g. captain, navigator, engineer, radio operator, stock-keeper, etc.

112 Workstation is a position at which one or several func-tions constituting a particular activity are carried out.

113 Maximum unavailable time is the maximum duration oftime the function is allowed to be unavailable, i.e. the maxi-mum permissible time lag involved in restoring lost functionupon failure.

114 Equipment under control (EUC) is the mechanicalequipment (machinery, pumps, valves, etc.) or environment(smoke, fire, waves, etc.) monitored and/or controlled by an in-strumentation and automation system.

115 Process is the result of the action done by the EUC.

116 Indications are the visual presentation of values for theEUC or system status to a user (lamps, dials, VDU displays,etc.).

117 Uninterruptible power supply (UPS) is a device supply-ing output power in some limited time period after loss of inputpower with no interruption of the output power.

118 Independent systems: see Sec.2 A201.

119 Redundancy in systems: see Sec.2 A501.

120 "Remote control systems" comprise all equipment nec-essary to operate units from a control position where the oper-ator cannot directly observe the effect of his actions.

(HSC Code 11.1.1)

121 "Back-up control systems" comprise all equipment nec-essary to maintain control of essential functions required for thecraft's safe operation when the main control systems havefailed or malfunctioned.

(HSC Code 11.1.2)

B 200 Terms related to computer based system201 A complex system is a system for which all functionaland failure response properties for the completed system can-not be tested with reasonable efforts. Units and systems han-dling application software belonging to several functions, andsoftware that includes simulation, calculation and decisionsupport modules are normally considered as complex.

202 Computer includes any programmable electronic sys-tem, including main-frame, mini-computer or micro-compu-ter.

203 Computer based system serving an essential or impor-tant function: The function can be in operation without supportfrom the computer system, i.e. the computer is not part of thefunction.

204 Computer based system as part of an essential or impor-tant function: The function can not be in operation withoutsupport from the computer system, i.e. the computer is part ofthe function.

205 Visual display unit (VDU) is any area where information

is displayed including indicator lamps or panels, instruments,mimic diagrams, Light emitting diode (LED) display, Cathoderay tube (CRT), and Liquid crystal display (LCD).

206 User input device (UID) is any device from which a usermay issue an input including handles, buttons, switches, key-board, joystick, pointing device, voice sensor and other controlactuators.

207 A unit is an entity of hardware, software, or both.

208 A software module is an assembly of code and data witha defined set of input and output, intended to accomplish afunction and where verification of intended operation is possi-ble through documentation and tests.

209 Basic software is the software necessary for the hard-ware to support the application software.

Guidance note:Basic software normally includes the operating system and addi-tional general software necessary to support the general applica-tion software and project application software.


210 General application software is computer software per-forming general tasks related to the EUC being controlled ormonitored, rather than to the functioning of the computer itself.

211 Project application software is computer software per-forming tasks related to the actual EUC for a specific project.

212 A computer task is, in a multiprocessing environment,one or more sequences of instructions treated by a control pro-gram as an element of work to be accomplished by a computer.

213 Data communication links includes point to point links,instrument net and local area networks, normally used for in-ter-computer communication on board vessels.

A data communication link includes all software and hardwarenecessary to support the data communication.

Guidance note:For local area networks, this includes network controllers, net-work transducers, the cables and the network software on allnodes.


214 A node is as process segment or a part of the system con-nected as part of the data communication link.

215 A point to point link is used for data communication be-tween two dedicated nodes.

216 A local area network is used for data communication be-tween the field instrumentation and the other parts of a system,and between different systems.

217 An instrument net is used for data communication with-in the field instrumentation connecting instruments in a net-work.

218 Multifunction VDUs and UIDs are VDUs and UIDs thatare used for more than one essential and/or important functionfor both control and monitoring, e.g. VDUs and UIDs used forintegrated computer systems.

C. Documentation

C 100 General101 The documentation listed in 102 to 104 is to be submit-ted as detailed in 400 to 600. The documentation is to be sub-mitted in triplicate for approval, except the manuals markedwith *, where one copy is to be submitted for information only.

102 Documentation required to describe each instrumenta-tion system is to be selected from the documentation types list-ed below:

DET NORSKE VERITAS


— functional description— system block diagrams— system diagrams (Piping and Instrument Diagrams

(P&IDs), Duct and Instrument Diagrams (D&IDs), etc.)— user interface documentation*— power supply arrangement— arrangement and layout— cable routing layout drawing— instrument and equipment list— data sheets with environmental specifications— data sheets with performance and accuracy specifications— operation manual*— installation manual*— maintenance manual*.

103 Additional requirements for computer based systems:

— system philosophy (integrated system only)— failure mode description— test program for software at the manufacturer.

104 A description of all tests that are to be carried out at theharbour and sea trials, together with the acceptance criteria foreach test, is to be submitted to the local DNV station. See alsosubsection D.

105 Additional requirements for High Speed, Light Craftand Naval Surface Craft:

— failure mode and effect analysis (FMEA).

106 The documentation is to be limited to describe and ex-plain the relevant aspects governed by the rule requirements.

Guidance note:A document may cover more than one instrumented system. Adocument may cover more than one documentation type.


107 Symbols used are to be explained, or reference to astandard code is to be given.

C 200 Documentation types

201 GeneralThe documentation type number together with identification ofthe instrumentation system (see 400 to 600) can be used as aunique identifier for the document. The "T" indicates that thedocumentation type is required also for instrumentation sys-tems where type approved components or software modulesare used (see 300).

202 System philosophy(documentation type 020) (T)A document describing the purpose of the system and the prin-ciples that will be used in the technical implementation of thesystem.

203 Functional description(documentation type 030)

— a description of all functions incorporated in the system— a description of all interfaces towards other systems, in-

cluding the information carriers' characteristics— one-line diagrams for systems that are not computer based

Additionally for computer based systems:

— a description of the communication software installed onnodes in a network

— switching mechanisms for systems designed with redun-dancy.

204 System block diagrams

(documentation type 040) (T)Drawings showing the major inter-relationships between allparts (units, modules) of the system and interfaces with othersystems.

For computer based system, independence for systems andsensors is to be shown, when such independence is required.

205 System diagrams (P&IDs, D&IDs, etc.)(documentation type 050) (T)Schematic drawings showing the layout of the process includ-ing all instruments and control devices.

206 User interface documentation(documentation type 060)A drawing showing the physical layout and dimensions of eachcontrol station. A description of the functions allocated to eachkeyboard and screen. A description of individual screen views(schematics, colour prints, etc.). A description of how menusetc. are operated. A list of all alarms and operator messages.Where the alarms or messages are not self-explanatory addi-tional explanations are to be included.

207 Power supply arrangement(documentation type 070) (T)A drawing showing the power supply from main and back-upsource (if provided).

— electrical supply: diagram showing connection to distribu-tion board(s), batteries, converters or UPS, cable type andcross sectional area, and fuse sizes

— pneumatic supply: diagram showing connection to com-pressor(s), accumulators, reduction valves, dust filter andmoisture filter, pipe ratings and dew point

— hydraulic supply: diagram showing connection to hydrau-lic power unit(s), accumulators, pumps and filters, andpipe ratings.

208 Arrangement and layout(documentation type 080) (T)Drawings showing the physical location of all key componentsin the system.

209 Cable routing layout drawing(documentation type 090) (T)A drawing showing the physical routing of all cables being apart of the system. Where relevant, the drawing is also to showhow the requirements to ensure electromagnetic compatibility(EMC) stated in Sec.5 are implemented with respect to cableshielding, separation and routing.

210 Instrument and equipment list(documentation type 100)A list stating for each key component as applicable:

— system— name of manufacturer— type etc., necessary to identify the component— working range— set points— cross reference identification (tag number) to "system dia-

grams (P&IDs, D&IDs, etc.)"— reference to type approval certificate— reference to Ex certificate— safe installation distance to magnetic compass (bridge

mounted equipment only)— for computer based systems: I/O module number.

211 Data sheets with environmental specifications(documentation type 110)Data sheets showing for each key component conformancewith the requirements for environmental conditions stipulatedin Sec.5.

DET NORSKE VERITAS


212 Data sheets with performance and accuracy specifica-tions(documentation type 115)Data sheets showing for each key component performance andaccuracy specifications.

213 For ships: Failure mode description(documentation type 130) (T)A document describing the effects due to failures in the sys-tems (not failures in the equipment supported by the systems).The following aspects are to be covered:

— a list of failures which are subject to assessment, with ref-erences to the system documentation

— a description of the system response to each of the abovefailures

— a comment to the consequence of each of these failures.

Guidance note:It is recommended to do this description in two steps:

a) System level: Units, as shown in a system block diagram,should be identified. Each unit should be allocated a set ofproperties to reflect their expected response in case of sys-tem failures. The total system failure response to variousfailures to be described based on these unit descriptions.

b) Unit level: Essential units should be subject to separate as-sessment, with the purpose to verify that they, in case of fail-ures, respond according to their expected failure response.


214 For HS, LC and NSC: Failure mode and effect analysis(FMEA) (documentation type 135) (T)See Rules for Classification of High Speed, Light Craft andNaval Surface Craft, Pt.0 Ch.4 Sec.2.

215 Test program for application software at manufacturer(documentation type 140 (T)A description of all tests that are to be carried out at the manu-facturer's works on the software together with acceptance cri-teria for each test. The tests are to cover all functions identifiedin the documentation related to software and all normal failuremodes. See also subsection D.

