RULES FOR

CLASSIFICATION OF

SHIPS / HIGH SPEED, LIGHT CRAFT AND

NAVAL SURFACE CRAFT

NEWBUILDING

MACHINERY AND SYSTEMS

MAIN CLASS

PART 4 CHAPTER 9

INSTRUMENTATION AND AUTOMATION

JANUARY 2003

CONTENTS PAGE
Sec. 1 General Requirements ................................................................................................................ 5
Sec. 2 Design Principles ..................................................................................................................... 12
Sec. 3 System Design ......................................................................................................................... 14
Sec. 4 Additional Requirements for Computer Based Systems ......................................................... 17
Sec. 5 Component Design and Installation ......................................................................................... 20
Sec. 6 User Interface .......................................................................................................................... 25

DET NORSKE VERITAS

Veritasveien 1, N-1322 Høvik, Norway Tel.: +47 67 57 99 00 Fax: +47 67 57 99 11
CHANGES IN THE RULES
General
This booklet is a reprint of the previous edition and apart from clari-
fications of text and the inclusion of amendments and corrections,
published in the July 2002 edition of Pt.0 Ch.1 Sec.3, no other chang-
es have been made.
This chapter is valid until superseded by a revised chapter. Supple-
ments will not be issued except for an updated list of minor amend-
ments and corrections presented in Pt.0 Ch.1 Sec.3. Pt.0 Ch.1 is
normally revised in January and July each year.
Revised chapters will be forwarded to all subscribers to the rules.
Buyers of reprints are advised to check the updated list of rule chap-
ters printed in Pt.0 Ch.1 Sec.1 to ensure that the chapter is current.

Comments to the rules may be sent by e-mail to [email protected]

For subscription orders or information about subscription terms, please use [email protected]
Comprehensive information about DNV and the Society's services is found at the Web site http://www.dnv.com
© Det Norske Veritas
Computer Typesetting (FM+SGML) by Det Norske Veritas
Printed in Norway

If any person suffers loss or damage which is proved to have been caused by any negligent act or omission of Det Norske Veritas, then Det Norske Veritas shall pay compensation to such person
for his proved direct loss or damage. However, the compensation shall not exceed an amount equal to ten times the fee charged for the service in question, provided that the maximum compen-
sation shall never exceed USD 2 million.
In this provision "Det Norske Veritas" shall mean the Foundation Det Norske Veritas as well as all its subsidiaries, directors, officers, employees, agents and any other acting on behalf of Det
Norske Veritas.
 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Contents – Page 3

CONTENTS

SEC. 1 GENERAL REQUIREMENTS .......................... 5 SEC. 4 ADDITIONAL REQUIREMENTS FOR

COMPUTER BASED SYSTEMS .................... 17
A. Classification..........................................................................5
A 100 Rule applications...............................................................5 A. General Requirements ....................................................... 17
A 200 Classification principles....................................................5 A 100 System dependency.........................................................17
A 300 Alterations and additions ..................................................5 A 200 Storage devices ...............................................................17
A 400 Assumptions......................................................................5 A 300 Computer usage ..............................................................17
A 400 System response and capacity.........................................17
B. Definitions ..............................................................................5 A 500 Temperature control........................................................17
B 100 General terms ....................................................................5 A 600 System maintenance........................................................17
B 200 Terms related to computer based system ..........................6 A 700 System access..................................................................17

C. Documentation ......................................................................6 B. System Software ................................................................. 17

B 100 Software requirements ....................................................17
C 100 General ..............................................................................6 B 200 Software manufacturing..................................................18
C 200 Documentation types ........................................................7
C 300 Type approved products....................................................8 C. User Interface ..................................................................... 18
C 400 Plans and particulars, ships ...............................................8 C 100 General............................................................................18
C 500 Plans and particulars, HS, LC and NSC ...........................9 C 200 Illumination.....................................................................18
C 300 Colour screens.................................................................18
D. Tests......................................................................................10
D 100 General ............................................................................10 D. Data Communication Links .............................................. 18
D 200 Software module testing .................................................10 D 100 General............................................................................18
D 300 Integration testing ...........................................................11 D 200 Local area networks ........................................................19
D 400 System testing .................................................................11 D 300 Local area networks designed with redundancy ............19
D 500 On-board testing..............................................................11 D 400 Instrument net .................................................................19
D 500 Interconnection of networks ...........................................19
SEC. 2 DESIGN PRINCIPLES .................................... 12 SEC. 5 COMPONENT DESIGN AND
A. System Configuration ........................................................12 INSTALLATION ............................................... 20
A 100 General ............................................................................12 A. General ................................................................................ 20
A 200 Field instrumentation ......................................................12 A 100 Environmental strains .....................................................20
A 300 System.............................................................................12 A 200 Materials .........................................................................20
A 400 Integrated system ............................................................12 A 300 Component design and installation.................................20
A 500 Redundancy.....................................................................12 A 400 Maintenance, checking ...................................................20
A 600 Additional requirements for HS, LC and NSC ...............12 A 500 Marking...........................................................................20
A 600 Standardising...................................................................20
B. Maximum Unavailable Time..............................................12
B 100 General ............................................................................12 B. Environmental Conditions, Instrumentation .................. 20
B 200 Continuous availability (R0)...........................................12 B 100 General............................................................................20
B 300 High availability (R1) .....................................................13 B 200 Electric power supply .....................................................21
B 400 Manual system restoration (R2)......................................13 B 300 Pneumatic and hydraulic power supply ..........................21
B 500 Repairable systems (R3) .................................................13 B 400 Temperature ....................................................................21
B 500 Humidity .........................................................................21
C. Response to Failures ...........................................................13 B 600 Salt contamination ..........................................................21
C 100 Failure detection..............................................................13 B 700 Oil contamination............................................................21
C 200 Fail-to-safety ...................................................................13 B 800 Vibrations........................................................................21
B 900 Inclination .......................................................................22
D. Emergency Operation.........................................................13 B 1000 Electromagnetic compatibility ........................................22
B 1100 Miscellaneous .................................................................23
D 100 Local control ...................................................................13
D 200 Manual emergency operation..........................................13 C. Electrical and Electronic Equipment ............................... 23
C 100 General............................................................................23
SEC. 3 SYSTEM DESIGN ............................................ 14 C 200 Mechanical design, installation.......................................23
C 300 Protection provided by enclosure....................................23
A. System Elements .................................................................14 C 400 Cables and wires .............................................................23
A 100 General ............................................................................14 C 500 Cable installation ............................................................23
A 200 Automatic control ...........................................................14 C 600 Power supply...................................................................23
A 300 Remote control................................................................14 C 700 Fibre optic equipment .....................................................23
A 400 Safety ..............................................................................14
A 500 Alarms.............................................................................14 SEC. 6 USER INTERFACE ......................................... 25
A 600 Pre-warning.....................................................................15
A 700 Indication ........................................................................15 A. General ................................................................................ 25
A 800 Planning and reporting ....................................................15 A 100 Application......................................................................25
A 200 Introduction.....................................................................25
A 900 Calculation, simulation and decision support .................15
A 300 Definitions.......................................................................25
B. General Requirements........................................................15 B. Workstation Design and Arrangement ............................ 25
B 100 System operation and maintenance.................................15 B 100 Location of visual display units and user
B 200 Power distribution...........................................................15 input devices ...................................................................25
B 200 Allocation of functions to screen based systems ............26
C. Additional Requirements for System Design of HS, LC
and NSC ...............................................................................16 C. User Input Device and Display Unit Design .................... 26
C 100 Safety ..............................................................................16 C 100 User input devices...........................................................26
C 200 Alarm ..............................................................................16 C 200 Visual display units.........................................................26

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Contents – Page 4

C 300 Colours ............................................................................26 F. Work Environment for Permanently Manned

C 400 Requirements for preservation of night vision................27 Workstations .......................................................................27
F 100 Vibration .........................................................................27
D. Additional Requirements to Screen Based Systems ........ 27 F 200 Noise ...............................................................................28
D 100 Computer dialogue ..........................................................27 F 300 Lighting...........................................................................28
D 200 Application screen views ................................................27 F 400 Temperature ....................................................................28
F 500 Ventilation.......................................................................28
E. Design of Workplace for Permanently Manned F 600 Surfaces...........................................................................28
Workstations ....................................................................... 27 F 700 Colours ............................................................................29
E 100 General ............................................................................27 F 800 Safety of personnel..........................................................29

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.1 – Page 5

SECTION 1
GENERAL REQUIREMENTS

A. Classification A 300 Alterations and additions

301 When an alteration or addition to the approved system(s)
A 100 Rule applications is proposed, plans are to be submitted for approval. The alter-
101 The requirements of this chapter, with the exception of ations or additions are to be carried out under survey and the
Sec.6, are to apply to all instrumentation and automation re- inspection, testing and installation are to be to the surveyor's
quired by the rules. satisfaction.
Guidance note: A 400 Assumptions
Additional requirements for specific applications will be given
under rules governing those applications. 401 The rules of this chapter are based on the assumptions
that the personnel using the equipment to be installed on board
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- is familiar with the use of, and able to operate this equipment.
Guidance note:
With regards to requirements related to electromagnetic radia-
tion, a general reference is made to Classification Note 45.1. B. Definitions
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
B 100 General terms
102 All instrumentation and automation systems installed, 101 Alarm is for warning of an abnormal condition and is a
but not necessarily required by the rules, that may have an im- combined visual and audible signal, where the audible part
pact on the safety of main functions (listed in Pt.1 Ch.1 of the calls the attention of personnel, and the visual part serves to
Rules for Classification of Ships), are to meet the requirements identify the abnormal condition.
of this chapter, with the exception of Sec.6.
102 A pre-warning indicates an equipment under control
103 The requirements in Sec.6 only apply if referred to in the (EUC) or system state that needs attention.
additional class notations. 103 Safety shutdown is a safety action that will be initiated
104 Text quoted from the International Code of Safety for upon EUC failure and is to result in the shutting down of the
High-Speed Craft (HSC Code) is printed in italics. EUC or part of the EUC in question.
A 200 Classification principles 104 A system includes all components necessary for moni-
toring, control and safety, including sensors and actuators. As
201 Classification of instrumentation and automation sys- used in this chapter, system is short for instrumentation and au-
tems is generally to be according to the following principles: tomation system. A system includes all resources required to
support one specific function, including:
— document assessment
— on-board inspection (visual inspection and functional test- — the field instrumentation of one or more process segments
ing). — all necessary resources needed to maintain the function in-
cluding system monitoring and adequate self-check
Guidance note: — all user interfaces.
The approval may be either case-by-case approval for each unit,
or type approval as specified in Certification Notes 1.2 and 2.4. 105 An essential instrumentation and automation system
(hereafter called essential system) is a system supporting
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
equipment which needs to be in continuous operation for main-
202 Essential and important computer based systems are taining the vessel's propulsion and steering functions. The def-
normally to be provided with a product certificate. Exemption inition essential system may also apply to other functions when
is given for type approved systems unless required in the type these are defined in the rules, e.g. the emergency shut-down
approval certificates. The certification procedure normally (ESD) system for a floating production vessel.
consists of: 106 An important instrumentation and automation system
(hereafter called important system) is a system supporting
Approval equipment which need not necessarily be in continuous opera-
— document evaluation tion, but which is necessary to maintain the vessel's main func-
— approval of performance according to functional require- tions as defined in Pt.1 Ch.1 Sec.2 of the Rules for
ments based on approved test programs (Approval test of Classification of Ships or which according to these rules is
application software) subject to approval when installed.
— verification of correct implementation of the plan for soft- 107 Non-important instrumentation and automation systems
ware manufacturing (hereafter called non-important systems) are systems support-
— issue Approval test of application software statement ing functions for which the Society has no requirements ac-
cording to relevant definitions in the rules.
Manufacturing survey 108 Field instrumentation comprises all instrumentation that
— survey of hardware and software forms an integral part of a process segment to maintain a func-
tion.
— issue certificate.
The field instrumentation includes:
Guidance note:
Type approval of systems includes hardware and application — sensors, actuators, local control loops and related local
software. processing as required to maintain local control and mon-
itoring of the process segment
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- — user interface for manual operation (when required).

