Section 2 Essential features for control, alarm and safety systems
Clasification Society 2024 - Version 9.40
Clasifications Register Rules and Regulations - Rules and Regulations for the Classification of Inland Waterways Ships, July 2022 - Part 6 Control, Electrical and Fire - Chapter 1 Control Engineering Systems - Section 2 Essential features for control, alarm and safety systems

2.1 General

2.1.1 Where it is proposed to install control and alarm systems to the equipment defined in Pt 6, Ch 1, 1.2 Plans 1.2.2, the applicable features contained in Pt 6, Ch 1, 2.2 Control station(s) for machinery are to be incorporated in the system design.

2.2 Control station(s) for machinery

2.2.1 A system of alarm displays and controls is to be provided which readily ensures identification of faults in the machinery and satisfactory supervision of related equipment.

2.3 Alarm systems

2.3.1 Where an alarm system which will provide warning of faults in the machinery and the safety and control systems is installed, the requirements of Pt 6, Ch 1, 2.3 Alarm systems 2.3.2 are to be satisfied.

2.3.2 Machinery, safety and control system faults are to be indicated at the relevant control station to advise duty personnel of a fault condition.

2.3.3 Individual alarm channels may be displayed as group alarms at the main control station (if fitted) or alternatively at subsidiary control stations.

2.3.4 All alarms are to be both audible and visual. If arrangements are made to silence audible alarms they are not to extinguish visual alarms. Alarm indicators are to be red and are to flash when unacknowledged.

2.3.5 If an alarm has been acknowledged and a second fault occurs prior to the first being rectified, audible and visual alarms are again to operate. Unacknowledged alarms on monitors are to be distinguished by either flashing text or a flashing marker adjacent to the text. A change of colour will not in itself be sufficient to distinguish between acknowledged and unacknowledged alarms.

2.3.6 For the detection of transient faults which are subsequently self-correcting, alarms are required to lock in until accepted.

2.3.7 Failure of the power supply to the alarm system is to be indicated.

2.3.8 The alarm system should be designed with self-monitoring properties. As far as practicable, any fault in the alarm system should cause it to fail to the alarm condition.

2.3.9 The alarm system is to be designed as far as practical to function independently of control systems such that a failure or malfunction on these systems will not prevent the alarm from operating.

2.3.10 Disconnection or manual overriding of any part of the alarm system should be clearly indicated.

2.3.11 The alarm system is to be capable of being tested.

2.3.12 The alarm system should be designed with self-monitoring properties. Insofar as practicable, any fault in the alarm system should cause it to fail to the alarm condition.

2.3.13 In the wheelhouse, all illumination and lighting of instruments, keyboards and controls are to be adjustable down to zero, except the lighting of alarm indicators and the controls of dimmers which are to remain readable.
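
The behaviour required by 2.3.4 to 2.3.6, with the fail-to-alarm principle of 2.3.8 applied to a lost input signal, can be modelled as a small state machine per alarm channel. The following Python sketch is an added example and is not part of the Rules; the class names, channel names and indicator strings are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    NORMAL = "off"
    UNACKNOWLEDGED = "red-flashing"  # latched, waiting for the operator
    ACKNOWLEDGED = "red-steady"      # accepted, fault still present


@dataclass
class Channel:
    state: State = State.NORMAL
    fault: bool = False


class AlarmPanel:
    """Hypothetical annunciator model; not taken from the Rules."""

    def __init__(self, names):
        self.channels = {n: Channel() for n in names}
        self.silenced = False

    def update(self, name, healthy):
        """Feed one input sample. healthy=None models a lost sensor signal;
        anything other than True is a fault, so the channel fails to alarm."""
        ch = self.channels[name]
        fault = healthy is not True
        new_fault = fault and not ch.fault
        ch.fault = fault
        if new_fault:
            # 2.3.5: a further fault re-operates audible and visual alarms,
            # even if an earlier alarm was silenced or acknowledged.
            ch.state = State.UNACKNOWLEDGED
            self.silenced = False
        elif not fault and ch.state is State.ACKNOWLEDGED:
            ch.state = State.NORMAL  # accepted and now rectified
        # 2.3.6: a fault that clears while UNACKNOWLEDGED stays latched.

    def silence(self):
        self.silenced = True  # 2.3.4: audible only, indicators unchanged

    def acknowledge(self, name):
        ch = self.channels[name]
        if ch.state is State.UNACKNOWLEDGED:
            ch.state = State.ACKNOWLEDGED if ch.fault else State.NORMAL

    def audible(self):
        unacked = any(c.state is State.UNACKNOWLEDGED
                      for c in self.channels.values())
        return unacked and not self.silenced

    def indicator(self, name):
        return self.channels[name].state.value


if __name__ == "__main__":
    panel = AlarmPanel(["lube_oil_pressure", "cooling_water_temp"])  # constructed
    panel.update("cooling_water_temp", False)  # transient fault appears
    panel.update("cooling_water_temp", True)   # and self-corrects
    print(panel.indicator("cooling_water_temp"), panel.audible())
```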

2.4 Safety systems – General requirements

2.4.1 Where safety systems are provided, the requirements of Pt 6, Ch 1, 2.4 Safety systems – General requirements 2.4.2 are to be satisfied.

2.4.2 Safety systems are to operate automatically in case of serious faults endangering the machinery, so that:

  1. normal operating conditions are restored, e.g. by the starting of standby machinery, or

  2. the operation of the machinery is temporarily adjusted to the prevailing conditions, e.g. by reducing the output of the machinery, or

  3. the machinery is protected from critical conditions by shutting off the fuel or power supplies thereby stopping the machinery.

2.4.3 The safety system required by Pt 6, Ch 1, 2.4 Safety systems – General requirements 2.4.2.(c) is to be designed as far as practicable to operate independently of the control and alarm systems, such that a failure or malfunction in the control and alarm systems will not prevent the safety system from operating.

2.4.4 For safety systems required by Pt 6, Ch 1, 2.4 Safety systems – General requirements 2.4.2 and Pt 6, Ch 1, 2.4 Safety systems – General requirements 2.4.2.(b) complete independence from other control systems is not necessary.

2.4.5 Safety systems for different items of the machinery plant are to be arranged so that failure of the safety system of one part of the plant will not interfere with the operation of the safety system in another part of the plant.

2.4.6 The safety system is to be designed to ‘fail-safe’. The characteristics of the ‘fail-safe’ operation are to be evaluated on the basis not only of the safety system and its associated machinery, but also the complete installation. Failure of a safety system is to initiate an audible and visual alarm.

2.4.7 When a safety system is activated, an audible and visual alarm is to be provided to indicate the cause of the safety action.

2.4.8 The safety system is to be manually reset before the relevant machinery can be restarted.

2.4.9 Where arrangements are provided for overriding a safety system, they are to be such that inadvertent operation is prevented. Visual indication is to be given at the relevant control station(s) when a safety override is operated. The consequences of overriding a safety system are to be established and documented.

2.4.10 The safety system is to be arranged with automatic changeover to a standby power supply in the event of a failure of the normal power supply.

2.4.11 Failure of any power supply to a safety system is to operate an audible and visual alarm.

2.4.12 When safety systems are provided with means to adjust their set point, the arrangements are to be such that the final settings can be readily identified.

2.4.13 As far as practicable, the safety system required by Pt 6, Ch 1, 2.4 Safety systems – General requirements 2.4.2.(b) is to be arranged to effect a rapid reduction in speed or power.

2.5 Control systems

2.5.1 Control systems for machinery operations are to be stable throughout their operating range.

2.5.2 Failure of the power supply to a control system for propulsion machinery and associated systems is to operate an audible and visual alarm. See Pt 6, Ch 1, 3.5 Remote control for propulsion machinery 3.5.1, Pt 6, Ch 1, 3.6 Controllable pitch propellers and transverse thrust units 3.6.4 or Pt 6, Ch 1, 3.7 Steering gear 3.7.5, as applicable.

2.5.3 When remote or automatic controls are provided, sufficient instrumentation is to be fitted at the relevant control stations to ensure effective control and indicate that the system is functioning correctly.

2.5.4 Where valves are operated by remote or automatic control, the system of control should include the following safety features:

  1. Failure of actuator power should not permit a closed valve to open inadvertently.

  2. Positive indication is to be provided at the remote control station for the service to show the actual valve position or alternatively that the valve is fully open or closed. Valve position indicating systems are to be of an approved type.

  3. Equipment located in places which may be flooded should be capable of operating when submerged.

  4. A secondary means of operating the valves, which may be local manual control, is to be provided.

2.5.5 Control systems should be designed to ‘fail-safe’. The characteristics of the ‘fail-safe’ operation are to be evaluated on the basis not only of the control system and its associated machinery, but also the complete installation.

2.6 Fire detection alarm systems

2.6.1 Where an automatic fire detection system is to be fitted in a machinery space, the requirements of Pt 6, Ch 1, 2.6 Fire detection alarm systems 2.6.2 are to be satisfied.

2.6.2 A fire detector indicator panel is to be located in such a position that a fire in the machinery spaces will not render it inoperable.

2.6.3 The audible fire-alarm is to have a characteristic tone which distinguishes it from any other alarm system. The audible fire-alarm is to be audible on all parts of the bridge and in the accommodation areas.

2.6.4 The alarm system should, so far as practicable, be designed with self-monitoring properties.

2.6.5 Failure of any power supply to the alarm system is to be indicated.

2.6.6 Detector heads of an approved type are to be located in the machinery spaces so that all potential fire outbreak points are guarded.

2.6.7 The fire detection system is to be capable of being tested.

2.6.8 It is to be demonstrated to the Surveyor’s satisfaction that detector heads are so located that air currents will not render the system ineffective.

2.6.9 Fire detecting indicating panels are to denote, as a minimum, the section in which a detector or manually operated call point has operated. A section of detectors is not to cover more than 1 deck except a section which covers an enclosed stairway. No section of detectors is in general to include more than 50 detectors.

2.6.10 A section of fire detectors which covers loops of accommodations and control stations is not to include high fire risk spaces.

2.6.11 At least one indicating panel is to be so located that it is easily accessible to responsible members of the crew at all times. An indicating panel is to be located on the navigating bridge.

2.6.12 Clear information is to be displayed on or adjacent to each indicating unit about the spaces covered and the location of the section.

2.6.13 A combination of detectors is to be provided in order that the system will react to all possible fire characteristics.

2.6.14 A drawing showing the location of the fire detector heads and the fire indicator panel, is to be submitted.

2.6.15 Fire detection control units, indicating panels, detector heads and manual call points are to be Type Approved in accordance with Test Specification Number 1 given in LR’s Type Approval System.

2.7 Programmable electronic systems – General requirements

2.7.1 The requirements of Pt 6, Ch 1, 2.7 Programmable electronic systems – General requirements 2.7.2 are to be complied with where control, alarm or safety systems incorporate programmable electronic equipment. Systems for essential services and safety critical application and systems incorporating shared data communication links are to comply with the additional requirements of Pt 6, Ch 1, 2.8 Data communication links and Pt 6, Ch 1, 2.9 Programmable electronic systems – Additional requirements for essential services and safety critical systems as applicable.

2.7.2 Where programmable electronic systems share resources, any components that can affect the ability to effectively provide required control, alarm or safety functions are to fulfil the requirements of Pt 6, Ch 1, 2.7 Programmable electronic systems – General requirements related to providing those required functions.

2.7.3 Programmable electronic equipment is to revert to a defined safe state on initial start-up or re-start in the event of failure.

2.7.4 In the event of failure of any programmable electronic equipment, the system, and any other system to which it is connected, is to fail to a defined safe state or maintain safe operation, as applicable.

2.7.5 Programmable electronic equipment is to be certified by a recognized authority as suitable for the environmental conditions in which it is intended to operate.

2.7.6 Emergency stops are to be hard-wired and independent of any programmable electronic equipment.

2.7.7 Programmable electronic equipment is to be provided with self-monitoring capabilities such that hardware and functional failures will initiate an audible and visual alarm in accordance with the requirements of Pt 6, Ch 1, 2.3 Alarm systems and, where applicable, Pt 6, Ch 1, 4.2 Alarm system for machinery. Hardware failures are to be indicated at least at module level and the self-monitoring capabilities are to ensure that diagnostic information is readily available.

2.7.8 System configuration, programs and data are to be protected against loss or corruption in the event of failure of any power supply.

2.7.9 Access to system configuration, programs and data is to be restricted by physical and/or logical means providing effective security against unauthorized alteration.

2.7.10 Where date and time information is required by the equipment, this is to be provided by means of a battery backed clock with restricted access for alteration. Date and time information is to be fully represented and utilized.

2.7.11 Displays and controls are to be protected against liquid ingress due to spillage.

2.7.12 User interfaces are to be designed in accordance with appropriate ergonomic principles to meet user needs and enable timely access to desired information or control of functions. A system overview is to be readily available.

2.7.13 The keyboard is to be divided logically into functional areas. Alphanumeric, paging and specific system keys are to be grouped separately.

2.7.14 Where a function may be accessed from more than one interface, the arrangement of displays and controls is to be consistent.

2.7.15 The size, colour and density of information displayed to the operator are to be such that information may be easily read from the normal operator position under all operational lighting conditions.

2.7.16 Display units are to comply with the requirements of International Electrotechnical Commission Standard IEC 60950:1991, Safety of information technology equipment, including electrical business equipment, in respect of emission of ionising radiation.

2.7.17 Symbols used in mimic diagrams are to be visually representative and are to be consistent throughout the systems' displays.

2.7.18 Mimic diagrams are to clearly identify unreliable data.

2.7.19 Multi-function displays and controls are to be duplicated and interchangeable where their use for the control or monitoring of more than one system is required at the same time. At least one unit at the main control station is to be supplied from an independent uninterruptible power supply (UPS).

2.7.20 The number of multi-function display and control units provided at the main control station and their power supply arrangements are to be sufficient to ensure continuing safe operation in the event of failure of any unit or any power supply.

2.7.21 Software lifecycle activities, e.g. design, development, supply and maintenance, are to be carried out in accordance with an acceptable quality management system. Software quality plans are to be submitted. These are to demonstrate that the provisions of ISO/IEC 90003 Software engineering – Guidelines for the application of ISO 9001:2015 to computer software, or equivalent, are incorporated. The plans are to define responsibilities for the lifecycle activities, including verification, validation, module testing and integration with other components or systems.

2.8 Data communication links

2.8.1 Where control, alarm or safety systems use shared data communication links to transfer data, the requirements of Pt 6, Ch 1, 2.8 Data communication links 2.8.2 are to be complied with. The requirements apply to local area networks, field buses and other types of data communication link which make use of a shared medium to transfer control, alarm or safety related data between distributed programmable electronic equipment or systems.

2.8.2 Data communication is to be automatically restored within 45 seconds in the event of a single component failure. Upon restoration, priority is to be given to updating safety critical data and control, alarm and safety related data for essential services. Components comprise all items required to facilitate data communication, including cables, switches, repeaters, software components and power supplies.

2.8.3 Loss of a data communication link is not to result in the loss of ability to operate any essential service by alternative means.

2.8.4 The properties of the data communication link (e.g. bandwidth, access control method, etc.) are to ensure that all connected systems will operate in a safe, stable and repeatable manner under all operating conditions. The latency of control, alarm and safety related data is not to exceed two seconds.

2.8.5 Protocols are to ensure the integrity of control, alarm and safety related data, and provide timely recovery of corrupted or invalid data.

2.8.6 Means are to be provided to monitor performance and identify hardware and functional failures. An audible and visual alarm is to operate in accordance with the requirements of Pt 6, Ch 1, 2.3 Alarm systems and, where applicable, Pt 6, Ch 1, 4.2 Alarm system for machinery in the event of a failure of an active or standby component.

2.8.7 Means are to be provided to prevent unintended connection or disconnection of any equipment where this may affect the performance of any other systems in operation.

2.8.8 Data cables are to comply with the applicable requirements of Pt 6, Ch 2, 7 Cables - Construction and testing. Other media will be subject to special consideration.

2.8.9 The installation is to provide adequate protection against mechanical damage and electromagnetic interference.

2.8.10 Components are to be located with appropriate segregation such that the risk of mechanical damage or electromagnetic interference resulting in the loss of both active and standby components is minimized. Duplicated data communication links are to be routed to give as much physical separation as is practical.
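
The timing limits in 2.8.2 and 2.8.4, the integrity requirement in 2.8.5 and the performance monitoring called for in 2.8.6 can be checked from a receiver-side log of frames. The following Python sketch is an added example and is not part of the Rules; the Frame record, the 1 second heartbeat, the three-missed-frames outage threshold, the synchronised clocks and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_RESTORE_MS = 45_000  # 2.8.2: restoration after a single component failure
MAX_LATENCY_MS = 2_000   # 2.8.4: control, alarm and safety related data


@dataclass(frozen=True)
class Frame:              # hypothetical record format
    seq: int
    sent_ms: int          # sender clock (assumed synchronised with receiver)
    received_ms: int
    crc_ok: bool = True


def audit(frames, heartbeat_ms=1_000, missed_for_outage=3):
    """Return (kind, seq, value_ms) findings in order of reception."""
    findings = []
    last_good = None
    for f in sorted(frames, key=lambda fr: fr.received_ms):
        if not f.crc_ok:
            # 2.8.5: corrupted data is discarded and is not proof of a live link.
            findings.append(("integrity", f.seq, None))
            continue
        latency = f.received_ms - f.sent_ms
        if latency > MAX_LATENCY_MS:
            findings.append(("latency", f.seq, latency))
        if last_good is not None:
            gap = f.received_ms - last_good.received_ms
            if gap > missed_for_outage * heartbeat_ms:
                # Silence between valid frames slightly overstates the outage,
                # which keeps the 45 s check on the conservative side.
                kind = "restore_too_slow" if gap > MAX_RESTORE_MS else "outage"
                findings.append((kind, f.seq, gap))
        last_good = f
    return findings


# Constructed sample: one late frame, one corrupted frame, a 13 s failover
# and a 59 s loss of communication.
SAMPLE = [
    Frame(1, 0, 50), Frame(2, 1_000, 1_040), Frame(3, 2_000, 4_300),
    Frame(4, 3_000, 3_050), Frame(5, 4_000, 4_050),
    Frame(6, 5_000, 5_040, crc_ok=False), Frame(7, 6_000, 6_050),
    Frame(20, 19_000, 19_060), Frame(21, 20_000, 20_050),
    Frame(80, 79_000, 79_040),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An "outage" finding is within the 45 second limit of 2.8.2 but still represents a component failure that 2.8.6 requires to be alarmed; only "restore_too_slow" and "latency" indicate that a stated limit was exceeded.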

2.9 Programmable electronic systems – Additional requirements for essential services and safety critical systems

2.9.1 The requirements of 2.9.2 to 2.9.9 are to be complied with where control, alarm or safety systems for essential services or safety critical systems incorporate programmable electronic equipment:

  1. Safety critical systems are those which provide functions intended to protect persons from physical hazards (e.g. fire, explosion, etc.), or to prevent mechanical damage which may result in the loss of an essential service (e.g. main engine low lubricating oil pressure shutdown).

  2. Applications that are not essential services may also be considered to be safety critical (e.g. domestic boiler low water level shutdown).

2.9.2 Alternative means of safe and effective operation are to be provided for essential services and, wherever practicable, these are to be provided by a fully independent hard-wired backup system. Where these alternative means are not independent of any programmable electronic equipment, the software is to satisfy the requirements of LR's Software Conformity Assessment System – Assessment Module GEN1 (1994).

2.9.3 Items of programmable electronic equipment used to implement control, alarm and safety functions are to satisfy the requirements of LR's Type Approval System Test Specification Number 1 (2002), adjusted where applicable for operation solely in Seasonal Zones, see also Pt 6, Ch 2, 1.5 Ambient temperatures 1.5.1.

2.9.4 The system is to be configured such that control, alarm and safety function groups are independent. A failure of the system is not to result in the loss of more than one of these function groups. Proposals for alternative arrangements providing an equivalent level of safety will be subject to special consideration.

2.9.5 For essential services, the system is to be arranged to operate automatically from an alternative power supply in the event of a failure of the normal supply.

2.9.6 Failure of any power supply is to initiate an audible and visual alarm in accordance with the requirements of Pt 6, Ch 1, 2.3 Alarm systems and, where applicable, Pt 6, Ch 1, 4.2 Alarm system for machinery.

2.9.7 Where it is intended that the programmable electronic system implements emergency stop or safety critical functions, the software is to satisfy the requirements of LR's Software Conformity Assessment System – Assessment Module GEN1 (1994). Alternative proposals providing an equivalent level of system integrity will be subject to special consideration, e.g. fully independent hard-wired backup system, redundancy with design diversity, etc.

2.9.8 Control, alarm and safety related information is to be displayed in a clear, unambiguous and timely manner, and, where applicable, is to be given visual prominence over other information on the display.

2.9.9 Means of access to safety critical functions are to be dedicated to the intended function and readily distinguishable.


Copyright 2022 Clasifications Register Group Limited, International Maritime Organization, International Labour Organization or Maritime and Coastguard Agency. All rights reserved. Clasifications Register Group Limited, its affiliates and subsidiaries and their respective officers, employees or agents are, individually and collectively, referred to in this clause as 'Clasifications Register'. Clasifications Register assumes no responsibility and shall not be liable to any person for any loss, damage or expense caused by reliance on the information or advice in this document or howsoever provided, unless that person has signed a contract with the relevant Clasifications Register entity for the provision of this information or advice and in that case any responsibility or liability is exclusively on the terms and conditions set out in that contract.