216 Operation manual*(documentation type 160)A document intended for regular use on board, providing in-formation as applicable about:

— operation mode for normal system performance, related tonormal and abnormal performance of the EUC

— operating instructions for normal and degraded operatingmodes

— details of the user interface— transfer of control— redundancy— test facilities— failure detection and identification facilities (automatic

and manual)— data security— access restrictions— special areas requiring user attention— procedures for start-up— procedures for restoration of functions— procedures for data back-up— procedures for software re-load and system regeneration.

217 Installation manual*(documentation type 170)A document providing information about the installation pro-cedures.

218 Maintenance manual(documentation type 180)A document intended for regular use on board providing infor-mation about:

— maintenance and periodical testing— acceptance criteria— fault identification and repair— list of the suppliers' service net.

219 For ships: Cause and effect diagram(documentation type 190) (T)A matrix showing all inputs (causes) to a system and all corre-sponding outputs (effects). This documentation type is rele-vant for safety shutdown systems. Where more than one sheetis necessary for the matrix, the cause and effect diagram is tobe organised according to physical areas of the vessel. Allcauses and effects are to be given a descriptive text, and are tobe easily traceable to the corresponding arrangement and lay-outs, system diagrams (P&IDs, D&IDs, etc.) or electrical sin-gle line diagrams. Information about fail-safe mode is to beincluded for all input and output lines, see also "Schematic di-agrams of input and output circuits".

220 For ships: Schematic diagrams of input and output cir-cuits(documentation type 200) (T)For each type of input and output device, a typical electricalschematic drawing. For each individual input and output de-vice, information about fail-safe mode (normally energised ornormally deenergised operation) and what kind of line moni-toring that is implemented (line break, short circuit and/orearth fault).

C 300 Type approved products301 For type approved components or software modules,reference is to be made to the type approval certificate number,the manufacturer's name and product type identification.

Guidance note:Documentation that has been approved during the type approvalprocess is not to be submitted, unless it has been revised.


302 For systems where type approved components or soft-ware modules are incorporated, only the documentation typesmarked with "T" in 200 are to be submitted. However, docu-mentation types not marked with "T" is also to be submitted iftheir contents vary for different deliveries of the component orsoftware module.

303 For type approved systems, where different options existfor the configuration, the type approval certificate is to be com-pleted with information about the components and softwaremodules that are incorporated.

C 400 Plans and particulars, ships401 For 1A1 ships, documentation is to be submitted ac-cording to Table C1. The upper row of Table C1 refers to thedocumentation types defined in 200.

402 Requirements for documentation of additional class no-tations are stated in Pt.5 and Pt.6.

DET NORSKE VERITAS


C 500 Plans and particulars, HS, LC and NSC501 For 1A1 High Speed, Light Craft and Naval SurfaceCraft, documentation is to be submitted according to Table C2.

The upper row of Table C2 refers to the documentation typesdefined in 200.

502 Requirements for documentation of additional class no-tations are stated in Pt.5 and Pt.6.

Table C1 Requirements for documentation of 1A1 ships020 030 040 050 060 070 080 090 100 110 115 120 130 140 150 160 170 180 190 200

AUX X X X X X XBOC X X X X X X XICM X X X X XMAS X X X X X X X XLKA X X XMCH X X X X X X X XMCR X X X X X X X XPMS X X X X XSGC X X X X X X X X XSID X X X X X X XTEL X X XTRU X X X X X X X X X XWDO X X X X X Instrumentation systems: Documentation types:AUX Auxiliary engine control and monitoringBOC Oil-fired boilers, thermal oil heaters and water heaters con-

trol and monitoringICM Incinerators control and monitoringLKA Leak detection systemMAS Main alarm, control and monitoring systemMCH Propulsion control and monitoringMCR Remote control of propulsionPMS Power management systemSGC Steering gear control and monitoringSID Side (auxiliary) thrusters control and monitoringTEL Internal communication systemsTRU Propulsion thrusters control and monitoringWDO Watertight doors and hatches control and monitoring

020 System philosophy (T)030 Functional description040 System block diagrams (T)050 System diagrams (P&IDs, D&IDs, etc.) (T)060 User interface description070 Power supply arrangement (T)080 Arrangement and layout (T)090 Cable routing layout drawing (T)100 Instrument and equipment list 110 Data sheets with environmental specifications130 Failure mode description (T)140 Test program for application software at manufacturer (T)

T Required also for type approved systems

DET NORSKE VERITAS


D. Tests

D 100 General

101 All tests are to be according to test programs approvedby the Society.

102 Approval tests according to 200, 300 and 400 are to beperformed at the manufacturers works.

The following is to be evaluated during approval test of appli-cation software:

— tools for system set-up and configuration of the EUC— plan for software development and production, see also

Sec.4 B200.

103 The tests and visual examinations are to verify that allrelevant rule requirements are met. The tests are only to coverrequirements given by these rules. The test programs are tospecify in detail how the various functions are to be tested andwhat is to be observed during the tests.

104 Failures are to be simulated as realistically as possible,preferably by letting the monitored parameters exceed thealarm and safety limits. Alarm and safety limits are to bechecked.

105 It is to be verified that all automatic control functions areworking satisfactorily during normal load changes.

D 200 Software module testing201 Documentation of compliance with software module

Table C2 Requirements for documentation for 1A1 High Speed, Light Craft and Naval Surface Craft 020 030 040 050 060 070 080 090 100 110 115 120 135 140 150 160 170 180

AUX X X X X X XDSY X X X X X X X XFDO X X X X XGAL X X X X X XMAS X X X X X1) X X XMCH X X X X X X XMCR X X X X X X XPMS X X X X XSID X X X X X X XSSY X X X X X X X XTEL X X X XTVS X X X XWDO X X X XIn addition for class notation E0:BIC X X XBLC X X XEPC X X X X XFUO X XHYD X XLUO X XPNE X XSWC X X Instrumentation systems Documentation typesAUX Auxiliary engine control and monitoringBIC Bilge system control and monitoringBLC Ballast system control and monitoringDSY Directional control system control and monitoringEPC Generator and electrical power system control and mon-

itoringFDO Fire doors control and indication systemFUO Fuel oil system control and monitoringGAL General alarm / public address systemHYD Hydraulic power system control and monitoringLUO Lubricating oil system control and monitoringMAS Main alarm, control and monitoring systemMCH Propulsion control and monitoringMCR Remote control of propulsionPMS Power management systemPNE Pneumatic control and monitoring systemSID Side (auxiliary) thrusters control and monitoringSSY Stabilisation system control and monitoringSWC Sea and fresh water system control and monitoringTEL Internal communication systemsTVS Television surveillance systemWDO Watertight doors and hatches control and monitoring

020 System philosophy (T)030 Functional description040 System block diagrams (T)050 System diagrams (P&IDs, D&IDs, etc.) (T)060 User interface description070 Power supply arrangement (T)080 Arrangement and layout (T)090 Cable routing layout drawing (T)1)

100 Instrument and equipment list 110 Data sheets with environmental specifications135 Failure mode and effect analysis (FMEA) (T)140 Test program for application software at manufacturer (T)

T Required also for type approved systems

1) Network cables only

DET NORSKE VERITAS


testing according to requirements for software manufacturingas described in Sec.4 B200 is to be available in connection withsurvey at manufacturers' works.

D 300 Integration testing301 Integration tests includes integration of hardware com-ponents into hardware units and integration of software mod-ules in the same hardware unit.

302 Integration tests are to be done with the actual softwareand hardware to be used on board and are to include:

a) Hardware tests

— hardware failures.

b) Basic software tests

— basic software failures.

c) Application software tests.

d) Function tests of normal system operation and normalEUC performance, in accordance with the rules. Functiontests are also to include a degree of performance testingoutside of the normal operating parameters.

e) User interface tests.

Guidance note:The tests may be done on a representative test system if the com-puter hardware is type approved.


D 400 System testing401 System tests includes the entire system, integrating all

units. The tests may also include several systems.

402 System tests are to be done with the software installedon the actual systems to be used on board, interconnected todemonstrate the functions of the systems with several units and/ or the functions of several systems.

Guidance note:The tests may be done on a representative test system if the com-puter hardware is type approved.


403 The tests are to include those tests which were not /could not be completed on unit level.

D 500 On-board testing

501 The tests are to include:

a) During installation the correct function of individualequipment packages, together with establishment of cor-rect parameters for alarm, control and safety (time con-stants, set points, etc.).

b) During installation and sea trials, the correct function ofsystems and integration of systems, including the ability ofthe control systems to keep any EUC within the specifiedtolerances.

c) The correct protection and capacity of power supplies.

502 A copy of the approved test programme is to be kept onboard. It is to be completed with final set points and endorsedby the surveyor.

503 The test program for harbour and sea trials is to be ap-proved by the local DNV station.

DET NORSKE VERITAS


SECTION 2DESIGN PRINCIPLES

A. System Configuration

A 100 General

101 Whenever possible, essential and important systems areto be so arranged that a single failure in one system of one unitcannot spread to another unit (e.g. by use of selective fusing ofelectrical distribution systems).

A 200 Field instrumentation

201 The field instrumentation belonging to separate essentialprocess segments are to be mutually independent.

Guidance note:System B is independent of system A when any single systemfailure occurring in system A has no effect on the maintained op-eration of system B. A single system failure occurring in systemB may effect on the maintained operation of system A.Two systems are mutually independent when a single systemfailure occurring in either of the systems has no consequences forthe maintained operation of the other system according to above.Redundancy may provide the necessary independence. See 400.


202 The alarm system, automatic control system and safetyshutdown system are to be designed mutually independent un-less redundancy is provided and an alarm is given when the re-dundancy is lost.

203 When the field instrumentation of a process segment iscommon for several systems, and any of these systems is es-sential, failures in any of the systems are not to affect this fieldinstrumentation.