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.1 – Page 6

Other equipment items do not, whether they are implemented is displayed including indicator lamps or panels, instruments,
locally or remotely, belong to the field instrumentation. This mimic diagrams, Light emitting diode (LED) display, Cathode
applies to data communication and facilities for data acquisi- ray tube (CRT), and Liquid crystal display (LCD).
tion and pre-processing of information utilised by remote sys- 206 User input device (UID) is any device from which a user
tems. may issue an input including handles, buttons, switches, key-
109 A process segment is a collection of mechanical equip- board, joystick, pointing device, voice sensor and other control
ment with its related field instrumentation, e.g. a machinery or actuators.
a piping system. 207 A unit is an entity of hardware, software, or both.
Process segments belonging to essential systems are referred 208 A software module is an assembly of code and data with
to as essential. a defined set of input and output, intended to accomplish a
110 An integrated system is a combination of computer function and where verification of intended operation is possi-
based systems which are interconnected in order to allow com- ble through documentation and tests.
mon access to sensor information and/or command and con- 209 Basic software is the software necessary for the hard-
trol. ware to support the application software.
111 User is any human being that will use a system or de- Guidance note:
vice, e.g. captain, navigator, engineer, radio operator, stock-
Basic software normally includes the operating system and addi-
keeper, etc. tional general software necessary to support the general applica-
112 Workstation is a position at which one or several func- tion software and project application software.
tions constituting a particular activity are carried out. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
113 Maximum unavailable time is the maximum duration of
time the function is allowed to be unavailable, i.e. the maxi- 210 General application software is computer software per-
mum permissible time lag involved in restoring lost function forming general tasks related to the EUC being controlled or
upon failure. monitored, rather than to the functioning of the computer itself.
114 Equipment under control (EUC) is the mechanical 211 Project application software is computer software per-
equipment (machinery, pumps, valves, etc.) or environment forming tasks related to the actual EUC for a specific project.
(smoke, fire, waves, etc.) monitored and/or controlled by an in- 212 A computer task is, in a multiprocessing environment,
strumentation and automation system. one or more sequences of instructions treated by a control pro-
115 Process is the result of the action done by the EUC. gram as an element of work to be accomplished by a computer.
116 Indications are the visual presentation of values for the 213 Data communication links includes point to point links,
EUC or system status to a user (lamps, dials, VDU displays, instrument net and local area networks, normally used for in-
etc.). ter-computer communication on board vessels.
117 Uninterruptible power supply (UPS) is a device supply- A data communication link includes all software and hardware
ing output power in some limited time period after loss of input necessary to support the data communication.
power with no interruption of the output power. Guidance note:
118 Independent systems: see Sec.2 A201. For local area networks, this includes network controllers, net-
work transducers, the cables and the network software on all
119 Redundancy in systems: see Sec.2 A501. nodes.
120 "Remote control systems" comprise all equipment nec- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
essary to operate units from a control position where the oper-
ator cannot directly observe the effect of his actions. 214 A node is as process segment or a part of the system con-
(HSC Code 11.1.1) nected as part of the data communication link.
121 "Back-up control systems" comprise all equipment nec- 215 A point to point link is used for data communication be-
essary to maintain control of essential functions required for the tween two dedicated nodes.
craft's safe operation when the main control systems have
failed or malfunctioned. 216 A local area network is used for data communication be-
tween the field instrumentation and the other parts of a system,
(HSC Code 11.1.2) and between different systems.
B 200 Terms related to computer based system 217 An instrument net is used for data communication with-
201 A complex system is a system for which all functional in the field instrumentation connecting instruments in a net-
and failure response properties for the completed system can- work.
not be tested with reasonable efforts. Units and systems han- 218 Multifunction VDUs and UIDs are VDUs and UIDs that
dling application software belonging to several functions, and are used for more than one essential and/or important function
software that includes simulation, calculation and decision for both control and monitoring, e.g. VDUs and UIDs used for
support modules are normally considered as complex. integrated computer systems.
202 Computer includes any programmable electronic sys-
tem, including main-frame, mini-computer or micro-compu-
ter.
C. Documentation
203 Computer based system serving an essential or impor-
tant function: The function can be in operation without support C 100 General
from the computer system, i.e. the computer is not part of the 101 The documentation listed in 102 to 104 is to be submit-
function. ted as detailed in 400 to 600. The documentation is to be sub-
204 Computer based system as part of an essential or impor- mitted in triplicate for approval, except the manuals marked
tant function: The function can not be in operation without with *, where one copy is to be submitted for information only.
support from the computer system, i.e. the computer is part of 102 Documentation required to describe each instrumenta-
the function. tion system is to be selected from the documentation types list-
205 Visual display unit (VDU) is any area where information ed below:

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.1 – Page 7

— functional description (documentation type 040) (T)

— system block diagrams Drawings showing the major inter-relationships between all
— system diagrams (Piping and Instrument Diagrams parts (units, modules) of the system and interfaces with other
(P&IDs), Duct and Instrument Diagrams (D&IDs), etc.) systems.
— user interface documentation* For computer based system, independence for systems and
— power supply arrangement sensors is to be shown, when such independence is required.
— arrangement and layout
— cable routing layout drawing 205 System diagrams (P&IDs, D&IDs, etc.)
(documentation type 050) (T)
— instrument and equipment list Schematic drawings showing the layout of the process includ-
— data sheets with environmental specifications ing all instruments and control devices.
— data sheets with performance and accuracy specifications
— operation manual* 206 User interface documentation
— installation manual* (documentation type 060)
— maintenance manual*. A drawing showing the physical layout and dimensions of each
control station. A description of the functions allocated to each
103 Additional requirements for computer based systems: keyboard and screen. A description of individual screen views
(schematics, colour prints, etc.). A description of how menus
— system philosophy (integrated system only) etc. are operated. A list of all alarms and operator messages.
— failure mode description Where the alarms or messages are not self-explanatory addi-
— test program for software at the manufacturer. tional explanations are to be included.
207 Power supply arrangement
104 A description of all tests that are to be carried out at the (documentation type 070) (T)
harbour and sea trials, together with the acceptance criteria for A drawing showing the power supply from main and back-up
each test, is to be submitted to the local DNV station. See also source (if provided).
subsection D.
105 Additional requirements for High Speed, Light Craft — electrical supply: diagram showing connection to distribu-
and Naval Surface Craft: tion board(s), batteries, converters or UPS, cable type and
cross sectional area, and fuse sizes
— failure mode and effect analysis (FMEA). — pneumatic supply: diagram showing connection to com-
pressor(s), accumulators, reduction valves, dust filter and
106 The documentation is to be limited to describe and ex- moisture filter, pipe ratings and dew point
plain the relevant aspects governed by the rule requirements. — hydraulic supply: diagram showing connection to hydrau-
Guidance note: lic power unit(s), accumulators, pumps and filters, and
A document may cover more than one instrumented system. A pipe ratings.
document may cover more than one documentation type.
208 Arrangement and layout
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- (documentation type 080) (T)
Drawings showing the physical location of all key components
107 Symbols used are to be explained, or reference to a in the system.
standard code is to be given.
209 Cable routing layout drawing
C 200 Documentation types (documentation type 090) (T)
201 General A drawing showing the physical routing of all cables being a
The documentation type number together with identification of part of the system. Where relevant, the drawing is also to show
the instrumentation system (see 400 to 600) can be used as a how the requirements to ensure electromagnetic compatibility
unique identifier for the document. The "T" indicates that the (EMC) stated in Sec.5 are implemented with respect to cable
documentation type is required also for instrumentation sys- shielding, separation and routing.
tems where type approved components or software modules 210 Instrument and equipment list
are used (see 300). (documentation type 100)
202 System philosophy A list stating for each key component as applicable:
(documentation type 020) (T)
A document describing the purpose of the system and the prin- — system
ciples that will be used in the technical implementation of the — name of manufacturer
system. — type etc., necessary to identify the component
203 Functional description — working range
(documentation type 030) — set points
— cross reference identification (tag number) to "system dia-
— a description of all functions incorporated in the system grams (P&IDs, D&IDs, etc.)"
— a description of all interfaces towards other systems, in- — reference to type approval certificate
cluding the information carriers' characteristics
— reference to Ex certificate
— one-line diagrams for systems that are not computer based
— safe installation distance to magnetic compass (bridge
Additionally for computer based systems: mounted equipment only)
— for computer based systems: I/O module number.
— a description of the communication software installed on
nodes in a network 211 Data sheets with environmental specifications
— switching mechanisms for systems designed with redun- (documentation type 110)
dancy. Data sheets showing for each key component conformance
with the requirements for environmental conditions stipulated
204 System block diagrams in Sec.5.

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.1 – Page 8

212 Data sheets with performance and accuracy specifica- 217 Installation manual*
tions (documentation type 170)
(documentation type 115) A document providing information about the installation pro-
Data sheets showing for each key component performance and cedures.
accuracy specifications. 218 Maintenance manual
213 For ships: Failure mode description (documentation type 180)
(documentation type 130) (T) A document intended for regular use on board providing infor-
A document describing the effects due to failures in the sys- mation about:
tems (not failures in the equipment supported by the systems).
The following aspects are to be covered: — maintenance and periodical testing
— acceptance criteria
— a list of failures which are subject to assessment, with ref- — fault identification and repair
erences to the system documentation — list of the suppliers' service net.
— a description of the system response to each of the above
failures 219 For ships: Cause and effect diagram
— a comment to the consequence of each of these failures. (documentation type 190) (T)
A matrix showing all inputs (causes) to a system and all corre-
Guidance note: sponding outputs (effects). This documentation type is rele-
It is recommended to do this description in two steps: vant for safety shutdown systems. Where more than one sheet
is necessary for the matrix, the cause and effect diagram is to
a) System level: Units, as shown in a system block diagram, be organised according to physical areas of the vessel. All
should be identified. Each unit should be allocated a set of causes and effects are to be given a descriptive text, and are to
properties to reflect their expected response in case of sys- be easily traceable to the corresponding arrangement and lay-
tem failures. The total system failure response to various outs, system diagrams (P&IDs, D&IDs, etc.) or electrical sin-
failures to be described based on these unit descriptions. gle line diagrams. Information about fail-safe mode is to be
b) Unit level: Essential units should be subject to separate as- included for all input and output lines, see also "Schematic di-
sessment, with the purpose to verify that they, in case of fail- agrams of input and output circuits".
ures, respond according to their expected failure response.
220 For ships: Schematic diagrams of input and output cir-
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
cuits
(documentation type 200) (T)
214 For HS, LC and NSC: Failure mode and effect analysis For each type of input and output device, a typical electrical
(FMEA) (documentation type 135) (T) schematic drawing. For each individual input and output de-
See Rules for Classification of High Speed, Light Craft and vice, information about fail-safe mode (normally energised or
Naval Surface Craft, Pt.0 Ch.4 Sec.2. normally deenergised operation) and what kind of line moni-
toring that is implemented (line break, short circuit and/or
215 Test program for application software at manufacturer earth fault).
(documentation type 140 (T)
A description of all tests that are to be carried out at the manu- C 300 Type approved products
facturer's works on the software together with acceptance cri- 301 For type approved components or software modules,
teria for each test. The tests are to cover all functions identified reference is to be made to the type approval certificate number,
in the documentation related to software and all normal failure the manufacturer's name and product type identification.
modes. See also subsection D.
Guidance note:
216 Operation manual* Documentation that has been approved during the type approval
(documentation type 160) process is not to be submitted, unless it has been revised.
A document intended for regular use on board, providing in-
formation as applicable about: ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

