Section 4 Electronically controlled engines
Clasification Society 2024 - Version 9.40
Clasifications Register Rules and Regulations - Rules and Regulations for the Classification of Special Service Craft, July 2022 - Part 10 Prime Movers - Chapter 1 Reciprocating Internal Combustion Engines - Section 4 Electronically controlled engines

Section 4 Electronically controlled engines

Parent topic: Chapter 1 Reciprocating Internal Combustion Engines

4.1 Scope

4.1.1 The requirements of this Section are applicable to engines for propulsion, auxiliary or emergency power purposes with programmable electronic systems implemented and used to control fuel injection timing and duration, and which may also control combustion air or exhaust systems. The requirements of this Section also apply to programmable electronic systems used to control other functions (e.g. starting and control air, cylinder lubrication, etc.) where essential for the operation of the engine.

4.1.2 These engines may be of the crosshead or trunk piston type. They generally have no direct camshaft driven fuel systems, but have common rail fuel/hydraulic arrangements and may have hydraulic actuating systems for the functioning of the exhaust systems.

4.1.3 The operation of these engines relies on the effective monitoring of a number of parameters such as crank angle, engine speed, temperatures and pressures using programmable electronic systems to provide the services essential for the operation of the engine such as fuel injection, air inlet, exhaust and speed control.

4.1.4 Details of proposals to deviate from the requirements of this Section are to be submitted and will be considered on the basis of a technical justification produced by the Enginebuilder.

4.1.5 Each engine is to be configured for the specified performance and is to satisfy the relevant requirements for propulsion, auxiliary or emergency engines.

4.1.6 During the life of the engine details of any proposed changes to control, alarm, monitoring or safety systems which may affect safety and the reliable operation of the engine are to be submitted to LR for approval.

4.2 Risk-based analysis

4.2.1 An analysis is to be carried out in accordance with relevant standards acceptable to LR to demonstrate compliance with the applicable requirements of this sub- Section appropriate to the engine application. The analysis is to be a risk-based consideration of engine operation and craft and personnel safety, and is to demonstrate adequate risk mitigation through fault tolerance and/or reliability in accordance with the specified criteria in Pt 10, Ch 1, 4.2 Risk-based analysis 4.2.2 to Pt 10, Ch 1, 4.2 Risk-based analysis 4.2.4 relevant to the engine application.

4.2.2 For craft with a single main propulsion engine, a Failure Mode and Effects Analysis (FMEA), or alternative recognised analysis of system reliability, is to be carried out and is to demonstrate that an electronic control system failure:

  1. will not result in the loss of the ability to provide the services essential for the operation of the engine, see Pt 16, Ch 1, 2.5 Control systems 2.5.10 and Pt 16, Ch 1, 2.12 Additional requirements for wireless data communication links 2.12.2;

  2. will not affect the normal operation of the services essential for the operation of the engine other than those services dependent upon the failed part, see Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.4 and Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.4; and

  3. will not leave either the engine, or any equipment or machinery associated with the engine, or the craft in an unsafe condition, see Pt 16, Ch 1, 2.3 Alarm systems 2.3.14, Pt 16, Ch 1, 2.4 Safety systems, general requirements 2.4.5, Pt 16, Ch 1, 2.5 Control systems 2.5.4, Pt 16, Ch 1, 2.10 Programmable electronic systems – General requirements 2.10.3, Pt 16, Ch 1, 2.10 Programmable electronic systems – General requirements 2.10.4 and Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.5.

4.2.3 A risk-based analysis is to be carried out for:

  1. main engines on craft with multiple main engines or other means of providing propulsion power; and/or

  2. auxiliary engines intended to drive electric generators forming the craft’s main source of electrical power or otherwise providing power for essential services.