204 When manual emergency operation of an essential proc-ess segment is required, the field instrumentation required forthe manual emergency operation is to be independent of otherparts of any system.

205 When traditional mechanical components are replacedby electronic components, these components are to have thesame reliability as the mechanical component being replaced.

Guidance note:Electronic governors should have their power supply independ-ent of other consumers and maximum unavailable time of R0.Governors, which keep the last position upon power failure, areregarded as fulfilling the above. Speed sensor cabling should bemechanically well protected.Electric and electronic fuel injectors should be designed to per-mit the necessary functionality, in case of the most probable fail-ures.


A 300 System

301 For an essential system having more than one processsegment, failure in the field instrumentation of one processsegment is not to result in failure for the remaining parts of thesystem.

A 400 Integrated system

401 Essential systems, excluding common process seg-ments, are to be independent of other systems.

402 Non-important systems or parts of non-important sys-tems which may affect essential or important systems are tomeet the requirements for important systems.

403 UIDs for control are only to be available on workstationsfrom where control is permitted.

404 At least two interchangeable multifunction VDUs andUIDs are to be available at each control station.

Guidance note:The number of units at control stations are to be sufficient to en-sure that all functions may be provided for with any one unit outof operation, taking into account any functions which are re-quired to be continuously available.


A 500 Redundancy501 Redundancy, e.g. manual operating facilities, is to bebuilt in to the extent necessary for maintaining the safe opera-tion of the vessel. Changeover to systems, designed with re-dundancy, is to be simple even in cases of failure to control andmonitoring systems.

Guidance note:Redundancy is defined as two mutually independent systems thatcan maintain a function. The two systems may be of a differenttype or have different functionality. See also definition in Ch.1 ofthe Rules for Classification of Ships.Due regard should be taken as to manning levels when consider-ing the extent and availability of spare parts and the degree of re-dundancy to be employed. This is in order to ensure continuity ofoperation upon failure of the instrumentation equipment.


502 Automatic switching between two systems is not to bedependent on only one of the systems.

A 600 Additional requirements for HS, LC and NSC601 Failure of any remote or automatic control systemsshould initiate an audible and visual alarm and should not pre-vent normal manual control.

(HSC Code 11.2.1)

602 Manoeuvring and emergency controls should permit theoperating crew to perform the duties for which they are respon-sible in a correct manner without difficulty, fatigue or excessiveconcentration.

(HSC Code 11.2.2)

B. Maximum Unavailable Time

B 100 General101 The time needed to bring a system back in operationupon a failure condition, is to be adapted to the redundancy re-quirements imposed on the system served (see Ch.1 Sec.3 B ofthe Rules for Classification of Ships).

102 Typical maximum unavailable times for the differentcategories are found in Table B1.

103 The requirements in 200 to 500 only apply for systemsof maximum unavailable time category R0, R1, R2 or R3.

B 200 Continuous availability (R0)201 A system serving a function that is to be continuously

Table B1 Maximum unavailable timeR0 NoneR1 30 sR2 10 minutesR3 3 hours

DET NORSKE VERITAS


available is to be designed to provide no interrupts of the func-tion neither in normal operation modes nor in case of a singlesystem failure.

202 Changeover between redundant systems is to take placeautomatically and with no disturbances for the continuous op-eration of the function in case of system failure. User requestedchangeovers are to be simple and easily initiated and take placewith no unavailable time for the function.

203 User interfaces of redundant systems are to allow super-vision of both systems from the same position.

B 300 High availability (R1)301 A system serving a function that is to have high availa-bility, is to be designed to provide continuous availability innormal operation modes.

302 In case of system failures, changeover between redun-dant systems is to take place automatically if redundancy is re-quired. User requested changeover in normal operation is to besimple and easily initiated and take place within the same max-imum time.

303 User interfaces of redundant systems are to be locatedclose to each other and changeover between the systems is tohave no significant effect on the user's maintained execution ofother tasks.

B 400 Manual system restoration (R2)401 A system serving a function that requires manual systemrestoration is to be designed to provide restoration of the func-tion within a maximum time specified for R2, in case of systemfailures.

Guidance note:Restoring a function may involve a limited number of simplemanual actions.User interfaces of redundant systems may be designed for man-ning of normally unattended workstations when required, pro-vided such manning is immediately available.


B 500 Repairable systems (R3)501 A system serving a function of category R3 is to be de-signed to provide restoration of the function within a maxi-mum time specified for R3 in case of system failures.

Guidance note:Restoring a function may involve a number of manual opera-tions, including minor replacements or repair of equipment.


C. Response to Failures

C 100 Failure detection101 Essential and important systems are to have facilities to

detect the most probable failures that may cause reduced or er-roneous system performance.

102 The self-check facilities are to cover at least, but not lim-ited to; the following failure types:

— power failures— sensor and actuator failures.

And additionally, for computer based systems:

— communication errors— computer hardware failures— software execution failures— software logical failures— for essential systems: Loop failures (at least broken con-

nections and short circuit).

103 Adequate failure detection may be obtained by combin-ing two mutually independent systems, which together providethe required failure detection properties, e.g. an automatic con-trol system together with an independent alarm system.

104 Detection of failures in essential and important systemsis to initiate an alarm.

C 200 Fail-to-safety

201 The most probable failures, e.g. loss of power or wirefailure, are to result in the least critical of any possible newconditions.

Guidance note:Total loss of power to any single control system should not resultin loss of propulsion or steering.


D. Emergency Operation

D 100 Local control

101 It shall be possible for all machinery essential for thesafe operation of the ship to be controlled from a local position,even in the case of failure in any part of the automatic or re-mote control systems.

(SOLAS Reg. II-1/49.4). See also Ch.1 Sec.3 B300 of theRules for Classification of Ships.

D 200 Manual emergency operation

201 For functions where manual emergency operation is re-quired, this is to be used to maintain a minimum functionalityin case of major system failures.

202 This system is to be installed as an integral part of themechanical equipment.

DET NORSKE VERITAS


SECTION 3SYSTEM DESIGN

A. System Elements

A 100 General

101 A system consists of one or several system elementswhere each system element serves a specific function.

102 System elements belong to the following categories:

— automatic control— remote control— alarm— safety— indications— planning and reporting— calculation, simulation and decision support.

A 200 Automatic control

201 Automatic control is to keep process equipment varia-bles within the limits specified for the process equipment (e.g.the machinery) during normal working conditions.

202 The automatic control is to be stable over the entire con-trol range. The margin of stability is to be sufficient to ensurethat variations in the parameters of the controlled processequipment that may be expected under normal conditions, willnot cause instability. The automatic control system element isto be able to accomplish the function it is to serve.

203 Automatic control such as automatic starting and otherautomatic operations are to include provisions for manuallyoverriding the automatic controls unless designed according toSec.4 A101 or safe manual operation is not feasible. Failure ofany part of such systems is not to prevent the use of the manualoverride.

A 300 Remote control301 At the remote command location, the user is to receivecontinuous information on the effects of his orders.

302 One command location is to be designated as the maincommand location. The main command location is to be inde-pendent of other command locations.

303 When control is possible from several locations, onlyone is to be in control at a time.

304 Actual control is not to be transferred before acknowl-edged by the receiving command location unless the commandlocations are located close enough to allow direct visual andaudible contact. Transfer of control is to give audible pre-warning. The main command location is to be able to take con-trol without acknowledgement.

Guidance note:There may be several main command locations on different lev-els. For example for remote control of propulsion machinery, theengine room is the main station. For offshore bow loading thenavigating bridge is the main location. This implies that the com-mand location at navigating bridge may take control without ac-knowledgement from the bow command location, and the engineroom may take command without acknowledgement from thecommand location at the navigating bridge or from the bow com-mand location.


305 Means are to be provided to prevent significant altera-tion of process equipment parameters when transferring con-trol from one location to another.

306 On each alternative command location, it is to be indi-cated when this location is in control.

307 Control system elements are to include safety interlockswhen the consequence of erroneous user actions may lead tomajor damage or loss of essential or important functions.

308 Safety interlocks in different parts of the systems are notto conflict with each other.

Basic safety interlocks are to be hardwired and are to be activeduring remote and local operation.

Guidance note:Hardwired safety interlocks should not be overridden by pro-grammable interlocks.


A 400 Safety

401 A safety system element is to be arranged to automati-cally take safety actions on occurrence of predefined abnormalprocess equipment states. The corresponding system elementincludes all resources required to execute these actions.

402 The safety system element is to be so designed that themost probable failures, e.g. loss of power supply or wire fail-ure, result in the least critical of any possible new condition(fail to safety) taking into consideration the safety of the ma-chinery itself as well as the safety of the vessel.

403 Automatic safety actions are to give alarm at predefinedworkstations.

404 When the safety system element stops a unit, the unit isnot to start again automatically.

405 When a safety system element is made inoperative by amanual override, this is to be clearly indicated at predefinedworkstations.

406 When the safety system element has been activated, it isto be possible to trace the cause of the safety action by meansof central or local indicators.

A 500 Alarms

501 Alarms are to be visual and audible and are to indicateabnormal conditions only. In areas where the audible signalmay not be heard due to background noise, additional visualand audible display units are to be installed.

Guidance note:Several suitably placed low volume audible alarm units shouldbe used rather than a single unit for the whole area. A combina-tion of audible signals and rotating light signals may be of advan-tage.


502 Visual alarms are to be easily distinguishable from otherindications by use of colour and special representation.

Guidance note:In view of standardising, visual alarm signals should preferablybe red. Special representation may be a symbol.