— operation mode for normal system performance, related to 302 For systems where type approved components or soft-
normal and abnormal performance of the EUC ware modules are incorporated, only the documentation types
— operating instructions for normal and degraded operating marked with "T" in 200 are to be submitted. However, docu-
modes mentation types not marked with "T" is also to be submitted if
— details of the user interface their contents vary for different deliveries of the component or
— transfer of control software module.
— redundancy 303 For type approved systems, where different options exist
— test facilities for the configuration, the type approval certificate is to be com-
— failure detection and identification facilities (automatic pleted with information about the components and software
and manual) modules that are incorporated.
— data security
C 400 Plans and particulars, ships
— access restrictions
— special areas requiring user attention 401 For ✠ 1A1 ships, documentation is to be submitted ac-
— procedures for start-up cording to Table C1. The upper row of Table C1 refers to the
— procedures for restoration of functions documentation types defined in 200.
— procedures for data back-up 402 Requirements for documentation of additional class no-
— procedures for software re-load and system regeneration. tations are stated in Pt.5 and Pt.6.

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.1 – Page 9

Table C1 Requirements for documentation of ✠ 1A1 ships

020 030 040 050 060 070 080 090 100 110 115 120 130 140 150 160 170 180 190 200
AUX X X X X X X
BOC X X X X X X X
ICM X X X X X
MAS X X X X X X X X
LKA X X X
MCH X X X X X X X X
MCR X X X X X X X X
PMS X X X X X
SGC X X X X X X X X X
SID X X X X X X X
TEL X X X
TRU X X X X X X X X X X
WDO X X X X X

Instrumentation systems: Documentation types:

AUX Auxiliary engine control and monitoring 020 System philosophy (T)
BOC Oil-fired boilers, thermal oil heaters and water heaters con- 030 Functional description
trol and monitoring 040 System block diagrams (T)
ICM Incinerators control and monitoring 050 System diagrams (P&IDs, D&IDs, etc.) (T)
LKA Leak detection system 060 User interface description
MAS Main alarm, control and monitoring system 070 Power supply arrangement (T)
MCH Propulsion control and monitoring 080 Arrangement and layout (T)
MCR Remote control of propulsion 090 Cable routing layout drawing (T)
PMS Power management system 100 Instrument and equipment list
SGC Steering gear control and monitoring 110 Data sheets with environmental specifications
SID Side (auxiliary) thrusters control and monitoring 130 Failure mode description (T)
TEL Internal communication systems 140 Test program for application software at manufacturer (T)
TRU Propulsion thrusters control and monitoring
WDO Watertight doors and hatches control and monitoring
T Required also for type approved systems

C 500 Plans and particulars, HS, LC and NSC The upper row of Table C2 refers to the documentation types
501 For ✠ 1A1 High Speed, Light Craft and Naval Surface defined in 200.
Craft, documentation is to be submitted according to Table C2. 502 Requirements for documentation of additional class no-
tations are stated in Pt.5 and Pt.6.

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.1 – Page 10

Table C2 Requirements for documentation for ✠ 1A1 High Speed, Light Craft and Naval Surface Craft
020 030 040 050 060 070 080 090 100 110 115 120 135 140 150 160 170 180
AUX X X X X X X
DSY X X X X X X X X
FDO X X X X X
GAL X X X X X X
MAS X X X X X1) X X X
MCH X X X X X X X
MCR X X X X X X X
PMS X X X X X
SID X X X X X X X
SSY X X X X X X X X
TEL X X X X
TVS X X X X
WDO X X X X
In addition for class notation E0:
BIC X X X
BLC X X X
EPC X X X X X
FUO X X
HYD X X
LUO X X
PNE X X
SWC X X

Instrumentation systems Documentation types

AUX Auxiliary engine control and monitoring 020 System philosophy (T)
BIC Bilge system control and monitoring 030 Functional description
BLC Ballast system control and monitoring 040 System block diagrams (T)
DSY Directional control system control and monitoring 050 System diagrams (P&IDs, D&IDs, etc.) (T)
EPC Generator and electrical power system control and mon- 060 User interface description
itoring 070 Power supply arrangement (T)
FDO Fire doors control and indication system 080 Arrangement and layout (T)
FUO Fuel oil system control and monitoring 090 Cable routing layout drawing (T)1)
GAL General alarm / public address system 100 Instrument and equipment list
HYD Hydraulic power system control and monitoring 110 Data sheets with environmental specifications
LUO Lubricating oil system control and monitoring 135 Failure mode and effect analysis (FMEA) (T)
MAS Main alarm, control and monitoring system 140 Test program for application software at manufacturer (T)
MCH Propulsion control and monitoring
MCR Remote control of propulsion
PMS Power management system
PNE Pneumatic control and monitoring system
SID Side (auxiliary) thrusters control and monitoring
SSY Stabilisation system control and monitoring
SWC Sea and fresh water system control and monitoring
TEL Internal communication systems
TVS Television surveillance system
WDO Watertight doors and hatches control and monitoring
T Required also for type approved systems
1) Network cables only

D. Tests 103 The tests and visual examinations are to verify that all
relevant rule requirements are met. The tests are only to cover
D 100 General requirements given by these rules. The test programs are to
specify in detail how the various functions are to be tested and
101 All tests are to be according to test programs approved what is to be observed during the tests.
by the Society.
104 Failures are to be simulated as realistically as possible,
102 Approval tests according to 200, 300 and 400 are to be preferably by letting the monitored parameters exceed the
performed at the manufacturers works. alarm and safety limits. Alarm and safety limits are to be
checked.
The following is to be evaluated during approval test of appli-
cation software: 105 It is to be verified that all automatic control functions are
working satisfactorily during normal load changes.
— tools for system set-up and configuration of the EUC
— plan for software development and production, see also D 200 Software module testing
Sec.4 B200. 201 Documentation of compliance with software module

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.1 – Page 11

testing according to requirements for software manufacturing units. The tests may also include several systems.
as described in Sec.4 B200 is to be available in connection with 402 System tests are to be done with the software installed
survey at manufacturers' works.
on the actual systems to be used on board, interconnected to
D 300 Integration testing demonstrate the functions of the systems with several units and
/ or the functions of several systems.
301 Integration tests includes integration of hardware com-
ponents into hardware units and integration of software mod- Guidance note:
ules in the same hardware unit. The tests may be done on a representative test system if the com-
puter hardware is type approved.
302 Integration tests are to be done with the actual software
and hardware to be used on board and are to include: ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

a) Hardware tests 403 The tests are to include those tests which were not /
could not be completed on unit level.
— hardware failures.
D 500 On-board testing
b) Basic software tests
501 The tests are to include:
— basic software failures.
a) During installation the correct function of individual
c) Application software tests. equipment packages, together with establishment of cor-
rect parameters for alarm, control and safety (time con-
stants, set points, etc.).
d) Function tests of normal system operation and normal
EUC performance, in accordance with the rules. Function
tests are also to include a degree of performance testing b) During installation and sea trials, the correct function of
outside of the normal operating parameters. systems and integration of systems, including the ability of
the control systems to keep any EUC within the specified
e) User interface tests. tolerances.

Guidance note:
The tests may be done on a representative test system if the com- c) The correct protection and capacity of power supplies.
puter hardware is type approved.
502 A copy of the approved test programme is to be kept on
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- board. It is to be completed with final set points and endorsed
by the surveyor.
D 400 System testing 503 The test program for harbour and sea trials is to be ap-
401 System tests includes the entire system, integrating all proved by the local DNV station.

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.2 – Page 12

SECTION 2
DESIGN PRINCIPLES

A. System Configuration 404 At least two interchangeable multifunction VDUs and

UIDs are to be available at each control station.
A 100 General Guidance note:
101 Whenever possible, essential and important systems are The number of units at control stations are to be sufficient to en-
to be so arranged that a single failure in one system of one unit sure that all functions may be provided for with any one unit out
cannot spread to another unit (e.g. by use of selective fusing of of operation, taking into account any functions which are re-
electrical distribution systems). quired to be continuously available.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
A 200 Field instrumentation
201 The field instrumentation belonging to separate essential A 500 Redundancy
process segments are to be mutually independent.
501 Redundancy, e.g. manual operating facilities, is to be
Guidance note: built in to the extent necessary for maintaining the safe opera-
System B is independent of system A when any single system tion of the vessel. Changeover to systems, designed with re-
failure occurring in system A has no effect on the maintained op- dundancy, is to be simple even in cases of failure to control and
eration of system B. A single system failure occurring in system monitoring systems.
B may effect on the maintained operation of system A.
Guidance note:
Two systems are mutually independent when a single system
failure occurring in either of the systems has no consequences for Redundancy is defined as two mutually independent systems that
the maintained operation of the other system according to above. can maintain a function. The two systems may be of a different
Redundancy may provide the necessary independence. See 400. type or have different functionality. See also definition in Ch.1 of
the Rules for Classification of Ships.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- Due regard should be taken as to manning levels when consider-
ing the extent and availability of spare parts and the degree of re-
202 The alarm system, automatic control system and safety dundancy to be employed. This is in order to ensure continuity of
shutdown system are to be designed mutually independent un- operation upon failure of the instrumentation equipment.
less redundancy is provided and an alarm is given when the re-
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
dundancy is lost.
203 When the field instrumentation of a process segment is 502 Automatic switching between two systems is not to be
common for several systems, and any of these systems is es- dependent on only one of the systems.
sential, failures in any of the systems are not to affect this field
instrumentation. A 600 Additional requirements for HS, LC and NSC
204 When manual emergency operation of an essential proc- 601 Failure of any remote or automatic control systems
ess segment is required, the field instrumentation required for should initiate an audible and visual alarm and should not pre-
the manual emergency operation is to be independent of other vent normal manual control.
parts of any system. (HSC Code 11.2.1)
205 When traditional mechanical components are replaced 602 Manoeuvring and emergency controls should permit the
by electronic components, these components are to have the operating crew to perform the duties for which they are respon-
same reliability as the mechanical component being replaced. sible in a correct manner without difficulty, fatigue or excessive
concentration.
Guidance note:
(HSC Code 11.2.2)
Electronic governors should have their power supply independ-
ent of other consumers and maximum unavailable time of R0.
Governors, which keep the last position upon power failure, are
regarded as fulfilling the above. Speed sensor cabling should be
mechanically well protected. B. Maximum Unavailable Time
Electric and electronic fuel injectors should be designed to per-
mit the necessary functionality, in case of the most probable fail- B 100 General
ures. 101 The time needed to bring a system back in operation
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
upon a failure condition, is to be adapted to the redundancy re-
quirements imposed on the system served (see Ch.1 Sec.3 B of
the Rules for Classification of Ships).
A 300 System
102 Typical maximum unavailable times for the different
301 For an essential system having more than one process categories are found in Table B1.
segment, failure in the field instrumentation of one process
segment is not to result in failure for the remaining parts of the Table B1 Maximum unavailable time
system.
R0 None
A 400 Integrated system R1 30 s
401 Essential systems, excluding common process seg- R2 10 minutes
ments, are to be independent of other systems. R3 3 hours
402 Non-important systems or parts of non-important sys- 103 The requirements in 200 to 500 only apply for systems
tems which may affect essential or important systems are to of maximum unavailable time category R0, R1, R2 or R3.
meet the requirements for important systems.
403 UIDs for control are only to be available on workstations B 200 Continuous availability (R0)
from where control is permitted. 201 A system serving a function that is to be continuously