The analysis is to demonstrate that adequate hazard mitigation has been incorporated in electronically controlled engine systems or the overall craft installation with respect to personnel safety and providing propulsion power and/or power for essential services for the safety of the craft. Arrangements satisfying the criteria of Pt 10, Ch 1, 4.2 Risk-based analysis 4.2.2 will also be acceptable

4.2.4 For engines for emergency power purposes, a risk-based analysis is to be carried out to demonstrate that the design incorporates adequate hazard mitigation, such that the likelihood of an electronic control system failure, resulting in the loss of the ability to provide emergency power when required, has been reduced to a level considered acceptable by LR, and that means are provided to detect failures and permit personnel to restore engine availability to operate on demand. Failures which would result in engine failure and/or damage or loss of availability are to be identified, and the report is to include documentation of:

  1. component reliability evidence;

  2. failure detection and alarms; and

  3. failure response required to restore engine availability and maintain personnel safety.

4.2.5 The risk-based analysis report is to:

  1. Identify the standards used for analysis and system design;

  2. Identify the engine, its purpose and the associated objectives of the analysis;

  3. Identify any assumptions made in the analysis;

  4. Identify the equipment, system or sub-system and the mode of operation;

  5. Identify potential failure modes and their causes.

  6. Evaluate the local effects (e.g. fuel injection failure) and the effects on the system as a whole (e.g. loss of propulsion power) of each failure mode;

  7. Identify measures for reducing the risks associated with each failure mode (e.g. system design, failure detection and alarms, redundancy, quality control procedures for sourcing, manufacture and testing, etc.); and

  8. Identify trials and testing necessary to prove conclusions.

4.2.6 At sub-system level, it is acceptable to consider failure of equipment items and their functions, e.g. failure of a pump to produce flow or pressure head. It is not required that the failure of components within that pump be analysed, and failure need only be dealt with as a cause of failure of the pump.

4.3 Control engineering systems

4.3.1 Control, alarm, monitoring, safety and programmable electronic systems are to comply with Pt 16, Ch 1 Control Engineering Systems as applicable.

4.3.2 The engine control, alarm monitoring and safety systems are to be configured to comply with the relevant requirements (e.g. operating profile, alarms, shutdowns, etc.) of this Chapter and Pt 16, Ch 1 Control Engineering Systems for an engine for main, auxiliary or emergency power purposes. Details of the engine configuration are to be submitted for consideration see Pt 10, Ch 1, 1.4 Submission requirements 1.4.2.

4.4 Software

4.4.1 Software lifecycle activities are to be carried out in accordance with an acceptable quality management system, see Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.2 and Pt 16, Ch 1, 2.13 Programmable electronic systems – Additional requirements for essential services and safety critical systems 2.13.7.

4.4.2 Appropriate safety related processes, methods, techniques and tools are to be applied to software development and maintenance by the Enginebuilder. Selection and application of techniques and measures in accordance with Annex A of IEC 61508-3, Functional safety of electrical/ electronic/programmable electronic systems: Software requirements, or other relevant standards or codes acceptable to LR, will generally be acceptable.

4.4.3 To demonstrate compliance with Pt 10, Ch 1, 4.4 Software 4.4.1 and Pt 10, Ch 1, 4.4 Software 4.4.2:

  1. software quality plans and safety evidence are to be submitted for consideration, see Pt 10, Ch 1, 1.4 Submission requirements 1.4.2; and

  2. an assessment inspection of the Enginebuilder’s completed development is to be carried out by LR. The inspection is to be tailored to verify application of the standards and codes used in software safety assurance accepted by LR.

Copyright 2022 Clasifications Register Group Limited, International Maritime Organization, International Labour Organization or Maritime and Coastguard Agency. All rights reserved. Clasifications Register Group Limited, its affiliates and subsidiaries and their respective officers, employees or agents are, individually and collectively, referred to in this clause as 'Clasifications Register'. Clasifications Register assumes no responsibility and shall not be liable to any person for any loss, damage or expense caused by reliance on the information or advice in this document or howsoever provided, unless that person has signed a contract with the relevant Clasifications Register entity for the provision of this information or advice and in that case any responsibility or liability is exclusively on the terms and conditions set out in that contract.