503 Audible alarms are to be readily distinguishable fromsignals indicating normal conditions, telephone signals, differ-ent alarm systems and noise.

504 Responsibility for alarms is not to be transferred beforeacknowledged by the receiving location. Transfer of responsi-bility is to give audible pre-warming. On each alternative loca-tion, it is to be indicated when this location is in charge.

DET NORSKE VERITAS


505 Presentation and acknowledgement of alarms are only tobe possible at the workstation(s) dedicated to respond to thealarm.

Guidance note:Alarm lists may be available on any workstation.


506 Alarms at workstations are normally to be manually ac-knowledged in two steps:

1) silencing audible signal and additional visual signal (e.g.rotating light signals) leaving the visual signal on theworkstation unchanged. After acknowledgement, the au-dible signal is to operate for any new failure.

2) acknowledging the visual alarm. Alarms, including the de-tection of transient faults, are to be maintained until ac-knowledgement of the visual indication. The visualindications of individual alarms are to remain until no ab-normal condition is being detected. Acknowledged alarmsare to be clearly distinguishable from unacknowledgedalarms. Flashing is, when used, to indicate unacknowl-edged alarms.

507 Acknowledgement of visual signals is to be separate foreach signal or common for a limited group of signals. Ac-knowledgement is only to be possible when the user has visualinformation on the alarm condition for the signal or all signalsin a group.

508 Local audible signal for an alarm included in a central-ised alarm handling system is to be suppressed when localisedin the same workplace as the centralised alarm handling sys-tem.

509 Permanent suppression of alarm units shall not to bepossible. In particular cases, however, manual suppression ofseparate alarms may be accepted, when this is clearly indicatedat all times.

510 Sufficient information is to be provided to ensure opti-mal alarm handling. Alarm text is to be easily understood.

511 The more frequent failures within the alarm system,such as broken connections to measuring elements, are to re-lease alarm.

512 Interlocking of alarms is to be arranged so that mostprobable failures in the interlocking system, e.g. broken con-nection in external wiring, does not prevent alarms.

513 Blocking of alarm and safety functions in certain operat-ing modes (e.g. during start-up) is to be automatically disabledin other modes.

514 It is to be possible to delay alarms to prevent false alarmsdue to normal transient conditions.

A 600 Pre-warning

601 Pre-warnings are to be acknowledged. Pre- warnings areto be distinguishable from alarms.

A 700 Indication

701 Indications sufficient to allow safe operation of essentialand important functions are to be installed at all control loca-tions from where the function is to be accomplished. Alarms orpre-warnings are not considered as substitutes for indicationsfor this purpose.

Guidance note:It is advised that indicating and recording instruments are cen-tralised and arranged to facilitate watch-keeping, e.g. by stand-ardising the scales, applying mimic diagrams, etc.


A 800 Planning and reportingGuidance note:Planning and reporting functions are used to present a user withinformation to plan future actions.


801 Planning and reporting system elements are to have nooutputs for real-time process equipment control during plan-ning mode.

Guidance note:The output may however be used to set up premises for processequipment control, e.g. route plan used as input to an auto- pilotor load plan used as input for automatic or user assisted sequencecontrol of the loading.


A 900 Calculation, simulation and decision support901 Output from calculation, simulation or decision supportmodules is not to suppress basic information necessary to al-low safe operation of essential and important functions.

Guidance note:Output from calculation, simulation or decision support modulesmay be presented as additional information.


B. General Requirements

B 100 System operation and maintenance101 Start-ups and restarts are to be possible without special-ised system knowledge. On power-up and restoration after lossof power, the system is to be restored and resume operation au-tomatically.

102 Testing of essential systems and alarm systems is to bepossible during normal operation. The system is not to remainin test mode unintentionally.

Guidance note:Automatic return to operation mode or alarm should be arranged.


B 200 Power distribution201 Independent systems designed with redundancy are tohave separate supplies from the distribution system and sepa-rate circuit protection.

202 Systems designed with redundancy are, if connected tothe same distribution switchboard, to be supplied from at leasttwo power sources with independent supply to the distributionswitchboard.

Guidance note:The second source may be a battery.


203 Power for local emergency operation is to be derivedfrom the mechanical system, or from a local dedicated source.

204 Systems that may be exposed to conducted electromag-netic interference exceeding their immunity level through theirelectrical power supplies are to have provision for adequatelyfiltered power.

205 Essential and important systems are to be continuouslypowered and are to have an automatic change-over to a stand-by power supply in case of loss of normal power supply. Thestand-by power supply is to be from an uninterruptible powersupply (UPS). The UPS is to comprise of continuously chargedand dedicated accumulator batteries of an arrangement, loca-

DET NORSKE VERITAS


tion and endurance equivalent to that of the emergency sourceof electrical power.

Upon failure of the normal or the stand-by power supply, analarm is to be initiated.

C. Additional Requirements for System Design of HS, LC and NSC

C 100 Safety101 When two or more safety actions are initiated by onefailure condition (e.g. start of standby pump and stop of engineat low lubricating oil pressure), these actions are to be activat-ed at different levels. The least drastic action is to be activatedfirst.

C 200 Alarm201 Alarms should be maintained until they are accepted andthe visual indications of individual alarms should remain untilthe fault has been corrected, when the alarm should automati-

cally reset to the normal operating condition. If an alarm hasbeen accepted and a second fault occurs before the first is rec-tified, the audible and visual alarms should operate again.

(HSC Code 11.4.1, first part)

Guidance note:This requirement is in addition to the requirement found in A506.


202 Alarm systems should incorporate a test facility.

(HSC Code 11.4.1, last part)

203 The alarm system element is to be continuously poweredand is to have an automatic changeover to a stand-by powersupply in case of loss of normal power supply. Upon failure ofthe normal power supply, alarm is to be initiated.

204 The alarm system should meet appropriate construction-al and operational requirements for required alarms. (Refer tothe Code on alarms and indicators, 1995 adopted by the Or-ganisation by resolution A.830(19).)

(HSC Code 11.4.2)

DET NORSKE VERITAS


SECTION 4ADDITIONAL REQUIREMENTS FOR COMPUTER BASED SYSTEMS

A. General Requirements

A 100 System dependency

101 Where a computer based system is part of an essentialfunction, a secondary means of operation is to be provided byeither non-computer based system or by an independent com-puter based system of appropriate diversity.

A 200 Storage devices

201 The on-line operation of essential functions is not to de-pend on the operation of rotating bulk storage devices.

Guidance note:This does not exclude the use of such storage devices for main-tenance and back-up purposes.


202 Software and data necessary to ensure satisfactory per-formance of essential and important functions are to be storedin non-volatile memory (e.g. EPROM, EEPROM or FLASH).Exception may be given for RAM with battery backup if thefollowing three conditions are met:

— low battery voltage results in an alarm or visual indicationdetectable by routine inspections

— battery can easily be replaced by crew personnel withoutdanger of losing data

— battery failure is to have no influence on performance aslong as normal power supply is maintained.

A 300 Computer usage

301 Computers serving essential and important functions areonly to be used for purposes relevant to vessel operation.

A 400 System response and capacity

401 Systems used for control and monitoring are to provideresponse times compatible with the time constants of the relat-ed EUC (equipment under control).

Guidance note:The following response times are applicable for typical EUC onvessels:


402 System start-up and system restoration after power fail-ures is to take place with sufficient speed to comply with themaximum unavailable time for the systems. The system is torevert to a pre-defined state providing an appropriate level ofsafety.

403 System capacities are to be sufficient to provide ade-quate response times for all functions, taking the maximumload and maximum number of simultaneous tasks under nor-mal and abnormal conditions for the EUC into consideration.

A 500 Temperature control501 Wherever possible, computers are not to have forcedventilation. For systems where cooling or forced ventilation isrequired to keep the temperature at an acceptable level, alarmfor high temperature or maloperation of the temperature con-trol function, is to be provided.

A 600 System maintenance

601 Integrated systems supporting one or more essential orimportant function are to be arranged to allow individual unitsto be tested, repaired and restarted without interference withthe maintained operation of the remaining parts of the system.

602 Essential systems are to have diagnostic facilities to sup-port finding and repairs of failures.

A 700 System access701 Access to system set-up or configuration functions forthe EUC is to be protected to avoid unauthorised modificationsof the system performance. For screen based systems, tools areto be available to allow easy and unambiguous modification ofconfiguration parameters allowed to be modified under normaloperation.

Guidance note:As a minimum, this applies to:

- calibration data- alarm limit modification- manual alarm inhibiting.The operator is only to have access to the application(s) relatedto the operation of the functions covered by the system accordingto 301. Access to other applications or installations of such, areto be prevented. Hot keys normally giving access to other func-tions or program exits (Alt+Tab, Ctrl+Esc, Alt+Esc, double-clicking in background, etc.) are to be disabled.


702 Unauthorised access to essential and important systemsfrom a position outside the vessel is not to be possible.

B. System Software

B 100 Software requirements101 Basic software on processor systems running applica-tion software belonging to different functions, are to have fa-cilities for:

— running several modules under allocated priorities— detection of execution failures of individual modules— discrimination of faulty modules to ensure maintained op-

eration at least of modules of same or higher priority.

102 Individual application software modules allocated astasks under an operating system as specified above are not toperform operations related to more than one function. Thesemodules are to be allocated priorities in accordance with therelative priority between the functions they serve.

103 When hardware belonging to inputs, outputs, communi-cation links and user interface is configured to minimise theconsequences of failures, the related software is to be separat-ed in different computer tasks to secure the same degree of sep-aration.

