Free Article: System redundancy on cruise ships and DP vessels

29 Jun 2022 Institute News

Comparing the DP and SRtP goals and redundancy requirements, and their effectiveness at preventing blackouts


When entering port in a vessel with 7,000 passengers on board, how many escort tugs should you use? Given that the regulations already mandate machinery redundancy for passenger vessels, do these vessels even need escort tugs? These can be contentious questions; however, following several high-profile incidents involving blackouts, loss of propulsion, or loss of control on board large passenger ships, we must consider them. According to a paper from classification society DNV this April, in 2018, the media reported just four full or partial cruise ship blackouts in transit or manoeuvring; in 2019, this increased to 12. But weren’t the redundancy requirements in the SOLAS Safe Return to Port (SRtP) regulations meant to reduce blackouts? Unfortunately, it’s not that simple. Fortunately, another set of regulations outperforms SRtP when it comes to blackout prevention and recovery: dynamic positioning (DP). This article considers the differences between the DP and SRtP goals and redundancy requirements, and compares their effectiveness at preventing blackouts.

‘Safe Return to Port’?
SOLAS states that the focus of the SRtP regulations is to, ‘...establish design criteria for a ship’s safe return to port under its own propulsion after a casualty that does not exceed the casualty threshold...and also [provide] functional requirements and performance standards for safe areas.’ Notably, it doesn’t mention prevention of loss-of-propulsion/

For spaces protected by a fixed fire-extinguishing system, the casualty threshold is the loss of the space of origin to the nearest class A boundaries; for spaces without a fixed fire-extinguishing system, the casualty threshold includes loss of surrounding spaces as well.

If a fire doesn’t exceed the casualty threshold, or flooding remains within a single compartment, the ship should be able to return to port under her own power. If an entire main fire zone is lost, SRtP ships should be able to maintain some essential systems for three hours to allow an ‘orderly evacuation.’

Machinery redundancy requirements for SRtP?
To return to port after a casualty, the following systems must be operational:

  • Steering, propulsion, and fuel systems;
  • Navigational systems;
  • Key internal and external communication systems;
  • Fire fighting and detection systems;
  • Bilge, ballast system, and flooding-detection systems;
  • Power-operated watertight and semi-watertight doors;
  • Systems to support ‘safe areas’;
  • Other systems vital to damage control efforts.

To achieve this, ship designers build in redundancy on certain systems, and the system redundancy must be maintained throughout the life of the ship.

How is SRtP approved?
At a high level, SRtP approval is based on Classification Societies’ guidelines on how to meet the goal-based criteria set out in the regulations.

The DNV Class Guidelines for SRtP, section 3.4 notes that, ‘The design criteria for the system restoration is that it shall be possible to complete within one hour.’ They go on to explain that, ‘...a wide range of technical solutions could be used to comply with the rules, from system designs that depend fully on manual actions by the crew to fully redundant systems that allow for remote and quick restoration after a casualty.’ While DNV’s Guidelines do cover fully redundant systems with remote recovery, many ships rely on SRtP systems that depend on manual actions by the crew. This extends the time required for recovery and requires extra documentation and crew training.

Do the SRtP regulations prevent blackouts?
It’s a common misconception that SRtP aims to prevent blackouts and loss of power. While SRtP does require redundancy, operational reliability and redundancy are separate and distinct concepts.

Redundancy simply means the vessel is fitted with multiple systems for a particular service, such as propulsion or electrical power; operational reliability refers to the ability to maintain that service, thereby preventing blackouts. Operational reliability usually requires redundancy, but redundancy alone does not guarantee operational reliability. Despite this, redundancy and segregated machinery arrangements can increase the reliability of the systems involved, but only if properly configured.

Dynamic Positioning (DP)?
MSC 1580 defines dynamic positioning (DP) as, ‘A unit or vessel, which automatically maintains its position and/or means of thruster force.’ Logically, it follows that a DP system is, ‘The complete installation necessary for dynamically positioning a vessel comprising, but not limited to, the following sub systems: power system, thruster system, and DP control system.’

A DP system is complex, using a range of sensors and computer controlled thrusters to constantly counter the effects of wind, waves, and currents, holding the DP vessel in a pre-programmed position and orientation, moving it along a pre-planned path, or following a particular moving target.

DP Classes
The IMO describes DP systems as DP1, DP2, or DP3, where DP1 is the simplest, and DP3 the most complex.

  • DP Class 1: A DP1 vessel can hold station, but has no particular redundancy or operational reliability requirements.
  • DP Class 2: A DP2 vessel meets the DP1 requirements, but has improved redundancy and operational reliability: even if an active component fails, a DP2 vessel can hold station for long enough to safely stop any work in progress.
  • DP Class 3: DP3 expands on DP2, with improved redundancy and physical separation of redundant systems. Even if an active component fails or an entire compartment is lost due to fire or flooding, a DP3 vessel can hold station and continue operations – any damage to one system must not affect the backup system.

Classification Societies approve DP systems and installations, with a strong focus on physical testing and demonstration. DNV lists five phases before final approval:

   1. Factory acceptance test.
   2. Mechanical completion.
   3. Pre-commissioning, including loop testing.
   4. Commissioning.
   5. Testing, including proving the failure mode effect analysis (FMEA) to demonstrate:

     a. the redundancy concept;
     b. effectiveness of protective functions;
     c. stability of the system under the full range of load/operational conditions;
     d. monitoring functions;
     e. degraded and failure conditions.

Failure Mode Effect Analysis
Failure Mode Effect Analysis (FMEA) of DP vessels and systems assesses single-point failures that could affect the vessel’s station keeping ability. FMEA considers worst-case scenarios where each component and subsystem – including the human operator – is assumed to fail, one probable cause or single act at a time. And it’s not just obvious failures: FMEA also accounts for hidden failures, such as those which don’t activate an alarm; and considers the impact of having equipment down for routine maintenance.

Unlike the SRtP requirements, DP2 and DP3 systems are designed around operational reliability. In particular, the machinery segregation requirements for DP3 are planned so that even multiple active system failures should not result in a blackout or loss-of-position.
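The one-failure-at-a-time reasoning described above can be sketched in code. This is an added illustration, not taken from the article, DNV or IMCA; the two plant layouts and all component names are constructed, and "already down" stands for equipment out for routine maintenance or lost to a hidden failure.

```python
# Added illustration: constructed plant layouts, hypothetical component names.

def available(component, deps, down):
    """A component works if it is not down and everything it depends on works."""
    if component in down:
        return False
    return all(available(d, deps, down) for d in deps.get(component, ()))


def blackout(generators, deps, down):
    """Blackout means no generator at all is left running."""
    return not any(available(g, deps, down) for g in generators)


def single_failure_blackouts(generators, deps, already_down=frozenset()):
    """Fail each remaining component one at a time, on top of equipment that is
    already unavailable (planned maintenance or an unalarmed hidden failure),
    and return the components whose single failure blacks the ship out."""
    components = set(deps) | {d for ds in deps.values() for d in ds}
    base = set(already_down)
    return sorted(c for c in components - base
                  if blackout(generators, deps, base | {c}))


# Constructed layout 1: three generators (redundant), one shared fuel tank.
SHARED = {
    "DG1": {"fuel_service_tank", "lube_oil_A"},
    "DG2": {"fuel_service_tank", "lube_oil_A"},
    "DG3": {"fuel_service_tank", "lube_oil_B"},
}
# Constructed layout 2: two segregated engine rooms with their own auxiliaries.
SEGREGATED = {
    "DG1": {"fuel_A", "lube_oil_A"},
    "DG2": {"fuel_A", "lube_oil_A"},
    "DG3": {"fuel_B", "lube_oil_B"},
    "DG4": {"fuel_B", "lube_oil_B"},
}

if __name__ == "__main__":
    cases = [
        ("shared, all running", SHARED, set()),
        ("shared, DG3 in maintenance", SHARED, {"DG3"}),
        ("segregated, all running", SEGREGATED, set()),
        ("segregated, DG3 in maintenance", SEGREGATED, {"DG3"}),
    ]
    for label, deps, down in cases:
        # The keys of each layout are its generators.
        hits = single_failure_blackouts(list(deps), deps, down)
        print(f"{label}: single failures causing blackout = {hits or 'none'}")
```

In the shared layout, three running generators still leave one single-point failure, and taking one generator out for maintenance exposes a second; the segregated layout has none in either state.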

Blackouts and loss of propulsion/position
As cruise ships carry the general public on board, short blackouts that would not be reported by the media or officially investigated if they occurred on any other type of ship tend to be widely reported. This makes the media and Twitter good sources of information about the frequency of cruise ship blackouts. The downside of that is that the media rarely reports on the technical details of interest to mariners, often leaving us to speculate on the facts of the case.

By contrast, blackouts on other merchant ships – including DP vessels – can often fly under the radar. To prevent this, the International Marine Contractors Association (IMCA) collects and publishes anonymised reports of blackouts and loss-of-position on DP ships, allowing other vessels and companies to learn from each other’s experiences.

Even with the machinery redundancy required by SRtP, including multiple generators running, certain failure/configuration combinations can lead to blackouts on today’s passenger ships. In the report on passenger ship blackouts cited above, DNV identified four categories of common-mode failures that can lead to passenger ship blackouts, including:

  • Auxiliaries and sub-system failures, such as:
    •  Clogged fuel filters;
    •  Loss of lube oil suction or cooling water; and
    •  Fuel management.
  • Maintenance failures across multiple pieces of equipment, such as:
    • Wrong lube oil or grease used in all diesel generators;
    • Valves in the wrong position after routine maintenance on all generators;
  • Operational failures, such as mistakes in:
    • Starting and stopping sub-systems;
    • Valve operations;
    • Fuel changeover;
  • Software-related failures, such as:
    • Defects introduced by software or hardware updates;
    • Inadequate integration between multiple systems;
    • Unsupported/out of date operating systems;
    • Overwritten or reset vessel parameters; and
    • Functionality errors or poor logic, leading to unexpected system behaviour.

Case studies – Before SRtP

Carnival Triumph 2013

At 05:30 on 10 February 2013, a leaky fuel line started a fire in the aft engine room of the 1999-built cruise ship Carnival Triumph (now Carnival Sunrise). It was automatically extinguished, with no injuries to passengers or crew, but the ship lost all power and propulsion.

Some shipboard functions were partially restored the following day. The official investigation found the vessel susceptible to a complete loss of power resulting from damage to a single area of the electrical system in the aft engine room.

Although Carnival Triumph was not an SRtP-compliant vessel, DNV’s recent report found that SRtP ships are vulnerable to blackouts caused by similar failures, so while SRtP may not have prevented the blackout, the required redundancy and procedures may have facilitated the recovery.

Coral Princess 2020

On 10 August 2019, the 2002-built cruise ship Coral Princess left the dock at 20:41. Six minutes later, at 20:47, it blacked out and started drifting towards a vessel at another berth. The crew started a gas turbine and restored propulsion at 20:55.

Speaking to Alaska Public Media, a Coast Guard investigator blamed the blackout on contaminated lube oil, and an improperly configured second generator. As the vessel is electric propulsion-driven, no generators mean no propulsion.

Would SRtP have helped in this case? Possibly not, as contaminated lube oil is a common-mode failure that, even under SRtP, can cause a blackout. Even though it was built eight years before the SRtP regulations came into force, Coral Princess managed to recover from the blackout in eight minutes, well below the one hour criterion required by SRtP.

Case studies – after SRtP

Viking Sky 2019

Built six years after SRtP came into force, the 228 metre cruise ship Viking Sky complies with the SRtP rules. On 23 March 2019, a fire in the aft engine room shut down all three operational diesel generators. Given the weather and the ship’s position, the resulting blackout and loss of propulsion prompted the captain to issue a Mayday a few minutes later, at 14:00. 40 minutes later and only around 100 metres from shore, the crew were able to start one engine. Combined with the anchors, that stopped the vessel’s drift towards land.

At around 20:50, crew weighed one anchor, cut loose the other, and proceeded towards safer waters under one engine. Two tugs took the ship under tow at 08:18 the next morning, and the Mayday was cancelled at 15:11.

Working on the assumption that the ship was surveyed, in class, and complied with the SRtP regulations, it doesn’t appear that the SRtP requirements were adequate to either prevent or recover from the incident. As DNV identified, a single-point failure combined with routine equipment maintenance can cause a blackout in certain equipment configurations, which appears to be what happened here.

Nieuw Statendam 2019

Delivered in late 2018, the Nieuw Statendam ‘...experienced a technical issue with one of the diesel generators, causing a short black out…’ during a cruise on 23 March 2019. While there are few details available about this blackout, based on the timing of tweets from a passenger on board, the vessel appears to have recovered power within a few minutes.

Writing on his personal blog, Holland America’s Fleet Master described the Nieuw Statendam blackout drill/test during construction. The emergency generator starts automatically, within 10 seconds, operating key equipment including elevators and lights. If the emergency generator fails, the battery backup keeps ‘...emergency lighting and other important equipment going for about 30 minutes over the whole ship…’ to allow for abandoning ship if required.

In this case, given that power and propulsion were apparently restored within minutes, the system appears to have worked as intended.

DP vessel blackouts and loss-of-position
Despite the stringent redundancy requirements, DP loss-of-position incidents do still happen.

In a typical IMCA report from 2002, a DP vessel suffered a brief blackout to all systems at 02:56. 11 minutes later, at 03:07, the crew regained control of the vessel; by 03:11, all services had been restored. In the interim, the vessel had moved 190 metres from its original position.

In another report, a timer failure at 10:07 triggered a sequence of events that initiated the start/stop sequence for the thrusters. The crew stabilised the situation nine minutes later at 10:16, after moving a maximum of 40 metres from the intended location.

DP vs SRtP
While detailed public data is scarce for blackouts on both cruise and DP vessels that don’t trigger an official investigation, on the surface, there are two key differences between blackouts and machinery failures on DP vessels compared with SRtP vessels:

  • On average, recovery is faster for DP vessels than for SRtP vessels;
  • Human errors don’t cause DP system failures unless there is an underlying technical failure (Dong & Utne, 2017).

According to DNV, ‘Enhanced [DP] vessel capability...means a more fault tolerant/fault resistant DP system which minimises loss of positioning capability post worst case failure.’ In contrast, the SRtP regulations’ goal is, ‘…the ability to isolate the casualty and restore operation of the remaining part of the redundant system within a specified time [of 1 hour].’

Given the disparate goals of the regulations, it’s unsurprising that the outcomes are likewise completely different. As the DP regulations are built around operational reliability, the requirement for FMEA on DP vessels forces operators to actively consider and document the causes and consequences of single point failures. This aims to proactively prevent them from occurring.

While SRtP does contribute something to operational reliability, that’s more of a side-effect: it focuses more on planning for post-blackout recovery rather than blackout prevention.

Improving on SRtP
As the MSC Opera demonstrated in Venice in 2020, when it struck a dock following a system blackout, navigating in close quarters leaves little time for recovery from blackouts or control system failures – it certainly doesn’t take a ship an hour to get into trouble while entering or leaving a port. Here, operational reliability is more important than either redundancy or recovery.

When preparing for large passenger vessel movements in ports, channels, and other confined waters, stakeholders must consider the operational reliability of the vessel, rather than relying on the SRtP redundancy requirements.

To make this easier, DNV has introduced two voluntary class notations:

  • Operational reliability (OR); and
  • Redundant propulsion (RP).

Drawing on DP principles and practices, the OR notation extends the SRtP requirements to address operational reliability, blackout prevention, and system recovery. It focuses on three areas:

1. Enhanced reliability and quick recovery of propulsion, steering and electrical power (ER);
2. Enhanced manoeuvring reliability (EMR) of thrusters and the DP system; and
3. Operational flexibility and predictability (OP) during machinery damage or maintenance.

The RP notations ensure redundant propulsion and steering systems are arranged so that, after a single failure, propulsion and steering can be recovered within a specified time. For the RP(2,x) notation, the failure modes include component failure, while RP(3,x) systems are segregated to cover fire and flooding. The additional ‘+’ qualifier indicates the systems are designed for continuous availability.

When manoeuvring in confined waters, OR and RP+ vessels may present lower risks than standard SRtP vessels. For ports and pilots, an understanding of the differences is critical when conducting risk assessments and setting port policies for entry and departure.

What’s the difference?
Although they have a superficial resemblance, SRtP and DP have different goals. Because of the nature of their work, a loss of position on a DP vessel can be immediately critical, so the goals and redundancy for DP are far more stringent than those for SRtP.

Today, a passenger ship in full compliance with the SRtP regulations can suffer a single-point failure of a critical system in a narrow channel or port approach in the same way as pre-SRtP. An hour to change-over to the backup system is plenty of time in open water; in most ports and approaches, an engine or steering failure can get a vessel into serious trouble in seconds or minutes, not hours.

On a DP2/3 vessel, the operating wind and current limits are based on their operating capabilities following a single-point failure. Given most passenger ships’ high windage, this approach could provide an extra layer of safety.

DNV’s OR and RP notations go some way to addressing this problem, giving crew, ports and pilots a better understanding of a particular vessel’s specific risks. Whatever the reason, the potential consequences of blackouts and loss of control during manoeuvring remain a problem that must be considered and addressed.

This article was first published in the professional journal of the Australasian Marine Pilots Institute and appears here with permission. A fully referenced version of the article is available on request from