Section 4 Essential features for control, alarm and safety systems

4.1.1 This Chapter applies to systems providing control, alarm or safety functions for the following:

• Mobility category engineering systems.
• Ship Type category engineering systems.

4.1.2 The design, construction and installation of control alarm and safety systems and control stations shall incorporate the ergonomics requirements of Vol 2, Pt 10 Human Factors.

4.2.1 Each machinery control station is to be provided with sufficient indication to ensure effective control of machinery and engineering systems and ready identification of faults. Indication should be provided, at least, for those parameters required to be monitored by relevant parts of these Rules.

4.2.2 At the main control station (if provided) or close to the subsidiary stations (if fitted) means of communication with the bridge area, the accommodation for engineering personnel and, if necessary, the machinery spaces are to be provided.

4.2.3 Provision is to be made at the main control station, or subsidiary control stations as appropriate, for the operation of an engineers’ alarm which is to be clearly audible in the engineers’ accommodation.

4.2.4 Provision is to be made at the main control station and any other subsidiary control station from which the main propulsion and auxiliary machinery or associated equipment may be controlled to indicate which station is in control.

4.2.5 Control of machinery, and associated equipment is to be possible only from one station at a time.

4.2.6 Changeover between control stations is to be arranged so that it may only be effected with the acceptance of the station taking control. The system is to be provided with interlocks or other suitable means to ensure effective transfer of control.

4.3.1 Where an alarm system is to be provided alerting relevant personnel to faults, abnormal situations and the other conditions requiring attention in machinery and engineering systems required by this Chapter or other Sections of the Rules, alarm information is to be displayed at the main control station or, alternatively, at subsidiary control stations. In the latter case, a master alarm display is to be provided at the main control station showing which of the subsidiary control stations is indicating a fault.

4.3.2 Machinery, safety and control system faults are to be indicated at the relevant control stations to advise duty personnel of a fault condition. The presence of unrectified faults is to be clearly indicated at all times.

4.3.3 Alerts associated with machinery and equipment required to satisfy this sub-Section are to be categorised according to the urgency and type of response required by the crew, as described in the IMO Code on Alerts and Indicators, 2009. The assignment of category to each alert is to be evaluated on the basis not only of the machinery or equipment being monitored, but also the complete installation. Categories not included in an alarm system may be omitted from the system design. Details of alternative alert management proposals supported with evidence of service experience may be submitted for consideration by LR. The alternative alert management is to be clearly specified.

4.3.4 Where the facility to provide messages in association with alerts exists, messages accompanying alerts are to describe the condition and indicate the intended response required by the crew.

4.3.5 Where the facility to provide messages in association with alerts exists, messages of different categories are to be clearly distinguishable from each other.

4.3.6 Alarms associated with machinery, safety and control system faults are to be clearly distinguishable from other alarms (e.g. fire, general alarm).

4.3.7 Where alarms are displayed as group alarms, provision is to be made to identify individual alarms at the main control station (if fitted) or alternatively at subsidiary control stations.

4.3.8 All alarms are to be both audible and visual. If arrangements are made to silence audible signals they are not to extinguish visual indications.

4.3.9 Acknowledgement of visual alarms is to be clearly indicated.

4.3.10 Acknowledgement of alarms at positions outside a machinery space is not to silence the audible signal or extinguish the visual indication in that machinery space.

4.3.11 If an alarm has been acknowledged and a second fault occurs prior to the first being rectified, audible signals and visual indications are again to operate. Where alarms are displayed at a local panel adjacent to the machinery and with arrangements to provide a group or common fault alarm in the control room then the occurrence of a second fault prior to the first alarm being rectified need only be displayed at the local panel, however the group alarm is to be re-initated. Unacknowledged alarms on monitors are to be distinguished by either flashing text or a flashing marker adjacent to the text. A change of colour will not in itself be sufficient to distinguish between acknowledged and unacknowledged alarms.

4.3.12 For the detection of transient faults which are subsequently self-correcting, alarms are required to lock in until accepted.