104 When calculation, simulation or decision support ele-ments are used to serve essential functions, and a basic func-

Data sampling for automatic control purposes (fast changing parameters)

0.1 s

Data sampling, indications for analogue remote controls (fast changing parameters)

0.1 s

Other indications 1 sAlarm presentations 2 sDisplay of fully updated screen views 2 sDisplay of fully updated screen views including start of new application

5 s

DET NORSKE VERITAS


tionality can be maintained without these elements, theapplication software is to be designed to allow such simplifiedoperation.

105 System set-up, configuration of the EUC and the settingof parameters for the EUC onboard are to take place withoutmodification of program code or recompilation. The Society isto be notified if such actions cannot be avoided.

106 Means are to be provided to identify the software ver-sion(s) of the software in use.

Guidance note:

- When the setting of parameters is equivalent to programmingthen version identification of these settings is to be available.Version identification may be a check sum.

- For integrated systems, identification is to be available in thesystem overview.

- For any screen based system, identification is to be readilyavailable on the VDU during normal operation.

- PROM's are to be labelled.


B 200 Software manufacturing

201 All relevant actions are to be taken during manufactur-ing of software for a complex system to ensure that the proba-bility of errors to occur in the program code is reduced to anacceptable level.

Relevant actions are at least to include:

— actions to ensure that the programming of applications isbased on complete and valid specifications

— actions to ensure that software purchased from other par-ties has an acceptable track record and is subject to ade-quate testing

— actions to impose a full control of software releases andversions during manufacturing, installation onboard andduring the operational phase

— actions to ensure that program modules are subject to syn-tax and function testing as part of the manufacturing proc-ess

— actions to minimise the probability of execution failures.

Guidance note:Typical execution failures are:

- deadlocks- infinite loops- division by zero- inadvertent overwriting of memory areas- erroneous input data.


202 The actions taken to comply with 201 are to be docu-mented and implemented, and the execution of these actions isto be retraceable. The documentation is to include a brief de-scription of all tests that apply to the system (hardware andsoftware), with a description of the tests that are intended to bemade by sub-vendors, those to be carried out at the manufac-turer's and those to remain until installation onboard.

C. User Interface

C 100 General

101 The status of the information displayed is to be clearlyindicated.

Guidance note:This applies to e.g. indications not being updated or indication ofblocked alarm.


102 Alarm messages for alarms required in the rules (and re-lated alarms) are, when initiated, to be given priority over anyother information presented on the VDU. Such alarms are to beeasily distinguishable from other alarms. The entire list ofalarm messages is to be easily available.

103 Alarms are to be time tagged.

104 Time tagging for all alarms is to be consistent through-out the system.

Guidance note:To handle inconsistency of time tagging when the same alarm isavailable at several positions on the vessel.


105 Full redundancy is to be provided for VDU's receivingand displaying alarm presentations of essential screen basedsystems.

Guidance note:A printer or other equivalent means may provide the necessaryredundancy.


106 UIDs are to be designed and arranged to avoid inadvert-ent operation.

For essential and important systems, dedicated function key-boards are to be used.

107 Symbols and their associated information in a mimic di-agram are to have a logical relationship.

108 Means are to be provided to ensure that only correct useof numbers and letters and only values within reasonable limitswill be accepted when data is entered manually into the sys-tem.

If the user provides the system with insufficient input, the sys-tem is to request the continuation of the dialogue by means ofclarifying questions. Under no circumstances is the system toend the dialogue incomplete without user request.

C 200 Illumination201 Means are to be provided for adjustment of illuminationof all VDUs and UIDs to a level suitable for all applicable lightconditions. However, it is not to be possible to make adjust-ments down to a level making information belonging to essen-tial and important functions unreadable.

Guidance note:Adjustments may be arranged by use of different sets of colourssuited for the applicable light conditions.


C 300 Colour screens301 For cathode ray tubes (CRTs), colours used for essentialinformation are not to depend on a single source of light.

D. Data Communication Links

D 100 General101 Failure in a node is not to have any effect on the remain-ing part of the data communication link and vice versa.

102 Data communication links are to be automatically ini-tialised on power on. After a power interruption the links are toregain normal operation without manual intervention.

103 The capacity of the data communication link is to be suf-ficient to prevent overload at any time.

104 The data communication link is to be self-checking, de-tecting failures on the link itself and data communication fail-ures on nodes connected to the link. Detected failures are to

DET NORSKE VERITAS


release an alarm on dedicated workstations.

105 For essential and important functions, means are to beprovided to prevent the acceptance of corrupted data at the re-ceiving node.

106 When two or more essential functions are using the samedata communication link, this link is to be designed with re-dundancy.

107 Data communication links, designed with redundancy,are to be routed with as much separation as is practical.

D 200 Local area networks201 Means are to be provided to monitor the usage and statusof the network.

202 It is to be possible to remove and insert nodes without in-terrupting normal network operation.

203 When serving essential or important functions, facilitiesare to be provided to ensure that a message is received withina predefined time.

D 300 Local area networks designed with redundancy

301 The requirements of 200 are to be complied with.

302 Switching between the networks is to be automatic whenserving functions with category R0 and R1. Otherwise switch-ing may be manual as long as the switching is simple and un-ambiguous.

D 400 Instrument net

401 Instrument nets are to meet the requirements of localarea networks.

D 500 Interconnection of networks

501 Networks interconnected are to be mutually independ-ent.

Guidance note:Means of interconnections may be routers, bridges or gateways.


DET NORSKE VERITAS


SECTION 5COMPONENT DESIGN AND INSTALLATION

A. General

A 100 Environmental strains

101 Instrumentation equipment is to be suitable for marineuse, and is normally to be designed to operate under environ-mental conditions as described in B, unless means are providedto ascertain that the equipment parameters are not exceeded.These means are subject to approval on case-by-case basis.

102 Data sheets, sufficiently detailed to ensure proper appli-cation of the instrumentation equipment, are to be available.

103 Performance and environmental testing may be requiredto ascertain the suitability of the equipment.

A 200 Materials

201 Explosive materials and materials which may developtoxic gases, are not to be used. Covers, termination boards,printed circuit cards, constructive elements and other parts thatmay contribute to spreading fire, are to be of flame-retardantmaterial.

Guidance note:Materials with a high resistance to corrosion and ageing shouldbe used. Metallic contact between different materials should notcause electrolytic corrosion in a marine atmosphere. As base ma-terial for printed circuit cards, glass-reinforced epoxy resin orequivalent should be used.


A 300 Component design and installation

301 Component design and installation are to facilitate oper-ation, adjustment, repair and replacement. As far as practica-ble, screw connections are to be secured.

302 Mechanical resonances with amplification greater than10 are not to occur.

303 Electric cables and components are to be effectively sep-arated from all equipment, which, in case of leakage, couldcause damage to the electrical equipment. In desks, consolesand switchboards, which contain electrical equipment, pipesand equipment conveying oil, water or other fluids or steamunder pressure are to be built into a separate section with drain-age.

304 Means are to be provided for preventing moisture (con-densation) accumulating inside the equipment during opera-tion and when the plant is shut down.

305 Differential pressure elements (dp-cells) are to be able tosustain a pressure differential at least equal to the highest pres-sure for the EUC (equipment under control).

306 Thermometer wells are to be used when measuring tem-perature in fluids, steam or gases under pressure.

307 The installation of temperature sensors is to permit easydismantling for functional testing.

308 Clamps used to secure capillary tubes are to be made ofa material that is softer than the tubing.

A 400 Maintenance, checking

401 Maintenance, repair and performance tests of systemsand components are as far as practicable to be possible withoutaffecting the operation of other systems or components.

Provisions for testing, (e.g. three-way cocks) are to be ar-ranged in pipes connecting pressure switches/transducers toEUC normally in operation at sea.

Guidance note:The installation should as far as possible be built up from easilyreplaceable units and designed for easy troubleshooting, check-ing and maintenance. When a spare unit is mounted, only minoradjustments or calibrations of the unit should be necessary.Faulty replacements should not be possible.


A 500 Marking

501 All units and test points are to be clearly and permanent-ly marked. Transducers, controllers and actuators are to bemarked with their system function, so that they can be easilyand clearly identified on plans and in instrument lists. See alsoCh.8 Sec.3 E.

Guidance note:The marking of system function should preferably not be placedon the unit itself, but adjacent to it.


A 600 StandardisingGuidance note:Systems, components and signals should be standardised as faras practicable.


B. Environmental Conditions, Instrumentation

B 100 General

101 The environmental parameters given in 200 to 1100, in-cluding any of their combinations, represent “average adverse”conditions, which will cover the majority of applications onboard vessels. Where environmental conditions will exceedthose specified, special arrangements and special componentswill have to be considered.

Table B1 Parameter class for the different locations on boardParameter Class LocationTemperature A Machinery spaces, control rooms,

accommodation, bridgeB Inside cabinets, desks. etc. with temperature

rise of 5°C or more installed in location AC Pump rooms, holds, rooms with no heatingD Open deck, masts and inside cabinets, desks

etc. with a temperature rise of 5°C or more installed in location C

Humidity A Locations where special precautions are taken to avoid condensation

B All locations except as specified for location A

Vibration A On bulkheads, beams, deck, bridgeB On machinery such as internal combustion

engines, compressors, pumps, including piping on such machinery

C MastsElectro-mag-netic compati-bility (EMC)

A All locations except as specified for bridge and open deck

B All locations including bridge and open deck

DET NORSKE VERITAS


Components and systems designed in compliance with IEC en-vironmental specifications for ships, Publication No. 60092-504 (1994), and for EMC, IEC Publication No. 60533, may beaccepted after consideration.