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.2 – Page 13

available is to be designed to provide no interrupts of the func- detect the most probable failures that may cause reduced or er-
tion neither in normal operation modes nor in case of a single roneous system performance.
system failure.
102 The self-check facilities are to cover at least, but not lim-
202 Changeover between redundant systems is to take place ited to; the following failure types:
automatically and with no disturbances for the continuous op-
eration of the function in case of system failure. User requested — power failures
changeovers are to be simple and easily initiated and take place — sensor and actuator failures.
with no unavailable time for the function.
203 User interfaces of redundant systems are to allow super- And additionally, for computer based systems:
vision of both systems from the same position.
— communication errors
B 300 High availability (R1) — computer hardware failures
301 A system serving a function that is to have high availa- — software execution failures
bility, is to be designed to provide continuous availability in — software logical failures
normal operation modes. — for essential systems: Loop failures (at least broken con-
302 In case of system failures, changeover between redun- nections and short circuit).
dant systems is to take place automatically if redundancy is re-
quired. User requested changeover in normal operation is to be 103 Adequate failure detection may be obtained by combin-
simple and easily initiated and take place within the same max- ing two mutually independent systems, which together provide
imum time. the required failure detection properties, e.g. an automatic con-
303 User interfaces of redundant systems are to be located trol system together with an independent alarm system.
close to each other and changeover between the systems is to 104 Detection of failures in essential and important systems
have no significant effect on the user's maintained execution of is to initiate an alarm.
other tasks.
C 200 Fail-to-safety
B 400 Manual system restoration (R2)
401 A system serving a function that requires manual system 201 The most probable failures, e.g. loss of power or wire
restoration is to be designed to provide restoration of the func- failure, are to result in the least critical of any possible new
tion within a maximum time specified for R2, in case of system conditions.
failures. Guidance note:
Guidance note: Total loss of power to any single control system should not result
Restoring a function may involve a limited number of simple in loss of propulsion or steering.
manual actions.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
User interfaces of redundant systems may be designed for man-
ning of normally unattended workstations when required, pro-
vided such manning is immediately available.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
D. Emergency Operation
B 500 Repairable systems (R3) D 100 Local control
501 A system serving a function of category R3 is to be de-
signed to provide restoration of the function within a maxi- 101 It shall be possible for all machinery essential for the
mum time specified for R3 in case of system failures. safe operation of the ship to be controlled from a local position,
even in the case of failure in any part of the automatic or re-
Guidance note: mote control systems.
Restoring a function may involve a number of manual opera-
tions, including minor replacements or repair of equipment. (SOLAS Reg. II-1/49.4). See also Ch.1 Sec.3 B300 of the
Rules for Classification of Ships.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
D 200 Manual emergency operation
201 For functions where manual emergency operation is re-
C. Response to Failures quired, this is to be used to maintain a minimum functionality
in case of major system failures.
C 100 Failure detection 202 This system is to be installed as an integral part of the
101 Essential and important systems are to have facilities to mechanical equipment.

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.3 – Page 14

SECTION 3
SYSTEM DESIGN

A. System Elements 307 Control system elements are to include safety interlocks
when the consequence of erroneous user actions may lead to
A 100 General major damage or loss of essential or important functions.
101 A system consists of one or several system elements 308 Safety interlocks in different parts of the systems are not
where each system element serves a specific function. to conflict with each other.
102 System elements belong to the following categories: Basic safety interlocks are to be hardwired and are to be active
during remote and local operation.
— automatic control
— remote control Guidance note:
— alarm Hardwired safety interlocks should not be overridden by pro-
— safety grammable interlocks.
— indications ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
— planning and reporting
— calculation, simulation and decision support. A 400 Safety
A 200 Automatic control 401 A safety system element is to be arranged to automati-
201 Automatic control is to keep process equipment varia- cally take safety actions on occurrence of predefined abnormal
bles within the limits specified for the process equipment (e.g. process equipment states. The corresponding system element
the machinery) during normal working conditions. includes all resources required to execute these actions.
202 The automatic control is to be stable over the entire con- 402 The safety system element is to be so designed that the
trol range. The margin of stability is to be sufficient to ensure most probable failures, e.g. loss of power supply or wire fail-
that variations in the parameters of the controlled process ure, result in the least critical of any possible new condition
equipment that may be expected under normal conditions, will (fail to safety) taking into consideration the safety of the ma-
not cause instability. The automatic control system element is chinery itself as well as the safety of the vessel.
to be able to accomplish the function it is to serve. 403 Automatic safety actions are to give alarm at predefined
203 Automatic control such as automatic starting and other workstations.
automatic operations are to include provisions for manually 404 When the safety system element stops a unit, the unit is
overriding the automatic controls unless designed according to not to start again automatically.
Sec.4 A101 or safe manual operation is not feasible. Failure of
any part of such systems is not to prevent the use of the manual 405 When a safety system element is made inoperative by a
override. manual override, this is to be clearly indicated at predefined
workstations.
A 300 Remote control
406 When the safety system element has been activated, it is
301 At the remote command location, the user is to receive to be possible to trace the cause of the safety action by means
continuous information on the effects of his orders. of central or local indicators.
302 One command location is to be designated as the main
command location. The main command location is to be inde- A 500 Alarms
pendent of other command locations. 501 Alarms are to be visual and audible and are to indicate
303 When control is possible from several locations, only abnormal conditions only. In areas where the audible signal
one is to be in control at a time. may not be heard due to background noise, additional visual
and audible display units are to be installed.
304 Actual control is not to be transferred before acknowl-
edged by the receiving command location unless the command Guidance note:
locations are located close enough to allow direct visual and Several suitably placed low volume audible alarm units should
audible contact. Transfer of control is to give audible pre- be used rather than a single unit for the whole area. A combina-
warning. The main command location is to be able to take con- tion of audible signals and rotating light signals may be of advan-
tage.
trol without acknowledgement.
Guidance note: ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
There may be several main command locations on different lev-
els. For example for remote control of propulsion machinery, the 502 Visual alarms are to be easily distinguishable from other
engine room is the main station. For offshore bow loading the indications by use of colour and special representation.
navigating bridge is the main location. This implies that the com- Guidance note:
mand location at navigating bridge may take control without ac-
knowledgement from the bow command location, and the engine In view of standardising, visual alarm signals should preferably
room may take command without acknowledgement from the be red. Special representation may be a symbol.
command location at the navigating bridge or from the bow com- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
mand location.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- 503 Audible alarms are to be readily distinguishable from
signals indicating normal conditions, telephone signals, differ-
305 Means are to be provided to prevent significant altera- ent alarm systems and noise.
tion of process equipment parameters when transferring con- 504 Responsibility for alarms is not to be transferred before
trol from one location to another. acknowledged by the receiving location. Transfer of responsi-
306 On each alternative command location, it is to be indi- bility is to give audible pre-warming. On each alternative loca-
cated when this location is in control. tion, it is to be indicated when this location is in charge.

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.3 – Page 15

505 Presentation and acknowledgement of alarms are only to A 800 Planning and reporting
be possible at the workstation(s) dedicated to respond to the Guidance note:
alarm.
Planning and reporting functions are used to present a user with
Guidance note: information to plan future actions.
Alarm lists may be available on any workstation. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
801 Planning and reporting system elements are to have no
outputs for real-time process equipment control during plan-
506 Alarms at workstations are normally to be manually ac- ning mode.
knowledged in two steps:
Guidance note:
1) silencing audible signal and additional visual signal (e.g. The output may however be used to set up premises for process
rotating light signals) leaving the visual signal on the equipment control, e.g. route plan used as input to an auto- pilot
workstation unchanged. After acknowledgement, the au- or load plan used as input for automatic or user assisted sequence
dible signal is to operate for any new failure. control of the loading.

2) acknowledging the visual alarm. Alarms, including the de- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

tection of transient faults, are to be maintained until ac-
knowledgement of the visual indication. The visual A 900 Calculation, simulation and decision support
indications of individual alarms are to remain until no ab- 901 Output from calculation, simulation or decision support
normal condition is being detected. Acknowledged alarms modules is not to suppress basic information necessary to al-
are to be clearly distinguishable from unacknowledged low safe operation of essential and important functions.
alarms. Flashing is, when used, to indicate unacknowl-
edged alarms. Guidance note:
Output from calculation, simulation or decision support modules
507 Acknowledgement of visual signals is to be separate for may be presented as additional information.
each signal or common for a limited group of signals. Ac- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
knowledgement is only to be possible when the user has visual
information on the alarm condition for the signal or all signals
in a group.
508 Local audible signal for an alarm included in a central- B. General Requirements
ised alarm handling system is to be suppressed when localised
in the same workplace as the centralised alarm handling sys- B 100 System operation and maintenance
tem. 101 Start-ups and restarts are to be possible without special-
509 Permanent suppression of alarm units shall not to be ised system knowledge. On power-up and restoration after loss
possible. In particular cases, however, manual suppression of of power, the system is to be restored and resume operation au-
separate alarms may be accepted, when this is clearly indicated tomatically.
at all times. 102 Testing of essential systems and alarm systems is to be
510 Sufficient information is to be provided to ensure opti- possible during normal operation. The system is not to remain
mal alarm handling. Alarm text is to be easily understood. in test mode unintentionally.
511 The more frequent failures within the alarm system, Guidance note:
such as broken connections to measuring elements, are to re- Automatic return to operation mode or alarm should be arranged.
lease alarm. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
512 Interlocking of alarms is to be arranged so that most
probable failures in the interlocking system, e.g. broken con- B 200 Power distribution
nection in external wiring, does not prevent alarms. 201 Independent systems designed with redundancy are to
513 Blocking of alarm and safety functions in certain operat- have separate supplies from the distribution system and sepa-
ing modes (e.g. during start-up) is to be automatically disabled rate circuit protection.
in other modes. 202 Systems designed with redundancy are, if connected to
514 It is to be possible to delay alarms to prevent false alarms the same distribution switchboard, to be supplied from at least
due to normal transient conditions. two power sources with independent supply to the distribution
switchboard.
A 600 Pre-warning Guidance note:
601 Pre-warnings are to be acknowledged. Pre- warnings are The second source may be a battery.
to be distinguishable from alarms. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 700 Indication 203 Power for local emergency operation is to be derived