4.3.13 The alarm system is to be arranged with automatic changeover to a standby power supply in the event of a failure of the normal power supply. Where an alarm system could be adversely affected by an interruption in power supply, changeover to the standby power supply is to be achieved without a break.

4.3.14 Failure of any power supply to the alarm system is to operate an audible and visual alarm.

4.3.15 The alarm system should be designed with self-monitoring properties. Insofar as practicable, any fault in the alarm system should cause it to fail to the alarm condition.

4.3.16  The alarm system is to be capable of being tested during normal machinery operation, see Vol 2, Pt 9, Ch 12, 1.2 Trials 1.2.2.

4.3.17 The alarm system is to be designed as far as practicable to function independently of control and safety systems such that a failure or malfunction in these systems will not prevent the alarm system from operating.

4.3.18 Disconnection or manual overriding of any part of the alarm system is to be clearly indicated.

4.3.19 When alarm systems are provided with means to adjust their set point, the arrangements are to be such that the final settings can be readily identified.

4.3.20 Where monitors are provided at the station in control and, if fitted, in the duty engineer’s accommodation, they are to provide immediate display of new alarm information regardless of the information display page currently selected. This may be achieved by provision of a dedicated alarm monitor, a dedicated area of screen for alarms or other suitable means.

4.3.21 Where practicable, alarms displayed on monitors are to be displayed in the order in which they occur. Alarms requiring manual shutdown or slowdown action are to be given visual prominence.

4.3.22 Means are to be provided to test alarm and other indicator lamps.

4.3.23 Where a first stage alarm together with a second stage alarm and automatic shutdown of machinery are required in the relevant Table of this Section, the sensors and circuits utilised for the second stage alarm and automatic shutdown are to be independent of those required by the first stage alarm.

4.4.1 Safety systems are to operate automatically in case of serious faults endangering the machinery, so that:

1. normal operating conditions are restored, e.g. by the starting of standby machinery; or

2. the operation of the machinery is temporarily adjusted to the prevailing conditions, e.g. by reducing the output of the machinery; or

3. the machinery is protected from critical conditions by shutting off the fuel or power supplies thereby stopping the machinery.

4.4.2 The safety system is to be designed as far as practicable to operate independently of the control and alarm systems, such that a failure or malfunction in the control and alarm systems will not prevent the safety system from operating.

4.4.3 Safety systems for different items of the machinery plant are to be arranged so that failure of the safety system of one part of the plant will not interfere with the operation of the safety system in another part of the plant.

4.4.4 The safety system is to be designed to ‘fail safe’. The characteristics of the ‘fail safe’ operation are to be evaluated on the basis not only of the safety system and its associated machinery, but also the complete installation. Failure of a safety system is to initiate an audible and visual alarm.

4.4.5 When a safety system is activated, an audible and visual alarm is to be provided to indicate the cause of the safety action.

4.4.6 The safety system is to be manually reset before the relevant machinery can be restarted.

4.4.7 Where arrangements are provided for overriding a safety system, they are to be such that inadvertent operation is prevented. Visual indication is to be given at the relevant control station(s) when a safety override is operated. The consequences of overriding a safety system are to be established and documented.

4.4.8 The safety system is to be arranged with automatic changeover to a standby power supply in the event of a failure of the normal power supply.

4.4.9 Failure of any power supply to a safety system is to operate an audible and visual alarm.

4.4.10 When safety systems are provided with means to adjust their set point, the arrangements are to be such that the final settings can be readily identified.

4.4.11 As far as practicable, the safety system required by Vol 2, Pt 9, Ch 7, 4.4 Safety systems, general requirements 4.4.1.(b) is to be arranged to effect a rapid reduction in speed or power.

4.5.1 The control system is to be designed such that normal operation of the controls cannot induce detrimental mechanical or thermal overloads in the machinery.

4.5.2 Control systems for machinery operations are to be stable throughout their operating range.

4.5.3 Failure of any power supply to a control system is to operate an audible and visual alarm.

4.5.4 Control systems should be designed to ‘fail safe’. The characteristics of the ‘fail safe’ operation are to be evaluated on the basis not only of the control system and its associated machinery, but also the complete installation.