Guidance note:For details on environmental conditions for instrumentation, seeStandard for Certification 2.4.

Navigation and radio equipment is to comply with IEC Publica-tion No. 60945, Marine navigational equipment - General re-quirements.

For EMC only, all other bridge-mounted equipment; equipmentin close proximity to receiving antennas, and equipment capableof interfering with safe navigation of the ship and with radio-communications is to comply with IEC Publication No. 60945(1996) Clause 9 (covered by EMC class B).


B 200 Electric power supply

201 Power supply failure with successive power breaks withfull power between breaks.

— 3 interruptions during 5 minutes— switching-off time 30 s each case.

202 Power supply variations for equipment connected toA.C. systems:

— combination of permanent frequency variations of ±5%and permanent voltage variations of ±10% of nominal

— combination of frequency transients (5 s duration) ±10%of nominal and voltage transients (1.5 s duration) ±20% ofnominal.

203 Power supply variations for equipment connected toD.C. systems:

— voltage tolerance continuous ±10% of nominal— voltage transients cyclic variation 5% of nominal.— voltage ripple 10%.

204 Power supply variations for equipment connected to bat-tery power sources:

— +30% to -25% for equipment connected to battery duringcharging

— +20% to -25% for equipment connected to battery not be-ing charged

— voltage transients (up to 2 s duration) ±25% of nominal.

B 300 Pneumatic and hydraulic power supply301 Nominal pressure ±20% (long and short time devia-tions).

B 400 Temperature401 Class A:Ambient temperatures +5°C to +55°C.

402 Class B:Ambient temperatures +5°C to +70°C.

403 Class C:Ambient temperatures -25°C to +55°C.

404 Class D:Ambient temperatures -25°C to +70°C.

B 500 Humidity501 Class A:Relative humidity up to 96% at all relevant temperatures, nocondensation.

502 Class B:Relative humidity up to 100% at all relevant temperatures.

B 600 Salt contamination601 Salt-contaminated atmosphere up to 1 mg salt per m3 ofair, at all relevant temperatures and humidity conditions.

B 700 Oil contamination701 Mist and droplets of fuel and lubricating oil. Oily fin-gers.

B 800 Vibrations801 Class A:

Frequency range 3 to 100 Hz.Amplitude 1 mm (peak value) below 13.2 Hz.Acceleration amplitude 0.7 g above 13.2 Hz.

802 Class B:

Frequency range 3 to 100 Hz.Amplitude 1.6 mm (peak value) below 25 Hz.Acceleration amplitude 4.0 g above 25 Hz.

803 Class C:

Frequency range 3 to 50 Hz.Amplitude 3 mm (peak value) below 13.2 Hz.Acceleration amplitude 2.1 g above 13.2 Hz.

DET NORSKE VERITAS


B 900 Inclination

901 For ships, see Rules for Classification of Ships Pt.4 Ch.1Sec.3 B200. For HS, LC and NSC, see Rules for Classificationof HS, LC and NSC Pt.4 Ch.1 Sec.1 A200.

B 1000 Electromagnetic compatibility

1001 The minimum immunity requirements for equipmentare given in Table B2, and the maximum emission require-ments are given in Table B3.

Guidance note:

Electrical and electronic equipment should be designed to func-tion without degradation or malfunction in their intended electro-magnetic environment. The equipment should not adverselyaffect the operation of, or be adversely affected by any otherequipment or systems used on board or in the vicinity of the ves-sel. Upon installation, it may be required to take adequate meas-ures to minimise the electromagnetic noise signals, seeClassification Note No. 45.1. Such measures may be in form of alist of electromagnetic noise generating- and sensitive equip-ment, and an estimate on required noise reduction, i.e. an EMC

Table B2 Minimum immunity requirements for equipmentPort Phenomenon Basic Standard Performance

criteriaTest value

A.C. power Conducted low frequency interference

IEC 60945 A 50 - 900 Hz: 10% A.C. supply voltage 900 - 6000 Hz: 10 - 1% A.C. supply voltage6 - 10 kHz: 1% A.C. supply voltage

Electrical fast transient (Burst) IEC 61000-4-4 B 2 kV 3)

Surge voltage IEC 61000-4-5 B 0.5 kV 1) /1 kV 2)

Conducted radio frequency interference

IEC 61000-4-6 A 3 Vrms 3); (10 kHz)6) 150 kHz - 80 MHz sweep rate ≤ 1.5 x 10-3 decade/s 7)

modulation 80% AM (1 kHz)D.C. power Conducted low frequency

interferenceIEC 60945 A 50 Hz - 10 kHz : 10% D.C. Supply voltage


Surge voltage IEC 61000-4-5 B 0.5 kV 1) /1 kV 2)



modulation 80% AM (1 kHz)I/O ports, sig-nal or control




modulation 80% AM (1 kHz)Enclosure Electrostatic discharge (ESD) IEC 61000-4-2 B 6 kV contact/8 kV air

Electromagnetic field IEC 61000-4-3 A 10 V/m5) 80 MHz-2 GHz sweep rate ≤ 1.5 x 10-3 decade/s 7)

modulation 80% AM (1 kHz)1) line to line

2) line to ground

3) capacitive coupling

4) coupling clamp

5) special situations to be analysed

6) test procedure to be described in the test report

7) for equipment installed in the bridge and deck zone (EMC Class B) the test levels are to be increased to 10 Vrms for spot frequencies in accordance with IEC 60945 at 2/3/4/6.2/8.2/12.6/16.5/18.8/22/25 MHz. For screened cables, a special test set-up is to be used enabling the coupling into the cable screen.

Performance criterion A: The equipment under test (EUT) is to continue to operate as intended during and after the test. No degradation of performance or loss of function is allowed as defined in the relevant equipment standard and in the technical specification published by the manufacturer.

Performance criterion B: The EUT is to continue to operate as intended after the test. No degradation of performance or loss of function is allowed as defined in the relevant equipment standard and in the technical specification published by the manufacturer. During the test, degradation or loss of function or perform-ance that is self recoverable is however allowed but no change of actual operating state or stored data is allowed.

Table B3 Maximum emission requirements for equipmentClass Location Port Frequency Range (Hz) Limits

A All locations except bridge and open deck

Enclosure(Radiated Emission)

150k – 30M30 – 100M100M – 2G

except: 156 – 165M

80 – 50 dBµV/m60 – 54 dBµV/m

54 dBµV/m

24 dBµV/m

Power (Conducted Emis-sion)

10 – 150k150 – 500k500k – 30M

120 – 69 dBµV79 dBµV73 dBµV

B All locations including bridge and open deck

Enclosure (Radiated Emission)

150 – 300k300k – 30M30M – 2G

except:156 – 165M

80 – 52 dBµV/m52 – 34 dBµV/m

54 dBµV/m

24 dBµV/m

Power (Conducted Emis-sion)

10 – 150k150 – 350k

350k – 30M

96 – 50 dBµV60 – 50 dBµV

50 dBµV

DET NORSKE VERITAS


management plan. Testing may also be required to demonstrateelectromagnetic compatibility.


B 1100 Miscellaneous

1101 In particular applications other environmental parame-ters may influence the equipment, e.g.:

— acceleration— fire— explosive atmosphere— temperature shock— wind, rain, snow, ice, dust— audible noise— mechanical shock or bump forces equivalent to 20 g of 10

ms duration— splash and drops of liquid— corrosive atmospheres of various compositions, (e.g. am-

monia on an ammonia carrier).

1102 Acceleration caused by the ship's movement in waves.Peak acceleration ±1.0 g for ships with length less than 90 m,and ±0.6 g for ships of greater length. Period 5 to 10 s.

C. Electrical and Electronic Equipment

C 100 General

101 Fused isolating transformers are to be fitted between themain power supply and the different units or systems.

102 Switching of the power supply on and off is not to causeexcessive voltage or other strains that may damage internal orexternal components.

103 Units requiring insulating resistance in cables and wir-ing higher than 200 kΩ are normally not to be used. Exceptionscan be made for special cable arrangements.

104 Key components of computer based systems necessaryfor maintaining essential and important functions are to be sub-jected to burn-in for 72 hours at 70°C (temperature in environ-ment), or an equivalent screening procedure. Power is to besupplied to the devices during burn-in.

Guidance note:Examples of equivalent screening procedure:

- use of components subjected to burn-in by the manufacturer- operation for 1000 hours at 20°C.


C 200 Mechanical design, installationGuidance note:Circuits should be designed to prevent damage of the unit or ad-jacent elements by internal or external failures. No damageshould occur when the signal transmission lines between meas-uring elements and other units are short-circuited, grounded orbroken. Such failures should lead to a comparatively safe condi-tion (fail to safe).


Guidance note:The equipment should preferably function without forced cool-ing. Where such cooling is necessary, precautions should be tak-en to prevent the equipment from being damaged in case offailure of the cooling unit.


201 The components are to be effectively secured to avoidmechanical stressing of wires and soldered joints through vi-brations and mechanical shock.

Guidance note:Components weighing more than 10 grams (0.35 oz), should notbe fastened by their connecting wires only.


C 300 Protection provided by enclosure301 Enclosures for the equipment are to be made of steel orother flame retardant material capable of providing EMC pro-tection and satisfy the minimum requirements of Table C1.The required degree of protection is specified in IEC 60529(International Electrotechnical Commission, Publication No.60529).

Guidance note:Automation equipment of class A and B that is to be in operationduring emergency situations, located in areas exposed to washdown, should have IP 55 protection.


C 400 Cables and wires401 Cables and wires are to comply with the requirements inCh.8 Sec.9.

C 500 Cable installation501 Cable installations are to comply with the requirementsin Ch.8 Sec.10 and Ch.8 Sec.3 D300.