701 Indications sufficient to allow safe operation of essential from the mechanical system, or from a local dedicated source.
and important functions are to be installed at all control loca- 204 Systems that may be exposed to conducted electromag-
tions from where the function is to be accomplished. Alarms or netic interference exceeding their immunity level through their
pre-warnings are not considered as substitutes for indications electrical power supplies are to have provision for adequately
for this purpose. filtered power.
Guidance note: 205 Essential and important systems are to be continuously
It is advised that indicating and recording instruments are cen- powered and are to have an automatic change-over to a stand-
tralised and arranged to facilitate watch-keeping, e.g. by stand- by power supply in case of loss of normal power supply. The
ardising the scales, applying mimic diagrams, etc. stand-by power supply is to be from an uninterruptible power
supply (UPS). The UPS is to comprise of continuously charged
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- and dedicated accumulator batteries of an arrangement, loca-

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.3 – Page 16

tion and endurance equivalent to that of the emergency source cally reset to the normal operating condition. If an alarm has
of electrical power. been accepted and a second fault occurs before the first is rec-
tified, the audible and visual alarms should operate again.
Upon failure of the normal or the stand-by power supply, an
alarm is to be initiated. (HSC Code 11.4.1, first part)
Guidance note:
This requirement is in addition to the requirement found in A506.
C. Additional Requirements for System Design ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
of HS, LC and NSC
202 Alarm systems should incorporate a test facility.
C 100 Safety (HSC Code 11.4.1, last part)
101 When two or more safety actions are initiated by one 203 The alarm system element is to be continuously powered
failure condition (e.g. start of standby pump and stop of engine and is to have an automatic changeover to a stand-by power
at low lubricating oil pressure), these actions are to be activat- supply in case of loss of normal power supply. Upon failure of
ed at different levels. The least drastic action is to be activated the normal power supply, alarm is to be initiated.
first.
204 The alarm system should meet appropriate construction-
C 200 Alarm al and operational requirements for required alarms. (Refer to
the Code on alarms and indicators, 1995 adopted by the Or-
201 Alarms should be maintained until they are accepted and ganisation by resolution A.830(19).)
the visual indications of individual alarms should remain until
the fault has been corrected, when the alarm should automati- (HSC Code 11.4.2)

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.4 – Page 17

SECTION 4
ADDITIONAL REQUIREMENTS FOR COMPUTER BASED SYSTEMS

A. General Requirements A 500 Temperature control

501 Wherever possible, computers are not to have forced
A 100 System dependency ventilation. For systems where cooling or forced ventilation is
101 Where a computer based system is part of an essential required to keep the temperature at an acceptable level, alarm
function, a secondary means of operation is to be provided by for high temperature or maloperation of the temperature con-
either non-computer based system or by an independent com- trol function, is to be provided.
puter based system of appropriate diversity.
A 600 System maintenance
A 200 Storage devices 601 Integrated systems supporting one or more essential or
201 The on-line operation of essential functions is not to de- important function are to be arranged to allow individual units
pend on the operation of rotating bulk storage devices. to be tested, repaired and restarted without interference with
the maintained operation of the remaining parts of the system.
Guidance note:
This does not exclude the use of such storage devices for main- 602 Essential systems are to have diagnostic facilities to sup-
tenance and back-up purposes. port finding and repairs of failures.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- A 700 System access
202 Software and data necessary to ensure satisfactory per- 701 Access to system set-up or configuration functions for
formance of essential and important functions are to be stored the EUC is to be protected to avoid unauthorised modifications
in non-volatile memory (e.g. EPROM, EEPROM or FLASH). of the system performance. For screen based systems, tools are
Exception may be given for RAM with battery backup if the to be available to allow easy and unambiguous modification of
following three conditions are met: configuration parameters allowed to be modified under normal
operation.
— low battery voltage results in an alarm or visual indication Guidance note:
detectable by routine inspections As a minimum, this applies to:
— battery can easily be replaced by crew personnel without
danger of losing data - calibration data
- alarm limit modification
— battery failure is to have no influence on performance as - manual alarm inhibiting.
long as normal power supply is maintained.
The operator is only to have access to the application(s) related
A 300 Computer usage to the operation of the functions covered by the system according
to 301. Access to other applications or installations of such, are
301 Computers serving essential and important functions are to be prevented. Hot keys normally giving access to other func-
only to be used for purposes relevant to vessel operation. tions or program exits (Alt+Tab, Ctrl+Esc, Alt+Esc, double-
clicking in background, etc.) are to be disabled.
A 400 System response and capacity ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
401 Systems used for control and monitoring are to provide
response times compatible with the time constants of the relat- 702 Unauthorised access to essential and important systems
ed EUC (equipment under control). from a position outside the vessel is not to be possible.
Guidance note:
The following response times are applicable for typical EUC on
vessels: B. System Software
Data sampling for automatic control purposes (fast 0.1 s B 100 Software requirements
changing parameters)
Data sampling, indications for analogue remote 0.1 s 101 Basic software on processor systems running applica-
controls (fast changing parameters) tion software belonging to different functions, are to have fa-
cilities for:
Other indications 1s
Alarm presentations 2s — running several modules under allocated priorities
Display of fully updated screen views 2s — detection of execution failures of individual modules
Display of fully updated screen views including 5s — discrimination of faulty modules to ensure maintained op-
start of new application eration at least of modules of same or higher priority.
102 Individual application software modules allocated as
tasks under an operating system as specified above are not to
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
perform operations related to more than one function. These
402 System start-up and system restoration after power fail- modules are to be allocated priorities in accordance with the
ures is to take place with sufficient speed to comply with the relative priority between the functions they serve.
maximum unavailable time for the systems. The system is to 103 When hardware belonging to inputs, outputs, communi-
revert to a pre-defined state providing an appropriate level of cation links and user interface is configured to minimise the
safety. consequences of failures, the related software is to be separat-
403 System capacities are to be sufficient to provide ade- ed in different computer tasks to secure the same degree of sep-
quate response times for all functions, taking the maximum aration.
load and maximum number of simultaneous tasks under nor- 104 When calculation, simulation or decision support ele-
mal and abnormal conditions for the EUC into consideration. ments are used to serve essential functions, and a basic func-

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.4 – Page 18

tionality can be maintained without these elements, the 102 Alarm messages for alarms required in the rules (and re-
application software is to be designed to allow such simplified lated alarms) are, when initiated, to be given priority over any
operation. other information presented on the VDU. Such alarms are to be
105 System set-up, configuration of the EUC and the setting easily distinguishable from other alarms. The entire list of
of parameters for the EUC onboard are to take place without alarm messages is to be easily available.
modification of program code or recompilation. The Society is 103 Alarms are to be time tagged.
to be notified if such actions cannot be avoided. 104 Time tagging for all alarms is to be consistent through-
106 Means are to be provided to identify the software ver- out the system.
sion(s) of the software in use. Guidance note:
Guidance note: To handle inconsistency of time tagging when the same alarm is
available at several positions on the vessel.
- When the setting of parameters is equivalent to programming
then version identification of these settings is to be available. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Version identification may be a check sum.
- For integrated systems, identification is to be available in the 105 Full redundancy is to be provided for VDU's receiving
system overview. and displaying alarm presentations of essential screen based
- For any screen based system, identification is to be readily systems.
available on the VDU during normal operation.
- PROM's are to be labelled. Guidance note:
A printer or other equivalent means may provide the necessary
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- redundancy.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
B 200 Software manufacturing
201 All relevant actions are to be taken during manufactur- 106 UIDs are to be designed and arranged to avoid inadvert-
ing of software for a complex system to ensure that the proba- ent operation.
bility of errors to occur in the program code is reduced to an For essential and important systems, dedicated function key-
acceptable level. boards are to be used.
Relevant actions are at least to include: 107 Symbols and their associated information in a mimic di-
agram are to have a logical relationship.
— actions to ensure that the programming of applications is
based on complete and valid specifications 108 Means are to be provided to ensure that only correct use
— actions to ensure that software purchased from other par- of numbers and letters and only values within reasonable limits
ties has an acceptable track record and is subject to ade- will be accepted when data is entered manually into the sys-
quate testing tem.
— actions to impose a full control of software releases and If the user provides the system with insufficient input, the sys-
versions during manufacturing, installation onboard and tem is to request the continuation of the dialogue by means of
during the operational phase clarifying questions. Under no circumstances is the system to
— actions to ensure that program modules are subject to syn- end the dialogue incomplete without user request.
tax and function testing as part of the manufacturing proc-
ess C 200 Illumination
— actions to minimise the probability of execution failures. 201 Means are to be provided for adjustment of illumination
of all VDUs and UIDs to a level suitable for all applicable light
Guidance note: conditions. However, it is not to be possible to make adjust-
Typical execution failures are: ments down to a level making information belonging to essen-
- deadlocks tial and important functions unreadable.
- infinite loops Guidance note:
- division by zero Adjustments may be arranged by use of different sets of colours
- inadvertent overwriting of memory areas suited for the applicable light conditions.
- erroneous input data.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

202 The actions taken to comply with 201 are to be docu- C 300 Colour screens
mented and implemented, and the execution of these actions is 301 For cathode ray tubes (CRTs), colours used for essential
to be retraceable. The documentation is to include a brief de- information are not to depend on a single source of light.
scription of all tests that apply to the system (hardware and
software), with a description of the tests that are intended to be
made by sub-vendors, those to be carried out at the manufac-
turer's and those to remain until installation onboard. D. Data Communication Links
D 100 General
101 Failure in a node is not to have any effect on the remain-
C. User Interface ing part of the data communication link and vice versa.
C 100 General 102 Data communication links are to be automatically ini-
tialised on power on. After a power interruption the links are to
101 The status of the information displayed is to be clearly regain normal operation without manual intervention.
indicated.
103 The capacity of the data communication link is to be suf-
Guidance note: ficient to prevent overload at any time.
This applies to e.g. indications not being updated or indication of
blocked alarm. 104 The data communication link is to be self-checking, de-
tecting failures on the link itself and data communication fail-
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- ures on nodes connected to the link. Detected failures are to

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.4 – Page 19

release an alarm on dedicated workstations. D 300 Local area networks designed with redundancy
105 For essential and important functions, means are to be 301 The requirements of 200 are to be complied with.
provided to prevent the acceptance of corrupted data at the re-
ceiving node. 302 Switching between the networks is to be automatic when
serving functions with category R0 and R1. Otherwise switch-
106 When two or more essential functions are using the same ing may be manual as long as the switching is simple and un-
data communication link, this link is to be designed with re- ambiguous.
dundancy.
107 Data communication links, designed with redundancy, D 400 Instrument net
are to be routed with as much separation as is practical. 401 Instrument nets are to meet the requirements of local
area networks.
D 200 Local area networks
201 Means are to be provided to monitor the usage and status D 500 Interconnection of networks
of the network. 501 Networks interconnected are to be mutually independ-
202 It is to be possible to remove and insert nodes without in- ent.
terrupting normal network operation. Guidance note:
203 When serving essential or important functions, facilities Means of interconnections may be routers, bridges or gateways.
are to be provided to ensure that a message is received within
a predefined time. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.5 – Page 20

