Section 4 Electronically controlled engines
4.1 General
4.1.1 The requirements of this Section are applicable to engines for propulsion,
auxiliary or emergency power purposes with programmable electronic systems implemented
and used to control fuel injection timing and duration, and which may also control
combustion air or exhaust systems. The requirements of this Section also apply to
programmable electronic systems used to control other functions (e.g. starting and
control air, cylinder lubrication, etc.) where essential for the operation of the
engine.
4.1.2 These engines may be of the crosshead or trunk-piston type. They generally have no
direct camshaft driven fuel systems, but have common rail fuel/hydraulic arrangements
and may have hydraulic actuating systems for the functioning of the exhaust systems.
4.1.3 The operation of these engines relies on the effective monitoring of a number of
parameters such as crank angle, engine speed, temperatures and pressures using
programmable electronic systems to provide the services essential for the operation of
the engine such as fuel injection, air inlet, exhaust and speed control.
4.1.4 Details of proposals to deviate from the requirements of this Section are to be
submitted and will be considered on the basis of a technical justification produced by
the engine packager or system integrator.
4.1.5 Each engine is to be configured for the specified performance and is to satisfy
the relevant requirements for propulsion, auxiliary or emergency engines.
4.1.6 During the life of the engine details of any proposed changes to control,
alarm, monitoring or safety systems which may affect safety and the reliable operation
of the engine are to be submitted to LR for approval.
4.2 Risk Assessment (RA)
4.2.1 A Risk Assessment (RA) is to be carried out in accordance with the
requirements of Vol 2, Pt 1, Ch 3, 18 Risk Assessment (RA), and to demonstrate compliance with the
applicable requirements of this sub-Section appropriate to the engine application. The
analysis is to be a risk-based consideration of engine operation and ship and personnel
safety, and is to demonstrate adequate risk mitigation through fault tolerance and/or
reliability in accordance with the specified criteria in Vol 2, Pt 2, Ch 1, 4.2 Risk Assessment (RA) 4.2.2 to Vol 2, Pt 2, Ch 1, 4.2 Risk Assessment (RA) 4.2.4, relevant to
the engine application.
4.2.2 For ships with a single main propulsion engine, a RA of system reliability
is to be carried out and is to demonstrate that an electronic control system failure:
- will not result in the loss of the ability to provide the services essential for the
operation of the engine, see Vol 2, Pt 9, Ch 7, 4.5 Control systems, general requirements 4.5.7 and Vol 2, Pt 9, Ch 8, 5.4 Additional requirements for Mobility category and safety critical systems 5.4.2;
- will not affect the normal operation of the services essential for the operation of
the engine other than those services dependent upon the failed part, see Vol 2, Pt 9, Ch 8, 5.5 Additional requirements for integrated systems 5.5.4 and Vol 2, Pt 9, Ch 8, 5.5 Additional requirements for integrated systems 5.5.5; and
- will not leave either the engine, or any equipment or machinery associated with the
engine, or the ship in an unsafe condition, see Vol 2, Pt 9, Ch 7, 4.3 Alarm systems, general requirements 4.3.15, Vol 2, Pt 9, Ch 7, 4.4 Safety systems, general requirements 4.4.5, Vol 2, Pt 9, Ch 7, 4.5 Control systems, general requirements 4.5.4, Vol 2, Pt 9, Ch 8, 5.1 General requirements 5.1.3, Vol 2, Pt 9, Ch 8, 5.1 General requirements 5.1.4 and Vol 2, Pt 9, Ch 8, 5.5 Additional requirements for integrated systems 5.5.5.
4.2.3 A RA is to be carried out for:
- main engines on ships with multiple main engines or other means of providing
propulsion power; and/or
- auxiliary engines intended to drive electric generators forming the ship's main
source of electrical power or otherwise providing power for essential services.
The RA is to demonstrate that adequate hazard mitigation has been incorporated in
electronically controlled engine systems or the overall ship installation, with respect
to personnel safety and providing propulsion power and/or power for essential services
for the safety of the ship. Arrangements satisfying the criteria of Vol 2, Pt 2, Ch 1, 4.2 Risk Assessment (RA) 4.2.2 will also be
acceptable.
4.2.4 For engines for emergency power purposes, a RA is to be carried out to
demonstrate that the design incorporates adequate hazard mitigation, such that the
likelihood of an electronic engine system failure resulting in the loss of the ability
to provide emergency power when required has been reduced to a level considered
acceptable by LR and that means are provided to detect failures and permit personnel to
restore engine availability to operate on demand. Failures which would result in engine
failure and/or damage or loss of availability are to be identified and the report is to
include documentation of:
- component reliability evidence;
- failure detection and alarms; and
- failure response required to restore engine availability and maintain personnel
safety.
4.2.5 The RA report is to:
- Identify the standards used for analysis and system design.
- Identify the engine, its purpose and the associated objectives of the analysis.
- Identify any assumptions made in the analysis.
- Identify the equipment, system or sub-system and the mode of operation.
- Identify potential failure modes and their causes.
- Evaluate the local effects (e.g. fuel injection failure) and the effects on the
system as a whole (e.g. loss of propulsion power) of each failure mode.
- Identify measures for reducing the risks associated with each failure mode (e.g.
system design, failure detection and alarms, redundancy, quality control procedures
for sourcing, manufacture and testing, etc.).
- Identify trials and testing necessary to prove conclusions.
4.2.6 In an electronically controlled engine, it is necessary to define the essential
services on which the operation of the engine relies, and the control functions, alarm
functions and safety functions for the equipment and machinery providing these
services. Examples of essential services are:
- Starting arrangements.
- Fuel supply arrangements.
- Lubricating oil arrangements.
- Hydraulic oil arrangements.
- Cooling arrangements.
- Power supply arrangements.
4.2.7 At sub-system level, it is acceptable to consider failure of equipment items and
their functions, e.g. failure of a pump to produce flow or pressure head. It is not
required that the failure of components within that pump be analysed, and failure need
only be dealt with as a cause of failure of the pump.
4.3 Control engineering systems
4.3.2 The engine control, alarm, monitoring and safety systems are to be
configured to comply with the relevant requirements (e.g. operating profile, alarms,
shutdowns, etc.) of this Chapter and Vol 2, Pt 9 Electrotechnical Systems and Vol 2, Pt 10 Human Factors for an engine for main, auxiliary or emergency power purposes. Details
of the engine configuration are to be submitted for consideration, see
Vol 2, Pt 2, Ch 1, 1.4 Submission requirements 1.4.2.
4.4 Software
4.4.2 Appropriate safety related processes, methods, techniques and tools are to
be applied to software development and maintenance by the engine packager or system
integrator. Selection and application of techniques and measures in accordance with
Annex A of IEC 61508-3, Functional safety of electrical/electronic/programmable
electronic systems: Software requirements, Vol 2, Pt 1, Ch 3, 21 Software in systems, machinery and equipment and Vol 2, Pt 9, Ch 8, 5.6 Programmable electronic systems – Additional requirements for the production of software for the production of software or other relevant standards or
codes acceptable to LR, will generally be acceptable.
4.4.3 To demonstrate compliance with Vol 2, Pt 2, Ch 1, 4.4 Software 4.4.1 and Vol 2, Pt 2, Ch 1, 4.4 Software 4.4.2:
- software quality plans and safety evidence are to be submitted for consideration,
see Vol 2, Pt 2, Ch 1, 1.4 Submission requirements 1.4.3.(b) and Vol 2, Pt 2, Ch 1, 1.4 Submission requirements 1.4.3.(c); and
- an assessment inspection of the engine packager's or system integrator's completed
development is to be carried out by LR. The inspection is to be tailored to verify
application of the standards and codes used in software safety assurance accepted by
LR.
4.5 Additional requirements for emergency engines for naval vessels
4.5.1 Electronically controlled engines will only be accepted for use as
emergency engines when the additional requirements of this sub-Section are
satisfied.
4.5.3 Each power supply is to be provided with an Uninterruptible Power System
(UPS) in accordance with Vol 2, Pt 9, Ch 3, 7.3 Uninterruptible power systems capable of supplying the starting
arrangements for three successive starts over a period of at least 30 minutes. A manual
supply changeover switch is to be provided.
4.5.4 The power supplies are not to pass through a common switchboard or section
board and are not to use common feeders, protective devices, control circuits,
controlgear assemblies or battery chargers, so that any single fault will not cause the
loss of both supplies. Where adequate circuit protection and stored battery and charging
capacity exists, the engine starting batteries may be used to provide one supply.
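The single-failure criteria of 4.2.2, analysed at sub-system level as 4.2.7 permits, and the supply-independence criterion of 4.5.4 can both be screened mechanically over a dependency model of the essential services. The following is an added illustration, not part of the Rules and not an LR tool; the equipment names, the MODEL dictionary and the function names are constructed assumptions.

```python
"""Single-point-of-failure screening over a sub-system dependency model.

Added illustration (not LR's method): each essential service is modelled as
a list of alternative supply paths, and each path as the set of equipment
items that must all be healthy for it to work. Items are the unit of failure
(a pump fails to produce flow, a feeder is lost), matching sub-system level
analysis; failures of components inside an item are not modelled.
"""

# Constructed model with three essential services (all names are assumptions):
#  - fuel_supply:   two fully independent control/pump/power paths (redundant)
#  - starting:      one path only, so each item in it is a single point of failure
#  - control_power: two supplies that wrongly share one switchboard (cf. 4.5.4)
MODEL = {
    "fuel_supply": [
        {"ecu_a", "fuel_pump_1", "psu_a"},
        {"ecu_b", "fuel_pump_2", "psu_b"},
    ],
    "starting": [
        {"start_ctrl", "air_compressor_1"},
    ],
    "control_power": [
        {"switchboard_main", "feeder_1", "breaker_1", "charger_1"},
        {"switchboard_main", "feeder_2", "breaker_2", "charger_2"},
    ],
}


def service_available(paths, failed):
    """True if at least one supply path contains no failed item."""
    return any(path.isdisjoint(failed) for path in paths)


def affected_services(model, failed):
    """Set of services lost when the given set of items has failed."""
    return {s for s, paths in model.items() if not service_available(paths, failed)}


def single_points_of_failure(model):
    """Map each item whose lone failure loses a service to the services it loses."""
    items = set().union(*(p for paths in model.values() for p in paths))
    spof = {}
    for item in sorted(items):
        lost = affected_services(model, {item})
        if lost:
            spof[item] = sorted(lost)
    return spof


if __name__ == "__main__":
    for item, lost in single_points_of_failure(MODEL).items():
        print(f"single failure of {item} loses: {', '.join(lost)}")
```

Items that appear in the result need either redundancy in the design or a documented justification in the RA report; items absent from it satisfy the first criterion of 4.2.2 under this model.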
4.5.5 Where the proposed arrangement of engine electronic control systems does not
incorporate redundancy to satisfy the requirements of Vol 2, Pt 2, Ch 1, 4.2 Risk Assessment (RA) 4.2.1, evidence is to be submitted that demonstrates the
arrangements have been assessed and found to comply with IEC 61508, functional safety of
electrical/electronic/programmable electronic systems, or a relevant alternative
standard. The submissions are to include proposals for LR to verify compliance (reviews,
surveys, trials, etc.) with the applicable standard(s).
4.5.7 Emergency engines are required to be immediately available in an emergency
and capable of being controlled remotely or automatically.