C 600 Power supply601 When using low voltage battery supply, the chargingequipment, batteries and cables are to keep the voltage atequipment terminals within +25% to -20% of the nominal volt-age during charging and discharging.

Provisions are to be made for preventing reverse current fromthe battery through the charging device.

602 Systems including a standby battery connected for con-tinuous charging are not to be disturbed in any way by discon-nection of the battery.

603 Battery installations are to be in accordance with Ch.8Sec.10 B300.

604 Regulated rectifiers are to be designed for the variationsin voltage and frequency stated in B.

605 Different system voltages are to be supplied through dif-ferent cables.

606 Terminal lists are to be clearly marked. Various systemvoltages are to be distinguished.

607 Uninterruptible power supplies are to be according tothe requirements given in Ch.8 Sec.2 A200.

C 700 Fibre optic equipment701 Fabrication and installation of fibre optic cables are tocomply with the requirements of Ch.8.

Guidance note:The construction of fibre optic devices is generally to complywith relevant specifications of IEC Publications.


702 Power budget calculation is to be used to:

Table C1 Minimum requirements for enclosuresClass Location Degree of

protectionA Control rooms, accommodation, bridge IP 22B Machinery space IP 44C Open deck, masts, below floor plates in

machinery spaceIP 56

D Submerged application IP 68

DET NORSKE VERITAS


— determine the length between I/O units,— select components to obtain a safe reliable transmission

system, and— to demonstrate that adequate power reserve has been pro-

vided.

After installation, optical time domain reflectometry (OTDR)measurements for each fibre are to be used to correct and re-evaluate the power budget calculations.

703 The safety of personnel and operations is to be consid-ered in the installation procedures. Warning signs and labelsgiving information to the operators are to be placed where haz-ard exists. Care must be taken to prevent fibres from penetrat-ing eyes or skin.

Guidance note:It is advised to use equipment with 'built-in' safety, e.g. interlockthe power to the light sources with the covers, possible to discon-nect/lock parts of the system under service, screen laser beams.Safe distance between the light source or fibre end and the eye ofthe operator may be determined by applying the formulae:

Safe distance: L (cm) ; Pn: Nominal power (mW)


704 Fibre optic systems using standard single- and multi-mode fibres to be used for intrinsically safe circuits in hazard-ous areas are to have a power level below 10 mW.

Lsafe

Pn 10+( )2

-----------------------=

DET NORSKE VERITAS


SECTION 6USER INTERFACE

A. General

A 100 Application

101 The rules of this section apply when the section is spe-cifically referred to by relevant requirements.

A 200 Introduction

201 The location and design of the user interface are to giveconsideration to the physical capabilities of the user and com-ply with accepted ergonomic principles.

202 This section gives requirements for the user interface toensure a safe and efficient operation of the systems installedaccording to the following objectives:

— controlled work load adapted to the user(s) in all modes,including for system degradation

— ensure fast and correct decisions— ensure fast and correct user actions— avoid unnecessary stress.

A 300 Definitions

301 Automation level is divided into three classes, reflectingthe work load for the user:

ALF: Fully-automatic,- the task requires occasional attentionand action when requested by the system.

ALS: Supervised-automatic,- the task requires frequent mon-itoring and occasional user input.

ALM: Manual and semi-automatic operation,- the task re-quires continuous attention and/or user input.

302 Workstation arrangement parameters are:

For UIDs: WReach: within reach EsAccess: easily accessible Avail: available

For VDUs: ImRead: immediately readable EsRead: easily readable Avail: available

Within reach and immediately readable is within the normalposture and normal line of sight for the user. Available is whenthe user must leave the normal work position. Refer to figures1 and 2 below.

Fig. 1VDU arrangement parameters.

Fig. 2UID arrangement parameters.

303 An object is any item that may change state or value, e.g.a measurement indication or a valve symbol.

B. Workstation Design and Arrangement

B 100 Location of visual display units and user input devices101 Workstations are to be arranged according to Table B1to provide the user with easy access to UIDs, VDUs and otherfacilities required for the operation.

102 UIDs operated frequently or continuously are to be po-sitioned in a normal working height.

103 Related UIDs and VDUs are as far as possible to be ar-ranged and grouped together.

104 When more than one user are to have simultaneous ac-cess to the same VDUs and UIDs, these are to be duplicated orlocated to give the required access from all user positions.

105 The space between individual UIDs is to be largeenough to avoid inadvertent operation.

Table B1 Location of VDUs and UIDsEssential functions

Auto-mationlevel

Alarm Control actuators

Start stop

config

Indication for

monitoring

Down- graded control

ALF EsRead - EsAccess EsRead AvailALS ImRead WReach EsAccess ImRead AvailALM ImRead WReach EsAccess ImRead Avail

Important functionsAuto-

mation level

Alarm Control actuators

Start stop

config

Indication for

monitoring

Down- graded control

ALF EsRead - Avail Avail -ALS EsRead EsAccess Avail EsRead -ALM EsRead EsAccess Avail EsRead -

Legend: See A301 and A302

- not applicable

DET NORSKE VERITAS


106 Each VDU is to be placed with its face normal to the us-er's line of sight, or to the mean value if the user's line of sightvaries through an angle.

107 When UIDs and VDUs are operated in a given sequence,they are to be arranged in that sequence.

B 200 Allocation of functions to screen based systems

201 Workstations for integrated systems are to be configuredto provide the user with simultaneous access to monitoring andcontrol functions.

202 The control system element with related indications andindications for monitoring for essential functions is to be con-tinuously available.

203 Manual request of a function is not to intervene withcontinuously available functions.

204 One user shall under no circumstances need to operatemore than two computer consoles simultaneously to perform aset of related functions.

C. User Input Device and Display Unit Design

C 100 User input devices

101 The shape of mechanical UIDs is to indicate the methodof operation of the control.

102 The direction of UID movements is to be consistent withthe direction of associated process response and display move-ment.

103 The operation of a UID is not to obscure indicator ele-ments where observation of these elements is necessary for ad-justments.

104 UIDs or combined UIDs/indicating elements are to bevisually and tactually distinguishable from elements used forindication only.

Guidance note:Rectangular buttons should be used for UID elements, and roundlights for VDU elements. For screen based systems, a suitableframing method should be chosen.


105 UIDs are to allow one hand single action operation. Re-quirements for fine motoric movements is to be avoided.

106 UIDs demanding fine adjustment are to be shaped andlocated to allow operation equally well by either hand.

C 200 Visual display units

201 The information presented is to be clearly visible to theuser and permit easy and accurate reading at a practicable dis-tance in the light conditions normally experienced on the loca-tion of the workstation by day and by night.

Guidance note:

a) Quantitative and comparative readings should be presentedby means of:

- digital counter, if subject to rare changes- clockwise moving index on circular scale or horizontally

moving index on linear scale, if subject to frequentchanges.

b) Qualitative readings should be presented by means of:

- vertically moving index on linear scale to indicate trendchanges

- clockwise moving index on circular scale to indicatespeed changes.

c) Control readings should be presented by means of:

- for moving index on circular scale, all pointers shouldoccupy the same angular position, preferably the «12o'clock» position, when indicating normal status.

For an index moving relative to a circular scale, the index shouldmove clockwise (or the scale anti-clockwise) for increased read-ings.

For an index moving relative to a linear scale, the scale should behorizontal or vertical and the pointer should move to the right orupwards for increased readings.

There may be special cases where these guidelines do not apply;for example, where the readings may be positive or negative, orwhere depth is indicated.


202 The scale resolution on a VDU is not to be higher thanthe accuracy of the measured values.

203 Numbers on digital displays are not to change faster thantwice per second.

204 Each process is to have a graphical representation in-cluding indications giving an overview of the process equip-ment.

Guidance note:This may be arranged as a graphical representation on a computerscreen or a mimic diagram with instruments fitted to representthe position of the sensors or actuators.


205 VDUs used for essential and important functions are tobe readable from the operating position of the workstation theyare providing information to.

Guidance note:VDUs used in connection with UIDs should be readable from adistance of at least 1000 mm. All other VDUs should be readablefrom a distance of at least 2000 mm.

Character height in mm should be not less than three and a halftimes the reading distance in meters. Character width should bebetween 60% to 80% of the letter height, e.g.: character heightfor reading distance 2m: 2 x 3.5 = 7 mm, with resulting minimumcharacter size: 7 mm x (approximately) 5 mm.


206 VDU letter type is to be of simple, clear-cut design.

207 Indication of set point for slow changing objects is to bedisplayed.

208 The indication pointer in a circular or linear scale is notto hide scale labels.

209 For VDUs subject to strong light, means are to be pro-vided to minimise glare or reflection.

Guidance note:

a) All VDUs should be placed in position relative to the user,taking into consideration the surrounding light sources.

b) Where a transparent cover is fitted over a VDU, it shouldminimise reflection.

c) In rooms with windows, sun curtains should be installed toprevent direct sun light on VDUs.


C 300 Colours

301 Information is not to be dependent of the use of coloursalone, but is to be distinguishable in a black and white repre-sentation.

302 The use of colours is to be consistent for all systems.

303 Colour coding of functions and signals is to be in ac-

DET NORSKE VERITAS


cordance with Table C3.

Guidance note:Inactive components should be represented by a colour or colourpair which is not distinctive, e.g. grey on white.


C 400 Requirements for preservation of night vision

401 Warning and alarm indicators are to show no light innormal position (indication of a safe situation).

402 All UIDs and VDUs are to be fitted with permanent in-ternal or external light source to ensure that all necessary infor-mation is visible at all times.