SECTION 5
COMPONENT DESIGN AND INSTALLATION

A. General Guidance note:

The installation should as far as possible be built up from easily
A 100 Environmental strains replaceable units and designed for easy troubleshooting, check-
ing and maintenance. When a spare unit is mounted, only minor
101 Instrumentation equipment is to be suitable for marine adjustments or calibrations of the unit should be necessary.
use, and is normally to be designed to operate under environ- Faulty replacements should not be possible.
mental conditions as described in B, unless means are provided
to ascertain that the equipment parameters are not exceeded. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
These means are subject to approval on case-by-case basis.
102 Data sheets, sufficiently detailed to ensure proper appli- A 500 Marking
cation of the instrumentation equipment, are to be available. 501 All units and test points are to be clearly and permanent-
103 Performance and environmental testing may be required ly marked. Transducers, controllers and actuators are to be
to ascertain the suitability of the equipment. marked with their system function, so that they can be easily
and clearly identified on plans and in instrument lists. See also
A 200 Materials Ch.8 Sec.3 E.
201 Explosive materials and materials which may develop Guidance note:
toxic gases, are not to be used. Covers, termination boards, The marking of system function should preferably not be placed
printed circuit cards, constructive elements and other parts that on the unit itself, but adjacent to it.
may contribute to spreading fire, are to be of flame-retardant ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
material.
Guidance note: A 600 Standardising
Materials with a high resistance to corrosion and ageing should
be used. Metallic contact between different materials should not Guidance note:
cause electrolytic corrosion in a marine atmosphere. As base ma- Systems, components and signals should be standardised as far
terial for printed circuit cards, glass-reinforced epoxy resin or as practicable.
equivalent should be used.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

A 300 Component design and installation

301 Component design and installation are to facilitate oper-
ation, adjustment, repair and replacement. As far as practica- B. Environmental Conditions, Instrumentation
ble, screw connections are to be secured.
302 Mechanical resonances with amplification greater than B 100 General
10 are not to occur. 101 The environmental parameters given in 200 to 1100, in-
303 Electric cables and components are to be effectively sep- cluding any of their combinations, represent “average adverse”
arated from all equipment, which, in case of leakage, could conditions, which will cover the majority of applications on
cause damage to the electrical equipment. In desks, consoles board vessels. Where environmental conditions will exceed
and switchboards, which contain electrical equipment, pipes those specified, special arrangements and special components
and equipment conveying oil, water or other fluids or steam will have to be considered.
under pressure are to be built into a separate section with drain-
age. Table B1 Parameter class for the different locations on board
Parameter Class Location
304 Means are to be provided for preventing moisture (con-
densation) accumulating inside the equipment during opera- Temperature A Machinery spaces, control rooms,
accommodation, bridge
tion and when the plant is shut down.
B Inside cabinets, desks. etc. with temperature
305 Differential pressure elements (dp-cells) are to be able to rise of 5°C or more installed in location A
sustain a pressure differential at least equal to the highest pres- C Pump rooms, holds, rooms with no heating
sure for the EUC (equipment under control).
D Open deck, masts and inside cabinets, desks
306 Thermometer wells are to be used when measuring tem- etc. with a temperature rise of 5°C or more
perature in fluids, steam or gases under pressure. installed in location C
307 The installation of temperature sensors is to permit easy Humidity A Locations where special precautions
dismantling for functional testing. are taken to avoid condensation
B All locations except as specified for
308 Clamps used to secure capillary tubes are to be made of location A
a material that is softer than the tubing. Vibration A On bulkheads, beams, deck, bridge
A 400 Maintenance, checking B On machinery such as internal combustion
engines, compressors, pumps, including
401 Maintenance, repair and performance tests of systems piping on such machinery
and components are as far as practicable to be possible without C Masts
affecting the operation of other systems or components. Electro-mag- A All locations except as specified for bridge
Provisions for testing, (e.g. three-way cocks) are to be ar- netic compati- and open deck
ranged in pipes connecting pressure switches/transducers to bility (EMC) B All locations including bridge and open
EUC normally in operation at sea. deck

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.5 – Page 21

Components and systems designed in compliance with IEC en- B 300 Pneumatic and hydraulic power supply
vironmental specifications for ships, Publication No. 60092- 301 Nominal pressure ±20% (long and short time devia-
504 (1994), and for EMC, IEC Publication No. 60533, may be tions).
accepted after consideration.
Guidance note: B 400 Temperature
For details on environmental conditions for instrumentation, see 401 Class A:
Standard for Certification 2.4. Ambient temperatures +5°C to +55°C.
Navigation and radio equipment is to comply with IEC Publica- 402 Class B:
tion No. 60945, Marine navigational equipment - General re- Ambient temperatures +5°C to +70°C.
quirements.
For EMC only, all other bridge-mounted equipment; equipment 403 Class C:
in close proximity to receiving antennas, and equipment capable Ambient temperatures -25°C to +55°C.
of interfering with safe navigation of the ship and with radio- 404 Class D:
communications is to comply with IEC Publication No. 60945 Ambient temperatures -25°C to +70°C.
(1996) Clause 9 (covered by EMC class B).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- B 500 Humidity
501 Class A:
B 200 Electric power supply Relative humidity up to 96% at all relevant temperatures, no
condensation.
201 Power supply failure with successive power breaks with
full power between breaks. 502 Class B:
Relative humidity up to 100% at all relevant temperatures.
— 3 interruptions during 5 minutes
— switching-off time 30 s each case. B 600 Salt contamination
601 Salt-contaminated atmosphere up to 1 mg salt per m3 of
202 Power supply variations for equipment connected to air, at all relevant temperatures and humidity conditions.
A.C. systems:
B 700 Oil contamination
— combination of permanent frequency variations of ±5%
and permanent voltage variations of ±10% of nominal 701 Mist and droplets of fuel and lubricating oil. Oily fin-
gers.
— combination of frequency transients (5 s duration) ±10%
of nominal and voltage transients (1.5 s duration) ±20% of B 800 Vibrations
nominal.
801 Class A:
203 Power supply variations for equipment connected to
D.C. systems: Frequency range 3 to 100 Hz.
Amplitude 1 mm (peak value) below 13.2 Hz.
— voltage tolerance continuous ±10% of nominal Acceleration amplitude 0.7 g above 13.2 Hz.
— voltage transients cyclic variation 5% of nominal. 802 Class B:
— voltage ripple 10%.
Frequency range 3 to 100 Hz.
204 Power supply variations for equipment connected to bat- Amplitude 1.6 mm (peak value) below 25 Hz.
tery power sources: Acceleration amplitude 4.0 g above 25 Hz.
— +30% to -25% for equipment connected to battery during 803 Class C:
charging
— +20% to -25% for equipment connected to battery not be- Frequency range 3 to 50 Hz.
ing charged Amplitude 3 mm (peak value) below 13.2 Hz.
— voltage transients (up to 2 s duration) ±25% of nominal. Acceleration amplitude 2.1 g above 13.2 Hz.

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.5 – Page 22

Table B2 Minimum immunity requirements for equipment

Port Phenomenon Basic Standard Performance Test value
criteria
A.C. power Conducted low frequency IEC 60945 A 50 - 900 Hz: 10% A.C. supply voltage
interference 900 - 6000 Hz: 10 - 1% A.C. supply voltage
6 - 10 kHz: 1% A.C. supply voltage
Electrical fast transient (Burst) IEC 61000-4-4 B 2 kV 3)
Surge voltage IEC 61000-4-5 B 0.5 kV 1) /1 kV 2)
Conducted radio frequency IEC 61000-4-6 A 3 Vrms 3); (10 kHz)6) 150 kHz - 80 MHz
interference sweep rate ≤ 1.5 x 10-3 decade/s 7)
modulation 80% AM (1 kHz)
D.C. power Conducted low frequency IEC 60945 A 50 Hz - 10 kHz : 10% D.C. Supply voltage
interference
Electrical fast transient (Burst) IEC 61000-4-4 B 2 kV 3)
Surge voltage IEC 61000-4-5 B 0.5 kV 1) /1 kV 2)
Conducted radio frequency IEC 61000-4-6 A 3 Vrms 3); (10 kHz)6) 150 kHz - 80 MHz
interference sweep rate ≤ 1.5 x 10-3 decade/s 7)
modulation 80% AM (1 kHz)
I/O ports, sig- Electrical fast transient (Burst) IEC 61000-4-4 B 1 kV 4)
nal or control Conducted radio frequency IEC 61000-4-6 A 3 Vrms 3); (10 kHz)6) 150 kHz - 80 MHz
interference sweep rate ≤ 1.5 x 10-3 decade/s 7)
modulation 80% AM (1 kHz)
Enclosure Electrostatic discharge (ESD) IEC 61000-4-2 B 6 kV contact/8 kV air
Electromagnetic field IEC 61000-4-3 A 10 V/m5) 80 MHz-2 GHz
sweep rate ≤ 1.5 x 10-3 decade/s 7)
modulation 80% AM (1 kHz)
1) line to line
2) line to ground
3) capacitive coupling
4) coupling clamp
5) special situations to be analysed
6) test procedure to be described in the test report
7) for equipment installed in the bridge and deck zone (EMC Class B) the test levels are to be increased to 10 Vrms for spot frequencies in accordance with
IEC 60945 at 2/3/4/6.2/8.2/12.6/16.5/18.8/22/25 MHz. For screened cables, a special test set-up is to be used enabling the coupling into the cable screen.

Performance criterion A: The equipment under test (EUT) is to continue to operate as intended during and after the test. No degradation of performance or
loss of function is allowed as defined in the relevant equipment standard and in the technical specification published by the manufacturer.
Performance criterion B: The EUT is to continue to operate as intended after the test. No degradation of performance or loss of function is allowed as defined
in the relevant equipment standard and in the technical specification published by the manufacturer. During the test, degradation or loss of function or perform-
ance that is self recoverable is however allowed but no change of actual operating state or stored data is allowed.

