DNVGL-RU-SHIP Pt.4 Ch.9 Control And Monitoring Systems


RULES FOR CLASSIFICATION
Ships
Edition July 2020

Part 4 Systems and components
Chapter 9 Control and monitoring systems

The content of this service document is the subject of intellectual property rights reserved by DNV GL AS ("DNV GL"). The user accepts that it is prohibited by anyone else but DNV GL and/or its licensees to offer and/or perform classification, certification and/or verification services, including the issuance of certificates and/or declarations of conformity, wholly or partly, on the basis of and/or pursuant to this document whether free of charge or chargeable, without DNV GL's prior written consent. DNV GL is not responsible for the consequences arising from any use of this document by others.

The electronic PDF version of this document, available at the DNV GL website dnvgl.com, is the official, binding version.

DNV GL AS

FOREWORD

DNV GL rules for classification contain procedural and technical requirements related to obtaining and retaining a class certificate. The rules represent all requirements adopted by the Society as basis for classification.

DNV GL AS July 2020

Any comments may be sent by e-mail to rules@dnvgl.com

This service document has been prepared based on available knowledge, technology and/or information at the time of issuance of this document. The use of this document by others than DNV GL is at the user's sole risk. Unless otherwise stated in an applicable contract, or following from mandatory law, the liability of DNV GL AS, its parent companies and subsidiaries as well as their officers, directors and employees ("DNV GL") for proved loss or damage arising from or in connection with any act or omission of DNV GL, whether in contract or in tort (including negligence), shall be limited to direct losses and under any circumstance be limited to 300,000 USD.

CHANGES – CURRENT

This document supersedes the July 2019 edition of DNVGL-RU-SHIP Pt.4 Ch.9.
Numbering and/or title of items containing changes are highlighted in red colour.

Changes July 2020, entering into force 1 January 2021

Topic: Identification of systems that shall be certified
Reference: Sec.1 [1.4.2]
Description: The certification requirements for control and monitoring systems are in general given in the different application rules. The guidance note that contained a summary of all these requirements is deleted to avoid duplication of requirements and potential misalignment.

Topic: Safety management systems and decision support systems
Reference: Sec.1 Table 2, Table 3, Sec.1 Table 5, Sec.1 [1.4], Sec.1 [4.1.4], [4.4.2], Sec.2
Description: The term 'management systems' is intended to cover additional systems that are installed beyond those required by the rules, and that may provide manual or automatic support to the operator in e.g. optimizing the operation, making operational decisions or handling emergency / damage control. Since such systems may involve operational aspects beyond the normal scope of class, or an additional layer of integration on top of various control, monitoring and safety systems, the approval scope, certification requirements and integration tests on board shall be agreed in each case.

Topic: Integrated control systems
Reference: Sec.1 Table 3
Description: When multiple functions are integrated, a single failure should not cause loss of more functionality than it would if the functions were implemented in stand-alone systems. Integrated systems shall therefore be arranged with appropriate redundancy.

Topic: Approval of manufacturer scheme (AoM) for systems and software engineering
Reference: Sec.1 [1.5], Sec.1 [4.2], Sec.4 [2.2]
Description: The approval of manufacturer scheme for systems and software engineering covers software quality processes and manufacturers holding this certificate will have a reduced approval scope for each delivery.

Topic: Software and hardware change handling
Reference: Sec.1 Figure 1
Description: The change management process is illustrated in a figure to support the requirements.

Topic: Certification and test
Reference: Sec.1 [4]
Description: The requirements for certification and testing are clarified and the wording is amended to match the intended practice including completion of tests on board.

Topic: Electronic governors
Reference: Sec.2 [1.2.3]
Description: The requirement for powering of electronic governors has been amended and is moved to rules for rotating machinery, Ch.3 Sec.1.

Topic: Response to failures
Reference: Sec.2 [2.1.2]
Description: Earth failure detection is required for essential systems. The requirement applies to earth failures in signal loops. This is now clarified in the rules.

Topic: Alarm silence
Reference: Sec.3 [1.5.6]
Description: Clarification of the alarm silence and acknowledge functionality.

Topic: Cyber security
Reference: Sec.4 [1.3.2], Sec.4 [2.1.7], Sec.4 [3.1.2]
Description: The basic aspects of cyber security are clarified and strengthened in the rules.

Editorial corrections
In addition to the above stated changes, editorial corrections may have been made.

Rules for classification: Ships — DNVGL-RU-SHIP Pt.4 Ch.9. Edition July 2020. Control and monitoring systems. DNV GL AS. Page 3

CONTENTS

Changes – current .... 3

Section 1 General requirements .... 8
  1 Classification .... 8
    1.1 Rule applications .... 8
    1.2 Classification principles .... 8
    1.3 Type approval .... 9
    1.4 Required compliance documentation .... 9
    1.5 Software and hardware change handling .... 10
    1.6 Assumptions .... 12
  2 Definitions .... 12
    2.1 General terms .... 12
    2.2 Terms related to computer based system .... 15
  3 Documentation .... 15
    3.1 General .... 15
  4 Certification and onboard test .... 18
    4.1 General .... 18
    4.2 Verification of software development .... 19
    4.3 Certification test .... 19
    4.4 Onboard test .... 20

Section 2 Design principles .... 21
  1 System configuration .... 21
    1.1 General .... 21
    1.2 Field instrumentation .... 21
    1.3 Integrated control systems .... 21
    1.4 Management systems .... 22
  2 Response to failures .... 22
    2.1 Failure detection .... 22
    2.2 System response .... 23

Section 3 System design .... 24
  1 System elements .... 24
    1.1 General .... 24
    1.2 Automatic control .... 24
    1.3 Remote control .... 25
    1.4 Protective safety system .... 25
    1.5 Alarms .... 26
    1.6 Indication .... 28
    1.7 Planning and reporting .... 28
    1.8 Calculation, simulation and decision support .... 29
  2 General requirements .... 29
    2.1 System operation and maintenance .... 29
    2.2 Power supply requirements for control, monitoring and safety systems .... 29

Section 4 Additional requirements for computer based systems .... 31
  1 General requirements .... 31
    1.1 Assignment of responsibility for the integration of control systems .... 31
    1.2 Back-up means of operation .... 31
    1.3 Computer design principles .... 31
    1.4 Storage devices .... 31
    1.5 Computer usage .... 32
    1.6 System response and capacity .... 33
    1.7 Temperature control .... 33
    1.8 System maintenance .... 33
    1.9 System access .... 33
  2 System software .... 34
    2.1 Software requirements .... 34
    2.2 Software development .... 36
  3 Control system networks and data communication links .... 36
    3.1 General .... 36
    3.2 Network analysis .... 38
    3.3 Network test and verification .... 39
    3.4 Network documentation requirements .... 39
    3.5 Wireless communication .... 39
    3.6 Documentation of wireless communication .... 41

Section 5 Component design and installation .... 42
  1 General .... 42
    1.1 Environmental strains .... 42
    1.2 Materials .... 42
    1.3 Component design and installation .... 42
    1.4 Maintenance, checking .... 43
    1.5 Marking .... 43
    1.6 Standardising .... 43
  2 Environmental conditions, instrumentation .... 43
    2.1 General .... 43
    2.2 Electric power supply .... 44
    2.3 Pneumatic and hydraulic power supply .... 45
    2.4 Temperature .... 45
    2.5 Humidity .... 45
    2.6 Salt contamination .... 45
    2.7 Oil contamination .... 45
    2.8 Vibrations .... 45
    2.9 Inclination .... 46
    2.10 Electromagnetic compatibility .... 46
    2.11 Miscellaneous .... 48
  3 Electrical and electronic equipment .... 48
    3.1 General .... 48
    3.2 Mechanical design, installation .... 49
    3.3 Protection provided by enclosure .... 49
    3.4 Cables and wires .... 49
    3.5 Cable installation .... 49
    3.6 Power supply .... 50
    3.7 Fibre optic equipment .... 50

Section 6 User interface .... 51
  1 General .... 51
    1.1 Introduction .... 51
  2 Workstation design and arrangement .... 51
    2.1 Location of visual display units (VDUs) and user input devices (UIDs) .... 51
  3 User input device and visual display unit design .... 52
    3.1 User input devices .... 52
    3.2 Visual display units .... 53
    3.3 Colours .... 53
    3.4 Requirements for preservation of night vision (UIDs and VDUs for installation on the navigating bridge) .... 53
  4 Screen based systems .... 54
    4.1 General .... 54
    4.2 Computer dialogue .... 54
    4.3 Application screen views .... 55

Changes – historic .... 56

SECTION 1 GENERAL REQUIREMENTS

1 Classification

1.1 Rule applications

1.1.1 The requirements of this chapter apply to all control, monitoring and safety systems required by the rules.

Guidance note:
Additional requirements for specific applications may be given under rules governing those applications.

1.1.2 All control, monitoring and safety systems installed, but not necessarily required by the rules, that may have an impact on the safety of main functions (see Pt.1 Ch.1 Sec.1 [1.2]), shall meet the requirements of this chapter.

1.2 Classification principles

1.2.1 Control, monitoring and safety systems belong to three different system categories as shown in Table 1 in accordance with the possible consequence a failure may inflict on the vessel's manoeuvrability in regard to propulsion and steering, see Ch.8 Sec.13.

Table 1 System categories

Service | Effects upon failure | System functionality
Non-important | Failure of which will not lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment | Monitoring function for informational/administrative tasks
Important | Failure could eventually lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment | Alarm and monitoring functions; control functions which are necessary to maintain the ship in its normal operational and habitable conditions
Essential services and safety functions | Failure could immediately lead to dangerous situations for human safety, safety of the vessel and/or threat to the environment | Control functions for maintaining the vessel's propulsion and steering; safety functions

Guidance note:
The machinery arrangement and eventual system redundancy, eventual additional notations and possible means for alternative back-up control beyond main class may affect the system category.
These system categories are equivalent to those defined in IACS UR.

1.2.2 Classification of control, monitoring and safety systems shall be according to the following principles:
— type approval
— certification of control, monitoring and safety systems
— onboard inspection (visual inspection and functional testing).

Guidance note:
The main principle is that control system components shall be type approved and that control systems shall be certified.

1.3 Type approval

1.3.1 The main hardware components for essential and important control, monitoring and safety systems covered by the rules of this chapter (see [1.4.2] guidance note) shall be type approved.

Guidance note:
The requirement normally applies to the following components:
— controllers, PLCs
— I/O cards, communication cards
— operator stations, computers
— network switches, routers, firewalls
— other components that may be essential for the control system functionality.
Case-by-case approval of the components may, based on suitable documentation, be accepted as an alternative to the type approval.
See IACS UR (E22, M3, M29, M44, M67) for type approval or documented evidence of compliance according to IACS UR.

1.4 Required compliance documentation

1.4.1 Essential and important control, monitoring and safety systems, as specified in the rules, shall meet the required compliance documentation unless
— exemption is given in a Society issued type approval certificate, or
— the logic is simple, failure mechanisms easily understood and adequate assessment is possible during plan approval.

The compliance documentation procedure consists of:
1) plan approval
   — assessment of manufacturer documentation in accordance with the documentation requirements in the rules
   — issuance of approval letter.
2) manufacturing survey
   — visual inspection
   — verification/witness test of performance according to functional requirements based on approved test programs
   — verification/witness test of failure mode behaviour
   — verification of implementation software quality plan covering life cycle activities, if applicable.
3) issuance of compliance document

Guidance note:

The plan approval normally includes case-by-case document assessment of each delivery, alternatively partly covered by type approval as specified in class programme DNVGL-CP-0338 Type approval scheme, and class guideline DNVGL-CG-0339 Environmental test specification for electrical, electronic and programmable equipment and systems.
Manufacturers that are certified according to the approval of manufacturer (AoM) class program for 'System and software engineering' (see DNVGL-CP-0507) are considered as pre-qualified for the software development aspects of the manufacturing survey. The verification of the software quality plan is therefore omitted from the manufacturing survey.

1.4.2 The control, monitoring and safety systems that are required to be certified are given in the applicable rules.

1.4.3 In addition to the specific certification requirements given in the various rules, the control, monitoring and safety systems listed in Table 2 shall be certified, if fitted.

Table 2 Compliance documents required for control systems

Object | Compliance document type | Issued by | Compliance standard* | Additional description
Main alarm system | PC | Society | |
Integrated control system | PC | Society | |
* Unless otherwise specified the compliance standard is the rules.

Guidance note:
For general compliance documentation requirements, see DNVGL-CG-0550 Sec.4.
For a definition of the compliance document types, see DNVGL-CG-0550.

1.4.4 Other control, monitoring and safety systems may, when found to have an effect on the safety of the ship, be required to be certified.

Guidance note:
This may e.g. be different management systems, see definition in Table 3. For such systems, documentation according to Table 5 shall be submitted for approval. During the approval, it will be decided whether or not certification is required.

1.5 Software and hardware change handling

1.5.1 The requirements in this section apply to software and hardware changes done after the certification, i.e. changes done after approval and issuance of the certificate.

Guidance note:
Manufacturers that are certified according to DNVGL-CP-0507 System and software engineering are considered pre-qualified for the requirements of this section.

1.5.2 Manufacturers or system suppliers shall maintain a system to track changes as a result of defects being detected in hardware and software, and inform users of the need for modification in the event of detecting a defect.

1.5.3 Major changes or extensions in hardware or software of approved systems shall be described and submitted for evaluation. If the changes are deemed to affect compliance with rules, more detailed information may be required submitted for approval and a survey may be required to verify compliance with the rules.

1.5.4 Software versions shall be identifiable as required in Sec.4.

1.5.5 A procedure for how to handle changes (e.g. corrections, modifications, upgrades) in both basic and application software shall be submitted for approval when requested. The procedure shall describe how to ensure traceability in the software change handling process for any changes that may be done after the certification of the system. The general principles of a change handling procedure are illustrated in Figure 1. The procedure shall cover the necessary steps to ensure compliance with at least the following principles:
— major modifications which may affect compliance with the rules shall be described and submitted to the Society for evaluation before the change is implemented onboard
— no modification shall be done without the acceptance and acknowledgment by the responsible person on board
— the modified system shall be tested and demonstrated for the responsible person on board
— the modification shall be documented (including objective/reason, specification/description, impact analysis, relevant authorizations, implementation and test procedure, relevant signatures and dates, new incremented SW revision etc.)
— a test program for verification of correct installation and correct functioning of the applicable functions shall be applied
— in case the new software upgrade has not been successfully installed, the previous version of the system shall be available for re-installation and re-testing.

Figure 1 General principles of a change handling procedure.

1.5.6 If the control system is intended for remote software support from outside the vessel (e.g. remote maintenance), the functionality shall be described in the system documentation as required in Table 5.

The following requirements apply supplementary to [1.5.5], and shall be part of the procedure required in [1.5.5]:
— a particular procedure for the remote SW maintenance operation shall exist
— no remote access or remote SW modification shall be possible without the acceptance and acknowledgement by the responsible person on board
— the security of the remote connection shall be ensured by preventing unauthorized access, e.g. password, and other means of verification, and by protecting the data being transferred (e.g. by encryption methodologies)
— before the updated software is put into real-time use, the integrity of the new software shall be verified by appropriate means
— the remote session shall be logged in accordance with the above procedure for change handling, see [1.5.5].

1.6 Assumptions

1.6.1 The rules of this section are based on the assumptions that the personnel using the equipment to be installed on board are familiar with the use of, and able to operate this equipment.

2 Definitions

2.1 General terms

Table 3 Definitions – General terms

alarm
    for warning of an abnormal condition and is a combined visual and audible signal, where the audible part calls the attention of personnel, and the visual part serves to identify the abnormal condition

back-up control systems
    comprise all equipment necessary to maintain control of essential functions required for the craft's safe operation when the main control systems have failed or malfunctioned (HSC Code 11.1.2)

control and monitoring system
    includes all components necessary for control and monitoring, including sensors and actuators. In this section, the term system or control system is short for control and monitoring system. A system includes all resources required, including:
    — the field instrumentation of one or more process segments
    — all necessary resources needed to maintain the function including system monitoring and adequate self-check
    — all user interfaces.

engineers' alarm
    is an alarm system, which shall be provided to operate from the engine control room or the manoeuvring platform, as appropriate, and shall be clearly audible in the engineers' accommodation. See SOLAS Ch. II-1/38.
    Guidance note:
    The engineers' alarm is normally an integrated part of the extension alarm system, but may be a separate system.

(term missing in source)
    is the mechanical equipment (machinery, pumps, valves, etc.) or environment (smoke, fire, waves, etc.) monitored and/or controlled by a control and monitoring system

essential control and monitoring system
    is a system which needs to be in continuous operation for maintaining the vessel's propulsion and steering. Examples of services are given in Ch.8 Sec.13. Additional class notations may extend the term essential services. Such extensions, if any, can be found in the relevant rule sections (hereafter called essential system).
    Guidance note:
    The objective for an essential function is that it should be in continuous operation. However the rules do not in all respects fulfil this objective as single failures may lead to unavailability of a function.

field instrumentation
    comprises all instrumentation that forms an integral part of a process segment to maintain a function. The field instrumentation includes:
    — sensors, actuators, local control loops and related local processing as required to maintain local control and monitoring of the process segment
    — user interface for manual operation (when required).
    Other equipment items do not, whether they are implemented locally or remotely, belong to the field instrumentation. This applies to data communication and facilities for data acquisition and pre-processing of information utilised by remote systems.

important control and monitoring system
    is a system supporting services which need not necessarily be in continuous operation for maintaining the vessel's manoeuvrability, but which are necessary for maintaining the vessel's functions as defined in Pt.1 Ch.1 Sec.1 [1.2], or other relevant parts of the rules. Additional class notations may extend the term important services. Such extensions, if any, can be found in the relevant rule sections (hereafter called important system).

independent systems
    see Sec.2 [1.2.1]

integrated control system
    is a combination of computer based systems which are interconnected in order to allow common access to sensor information and command/control functions. An integrated control system may contain any combination of monitoring, alarm, control and safety functions.
    Guidance note:
    A system containing only monitoring and alarm functions is normally
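The change handling principles in [1.5.5] and the remote maintenance requirements in [1.5.6] above amount to a gate that every software change has to pass: acceptance by the responsible person on board, an identifiable and incremented software revision, verification of the integrity of the new software before it is put into use, a retained previous version available for re-installation, and a log of the change or remote session. The Python module below is an added illustration of such a gate; it is not part of the DNV GL rules and not any manufacturer's implementation. The HMAC-authenticated manifest stands in for whatever supplier signature scheme is actually used, and the key, image bytes, version numbers and names are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed stand-in for the key that authenticates supplier manifests.
# A real system would use a signature scheme with protected key storage.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


@dataclass
class InstalledState:
    """Software currently in use, plus the previous release kept for re-installation."""
    version: int
    image: bytes
    previous_version: Optional[int] = None
    previous_image: Optional[bytes] = None
    change_log: List[dict] = field(default_factory=list)


def make_manifest(version: int, image: bytes, reason: str) -> dict:
    """Supplier side: describe a release (revision, digest, reason) and
    authenticate the description so the vessel can detect tampering."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest(), "reason": reason}
    encoded = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(MANIFEST_KEY, encoded, hashlib.sha256).hexdigest()
    return body


def verify_manifest(manifest: dict) -> bool:
    """Recompute the MAC over every field except the MAC itself; constant-time compare."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    encoded = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, encoded, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(manifest.get("mac", "")))


def apply_change(state: InstalledState, manifest: dict, image: bytes,
                 acknowledged_by: str, remote: bool = False) -> Tuple[InstalledState, str]:
    """Vessel side: admit a software change only if every principle holds.
    Returns the (possibly unchanged) state and an outcome string; every
    attempt, accepted or rejected, is appended to the change log."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "requested_version": manifest.get("version"), "reason": manifest.get("reason"),
             "acknowledged_by": acknowledged_by, "remote_session": remote}

    def reject(why: str) -> Tuple[InstalledState, str]:
        entry["outcome"] = "rejected: " + why
        state.change_log.append(entry)
        return state, entry["outcome"]

    # No modification without acceptance by the responsible person on board.
    if not acknowledged_by:
        return reject("no acknowledgement from responsible person on board")
    # The description of the change must be authentic before anything in it is trusted.
    if not verify_manifest(manifest):
        return reject("manifest authentication failed")
    # Integrity of the new software is verified before it is put into use.
    if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
        return reject("image digest does not match manifest")
    # Software versions stay identifiable: the revision must be incremented.
    if manifest["version"] <= state.version:
        return reject("version not incremented")

    # Install, keeping the previous version available for re-installation.
    new_state = InstalledState(version=manifest["version"], image=image,
                               previous_version=state.version, previous_image=state.image,
                               change_log=state.change_log)
    entry["outcome"] = "installed"
    new_state.change_log.append(entry)
    return new_state, entry["outcome"]


def rollback(state: InstalledState, acknowledged_by: str) -> InstalledState:
    """Re-install the retained previous version (e.g. after a failed upgrade test)."""
    if state.previous_image is None:
        raise RuntimeError("no previous version retained")
    restored = InstalledState(version=state.previous_version, image=state.previous_image,
                              change_log=state.change_log)
    restored.change_log.append({"time": datetime.now(timezone.utc).isoformat(),
                                "acknowledged_by": acknowledged_by,
                                "outcome": "rolled back to version %d" % state.previous_version})
    return restored


if __name__ == "__main__":
    # Constructed sample: release 3 running, release 4 offered over a remote session.
    running = InstalledState(version=3, image=b"constructed image of release 3")
    release_4 = b"constructed image of release 4"
    manifest = make_manifest(4, release_4, "defect correction")
    running, outcome = apply_change(running, manifest, release_4, "Chief Engineer", remote=True)
    print(outcome, "-> now at version", running.version)
    # A byte altered in transit is caught before the software is put into use.
    _, outcome = apply_change(running, manifest, release_4 + b"\x00", "Chief Engineer", remote=True)
    print(outcome)
    for line in running.change_log:
        print(json.dumps(line, sort_keys=True))
```

Run stand-alone, the module installs the constructed release 4, rejects a corrupted copy of it and prints the log. The checks are ordered so that nothing in an unauthenticated manifest is trusted, and each principle fails with its own rejection text so the log states which one was violated; `rollback` re-installs only the single retained previous version, which is all the rules ask to be available.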