403 Means are to be provided to avoid light and colourchanges upon, e.g. start-up and mode changes, which may af-fect night vision.

404 All information is to be presented on a background ofhigh contrast, emitting as little light as possible by night.

Guidance note:All vessel's bridge instruments should show a light text on a darknon-reflecting background at night. The contrast should be with-in 1:3 and 1:10.


D. Additional Requirements to Screen Based Systems

D 100 Computer dialogue

101 Menus are to be as shallow as possible.

Guidance note:Wherever practical, single action toggle buttons should be used.


102 Frequently used operations are to be available in the up-per menu level, on dedicated software or hardware buttons.

103 All menus and displays are to provide a self-explanatoryinterface to the user.

Guidance note:If the complexity of the operation is such that further help is re-quired, it will be accepted to have help function available with asingle user action.


104 When in dialogue mode, update of essential informationis not to be blocked.

105 Terms used in a dialogue are to be adapted to the normalusers. Abbreviations and terms used in electronic data process-ing are to be avoided.

106 It is to be up to the user to start, interrupt, resume andend a dialogue.

107 Whenever necessary to ensure safe and efficient entry ofdata, the user is to be prompted with a default.

Guidance note:If data is previously entered for a data element, this should be thedefault, else a value representative for the data element should bedefault.


108 The systems are to indicate the acceptance of a controlaction to the user without unnecessary delay.

109 Confirmation of a command is only to be used when theaction requested may have a critical irreversible consequence.

110 It is to be possible for the user to recognise whether thesystem is busy executing an operation, or waiting for addition-al user action. When the system is busy, buffering of more thanone user input is not allowed. It is to be possible to interrupttime-consuming operations.

111 The user is to have available means to return to a knownsafe state with a single action.

Guidance note:A default set of information should be available by e.g. pressinga dedicated button.


112 Procedures for controlling objects are to be the same.

D 200 Application screen views201 For integrated systems, all windows to be called to theVDU are to have a similar representation of all components(menus, buttons, symbols, colours, etc.).

202 Objects affected by a failed object are to indicate thestate of the failed object.

Guidance note:An alarm due to failure of e.g. a sensor should give alarm indica-tion for all objects being directly or indirectly dependent of thefailed sensor.


203 Alarms are to be displayed in the order in which they oc-cur.

204 Alarms are to be traceable.Guidance note:Printed alarm lists or access to an event log is acceptable.


E. Design of Workplace for Permanently Manned Workstations

E 100 General101 To be defined.

F. Work Environment for Permanently Manned Workstations

F 100 Vibration101 Uncomfortable levels of vibration causing both shortand long term effects are to be avoided.

Guidance note:Bridge equipment:The workplace should ideally be sited clear of the nodes and an-tinodes of the fundamental mode of vertical hull vibration in or-der to avoid longitudinal and vertical vibration.The fundamental frequency of vibration of the superstructureblock should not be close to the propeller blade frequency or itsharmonics at service speed.

Table C3 Colour codingFunction Colour codeDanger, Alarm, Emergency RedAttention, Pre-warning, Caution, Undefined

Yellow

Status of normal, safe situation Green

DET NORSKE VERITAS


Table F1 lists the vibration ranges which should be avoided.


F 200 Noise

201 Uncomfortable levels of noise, or noise that may affectsafe and efficient operation, is not to occur. Both short andlong term effects are to be avoided.

Guidance note:

Bridge equipment

The noise level for the workplace should not exceed 65 dB(A) ingood weather, with workplace instruments in operation.

Noise from ventilation and air intake fans and other noise sourcesshould be excluded from the workplace by suitable siting of thefans and associated trunking.

The vessel's sirens or whistles should be placed as high as prac-ticable and, if possible, forward of any workplace, so that thenoise level does not exceed 100 dB(A).


F 300 Lighting

301 A satisfactory level of lighting facilitating the perform-ance of all workplace tasks at sea and in port, daytime andnight time, is to be provided.

Guidance note:

Individual task areas should have a greater luminance than thegeneral lighting level.


302 Care is to be taken to avoid glare and stray image reflec-tions in the workplace environment.

Guidance note:High contrast in brightness between work areas and surroundingsshould be avoided.Non-reflective or matt surfaces should be used to reduce indirectglare to a minimum.


303 A satisfactory degree of flexibility within the lightingsystem is to be available to enable the personnel to adjust light-ing intensity and direction as required in the different areas ofthe workplace and at individual instruments and controls.

Guidance note: Vision in dim light has the following characteristics:

- perception of detail and colour is affected- the eye becomes more sensitive to the blue end of the light

spectrum- peripheral vision is enhanced.- Table F2 lists the recommended general illuminations directly

below the light source at working level.

Vision in dim light has the following characteristics:

- perception of detail and colour is affected- the eye becomes more sensitive to the blue end of the light

spectrum- peripheral vision is enhanced.

Adaptation to darkness is important to ensure a good visual look-out at night. It takes 30 to 40 minutes for complete adaptation todarkness.


304 During hours of darkness, it is to be possible to discerncontrol devices and read displayed information.

Guidance note:Bridge equipment can be lit by internal or externally locatedlighting.

Except at the chart table, red light should be used whenever pos-sible in areas or on items of equipment requiring illumination inthe operational mode, including instruments on the bridge wing.

Indirect low level red lighting should be available at deck level,especially for internal doors and stair-cases where, preferably,each step should be lit separately.

Provision should be made to prevent red lights from being visibleoutside the vessel.


F 400 Temperature

401 The workplace is to be equipped with an adequate tem-perature control system.

Guidance note:The temperature range for the workplace should not exceed 16°Cto 26°C, and should preferably be within 19°C to 23°C for an ex-ternal temperature range of -10°C to 35°C. The temperature gra-dient from floor level up to 2 m should be within 3 to 4°C.


F 500 Ventilation

501 A sufficient range of air movement is to be available tothe personnel.

Guidance note:Bridge equipment:

In general, the air movement should be 0.05 m/s to 1.2 m/s, var-ying with the different temperatures for the workplace: the higherthe temperature, the greater the air movement needed for com-fort.

With temperature maintained in the range 18°C to 23°C, the airmovement should be 0.3 m/s to 0.5 m/s.

The recommended rate of air change for enclosed spaces is 6complete changes per hour.

Used air should be changed with fresh conditioned air or recircu-lated reconditioned air.

Air should not be blown directly at personnel.


F 600 Surfaces

601 The workplace surface finishes are to be considered anintegral part of the structure, layout and environment design.

602 All prepared surfaces are to be glare free.

Table F1 Vibration rangesRange Effect0.1 to 0.5 Hz Motion sickness, particularly

around 0.25 Hz1.5 to 30 Hz Vision blur, particularly 10 to 25 Hz10-20 Hz Involuntary increase in muscle tone, lead-

ing to difficulty in controlling posture and movement

Sum: 0 to 30 Hz major source of problems

Magnitude of effects depends upon vi-bration amplitude

Table F2 Recommended illuminationPlace Colour or illuminationWorkstation area White, variable from 0 to 500 lx.Bridge, night Red, continuously variable from 0 to 10 lx.

DET NORSKE VERITAS


Guidance note:To achieve a glare free, matt finish for front part of the deckhead,bulkheads, consoles, surfaces around and below windows andother, short-haired fibre coating should be used.


603 The workplace and surrounding area are to have a non-slip surface when wet or dry.

Guidance note:The level of friction on outdoor areas should not decrease bymore than 10% between dry and wet conditions.


604 All surfaces are to be robust enough to withstand the dai-ly wear of the marine environment and require a minimum ofcleaning whilst retaining a good appearance.

Guidance note:All surfaces should be capable of withstanding without deterio-ration temperature ranges of -20°C to 70°C, sea water, oils andsolvent common to vessels, and ultra-violet light.


F 700 Colours

701 Colours for bridge equipment are to be chosen to give acalm overall impression and minimise reflectance.

Guidance note:Bright colours should not be used. Dark or mid green colours arerecommended, alternatively, blue or brown may be used.

Table F3 indicates the reflection range for some typical colourdensities.

Colour can provide a sense of warmth by the use of red/yellow,or coolness by the use of green/blue.Table F4 indicates the reflectance range for some typical colourdensities.


F 800 Safety of personnel801 The workplace area is to be free of physical hazards tothe personnel.

Guidance note:There should be no sharp edges or protuberances that could causeinjury to personnel.The deck should be free of trip hazards, such as curled up carpetedges, loose gratings or equipment.Means should be provided for properly securing portable equip-ment.


802 Sufficient hand or grab rails are to be fitted to enablepersonnel to move or stand safely in bad weather. Protection ofstairway openings is to be given special consideration.

803 All safety equipment on the workplace is to be clearlymarked and readily available and have its stowage positionclearly indicated. Table F3 Reflectance range

Place Typical colour densities ReflectanceDeckhead, front part Grass green, dark grey 0% to 20%Around windows White, light green 60% to 90%Bulkhead Light green 30% to 60%Decks Dark green, dark grey 5% to 30%Consoles Grass green, slate grey 20% to 50%Manoeuvring con-trols

Light green, light grey 40% to 70%

Other Grass green, light grey 20% to 50%

Table F4 Reflectance rangeReflectance range Typical colour densities5% to 10% Dark Green or Blue or Brown15% to 30% Mid Green or Blue or Red50% to 60% Pale Green or Blue or Yellow80% to 90% Off White or Pale Yellow

DET NORSKE VERITAS

DNV Ship rules Pt.4 Ch.9 - Instrumentation and Automation

Documents

Transcript of DNV Ship rules Pt.4 Ch.9 - Instrumentation and Automation