Table B3 Maximum emission requirements for equipment

Class Location Port Frequency Range (Hz) Limits
150k – 30M 80 – 50 dBµV/m
Enclosure 30 – 100M 60 – 54 dBµV/m
(Radiated Emission) 100M – 2G 54 dBµV/m
All locations except except:
A bridge and open deck 156 – 165M 24 dBµV/m
Power (Conducted Emis- 10 – 150k 120 – 69 dBµV
sion) 150 – 500k 79 dBµV
500k – 30M 73 dBµV
150 – 300k 80 – 52 dBµV/m
Enclosure 300k – 30M 52 – 34 dBµV/m
(Radiated Emission) 30M – 2G 54 dBµV/m
All locations including except:
B bridge and open deck 156 – 165M 24 dBµV/m
Power (Conducted Emis- 10 – 150k 96 – 50 dBµV
sion) 150 – 350k 60 – 50 dBµV
350k – 30M 50 dBµV
B 900 Inclination Guidance note:
901 For ships, see Rules for Classification of Ships Pt.4 Ch.1 Electrical and electronic equipment should be designed to func-
tion without degradation or malfunction in their intended electro-
Sec.3 B200. For HS, LC and NSC, see Rules for Classification magnetic environment. The equipment should not adversely
of HS, LC and NSC Pt.4 Ch.1 Sec.1 A200. affect the operation of, or be adversely affected by any other
equipment or systems used on board or in the vicinity of the ves-
B 1000 Electromagnetic compatibility sel. Upon installation, it may be required to take adequate meas-
ures to minimise the electromagnetic noise signals, see
1001 The minimum immunity requirements for equipment Classification Note No. 45.1. Such measures may be in form of a
are given in Table B2, and the maximum emission require- list of electromagnetic noise generating- and sensitive equip-
ments are given in Table B3. ment, and an estimate on required noise reduction, i.e. an EMC

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.5 – Page 23

management plan. Testing may also be required to demonstrate Guidance note:

electromagnetic compatibility. Components weighing more than 10 grams (0.35 oz), should not
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- be fastened by their connecting wires only.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
B 1100 Miscellaneous
1101 In particular applications other environmental parame- C 300 Protection provided by enclosure
ters may influence the equipment, e.g.: 301 Enclosures for the equipment are to be made of steel or
other flame retardant material capable of providing EMC pro-
— acceleration tection and satisfy the minimum requirements of Table C1.
— fire The required degree of protection is specified in IEC 60529
— explosive atmosphere (International Electrotechnical Commission, Publication No.
— temperature shock 60529).
— wind, rain, snow, ice, dust
— audible noise Table C1 Minimum requirements for enclosures
— mechanical shock or bump forces equivalent to 20 g of 10 Class Location Degree of
ms duration protection
— splash and drops of liquid A Control rooms, accommodation, bridge IP 22
— corrosive atmospheres of various compositions, (e.g. am- B Machinery space IP 44
monia on an ammonia carrier).
C Open deck, masts, below floor plates in IP 56
1102 Acceleration caused by the ship's movement in waves. machinery space
Peak acceleration ±1.0 g for ships with length less than 90 m, D Submerged application IP 68
and ±0.6 g for ships of greater length. Period 5 to 10 s. Guidance note:
Automation equipment of class A and B that is to be in operation
during emergency situations, located in areas exposed to wash
down, should have IP 55 protection.
C. Electrical and Electronic Equipment
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
C 100 General
101 Fused isolating transformers are to be fitted between the C 400 Cables and wires
main power supply and the different units or systems. 401 Cables and wires are to comply with the requirements in
102 Switching of the power supply on and off is not to cause Ch.8 Sec.9.
excessive voltage or other strains that may damage internal or
external components. C 500 Cable installation
103 Units requiring insulating resistance in cables and wir- 501 Cable installations are to comply with the requirements
ing higher than 200 kΩ are normally not to be used. Exceptions in Ch.8 Sec.10 and Ch.8 Sec.3 D300.
can be made for special cable arrangements. C 600 Power supply
104 Key components of computer based systems necessary 601 When using low voltage battery supply, the charging
for maintaining essential and important functions are to be sub- equipment, batteries and cables are to keep the voltage at
jected to burn-in for 72 hours at 70°C (temperature in environ- equipment terminals within +25% to -20% of the nominal volt-
ment), or an equivalent screening procedure. Power is to be age during charging and discharging.
supplied to the devices during burn-in.
Provisions are to be made for preventing reverse current from
Guidance note: the battery through the charging device.
Examples of equivalent screening procedure:
602 Systems including a standby battery connected for con-
- use of components subjected to burn-in by the manufacturer tinuous charging are not to be disturbed in any way by discon-
- operation for 1000 hours at 20°C. nection of the battery.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- 603 Battery installations are to be in accordance with Ch.8
Sec.10 B300.
C 200 Mechanical design, installation 604 Regulated rectifiers are to be designed for the variations
Guidance note: in voltage and frequency stated in B.
Circuits should be designed to prevent damage of the unit or ad- 605 Different system voltages are to be supplied through dif-
jacent elements by internal or external failures. No damage ferent cables.
should occur when the signal transmission lines between meas-
uring elements and other units are short-circuited, grounded or 606 Terminal lists are to be clearly marked. Various system
broken. Such failures should lead to a comparatively safe condi- voltages are to be distinguished.
tion (fail to safe).
607 Uninterruptible power supplies are to be according to
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- the requirements given in Ch.8 Sec.2 A200.
Guidance note: C 700 Fibre optic equipment
The equipment should preferably function without forced cool- 701 Fabrication and installation of fibre optic cables are to
ing. Where such cooling is necessary, precautions should be tak-
en to prevent the equipment from being damaged in case of comply with the requirements of Ch.8.
failure of the cooling unit. Guidance note:
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- The construction of fibre optic devices is generally to comply
with relevant specifications of IEC Publications.
201 The components are to be effectively secured to avoid ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
mechanical stressing of wires and soldered joints through vi-
brations and mechanical shock. 702 Power budget calculation is to be used to:

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.5 – Page 24

— determine the length between I/O units, Guidance note:

— select components to obtain a safe reliable transmission It is advised to use equipment with 'built-in' safety, e.g. interlock
system, and the power to the light sources with the covers, possible to discon-
nect/lock parts of the system under service, screen laser beams.
— to demonstrate that adequate power reserve has been pro-
Safe distance between the light source or fibre end and the eye of
vided. the operator may be determined by applying the formulae:
After installation, optical time domain reflectometry (OTDR) ( P n + 10 )
measurements for each fibre are to be used to correct and re- L safe = -----------------------
2
evaluate the power budget calculations.
Safe distance: L (cm) ; Pn: Nominal power (mW)
703 The safety of personnel and operations is to be consid- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
ered in the installation procedures. Warning signs and labels
giving information to the operators are to be placed where haz- 704 Fibre optic systems using standard single- and multi-
ard exists. Care must be taken to prevent fibres from penetrat- mode fibres to be used for intrinsically safe circuits in hazard-
ing eyes or skin. ous areas are to have a power level below 10 mW.

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.6 – Page 25

SECTION 6
USER INTERFACE

A. General
A 100 Application
101 The rules of this section apply when the section is spe-
cifically referred to by relevant requirements.

A 200 Introduction
201 The location and design of the user interface are to give
consideration to the physical capabilities of the user and com-
ply with accepted ergonomic principles.
202 This section gives requirements for the user interface to
ensure a safe and efficient operation of the systems installed
according to the following objectives:

— controlled work load adapted to the user(s) in all modes,

including for system degradation
— ensure fast and correct decisions
— ensure fast and correct user actions Fig. 2
— avoid unnecessary stress. UID arrangement parameters.

A 300 Definitions
303 An object is any item that may change state or value, e.g.
301 Automation level is divided into three classes, reflecting a measurement indication or a valve symbol.
the work load for the user:

ALF: Fully-automatic,- the task requires occasional attention

and action when requested by the system. B. Workstation Design and Arrangement
ALS: Supervised-automatic,- the task requires frequent mon- B 100 Location of visual display units and user input
itoring and occasional user input. devices
101 Workstations are to be arranged according to Table B1
ALM: Manual and semi-automatic operation,- the task re- to provide the user with easy access to UIDs, VDUs and other
quires continuous attention and/or user input. facilities required for the operation.

Table B1 Location of VDUs and UIDs

302 Workstation arrangement parameters are: Essential functions
For UIDs: WReach: within reach Auto- Alarm Control Start Indication Down-
mation actuators stop for graded
EsAccess: easily accessible level config monitoring control
Avail: available ALF EsRead - EsAccess EsRead Avail
ALS ImRead WReach EsAccess ImRead Avail
For VDUs: ImRead: immediately readable
ALM ImRead WReach EsAccess ImRead Avail
EsRead: easily readable
Avail: available Important functions
Auto- Alarm Control Start Indication Down-
mation actuators stop for graded
Within reach and immediately readable is within the normal level config monitoring control
posture and normal line of sight for the user. Available is when ALF EsRead - Avail Avail -
the user must leave the normal work position. Refer to figures ALS EsRead EsAccess Avail EsRead -
1 and 2 below. ALM EsRead EsAccess Avail EsRead -
Legend: See A301 and A302
- not applicable

102 UIDs operated frequently or continuously are to be po-

sitioned in a normal working height.
103 Related UIDs and VDUs are as far as possible to be ar-
ranged and grouped together.
104 When more than one user are to have simultaneous ac-
cess to the same VDUs and UIDs, these are to be duplicated or
located to give the required access from all user positions.
Fig. 1 105 The space between individual UIDs is to be large
VDU arrangement parameters. enough to avoid inadvertent operation.

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.6 – Page 26

106 Each VDU is to be placed with its face normal to the us- - for moving index on circular scale, all pointers should
er's line of sight, or to the mean value if the user's line of sight occupy the same angular position, preferably the «12
varies through an angle. o'clock» position, when indicating normal status.
For an index moving relative to a circular scale, the index should
107 When UIDs and VDUs are operated in a given sequence, move clockwise (or the scale anti-clockwise) for increased read-
they are to be arranged in that sequence. ings.
B 200 Allocation of functions to screen based systems For an index moving relative to a linear scale, the scale should be
horizontal or vertical and the pointer should move to the right or
201 Workstations for integrated systems are to be configured upwards for increased readings.
to provide the user with simultaneous access to monitoring and There may be special cases where these guidelines do not apply;
control functions. for example, where the readings may be positive or negative, or
202 The control system element with related indications and where depth is indicated.
indications for monitoring for essential functions is to be con- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
tinuously available.
203 Manual request of a function is not to intervene with 202 The scale resolution on a VDU is not to be higher than
continuously available functions. the accuracy of the measured values.
204 One user shall under no circumstances need to operate 203 Numbers on digital displays are not to change faster than
more than two computer consoles simultaneously to perform a twice per second.
set of related functions. 204 Each process is to have a graphical representation in-
cluding indications giving an overview of the process equip-
ment.
C. User Input Device and Display Unit Design Guidance note:
This may be arranged as a graphical representation on a computer
C 100 User input devices screen or a mimic diagram with instruments fitted to represent
the position of the sensors or actuators.
101 The shape of mechanical UIDs is to indicate the method
of operation of the control. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

102 The direction of UID movements is to be consistent with 205 VDUs used for essential and important functions are to
the direction of associated process response and display move- be readable from the operating position of the workstation they
ment. are providing information to.
103 The operation of a UID is not to obscure indicator ele- Guidance note:
ments where observation of these elements is necessary for ad- VDUs used in connection with UIDs should be readable from a
justments. distance of at least 1000 mm. All other VDUs should be readable
from a distance of at least 2000 mm.
104 UIDs or combined UIDs/indicating elements are to be
visually and tactually distinguishable from elements used for Character height in mm should be not less than three and a half
indication only. times the reading distance in meters. Character width should be
between 60% to 80% of the letter height, e.g.: character height
Guidance note: for reading distance 2m: 2 x 3.5 = 7 mm, with resulting minimum
Rectangular buttons should be used for UID elements, and round character size: 7 mm x (approximately) 5 mm.
lights for VDU elements. For screen based systems, a suitable ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
framing method should be chosen.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- 206 VDU letter type is to be of simple, clear-cut design.
105 UIDs are to allow one hand single action operation. Re- 207 Indication of set point for slow changing objects is to be
quirements for fine motoric movements is to be avoided. displayed.
106 UIDs demanding fine adjustment are to be shaped and 208 The indication pointer in a circular or linear scale is not
located to allow operation equally well by either hand. to hide scale labels.
209 For VDUs subject to strong light, means are to be pro-
C 200 Visual display units vided to minimise glare or reflection.
201 The information presented is to be clearly visible to the Guidance note:
user and permit easy and accurate reading at a practicable dis-
tance in the light conditions normally experienced on the loca- a) All VDUs should be placed in position relative to the user,
tion of the workstation by day and by night. taking into consideration the surrounding light sources.
Guidance note: b) Where a transparent cover is fitted over a VDU, it should
minimise reflection.
a) Quantitative and comparative readings should be presented c) In rooms with windows, sun curtains should be installed to
by means of: prevent direct sun light on VDUs.
- digital counter, if subject to rare changes
- clockwise moving index on circular scale or horizontally ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
moving index on linear scale, if subject to frequent
changes. C 300 Colours
b) Qualitative readings should be presented by means of:
301 Information is not to be dependent of the use of colours
- vertically moving index on linear scale to indicate trend alone, but is to be distinguishable in a black and white repre-
changes sentation.
- clockwise moving index on circular scale to indicate
speed changes. 302 The use of colours is to be consistent for all systems.
c) Control readings should be presented by means of: 303 Colour coding of functions and signals is to be in ac-