4.5.5 Remote or automatic controls are to be provided with suitable instrumentation (e.g. alarms and indications) at the relevant control stations to ensure effective control by duty personnel and to indicate that the system is functioning correctly.

4.5.6 When control systems are provided with means to adjust their sensitivity or set point, the arrangements are to be such that the final settings can be readily identified.

4.5.7 Failure of a control system is not to result in the loss of ability to provide Mobility and/or Ship Type systems by alternative means. This may be achieved by manual control or redundancy within the control system or redundancy in machinery and equipment, see also Vol 2, Pt 9, Ch 8, 5.5 Additional requirements for integrated systems 5.5.4. Instrumentation is to be provided at local manual control stations to ensure effective operation of the machinery by duty personnel.

4.6.1 Means are to be provided to ensure satisfactory control of propulsion from the bridge in both the ahead and astern directions.

4.6.2 The following indications are to be provided on the bridge:

1. Propeller speed.

2. Direction of rotation of propeller for a fixed pitch propeller or pitch position for a controllable pitch propeller. See also Vol 2, Pt 4, Ch 1, 10.2 Automatic and remote controls 10.2.3.

3. Direction and an indication representative of the magnitude of the thrust.

4. Clutch position where applicable.

5. Shaft brake position where applicable.

4.6.3 The propeller speed, direction of rotation and, if applicable, the propeller pitch are to be controlled from the bridge under all normal sea going and manoeuvring conditions.

4.6.4 Remote control of the propulsion machinery is to be from only one control station at any one time, see also Vol 2, Pt 9, Ch 7, 4.2 Control stations for machinery 4.2.5. Main propulsion control units on the navigating bridge may be interconnected. Means are to be provided at the control station to ensure smooth transfer of control between the bridge and other control stations.

4.6.5 Means of control, independent of the bridge control system, are to be provided on the bridge to enable the propulsion machinery to be stopped in an emergency.

4.6.6 Audible and visual alarms are to operate on the bridge and in the alarm system required by Vol 2, Pt 9, Ch 7, 4.2 Control stations for machinery if any power supply to the bridge control system fails. Where practicable, the preset speed and direction of thrust are to be maintained until corrective action is taken.

4.6.7 At least two means of communication are to be provided between the bridge and the main control station in the machinery space. One of these means may be the bridge control system; the other is to be independent of the main electrical power supply. See also Vol 2, Pt 9, Ch 7, 4.2 Control stations for machinery 4.2.2 and Vol 2, Pt 1, Ch 3, 5.12 Communications.

4.6.8 Automation systems are to be designed in a manner such that a threshold warning of impending or imminent slowdown or shutdown of the propulsion system is given to the officer in charge of the navigational watch in time to assess navigational circumstances in an emergency. In particular, the systems are to control, monitor, report, alert and take safety action to slow down or stop propulsion while providing the officer in charge of the navigational watch an opportunity to manually intervene, except for those cases where manual intervention will result in total failure of the engine and/or propulsion equipment within a short time, for example in the case of overspeed.

4.7.1 Systems providing remote control and indication functions for valves in Mobility and Ship Type category systems are to ensure effective operation, with due regard to any specified requirements for operation under damage conditions. The requirements of Vol 2, Pt 9, Ch 7, 4.7 Valve control and indication systems 4.7.2are to be satisfied.

4.7.2 Failure of control system power or actuator power is not to permit a valve to move to an unsafe condition.

4.7.3 Positive indication is to be provided at the remote control station for the service to show the actual valve position or alternatively that the valve is fully open or closed.

4.7.4 Equipment located in places which may be flooded is to be capable of operating when submerged.

4.7.5 A secondary means of operating the valves, which may be by local manual control, is to be provided.

4.7.6 For requirements applicable to closing appliances on scuppers and sanitary discharges, see Vol 1, Pt 3, Ch 4, 8 Scuppers and sanitary discharges