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.6 – Page 27

cordance with Table C3. Guidance note:

If data is previously entered for a data element, this should be the
Table C3 Colour coding default, else a value representative for the data element should be
Function Colour code default.
Danger, Alarm, Emergency Red ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Attention, Pre-warning, Yellow
Caution, Undefined 108 The systems are to indicate the acceptance of a control
action to the user without unnecessary delay.
Status of normal, safe situation Green
109 Confirmation of a command is only to be used when the
Guidance note: action requested may have a critical irreversible consequence.
Inactive components should be represented by a colour or colour 110 It is to be possible for the user to recognise whether the
pair which is not distinctive, e.g. grey on white. system is busy executing an operation, or waiting for addition-
al user action. When the system is busy, buffering of more than
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
one user input is not allowed. It is to be possible to interrupt
time-consuming operations.
C 400 Requirements for preservation of night vision 111 The user is to have available means to return to a known
401 Warning and alarm indicators are to show no light in safe state with a single action.
normal position (indication of a safe situation). Guidance note:
402 All UIDs and VDUs are to be fitted with permanent in- A default set of information should be available by e.g. pressing
ternal or external light source to ensure that all necessary infor- a dedicated button.
mation is visible at all times. ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
403 Means are to be provided to avoid light and colour 112 Procedures for controlling objects are to be the same.
changes upon, e.g. start-up and mode changes, which may af-
fect night vision. D 200 Application screen views
404 All information is to be presented on a background of 201 For integrated systems, all windows to be called to the
high contrast, emitting as little light as possible by night. VDU are to have a similar representation of all components
(menus, buttons, symbols, colours, etc.).
Guidance note:
202 Objects affected by a failed object are to indicate the
All vessel's bridge instruments should show a light text on a dark
non-reflecting background at night. The contrast should be with- state of the failed object.
in 1:3 and 1:10. Guidance note:
An alarm due to failure of e.g. a sensor should give alarm indica-
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- tion for all objects being directly or indirectly dependent of the
failed sensor.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

D. Additional Requirements to Screen Based 203 Alarms are to be displayed in the order in which they oc-
Systems cur.
204 Alarms are to be traceable.
D 100 Computer dialogue Guidance note:
101 Menus are to be as shallow as possible. Printed alarm lists or access to an event log is acceptable.
Guidance note: ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Wherever practical, single action toggle buttons should be used.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
E. Design of Workplace for Permanently
102 Frequently used operations are to be available in the up-
per menu level, on dedicated software or hardware buttons. Manned Workstations
103 All menus and displays are to provide a self-explanatory E 100 General
interface to the user. 101 To be defined.
Guidance note:
If the complexity of the operation is such that further help is re-
quired, it will be accepted to have help function available with a F. Work Environment for Permanently Manned
single user action.
Workstations
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
F 100 Vibration
104 When in dialogue mode, update of essential information 101 Uncomfortable levels of vibration causing both short
is not to be blocked. and long term effects are to be avoided.
105 Terms used in a dialogue are to be adapted to the normal Guidance note:
users. Abbreviations and terms used in electronic data process- Bridge equipment:
ing are to be avoided. The workplace should ideally be sited clear of the nodes and an-
106 It is to be up to the user to start, interrupt, resume and tinodes of the fundamental mode of vertical hull vibration in or-
end a dialogue. der to avoid longitudinal and vertical vibration.
The fundamental frequency of vibration of the superstructure
107 Whenever necessary to ensure safe and efficient entry of block should not be close to the propeller blade frequency or its
data, the user is to be prompted with a default. harmonics at service speed.

DET NORSKE VERITAS

Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.6 – Page 28

Table F1 lists the vibration ranges which should be avoided.

Table F1 Vibration ranges Table F2 Recommended illumination

Range Effect Place Colour or illumination
0.1 to 0.5 Hz Motion sickness, particularly Workstation area White, variable from 0 to 500 lx.
around 0.25 Hz Bridge, night Red, continuously variable from 0 to 10 lx.
1.5 to 30 Hz Vision blur, particularly 10 to 25 Hz
Vision in dim light has the following characteristics:
10-20 Hz Involuntary increase in muscle tone, lead-
ing to difficulty in controlling posture and - perception of detail and colour is affected
movement - the eye becomes more sensitive to the blue end of the light
Sum: 0 to 30 Hz Magnitude of effects depends upon vi- spectrum
major source of bration amplitude - peripheral vision is enhanced.
problems Adaptation to darkness is important to ensure a good visual look-
out at night. It takes 30 to 40 minutes for complete adaptation to
darkness.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

F 200 Noise 304 During hours of darkness, it is to be possible to discern

control devices and read displayed information.
201 Uncomfortable levels of noise, or noise that may affect Guidance note:
safe and efficient operation, is not to occur. Both short and
long term effects are to be avoided. Bridge equipment can be lit by internal or externally located
lighting.
Guidance note: Except at the chart table, red light should be used whenever pos-
Bridge equipment sible in areas or on items of equipment requiring illumination in
the operational mode, including instruments on the bridge wing.
The noise level for the workplace should not exceed 65 dB(A) in
good weather, with workplace instruments in operation. Indirect low level red lighting should be available at deck level,
especially for internal doors and stair-cases where, preferably,
Noise from ventilation and air intake fans and other noise sources each step should be lit separately.
should be excluded from the workplace by suitable siting of the
fans and associated trunking. Provision should be made to prevent red lights from being visible
outside the vessel.
The vessel's sirens or whistles should be placed as high as prac-
ticable and, if possible, forward of any workplace, so that the ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
noise level does not exceed 100 dB(A).
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
F 400 Temperature
401 The workplace is to be equipped with an adequate tem-
F 300 Lighting perature control system.
Guidance note:
301 A satisfactory level of lighting facilitating the perform-
ance of all workplace tasks at sea and in port, daytime and The temperature range for the workplace should not exceed 16°C
to 26°C, and should preferably be within 19°C to 23°C for an ex-
night time, is to be provided. ternal temperature range of -10°C to 35°C. The temperature gra-
Guidance note: dient from floor level up to 2 m should be within 3 to 4°C.
Individual task areas should have a greater luminance than the ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
general lighting level.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- F 500 Ventilation
501 A sufficient range of air movement is to be available to
302 Care is to be taken to avoid glare and stray image reflec- the personnel.
tions in the workplace environment.
Guidance note:
Guidance note: Bridge equipment:
High contrast in brightness between work areas and surroundings In general, the air movement should be 0.05 m/s to 1.2 m/s, var-
should be avoided. ying with the different temperatures for the workplace: the higher
Non-reflective or matt surfaces should be used to reduce indirect the temperature, the greater the air movement needed for com-
glare to a minimum. fort.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- With temperature maintained in the range 18°C to 23°C, the air
movement should be 0.3 m/s to 0.5 m/s.
303 A satisfactory degree of flexibility within the lighting The recommended rate of air change for enclosed spaces is 6
system is to be available to enable the personnel to adjust light- complete changes per hour.
ing intensity and direction as required in the different areas of Used air should be changed with fresh conditioned air or recircu-
the workplace and at individual instruments and controls. lated reconditioned air.
Guidance note: Air should not be blown directly at personnel.
Vision in dim light has the following characteristics: ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
- perception of detail and colour is affected
- the eye becomes more sensitive to the blue end of the light F 600 Surfaces
spectrum
601 The workplace surface finishes are to be considered an
- peripheral vision is enhanced.
integral part of the structure, layout and environment design.
- Table F2 lists the recommended general illuminations directly
below the light source at working level. 602 All prepared surfaces are to be glare free.

DET NORSKE VERITAS

 Rules for Ships / High Speed, Light Craft and Naval Surface Craft, January 2003
Pt.4 Ch.9 Sec.6 – Page 29

Guidance note: Colour can provide a sense of warmth by the use of red/yellow,
To achieve a glare free, matt finish for front part of the deckhead, or coolness by the use of green/blue.
bulkheads, consoles, surfaces around and below windows and Table F4 indicates the reflectance range for some typical colour
other, short-haired fibre coating should be used. densities.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Table F4 Reflectance range
603 The workplace and surrounding area are to have a non- Reflectance range Typical colour densities
slip surface when wet or dry. 5% to 10% Dark Green or Blue or Brown
Guidance note: 15% to 30% Mid Green or Blue or Red
The level of friction on outdoor areas should not decrease by 50% to 60% Pale Green or Blue or Yellow
more than 10% between dry and wet conditions. 80% to 90% Off White or Pale Yellow
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---

604 All surfaces are to be robust enough to withstand the dai- ---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
ly wear of the marine environment and require a minimum of
cleaning whilst retaining a good appearance. F 800 Safety of personnel
Guidance note: 801 The workplace area is to be free of physical hazards to
All surfaces should be capable of withstanding without deterio- the personnel.
ration temperature ranges of -20°C to 70°C, sea water, oils and Guidance note:
solvent common to vessels, and ultra-violet light.
There should be no sharp edges or protuberances that could cause
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e--- injury to personnel.
The deck should be free of trip hazards, such as curled up carpet
F 700 Colours edges, loose gratings or equipment.
Means should be provided for properly securing portable equip-
701 Colours for bridge equipment are to be chosen to give a ment.
calm overall impression and minimise reflectance.
---e-n-d---of---G-u-i-d-a-n-c-e---n-o-t-e---
Guidance note:
Bright colours should not be used. Dark or mid green colours are 802 Sufficient hand or grab rails are to be fitted to enable
recommended, alternatively, blue or brown may be used. personnel to move or stand safely in bad weather. Protection of
Table F3 indicates the reflection range for some typical colour stairway openings is to be given special consideration.
densities.
803 All safety equipment on the workplace is to be clearly
marked and readily available and have its stowage position
Table F3 Reflectance range
clearly indicated.
Place Typical colour densities Reflectance
Deckhead, front part Grass green, dark grey 0% to 20%
Around windows White, light green 60% to 90%
Bulkhead Light green 30% to 60%
Decks Dark green, dark grey 5% to 30%
Consoles Grass green, slate grey 20% to 50%
Manoeuvring con- Light green, light grey 40% to 70%
trols
Other Grass green, light grey 20% to 50%

DET NORSKE VERITAS