
180 Clemenceau Avenue
03-03 Haw Par Centre
Singapore 239922
Phone +65 6505 1900
Fax +65 6356 7086
www.gl-nobledenton.com

SUNGDONG
"157K SHUTTLE TANKER"
FAILURE MODES AND EFFECTS ANALYSIS
OF THE DP SYSTEM
FEBRUARY 2013

Rev | Date | Description | By | Check | Approved
 | 4 March 2013 | Update after FMEA proving trial | SP/TKT | CR | CR
 | 14 Jan 2013 | Update according to yards comments | SP | CR | CR
 | 11 Jan 2013 | Update according to yards comments | SP | CR | CR
 | 8 Jan 2013 | Update according to yards comments | SP/TKT | CR | CR
 | 21 Dec 2012 | Update according to yards comments | SP/TKT | CR | CR
 | 20 Dec 2012 | Update according to DNV comments | SP/TKT | CR | CR
 | 19 Dec 2012 | Update according to DNV comments | SP/TKT | CR | CR
 | 22 Aug 2012 | Release for Client review | SP/LCH/CW | AM/LCH |

Document No. 05/M07/3166/Rep-001/Rev. O

GL Noble Denton

Page 1 of 185

05-M07-3166-Rep-001

SUNGDONG

157K SHUTTLE TANKER

DP SYSTEM FMEA

SUMMARY
The Sungdong 157K Shuttle Tanker has DNV Class, and this Failure Modes and Effects Analysis forms
part of the document submissions required for vessels with DP Dynpos-AUTR notation. The design of the
DP system has been analysed and the failure effects compared against the worst case failure design
intent.

The vessel's worst case failure design intent (WCFDI) can be summarised as: No single failure (as
defined for Dynpos AUTR) will lead to a failure effect exceeding:

- Failure of up to two generators (No.1 DG and No.2 DG, or No.3 DG and No.4 DG).
- Failure of one common 6.6kV bus: MV 6.6kV MSB 1 or MSB 2.
- Failure of three thrusters: one bow tunnel thruster (T1), one stern tunnel thruster (T5) and one
  CPP (T6); or one bow tunnel thruster (T2), one forward azimuth thruster (T3) and one stern
  azimuth thruster (T4).

Worst Case Failure: From the desktop analysis, no single failure as defined for DP Equipment
Class 2 has been identified that has an effect exceeding the Worst Case Failure Design Intent.


TABLE OF CONTENTS

1 INTRODUCTION
  1.1 Background
  1.2 Acknowledgements
  1.3 Vessel Particulars
  1.4 FMEA Analysis
  1.5 FMEA Procedure and Methodology
  1.6 Operational Configuration of the DP System
  1.7 Redundancy Concept

2 ENGINES AND AUXILIARY SERVICES
  2.1 Engines
  2.2 Main Engine Systems
  2.3 Auxiliary Diesel Generator System
  2.4 Engine Control System and Safety Shutdowns
  2.5 Fuel Oil System
  2.6 Lubrication System
  2.7 Seawater Cooling System
  2.8 Fresh Water Cooling Systems
  2.9 Compressed Air System
  2.10 Ventilation System
  2.11 Emergency Generator

3 POWER GENERATION
  3.1 Generators
  3.2 Automatic Voltage Regulator
  3.3 Engine Governor
  3.4 6.6kV Switchgear

4 POWER MANAGEMENT
  4.1 Introduction

5 POWER DISTRIBUTION
  5.1 Overview of the Power Distribution System
  5.2 6.6kV Distribution System
  5.3 LV Distribution System
  5.4 220V Distribution System
  5.5 24Vdc Power Distribution

6 THRUSTERS
  6.1 Introduction
  6.2 Thruster Mechanical Components and Motor
  6.3 Tunnel Thruster Cooling System
  6.4 Azimuth Thruster Cooling System
  6.5 Main Propulsion Controllable Pitch Propeller and Steering Gear
  6.6 Thruster Electrical Systems
  6.7 Azimuth Thruster Electrical Systems
  6.8 Propulsion Controllable Pitch Propeller Control System
  6.9 Steering Gear Control System
  6.10 Thruster Emergency Stops

7 K-CHIEF 600 INTEGRATED CONTROL AND MONITORING SYSTEM
  7.1 General
  7.2 K-Chief 600 Operator Stations
  7.3 K-Chief 600 Distributed Processing Units (DPUs) and DPU Cabinets
  7.4 K-Chief 600 Network Communications
  7.5 K-Chief 600 Uninterruptible Power Supplies

8 DP CONTROL SYSTEM
  8.1 System Diagram and Overview
  8.2 DP Changeover Switch
  8.3 DP Operator Stations
  8.4 DPC-2 Controller
  8.5 DP System Sensors: MRU, Anemometer, Gyrocompass
  8.6 DP Position Reference Sensors: DGPS, Fanbeam, and Artemis
  8.7 cJoy Independent Joystick System
  8.8 BLOM PMS
  8.9 DP Uninterruptible Power Supplies
  8.10 DP Communications

9 EMERGENCY SHUTDOWN (ES) SYSTEM
  9.1 ES System

10 CONCLUSIONS AND RECOMMENDATIONS
  10.1 Conclusions
  10.2 Concerns

TABLES
Table 2-1 ME LO pump power sources
Table 2-2 Main Engine Shutdown
Table 2-3 Main Engine Alarms and slowdown setting
Table 2-4 Auxiliary Engine Shutdowns Alarm setting
Table 2-5 Auxiliary Engine Alarm setting
Table 2-6 FO Storage Tank Volumes
Table 2-7 FO Crossover Valve Configuration During DP
Table 2-8 Quick Closing Valves Grouping
Table 2-9 ME FO pump power sources
Table 2-10 GE FO pump power sources
Table 2-11 Central FW & ME CFW pump power sources
Table 2-12 Auxiliary Freshwater Cooling System DP Associated Equipment
Table 2-13 Forward Freshwater Cooling System DP Related Equipment
Table 2-14 GE 1/2 Freshwater Cooling System DP Related Equipment
Table 2-15 No.3/4 GE Freshwater Cooling System DP Related Equipment
Table 2-16 DP Related Equipment supplied from the Control and GS Air System
Table 2-17 Ventilation system power sources
Table 2-18 Engine Room Fire Dampers
Table 2-19 HVAC Unit Power Supplies
Table 4-1 PMS software Interlock functionality
Table 5-1 Power supplies for the essential equipments
Table 5-2 Distribution of MV generators and consumers
Table 5-3 440V feeder panel: LV1 and LV2
Table 5-4 440V Group Starter Panels
Table 5-5 Emergency Power Distribution
Table 5-6 220V feeder panel No.1 and No.2
Table 5-7 220V Distribution Panel
Table 5-8 24Vdc Supplies to Engine Junction Boxes
Table 6-1 Tunnel Thruster Motor Particulars
Table 6-2 Tunnel Thruster Motor Details
Table 6-3 Azimuth Thruster Motor Specifications
Table 7-1 Operating Stations Power Supply
Table 7-2 DPUs Location and Power Supplies
Table 7-3 K-Chief UPS Distribution
Table 8-1 DP Power Supply Matrix
Table 8-2 RSER/RMP Module Assignments for Ref Sys/Sensors
Table 8-3 RMP Module Assignments for Thrs/machinery
Table 8-4 Power supplies for Gyros
Table 8-5 Power supplies for MRUs
Table 8-6 Power supplies for wind sensor
Table 8-7 DP UPS Distribution
Table 9-1 ES System

FIGURES
Figure 1-1 General Arrangement 157K Shuttle Tanker
Figure 1-2 Thruster Arrangement
Figure 1-3 Power Distribution
Figure 2-1 Main Engine Freshwater Cooling System
Figure 2-2 Main Engine Lubrication System
Figure 2-3 Main Engine Compressed Air System
Figure 2-4 7-9H32/40 Engine Lubricating System
Figure 2-5 Auxiliary Engine Freshwater Cooling System
Figure 2-6 7-9H32/40 Engine Compressed Air System
Figure 2-7 Fuel Oil Transfer System
Figure 2-8 Fuel Oil Purification System and Settling System
Figure 2-9 Fuel Oil Distribution System
Figure 2-10 Pneumatic Fuel Oil Quick Closing Valve System
Figure 2-11 Main Engine Fuel Oil System
Figure 2-12 Diesel Generator Fuel Oil System
Figure 2-13 Lubricating Oil System
Figure 2-14 Aft Seawater Cooling System
Figure 2-15 Forward Seawater Cooling System
Figure 2-16 Auxiliary Freshwater Cooling System
Figure 2-17 Main Engine Freshwater Cooling System
Figure 2-18 Forward FW cooling System
Figure 2-19 No. 1/2 GE FW cooling system
Figure 2-20 No.3/4 GE FW cooling System
Figure 2-21 Compressed Air System
Figure 3-1 Single Line Diagram for 6.6kV
Figure 5-1 Simplified Single Line Drawing of Power Distribution
Figure 6-1 Arrangement of Thrusters
Figure 6-2 Tunnel Thruster Hydraulics
Figure 6-3 Azimuth Thruster Hydraulic System
Figure 6-4 Propulsion Controllable Pitch Propeller Hydraulic Diagram
Figure 6-5 Steering Gear
Figure 6-6 Thruster Remote Control System
Figure 6-7 Azimuth Thruster Remote Control System
Figure 6-8 Propulsion CPP Control System
Figure 6-9 Steering Gear Control System
Figure 7-1 General Architecture of K-Chief 600 System
Figure 7-2 157K Shuttle Tanker K-Chief Networks
Figure 8-1 Simplified Drawing of DP Control System
Figure 8-2 DPC-2 Simplified Drawing
Figure 8-3 Variation of wind Speed with elevation above sea level
Figure 8-4 Simplified calculation of relative DARPS data
Figure 8-5 Principle of standard Artemis
Figure 8-6 Principle of Artemis Beacon system


ABBREVIATIONS
AC: Alternating Current
ACB: Air Circuit Breaker
ACU: Auxiliary Control Unit
AHU: Air Handling Unit
ICMS: Integrated Control and Monitoring System
AVR: Automatic Voltage Regulator
BAZ: Bow Azimuth Thruster
BTH: HV Bus Tie
BT: Bow Tunnel Thruster
BTL: LV Bus Tie
CB: Circuit Breaker
CCU: Cylinder Control Unit
CFW: Cooling Fresh Water
CMF: Common Mode Failure
CPP: Controllable Propeller Pitch
CPU: Central Processing Unit
CT: Current Transformer
DB: Distribution Board
DC: Direct Current
DG: Diesel Generator
DGPS: Differential Global Positioning System
DI: Digital Input
DNV: Det Norske Veritas
DO: Diesel Oil
DP: Dynamic Positioning
DPC: Dynamic Positioning Controller
DPO: Dynamic Positioning Operator
DPS: Dynamic Positioning System
DPU: Distributed Processing Units
ECC: Engine Control Console
ECR: Engine Control Room
ECS: Engine Control System
ECU: Engine Control Unit
EG: Emergency Generator
EICU: Engine Interface Control Unit
EMCY: Emergency
ER: Engine room
ESB: Emergency Switchboard
ESD: Emergency Shut Down
FAD: Free Air Delivery
FMEA: Failure Mode and Effect Analysis
FO: Fuel Oil
FW: Fresh Water
FWD: Forward
G / GE: Generator
GS: Gas Station
GSP: Group Starter Panel
GPS: Global Positioning System
HFO: Heavy Fuel Oil
HPP: Hydraulic Power Pack
HPU: Hydraulic Power Unit
HV: High Voltage
HVAC: Heating, Ventilation and Air Conditioning
HT: High Temperature
HTFW: High Temperature Fresh Water
ICMS: Integrated Control and Monitoring System
IJS: Independent Joystick System
IP: Internet Protocol
IMCA: International Marine Contractors Association
IMO: International Maritime Organisation
I/O: Input/Output
kVA: Kilo Volt Ampere
kVAr: Kilo Volt Ampere Reactive
kW: Kilowatt
LAN: Local Area Network
LO: Lube Oil
LSHFO: Low Sulphur Heavy Fuel Oil
LSDO: Low Sulphur Diesel Oil
LSMDO: Low Sulphur Marine Diesel Oil
LT: Low Temperature
LTFW: Low Temperature Fresh Water
LV: Low Voltage
mA: Milliamps
MBC: Micro Biological Contamination
MCC: Motor Control Centre
MDO: Marine Diesel Oil
ME: Main Engine
MGO: Marine Gasoline Oil
MGPS: Marine Growth Plant System
MOP: Main Operating Panel
MRU: Motion Reference Unit
MSB: Main Switchboard
MSC: Maritime Safety Committee
MV: Medium Voltage
MVAr: Mega Volt Ampere Reactive
MW: Megawatt
NDC: Noble Denton Consultants
NDU: Network Distribution Unit
NET: Network
OS: Operator Station
P: Port
PA: Public Address or Power Available
PC: Personal Computer
PCU: Propulsion Control Unit
PLC: Programmable Logic Controller
PME: Position Measuring Equipment
PMS: Power Management System
PRS: Position Reference System
PSU: Power Supply Unit
QC: Quick Closing
QCV: Quick Closing Valve
RC: Remote Control
RCU: Remote Controller Unit
RIO: Remote Input Output
RPM: Revolutions per Minute
RTCM: Radio Technical Commission for Maritime Services
S: Starboard
SAZ: Stern Azimuth Thruster
SBC: Single Board Computers
ST: Stern Tunnel Thruster
SW: Sea Water
SWBD: Switchboard
T: Thruster
TQ: Technical Query
UPS: Uninterrupted Power Supply
VAr: Volt Ampere Reactive
VCB: Vacuum Circuit Breakers
VRCS: Valve Remote Control Station
VRU: Vertical Reference Unit
VT: Voltage Transformer
WCF: Worst Case Failure
WCFDI: Worst Case Failure Design Intent


INTRODUCTION

1.1 BACKGROUND

1.1.1 Instructions

1.1.1.1 GL Noble Denton was requested by Sungdong Shipbuilding and Marine Engineering Company Ltd to
prepare a Failure Modes and Effects Analysis (FMEA) of the DP system for the dynamically positioned 157K
Shuttle Tanker. The request was made by Mr. J.G Yi and confirmed with the signing of a contract for
FMEA by Chris Richardson of Noble Denton Singapore. The work was carried out under GL Noble Denton
reference number 05-M07-3166.

1.1.2 Scope of work

1.1.2.1 GL Noble Denton's scope of work for this project is outlined in its contract with Sungdong Shipbuilding and
Marine Engineering Company Ltd.

1.1.3 Conduct of the work

1.1.3.1 The work was carried out by Engineers Satheesh Prabhakaran and Leong Cheong Heng.

1.1.3.2 The analysis work is based on desktop studies of information provided by Sungdong Shipbuilding and
Marine Engineering Company Ltd, and by equipment vendors.

1.1.3.3 The vessel's redundancy concept was assessed against the following rules and guidelines:
1. IMO MSC 645, Guidelines for Vessels with Dynamic Positioning Systems 1994.
2. DNV Rules for Classification of Ships July 2010, Part 6, Chapter 7.
3. IMCA document M04/04, Establishing the Safety and Reliability of Dynamic Positioning Systems,
was used as the guide to systems and their boundaries, Appendices D & E in particular.
4. IMO International Code of Safety for High Speed Craft, Annex 4, Procedures for Failure Mode
and Effects Analysis, 2000 was used for reference.
5. IMCA Guidelines on Failure Modes & Effects Analyses M166, 2002.

1.1.4 FMEA Document history

1.1.4.1 A draft FMEA, Document No 05-M07-3166 Rep-001 Rev A, was produced based on documents and
drawings supplied during the build phase and prior to FMEA proving trials.

1.2 ACKNOWLEDGEMENTS

1.2.1.1 Thanks are due to the design team for their assistance in responding to technical queries.


1.3 VESSEL PARTICULARS

1.3.1 General

1.3.1.1 The vessel was built at Sungdong Shipbuilding and Marine Engineering Company Ltd. The figure below
shows the general arrangement of the Shuttle Tanker.

1.3.1.2 The vessel has Class Notation: DNV 1 A1, Tanker for oil ESP, CSR, E0, DYNPOS-AUTR, OPP-F, BOW LOADING, TMON, NAUTOC, BIS, BWM-E(S), SPM, VCS-2, COAT-PSPC(B), CLEAN

Figure 1-1 General Arrangement 157K Shuttle Tanker

1.3.2 Principal dimensions:

Length overall: 278.50 m
Length between perpendiculars: 264.00 m
Breadth moulded: 48.00 m
Depth: 23.10 m
Designed Draught: 16.00 m

1.3.3 Machinery and DP equipment list:

Main Engine: MAN B&W 6S70ME-C8.2 TIER II
Main Generators (Engine): Hyundai Himsen 7H32/40 (No.1 and No.4)
                          Hyundai Himsen 9H32/40 (No.2 and No.3)
Main Generators: HSJ7 805-10P (No.1 and No.4) - 2 x 3300 kW
                 HSJ7 913-10P (No.2 and No.3) - 2 x 4300 kW
Emergency Generator (Engine): Doosan AD180TI
Emergency Generator: Leroy Somer M 47.2 S4 1 x 350 kW
Thrusters: 2 x Bow Tunnel Thrusters Brunvoll FU-100-LTC-2750 2200 kW CPP
           Stern Tunnel Thruster Brunvoll FU-100-LTC-2450 2200 kW CPP
           Bow and Stern Azimuth Thruster Brunvoll AR-100-LNC-2600 2 x 2500 kW CPP
Main Propulsion: Berg BCP 2000 CPP
Steering gear (Rudder Rolls Royce IRV 4200-2): Becker Rudder
DP Control System: Kongsberg K Pos DP-22
Vessel Management: K-Chief 600

1.3.4 FMEA proving trials

1.3.4.1 DP FMEA proving trials have not been carried out at this time.


1.4 FMEA ANALYSIS

1.4.1 Objectives of FMEA

1.4.1.1 To identify any single failures of the DP system of the Shuttle Tanker that may lead to a significant loss of
position by drift off or drive off. Failure criteria are as defined in DNV Rules for Classification of Ships
July 2010, Part 6, Chapter 7.

1.4.1.2 The following 9 strategic areas have been addressed in the preparation of this analysis:

1. System description and redundancy concept review:
   - Description of redundant system type and classification.
   - Formal definition of the overall DP system redundancy concept.
   - Determine the nature of the redundancy concept, i.e. high levels of commonality between systems
     with dependence on protective functions versus duplication with clear segregation and
     independence.
   - Identify aspects of the design that are common to redundant systems and consider failures at these
     common points.

2. Single point failures:
   - Using the FMEA tool as a structured means of identifying failures.

3. Acts of maloperation:
   - IMO guidance and DNV rules require consideration of a single act of maloperation if such an act is
     reasonably foreseeable. The FMEA will check that such acts are guarded against.

4. Potential common mode failures that affect seemingly redundant components. Typically:
   - Ventilation and environmental control.
   - Spikes/voltage excursions/elevated voltage on common primary power supplies.
   - Failure of common back-up supplies to an elevated voltage or voltage spikes.
   - Voltage decrement during electrical fault clearance - to be proven by others.
   - Auxiliary systems which are likely to be subject to common mode failures such as MBC in fuel.

5. Standby redundancy:
   - Level of availability of offline equipment - high probability that it will operate on demand?
   - All such required functions identified?
   - All such functions exercised with suitable frequency?
   - Identify failure modes associated with switched redundancy, e.g. updating back-up systems with
     correct data.

6. Protective functions for redundancy concept:
   - All identified?
   - All adequately exercised?
   - Sufficient protection?
   - Disabled by non self revealing faults?
   - Inappropriate protection (may cause DP incident if operates or fails).

7. Hidden failures - non self revealing faults:
   - Alarms for hidden failures - all relevant practical alarms installed?
   - Periodic testing in place where alarms are not practical?

8. Investigation into effect of total system failure:
   - This may not be a DP Class 2 requirement but does give a valuable insight into a system and may
     provide additional confidence if the failure effect is not catastrophic.
   - Blackout restart is not a DP Class 2 requirement but should be considered as a risk reduction
     measure - review of equipment required for blackout restart.

9. Specific power plant and control system failure modes:
   - Information and experience from DP incident data.

1.4.2 Limitations of the analysis

1.4.2.1 As with any analysis, certain limitations exist. The structure of the vessel is assumed to have been
assessed by others.

1.4.2.2 Although the FMEA attempts to confirm that the design of systems is compatible with the redundancy
concept, it does not confirm that systems have been properly designed or that they will meet their design
expectations in terms of performance. The sea trials programme and FMEA proving trials may provide
some evidence that this is the case but such assessments should be made on the basis of suitable design
reviews.

1.4.2.3 It is accepted by Class that a DP system FMEA does not verify the quality or integrity of control system
software. The same exemption is applied to the internal workings of other automation systems such as
power management and Alarm Monitoring and Control System (PMS/ICMS). The analysis also assumes
that the owner has adequate controls in place in relation to management of change of software updates
for control systems. It also assumes that all changes are adequately tested and that vessel operators and
engineers receive adequate training in dealing with the effects of these updates.

1.4.2.4 It is assumed that the vessel is operated by competent personnel and, although acts of maloperation are
discussed as part of the analysis, it will not consider wilful, deliberate or malicious acts.

1.5 FMEA PROCEDURE AND METHODOLOGY

1.5.1 Approach

1.5.1.1 Two different approaches are used within the analysis. Where the number of system components is
relatively small, such as Engine Auxiliary Services, the failures of individual components such as pumps
and coolers are considered within a system. Where the system under investigation is complex or contains
a significant software element, the functionality of the system is considered when discussing failure
modes.


1.5.2 Structure of the FMEA narrative

1.5.2.1 The following headings are used in the FMEA narrative. The purpose of these is to ensure that all rule
requirements with respect to fault tolerant systems are adequately addressed:
1. References
2. System description and redundancy concept
3. Location
4. Configuration for DP
5. Failure modes of the system - single failures only
6. Failure effects of the system - effects of single failures
7. Hidden system failures
8. Common mode failure
9. System configuration errors that could defeat redundancy - hidden acts of maloperation only if
   reasonably likely
10. Maloperation of the system - only if reasonably foreseeable
11. Worst case failure - Summary

1.6 OPERATIONAL CONFIGURATION OF THE DP SYSTEM

1.6.1 System configuration

1.6.1.1 The vessel normally operates on DP with the following system configuration:

1. All four generators online; Gen1, 2 feed to MV MSB 1; Gen 3, 4 feed to MV MSB 2
2. MV 6.6 kV bus ties No.5 VCB 3P and No.7 VCB 3P open (MV MSB 1 and MV MSB 2 split)
3. 440V busties No.5 ACB 3P Bus Tie open (440V LMSB 1 and 440V LMSB 2 split)
4. Breakers MSB1 and MSB2 are closed and MSB3 and MSB4 are opened so that No.2 AC 220V
   Feeder Panel and No.1 AC 200V Feeder panel are fed from MSB 2 and MSB 1 respectively.
5. Emergency switchboard to be supplied from MSB1, No. 4 ACB 3P and No. 7 ACB 3P to be kept
   open.
6. All the ME essential pumps to be supplied from the 440Vac MSB 1 (Please refer to the words in
   bold in table 5-1)
7. GE No.1 & 2 essential pumps to be supplied from the 440Vac MSB 1 (Please refer to the words in
   bold in table 5-1)
8. GE No.3 & 4 essential pumps to be supplied from the 440Vac MSB 2 (Please refer to the words in
   bold in table 5-1)
9. Thruster 1, 5 and 6 essential pumps to be supplied from 440Vac MSB 1 (Please refer to the words
   in bold in table 5-1)
10. Thruster 2, 3 and 4 essential pumps to be supplied from 440Vac MSB 2 (Please refer to the words
    in bold in table 5-1)
11. MDO Service tank supplies GE No.3 and No.4.
12. MGO Service tank supplies GE No.1 and No.2
13. HFO Service tank to be supplied to ME
14. Normally open valves for the FO system: F209V, F304V, F330V, F353V, F354V
15. Normally closed valves for the FO system: F210V, F239V, F303V, F324V
16. The seawater systems are configured as follows. On the aft seawater system, one port high sea
    chest and one starboard low sea chest are in service. The seawater supply manifolds supply
    various sub systems which are equipped with a redundant number of pumps on a standby start
    configuration. Forward Sea water system is fault tolerant operated from a single sea chest but
    operator intervention may be required in the event of a fault.
17. Aux, No.1 & 2 DG, No.3 & 4 DG, and FWD freshwater cooling systems are operated with their own
    sets of circulating pumps configuration.
18. In the FWD freshwater cooling systems, there are two fresh water circulating systems with isolation
    valves that are normally closed during DP operation. The normally closed valves are FW049 & FW048 while
    the normally open valves are FW076 & FW075.
19. Both DGPSs, Fanbeam and Artemis MK5 are selected to DP control system
20. All three gyros and MRUs are selected.
21. Wind sensors are selected at operator discretion.
22. Both Steering gears No.1 and No.2 operating

1.6.2 WCFDI

1.6.2.1 No single failure (as defined for Dynpos AUTR) will lead to a failure effect exceeding:

- Failure of up to two generators (No.1 DG and No.2 D/G).
- Failure of one common 6.6kV bus, MV 6.6kV MSB 1.
- Failure of three thrusters: one bow tunnel thruster (T1), one stern tunnel thruster (T5) and one
  main CPP (T6).

1.7 REDUNDANCY CONCEPT

1.7.1 Vessel overview

Figure 1-2 Thruster Arrangement (thruster labels: BT1 = T1, BT2 = T2, BAZ3 = T3, SAZ4 = T4, ST5 = T5, CPP6 = T6)

1.7.1.1 The 157K Shuttle Tanker is a tanker for Oil ESP. The vessel's power and propulsion system is diesel
electric with four generators and six thrusters: two bow tunnel thrusters, one BAZ3, one stern
azimuth thruster, one stern tunnel and one engine driven CPP.

1.7.2 Power system configuration

1.7.2.1 The redundancy concept at the power generation level is based on the distribution at the 6.6kV MV-level.
During DP operation the thrusters are configured as follows:

6.6kV MSB 1: Bow tunnel thruster (T1), stern tunnel thruster (T5) and main propulsion CPP (T6)
pumps (hyd pump No.1 and hyd pump No.3).

6.6kV MSB 2: Bow tunnel thruster (T2), BAZ3 (T3), stern azimuth thruster (T4) and main
propulsion CPP (T6) pumps (hyd pump No.2 and hyd pump No. 3).

1.7.2.2 The worst case failure for the power system is loss of three thrusters: one bow tunnel thruster
(T1), one stern tunnel thruster (T5) and one main CPP (T6).

1.7.2.3 The main CPP (T6) is considered to fail upon loss of MSB1 as the M/E pumps are supplied from MSB 1.

1.7.2.4 Failure of 6.6kV MSB No.2 results in loss of BAZ3 (T3). This thruster is also fed from the 6.6kV MSB No.1
and can be manually transferred over in order to improve the position keeping of the vessel.
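
An added example (not part of the report): the split-bus dependency described in 1.6.1.1 and 1.7.2, written as a small Python model that propagates each single failure and checks the result against the WCFDI groups from the report summary. The names, the treatment of generator and thruster failures as local, and the no-protection-credit treatment of a closed bus tie are assumptions of this example.

```python
"""Added example: single-failure propagation over the split 6.6kV bus groups."""

# Dependency model transcribed from sections 1.6.1.1 and 1.7.2 of the report.
# The data layout and every function name below are this example's own.
GENERATOR_BUS = {"DG1": "MSB1", "DG2": "MSB1", "DG3": "MSB2", "DG4": "MSB2"}
THRUSTER_BUS = {
    "T1": "MSB1",  # bow tunnel thruster
    "T5": "MSB1",  # stern tunnel thruster
    "T6": "MSB1",  # main CPP, considered failed on loss of MSB1 (1.7.2.3)
    "T2": "MSB2",  # bow tunnel thruster
    "T3": "MSB2",  # BAZ3; transfer to MSB1 is manual, so no credit is taken
    "T4": "MSB2",  # stern azimuth thruster
}
BUSES = ("MSB1", "MSB2")

# WCFDI from the report summary: one bus with its two generators and three
# thrusters. A failure effect is acceptable if it stays inside one group.
WCFDI_GROUPS = [
    frozenset({"MSB1", "DG1", "DG2", "T1", "T5", "T6"}),
    frozenset({"MSB2", "DG3", "DG4", "T2", "T3", "T4"}),
]


def dependents_of(bus):
    """Generators and thrusters that are lost when `bus` is dead."""
    fed = {g for g, b in GENERATOR_BUS.items() if b == bus}
    fed |= {t for t, b in THRUSTER_BUS.items() if b == bus}
    return fed


def failure_effect(failed, bus_tie_closed=False):
    """Return the set of equipment lost after the single failure `failed`.

    Assumptions of this example: a generator or thruster failure stays local
    (the other generator on the bus carries the load), and with the bus tie
    closed no credit is taken for protection, so a bus fault takes both buses.
    """
    if failed in GENERATOR_BUS or failed in THRUSTER_BUS:
        return {failed}
    if failed not in BUSES:
        raise ValueError(f"unknown component: {failed!r}")
    dead_buses = set(BUSES) if bus_tie_closed else {failed}
    lost = set(dead_buses)
    for bus in dead_buses:
        lost |= dependents_of(bus)
    return lost


def within_wcfdi(lost):
    """True if the lost equipment fits inside one WCFDI redundancy group."""
    return any(lost <= group for group in WCFDI_GROUPS)


def single_failure_table(bus_tie_closed=False):
    """Evaluate every modelled single failure; map name -> (lost, acceptable)."""
    components = list(BUSES) + sorted(GENERATOR_BUS) + sorted(THRUSTER_BUS)
    table = {}
    for name in components:
        lost = failure_effect(name, bus_tie_closed)
        table[name] = (lost, within_wcfdi(lost))
    return table


def surviving_thrusters(lost):
    """Thrusters still available for position keeping."""
    return sorted(set(THRUSTER_BUS) - lost)


if __name__ == "__main__":
    for tie_closed in (False, True):
        print(f"bus tie closed: {tie_closed}")
        for name, (lost, ok) in single_failure_table(tie_closed).items():
            verdict = "within WCFDI" if ok else "EXCEEDS WCFDI"
            print(f"  {name:5s} -> loses {sorted(lost)} "
                  f"(thrusters left: {surviving_thrusters(lost)}) {verdict}")
```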

1.7.3 DP control system

1.7.3.1 The Shuttle Tanker is fitted with a Kongsberg Maritime DP Duplex control system. The DPC-2 controller
cabinets are located in the electrical equipment room, with the two DP operator stations (K-Pos OS1, K-Pos OS2)
located in the integrated wheelhouse console. The Kongsberg cJoy system (joystick) has an
independent hardwired connection to each thruster field station. Hard wired analogue signals are provided
for thruster torque (command & feedback), azimuth (command & feedback) and thruster system request
and ready. The cJoy cC-1 controller cabinet is located in the Converter Room. The cJoy can be used as a
manual joystick with auto heading mode but has no DP capability. The worst case single failure effects of
the DP control system are limited to loss of redundancy including reduced availability of DP controllers,
vessel sensors and reference systems, but no single hardware failure as defined for Dynpos AUTR should
lead to a loss of position or heading.

1.7.4 Redundancy in marine auxiliary systems

1.7.4.1 There are five engines in the engine room. There are two types of fuels used for supplying the engines;
these are marine diesel oil (MDO) and Marine Gas Oil (MGO) or heavy fuel oil (HFO) and low sulphur heavy
fuel oil. The service tanks for all types of fuel are located on different decks. The fuel oil service tanks are
located on the aft 2nd deck.

1.7.4.2 The seawater cooling system is essentially a forward and aft split. The forward system serves the forward
thrusters and other forward machinery fresh water cooling systems. The aft seawater system serves the aft
thrusters, main engine coolers and other aft machinery fresh water cooling systems. There is redundancy
in the provision of seawater pumps which serve the various sub systems that draw from the common
seawater supply manifold. There is sufficient redundancy in the seawater system to ensure that a single
failure as defined for Dynpos AUTR will not lead to a loss of thrusters or engines, but will result in a loss of
fault tolerance.

1.7.4.3 There are four independent fresh water cooling systems: the auxiliary fresh water cooling system,
No.1 & 2 DG fresh water cooling system, No.3 & 4 DG fresh water cooling system and Fwd Service fresh
water cooling system. Each fresh water cooling system consists of two fresh water cooling pumps. There is
sufficient redundancy in the fresh water cooling.

1.7.4.4 The compressed air system is used for engine starting, engine remote control valve actuation, fire damper
and quick closing valve actuation. In general, failure of any part of the compressed air system to low
pressure (which is the most likely failure mode) will not exceed worst case failure design intent.

1.7.4.5 The starting air system is equipped with two air receivers. The air receivers are supplied with air from two
main air compressors. The compressors are supplied from different 440V switchboards.

Figure 1-3 Power Distribution

ENGINES AND AUXILIARY SERVICES

2.1 ENGINES

2.1.1 Reference

- A14-405593-3 Specification of main engine
- Specification for Emergency diesel generator set - Rev.1
- Working Drawing of Diesel Generator Engine (9H32/40 and 7H32/40)
- APP-11RAH086-Rev. 2 Specification for Synchronous Generator
- Specification of Generator

2.1.2 Location

2.1.2.1 The main engine is located in the engine room between frames 14 and 54. Auxiliary engines, other
machinery and air compressors are largely located in the engine room on the 3rd deck between frames 14
and 54. The HFO / LS HFO service and settling tanks are located on the port side of the 2nd deck level of
the engine room. The MDO / MGO storage tanks are located on the 3rd deck, with the MDO storage tank
on the port side and the MGO storage tank on the starboard side. The MDO / MGO service tank
is located on the port side of the 2nd deck level of the purifier room.

2.1.3 Engine Configuration

2.1.3.1 The following machinery is installed on this vessel:

Main Engine: MAN B&W 6S70ME-C8.2 TIER II
Diesel Generator Engine: 2 x 3300kW, 720RPM Hyundai Himsen 7H32/40 (No.1 and No.4)
                         2 x 4300kW, 720RPM Hyundai Himsen 9H32/40 (No.2 and No.3)
Alternators: 2 x 4125kVA, 6.6kV, 3ph, 60 Hz, HSJ7 805-10P (No.1 and No.4)
             2 x 5375kVA, 6.6kV, 3ph, 60Hz, HSJ7 913-10P (No.2 and No.3)
Emergency Generator (Engine): 1 x 350 kW, 1800RPM, Doosan AD180TI
Emergency Alternator: 1 x 437.5kVA, Leroy Somer M 47.2 S4

2.1.3.2 The normal configuration is to run the required generators connected to the associated switchboard with
the bus tie breakers open.

2.1.3.3 Each 6.6kV bus bar is powered from an associated 5375 kVA diesel generator (DG No.2 or No.3) and a
4125kVA diesel generator (DG No.1 or No.4). Diesel generators No.1 and No.2 supply 6.6kV MSB No.1
and diesel generators No.3 and No.4 supply 6.6kV MSB No.2.


2.2 MAIN ENGINE SYSTEMS

2.2.1 Main Engine Description and Redundancy Concept

2.2.1.1 There is one main engine located in the engine room to drive the propeller. The MAN B&W 6S70ME-C8.2
TIER II is a two stroke, single acting (non-reversible), crosshead type marine diesel engine with constant
pressure turbo charging.

2.2.1.2 The main engine drives a Berg BCP 2000 CPP propeller via a hydraulic pressure controlled shafting
system to the reduction gearbox. Mechanical or electrical failure of the main engine would result in the
loss of the propulsion CPP; this would reduce the redundancy of the vessel but will not affect the vessel's
position keeping capability as long as it operates within its environmental capabilities.

2.2.2 Main Engine Freshwater Cooling System Description

Figure 2-1 Main Engine Freshwater Cooling System

2.2.2.1 Refer to figure 2-1. The main engine fresh water cooling system forms a part of the auxiliary FW cooling
system. Circulation of coolant through the main engine fresh water cooling system is carried out by
motor driven main engine jacket cooling pumps. Only one pump is in operation during passage or on DP.
The pumps are configured for standby starts and are monitored on the ICMS. Please refer to table 2-11
for main engine jacket water cooling pump power supplies. Coolant is circulated from the de-aeration tank to
the ME Jacket FW pre-heater via the ME Jacket water cooling fresh water pump. Coolant after pre-heat is
then distributed to the main engine auto venting unit and scavenge air cooler. The outlet is directed
through the freshwater generator for the production of potable water. Coolant from the water maker is
directed through an electro pneumatic controlled 3 way temperature control valve. This adjusts flow to the
ME Jacket Fresh Water cooler or to the de-aerator before it is circulated back to the jacket water pumps. The
outlet temperature from the jacket water system is maintained at 90°C. Coolant from the low temperature
freshwater cooling components like the lube oil cooler and main engine air cooler is cooled separately in
the auxiliary freshwater cooling system.


2.2.3 Main Engine Lubricating Oil System Description

Figure 2-2 Main Engine Lubrication System

2.2.3.1 Refer to figure 2-2. The main engine lubricating oil system is equipped with a 38.2 m³ main LO sump tank
and two motor driven 400 m³/h main lube oil pumps.

2.2.3.2 The main engine LO pumps draw lubricating oil from the sump tank and direct it to both main lube oil
coolers. Both main engine LO coolers are using 50% cooling capacity. Both main engine LO coolers are
cooled by the auxiliary FW cooling system. From the main LO cooler, lube oil is passed through the main
LO Auto filter via the electro-pneumatic 3 way temperature control valve where the temperature is set to
45°C. From the filter the lube oil is directed to the inter thrust bearing, main bearing, crosshead bearing
and piston, and turbocharger unit.

2.2.3.3 Refer to the table below for the power sources for Main Engine LO Pumps.

Table 2-1 ME LO pump power sources

Pumps               Power supply
ME LO Pump No.1     440Vac GSP No.1
ME LO Pump No.2     440Vac GSP No.2


2.2.4 Main Engine Starting Air and Control Air Description

Figure 2-3 Main Engine Compressed Air System

2.2.4.1 The compressed air system comprises two main air receivers (No.1 and No.2) with a working pressure
of 3.0 MPa. Starting air for the main engine is supplied from the main air receivers via a common line
connecting both air receivers.

2.2.4.2 Refer to figure 2-3. Once the starting air solenoid valve has been activated, the compressed air from the
receivers is fed at 3.0 MPa directly to the starting air inlet. The 30 bar air from the starting air inlet is also directed
to the air reduction unit to produce 7 bar control air.

2.2.4.3 Once in operation there is no requirement for starting air for running of the main engines; however, control
air is required to control the running speed of the main engine.

2.2.4.4 Control air to the engines is fed from a starting air inlet. The air is then reduced to 0.7 MPa through a
pressure reducing unit. The air at the outlet of the pressure reducing unit is connected to the oil mist
detector, safety relief valve, oil filter and air reservoir, which is for the exhaust valve operating mechanism.


2.2.5 Main Engine Fuel Oil System Description

2.2.5.1 Fuel can be drawn from the HFO, LSHFO, or the MDO/MGO service tank by one of the two motor driven
ME FO supply pumps which in turn feeds one of the two ME FO circulating pumps. These pumps are
assumed to operate on a standby start configuration. FO from the circulating pump is passed through a
main engine fuel oil heater to attain the correct viscosity. FO is then directed through the viscorater unit (for
measurement and control of the heaters) and filtered through the bypass filter before it is directed to the
engine.

2.2.5.2 From the engine fuel oil manifold, it is distributed to all the hydraulic cylinder units for supply to the fuel
injectors. Excess fuel from the hydraulic cylinder units, injectors and relief valve on the supply manifold is
returned to the associated HFO service tank through the fuel oil return manifold.

2.2.5.3 During DP operations the main engine normally uses HFO or MDO from the respective service tank.

2.2.6 Failure Modes of the Main Engine

2.2.6.1 The significant failure modes of the main engine are taken to be:
1. Engine stops during operation (No structural failure of major engine components).
2. Engine runs at lower speed than required during operation.
3. Engine runs at higher speed than required during operation.
4. Unforeseen catastrophic failure of a component part (manufacturer's component fails within its
   expected lifespan).
5. Blocked Lube Oil Filter
6. Oil Mist Detector Failure
7. Failure of main lube oil pump
8. Viscosity Controller failure (Viscosity controller not required when using MDO)
9. Failure of fuel oil pump

2.2.7 Failure Effects of the Main Engines

2.2.7.1 Engine stops during operation: Loss of propulsion power, leading to loss of CPP. Vessel maintains position
with remaining thrusters.

2.2.7.2 Engine runs at lower speed than required during operation: Inability to maintain desired output from
engine. Propeller will operate at a lower speed than required. The other thrusters will be required to
increase output to compensate in order to maintain position.

2.2.7.3 Engine runs at higher speed than required during operation: Inability to maintain desired output from the
engine. Propeller will operate at higher speeds than required. The remaining thrusters will be required to
increase or decrease output to compensate. There is a potential to overload the engine which could cause
the engine to trip on over speed. If the engine trips, leading to loss of CPP, the vessel is still able to maintain
position with remaining thrust.

2.2.7.4 Unforeseen catastrophic failure of a component part: On failure of an external component, the engine may
stop, but can usually be restarted when the part has been replaced. On failure of an internal component,
the engine may stop due to catastrophic failure of other parts damaged by initial breakage. As above there
will be a sudden step load to surviving thrusters online at the time.

2.2.7.5 Blocked lube oil filter: A blocked main lube oil auto filter will result in a fall in lube oil pressure. Back
flushing of the filter is activated on detection of high differential pressure across the filter. A differential
pressure device installed on the back flush filter will trigger an alarm on the ICMS on the onset of a blocked
filter. This filter is also fitted with a manual bypass filter to allow for maintenance on the auto filter.

2.2.7.6 Oil mist detector failure: This is understood to generate an alarm if air pressure fails, or if there is power
failure to the equipment, but spurious shutdown of engine cannot be ruled out due to some internal fault.

2.2.7.7 Failure of main lube oil pump: The failure of the main lube oil circulating pump would result in a fall in lube
oil pressure; this would initiate a low lubricating oil pressure alarm on the engine control system and ICMS.
It would also trigger an automatic start of the standby pump. This should not affect the operation of the
main engine.


2.2.7.8

Viscosity Controller Failure: Failure of viscosity will lead the heavy fuel oil viscosity and affect the fuel oil
flow rate and may lead the main engine to fail. Proper maintenance has to be in place to ensure correct
operation of the viscosity controllers.

2.2.7.9

Failure of Fuel Oil Pump: Failure of a fuel oil pump will result in reduced or no fuel to the engine. As there
is a standby pump for the supply and circulating system, this should start, resume fuel supply and
generate an alarm.

2.2.8

Hidden Main Engine Failures


1. Manufacturing defects in engine components.
2. Contamination of lubricating oil.
3. Fuel oil supply pump automatic start failure when it is required.
4. Fuel oil circulating pump automatic start failure when it is required.
5. Lube oil standby pump automatic start failure.
6. Any pressure switch failure.
7. Any pressure alarm failure.

2.2.9

Common Mode Failures Affecting the Main Engine

2.2.9.1

Most common mode failures affecting the engine would be related to the auxiliary systems that support
them such as fuel, compressed air, combustion air, lube oil, cooling water and control power supply. These
systems are discussed in the appropriate section of the FMEA.

2.2.10

Configuration Errors That Could Defeat Redundancy - Main Engine

2.2.10.1

There are no known alternative configurations that could defeat redundancy as there is one main engine
driving the propulsion CPP.

2.2.11

Maloperation of the Engines

2.2.11.1

There are no known single acts of maloperation that could defeat the redundancy concept.

2.2.12

Worst Case Failure of the Main Engine

2.2.12.1

The worst case failure identified in this analysis will result in the loss of the main engine, leading to failure
of the propulsion CPP. Such failures are unlikely in a well-maintained plant and should not exceed the
worst case failure design intent.


2.3

AUXILIARY DIESEL GENERATOR SYSTEM

2.3.1

Aux. Engine Fuel Oil System Description

2.3.1.1

There are two different auxiliary engines installed on board. These are Hyundai 7H32/40 and 9H32/40. The
difference between the two engines is the number of cylinders and therefore the power generated;
otherwise the systems in the engines are identical.

2.3.1.2

Hyundai Himsen 7-9H32/40: Fuel oil to the engine is strained through a 34 duplex fuel oil filter prior to
being fed to the engine. Fuel is then directed to the fuel injection pumps. Excess fuel oil from the
filter drains to the fuel oil leakage tank. Fuel from each injection pump supplies its associated fuel injector
through a high pressure pipe. Excess fuel from the fuel injection system is collected in a fuel oil return
manifold. From the fuel return manifold the excess fuel is directed to the associated fuel oil tank. Fuel oil
leak off from the jacketed high pressure piping collects in a manifold and is directed to a drain tank which is
monitored and alarmed for level on the ICMS.

2.3.1.3

During DP operations, the isolation valve F303V has to be normally closed and the auxiliary engines are
configured to use certain types of fuel oil. These are indicated below:

- Marine Diesel Oil service tank supplies GE No.3 and No.4.
- Marine Gasoline service tank supplies GE No.1 and No.2.

2.3.2

Auxiliary Engine Lubricating Oil System


Figure 2-4

7-9H32/40 Engine Lubricating System

2.3.2.1

Hyundai Himsen 7-9H32/40: Figure 2-4 shows that the engine has a self-contained lubricating system with an
engine driven pump, an oil cooler, a lube oil fine filter and a cylinder lube oil pump. Oil is drawn from the
lube oil sump by the engine driven LO pump. The LO is then fed to the LO cooler; the excess LO is
returned to the LO sump tank via the centrifugal filter. The temperature of the inlet oil to the engine is
regulated by the 3-way temperature control valve before passing through the filter by adjusting the flow of
lube oil to the internal lube oil system and oil cooler. The set point of the lube oil inlet temperature is
60-69°C. After the cooler or TCV, lube oil is strained through duplex 15 filters. Each filter is equipped with a
bypass valve which lifts at 0.2 MPa. From the duplex filters, lube oil is supplied to the main lubricating bore.


2.3.2.2

The main lubricating oil bore distributes lube oil to the various engine lubricating points (the turbocharger,
main bearings, fuel oil pumps, piston assembly, rocker arms, camshaft bearings, cylinder oil pump,
etc.).

2.3.2.3

Each engine is equipped with a motor driven pre-lube oil pump. The No.1 and No.3 GE pre-lube oil pumps are
electrically supplied from the 440Vac Emergency switchboard, while the No.2 and No.4 GE pre-lube pumps are
supplied from the 440Vac No.2 Feeder panel. If the lube oil pressure drops below the low level pressure, the
pressure switch will trigger the standby pump. The low lube oil pressure trip will activate if the pressure
drops below the low-low level of pressure.

2.3.3

Auxiliary Engine Fresh Water Cooling System


Figure 2-5

Auxiliary Engine Freshwater Cooling System

2.3.3.1

The 7-9H32/40 engines' freshwater cooling systems comprise an LTFW cooling circuit and an HTFW cooling
circuit. Diesel generators No.1 and No.2 form part of the No.1 & No.2 GE freshwater cooling system and
Diesel generators No.3 and No.4 form part of the No.3 & No.4 GE Freshwater Cooling System. Both
generator fresh water cooling systems are identical.

2.3.3.2

The engine LTFW cooling circuit comprises the LT charge air cooler (2nd stage) and engine lube oil
cooler. The circulation of coolant through this system is provided by GE freshwater cooling pumps No.1 or
No.2. From the lube oil cooler, coolant is either returned to the GE fresh water cooling system or directed to
the engine driven HT cooling pump.

2.3.3.3

The HTFW cooling circuit comprises the HT charge air cooler (1st stage) and jacket water system. The
engine driven HT cooling water pump circulates coolant through the HT charge air cooler and engine
jacket water cooling systems before it is directed to a 3-way pneumatic temperature control valve. The
temperature control valve maintains the outlet HT fresh water system temperature at 79/88°C before it is
returned to the central freshwater cooling system.

2.3.3.4

LTFW coolant through the alternator lube oil cooler, LT air cooler (2nd stage) and alternator air cooler
is also supplied by the GE freshwater cooling pumps.

2.3.3.5

A pre-heating unit is located in the HT engine fresh water cooling system before the 3-way temperature
control valve. Please refer to Figure 2-5.

2.3.4

Auxiliary Engine Compressed Air System

Figure 2-6

7-9H32/40 Engine Compressed Air System

2.3.4.1

All four diesel generator engines are air started and are part of the compressed air system.

2.3.4.2

Please refer to Figure 2-6. The 7-9H32/40 engines are supplied with starting air at 3.0 MPa from the main
air receivers. From the air inlet, compressed air is directed to the main starting valve, the on/off valve for the
jet assist system, the 3/2 way solenoid valve for the normal stop/emergency stop, and the turning gear.
Compressed air at the inlet to the engine is also diverted to an allocated pressure reducing station to
provide control air at 8 bar. Control air for the engines is directed to the pneumatic cooling valve, the 3/2 way
valve for normal stop/emergency stop (pneumatic pressure to assist in pushing the fuel rack to zero), the 3/2
way solenoid valve for the Lambda cylinder and the oil mist detector.

2.3.4.3

From the compressed air inlet, air is supplied to the Lambda cylinder through a 3/2 way solenoid valve for
fuel oil limiting for charging air purposes. The charge air intake is taken from the engine room through a filter
fitted on the turbocharger for the jet system. A sufficient volume of air has to be supplied to the
turbocharger, therefore each turbocharger is installed with an air duct.

2.3.4.4

Emergency shut-off fire dampers in the engine room are air actuated to close the damper; therefore loss of
control air will not affect the closure of the fire dampers. Maloperation by activating the closure of the fire
damper cannot be ruled out; it is assumed that adequate protection has been applied to the
control station. Failure mode effects for the fire dampers are further described in section 2.10.

2.3.5

Failure Modes of the Auxiliary Engines

2.3.5.1

The significant failure modes of the engines are taken to be:

1. Engine runs at lower speed than required during operation.
2. Engine runs at higher speed than required during operation.
3. Unforeseen catastrophic failure of a component part (manufacturer's component fails within its
   expected lifespan).
4. Failure of engine pre-lube/standby pump.
5. Failure of engine driven main lube oil pump.
6. Failure of piping (leakage) of the compressed air system to auxiliary engines.
7. Failure of HT temperature control valve for engine.
8. Restricted or no fuel supply.

2.3.6

Failure Effects of the Auxiliary Engines

2.3.6.1

Engine runs at lower speed than required during operation: Inability to maintain power supply at required
frequency (single engine operation only); inability to load share effectively (sheds load). Temporary loss of
spinning reserve, may trip on under frequency or eventually low voltage (single engine operation only).

2.3.6.2

Engine runs at higher speed than required during operation: Inability to maintain power supply at required
frequency (single engine operation only); inability to load share (grabs loads in parallel operation) potential
to overload engine, potential to overspeed engine or trip on overspeed protection (single engine operation
only), potential to cause irreversible damage to engine.

2.3.6.3

Unforeseen catastrophic failure of a component part: On failure of an external component, the engine may
stop, but can usually be restarted when the part has been replaced. On failure of an internal component,
the engine may stop due to catastrophic failure of other parts damaged by initial breakage. This will result
in a reduction in the available load in the power plant and possibly stopping of associated thrusters. As
above, there will be a sudden step load to surviving thrusters online at the time.

2.3.6.4

Failure of engine pre-lube/ standby pump: Failure of pre lube pump will not affect running engine but may
inhibit the starting of an engine on standby.

2.3.6.5

Failure of engine driven main lube oil pump: The failure of the engine driven main lube oil pump would
result in a fall in lube oil pressure which would first initiate a low lubricating oil pressure alarm and will
trigger the automatic start of standby pump (pre-lube pump). The standby pump will resume the required
lube oil pressure or the engine may trip on low lube oil pressure.

2.3.6.6

Failure of piping (leakage) of the compressed air system to auxiliary engine: Pipe leakage of air to the
auxiliary engines will not stop the engines but may remove the safety systems required to stop the engine.
A low starting air/control air pressure alarm will be initiated at the local engine panel and ICMS.

2.3.6.7

Failure of HT temperature control valve for engine: The temperature control valve may fail as set. If the
valve fails to bypass the cooler, it will cause the engine to trip on high temperature. If the valve fails to
full cooling, it will have no effect on the engine.

2.3.6.8

Restricted or no fuel supply: Each pair of diesel engines has a common fuel supply with a self-cleaning
filter. A choked filter could restrict fuel supply to the two diesel engines and result in uneven operation or
stopping of the engines. This would equal the vessel's worst case failure. In mitigation, the filter is
monitored and has a bypass that would allow the operator to resume normal supply in the event of a
restriction.

2.3.7

Hidden Auxiliary Engine Failures


1. Manufacturing defects in engine components - this would normally be restricted to a single engine
   but the resulting effect could impact that section of the power system.
2. Contamination of lubricating oil - this would be restricted to a single engine.
3. Fuel oil standby pump automatic start failure when it is required - this could impact two diesel
   engines.
4. Lube oil standby pump automatic start failure - this would be restricted to a single engine.
5. Any pressure switch failure - this would be restricted to a single engine.
6. Any pressure alarm failure - this would be restricted to a single engine.

2.3.8

Common Mode Failures Affecting the Auxiliary Engines

2.3.8.1

Most common mode failures affecting the engines would be related to the auxiliary systems that support
them such as fuel, compressed air, combustion air, lube oil, cooling water and control power supply.
These systems are discussed in the appropriate section of the FMEA.


2.3.1

Configuration Errors That Could Defeat The Redundancy - Engines

2.3.1.1

There are very few user selectable configurations for the engine skids other than those selected during
commissioning of the control unit. Most opportunities for configuration error lie in the arrangement of
engine auxiliaries and power management system.

2.3.1.2

Running insufficient number of engines to maintain adequate spinning reserve.

2.3.1.3

Operating all the engines from a single fuel oil day tank.

2.3.2

Maloperation of the Engines

2.3.2.1

There are few credible operator actions that could defeat the redundancy concept, other than those that
would prevent a standby engine, if any, from starting and connecting, e.g. an engine is inadvertently left on
manual instead of automatic standby; however, that is not considered for this configuration.

2.3.3

Worst Case Failure of the Engines

2.3.3.1

The worst case failure identified for failure of an auxiliary diesel engine would be a single engine, but as
DGs 1 & 2 and DGs 3 & 4 share common auxiliaries in the form of cooling and fuel oil, this could result in
loss of up to two diesel engines.
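
The grouping argument in this section (a shared auxiliary may stop both engines of one pair, but never engines from both pairs) can be checked against the worst case failure design intent. The Python code below is an added example and is not part of the original report: it also covers the two configuration errors listed above (all engines on a single fuel oil day tank, and too few engines online for spinning reserve). The dictionary labels are chosen for the example and the generator ratings are constructed values, since this section of the report gives none.

```python
"""Single-failure audit of the generator redundancy groups described above."""

# Worst case failure design intent (FMEA summary): one failure may remove
# at most one of these generator pairs.
WCFDI_GROUPS = (frozenset({"DG1", "DG2"}), frozenset({"DG3", "DG4"}))
ALL_DGS = {"DG1", "DG2", "DG3", "DG4"}

# Shared auxiliaries named in the FMEA, mapped to the generators that stop
# when that auxiliary is lost. Keys are labels chosen for this example.
DP_CONFIG = {
    "MGO service tank": {"DG1", "DG2"},
    "MDO service tank": {"DG3", "DG4"},
    "No.1 & No.2 GE FW cooling": {"DG1", "DG2"},
    "No.3 & No.4 GE FW cooling": {"DG3", "DG4"},
    "DG 1 & 2 control power": {"DG1", "DG2"},
    "DG 3 & 4 control power": {"DG3", "DG4"},
}

# Configuration error from the text: all engines on a single fuel oil day tank.
SINGLE_TANK_CONFIG = dict(DP_CONFIG)
SINGLE_TANK_CONFIG["MGO service tank"] = set(ALL_DGS)
SINGLE_TANK_CONFIG["MDO service tank"] = set()

# Constructed ratings in kW (assumption: the report section gives no ratings).
RATING_KW = {"DG1": 3000, "DG2": 3000, "DG3": 4000, "DG4": 4000}


def exceeds_wcfdi(lost):
    """True if the lost engines are not all contained in one WCFDI pair."""
    return bool(lost) and not any(set(lost) <= group for group in WCFDI_GROUPS)


def audit(config):
    """Return {auxiliary: engines lost} for each single failure beyond the WCFDI."""
    return {aux: set(dgs) for aux, dgs in config.items() if exceeds_wcfdi(dgs)}


def capacity_after_worst_failure(config, online):
    """kW still available after the most damaging shared-auxiliary failure."""
    online = set(online)
    total = sum(RATING_KW[dg] for dg in online)
    worst_loss = max(
        (sum(RATING_KW[dg] for dg in set(dgs) & online) for dgs in config.values()),
        default=0,
    )
    return total - worst_loss


def spinning_reserve_ok(config, online, load_kw):
    """True if the surviving engines can carry load_kw after the worst failure."""
    return capacity_after_worst_failure(config, online) >= load_kw


if __name__ == "__main__":
    for name, cfg in (("DP configuration", DP_CONFIG),
                      ("single day tank", SINGLE_TANK_CONFIG)):
        findings = audit(cfg)
        print(name, "->", findings or "no single failure exceeds the WCFDI")
    # Two engines online look sufficient on total capacity (7000 kW) but are
    # not once the larger one is lost with its fuel supply.
    print("DG1+DG3 online, 3500 kW load:",
          spinning_reserve_ok(DP_CONFIG, {"DG1", "DG3"}, 3500))
```
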

2.4

ENGINE CONTROL SYSTEM AND SAFETY SHUTDOWNS

2.4.1

Drawing reference
Man B&W 6S70ME-C8.2 electric connection diagram A14-436372-3

2.4.2

Main Engine Controls

2.4.2.1

The engine control system manages the operation of the engine. It controls the starting, stopping and
speed setting of the main engine. This system is provided with a safety system which may automatically
slow down or trip the engine if abnormal conditions and engine parameters are detected. A manual
emergency stop is provided at the engine as a backup in case of failure of the remote control system.

2.4.2.2

The Man B&W 6S60ME-C8 two stroke marine diesel engine incorporates an electronically
controlled hydraulic system which provides the required flexibility to form the core of the ME Engine
Control System. The system has a dual power supply fed from two UPS, which is converted to 24Vdc at the
power supply unit. Both supplies also have battery backup supplies. The system consists of:

1. Auxiliary Control Unit (ACU)
2. Cylinder Control Unit (CCU)
3. Engine control unit (ECU)
4. Engine interface control unit (EICU)
5. Main operating panel (MOP)

2.4.2.3

The ECS performs all the control functions; it receives control signals from the controller through the
interface panel. It is through the interface panel that the 24Vdc is supplied. This 24Vdc is supplied by GE
1/2 PSU (for engines 1 and 2) and GE 3/4 PSUs (for engines 3 and 4). These are powered from
220Vac MSB/ESB and there is a built-in UPS and batteries inside the PSU to provide the backup power
supply in the event of failure of the main input supplies. Various sensors are allocated to the ECS to monitor
engine performance and protective data.

2.4.3

Engine shutdowns and alarms

2.4.3.1

The engine shutdowns and alarms which protect the engine are listed below.

Table 2-2

Main Engine Shutdown

Engine Shutdowns | Settings
Engine overspeed | 89.4 rpm (109% of MCR)
ME LO low pressure | 1.4 kg/cm2
Non-cancellable signal from ECS-A/B |
Pump inlet oil pressure low |
Hydraulic low pressure sensors failed |
Hydraulic high pressure fails during running engine |
Cancellable signal from ECS A/B |
Leakage from hydraulic unit, high level |
Thrust bearing segment high temperature | 90°C
T/C LO low pressure | 0.4 kg/cm2

2.4.3.2

The following abnormal conditions will initiate an alarm at the ECR and ICMS, and will also activate an
automatic main engine slowdown to a pre-set speed.

Table 2-3

Main Engine Alarms and slowdown setting

Engine Alarms | Slowdown Settings
Cylinder Exh. Gas Aft Exh. V/V high temp. | Alarm: 430°C, Slowdown: 450°C
Cylinder Exh. Gas Aft Exh. V/V Deviation high temp. | Alarm: Mean value 50°C, Slowdown: Mean value 60°C
Scavenge air box - fire detection high temp. | Alarm: 80°C, Slowdown: 120°C
T/C L.O outlet high temp. | Alarm: 85°C, Slowdown: 85°C
T/C L.O inlet low pressure | Alarm: 0.6 kg/cm2, Slowdown: 0.6 kg/cm2
Cylinder Jacket CFW outlet high temp. | Alarm: 90°C, Slowdown: 95°C
L.O inlet high temp. | Alarm: 55°C, Slowdown: 60°C
Jacket CFW inlet low pressure | Alarm: 4.0 kg/cm2, Slowdown: 3.5 kg/cm2
Jacket CFW inlet low temp. | Alarm: 57°C, Slowdown: 50°C
Jacket CFW inlet high temp. | Slowdown: 98°C
Piston C.O. high temp. | Alarm: 70°C, Slowdown: 75°C
Piston C.O. non flow | Alarm & Slowdown
Thrust bearing segment high temp. | Alarm: 75°C, Slowdown: 80°C
L.O inlet low pressure | Alarm: 1.8 kg/cm2, Slowdown: 1.6 kg/cm2
Axial vibration high | Alarm & Slowdown
Crankcase oil mist high density | Alarm & Slowdown
Bearing Wear Monitoring Sys. Abnormal | Slowdown
ECS A&B Slowdown | Slowdown
Stern Tube Bearing high temp. | Alarm: 60°C, Slowdown: 60°C
Interm. Shaft Bearing high temp. | Alarm: 65°C, Slowdown: 65°C
Exh. Gas Econ. feed pump low pressure | Alarm: 1.8 kg/cm2, Slowdown: 1.6 kg/cm2
Main Bearing high temp. | Slowdown: 70°C
Crankpin Bearing high temp. | Slowdown: 70°C
T/C Exh. Gas outlet high temp. | Alarm: 350°C
T/C Exh. Gas inlet high temp. | Alarm: 520°C
F.O inlet low & high temp. | Alarm: 120°C (Low) / 150°C (High)
Scavenge Air Receiver high temp. | Alarm: 55°C
Water mist catcher water high level |
L.O inlet high water |
Cylinder lubrication high temp. | Alarm: 70°C
F.O inlet low pressure | Alarm: 6.5 kg/cm2
Air Cylinder for Exh. V/V low pressure | Alarm: 5.5 kg/cm2
Starting Air inlet low pressure | Alarm: 15 kg/cm2
Control Air inlet low pressure | Alarm: 5.5 kg/cm2
Air Cooler C.W outlet high temp. | Alarm: 70°C
Air Cooler C.W inlet low & high pressure | Alarm: 1.0 kg/cm2 (Low) / 5.5 kg/cm2 (High)
Leakage from high pressure pipes |
Leakage oil from hyd. Cyl. Unit |
Vibration system/power fail |
Power supply A&B fail |
Hyd. Oil filter Diff. high pressure |
T/C RPM high |
EICU A & B fail |
Cylinder Heat. Unit L.O low level |
Hyd. Pump starter abnormal |
Aux. Blower abnormal |

2.4.3.3

The main engine safety monitoring system will initiate a "Safety System Abnormal" alarm on the ECR
panel in the event of the following conditions:

1. Micro computer CPU hard abnormal.
2. 15V line electric source failure.
3. Communication abnormal.
4. Revolution signal (for safety system) abnormal.
5. Manual emergency shutdown switch circuit disconnection.
6. Emergency shutdown override switch circuit disconnection.
7. Emergency slow down override switch circuit disconnection.
8. Automatic emergency shutdown sensor circuit disconnection.
9. Automatic emergency slow down sensor circuit disconnection.
10. Emergency shutdown reset signal circuit disconnection.

2.4.4

Failure modes of the main engine control system and safety shutdowns

1. Failure of protective sensors such as lube oil pressure sensors, oil temperature sensors and thrust
   pad high temperature sensors.
2. Failure of the 24Vdc supply from the power supply unit.
3. Failure of the Engine interface control unit panel.
4. Failure of Auxiliary Control Unit.
5. Failure of Engine Control Unit.
6. Failure of Cylinder Control Unit.
7. Failure of Main operating panel.

2.4.5

Failure effect of the engine control system and safety shutdowns

2.4.5.1

Failure of protective sensors such as lube oil pressure sensors, oil temperature sensors and thrust pad
high temperature sensors: Generally the same as for performance sensors. However, if the sensor fails to
a voltage / current corresponding to a value which initiates the shutdown, an engine shutdown will occur.

2.4.5.2

Failure of one of the 24Vdc supplies from the power supply unit to ECS: The engine control system has a
dual 220Vac power supply from the UPS. It is through the power supply unit that it is converted to 24Vdc.
Failure of the main 24Vdc supply would result in a bumpless transfer to the backup power supply; this will
be indicated by an alarm at the ICMS or ECR panel.

2.4.5.3

Failure of one of the Engine interface control unit panels: The failure will not affect the main engine as it
is backed up by the second engine interface control unit panel.

2.4.5.4

Failure of one of the Auxiliary Control Units: The failure will not affect the main engine as it is backed up by
the second Auxiliary control unit.

2.4.5.5

Failure of one of the Engine Control Units: The failure will not affect the main engine as it is backed up by
the second engine control unit.


2.4.5.6

Failure of Cylinder Control Unit: This failure will result in loss of data for the particular cylinder, as each
cylinder has its own cylinder control unit. This will not have a direct effect on the main engine.

2.4.5.7

Failure of one of the Main operating panels: This will result in loss of control from the main operating panel;
however, the main engine will still continue to run.

2.4.6

Hidden failures of the engine control system and safety shutdowns

2.4.6.1

All protection systems are potential hidden failures. It is acceptable to mitigate the risk by testing such
functions periodically.

2.4.7

Maloperation of the engine control system and safety shutdowns

2.4.7.1

All such acts should lead to loss of main engine resulting in the loss of the CPP (T6). Vessel still maintains
position with remaining thrusters.

2.4.8

Common mode failure associated with the engine control system and safety shutdowns

2.4.8.1

There are no known common mode failures as there is only one main engine driving the CPP.

2.4.9

Engine control system and safety shutdowns configuration errors that could defeat redundancy

2.4.9.1

There are no known opportunities for alternative configurations in the set up for a single engine.

2.4.10

Worst case failure

2.4.10.1 The worst case failure of the engine control system will be failure of the protective sensors which may
cause the engine to shutdown. However this will only affect one engine.

2.4.11

Auxiliary Engine Management system

2.4.11.1 Drawing Reference


B94-082252-0 Technical Engine Specification for Diesel Generator engine
2.4.11.2 Description: The diesel generator engine control is initiated in both the 7-9H32/40 engine control systems.
The engines are equipped with temperature sensors and pressure sensors on an engine monitoring panel
and remote reading on the ship's system.
2.4.11.3 Transmission of the data to the alarm system is via MODBUS communication. The following sections look at
the engine auxiliary systems which may affect power generation of an engine and their ability to sustain DP
operations. They consider failures of the engine auxiliary systems that would:

1. Initiate a diesel generator safety stop.
2. Inhibit a standby engine start.
3. Initiate an alarm on a running engine such that a standby machine is started.
4. In the event of a blackout, initiate restart of engines.

2.4.11.4 Diesel generator safety stops: There are alarm conditions which could lead to the initiation of a diesel
generator safety stop. Please refer to Table 2-4 and Table 2-5.

Table 2-4

Auxiliary Engine Shutdowns Alarm setting

Auxiliary Engine Shutdowns | Alarm Setting
Low-Low lubrication oil pressure inlet | 3 kg/cm3
High-high HTFW cooling water temperature outlet | 95°C
High-high oil mist in crankcase |
High-high engine overspeed | Shutdown: 828 rpm

2.4.11.5 The following abnormal condition will initiate an alarm at the ECR.

Table 2-5

Auxiliary Engine Alarm setting

Auxiliary Engine Alarms | Alarm Setting
Pickup for turbocharger RPM | 7H: 29520 RPM; 9H: 28500 RPM
HT Water low pressure, engine inlet | 0.4 kg/cm3
LT Water low pressure, engine inlet | 0.4 kg/cm3
LO low pressure, engine inlet | 3.5 kg/cm3
FO low pressure, engine inlet | HFO: 6 kg/cm3; MDO: 1 kg/cm3
Starting air low pressure, engine inlet | 15 kg/cm3
Diff. Pressure high for LO filter | 1.5 kg/cm3
Diff. Pressure low for FO filter | 1.5 kg/cm3
LO low pressure T/C inlet low | 1.1 kg/cm3
Pre-lub pressure engine inlet low | 0.08 kg/cm3
Cylinder Exhaust Gas temperature | 530°C
High HTFW cooling water temperature outlet | 90°C
LT water temperature Air cooler inlet | 45°C
FO temperature Engine inlet | HFO: 150°C
High engine overspeed | No Alarm

2.4.12

Failure modes of the auxiliary engine management system and safety shutdowns

1. Failure of protective sensors such as lube oil pressure sensors, oil temperature sensors and fresh
   water high temperature sensors.
2. Failure of one of the 24Vdc power supply to DG control and safety system.
3. Failure of the 24Vdc power supply safety system.
4. Failure of the 24Vdc power supply alarm system.

2.4.13

Failure effect of the engine control system and safety shutdowns

2.4.13.1 Failure of protective sensors such as lube oil pressure sensors, oil temperature sensors and fresh water
high temperature sensors: Generally the same as for performance sensors. However, if the sensor fails to a
voltage / current corresponding to a value which initiates the shutdown, an engine shutdown will occur.
2.4.13.2 Failure of one of the 24Vdc power supplies to DG control and safety system: There are dual 24Vdc power
supplies. These are supplied to the control and monitoring system and safety system. Both 24Vdc power
supplies are supplied from the ship's supply and are redundant to each other. After
the power supply is rectified, the 24Vdc is supplied to the No.1 & No.2 DG control and safety system as well as
the No.3 & No.4 DG control and safety system, which have the same systems. Failure of one of the power supplies
will generate an alarm in the ICMS and will not affect the DP operation.
2.4.13.3 Failure of the 24Vdc power supply safety system: Failure of the 24Vdc power supply to the safety system will lead
to loss of safety shutdown to the engine and may lead to loss of that particular engine. This is to be proven
during the sea trial.
2.4.13.4 Failure of the 24Vdc power supply alarm system from the ship supply: Failure of the 24Vdc power supply to the
alarm system will not lead to loss of the engine, just the monitoring system.
2.4.14

Hidden failures of the engine control system and safety shutdowns

2.4.14.1 All protection systems are potential hidden failures. It is acceptable to mitigate the risk by testing such
functions periodically.
2.4.15

Maloperation of the engine control system and safety shutdowns

2.4.15.1 All such acts should lead to loss of one auxiliary engine resulting in reduced power available to the
switchboard.
2.4.16

Common mode failure associated with the engine control system and safety shutdowns

2.4.16.1 The control power supplies of two generators are connected to the same power sources. Failure of the supply may
lead to loss of two generators and loss of that particular switchboard.

2.4.17

Engine control system and safety shutdowns configuration errors that could defeat redundancy

2.4.17.1 There are no known opportunities for alternative configurations in the set up for a single engine.
2.4.18

Worst case failure

2.4.18.1 The worst case failure would be loss of two associated diesel engines, DG 1 & 2 or DG 3 & 4, that share
common control power supplies.
2.5

FUEL OIL SYSTEM

2.5.1

Fuel Oil Storage, Transfer and Distribution System

2.5.2

Drawing reference
1. 200M241001MB - FO System (Filling and Transfer System)
2. 200M241001MB - HFO System Purifying System
3. 200M241001MB - ME FO Service System
4. 200M241001MB - GE FO Service System

2.5.3

Configuration for DP

2.5.3.1

In normal operations, only fuel that has been sampled and tested is considered for transfer into the settling
tanks.

2.5.4

Fuel Oil Storage and Transfer System

2.5.5

Location

2.5.5.1

Please refer to table 2-7, for the locations of the storage tanks.

2.5.6

Description

Figure 2-7

Fuel Oil Transfer System

2.5.6.1

Station keeping integrity depends heavily on assuring a clean supply of fuel to the engines. This section
discusses the arrangement of storage tanks and fuel purification equipment which provides fuel to the
service tanks. There are four types of fuel oil used on board which are Marine Diesel Oil (MDO), Marine
Gasoline Oil (MGO), Heavy Fuel Oil (HFO) and Low Sulphur Heavy Fuel Oil (LSHFO).

2.5.6.2

Refer to figure 2-7. The vessel has four heavy FO bunker tanks installed (two Port and two Starboard), one
marine gasoline oil storage tank and one marine diesel oil storage tank. Fuel can be loaded into any of
these tanks from the port or starboard bunker station. In normal operations, fuel is transferred to the port or
starboard heavy fuel oil settling tanks from the bunker tanks.

2.5.6.3

The fuel oil system has one HFO Transfer Pump and one MDO Transfer pump. Both pumps have a flow
rate of 40m3/h x 3KPa. The MDO and HFO Transfer Pump are fed from the 440Vac LGSP No.3.

Table 2-6

FO Storage Tank Volumes

Storage Tanks | Volume | Location
MGO service tank | 49.5 | Fr 49 - Fr 53
MDO Service tank | 46.4 m3 | Fr 49 - Fr 54
HFO Service tank | 111.6 m3 | Fr 36 - Fr 42
LS HFO Service tank | 73.8 m3 | Fr 27 - Fr 33
MDO Storage Tank | 235.8 m3 | Fr 49 - Fr 54
MGO Storage Tank | 191.6 m3 | Fr 49 - Fr 54
No.1 LS HFO Bunker tank (S) | 950.8 m3 | Fr 54 - Fr 60
No.2 LS HFO Bunker tank (S) | 818.7 m3 | Fr 27 - Fr 54
No.1 HFO Bunker tank (P) | 950.8 m3 | Fr 54 - Fr 60
No.2 HFO Bunker tank (P) | 636.2 m3 | Fr 27 - Fr 54

2.5.7

Fuel Oil Purification System

Figure 2-8

Fuel Oil Purification System and Settling System

2.5.7.1

Fuel Oil Purification and Settling System: Refer to figure 2-8, FO purification and settling system. The fuel oil system consists of an MDO service tank, an MGO service tank, an LS HFO settling tank and service tank, and an HFO settling tank and service tank. These are located between frames 27 to 54 and are equipped with pneumatically actuated quick closing valves. The settling tanks are equipped with a level transmitter and are monitored and alarmed on the ICMS.

2.5.7.2

There are a total of two HFO purifiers and two HFO purifier heaters in the fuel oil systems. HFO purifiers
No.1 and No.2 are supplied from 440Vac LGSP No.4 (Section 1) and 440Vac LGSP No.4 (Section 2)
respectively. In normal operations, one purifier is running to supply both HFO Service tanks. Fuel oil is
drawn from a settling tank by the attached feed pump and passed through a heater before feeding the
purifier. Each HFO purifier has a flow rate of 4600L/H.

2.5.7.3

As for the MDO and MGO, both service tanks share the common purifying system with the HFO purifiers. MGO or MDO is drawn from the service tank by the attached feed pump no.2 and bypasses the heater before feeding the purifier. After purification the FO is returned to the MDO / MGO service tanks.

2.5.8

Fuel Oil Distribution System

2.5.9

Location

2.5.9.1

The fuel oil service tanks are located in the Port side of the engine room between frames 27 to 54.

2.5.10

Configuration for DP

2.5.10.1 Please refer to figure 2-8 for the crossover valve configuration:

1. MDO service tank supply to Diesel generator no.3 and no.4.
2. MGO service tank supply to diesel generator no.1 and no.2.
3. HFO service tank supply to the main engine.

2.5.10.2 The maintenance crossovers between the supply and return lines are normally closed. Refer to the table below for the crossover valve configuration during DP operations:

Table 2-7   FO Crossover Valve Configuration During DP

Engines

Valve Tag


Normally Close

Normally Open

ME
F256V

From MDO & MGO

From HFO

GE No.1, GE No.2, GE No.3 and GE No.4


F303V
F304V

F330V

F324V

F353V

F354V

Figure 2-9   Fuel Oil Distribution System

2.5.10.3 Refer to figure 2-9. The fuel distribution system essentially consists of four different types of fuel oil with a piping system that allows these fuels to reach the five engines. In normal DP operations, the main engine will be supplied from the HFO service tank but can be supplied from the MDO service tank if required. The distribution of MDO whilst on DP is split into two separate systems: the MDO service tank supplies generators no.3 and no.4 whilst the MGO service tank supplies generators no.1 and no.2. This split aligns with the redundancy concept. There is a crossover between the two sides which is normally closed. Fuel is supplied to the engines by the electrically driven FO supply pumps. Each side of the engines has two pumps. The setting of the crossover valves is shown in figure 2-9.

2.5.10.4 This fuel oil distribution system consists of one MDO service tank 46.4m3, one MGO service tank 49.5m3, one HFO service tank 111.6m3 and one LS HFO service tank 73.8m3. All the tanks are fitted with pneumatic quick closing valves. The service tanks are located on the port side of the engine room between frames 27 to 54. Auxiliary engines No.1 and No.2 run on Marine Gasoline Oil, auxiliary engines No.3 and No.4 run on marine diesel fuel and the main engine runs on heavy fuel oil. The fuel oil service tanks are each monitored by a single level transducer which provides a signal used to initiate a low level alarm and a high level alarm on the ICMS. The HFO settling tanks are also monitored with a single level transducer for the same values as the service tank, which also initiates a low level and high level alarm on the ICMS.

2.5.10.5 The fuel oil supply and return manifolds each have a selection of maintenance crossover valves which are normally closed to prevent cross contamination. Fuel oil contamination is controlled by daily drainage checks at the settling and service tanks; early detection of contamination allows it to be controlled by dosing.

2.5.11

Fuel oil QCVs for DO Service Tanks, Settling Tanks and Storage Tanks

Figure 2-10   Pneumatic Fuel Oil Quick Closing Valve System

2.5.11.1 The pneumatic fuel oil quick closing valve system consists of an air receiver with a relief valve and low pressure alarm. Refer to Figure 2-10. Compressed air at 0.7mPa is supplied to the Fire Control Station air receiver from the Deck Service air reservoir. If the air pressure falls to the low pressure level, an alarm will be initiated on the ICMS. The quick closing valves require a supply of compressed air to close.
2.5.11.2 The pneumatic QCVs are operated manually through an isolating valve in the fire control station. When opened, compressed air is directed to the quick closing valves for 12 FO storage tanks, main LO settling tanks, LS cylinder oil measure tanks, cylinder oil measure tanks, incinerator DO tank, incinerator settling tank and incinerator waste oil service tank. The 12 fuel oil tanks include the MDO Storage tank, MGO storage tank, HFO storage tank, LS HFO storage tank, MDO Service Tank, MGO Service tank, HFO Service tank and LS HFO Service tank. The distribution of the compressed air from the fire control station is divided into two groups. The grouping of the tanks is as follows:

Table 2-8   Quick Closing Valves Grouping

Group    Tanks

Incinerator DO tank, Incinerator Waste Oil service tank, Incinerator Settling tank, No.1 HFO Tank (P), No.2 HFO Tank (P), LS HFO Serv. Tank, HFO Serv. Tank, LSHFO Settling tank, HFO Settling Tank, MDO Storage Tank, MGO Service tank.

Main LO Settling tank, LS Cyl. Oil Measure Tank, Cyl. Oil Meas. Tank, MDO Service tank, No.2 LS HFO Tank (S), MGO Storage tank, No.1 LS HFO Tank (S).

2.5.11.3 These service tanks can be inadvertently closed through one control valve, causing the running generators and the main engine to shut down from fuel starvation. Adequate protection has to be applied to the system to prevent inadvertent closing of two valves. The valves are set as normally closed at the initial stage. In an emergency where all the engines need to be shut down, two valves have to be manually opened before the quick closing valves are activated.

2.5.12

Main Engine Fuel Oil Service System Description

Figure 2-11   Main Engine Fuel Oil System

2.5.12.1 Please refer to figure 2-11. Fuel can be drawn from the MGO, MDO, HFO or LSHFO service tanks to the diesel switch, which selects the fuel to be used for the main engine. If the diesel switch is blocked or has failed, the FO will bypass the diesel switch and be directed to the main engine.
2.5.12.2 The FO is drawn by one of the two electrically driven ME FO supply pumps. Please refer to table 2-9 for the power supplies. The fuel oil supply pumps and FO circulation pumps are configured for standby starts and are monitored on the ICMS.
2.5.12.3 From the main engine fuel oil supply pumps, fuel oil is directed to the electrically driven ME FO circulation pumps. There are two ME FO circulation pumps; these are configured for standby starts and are monitored on the ICMS. From the circulation pump, fuel oil is passed through the fuel oil pre-heater and viscorator. The temperature and viscosity of the fuel oil are monitored and controlled through the viscorator. Fuel is then directed at low pressure through the ME FO auto fuel oil filter. From the filter, fuel is directed to the left and right bank fuel injectors. The excess fuel from the injectors will be directed back to the M/E fuel oil venting box through the FO return line.
2.5.12.4 During DP operation, HFO or LS HFO can be used to supply the main engine; the crossover configuration can be found in table 2-9.

Table 2-9   ME FO pump power sources

Pumps                          Power supply
ME FO Supply Pump No.1         440Vac No.1 GSP
ME FO Supply Pump No.2         440Vac No.2 GSP
ME FO Circulation Pump No.1    440Vac No.1 GSP
ME FO Circulation Pump No.2    440Vac No.2 GSP

2.5.13

Diesel Generators Fuel Oil Service System Descriptions

Figure 2-12   Diesel Generator Fuel Oil System

2.5.13.1 Refer to Figure 2-12. MDO and MGO fuels are used to feed the four auxiliary generators. During DP operations, the following fuels are used for the auxiliary engines, and the FO supply crossover valve F303V and return crossover valve F324V will be normally closed. The configuration can be found in table 2-8.

Marine Diesel Oil service tank supplies GE No.3 and No.4.

Marine Gasoline Oil service tank supplies GE No.1 and No.2.

2.5.13.2 GE No.1 and No.2: The MGO is drawn by the GE MDO supply pumps no.1 or no.2. From the supply pumps, MGO is circulated through the associated MGO cooler and strained through the GE 1 FO Auto filter. From the auto filter, fuel oil is directed to both engines. The return fuel from the engines is circulated back to the respective FO tanks through the flow meter. There is a crossover valve F324V on the return line; the valve will be set to normally closed.
2.5.13.3 GE No.3 and No.4: The fuel oil supply pumps draw MDO from the respective service tank and supply it to the associated MGO cooler, after which the FO is strained through the GE 2 FO Auto filter. From the auto filter, fuel oil is directed to both engines. The return fuel from the engines is re-circulated back to the MDO service tank.
2.5.13.4 Each engine FO inlet is fitted with a quick closing valve, which uses air to activate. Therefore low air pressure to the QCV will not cause the quick closing valve to move to the closed position.
2.5.13.5 Please refer to table 2-10 for the pump power supplies.

Table 2-10   GE FO pump power sources

Pumps                              Power supply
No.1/2 GE FO supply pump no.1      440Vac No.1 GSP
No.1/2 GE FO supply pump no.2      440Vac No.1 GSP
No. 3/4 GE FO supply pump no.1     440Vac No.2 GSP
No. 3/4 GE FO supply pump no.2     440Vac No.2 GSP
GE No. 1/2 FO Auto filter          440Vac LGSP No.4 section 1
GE No. 3/4 FO Auto filter          440Vac LGSP No.4 section 2

2.5.14

Failure modes of the fuel system

1. MDO/HFO transfer pump failure.
2. HFO Purifier failure.
3. Pipe work leakages, leakage from filters and ruptured service tank.
4. Blocked auto back flush fuel oil filter for the diesel generators.
5. Low air pressure to QCV
6. QCV fails to the closed position.
7. Failure of one of the GE No.1/2 FO supply pump.
8. Failure of one of the GE No. 3/4 FO supply pump.
9. Failure of Diesel Switch to Main Engine
10. Blocked auto back flush fuel oil filter for the main engine.
11. Failure of electric driven main engine fuel oil circulation pump.
12. Failure of electric driven main engine fuel oil supply pump.

2.5.15

Failure effects of the fuel system

2.5.15.1 MDO / HFO transfer pump failure: The failure of one fuel oil transfer pump would remove redundancy and the fuel oil transfer system will no longer be fault tolerant, as there is only one fuel pump left available. This will not affect the engines and DP operation.
2.5.15.2 HFO Purifier failure: The failure of a single HFO purifier would leave the HFO system with no redundancy as there are only two units available for service. No effect on DP.
2.5.15.3 Pipe work leakages, leakage from filters and ruptured service tank: Failure of fuel oil system pipe work is considered for DNV Dynpos AUTR. Pipe work leakages from filters and a ruptured fuel oil service tank are unusual occurrences given that the medium being transported is not corrosive in nature. They generally occur as a result of mechanical damage and thus can be controlled by proper workplace management. Depending on where the failure is located, two generators on the same power system could shed load and trip on under frequency. It may be possible in some circumstances to recover operation by use of the maintenance crossover. However, it is important to establish the reason for engine failure before cross connecting the fuel systems.
2.5.15.4 Blocked auto fuel oil filter for the diesel generators: A pressure transmitter and pressure switch are installed on the GE FO Auto filters to monitor the differential pressure across the filter. High differential pressure from the onset of a blocked filter will trigger an alarm on the ICMS and initiate back flushing of the FO filter.
2.5.15.5 Low air pressure to QCV: Low air pressure to the QCV will not drive the QCV to the closed position. This is because the QCVs use air to activate the valves; without the air the valve will remain as set.
2.5.15.6 QCV fails to the closed position: Failure of a QCV to the closed position could lead to the rapid loss of two engines or the main engine. A low fuel oil pressure alarm for each engine would precede an engine shutdown. The QCV is held open by a spring and closed by the application of pneumatic pressure. It is unlikely for this type of valve to fail to the closed position, but Dynpos AUTR requires consideration of the failure of remotely controlled valves and some faults cannot be ruled out. Failure of a QCV does not exceed the worst case failure intent.

2.5.15.7 Failure of one of the GE No.1/2 fuel oil supply pumps: The failure of one of the GE No.1/2 fuel oil supply pumps would result in a fall in fuel oil pressure, which would first initiate a low fuel oil pressure alarm and will trigger the automatic start of the standby pump. The standby pump will restore the required fuel oil pressure.
2.5.15.8 Failure of one of the GE No.3/4 fuel oil supply pumps: Same as for failure of a GE No. 1/2 fuel oil supply pump.
2.5.15.9 Failure of Diesel Switch to Main Engine: Normal operation is to use HFO during DP operations, with supply from the MDO or MGO service tanks isolated. Failure of the switch could result in loss of fuel supply to the main engine and loss of the main CPP; this is within the worst case failure concept. It is possible that the HFO could be bypassed following a failure and return supply to the main engine.
2.5.15.10 Blocked auto fuel oil filter for the main engine: A pressure transmitter and pressure switch are installed on the ME FO Auto flush filter to monitor the differential pressure across the filter. High differential pressure from the onset of a blocked filter will trigger an alarm on the ICMS and initiate back flushing of the FO filter.
2.5.15.11 Failure of electric driven main engine fuel oil circulation pump: The failure of the electrically driven fuel oil pump would result in a fall in fuel oil pressure; this would initiate a low fuel oil pressure alarm on the engine control system and ICMS. It would also trigger an automatic start of the standby pump. This should not affect the operation of the main engine.
2.5.15.12 Failure of electric driven main engine fuel oil supply pump: The failure of the electrically driven fuel oil supply pump would result in a fall in fuel oil pressure to the fuel oil circulating pumps; this would initiate a low fuel oil pressure alarm on the engine control system and ICMS. It will also trigger the automatic start of the standby pump. This should not affect the operation of the main engine.
2.5.16

Hidden engine fuel system failures

2.5.16.1 Hidden failure of the standby FO supply pump would result in a fall in fuel oil pressure and lead to loss of two engines due to fuel starvation.
2.5.16.2 This is mitigated if the pumps are rotated regularly to reduce the possibility of a hidden failure resulting from
a breakdown of a standby pump.
2.5.16.3 ME Fuel oil supply pump automatic start failure when it is required.
2.5.16.4 ME Fuel oil circulating pump automatic start failure when it is required.
2.5.17

Common mode failures affecting the fuel system

2.5.17.1 Water Contamination: This can, in severe cases, result in water carry over to the service tanks and subsequent engine problems. Commonly, water in the settling tanks can be removed by regular operation of the tank sludge cocks and separation through the purifiers. High water content is monitored and alarmed at the purifier discharge by a water detection unit. The water in the service tanks would be regularly monitored and drained through the tank sludge cocks. Water can also greatly increase the possibility of microbe contamination of the fuel. There is a possibility of affecting five engines if the fuel oil system crossover valves are in the open position; however, these occurrences can be controlled if proper fuel management procedures are followed.
2.5.17.2 Bacterial Contamination: This condition develops because of waterborne microbes multiplying in fuel when stored within the correct temperature range. Generally, the warmer the storage conditions the greater the reproductive rate. The sludge produced by the microbes can easily block fuel filters and, if not promptly treated, will stop engines due to fuel starvation. This condition can be controlled by proper biocide dosing.
2.5.17.3 In mitigation, identification of particle contamination should occur before it reaches the engines through a planned maintenance procedure which requires regular sampling and visual checks through draining of the settling and service tanks and cleaning of fuel oil filters. In the current configuration, there is a possibility of affecting up to two generators if the MDO service tank or MGO tank were contaminated; however, these failures are equal to or less than the worst case design failure intent. There is also a possibility of affecting the main engine if the LS HFO or HFO service tank were contaminated.

2.5.17.4 The pneumatic quick closing valves (QCV) are operated through a control valve in the fire control station. When opened, compressed air is directed to the quick closing valves for 12 FO tanks, main LO settling tanks, cylinder oil storage tanks, LS cylinder oil storage tanks, incinerator DO tank, incinerator settling tank and incinerator waste oil service tank. The 12 fuel oil tanks include the MDO Service Tank, MGO Service tank, HFO Service tank and LS HFO Service tank. These service tanks can be inadvertently closed through one control valve, causing the running generators and the main engine to shut down from fuel starvation. It was found during the proving trials that the control valves are placed in a cabinet where inadvertent operation of the valves is not possible.
2.5.18

Fuel system configuration errors that could defeat redundancy

2.5.18.1 Loading new fuel into all main storage tanks simultaneously (danger of microbe contamination in all tanks).
2.5.18.2 The operation of all engines from one fuel oil service tank with the fuel cross over valves open could result in
blackout if the supply from the tank is inadvertently stopped or if the fuel oil in that service tank becomes
contaminated. It is a DNV requirement that these valves are closed and fuel oil should be supplied to the
two sets of two diesel generator engines and the main propulsion engine from the associated fuel oil service
tanks.
2.5.18.3 Using HFO Purifier No.2 to supply the MDO service tank and MGO service tank simultaneously from a MDO
service tank could contaminate the MGO service tank and vice versa if the MGO service tank is used. In the
worst case contaminated fuel could be introduced to both service tanks.
2.5.19

Maloperation of the fuel system

2.5.19.1 Operating all diesel engines from a common fuel service tank. Set up to be followed as per the vessel
configuration.
2.5.19.2 Irregular or non-operation of settling tank and service tank sludge cocks for the main engine HFO system.
2.5.19.3 Irregular or non-operation of the service tank sludge cocks for the generator diesel oil system.
2.5.20

Worst case failure - Fuel system

2.5.20.1 The worst case failure in the FO system will be the loss of 6.6KV MSB 1, resulting from the loss of two generators, DG1 and DG2, due to FO contamination. In mitigation, identification of particle contamination should occur before it reaches the engines through a planned maintenance procedure which requires regular sampling and visual checks through draining of the settling and service tanks and cleaning of fuel oil filters. In the current configuration, there is a possibility of affecting up to two generators if the MDO service tank or MGO tank were contaminated; however, these failures are equal to or less than the worst case design failure intent. There is also a possibility of affecting the main engine if the HFO or LS HFO service tank were contaminated.
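
The contamination cases in 2.5.17.1, 2.5.18.2 and 2.5.20.1 can be checked mechanically for any valve lineup. The Python below is an added example, not part of the report: it propagates contaminated fuel from each service tank through a given crossover lineup and lists the tanks whose contamination would take out more engines than the groups this section accepts. The tank-to-engine lineup and the valve tags F303V and F324V come from 2.5.10.1 and 2.5.13.1; the `ME_DISTILLATE` flag, the function names and the simplification that an open return crossover lets one distillate tank contaminate the other are assumptions.

```python
from collections import deque

# Service tank -> engines it feeds in the DP lineup (2.5.10.1, 2.5.12.4).
TANK_FEEDS = {
    "MGO": {"DG1", "DG2"},
    "MDO": {"DG3", "DG4"},
    "HFO": {"ME"},
    "LSHFO": {"ME"},
}
DISTILLATE = ("MGO", "MDO")

# Engine groups whose loss the fuel section treats as within the WCFDI.
WCFDI_GROUPS = ({"DG1", "DG2"}, {"DG3", "DG4"}, {"ME"})

# True = valve open. F303V is the supply crossover and F324V the return
# crossover (2.5.13.1). ME_DISTILLATE is a hypothetical flag standing for the
# main engine being lined up to the MDO/MGO supply (2.5.10.3, 2.5.12.1).
DP_LINEUP = {"F303V": False, "F324V": False, "ME_DISTILLATE": False}


def engines_lost(tank, lineup):
    """Engines reachable by contaminated fuel that starts in one service tank."""
    dirty_tanks, lost = {tank}, set()
    queue = deque([tank])
    while queue:
        current = queue.popleft()
        fed = set(TANK_FEEDS[current])
        if current in DISTILLATE:
            if lineup["F303V"]:
                # Open supply crossover: both generator pairs share one header.
                for other in DISTILLATE:
                    fed |= TANK_FEEDS[other]
            if lineup["ME_DISTILLATE"]:
                fed.add("ME")
            if lineup["F324V"]:
                # Assumption: open return crossover carries return oil
                # into the other distillate service tank.
                for other in DISTILLATE:
                    if other not in dirty_tanks:
                        dirty_tanks.add(other)
                        queue.append(other)
        lost |= fed
    return lost


def within_wcfdi(lost):
    """True if the lost engines fit inside one accepted failure group."""
    return any(lost <= group for group in WCFDI_GROUPS)


def violations(lineup):
    """Service tanks whose contamination would exceed the WCFDI in this lineup."""
    return [t for t in TANK_FEEDS if not within_wcfdi(engines_lost(t, lineup))]


if __name__ == "__main__":
    for name, lineup in (
        ("DP lineup", DP_LINEUP),
        ("F303V left open", dict(DP_LINEUP, F303V=True)),
        ("all crossovers open", {k: True for k in DP_LINEUP}),
    ):
        print(name, "->", violations(lineup) or "within WCFDI")
```

Run against the valve states recorded on the DP checklist, a non-empty result means a single contaminated service tank could exceed the worst case failure design intent.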

2.6

LUBRICATION SYSTEM

2.6.1

Drawing reference:

200M241001MB LO Filling & Transfer System
200M241001MB LO Purifying system
200M241001MB ME LO Service System

2.6.2

Redundancy concept

2.6.2.1

As far as the redundancy concept is concerned, it is the lubrication of the engine and alternator bearings that is critical. Loss of lubrication pressure or flow through failure of a pump, or loss of lubricating quality through contamination of the oil, can lead to an engine seizing in extreme circumstances. Alarms, shutdowns and monitoring of oil quality must be in place and tested periodically to ensure the probability of this type of failure is acceptably low.

2.6.3

Location

2.6.3.1

The generator lubricating storage tank and the main LO storage tank are located in the engine room.

2.6.4

Configuration for DP

2.6.4.1

A clean oil distribution system and dirty lube oil system for the engines exists to ease oil changing and
pollution control but each system is normally isolated during DP operation.

Figure 2-13   Lubricating Oil System

2.6.5

Lubricating Oil Storage and Purification System

2.6.5.1

Please refer to figure 2-13, LO system. The lubricating system comprises the main LO storage tank, main LO settling tank, GE LO storage tank, Turb. Oil storage tank, LS Cyl. Oil Storage tank, and Cyl. Oil Storage tank.

2.6.5.2

Generator Engine Lubricating Oil Storage System: The clean oil distribution system for the generators consists of GE lube oil storage tanks with a volume of 32.9 m3. The content of these tanks is used to replenish or replace the lubricating oil for the four engines by gravity from a common lube oil pipeline. The sump tanks for the generator engines are fitted with a low level and high level switch and a dip stick.

2.6.5.3

Generator Engine Lube Oil Purification System: The generator engines are equipped with their own lubricating oil purification system which consists of a lubricating oil purifier and a Generator LO Purifier Feed Pump. The No.1 GE Lubricating Oil Purifier is powered from the 440Vac LGSP No.4 Section 1 and the No.2 GE Lubricating Oil Purifier is powered from 440Vac LGSP No.4 Section 2.

2.6.5.4

The No.1 Generator Lubricating Oil Purifier feed pump is powered from 440Vac LGSP No.4 Section 1 and the No.2 Generator Lubricating Oil Purifier feed pump is powered from 440Vac LGSP No.4 Section 2. The engine lubricating oil purifier is operational when the engines are running; however, only one engine is processed at any time. Lubricating oil is drawn from the engine sump to the lubricating oil purifier feed pump, from where it is fed to the purifiers before being returned to the engine. It is important that only one set of inlet and outlet valves to a generator sump is opened, to avoid cross contamination.

2.6.5.5

Main Engine Lubricating Oil Storage System: The clean oil distribution system for the main engine consists of the main lube oil storage tank with a volume of 68.8 m3. The content of this tank is used to replenish or replace the lube oil for the main engine. The main lube oil storage tank supplies the main engine LO sump tank by gravity through a separate line from the generators. The sump tank is fitted with a level indicator and low level switch.

2.6.5.6

Main Engine Lubricating Oil Purification System: There are two main LO purifier systems, each consisting of a main lube oil purifier and the associated feed pump allocated to the main engine. Main lube oil purifiers No.1 and No.2 are powered from 440Vac LGSP No. 4 Section 1 and 440Vac LGSP No. 4 Section 2 respectively. The No.1 and No.2 main lube oil purifier feed pumps are powered from 440Vac LGSP No. 4 Section 1 and 440Vac LGSP No. 4 Section 2 respectively. In normal operations, one main lube oil purifier feed pump/purifier would process lube oil from the main engine sump tank. If contaminated oil from the main engine sump is transferred to the main lube oil settling tank, the second purifier can be allocated to clean the contents of that tank. The No.2 main lube oil purifier and feed pump are also configured through a series of isolation valves to process lube oil from the generator engine sumps.

2.6.5.7

Cylinder Lubricating Oil for the Main Engine: Cylinder oil is supplied by gravity from the cylinder oil storage
tank (80 m3) or the LS cylinder oil storage tank (51.2m3) to a cylinder oil day tank via duplex filters. The type
of cylinder oil used is dependent on the type of fuel oil used.

2.6.6

Main Engine and Generator Oil Mist Ventilation System

2.6.6.1

Generator Engine Crankcase Ventilation System: The crankcase oil mist ventilation system for the diesel generator engines is individually piped from each engine to the oil mist manifold located in the engine room casing. There are two sections in the oil mist manifold; each section is 300A and is fitted with a flame screen to prevent flame spreading. GE No.1 and GE No.2 oil mist piping are connected to oil mist manifold section 1 while GE No.3 and GE No.4 oil mist piping are connected to oil mist manifold section 2.

2.6.6.2

Main Engine Oil Mist Ventilation System: The three oil mist ventilation lines for the main engine crankcase, turbocharger and scavenge space are individually piped to the exhaust funnel. Each line is fitted with a flame screen in the funnel.

2.6.7

Failure modes of the lubricating oil system

1. Failure of main LO purifier
2. Failure of generator LO Purifier
3. Failure of Main LO purifier feed pump
4. Failure of GE LO purifier feed pump
5. Rupture of the supply line to the engine
6. Leakage from the dirty oil transfer line from the engines
7. Blockage of the filter screen on the vent piping from a diesel generator to the oil mist vent box
8. Blockage of the filter screen for the single vent from the oil mist vent box at the funnel top

2.6.8

Failure effects of the lubricating oil system

2.6.8.1

Failure of main LO purifier: As there are only two main LO purifiers, loss of one purifier means the engine
lube oil purification system is no longer fully fault tolerant. No effect on DP.

2.6.8.2

Failure of generator LO purifier: There is only one dedicated generator lube oil purifier, however, loss of this
purifier means the generator lube oil purification system is no longer in service. This will have no immediate
effect on the generators or DP.

2.6.8.3

Failure of Main LO purifier feed pump: There are two main LO purifier feed pumps which are allocated to
specific main lube oil purifiers. The failure of the running feed pump will stop the supply of lube oil to the
associated main lube oil purifier. However, the second feed pump and associated heater can be configured
to feed the running purifier through a cross-over valve between both purifier inlets. It is more likely, that the
failed feed pump and associated purifier would be swapped over to the standby units. This will have no
immediate effect on the main engine or DP.

2.6.8.4

Failure of GE LO purifier feed pump: There is one dedicated GE LO purifier and feed pump for the generator
lubrication system. Loss of the feed pump will stop flow of lube oil to the purifier. This will have no immediate
effect on the generators or DP.

2.6.8.5

Rupture of the lube oil supply line to the engines: This would not affect the DP system directly. It would
however, limit the ability to replenish engine lube oil when required. Failure of lube oil pipe work is generally
exempted from consideration for DYNPOS-AUTR.

2.6.8.6

Leakage from the dirty oil transfer line from the engines: This would not affect the DP system directly. It
would however, limit the ability to remove used lube oil from the engines. The usual exemption for pipe
work is applicable under DYNPOS-AUTR.

2.6.8.7

Blockage of the filter screen on the vent piping from a diesel generator to the oil mist vent box: This blockage could induce an oil mist detection alarm. If not rectified, it would cause the affected generator to trip from a high oil mist detection shutdown. This failure will lead to loss of two generators and is within the WCFDI.

2.6.9

Hidden lubricating oil system failures

2.6.9.1

Gradual blockage of the filter screen for the individual vent piping for the engines.

2.6.9.2

Contamination of the diesel generator sumps and main engine sumps. This is avoided by regular sampling
of the sump tanks to observe contamination and / or emulsification in the lube oil. Samples of the lubricating
oil should be sent away for analysis to verify for any contamination as part of the ship's Planned
Maintenance System.

2.6.10

Common mode failures affecting the lubrication oil system

2.6.10.1 The loading of contaminated lubricating oil or the wrong grade of oil into the generator lube oil storage tank
could potentially contaminate all the engines when periodic replenishing of the sump is required. This is
avoided by regular sampling of the storage tank to observe for contamination, emulsification of the lube oil
and for water removal. A sample of the batch of lubricating oil should be sent for analysis to verify the grade
and quality of the oil.

2.6.11

Lubricating oil system configuration errors that could defeat redundancy

2.6.11.1 Leaving an engine filling line open. If unchecked this could result in the simultaneous filling of more than one
engine sump when lube oil is replenished in another engine. This should be monitored by the high level
alarm on the engine sump.
2.6.11.2 Leaving more than one engine filling line open while purifying lube oil from one engine could introduce
cross contamination of lube oil and eventually reduce the quantity of lube oil returned to the engine sump. The
reverse would apply if more than one outlet valve is opened.
2.6.12

Maloperation of the lubricating oil system

2.6.12.1 Failure to take regular samples of the engine sump tanks to observe for contamination, emulsification of the
lube oil and for water removal.
2.6.13

Worst case failure - Lubricating oil system

2.6.13.1 The loading of contaminated lubricating oil or the wrong grade of oil into the generator and main lube oil
storage tanks could potentially contaminate all the engines when periodic replenishing of the sump is carried
out. It is unlikely that the effects would affect all engines simultaneously.
2.7

SEAWATER COOLING SYSTEM

2.7.1

Reference
200M241001MB Main Cooling SW System

2.7.2

Redundancy concept

2.7.2.1

The sea water system is a forward and aft split. This arrangement introduces commonality between
thrusters at the same end of the vessel which are otherwise separate and redundant with respect to each
other.

2.7.2.2

The forward sea water cooling system cools the forward thrusters and deck machinery systems, while the aft
seawater system cools the aft thrusters, all five engines, and other machinery.

2.7.3

Location

2.7.3.1

There is one sea chest suction for the forward seawater cooling system, located in the bow
thruster room. The aft sea water cooling system has two sea chest suctions. The high and low sea chest
suctions are located outboard port and starboard.

2.7.4

Description

[Figure 2-14: Aft Seawater Cooling System. Schematic labels: High Sea Chest, Low Sea Chest, GE CSW Pump,
Aux. CSW Pump, Main / Vacuum Condenser Cool. SW Pumps 1 and 2, No.1 and No.2 GE FW Coolers, No.1 Central
FW Cooler 75%, No.2 Central FW Cooler 50%, Copt Vacuum Condenser, Air Ejector Cond. for Copt, Overboard.]

2.7.4.1

Aft Sea Water Cooling System: The aft seawater cooling system is located in the engine room. In terms of
the redundancy concept and sources of supply for pumps, this is still essentially a common system with a
port and starboard split in electrical supply.

2.7.4.2

In normal operations seawater is supplied from either the port or starboard sea chests. The port suction is a
high sea chest while the starboard suction is a low sea chest. Each sea chest has a suction strainer which is
assumed to be regularly cleaned and maintained. A local pressure indicator monitors the condition of the
suction strainers.

2.7.4.3

There is only one overboard discharge valve for the aft seawater cooling system; it is a manual valve
with an extended spindle located above the damage waterline. This is fitted with a pressure transducer to
indicate discharge pressure on the ICMS.

2.7.4.4

The aft sea water supply manifold supplies sea water cooling for a number of systems. These include:
1. The sea water cooling system for the No.1 & No.2 central FW coolers.
2. The sea water cooling system for the No.1 and No.2 GE FW coolers.
3. The sea water cooling system for the Copt Vacuum Condenser and Air Ejector Conditioning for Copt.

2.7.4.5

Main/Vacuum Cool S.W. Pumps No.1 and No.2 are used to circulate coolant through both central FW
coolers; these pumps are powered from 440Vac GSP No.1 and 440Vac GSP No.2 respectively. In normal
operations, only one pump is kept on duty while the other pump remains on standby. Each pump has a
capacity of 1120m3/hr.

2.7.4.6

The primary role of the four GE cooling SW pumps is to circulate coolant through the GE FW Coolers. No.1
GE FW Cooler is fed by No.1 and No.2 GE CSW pump while No.2 GE FW Cooler is fed by No.3 and No.4
GE CSW pump. GE cooling seawater pumps No.1 and No.2 are fed from 440Vac GSP No.1 and 440Vac
GSP No.2 respectively. In normal operations, only one pump is kept on duty while the other remains on
standby. Each pump has a capacity of 380m3/hr.

[Figure 2-15: Forward Seawater Cooling System. Schematic labels: Sea Chest, Sec.1 SW Pumps No.1 and No.2,
Sec.2 SW Pumps No.1 and No.2, Sec. 1 Fwd Thruster FW Cooler, Sec. 2 Fwd Thruster FW Cooler, Overboard.]

2.7.4.7

Forward Sea Water Cooling System: The forward seawater cooling system is located in the bow thruster
room. There are four CSW pumps that supply both FWD thruster FW Coolers, where two pumps are used for
each cooler. At each CSW section only one of the CSW pumps will be operational at a time. This is because
the FWD fresh water cooling system runs in two cooling loops.

2.7.4.8

Seawater is supplied from one sea chest. The sea chest is located at the lower bottom level in bow thruster
room. The system is designed with two sea strainers, one in service and one on standby. Each strainer has
local pressure gauges to monitor the condition of the strainer.

2.7.4.9

The forward section 1 sea water cooling pumps circulate coolant through No.1 Forward fresh water
coolers, while section 2 sea water cooling pumps circulate coolant through No.2 Forward fresh water
coolers. Both coolers support a number of freshwater cooling systems. These include:

1. The No.1 and No.2 forward tunnel thrusters coolers.
2. The forward azimuth thruster coolers.
3. Power pack oil cooler for deck machinery.

2.7.4.10 Sec 1 CSW Pumps No.1 and No.2 are supplied from 440Vac GSP No.1 while Sec 2 CSW Pumps No.1
and No.2 are supplied from 440Vac GSP No.2.
2.7.4.11 There are two overboard discharge valves for the Forward thruster sea water cooling system. The manual
valves have an extended spindle that is located above the damage waterline.
2.7.5

Freshwater generator

2.7.5.1

The fresh water generator is used to make potable water. The capacity of the water maker is 35 tons a day.
Seawater from the aft seawater cooling system is supplied to the water maker by an FW Gen.

2.7.6

Failure modes of the seawater cooling system

2.7.6.1

Only the GE Seawater Cooling Pumps, Main Seawater Cooling Pumps and Aux. Seawater cooling pump
are considered in the aft seawater cooling system while only Sec1 and Sec 2 FWD Cooling Seawater
pumps are considered in the FWD seawater cooling system.
1. Blocked FWD seawater cooling system overboard.
2. Blocked forward seawater cooling system sea strainer.
3. Failure of one of the Section 2 forward SW cooling pumps.
4. Failure of one of the Section 1 forward SW cooling pumps.
5. System pipe work failure, leaking sea strainer.
6. Blocked aft seawater cooling system sea strainer.
7. Blocked aft seawater cooling system overboard.
8. Failure of one aft main cooling seawater cooling pump.
9. Failure of one GE Cooling Seawater pump for No.1 GE FW Cooler.
10. Failure of one GE Cooling Seawater pump for No.2 GE FW Cooler.
11. Failure of the FW Generator SW ejector pump.
12. Failure of the vacuum in the water maker.

2.7.7

Failure effects of the sea water cooling system

2.7.7.1

Blocked FWD seawater cooling system overboard: This would effectively reduce the flow to the running
forward seawater cooling pump suction and associated heat exchangers. If not corrected, this would over
time be indicated as a high hydraulic oil temperature alarm for the forward thrusters and/or high operating
temperature alarm for the forward thruster drive motors. This may be due to maloperation or lack of
maintenance for the fwd seawater cooling system. Proper maintenance therefore needs to be in place to
make sure the overboard valve and the piping system are operating well.

2.7.7.2

Blocked forward seawater cooling system sea strainer: This would effectively reduce the flow to the running
forward seawater cooling pump suction and associated heat exchangers. The standby pump would start to
compensate for the loss in pressure; this fall in pressure and starting of the standby pump is alarmed on the
ICMS. If not corrected, this would over time be indicated as a high hydraulic oil temperature alarm for the
forward thrusters and/or high operating temperature alarm for the forward thruster drive motors. The worst
case of this failure could lead to the loss of the three forward thrusters. There are local pressure gauges
installed on the sea suction strainers to indicate fouling of a strainer and if these are regularly checked it
would allow the operator to change over to the standby strainer prior to any reduction in performance.

2.7.7.3

Failure of one of the Section 2 forward SW cooling pumps: The loss of a single sea water cooling pump
should not inhibit the cooling capability of the system as there is a standby pump available. As there are only
two Sec 2 forward cool seawater pumps, loss of one pump means the system is no longer fully fault tolerant.

2.7.7.4

Failure of one of the Section 1 forward SW cooling pumps: The loss of a single sea water cooling pump
should not inhibit the cooling capability of the system as there is a standby pump available. As there are only
two Sec 1 forward cool seawater pumps, loss of one pump means the system is no longer fully fault tolerant.

2.7.7.5

System pipe work failure, leaking sea strainer in the forward seawater cooling system: Failure of well
protected seawater pipework is not considered for Dynpos AUTR. Pipework failure and damage to strainers
would generally occur as a result of mechanical damage and thus can be controlled by proper workplace
management. Pipework failure would cause flooding of the affected compartment and require rapid shut
down of the system in the space to contain and repair any breach of the system prior to restarting.

2.7.7.6

Blocked aft seawater cooling system sea strainer: This would effectively reduce the flow to the various
pump suctions. A blocked strainer would be indicated on the local pressure gauges located on each strainer.
If the pressure were to fall, the standby pumps and running pumps would alternate between starting and
stopping. The automatic start of the standby pumps and low system pressure alarms would be raised on
the ICMS as an indication to the operator to swap over sea chests.

2.7.7.7

Blocked aft seawater cooling system overboard: This would effectively reduce the flow to the running aft
seawater cooling pump suction and associated heat exchangers. If not corrected, this would over time be
indicated as a high hydraulic oil temperature alarm for the thrusters and/or high operating temperature alarm
for all the engines. This may be due to maloperation or lack of maintenance for the aft seawater cooling
system. The overboard system is fitted with a flow indicator monitored on the ICMS that will alarm if the rate
reduces.

2.7.7.8

Failure of one aft seawater pump: The loss of a single sea water cooling pump should not inhibit the cooling
capability of the system as there is a standby pump available. As there are only two aft main cool seawater
pumps, loss of one pump means the system is no longer fully fault tolerant.

2.7.7.9

Failure of one GE cool seawater pump for No.1 GE FW Cooler: The loss of a single sea water cooling pump
should not inhibit the cooling capability of the system as there is a standby pump available. As there are only
two aft main cool seawater pumps, loss of one pump means the system is no longer fully fault tolerant.

2.7.7.10 Failure of one GE cool seawater pump for No.2 GE FW Cooler: The loss of a single sea water cooling pump
should not inhibit the cooling capability of the system as there is a standby pump available. As there are only
two aft main cool seawater pumps, loss of one pump means the system is no longer fully fault tolerant.
2.7.7.11 Failure of the FW Generator SW ejector pump: The failure of the ejector pump would stop seawater
circulation through the water maker and thus limit the ability to maintain a vacuum. This would not affect the
main engine cooling systems.
2.7.7.12 Failure of the vacuum in the water maker: A failure of the vacuum in the water maker would result in
reduced production of potable water depending on the severity of the breach. This would have no effect on
the engine cooling systems. A loss of vacuum is alarmed on the water maker panel.
2.7.8

Hidden seawater cooling system failures

2.7.8.1

Excessive corrosion of SW strainers; seizure of pumps due to lack of maintenance or rotation of standby
duty. Failure of Non Return Valves such that they allow back flow could result in reduced efficiency and
redundancy in the system.

2.7.9

Common mode failures affecting the seawater cooling system

2.7.9.1

Sudden blockage of system by plankton shoals or schools of small fish: As the sea chests at the forward
and aft sea water cooling systems are in continuous use there is a possibility that both sea strainers could
become blocked simultaneously. With this in mind, the sea strainers should be monitored and maintained
frequently by the ship's crew.

2.7.9.2

Sudden blockage / maloperation of the FWD overboard valve: As there are two overboard valves for the fore
seawater cooling system, there is a very limited possibility that the overboard valves could become blocked
simultaneously and could affect all the FWD thrusters at the same time. Therefore the overboard valves
should be frequently monitored and maintained by the ship's crew.

2.7.9.3

Sudden blockage / maloperation of the AFT overboard valve: As there is only one overboard valve for the
aft seawater cooling systems, there is a possibility that the overboard valve could become blocked and
could affect all engines and aft thrusters at the same time. Therefore the overboard valve should be
frequently monitored and maintained by the ship's crew. The differential pressure sensors will indicate a
reduction in flow and allow the operators to take appropriate action.

2.7.9.4

Although the failure modes identified above are not common, they have occurred regularly enough in the
past to be worthy of mention, and have been known to cause severe operational problems in relation to
maintaining plant stability.

2.7.9.5

The forward seawater cooling system is supplied from the forward sea chest. Thrusters No.1, No.2 and No.3
are part of the forward freshwater cooling system associated with the forward seawater cooling system.

2.7.10

Seawater cooling system configuration errors that could defeat redundancy

2.7.10.1 Leaving the seawater pumps set for manual operation instead of auto standby. In mitigation, the ICMS does
indicate that standby consumers are not ready or in local control.
2.7.10.2 The use of both upper and lower sea chests for the aft sea water cooling system simultaneously, could
increase the probability of a sudden blockage of both sea chests at the same time, leaving the system
without a back up. The situation is more critical for the forward seawater cooling system as there is only one
sea chest intake.
2.7.11

Maloperation of the seawater cooling system

2.7.11.1 As most of the seawater systems are equipped with two or more seawater pumps; the pumps should be
rotated regularly to reduce the possibility of a hidden failure resulting from a breakdown of a standby pump.
This normally is an automatic function maintained by the ICMS.
2.7.12

Worst case failure - Seawater cooling system

2.7.12.1 Blocked forward seawater cooling system sea chest: This would effectively reduce the flow to the running
forward seawater cooling pump suction and associated heat exchangers. The standby pump would start to
compensate for the loss in pressure; this fall in pressure and starting of the standby pump is alarmed on the
ICMS. If not corrected, this would over time be indicated as a high hydraulic oil temperature alarm for the
forward thrusters and/or high operating temperature alarm for the forward thruster drive motors. In the worst
case, this could lead to the loss of three forward thrusters. As the sea chest is considered a static
component, DNV does not require its failure to be considered.
2.7.12.2 Sudden blockage / maloperation of the AFT overboard valve: As there is only one overboard valve for the
aft seawater cooling systems, there is a possibility that the overboard valve could become blocked
simultaneously and could affect all engines and aft thrusters at the same time.
2.8

FRESH WATER COOLING SYSTEMS

2.8.1

Drawing Reference:
200M241001MB Main Cooling FW system
200M241001MB Auxiliary Cooling FW system
200M241001MB No.1 & No.2 GE Cooling FW system
200M241001MB No.3 & No.4 GE Cooling FW system

2.8.2

Redundancy concept

2.8.2.1

There are five different fresh water cooling systems on the shuttle tanker. These are the:
1. Aux. Cooling FW system.
2. ME Cooling FW System
3. No.1/2 GE FW Cooling system
4. No.3/4 GE FW Cooling system
5. Fwd Fresh Water service cooling system

2.8.2.2

The DP equipment that requires fresh water cooling is:

1. Thrusters No.1, No.2 and No.3 from the Fwd Fresh Water service cooling system.
2. Thruster No.5 from the No.1/2 GE FW Cooling system
3. Thruster No.4 from the No.3/4 GE FW Cooling system
4. Aux Engine No.1 and No.2 from the No.1/2 GE freshwater cooling system
5. Aux Engine No.3 and No.4 from the No.3/4 GE freshwater cooling system
6. Main engine (T6) from the Aux. cooling FW system and ME Cooling FW system
7. Packaged A/C units for the switchboard room, ECR and accommodation A/C unit from the Aux.
   Cooling fresh water system

2.8.2.3

Each fresh water system operates independently supplying the associated engines and thruster units.
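
An added example (not part of the GL Noble Denton report): the cooling dependencies listed in 2.7 and 2.8.2.2, written as a small Python model that propagates a single loss downstream and compares the thrusters and generators lost with the WCFDI groups given in the report summary. The node names, the assumption that losing a supply loses every consumer below it, and the omission of electrical supplies are simplifications made for this example.

```python
"""Single-failure propagation over the cooling dependencies in 2.7 and 2.8.2.2.

Simplified model: only cooling-water dependencies are represented (no electrical
supplies), and losing a supply is assumed to lose every consumer downstream.
Node names are labels chosen for this example, not identifiers from the report.
"""

# Worst case failure design intent groups, as stated in the report summary.
WCFDI_THRUSTERS = [frozenset({"T1", "T5", "T6"}), frozenset({"T2", "T3", "T4"})]
WCFDI_GENERATORS = [frozenset({"DG1", "DG2"}), frozenset({"DG3", "DG4"})]

# consumer -> set of supplies it needs (every listed supply is required).
DEPENDS_ON = {
    # Forward end: one sea chest feeds the forward SW system (2.7.3.1, 2.7.4.8),
    # which cools the forward FW service system serving T1, T2 and T3 (2.8.2.2).
    "fwd_sw_cooling": {"fwd_sea_chest"},
    "fwd_fw_cooling": {"fwd_sw_cooling"},
    "T1": {"fwd_fw_cooling"},
    "T2": {"fwd_fw_cooling"},
    "T3": {"fwd_fw_cooling"},
    # Aft end: a single overboard discharge serves the aft SW system (2.7.4.3),
    # whose manifold supplies the GE and central FW coolers (2.7.4.4).
    "aft_sw_cooling": {"aft_overboard"},
    "ge12_fw_cooling": {"aft_sw_cooling"},
    "ge34_fw_cooling": {"aft_sw_cooling"},
    "aux_me_fw_cooling": {"aft_sw_cooling"},
    "T5": {"ge12_fw_cooling"},
    "DG1": {"ge12_fw_cooling"},
    "DG2": {"ge12_fw_cooling"},
    "T4": {"ge34_fw_cooling"},
    "DG3": {"ge34_fw_cooling"},
    "DG4": {"ge34_fw_cooling"},
    "T6": {"aux_me_fw_cooling"},
}

# Single points examined here; intermediate systems only pass a loss downstream.
CANDIDATES = [
    "fwd_sea_chest",
    "aft_overboard",
    "ge12_fw_cooling",
    "ge34_fw_cooling",
    "aux_me_fw_cooling",
]


def lost_by(failed):
    """Return every node lost when `failed` is lost, including `failed` itself."""
    lost = {failed}
    changed = True
    while changed:
        changed = False
        for item, needs in DEPENDS_ON.items():
            if item not in lost and needs & lost:
                lost.add(item)
                changed = True
    return lost


def _within(lost_items, groups):
    """True when the lost set fits inside at least one permitted group."""
    return any(lost_items <= group for group in groups)


def assess(failed):
    """Summarise the thrusters and generators lost and compare with the WCFDI.

    Thruster and generator groups are checked independently, which is a
    simplification of the combined design intent.
    """
    lost = lost_by(failed)
    thrusters = frozenset(n for n in lost if n.startswith("T"))
    generators = frozenset(n for n in lost if n.startswith("DG"))
    ok = _within(thrusters, WCFDI_THRUSTERS) and _within(generators, WCFDI_GENERATORS)
    return {"thrusters": thrusters, "generators": generators, "within_wcfdi": ok}


def exceedances():
    """Candidate single points whose loss exceeds the WCFDI in this model."""
    return sorted(c for c in CANDIDATES if not assess(c)["within_wcfdi"])


if __name__ == "__main__":
    for candidate in CANDIDATES:
        result = assess(candidate)
        verdict = "within WCFDI" if result["within_wcfdi"] else "EXCEEDS WCFDI"
        print(
            f"{candidate:18s} thrusters={sorted(result['thrusters'])} "
            f"generators={sorted(result['generators'])} -> {verdict}"
        )
```

The two supplies this model flags, the forward sea chest and the aft overboard valve, are the same two items the report lists under 2.7.12 as worst case failures of the seawater cooling system.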

2.8.2.4

The main cooling fresh water expansion tank distributes the coolant to main cooling FW system, Auxiliary
cooling FW system, No.1 & No.2 GE FW cooling system, No.3 & No.4 GE FW cooling system. The 3.1 m3
volume expansion tank is separated into three divisions by the plate separators to distribute to the
respective cooling fresh water systems. The separation for fresh water distribution is as follows:
Section 1: Main cooling FW system & Auxiliary cooling FW system
Section 2: No.1 & No.2 GE FW Cooling system
Section 3: No.3 & No.4 GE FW Cooling system

2.8.3

Configuration for DP

2.8.3.1

The fresh water systems operate independently, where one fresh water pump is in use at all times with the
second pump configured to be on standby for an immediate start.

2.8.4

Aux Cooling FW System

[Figure 2-16: Auxiliary Freshwater Cooling System. Schematic labels: From FW Exp. Tank, No.1 Central FW
Cooler 75%, No.2 Central FW Cooler 50%, W107V, ME Air Coolers, ME Jacket Water Cooler, No.1 and No.2 Main
LO Coolers, ST LO Cooler, CPP Hyd. Oil Cooler, No.1 and No.2 ECR Air Cond. Units, No.1 and No.2 Swbd
air-con Units, No.1 and No.2 S/Gear P. Packs, No.1 and No.2 Main Air Compressors, No.1 and No.2 Service
Air Compressors.]

2.8.4.1

Auxiliary fresh water cooling system: Refer to Figure 2-16. This system serves the main engine (T6),
steering gear power pack, CPP Hyd. Oil, packaged A/C units for the switchboard room, ECR, and
accommodation A/C condensers.

2.8.4.2

Coolant for the Auxiliary FW cooling system is circulated by central FW pump No.1 and No.2. These pumps
have separate sources of power and are operated on a duty/standby configuration. Please refer to Table 2-11
for power supplies. The flow rate for the system is maintained at 850 m3/h. In the event that the running
pump is unable to maintain the required pressure in the system, the system will automatically start the
standby pump.

2.8.4.3

The Auxiliary Fresh water cooling system receives coolant from the main cooling fresh water expansion tank
with a volume of 3.1 m3. The tank level is monitored by a level switch and alarmed on the ICMS. The
Auxiliary freshwater cooling system is equipped with two plate type central freshwater coolers. In normal
operations both coolers are placed online, No.1 cooler having a capacity of 75% and No.2 cooler a capacity
of 50%. The temperature of the coolant supplied to the various consumers is maintained by an
electro-pneumatic 3-way temperature control valve. The TCV unit is a pneumatic control valve where the
control air is fed from the control air system with an air flow rate of 100 m3/h. The loss of control air
would cause the 3-way valve to fail to operate effectively and allow full cooling, as verified during the
proving trials.

2.8.5

Main Engine Freshwater Cooling System Description

[Figure 2-17: Main Engine Freshwater Cooling System. Schematic labels: Cooling FW Expansion tank, To / From
No.1/2 GE CFW Syst, To / From No.3/4 GE CFW Syst, To Aux CFW Syst, ME Jacket cooling FW Pumps 1 and 2,
ME Jacket FW Preheater, ME Jacket FW Cooler, DeAeration Tank, FW Generator, ME B&W 6S70ME-C8.2.]

2.8.5.1

The main engine fresh water coolant is fed from a 3.1 m3 main cooling freshwater expansion tank. Refer to
Figure 2-17. The water level in the expansion tank is monitored through a level gauge and low level alarm on
the ICMS.

2.8.5.2

Coolant is circulated through the main engine by two electrically driven jacket water pumps. Coolant from
the main engine is circulated through the FW generator where it is directed to the engine jacket water
cooling system by an electro-pneumatic controlled 3-way temperature control valve (W012V). From the
temperature control valve, coolant is passed through the main engine aeration tank before it is directed to
the jacket water pumps for circulation. The main engine circulating system is equipped with two motor driven
jacket water pumps; only one pump is in operation on DP. The pumps are configured for standby starts and
are monitored on the ICMS. Refer to Table 2-11 for main engine jacket water cooling pump power supplies.

2.8.5.3

The main engine air cooler and LO cooler are cooled separately by the Auxiliary FW cooling system.

Table 2-11: Central FW & ME CFW pump power sources

Pumps                       Power supply
Central CFW Pump No.1       440Vac GSP No.1
Central CFW Pump No.2       440Vac GSP No.2
ME Jacket CFW Pump No.1     440Vac GSP No.1
ME Jacket CFW Pump No.2     440Vac GSP No.2

2.8.6

Failure modes of the main / auxiliary fresh water cooling system

1. Central cooling freshwater pump failure.
2. Spurious start of the stand by pump.
3. Failure of the main engine jacket cooling freshwater pump.
4. Failure of power supply, loss of pneumatic control or mechanical failure of the 3-way
   thermostatic control valve (W107V) for the central freshwater cooler.
5. Failure of the 3-way thermostatic valve (W107V) to full cooling for the central freshwater cooler.
6. Failure of the 3-way thermostatic valve (W107V) to bypass the coolers for the central freshwater
   cooler.
7. Failure of power supply, loss of pneumatic control or mechanical failure of the 3-way
   thermostatic control valve (W012V) for the main engine Jacket CFW system.
8. Failure of the 3-way thermostatic valve (W012V) to full cooling for the main engine Jacket CFW
   system.
9. Failure of the 3-way thermostatic valve (W012V) to bypass the coolers for the main engine Jacket
   CFW system.
10. Fouled central freshwater cooler.
11. Pipe work leaks in the central fresh water cooling system.
12. Burst central freshwater cooler.
13. Jacket water leakage on the high temperature fresh water circuit in the water maker.

2.8.7

Failure effects of main / auxiliary fresh water cooling system faults

2.8.7.1

Central cooling freshwater cooling pump failure: Failure of one pump in the central fresh water cooling
system would reduce the redundancy, but should not affect DP as the standby pump starts on low system
pressure.

2.8.7.2

Spurious start of the stand-by pump: The flow rate for the system is 850m3/h. A spurious start of the standby
pump should have no effect on the heat exchangers.

2.8.7.3

Failure of one of the engine jacket cooling freshwater pumps: Failure of one main engine jacket cooling water
pump in the main engine fresh water cooling system would reduce the redundancy, but should not affect the
running of the engine as the standby pump starts on low system pressure. This would be alarmed on the
ICMS.

2.8.7.4

Failure of power supply, loss of pneumatic control or mechanical failure of the 3-way thermostatic control
valve (W107V) for the central freshwater cooler: In the event of power supply failure / loss of pneumatic
control / mechanical failure to the electro-pneumatic unit, the 3-way temperature control valve will fail safe to
full cooling. This will have no effect on the equipment it supplies.

2.8.7.5

Failure of the 3-way thermostatic valve (W107V) to full cooling for the central freshwater cooler: Failure of the
3-way thermostatic valve to full cooling, would have no effect on the central fresh water cooling system.

2.8.7.6

Failure of the 3-way thermostatic valve (W107V) to bypass the coolers for the central freshwater cooler:
Failure of the 3-way temperature control valve to bypass the cooler would initiate a rapid rise in coolant
temperature; this is indicated as a central fresh water cooling system high water temperature alarm on the
ICMS. If it is set up as per the configuration during trials, it is not expected to be an issue.

2.8.7.7

Failure of power supply, loss of pneumatic control or mechanical failure of the 3-way thermostatic control
valve (W012V) for the main engine Jacket CFW system: In the event of power supply failure / loss of
pneumatic control / mechanical failure to the electro-pneumatic unit, the 3-way temperature control valve will
fail to full cooling. This will have no effect on the main engine jacket CFW system.

2.8.7.8

Failure of the 3-way thermostatic valve (W012V) to full cooling for the main engine Jacket CFW System:
Failure of the 3-way thermostatic valve to full cooling would have no effect on the main engine.

2.8.7.9

Failure of the 3-way thermostatic valve (W012V) to bypass the coolers for the main engine Jacket CFW
System: Failure of the 3-way temperature control valve to bypass the cooler would initiate a rapid rise in
coolant temperature; this is indicated as a main engine FW high temperature alarm on the ICMS. If not
corrected it could result in the shutdown of the main engine and eventually will lead to loss of T6. As long as
the coolers are not bypassed and configured as per the trials configuration, this is not expected to be an
issue.

2.8.7.10 Fouled central freshwater cooler: The fouling of the operating plate cooler would reduce the efficiency of the
seawater cooling system and thus affect the freshwater cooling system. The high differential pressures
across the inlet and outlet on the seawater side of the coolers would be noted by the engineers. The cooling
system has a back flushing arrangement; maintenance of these coolers would therefore require that one is
bypassed from the auxiliary freshwater cooling system. However, with both coolers normally online, the
cooling of the plant no.1 central cooler would be using up to 75% capacity, whilst no.2 central cooler will be
using 50% capacity.
2.8.7.11 Pipe work leaks in the auxiliary fresh water cooling system: Pipework failure and damage to strainers would
generally occur as a result of mechanical damage and thus can be controlled by proper workplace
management. Minor leaks in the system can be revealed by the need to regularly top up the expansion tank
and should be rectified when possible. Adequate pipework protection will reduce the risk of pipework leaks
in the fresh water cooling system. The final effect for pipe work leaks in the Auxiliary fresh water cooling
system will be loss of T6, which does not exceed the WCFDI.
2.8.7.12 Burst central freshwater cooler: The central fresh water coolers provide cooling for the following equipment
as part of the central fresh water cooling system. Please refer to Table 2-12.
2.8.7.13 Jacket water leakage on the high temperature fresh water circuit in the water maker: There would be
leakage in the engine jacket water circulating side of the water maker from damaged seals which would
result in a fall of coolant levels for the main engine expansion tank. This over time would be observed as an
expansion tank low level alarm for the main engine, as the leaked coolant will be removed from the water
maker by the ejector pump. If the leaks are more severe this could result in the filling of the void space in
the water maker, however, this is not a large volume and thus would not result in tripping of the main engine
due to jacket water temperatures.

Table 2-12: Auxiliary Freshwater Cooling System DP Associated Equipment

Central Freshwater Cooling System DP Associated Equipment
M/E air cooler                    Packaged air con unit for the switchboard room
M/E lube oil cooler               Packaged air con for the ECR
ME Jacket Water cooler            No.1 & No.2 Main Air Compressors
CPP Hydraulic Cooler (T6)         No.1 & No.2 Service Air Compressors
Stern Tube Cooler (T6)            Control Air Compressor
No.1 & No.2 S/Gear Power Pack

2.8.7.14 If a central fresh water cooler ruptures and water is lost from the system, there will be limited
circulation of coolant for the components listed in Table 2-12, which could result in the tripping of the main
engine T6. Proper maintenance has to be in place to make sure the system is well maintained, and
fresh water pressure and level alarms should appear on the local panel or ICMS.
2.8.8

Hidden failures of the Main / Auxiliary Freshwater Cooling System

2.8.8.1

Fouling of the seawater side of the central fresh water coolers.

2.8.8.2

Seizure of the standby pumps due to lack of maintenance. This is easily avoided by rotating the pumps for
duty and regular PMS.

2.8.9 Common mode failures affecting redundancy of the Main / Auxiliary Fresh Water Cooling System

2.8.9.1 Chemical overdose: Chemical dosing of the system in the correct quantities is beneficial as it prevents corrosion of the metal components in the system. However, overdosing can in some cases cause chemical attack in the system; regular monitoring of the system is essential to ensure that the correct levels of chemical dosing are maintained.

2.8.10 Configuration errors affecting the redundancy of the Main / Auxiliary Fresh Water Cooling System

2.8.10.1 Inadvertently leaving the central freshwater cooling pumps on manual after maintenance.

2.8.11 Maloperation of Main / Auxiliary Fresh Water Cooling System

2.8.11.1 If chemical sampling and dosing are not carried out as required on the various fresh water cooling systems, it could result in failure to detect an imbalance in the alkalinity/acidity of the coolant, eventually resulting in scale build up and / or corrosion within the system.

2.8.12 Worst case failure Main / Auxiliary Freshwater Cooling System

2.8.12.1 A ruptured central fresh water cooler would result in the loss of water from the system. There would be limited circulation of coolant for the components listed above in Table 2-12; this could result in the tripping of the main engine (T6) and eventually lead to the loss of T6; this does not exceed the WCF. However, proper maintenance is required to be in place to make sure the system is well maintained, and the fresh water pressure and level alarms should activate on the local panel or ICMS.

2.8.13 Forward FW Service Cooling System


Figure 2-18 Forward FW cooling System
[Schematic. Labelled items: Sec.1 FWD Thruster FW Cooler with Sec.1 FW Pumps 1 and 2; Sec.2 FWD Thruster FW Cooler with Sec.2 FW Pumps 1 and 2; FW Exp. Tank; valves FW045 and FW046; valves FW048 and FW049 (NC); valves FW075 and FW076 (NO); consumers No.1 Bow Tunnel Thruster Elec. Motor, No.2 Bow Tunnel Thruster Elec. Motor, Bow Azimuth Thruster Elec. Motor, Bow Azimuth Thruster Hyd. Pack and Deck Mach. Hyd. Pump.]

2.8.13.1 For the forward fresh water cooling system refer to Figure 2-18. This cooling water system serves the motor coolers of thrusters 1, 2 and 3, and the T3 and deck machinery hydraulic power packs.
2.8.13.2 The forward fresh water service cooling system consists of two cooling loops, with isolating valves FW049 and FW048 normally closed during DP operation. The section 2 cooling loop cools the No.2 bow thruster electric motor, the BAZ3 hydraulic power pack and the BAZ3 electric motor, while the section 1 cooling loop cools the BT1 electric motor.

2.8.13.3 Coolant in the Forward FW Service cooling systems is circulated through the cooling loops by two fresh water cooling pumps, No.1 and No.2. These pumps have separate sources of power and are in operation at all times. Please refer to Table 5-3 for power supplies.
2.8.13.4 The Forward FW service cooling system has one expansion tank with a volume of 1.0m3, and there is a partition which separates the tank for the two cooling loops. The tank level is monitored by a level transducer. The forward freshwater cooling system is equipped with two plate type freshwater coolers with a capacity of 100%. In normal operations both coolers are placed online, and the temperature of the coolant supplied to the various consumers is maintained by an electro-pneumatic 3-way temperature control valve allocated to each cooler. The loss of power or control air supply to the 3-way valve unit would cause the 3-way valve to fail to full cooling delivery, and this in turn would not have any effect on the thrusters.
2.8.14 Failure modes of the forward fresh water service cooling system

1. Failure of one of the section 1 freshwater cooling pumps
2. Failure of one of the section 2 freshwater cooling pumps
3. Failure of the 3-way thermostatic control valve (FW045)
4. Failure of the 3-way thermostatic valve (FW045) to full cooling
5. Failure of the 3-way thermostatic valve (FW045) to bypass the coolers
6. Failure of the 3-way thermostatic control valve (FW046)
7. Failure of the 3-way thermostatic valve (FW046) to full cooling
8. Failure of the 3-way thermostatic valve (FW046) to bypass the coolers
9. Fouled forward freshwater cooler
10. Pipe work leaks in the Forward FW cooling system
11. Burst forward fresh water cooler

2.8.15 Failure effects of forward fresh water service cooling system faults

2.8.15.1 Failure of one of the section 1 freshwater cooling pumps: Failure of either pump in the section 1 forward fresh water cooling system will remove the redundancy. Failure of either pump would not affect the DP system because the standby pump would be initiated once the system detects low pressure in the fresh water system.
2.8.15.2 Failure of one of the section 2 freshwater cooling pumps: The effects are the same as in section 2.8.15.1.
2.8.15.3 Failure of the 3-way thermostatic control valve (FW045): In the event of power supply or control air failure to the electro-pneumatic unit, the 3-way temperature control valve will fail to full cooling delivery. This will have no effect on the BT1 system.
2.8.15.4 Failure of the 3-way thermostatic valve (FW045) to full cooling: Failure of the 3-way thermostatic valve (FW045) to full cooling would have no effect on the BT1 system.
2.8.15.5 Failure of the 3-way thermostatic valve (FW045) to bypass the coolers: Failure of the 3-way temperature control valve to bypass the cooler would initiate a rapid rise in coolant temperature; this is indicated as a higher operating temperature for the associated machinery. If not corrected it could result in the shutdown of the BT1 system.
2.8.15.6 Failure of the 3-way thermostatic control valve (FW046): In the event of power supply or control air failure to the electro-pneumatic unit, the 3-way temperature control valve will fail to full cooling. This will have no effect on the bow azimuth and BT2 systems.
2.8.15.7 Failure of the 3-way thermostatic valve (FW046) to full cooling: Failure of the 3-way thermostatic valve to full cooling would have no effect on the bow azimuth and BT2 systems.
2.8.15.8 Failure of the 3-way thermostatic valve (FW046) to bypass the coolers: Failure of the 3-way temperature control valve to bypass the cooler would initiate a rapid rise in coolant temperature; this is indicated as a higher operating temperature for the associated machinery. If not corrected it could result in the shutdown of the bow azimuth and BT2 systems.

2.8.15.9 Fouled forward freshwater cooler: The fouling of both plate coolers would reduce the efficiency of the seawater cooling system and thus affect both freshwater cooling systems separately. The high differential pressures across the inlet and outlet on the seawater side of the coolers would be noted by the engineers. This is remedied by cleaning one fouled cooler at a time. In mitigation the seawater cooling system is equipped with an MGPS system.
2.8.15.10 Pipe work leaks in the forward fresh water cooler: Failure of well protected freshwater pipework is not considered for Dynpos AUTR. Pipework failure and damage to strainers would generally occur as a result of mechanical damage and thus can be controlled by a proper Planned Maintenance System. Minor leaks in the system can be revealed by the need to regularly top up the expansion tank and should be rectified when possible.
2.8.15.11 Burst forward fresh water cooler: The forward fresh water coolers provide cooling for the following equipment as part of the forward fresh water cooling system. The fresh water circulation loops are kept independent by the isolation valves (FW049/FW048).
Table 2-13 Forward Freshwater Cooling System DP Related Equipment

Forward Freshwater Cooling System DP Related Equipment

| Freshwater Cooler No.1 | Freshwater Cooler No.2 |
|---|---|
| BT1 electric motor | BT2 electric motor |
| | Bow Azimuth thruster Hyd. Power pack |
| | BAZ3 Electric Motor |

2.8.15.12 A ruptured No.2 forward fresh water cooler would result in the loss of water from the system, and the limited circulation of coolant for the components listed above in Table 2-13 could result in the tripping of BT2 and BAZ3 (T3). This would not affect the operation of forward freshwater circuit No.1. However, proper maintenance has to be in place to make sure the system is well maintained, and the fresh water pressure and level alarms should appear on the local panel or ICMS.
2.8.15.13 A rupture in the No.1 forward fresh water cooler would result in the loss of water from the system, and the limited circulation of coolant for the components listed above in Table 2-13 could result in the tripping of azimuth thruster T1 from high operating temperatures. This would not affect the operation of forward freshwater circuit No.2. However, proper maintenance has to be in place to make sure the system is well maintained, and the fresh water low level and low-low level alarms should appear on the local panel or ICMS.
2.8.16 Hidden failures of the Forward Freshwater Cooling System

2.8.16.1 Fouling of the seawater side of the forward fresh water coolers.

2.8.17 Common mode failures affecting redundancy of the Forward Fresh Water Cooling System

2.8.17.1 Chemical overdose: Chemical dosing of the system in the correct quantities is beneficial as it prevents corrosion of the metal components in the system. However, overdosing can in some cases cause chemical attack in the system; regular monitoring of the system is essential to ensure that the correct levels of chemical dosing are maintained.

2.8.18 Configuration errors affecting the redundancy of the Forward Fresh Water Cooling System

2.8.18.1 Operating the forward freshwater cooling system with isolating valves FW049/FW048 in the open position, rather than normally closed, would result in a more severe failure mode than the WCFDI should a forward fresh water cooler rupture.
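
The configuration error in 2.8.18.1 can be checked mechanically. The following is an added example, not part of the report: it maps each fresh water loop to the thrusters and generators it cools (Tables 2-12 to 2-15, with the MSB allocations stated in 2.8.23.9 and 2.8.31.9), takes the WCFDI thruster groups from the report summary, and evaluates a cooler rupture with FW048/FW049 closed and open. The loop names, function names and the rule that any cross-connect valve not confirmed closed links the two forward loops are assumptions of the example.

```python
from collections import deque

# WCFDI thruster groups from the report summary: a single failure may take out
# at most one of these groups.
WCFDI_GROUPS = (frozenset({"T1", "T5", "T6"}), frozenset({"T2", "T3", "T4"}))

# Thrusters cooled directly by each loop (loop names are illustrative).
LOOP_THRUSTERS = {
    "FWD_SEC1": {"T1"},        # Freshwater Cooler No.1: BT1 motor
    "FWD_SEC2": {"T2", "T3"},  # Freshwater Cooler No.2: BT2 motor, BAZ3
    "GE12": {"T5"},            # No.1 GE FW cooler: stern tunnel thruster motor
    "GE34": {"T4"},            # No.2 GE FW cooler: stern azimuth thruster
    "CENTRAL": {"T6"},         # central FW cooler: main engine / CPP
}
# Generators cooled by each loop, and the thrusters each switchboard supplies.
LOOP_GENERATORS = {"GE12": {"DG1", "DG2"}, "GE34": {"DG3", "DG4"}}
BUS_GENERATORS = {"MSB1": {"DG1", "DG2"}, "MSB2": {"DG3", "DG4"}}
BUS_THRUSTERS = {"MSB1": {"T1", "T5"}, "MSB2": {"T2", "T3", "T4"}}

# Isolating valves that join two loops when they are not closed.
CROSS_CONNECTS = {
    "FW048": ("FWD_SEC1", "FWD_SEC2"),
    "FW049": ("FWD_SEC1", "FWD_SEC2"),
}
DP_LINEUP = {"FW048": "closed", "FW049": "closed"}


def drained_loops(ruptured_loop, valve_states):
    """Loops that lose coolant: the ruptured loop plus every loop reachable
    through a cross-connect valve that is not confirmed closed."""
    if ruptured_loop not in LOOP_THRUSTERS:
        raise ValueError(f"unknown cooling loop: {ruptured_loop}")
    # A missing or unrecognised valve state is treated as open (conservative).
    links = [pair for tag, pair in CROSS_CONNECTS.items()
             if valve_states.get(tag, "unknown") != "closed"]
    drained, queue = {ruptured_loop}, deque([ruptured_loop])
    while queue:
        loop = queue.popleft()
        for pair in links:
            if loop in pair:
                for other in pair:
                    if other not in drained:
                        drained.add(other)
                        queue.append(other)
    return drained


def lost_thrusters(ruptured_loop, valve_states):
    """Thrusters lost after a cooler rupture, directly or through loss of
    every generator feeding their switchboard."""
    lost, dead_generators = set(), set()
    for loop in drained_loops(ruptured_loop, valve_states):
        lost |= LOOP_THRUSTERS[loop]
        dead_generators |= LOOP_GENERATORS.get(loop, set())
    for bus, generators in BUS_GENERATORS.items():
        if generators <= dead_generators:
            lost |= BUS_THRUSTERS[bus]
    return lost


def exceeds_wcfdi(lost):
    """True when the lost thrusters do not fit inside one WCFDI group."""
    return not any(lost <= group for group in WCFDI_GROUPS)


def audit(valve_states):
    """Loops whose cooler rupture would exceed the WCFDI in this line-up."""
    return sorted(loop for loop in LOOP_THRUSTERS
                  if exceeds_wcfdi(lost_thrusters(loop, valve_states)))


if __name__ == "__main__":
    lineups = {"DP line-up": DP_LINEUP,
               "FW048 left open": {**DP_LINEUP, "FW048": "open"}}
    for name, valves in lineups.items():
        print(name)
        for loop in LOOP_THRUSTERS:
            lost = lost_thrusters(loop, valves)
            flag = "EXCEEDS WCFDI" if exceeds_wcfdi(lost) else "within WCFDI"
            print(f"  rupture in {loop}: lose {sorted(lost)} ({flag})")
```

With both valves closed every rupture stays inside one WCFDI group; with either valve open, a rupture in either forward loop takes T1, T2 and T3 together, which spans both groups.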
2.8.19 Maloperation of Forward Fresh Water Cooling System

2.8.19.1 If chemical sampling and dosing are not carried out on the various fresh water cooling systems, this could result in failure to detect an imbalance in the alkalinity/acidity of the coolant, eventually resulting in scale build up or corrosion in the system.
2.8.20 Worst case failure Fwd Fresh water service cooling system

2.8.20.1 The worst case failure will be the loss of the forward fresh water service cooling system No.2: a ruptured No.2 forward fresh water cooler would result in the loss of water from the system, and the limited circulation of coolant for the components listed above in Table 2-13 could result in the tripping of BT2 and BAZ3. This would not affect the operation of forward freshwater circuit No.1. However, proper maintenance has to be in place to make sure the system is well maintained, and the fresh water pressure and level alarms should appear on the local panel or ICMS once there is any leakage or rupturing of the cooler in the central fresh water cooling system.
2.8.21 No.1/2 GE FW Cooling System

Figure 2-19 No. 1/2 GE FW cooling system
[Schematic. Labelled items: No.1 GE FW Cooler; valve W205V; No.1/2 GE CFW Pumps No.1 and No.2; supply from FW Expansion tank; No.1 GE 7H32/40 and No.2 GE 9H32/40, each with Alternator Air Cooler and LO Cooler; No.1 GE MGO Cooler; Stern Tunnel Thruster Elec. Motor.]

2.8.21.1 For the No.1/2 GE FW cooling system refer to Figure 2-19. This cooling water system serves the stern tunnel thruster T5 plus generators No.1 and No.2.
2.8.21.2 Coolant for the No.1/2 GE FW cooling systems is circulated by No.1/2 GE cooling FW pumps No.1 and No.2. These pumps have separate sources of power and are operated in a duty/standby configuration. Refer to Table 5-3 for power supplies. The flow rate for the system is maintained at 300m3/H. In the event the running pump is unable to maintain the required pressure in the system, the standby pump should auto start.
2.8.21.3 The No.1/2 GE FW cooling system coolant is delivered from the main cooling FW expansion tank. The No.1/2 GE freshwater cooling system is equipped with a plate type freshwater cooler with a capacity of 100%. The temperature of the coolant supplied to the various consumers is maintained by an electro-pneumatic 3-way temperature controlled valve. The loss of power supply or control air supply to the electro-pneumatic unit would cause the 3-way valve to fail to full cooling delivery.
2.8.22 Failure modes of the No.1/2 GE FW cooling system

1. No.1/2 GE cooling freshwater pump failure.
2. Spurious start of the standby pump.
3. Failure of the 3-way thermostatic control valve (W205V).
4. Failure of the 3-way thermostatic valve (W205V) to full cooling delivery.
5. Failure of the 3-way thermostatic valve (W205V) to bypass the coolers.
6. Fouled No.1 GE freshwater cooler.
7. Pipe work leaks in the No.1/2 G/E fresh water cooling system.
8. Ruptured No.1 GE freshwater cooler.

2.8.23 Failure effects of No.1/2 GE FW cooling system faults

2.8.23.1 No.1/2 GE cooling freshwater pump failure: Failure of one pump in the No.1/2 GE fresh water cooling system would remove the redundancy, but should not affect DP assuming the standby pump starts when there is a low system pressure alarm.
2.8.23.2 Spurious start of the standby pump: A spurious start of the standby pump should have no effect on the heat exchangers.
2.8.23.3 Failure of the 3-way thermostatic control valve (W205V): In the event of power supply or control air failure to the electro-pneumatic unit, the 3-way temperature control valve will fail to full cooling. This will have no effect on generators No.1 & No.2 and the stern tunnel thruster.
2.8.23.4 Failure of the 3-way thermostatic valve (W205V) to full cooling: Failure of the 3-way thermostatic valve to full cooling would have no effect on the No.1/2 GE fresh water cooling system as the valve will fail as set.
2.8.23.5 Failure of the 3-way thermostatic valve (W205V) to bypass the coolers: Failure of the 3-way temperature control valve to bypass the cooler would initiate a rapid rise in coolant temperature; this is indicated as a No.1/2 GE fresh water cooling system high water temperature alarm on the ICMS. If not corrected it could result in the shutdown of Generators No.1 / 2 and the stern tunnel thruster. This would result in the loss of thrusters No.1 and No.5, which is equal to the WCFDI.
2.8.23.6 Fouled No.1 GE freshwater cooler: The fouling of the operating plate cooler would reduce the efficiency of the seawater cooling system and thus affect the freshwater cooling system. The high differential pressures across the inlet and outlet on the seawater side of the coolers would be noted by the engineers. This is easily remedied by switching over to the cooler on standby whilst the fouled cooler is bypassed and cleaned. In mitigation the seawater cooling system is equipped with an MGPS system.
2.8.23.7 Pipe work leaks in the forward fresh water cooler: Failure of well protected freshwater pipework is not considered for Dynpos AUTR. Pipework failure and damage to strainers would generally occur as a result of mechanical damage and thus can be controlled by proper workplace management. Minor leaks in the system can be revealed by the need to regularly top up the expansion tank and should be rectified when possible.
2.8.23.8 Burst No.1 GE freshwater cooler: The No.1 GE fresh water cooler provides cooling for the following equipment as part of the No.1/2 GE fresh water cooling system.
Table 2-14 GE 1/2 Freshwater Cooling System DP Related Equipment

| No.1/2 GE Fresh Water Cooling System DP Related Equipment | |
|---|---|
| Generator No.1 freshwater cooling system | Stern Tunnel Thruster Electric Motor |
| Generator No.2 freshwater cooling system | |

2.8.23.9 A ruptured or burst fresh water cooler for No.1 GE would result in the loss of water from the system. There would be limited circulation of coolant for the components listed above in Table 2-14, which could result in the tripping of stern tunnel thruster T5. It would also result in failure of generators No. 1 and No. 2 due to high operating temperatures. Reportedly MSB 1 supplies T1 and T5. With the loss of T1 and T5, this is equal to the WCFDI. However, proper maintenance has to be in place to make sure the system is well maintained, and the fresh water pressure and level alarms should appear on the local panel or ICMS.

2.8.24 Hidden failures of the No.1/2 G/E Freshwater Cooling System

2.8.24.1 Fouling of the seawater side of the No.1/2 G/E fresh water coolers.
2.8.24.2 Seizure of the standby pumps due to lack of maintenance. This is easily avoided by rotating the pumps for duty and a regular Planned Maintenance System.

2.8.25 Common mode failures affecting redundancy of the No.1/2 G/E Fresh Water Cooling System

2.8.25.1 Chemical overdose: Chemical dosing of the system in the correct quantities is beneficial as it prevents corrosion of the metal components in the system. However, overdosing can in some cases cause chemical attack in the system; regular monitoring of the system is essential to ensure that the correct levels of chemical dosing are maintained.

2.8.26 Configuration errors affecting the redundancy of the No.1/2 G/E Fresh Water Cooling System

2.8.26.1 Inadvertently leaving the No.1/2 GE cooling pumps on manual after maintenance.

2.8.27 Maloperation of No.1/2 G/E Fresh Water Cooling System

2.8.27.1 If chemical sampling and dosing are not carried out on the various fresh water cooling systems, this could result in failure to detect an imbalance in the alkalinity/acidity of the coolant, eventually resulting in scale build up and / or corrosion in the system.

2.8.28 Worst case failure No.1/2 GE Fresh water cooling system

2.8.28.1 A ruptured fresh water cooler for No.1 GE would result in the loss of water from the system. There would be limited circulation of coolant for the components listed above in Table 2-14, which could result in the tripping of stern tunnel thruster T5. It would also result in failure of generators No. 1 and No. 2 due to high operating temperatures. Reportedly MSB 1 supplies T1 and T5. With the loss of T1 and T5, this is equal to the WCFDI. However, proper maintenance has to be in place to make sure the system is well maintained, and the fresh water pressure and level alarms should appear on the local panel or ICMS.
2.8.29 No.3/4 G/E F.W Cooling System

Figure 2-20 No.3/4 GE FW cooling System
[Schematic. Labelled items: No.2 GE FW Cooler; valve W305V; No.3/4 GE CFW Pumps No.3 and No.4; supply from FW Expansion tank; No.3 GE 9H32/40 and No.4 GE 7H32/40, each with Alternator Air Cooler and LO Cooler; No.2 GE MGO Cooler; Stern Azimuth Thruster Elec. Motor; Stern Azimuth Hyd. Power Pack.]

2.8.29.1 For the No.3/4 GE FW cooling system refer to Figure 2-20 for the simplified drawing. This cooling water system serves the stern azimuth thruster plus generators No.3 and No.4.
2.8.29.2 Coolant for the No.3/4 GE FW cooling systems is circulated by No.3/4 GE cooling FW pumps No.1 and No.2. These pumps have separate sources of power and are operated in a duty/standby configuration. Refer to Table 5-5 for power supplies. The working pressure for the system is maintained at 300m3/H. In the event the running pump is unable to maintain the required pressure in the system, the standby pump will auto start.
2.8.29.3 The No.3/4 GE FW cooling system coolant is delivered from the cooling main FW tank. The GE No.3/4 freshwater cooling system is equipped with a plate type freshwater cooler with a capacity of 100%. In normal operations one cooler is placed online, and the temperature of the coolant supplied to the various consumers is maintained by an electro-pneumatic 3-way temperature controlled valve.

2.8.30 Failure modes of the No.3/4 GE FW cooling system

1. No.3/4 GE cooling freshwater pump failure.
2. Spurious start of the standby pump.
3. Failure of the 3-way thermostatic control valve (W305V).
4. Failure of the 3-way thermostatic valve (W305V) to full cooling delivery.
5. Failure of the 3-way thermostatic valve (W305V) to bypass the coolers.
6. Fouled No.2 GE freshwater cooler.
7. Pipe work leaks in the No.3/4 G/E fresh water cooling system.
8. Ruptured No.2 GE freshwater cooler.

2.8.31 Failure effects of No.3/4 GE FW cooling system faults

2.8.31.1 No.3/4 GE cooling freshwater pump failure: Failure of one pump in the GE 3/4 fresh water cooling system would remove the redundancy, but should not affect DP if the standby pump starts on low system pressure.
2.8.31.2 Spurious start of the standby pump: A spurious start of the standby pump should have no effect on the heat exchangers.
2.8.31.3 Failure of the 3-way thermostatic control valve (W305V): In the event of power supply or control air failure to the electro-pneumatic unit, the 3-way temperature control valve will fail to full cooling delivery. This will have no effect on Generators No.3 & No.4 plus the Stern Azimuth Thruster.
2.8.31.4 Failure of the 3-way thermostatic valve (W305V) to full cooling delivery: Failure of the 3-way thermostatic valve to full cooling would have no effect on the GE No.3/4 fresh water cooling system as the valve will fail to the position in which it is set.
2.8.31.5 Failure of the 3-way thermostatic valve (W305V) to bypass the coolers: Failure of the 3-way temperature control valve to bypass the cooler would initiate a rapid rise in coolant temperature; this is indicated as a GE 3/4 fresh water cooling system high water temperature alarm on the ICMS. If not corrected it could result in the shutdown of Generators No.3 / 4 and the stern azimuth thruster. This would result in a loss of thrusters No.2, No.3 and No.4.
2.8.31.6 Fouled No.2 GE freshwater cooler: The fouling of the operating plate cooler would reduce the efficiency of the seawater cooling system and thus affect the freshwater cooling system. The high differential pressures across the inlet and outlet on the seawater side of the coolers would be noted by the Duty Engineers. This can be easily remedied by switching over to the cooler on standby so that the fouled cooler is bypassed and can then be cleaned. Be advised the seawater cooling system is equipped with an MGPS system.
2.8.31.7 Pipe work leaks in the forward fresh water cooler: Failure of well protected freshwater pipework is not considered for Dynpos AUTR. Pipework failure and damage to the strainers would generally occur as a result of mechanical damage and thus can be controlled by a Planned Maintenance System. Minor leaks in the system are revealed by the need to regularly top up the expansion tank and should be rectified when possible.
2.8.31.8 Ruptured No.2 GE freshwater cooler: The No.2 GE fresh water cooler provides cooling for the following equipment as part of the No.3/4 GE fresh water cooling system.
Table 2-15 No.3/4 GE Freshwater Cooling System DP Related Equipment

| No.3/4 GE Fresh Water Cooling System DP Related Equipment | |
|---|---|
| Generator No.3 freshwater cooling system | Stern Azimuth Thruster (T4) Hydraulic Power Pack |
| Generator No.4 freshwater cooling system | Stern Azimuth Thruster (T4) Motor Cooler |


2.8.31.9 A ruptured fresh water cooler for No.2 GE would result in the loss of water from the system. There would be limited circulation of coolant for the components listed above in Table 2-15, which could result in the tripping of thruster T4. It would also result in failure of generators No. 3 and No. 4 due to high operating temperatures. Reportedly MSB 2 supplies T2, T3 and T4. With the loss of T2, T3 and T4, this is still equal to the WCFDI. However, proper maintenance has to be in place to make sure the system is well maintained, and the fresh water pressure alarm and water level alarms should appear on the local panel or ICMS.

2.8.32 Hidden failures of the No.3/4 G/E Freshwater Cooling System

2.8.32.1 Fouling of the seawater side of the No.2 G/E fresh water coolers.
2.8.32.2 Seizure of the standby pumps due to lack of maintenance. This is easily avoided by rotating the pumps for duty and regular PMS.

2.8.33 Common mode failures affecting redundancy of the No.3/4 G/E Fresh Water Cooling System

2.8.33.1 Chemical overdose: Chemical dosing of the system in the correct quantities is beneficial as it prevents corrosion of the metal components in the system. However, overdosing can in some cases cause chemical attack in the system; regular monitoring of the system is essential to ensure that the correct levels of chemical dosing are maintained.

2.8.34 Configuration errors affecting the redundancy of the No.3/4 G/E Fresh Water Cooling System

2.8.34.1 Inadvertently leaving the No.3/4 GE cooling pumps on manual after maintenance.

2.8.35 Maloperation of No.3/4 GE Fresh Water Cooling System

2.8.35.1 If chemical sampling and dosing are not carried out on the various fresh water cooling systems, this could result in failure to detect an imbalance in the alkalinity/acidity of the coolant, eventually resulting in scale build up and / or corrosion in the system.

2.8.36 Worst case failure No.3/4 GE Fresh water cooling system

2.8.36.1 A ruptured water cooler for No.2 GE would result in the loss of water from the system. There would be limited circulation of coolant for the components listed above in Table 2-15, which could result in the tripping of thruster T4. It would also result in failure of generators No. 3 and No. 4 due to high operating temperatures. Reportedly MSB 2 supplies T2, T3 and T4. With the loss of T2, T3 and T4, this is still equal to the WCFDI. However, proper maintenance has to be in place to make sure the system is well maintained, and the fresh water pressure and level alarms should appear on the local panel or ICMS.
2.9 COMPRESSED AIR SYSTEM

2.9.1 Drawing reference
200M241001MB Compress Air system

2.9.2 Redundancy concept

2.9.2.1 Two compressors supply the starting air system and backup for the control air system in the engine room.

2.9.2.2 Two service air compressors supply the control air where one is operational and the other acts as standby.

2.9.3 Configuration for DP

2.9.3.1 Both air receivers supply the main engine and four generators. The Main engine has an independent line whilst four generators share a common aux. air reservoir. Two set generators will be sharing the common starting air line from the aux. air receiver.

2.9.4 Compressed air system

Figure 2-21 Compressed Air System
[Schematic. Labelled items: No.1 and No.2 Main Air Compressors; No.1 and No.2 Main Air Reservoirs; Aux. Air Reservoir; 30bar / 7bar pressure reduction; No.1 and No.2 Service Air Compressors; Service Air Reservoir; Control Air Compressor; Control Air Reservoir; No.1 and No.2 Ctrl Air Dryers; Deck Service Air Compressor; Deck Service Air Reservoir; valves A018V (NC) and A019V (NC); line to Fire Control Station; ME B&W 6S70ME C8.2; No.1 GE 7H32/40, No.2 GE 9H32/40, No.3 GE 9H32/40, No.4 GE 7H32/40; consumers No.1 and No.2 GE MDO Auto filters, ME FO Auto filter, ME LO Auto Filter, No.1 to No.4 GE FO Shut off V/V, ME JCFW TCV, Main CFW TCV, Main LO CW TCV, No.1,2 GE CFW TCV and No.3,4 GE CFW TCV.]

2.9.4.1 The compressed air system is equipped with two main air compressors with a capacity of 200m3/h at 30 bar. Refer to Figure 2-21.

2.9.4.2 Main air compressor No.1 is fed from 440Vac LGSP-5 section 2 whilst main air compressor No.2 is fed from the 440Vac emergency switchboard.

2.9.4.3 The main air compressors supply two main air receivers and an auxiliary air receiver with a working pressure of 3.0MPa. The main air receivers each have a volume of 4.5m3 whilst the aux air receiver has a volume of 0.5m3. Only the main air receivers are monitored and alarmed for low starting air pressure at the ICMS. The air receivers are protected from overpressure with relief valves set at 3.3MPa.

2.9.4.4 Compressed air from the main air receivers feeds the main engine and generators. The aux. air receiver is dedicated to the four generators while the main engine starting air is delivered from the main air receivers. The generators and main engine primarily use compressed air for starting and control air purposes.

2.9.5 Service air / Control air system

2.9.5.1 The service air system for the vessel can be supplied either from the main air reservoirs or from the No.1 & No.2 Service air compressors. The No.1 & No.2 Service air compressors are fed through the service air reservoir. The service air system air pressure from the main air receivers is reduced from 3.0MPa to 0.7MPa through a pressure reducing unit. The pressure reducing unit is equipped with two sets of pressure reducing valves and relief valves for redundancy purposes.


2.9.5.2 Service air from the service air compressors is stored in a service air reservoir with a volume of 2.0m3. The service air reservoir is protected from overpressure by a relief valve set at 0.77MPa. Pressure in the service air reservoir is monitored and alarmed on the ICMS. The compressed air from the service air reservoir is distributed to other machinery equipment and to the control air system, to which it is passed through No.1 control air dryer.

2.9.5.3 There is a backup control air system supplied from the control air compressor. The air from the control air compressor is stored in the control air reservoir and is distributed mainly to the control air system. The compressed air from the control air reservoir is passed through the No.2 control air dryer.

2.9.5.4 For DP related equipment supplied from the service and control air system refer to Table 2-16. Failure modes for all the systems listed below are to be identified.
Table 2-16 DP Related Equipment supplied from the Control and GS Air System

| DP Related Equipment supplied from the Service / Control Air System | |
|---|---|
| GE No.1 F.O Inlet shutoff Valve | ME F.O Auto Filter |
| GE No.2 F.O Inlet shutoff Valve | ME Jkt Water CFW Temp Control Valve |
| GE No.3 F.O Inlet shutoff Valve | M/E LO CW Temp Control Valve |
| GE No.4 F.O Inlet shutoff Valve | M/E CFW CLR Temp Control Valve |
| No.1 GE MDO Auto Filter | No.3 & 4 GE CFW CLR TCV |
| No.2 GE MDO Auto Filter | ME LO Auto. Filter |

2.9.6

Deck Service Air System

2.9.6.1

The deck service air system is supplied from the Deck service air compressor. The air compressor is fed to
the deck service air reservoir where the air pressure is 0.7MPa. There is an isolation valve (A019V) which is
normally set in the closed position, is used to separate between the service / control air system and deck
service air system.

2.9.6.2

The air from the deck service air compressor is stored in a deck service air reservoir with a volume of 2.0m 3.
The service air reservoir is protected from overpressure through a relief valve, set at 0.77MPa. Pressure in
the service air reservoir is monitored and alarmed to the ICMS. The compressed air from the deck service
air reservoir is distributed to the deck machinery equipment and the emergency shutoff valves.

2.9.6.3

It can also be backed-up by the service / control air system which is supplied from the service air
compressors.

2.9.7

Emergency Shut off Valve and Fire Damper Compressed Air System

2.9.7.1

The emergency shut off valve and fire damper control system consists of an air receiver located at the fire
control station. The air receiver is supplied from the deck service compressor at 0.7MPa from the deck
service compressed air system. The content in the fire control station air receiver is protected by a non-return
valve at the compressed air inlet. The air receiver is protected from over pressure by a relief valve set
at 0.77MPa. The pressure in the air receiver is monitored and alarmed to the ICMS.

2.9.7.2

From the fire control station air receiver, there are two valves at the air receiver outlet supplying two groups
of fire dampers, which in normal operations are set to the closed position. Refer back to Figure 2-10.

2.9.7.3

The fire control station air receiver supplies the pneumatic quick closing valve system with the actuating
air to close the quick closing valves and the actuating air to close the engine room fire dampers. Activation of all
the quick closing valves is achieved via a marked control lever located at the fire control station. For more
information refer to section 2.5.11. There is an E/R fan damper control panel to manage all the fire dampers.
Therefore the control panel needs to be well identified to avoid inadvertently shutting down the wrong fire
damper at the same time.

2.9.8

Failure modes of the compressed air system


1. Main air compressor failure.
2. Failure of the Control and GS Compressor.
3. Failure of pipe work in the starting air system.
4. Failure of pipework in the control and service air system
5. Failure of pipework in control air system in main engine
6. Failure of pipework in control air system in aux. engine
7. Overpressure on the compressed air system.
8. Failure of pipework or leakage in the quick closing valve system
9. Failure of pipework or leakage in the fire damper system

2.9.9

Failure effects of the compressed air system

2.9.9.1

Failure of one of the main air compressors: Main compressor failure will remove the redundancy but will not
affect the system completely as the compressed air system comes equipped with two main air compressors.
Failure of the air compressors is monitored and alarmed to the ICMS.

2.9.9.2

Failure of one of the service air compressors: Failure of one of the service air compressors should not affect
the supply of compressed air to the service and control air system as the supply from the main compressed
air system through the pressure reducing stations would still be available.

2.9.9.3

Failure of pipe work in the starting air system: Pipe work failure is considered for Dynpos AUTR notation
(Pt.6 Ch.7 Sec.5 C301) if well protected, however leaks in the air system are relatively common. Major
pipework failure would remove the ability to start the main engine (if on standby) and reduce compressed air
pressure to the service and control air system. Starting air for the generators is supplied through the
auxiliary air receiver. Pipework damage on the supply to the air reservoirs would affect the air available in
the main and auxiliary air reservoirs; however, it should not affect the pressure in the auxiliary air receiver as
it is protected by a non-return valve. Pipework damage generally occurs as a result of mechanical damage
and thus can be controlled by proper workplace management. In mitigation, the low start air pressure alarm
at the main air reservoirs is set at 15 kg/cm2 pressure to alert the ECR operators through the ICMS.
Consideration should be given to monitoring the air pressure in the auxiliary air receiver.

2.9.9.4

Failure of pipework in the control and service air system: Pipe work failure or air leakage will not
affect the engines. The electro-pneumatic valves will fail to full cooling. Loss of service air will not have any
effect on any engine.

2.9.9.5

Failure of pipework in control air system to main engine: This will result in the main engine running at idle speed
and the CPP being deselected from the DP system. The failure will not have any effect on the engine upon loss of control
air.

2.9.9.6

Failure of control air pipework to the auxiliary engines: Loss of control air will not have any effect on the
running of all Auxiliary Engines. To be proven during the proving trials.

2.9.9.7

Overpressure on the compressed air system: The compressed air system is protected from over pressure
by a series of relief valves on the air receivers and pressure reducing stations.

2.9.9.8

Failure of pipe work or leakage in the quick closing valve system: Pipe work is well protected;
however, leaks in the air system are relatively common. Major pipe work failure would have no effect on the
quick closing valves as compressed air is required to activate closure of the valves. Pipe work damage
generally occurs as a result of mechanical damage and thus can be controlled by proper workplace
management. In mitigation, the low air pressure alarm for the fire control station reservoir is to alert the ECR
operators through the ICMS.

2.9.9.9

Failure of pipe work or leakage in the fire damper system: Pipe work failure is not to be considered for
Dynpos AUTR notation if well protected, however leaks in the air system are relatively common. Major pipe
work failure would stop air to the Engineroom fire dampers preventing them from closing. The fire dampers
would remain open and could not be closed from the fire control station.

2.9.10

Hidden compressed air system failures

2.9.10.1 Deterioration of FAD may occur as a result of wear and tear in the mechanical components in the
compressors. This may only be noticed during the periods of high demand where the system may not be
able to sustain required pressure. The compressor coupling can fail on one unit but may still indicate that it
is running.
2.9.10.2 Blockage or failure of the operating pressure reducing unit is not indicated as an alarm, however it can be
observed through frequent running of the service compressor/s.
2.9.11

Common mode failure affecting the compressed air system

2.9.11.1 There is no common mode failure affecting the compressed air system.
2.9.12

Compressed air system configuration errors that could remove the backup redundancy

2.9.12.1 As the air compressor system is an auto standby system, failure to switch the backup compressor to
standby start would reduce the number of available compressors to one.
2.9.13

Maloperation of the compressed air system

2.9.13.1 Inadvertent operation of the closure control air lever to the quick closing valves would shut off one group of
valves to the respective fuel oil tanks. The QCV system is divided into two groups, which are described in
Table 2-8.
2.9.13.2 Inadvertent operation of closure of group 1 valves will lead to loss of ME, No.1 & No.2 Diesel Generators.
The vessel would lose T1, T5 and T6.
2.9.13.3 Inadvertent operation of closure of group 2 valves will lead to loss of No.3 & No.4 Diesel Generators. The
vessel would lose T2, T3 and T4.
2.9.13.4 However if there is adequate identification and security to the valves at the fire control station, the risk can
be mitigated.
2.9.14

Worst case failure - Compressed air system

2.9.14.1 The worst case failure of compressed air system would be to lose control air to the main engine and this
would result in the main engine running at idle speed.
2.10

VENTILATION SYSTEM

2.10.1

Drawing reference
200F24100PB Air Venting / Sounding System
200F24100PB Compress Air System

2.10.2

Machinery space ventilation

2.10.2.1 The ventilation system includes ventilation of the engine room, bow thrusters room, steering gear room and
other machinery spaces.
2.10.2.2 Loss of ventilation to machinery spaces other than the engine room is less critical and will only result in
temperature rise in the affected compartment.
Table 2-17 Ventilation system power sources

| Ventilation Fans | Power Source | Space Ventilated |
|---|---|---|
| ER Supply Fan No.1 (Rev. Type) | 440Vac ESB | Engine Room |
| ER Supply Fan No.2 (Rev. Type) | 440Vac GSP No.1 | Engine Room |
| ER Supply Fan No.3 (Non-Rev. Type) | 440Vac GSP No.1 | Engine Room |
| E/R Supply Fan No.4 (Non-Rev. Type) | 440Vac GSP No.2 | Engine Room |
| Steering Gear Supply Fan | 440Vac ESB | Steering Gear Room |
| Bow Thruster Supply Fan | 440Vac ESB | Bow Thruster Room |
| No.1 Pump room exhaust fan (Non-Rev.) | No.1 440Vac Feeder panel | Pump Room |
| No.2 Pump room exhaust fan (Non-Rev.) | No.2 440Vac Feeder panel | Pump Room |

2.10.3

Engineroom ventilation

2.10.3.1 There are four single speed engine room supply fans allocated to the engine room. These fans are supplied
from the appropriate sides of the power distribution system as shown in Table 2-17.
2.10.3.2 Each duct is equipped with engine room surplus air exhaust through a pneumatic operated damper. The
main engine room is naturally vented through exhaust air outlets located on the port and starboard side of
the engine room. Exhaust air is directed to the E/R funnel dampers which are located in the funnel.
2.10.4

Steering Gear Room Ventilation system

2.10.4.1 The steering gear room ventilation system consists of a single speed ventilation supply fan and a natural
ventilator. The steering gear room supply fan is supplied from the power distribution system as shown in
Table 2-18. The supply fan is housed in the steering gear room mechanical supply air fan housing.
2.10.5

Bow thrusters room Ventilation system

2.10.5.1 The bow thrusters room ventilation system consists of a single speed ventilation supply fan and natural
ventilator. These fans are supplied from the appropriate sides of the power distribution system as shown in
Table 2-18. The supply fan is housed in the forward compartment mechanical supply air fan housing.
2.10.6

Engine Room Fire Dampers

2.10.6.1 The emergency shut off valve and fire damper control system consists of an air receiver located at the fire
control station. The air receiver is supplied with compressed air at 0.7MPa from the deck service air system.
The content in the fire control station air receiver is protected by a non-return valve at the compressed air
inlet. The fire control station air receiver supplies the engine room fire dampers through a manually operated
directional control valve. The directional control valves are located in the fire damper control panel at the fire
control station. The engine room fire dampers require compressed air to close the fire dampers. Refer to
Table 2-18 for the air distribution to the fire dampers.
Table 2-18 Engine Room Fire Dampers

Location of fire dampers
Damper for E/R supply fan No.1
Damper for E/R supply fan No.3
Damper for Purifier Rm Exh fan
Damper for E/R surplus air

Damper for E/R Supply Fan No.4
Damper for E/R Supply Fan No.2
Funnel Fire Damper
Funnel Fire Damper

2.10.7

Failure modes of the ventilation system


1. Failure of one engine room supply fan (Non-Reversible Type).
2. Failure of one engine room supply fan (Reversible Type).
3. Failure of the steering gear room supply fan.
4. Failure of the bow thrusters room supply fan.
5. Inadvertent operation of a manually operated directional control valve at the fire damper control panel.
6. Piping air leakage for group 1 and group 2 fire dampers
7. Piping air leakage for group 3 fire dampers
8. Leakage at the air receiver at the fire control station

2.10.8

Failure effects of the ventilation system

2.10.8.1 Failure of one engine room supply fan (Non-Reversible Type): A single supply fan failure through a wire
break or component failure would reduce redundancy in the number of operational fans available; however,
it should not affect the operation of the running engines as there are three other supply fans available.
Failure of a supply fan would be alarmed to the ICMS system.
2.10.8.2 Failure of one engine room supply fan (Reversible Type): A single supply fan failure through a wire break or
component failure would reduce redundancy in the number of operational fans available; however, it should
not affect the operation of the running engines as there are three other supply fans available. Failure of a
supply fan would be alarmed to the ICMS system.
2.10.8.3 Failure of the steering gear room supply fan: Failure of the steering gear room supply fan through a wire
break or component failure would not affect the operation of the steering gears, because there is a
mushroom type natural ventilator.
2.10.8.4 Failure of the bow thrusters room supply fan: Failure of the bow thrusters room supply fan through a wire
break or component failure would not affect the operation of the bow thrusters, because there still is a
mushroom type natural ventilator.
2.10.8.5 Inadvertent operation of a manually operated directional control valve on the fire damper control panel:
The directional control valves affect all the engine room fire dampers; however, if there is adequate
identification and security to prevent such acts, the wrong adjustment of the directional
control for the fire dampers would not happen.
2.10.8.6 Piping air leakage for fire dampers: The 4 fire dampers are supplied from the common pipeline outlet from
the fire control station air receiver. The fire dampers require air to close them therefore leakage at the
common pipeline to the fire dampers would not lead to any effect to the diesel engines in the engine room
as fire dampers would still remain open.
2.10.8.7 Leakage on the air receiver at the fire control station: This would have no effect on the fire dampers as the
pipeline is protected with the non-return valve. The low air pressure alarm will be tested during the proving trial
and the alarm will be shown on the ICMS system.
2.10.9

HVAC System

2.10.10

Drawing reference
200M241001MB Miscellaneous system

2.10.11

Description

2.10.11.1 Package air conditioning is provided at important locations containing sensitive equipment important to the
DP system. Table 2-19 below gives details of the location and source of supply. Loss of air-conditioning
is not immediately critical and those working in that area should soon be aware that there is a problem, but
temperature and humidity can reach unacceptable levels in tropical conditions if air conditioning is not
restored.

Table 2-19 HVAC Unit Power Supplies

| Air conditioning unit | Power Source | Location |
|---|---|---|
| No.1 Air conditioner plant | No.1 440Vac Feeder Panel | |
| No.2 Air conditioner plant | No.2 440Vac Feeder Panel | |
| Package A/C for W/H No.1 | No.1 440Vac Feeder Panel LGSP -6A | Wheel house |
| Package A/C for W/H No.2 | No.2 440Vac Feeder Panel LGSP -6B | Wheel house |
| Package A/C for ECR No.1 | No.1 440Vac Feeder Panel | ECR |
| Package A/C for ECR No.2 | No.2 440Vac Feeder Panel | ECR |
| Package A/C No.1 for swbd room | No.1 440Vac Feeder Panel | Main switchboard room |
| Package A/C No.2 for swbd room | No.2 440Vac Feeder Panel | Main switchboard room |

2.10.11.2 Wheelhouse and DP Control station: The wheelhouse is an air conditioned space cooled by one 440Vac
packaged air conditioning unit.
2.10.11.3 Main Switchboard Room: The main switchboard room is an air conditioned space which is cooled by two
440Vac packaged air conditioning units. Both A/C units are running at all times. The A/C units are water
cooled condensing units fed from the central fresh water cooling system.
2.10.11.4 Engine Control Room: The ECR is an air conditioned space which is cooled by two 440Vac packaged air
conditioning units. The A/C units are water cooled condensing units fed from the central fresh water cooling
system.
2.10.12

Failure modes of the HVAC system

2.10.12.1 The resultant loss of A/C units for the various DP related spaces due to mechanical or electrical failures
could lead to higher compartment temperatures and related effects such as condensation on the equipment
in the space. It should be noted that the equipment in these compartments is required by Class to
operate at the ambient conditions stated in DNV Rules for Classification of Ships, Newbuildings
Machinery Systems, General-January 2005. The below stated limits are well above the temperatures at which
this equipment would normally be maintained.
Pt4 Ch.1 Sec.3, B 200 Environmental conditions
Pt4. Ch.8.Sec.3 B300 Temperatures and humidity
Pt4. Ch.9 Sec.5B Environmental conditions, Instrumentation
Pt4 Ch.1 Sec.3 B 201 - All machinery, components and systems covered by the rules are to be designed to
operate under the following environmental conditions if not otherwise specified in the detailed requirements
for the machinery, component or system:
ambient air temperature in the machinery space between 0°C and 55°C,
relative humidity of air in the machinery space up to 96%,
sea water temperature up to 32°C,
list, rolling, trim and pitch according to Table B1.
The Society may consider deviations from the angles of inclination given in the table, taking into
consideration the type, size and service conditions of the ship.
1. Failure of one wheelhouse HVAC unit
2. Failure of one water cooled condensing unit for the ECR / Main switchboard Room
3. Failure of one main switchboard HVAC unit

2.10.13

Failure effects of the HVAC system

2.10.13.1 Failure of wheelhouse HVAC unit: The loss of the packaged unit for the wheelhouse should have no effect on the
equipment on the bridge as it is rated to operate in ambient temperature in excess of 55°C. Failure of
one packaged unit would be alarmed on the ICMS and the local panel. The equipment in the space is
understood to be rated to operate in accordance with the DNV rules quoted above.
2.10.13.2 Failure of one water cooled condensing unit for the ECR room: The failure of the water cooled condensing
unit for the ECR would not affect the equipment in the space. Failure of the packaged unit would be alarmed
on the ICMS and local panel. In addition the temperature in the space is also monitored on the local Temp
controller. The equipment in the space is understood to be rated to operate in accordance with the DNV
rules quoted above. In the event of failure of the package unit in the engine room, the ambient temperature
from the reference will be kept below 45°C.
2.10.13.3 Failure of one water cooled condensing unit for the main switchboard room: The failure of a water cooled
packaged unit for the main switchboard room would have no immediate effect on the equipment in the
space. Failure of one unit will be alarmed but there will be no effect as there is a secondary unit that is
cooling the switch board room. The A/C unit on the No. 1 GSP side is supplied by MSB 1 P-M1-17 whereas
the No. 2 A/C (closer to the No. 2 GSP) is supplied from MSB 2, P-M2-17. Each unit is capable of cooling
the entire room. Failure of either packaged unit would be alarmed on the ICMS and local panel. In addition
the temperature in the space is also monitored on the local Temp Controller. The equipment in the space is
understood to be rated to operate in accordance with the DNV rules quoted above. Likewise the M.V
transformers are also supplied by individual supply fans that are powered off the respective switchboards
(No. 1 M.V transformer supply fan supplied from MSB 1 and No. 2 M.V transformer supply fan supplied
from MSB 2).
2.10.14

Hidden failures of the HVAC

2.10.14.1 Failure of the standby unit for the main switchboard room would not be detected until there is a failure of the
packaged unit in operation. This is easily corrected by rotating the package units on duty. In mitigation
failure of both units in this case is not immediately critical.
2.10.15

Maloperation and configuration errors associated with HVAC

2.10.15.1 The circulation of coolant to the HVAC units for the main switchboard rooms and ECR is carried out by the
Auxiliary fresh water cooling system. Maloperation of these systems would include setting the auxiliary fresh
water cooling pumps to manual instead of auto/standby.
2.10.16

Common mode failures associated with ventilation

2.10.16.1 There is no common mode failure that has been identified during the analysis.
2.10.17

Ventilation or HVAC configuration errors that could defeat redundancy

2.10.17.1 Running both main switchboard packaged units at the same time should not be necessary as both units
cover 100% capacity.
2.10.18

Worst case failure

2.10.18.1 The worst case failure will be loss of No.1 440Vac feeder panel; this would result in loss of one main
switchboard room air conditioning, ECR air conditioning units and accommodation condensing units. Loss
of single air conditioning units in the main switchboard room and ECR will have no noticeable effect
on the temperature as the second air conditioning unit is still running; this will not have an immediate effect on
the relevant equipment or machinery and the ambient condition is fulfilled as stated in DNV class rules.

2.11

EMERGENCY GENERATOR

2.11.1

Drawing reference

1. Specification for Emergency Diesel Generator Set.


2.11.2

Redundancy concept

2.11.2.1 The vessel is fitted with a Doosan AD180TI engine and a Leroy Somer M47.2 S4 alternator. The Emergency
Generator provides the usual services required by SOLAS but does not have a significant role to play in the
redundancy concept. Blackout recovery is possible without it provided that recovery takes place within the
expected time.
2.11.3

Location

2.11.3.1 The emergency generator room is located on the main deck. The auxiliary support systems such as the fuel
oil day tank are located in the emergency generator room.
2.11.4

Configuration for DP

2.11.4.1 The emergency generator would be placed on standby during normal operations as its purpose is to assist in
the event that blackout recovery does not work.
2.11.5

Description

2.11.5.1 This is a 4 stroke, in-line, water cooled direct injection diesel engine. There is an engine driven water pump
to direct the coolant to the LO cooler, and turbo charger exhaust manifold. After that the coolant will return
to the cooling system or to the top tank via the thermostat.
2.11.5.2 The coolant at the top tank will then be cooled through the radiator before it returns to the engine cooling
system.
2.11.5.3 There is a fuel oil tank mounted with the engine. The fuel is filled manually. Therefore the Emergency
Generator fuel tank needs to be part of regular inspections when it is in use.
2.11.5.4 The Emergency engine has its own lubricating system which comprises an engine driven LO pump, oil
cooler, oil filter and oil strainer. The LO is drawn by the engine driven LO pump from the oil pan through
the oil strainer. The LO is then directed to the oil cooler and lube oil filter before entering the cylinder block.
2.11.5.5 From the cylinder block, the LO is then distributed to the turbo charger, PTO, air compressor, crank journal, rocker
arm bush and oil spray nozzles.
2.11.5.6 The engine is electric start from a battery. The battery is charged from the 220Vac ESB.
2.11.6

Failure mode of the emergency generator engine

1. Engine stops during operation. (No failure of engine components)
2. Engine runs at lower speed than required during operation.
3. Engine runs at higher speed than required during operation.
4. Engine fails to start on demand.
5. Unforeseen catastrophic failure of a component part (manufacturer's component fails within its expected lifespan).

2.11.7

Failure effects of the emergency generator engine

2.11.7.1 Engine stops during operation (no failure of engine components): Loss of generation capacity leading to
breaker tripping on under frequency possibly leading to a blackout situation if the main generators have not
restarted.
2.11.7.2 Engine runs at lower speed than required during operation: Inability to maintain power supply at required
frequency; may trip on under frequency or eventually low voltage possibly leading to a blackout situation if
the main generators have not restarted.

2.11.7.3 Engine runs at higher speed than required during operation: Inability to maintain power supply at required
frequency; potential to over speed engine possibly leading to a blackout situation if the main generators
have not restarted.
2.11.7.4 Engine fails to start on demand: Inability to power up emergency switchboard in a blackout situation.
2.11.7.5 Unforeseen catastrophic failure of a component part (manufacturer's component fails within its expected
lifespan): External component - engine may stop but can usually be restarted when the faulty part has been
replaced; internal component- engine may stop commonly due to catastrophic failure of other parts
damaged by the initial breakage.
2.11.8

Hidden emergency generator failures

2.11.8.1 Failure to start - Manufacturing defects in engine components.


2.11.8.2 Fuel contamination of lubricating oil. Mitigated by the fact that oil sampling is carried out regularly.
2.11.9

Common mode failure affecting the E-Gen fuel system

2.11.9.1 There are no known common mode failures.


2.11.10

Maloperation of the emergency generator

2.11.10.1 There are interlocks such as check sync relays to prevent all obvious acts that could affect the main power
system.
2.11.11

Emergency generator configuration errors that could defeat redundancy

2.11.11.1 Leaving the system in manual control could prevent the start of the engine following a failure although this
would not have an immediate impact on the station keeping capability of the vessel if all systems were
operational and configured correctly.
2.11.12

Worst case failure - Emergency generator

2.11.12.1 As the emergency generator is normally in standby during DP operations there is little opportunity for failures
to occur in such a way that they affect DP operations. There is a possibility of causing disruption of
consumers on the emergency switchboard during load testing.

POWER GENERATION

3.1

GENERATORS

3.1.1

References

Specification for Synchronous Generator:- APP-11RAH086-Rev.2


Specification of Generator
Working Drawing of Diesel Generator Engine
UG-25+ Governor Manual 26330 (Rev G)
K-Chief 600 Power Management System 1221635 Rev A
HDEC 1000 Users Manual
3.1.2

Configuration for DP

[Figure 3-1: Single Line Diagram for 6.6kV. The diagram shows DG1 to DG4 connected through No.1 to No.4 VCB 3P (NC) to 6.6kV MSB 1 and 6.6kV MSB 2, the bus tie No.5 VCB 3P (MBT, NO), and the thrusters BT1, BT2, BAZ3, SAZ4, ST5 and CPP.]

3.1.2.1

The 6.6kV switchboard layout is illustrated in the simplified drawing in figure 3-1.

3.1.2.2

The normal configuration while in DP is to run the vessel with a two-way split. Please refer to the
simplified diagram above. The position of breakers is given below:
1. All the generators online.
2. Breaker No.5 VCB 3P is opened so that 6.6kV switchboard 1 and 2 are disconnected.
3. Breaker No.7 VCB 3P is opened and No.10 VCB 3P is closed such that BAZ 3 is supplied from MSB No.2
4. Breaker No.1 VCB 3P is closed.
5. Breaker No.2 VCB 3P is closed.
6. Breaker No.3 VCB 3P is closed.
7. Breaker No.4 VCB 3P is closed.
8. BAZ3 is supplied from 6.6KV MSB No.2.

3.1.3

Redundancy concept

3.1.3.1

The redundancy concept at the power generation level is based on the distribution of 6.6kV level.

3.1.3.2

The thruster groups are:
6.6kV MSB No.1: Bow Tunnel thruster (T1), Stern tunnel thruster (T5) and main CPP (T6)
6.6kV MSB No.2: Bow Tunnel Thrusters (T2), Bow and Stern Azimuth thrusters (T3 and T4)

3.1.3.3

In the event of failure of the 6.6kV MSB 2, BAZ3 can be manually changed over to 6.6kV MSB 1 to
continue DP operation, and to increase DP capability. However, during the period of changeover, the
vessel will stay in position with the remaining thrusters should the vessel be operated within its
environmental limits as specified by its capability plots.

3.1.3.4

Worst Case Failure Design Intent:- The WCFDI due to a fault on the main switchboard will be loss of:
6.6kV MSB 1: One Bow Tunnel thruster (T1), Stern tunnel thruster (T5) plus the main CPP (T6).
Although the hydraulic pumps for the CPP (T6) are distributed between the 440VAC MSB 2 and 440VAC
MSB 1, it would not be possible to changeover the supply for this thruster as the pumps for the Main
Engine are supplied from MSB 1.
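The single-failure reasoning in 2.9.13 (quick closing valve groups) and 3.1.3 (switchboard and thruster groups) can be checked mechanically. The Python sketch below is an added example, not part of the FMEA report: it encodes the dependencies stated in the text as a constructed map (node names such as FUEL_GROUP_1 and ME_CONTROL_AIR are illustrative assumptions) and tests each failure against the WCFDI thruster groups.

```python
"""Single-failure propagation for the DP redundancy groups (added example)."""
from typing import Dict, Iterable, List, Set, Tuple

Deps = Dict[str, Tuple[str, List[str]]]

# Constructed dependency map for the normal DP configuration (bus tie open).
# "all": the item needs every listed supplier; "any": at least one of them.
# Names that never appear as keys (FUEL_GROUP_1, FUEL_GROUP_2, ME_CONTROL_AIR)
# are illustrative root nodes: the two quick closing valve fuel groups and
# the control air supply to the main engine.
NORMAL_DP: Deps = {
    "DG1": ("all", ["FUEL_GROUP_1"]),
    "DG2": ("all", ["FUEL_GROUP_1"]),
    "DG3": ("all", ["FUEL_GROUP_2"]),
    "DG4": ("all", ["FUEL_GROUP_2"]),
    "MSB1": ("any", ["DG1", "DG2"]),
    "MSB2": ("any", ["DG3", "DG4"]),
    # "ME" means "main engine available to DP": loss of control air leaves it
    # at idle speed, which deselects the CPP (T6) from the DP system.
    "ME": ("all", ["FUEL_GROUP_1", "MSB1", "ME_CONTROL_AIR"]),
    "T1": ("all", ["MSB1"]),
    "T5": ("all", ["MSB1"]),
    "T6": ("all", ["MSB1", "ME"]),
    "T2": ("all", ["MSB2"]),
    "T3": ("all", ["MSB2"]),  # BAZ3 is fed from MSB No.2 in the DP set-up
    "T4": ("all", ["MSB2"]),
}
THRUSTERS = {"T1", "T2", "T3", "T4", "T5", "T6"}
WCFDI_GROUPS = [{"T1", "T5", "T6"}, {"T2", "T3", "T4"}]


def lost_items(failed: Iterable[str], deps: Deps = NORMAL_DP) -> Set[str]:
    """Propagate the initial failures until no further item drops out."""
    down = set(failed)
    changed = True
    while changed:
        changed = False
        for item, (mode, needs) in deps.items():
            if item in down:
                continue
            missing = sum(1 for n in needs if n in down)
            if (mode == "all" and missing > 0) or (mode == "any" and missing == len(needs)):
                down.add(item)
                changed = True
    return down


def lost_thrusters(failed: Iterable[str], deps: Deps = NORMAL_DP) -> Set[str]:
    return lost_items(failed, deps) & THRUSTERS


def within_wcfdi(lost: Iterable[str]) -> bool:
    """True when the lost thrusters all belong to one redundancy group."""
    return any(set(lost) <= group for group in WCFDI_GROUPS)


def single_failure_table(deps: Deps = NORMAL_DP) -> Dict[str, List[str]]:
    """Fail every node on its own and record which thrusters are lost."""
    nodes = set(deps) | {n for _, needs in deps.values() for n in needs}
    return {node: sorted(lost_thrusters([node], deps)) for node in sorted(nodes)}


def with_baz3_changeover(deps: Deps = NORMAL_DP) -> Deps:
    """Manual changeover of BAZ3 (T3) to 6.6kV MSB 1, as in 3.1.3.3."""
    moved = dict(deps)
    moved["T3"] = ("all", ["MSB1"])
    return moved


if __name__ == "__main__":
    for node, lost in single_failure_table().items():
        verdict = "within WCFDI" if within_wcfdi(lost) else "EXCEEDS WCFDI"
        print(f"{node:15s} lost: {', '.join(lost) or 'none':12s} {verdict}")
    after = lost_thrusters(["MSB2"], with_baz3_changeover())
    print("MSB2 failed, BAZ3 changed over:", sorted(after))
    both = lost_thrusters(["FUEL_GROUP_1", "FUEL_GROUP_2"])
    print("Both QCV groups closed:", sorted(both), "within WCFDI:", within_wcfdi(both))
```

Closing both quick closing valve groups together is a double failure and takes all six thrusters, which is why the report asks for identification and security of the levers at the fire control station.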

3.1.4

Description

3.1.4.1

The vessel has four diesel generators rated at 6.6kV, 60Hz:
Aux. Diesel Generators: 2 x 5375KVA, 6.6kV, 3ph, 60Hz, HSJ7 913-10P driven by Hyundai Himsen
9H32/40 engine.
Aux. Diesel Generators: 2 x 4125KVA, 6.6kV, 3ph, 60Hz, HSJ 805-10P driven by Hyundai Himsen
7H32/40 engine.

3.1.4.2

The generators are operated in adjustable droop mode for stability in speed control and active load
sharing. Droop mode is used for voltage regulation, which controls the reactive load power sharing.

3.1.4.3

In its operating mode, the alternator converts mechanical energy from the diesel engine into electrical
energy and supplies alternating current to the power distribution system at a constant voltage and
frequency. Active and reactive power demand is shared with other online generators through the engine
governors and AVRs. In most cases, the alternator operates in synchronisation with other online
generators. This synchronisation is maintained by the synchronising torque experienced by each
generator rotor through the interaction of stator and rotor field which is dependent upon the voltage at the
alternator terminals.

3.1.4.4

In normal operations, the generator incomer section will be selected to remote control and the
synchronising function will be initiated by the ICMS.

3.2

AUTOMATIC VOLTAGE REGULATOR

3.2.1.1

The Automatic Voltage Regulators (AVR) are responsible for maintaining system voltage at nominal 6.6kV
and ensuring that each generator carries an equal share of the reactive power.

3.2.1.2

Each generator is fitted with a HDEC-1000 AVR which is used to regulate the level of excitation supplied
to the field of a conventional, brushless, synchronous generator. Regulation is achieved by sensing the
generator output voltage, converting it to a dc signal, and comparing the signal to a reference voltage. An
error signal is developed and used to control the dc field power in order to maintain a constant generator
output.

3.2.1.3

Each regulator includes frequency compensation with selectable slope, inverse-time over excitation
shutdown, build up circuitry, three phase voltage sensing, three phase shunt or permanent magnet
generator power input, parallel droop compensation and an accessory input.

3.3

ENGINE GOVERNOR

3.3.1.1

The vessel is installed with four generators and each generator is fitted with the Woodward UG-25+
Governor which is used to convert electrical input signal to a proportional hydraulic output shaft position to
control engine fuel flow.

3.3.2

Generator Protection

3.3.3

Reference
1. 20114235MHS067-8 6.6kV Switchboard
2. Protective Relay Setting Report

3.3.4

Description

3.3.4.1

Electrical protection for the 6.6kV switchboards uses a microprocessor-based multifunction digital protection
relay, the Hyundai HIMAP-BCG.

3.3.4.2

The HIMAP - BC provides a number of protective functions that are self-resetting once the fault has
cleared. These functions include:
1.

ANSI-25/25A Synchronizing check relay

2.

ANSI-27/59 - Under/over Voltage

3.

ANSI-32 - Reverse Power

4.

ANSI-40 - Loss of excitation relay

5.

ANSI-46 - Negative sequence relay

6.

ANSI-47 - Phase sequence voltage relay

7.

ANSI-50/51 - Overcurrent Protection Relay (Time Delayed)

8.

ANSI 67G - Directional ground relay

9.

ANSI-81 - Frequency relay

10.

ANSI 87 Generator differential protection relay

11.

ANSI-95i - Inrush blocking relay

12.

ANSI-64 Overvoltage ground relay

3.4 6.6KV SWITCHGEAR

3.4.1 Configuration

3.4.1.1 The 6.6kV switchgear can be configured for remote auto or local manual operation.

3.4.2 Description

3.4.2.1 There are two 6.6kV switchboards, separated by a bus tie and equipped with withdrawable type
vacuum circuit breakers (VCBs) 12kV 1250A, HVF2042, Hyundai.


3.4.2.2 The spring loading mechanism of the VCBs requires a 110Vdc supply. The 110Vdc supply is also used for
switchgear control logic, protection relays and indication.

3.4.2.3 Generator controls can be set to LOCAL / REMOTE by a push button on the local D/G control panels,
where engine ENG RUN / ENG SHUTDOWN facilities, voltage / frequency RAISE / LOWER switches
and a protection alarm reset push button will be available.

3.4.2.4 Voltage and current transformers will be equipped for protection, instrumentation and control.

3.4.2.5 For indication to the operator, the following interface signals are received by the ICMS via RS-485 serial
communication from the MV MSB:

1. Generator voltage
2. Generator frequency
3. Power factor
4. Generator current

3.4.2.6 Each switchboard (MSB 1 and MSB 2) has two generator sections and one synchronising section with all
the necessary controls and instrumentation within the switchboard.

3.4.2.7 Generator circuit breakers can be operated in remote and local modes. The remote/local selector
switch is located on the generator section of the switchboard.

1. Remote (Automatic): The generator circuit breaker is controlled (opened / closed) by the ICMS and
synchronisation is carried out automatically by the HIMAP-BC for the respective generator.

2. Local (Manual): The generator speed and volts are controlled by local operation in front of the
switchboard by using the frequency meter, voltage meter, synchroscope and RAISE / LOWER
pushbuttons. When the volts and frequency are within tolerance to the bus and the check sync
relay in the synchronising section confirms synchronisation, the generator CLOSE pushbutton can
be operated to close the breaker.

3.4.3 Failure Modes of the Generator and Switchboard

3.4.3.1 The significant failure modes of the generator are taken to be:

1. Severe line and/or phase voltage imbalance.
2. Severe line current imbalance.
3. Under voltage.
4. Over voltage.
5. Under frequency.
6. Over frequency.
7. Earth fault.
8. Loss of synchronisation - pole slipping.
9. Spurious operation.
10. Failure to open the breaker under remote or manual control.
11. Failure to zero or insufficient excitation.
12. Failure to full or excess excitation.
13. Failure of governor to zero or insufficient fuel.
14. Failure of governor to full or excess fuel.


3.4.4 Failure Effects of the Generator and the Switchboard

3.4.4.1 Severe line / phase voltage imbalance: This failure mode could be caused by a severe phase to phase
short circuit within the stator winding or a similar electrical fault. The generator should be tripped by the
overcurrent protection but the remaining generator on the main switchboard (operating open bus) will
experience a very severe voltage dip. There is a possibility that the remaining generator trips, which might
black out one main switchboard.

3.4.4.2 Severe line current imbalance: This could occur as a result of a broken terminal within the generator
terminal box. Such a fault will cause an imbalance in the line currents supplied by any generators
operating in parallel with the faulty set. Broken conductors are an unlikely failure mode in a MV power
system and when they do occur they may well cause other failure effects which would lead to tripping of
generators and loads.

3.4.4.3 Under voltage: A sustained under-voltage should not occur as the result of a fault within a single generator
when generators are operating in parallel but may occur when only one generator is operating on one
main switchboard. The generator automatic voltage regulators (AVRs) should maintain the power plant at
a constant voltage and have their own in-built protection. Should a prolonged under voltage occur,
generators connected to that switchboard section will be tripped by their under voltage protection.

3.4.4.4 Over voltage: This condition may occur in extreme cases even when the generators are operating in
parallel. It will usually be associated with a failure of the automatic voltage regulator. Generators are
equipped with over-voltage protection. This may black out one switchboard section.

3.4.4.5 Under frequency: This condition should not occur as the result of a fault within a single generator when the
set is operating in parallel with others but may occur when the generator is operating on its own. If a
prolonged under frequency event occurs when generators are operating in parallel, all generators
connected to that switchboard will be tripped.

3.4.4.6 Over frequency: This condition could occur in very severe cases if the governor on one engine failed to
the excess fuel condition. This may result in blackout of the switchboard section.

3.4.4.7 Earth fault: This could occur as the result of an electrical fault within the generator and / or its cables. The
faulty generator should be tripped offline by its directional earth fault protection.

3.4.4.8 Loss of synchronism - pole slipping: This failure effect normally occurs in machines with weak excitation,
which would be detected by the generator protection. However, it may also occur as the result of a severe
mechanical problem in the alternator or engine which causes the rotor to lose synchronism with the stator
field. The effect would be large voltage and current fluctuations. Loss of more than one generator or
blackout of one main switchboard cannot be ruled out without more detailed study but the probability of
this type of failure is generally considered to be remote in a well maintained plant.

3.4.4.9 Spurious operation: The effect of spurious operation of protection depends on the protective function. If
protection spuriously trips a generator offline, the effect should not affect station keeping. If only one DG is
connected this could black out one switchboard section.

3.4.4.10 Failure to open under remote or manual control could occur due to a bad connection, but would not lead
immediately to a loss of position. There is a monitoring relay on the closing coil, which reduces the
probability of this occurring, but a mechanical/trip circuit problem cannot be ruled out.

3.4.4.11 Failure to zero or insufficient excitation: This would generally cause the alternator to shed VARs or draw
VARs from the network with the potential to trip other generators on over current. The AVR and the
generator control and protection relay have facilities to trip the CB when the failures are detected. This
protection will trip the generator off line in the event that the excitation system fails to low output. Any
number of faults can lead to this failure mode. Imbalance faults will be detected by VMS and cause the
engine to be taken off line manually after another set has been started.

3.4.4.12 Failure to full or excess excitation: This would generally cause the generator to take reactive power from the
other generators and has the potential to force healthy generators to trip on loss of excitation protection
depending on the level of reactive load present at the time of failure. Whether the faulty generator actually
has the capacity to acquire the total system reactive power and force the healthy generators to the
operating point of their loss of excitation protection depends on the operating power factor of the plant.


3.4.4.13 Failure of governor to zero or insufficient fuel: This would require the electronic governor to fail to minimum
output signal to shut down fuel admission. Such a failure could potentially occur in the actuator drive
circuit. As a result the generator would trip off line and initiate the PMS connection of a standby
generator. Provided the vessel was operating with adequate spinning reserve, the loss of one generator
should not lead to loss of position although it could lead to high loading on the other online generator
resulting in load shedding functions.

3.4.4.14 Failure of governor to full or excess fuel: This would require the electronic controller to fail to maximum
output or for the engine fuel system to fail high. However, this is unlikely to happen. If the controller failed in
such a way that the faulty generator was carrying more load than others but still responding to low load
changes then the faulty engine may overload before the full capacity of other generators is reached. This
may cause imbalanced load sharing and would lead the healthy generator to shed load and cascade fail;
therefore a blackout cannot be ruled out.

3.4.5 Common Mode Failures Affecting Generators and Switchboard

3.4.5.1 For all the generators connected to a common bus, there is the potential for them to be affected by way of
that common bus. For example: short circuit, load sharing failure or overload. The vessel's power plant is
configured with a two-way split while operating in DP. Therefore in the event of common mode failure of
the protection system, the effect could not exceed loss of half of the power plant.

3.4.5.2 All generators are in a common engine room so they share ventilation and the maximum power capability
may be affected by air pressure reduction due to ventilation shutdown. Refer to section 2.10 for more
details.

3.4.6 Hidden Failure Affecting Generators and Switchboard

3.4.6.1 This section considers the potential effect of failure of the protection to operate. The effect will depend on
the protective function that fails to operate and the nature of the failure. Routine testing of protection
equipment is acceptable mitigation for all the failures.

3.4.6.2 As circuit breakers operate infrequently, faults may only be revealed when the circuit breaker is ordered to
open/close or trip. The following failure modes could remain hidden until the switchgear is required to be
operated:

1. Failure to open under remote or manual control.
2. Failure to close under remote or manual control.
3. Failure to trip under protection control.

3.4.7 Configuration Errors That Could Defeat Redundancy

3.4.7.1 Putting the 6.6kV bus tie in the closed position will be a configuration error that could defeat the redundancy
concept.

3.4.8 Maloperation of the Generator Protection and Controls

3.4.8.1 The correct operation of the generator protection depends on correct design and periodic checking.
Provided the protection devices are programmed correctly there are few possibilities for maloperation. It is
assumed that the vessel is being operated by competent engineers and that the protection devices will be
tested with sufficient regularity to provide confidence that they will work when required.

3.4.9 Worst Case Failure

3.4.9.1 Generator failure may cause severe disruption to the power supply to the thrusters on an individual bus
section. The worst case failure will be an alternator failure, whose effect will not exceed the loss of one
individual 6.6kV switchboard, as the switchboards are configured to operate with a split bus bar.


POWER MANAGEMENT

4.1 INTRODUCTION

4.1.1 Reference

4.1.1.1 1221635 Rev A - Functional Description K-Chief 600 Power Management System

4.1.2 Description

4.1.2.1 The Power Management System (PMS) is a programmable hardware module integrated within the
ICMS (Integrated Control and Monitoring System). The C4 modules are programmable units for controlling
generator plants with various switchboard configurations.

4.1.2.2 It is designed for remote operation of auxiliary engines with generators, breakers in the MSB, shaft
generators and heavy consumers to control the power plant in such a way that there is sufficient power
available for consumers while at the same time making adequate contingency for increasing load or loss of
generating capacity.

4.1.2.3 In the event that the vessel blacks out, the PMS is programmed to restore the power supply as rapidly as
possible so that any loss of position as a result of the full or partial blackout is minimised.

4.1.3 Power management system functionality

4.1.3.1 The PMS has the following functions:

1. Remote start/stop of auxiliary engine, both in auto and semi-auto modes.
2. Remote and automatic control of generator breakers; connect, unload and disconnect, as well as
synchronizing.
3. Remote and automatic control of bus tie breakers; connect, disconnect and synchronizing.
4. Frequency and load control (increase/decrease) of generators in auto mode.
5. Symmetric and asymmetric load sharing between generators in auto mode.
6. Load dependent start and stop of stand-by generators.
7. Automatic stop after cooling down time of DGs.
8. Changeover function from a faulty DG to a stand-by DG by change over alarms.
9. Automatic start and connect at blackout.
10. Control of heavy consumers, start request and start granted.
11. Stand-by selection and auto-start/connection of DGs.
12. Calculation of generator values (kW, kVA, kVAr, cos φ).

4.1.4 Interlocks

4.1.4.1 If the breaker has a local/remote signal, the CB will be interlocked to connect and disconnect when the CB
is set to local.

4.1.4.2 If the CB does not have local/remote switch, PMS will consider the CB as remote.

4.1.4.3 The table below shows the interlocks included in the PMS software (with reference to Figure 1-3):
Table 4-1 PMS software Interlock functionality

O | Interlock with 10sec delay, to connect all bus ties and transformers breakers in close loop. It is possible to connect all CBs. However, the system will disconnect the last connected CB within 10sec, if another CB is not disconnected before. | MBT, HR1, LR1, LBT, HR2, LR2
LR1 | Interlocked when HR1 opened |
LR2 | Interlocked when HR2 opened |
LBT | Interlocked when bus synchronisation necessary |
CB not ready | In case CB is in test position or has tripped, MSB sets CB Not ready signal to true and PMS uses that status for CB interlock | MTB, HR1, HR2, STERN A, BOWT1, BOWT2, BOW A1, BOW A2, STERN T

4.1.4.4 The starting of an Auxiliary Engine (AE) is blocked if local control is selected for the engine, if a shut down
condition is detected for the actual generator engine or other start interlocks are included.

4.1.5 Load Dependent Start / Stop

4.1.5.1 In general, this vessel is configured so that all the generators are running during DP operation.

4.1.5.2 Therefore the load dependent start/stop function is not applicable.

4.1.6 Balanced / Unbalanced Load Sharing

4.1.6.1 The power management system can be operated in three modes of load distribution between the
generators.

1. Balanced load sharing. (Symmetric load sharing)
2. Unbalanced mode. (Asymmetrical load sharing)

4.1.6.2 Balanced load sharing is the mode in which both generators have the same percentage load set point. When
in this mode, the load of each generator in parallel running has the same power ratio. Symmetric load
sharing is the default setting in the PMS.

4.1.6.3 Unbalanced Mode (Asymmetrical load sharing) is the mode when only two generators are connected to
the network. This function will run one generator at high load (70%) for 20 minutes, while the second
generator is operating at low load (minimum 20%, adjustable limits). After 20 minutes the generators
switch load set-point.

4.1.6.4 During DP operation, the MV switchboard bus tie is open and each bus bar is powered by two generators.
Therefore balanced load sharing mode could be chosen so that both generators share the same load.

4.1.7 Frequency Control

4.1.7.1 The governors are usually set to droop mode. PMS sends increase or decrease signals to the governor to
control frequency and load for the DGs. Outputs from PMS can be connected to the motor potentiometer
in the MSB or directly to the digital input on the electronic speed governor. All governors must have the
same droop settings.

4.1.8 Blackout Prevention

4.1.8.1 A blackout condition is defined as no voltage ( 10%) being measured on the bus bars in the MSB with all
generator breakers disconnected.

4.1.8.2 The main purpose of any power management system is to ensure that the operation of the power plant is
safe and reliable. Maintaining a stable source of power for the electrically driven thrusters is of particular
concern for a DP vessel. Prevention of blackouts is the main objective of any PMS on a DP vessel.

4.1.8.3 The ICMS PMS system offers a number of functions to achieve this objective, including:

1. Non essential trip by the PMS.
2. Load reduction / limitation by the DP system.
3. Heavy consumer start blocking.

4.1.9 Non essential trip

4.1.9.1 Trip of non essential consumers will be executed if any one of the conditions below is true:

1. If the bus bar frequency is below 55 Hz (delay 10 sec).
2. If generator load (kW or current) is above 100% of nominal load/current (delay 20 sec).
3. If generator load (kW or current) is above 107% of nominal load/current (instantaneous trip).
4. If a generator trips during parallel run and the remaining generator gets overloaded.
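
The four conditions in 4.1.9.1 mix delayed and instantaneous criteria, so whether a given disturbance sheds non essential load depends on how long it lasts. The following Python example is added here and is not code from the PMS or from this report; it evaluates the conditions over sampled readings. The 1 s records, the 60 Hz nominal frequency, the reason codes and the reading of "overloaded" in condition 4 as above 100% with no delay are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds and delays quoted in 4.1.9.1.
FREQ_LOW_HZ, FREQ_DELAY_S = 55.0, 10.0
LOAD_HIGH_PCT, LOAD_DELAY_S = 100.0, 20.0
LOAD_INSTANT_PCT = 107.0


@dataclass
class Sample:
    t: float                    # seconds since start of record
    bus_hz: float               # bus bar frequency
    load_pct: Dict[str, float]  # connected generators only, % of nominal load


def non_essential_trip(samples: List[Sample]) -> Optional[Tuple[float, str]]:
    """Return (time, reason code) of the first non essential trip, else None."""
    freq_since: Optional[float] = None   # when the frequency first dropped below 55 Hz
    load_since: Optional[float] = None   # when a generator first exceeded 100 %
    prev_online: Optional[set] = None
    for s in samples:
        online = set(s.load_pct)
        peak = max(s.load_pct.values(), default=0.0)

        # Condition 3: above 107 % trips without delay.
        if peak > LOAD_INSTANT_PCT:
            return (s.t, "load_instant")

        # Condition 4: a generator left a parallel run and the remaining one(s)
        # are overloaded (assumed here: above 100 %, no delay).
        if prev_online is not None and len(prev_online) > 1:
            if (prev_online - online) and online and peak > LOAD_HIGH_PCT:
                return (s.t, "gen_trip_overload")

        # Condition 1: frequency below 55 Hz continuously for 10 s.
        if s.bus_hz < FREQ_LOW_HZ:
            if freq_since is None:
                freq_since = s.t
            if s.t - freq_since >= FREQ_DELAY_S:
                return (s.t, "freq_low")
        else:
            freq_since = None  # the timer restarts once the frequency recovers

        # Condition 2: load above 100 % continuously for 20 s.
        if peak > LOAD_HIGH_PCT:
            if load_since is None:
                load_since = s.t
            if s.t - load_since >= LOAD_DELAY_S:
                return (s.t, "load_high")
        else:
            load_since = None

        prev_online = online
    return None


def constructed_scenarios() -> Dict[str, List[Sample]]:
    """Constructed 40 s records for one bus section with DG1 and DG2 connected."""
    def rec(hz, load):
        return [Sample(float(t), hz(t), load(t)) for t in range(40)]

    def both(pct):
        return {"DG1": pct, "DG2": pct}

    return {
        "short_dip": rec(lambda t: 54.5 if 5 <= t < 13 else 60.0, lambda t: both(60.0)),
        "sustained_dip": rec(lambda t: 54.5 if t >= 5 else 60.0, lambda t: both(60.0)),
        "slow_overload": rec(lambda t: 60.0, lambda t: both(103.0 if t >= 3 else 80.0)),
        "gross_overload": rec(lambda t: 60.0, lambda t: both(108.0 if t >= 4 else 80.0)),
        "gen_trip": rec(lambda t: 60.0,
                        lambda t: both(52.0) if t < 6 else {"DG1": 104.0}),
    }


if __name__ == "__main__":
    for name, record in constructed_scenarios().items():
        print(f"{name:15s} -> {non_essential_trip(record)}")
```

The short frequency dip recovers before the 10 s delay expires and causes no trip, which is the behaviour a proving trial would need to distinguish from a sustained under frequency.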

4.1.10 DP System Power Limitation

4.1.10.1 The DP system will limit the thruster speed orders in case the load on the corresponding bus section
exceeds the user-defined setpoint. This function uses the status of all the switchboard tie-breakers and
generator power readings to determine power available for each thruster. It is set up to limit thrusters when
reaching 100% of the maximum available load on a power bus.

4.1.10.2 Note that this function will not be able to handle very quick load variations; the PMS is designed to limit the
power in the ship load faster. This system will work in both the dynamic position automatic control mode
as well as the DP manual thruster control mode (joystick control). An event alarm on the DP system will
be given when the load limitation has been activated.

4.1.11 Heavy Consumer Start Blocking

4.1.11.1 Upon a start request from the ICMS system, the PMS will check whether the available power is sufficient to
allow starting of an electric motor. If not, a standby generator start request is given. When the capacity of
the power plant is sufficient and other start conditions are fulfilled, the electric motor start order is given. If
sufficient capacity is not reached within the specified time-out, the motor start order is timed out.

4.1.11.2 The heavy consumer start block function is a fundamental part of the PMS functions; therefore there is no
selection for it.

4.1.12 Blackout Restart

4.1.12.1 In the event of a blackout on either MV MSB No.1 or MV MSB No.2, all outgoing feeders to thrusters and
distribution transformers will trip by under voltage protection. The bus tie breakers of the 6.6kV
switchboards remain open as per the DP configuration.

4.1.12.2 6.6kV switchboard reconnection: The PMS system will restore power after a blackout situation in a
predetermined sequence. All available diesel generators will be started in a sequence. The first generator
to start will be the first to connect, independent of standby number. After the switchboards are powered up
again, the reconnection of the 6.6kV feeder breakers will be automatically initiated.

4.1.12.3 Theoretically, a blackout exceeds the WCFDI and consideration of this scenario is outside the scope of a
DP system FMEA. Blackout recovery should only ever need to operate on one switchboard section.

4.1.13 Failure Modes of the PMS

1. Failure of load sharing function.
2. Failure of PMS.
3. Spurious disconnection of a running generator.

4.1.14 Failure Effects of the PMS

4.1.14.1 Failure of load sharing function: Failure of the load sharing function might result in unbalanced load, with the
possibility that a generator will operate in reverse power and trip its breaker. This could lead to loss of
one of the MV MSBs, either No.1 or No.2, which would not exceed the worst case failure design intent.

4.1.14.2 Failure of PMS: Failure of the PMS will not result in any breaker tripping and it will not
black out the switchboard or have any effect on the vessel. An alarm will be initiated upon failure of the
PMS.

4.1.14.3 Spurious disconnection of a running generator or thruster: Choosing a different mode during DP
operations could cause spurious disconnection of an online generator or thruster. This could lead to loss of
one of the MV MSBs, either No.1 or No.2, which would not exceed the WCFDI.

4.1.15 Hidden Failures of PMS

4.1.15.1 As with any protective function there may be no warning that anything is wrong until the function fails to
operate on demand.

4.1.16 Maloperation and Configuration Errors of the PMS

4.1.16.1 PMS control mode is chosen based on the operation. Spuriously choosing a mode may cause tripping
of the breakers.

4.1.17 Worst Case Failure - Power Management System

4.1.17.1 Most failures associated with the power management functions of the ICMS are failure to perform its
function or having a counter-productive interaction with the functions of other equipment.

4.1.17.2 The worst case failure identified in this analysis would not affect position keeping if the vessel is operated
within its environmental limitations.


POWER DISTRIBUTION

Figure 5-1 Simplified Single Line Drawing of Power Distribution
[Single line diagram showing DG1 to DG4, 6.6kV MSB 1 and MSB 2 with bus tie MBT, 440 MSB 1 and MSB 2 with bus tie LBT, the main and emergency transformers, the emergency switchboard with EG and breakers EB1 to EB4, and the feeders of each board; drawing not reproduced in this text.]


5.1 OVERVIEW OF THE POWER DISTRIBUTION SYSTEM

5.1.1 References

1. One Line Diagram, DWG No: 200E163040EB
2. Electric Load Analysis DWG No: 200E163020EB
3. Wiring Diagram Of Power System. DWG No: 200E163010EB
4. High Voltage Switchboard DWG: 20114235 MHSO67-8
5. Low Voltage Switchboard. DWG: 200114235MMS149-5
6. Emergency Switch Board. DWG: 14235MEO158-9

5.1.2 Description

5.1.2.1 Refer to Figure 5-1. The 6.6kV bus consists of two main switchboard sections, MV 6.6kV No.1 and MV
6.6kV No.2, and is operated with a split bus bar during DP operation. The power distribution configuration for
the thrusters is as follows:

i. 6.6kV MSB No.1: Bow tunnel thruster (BT1), Stern tunnel thruster (ST5)
ii. 6.6kV MSB No.2: Bow tunnel thruster (BT2), Bow azimuth thruster 3 (BAZ3), Stern azimuth
thruster (SAT4)

5.1.2.2 In the 440V LV switchboard a 2-way split exists, separated by a single bus tie into LV 440V No.1 and LV
440V No.2. LV 440V No.1 and No.2 are fed from their respective MV switchboard. The emergency
switchboard is fed from LV 440V No.1 or from LV 440V No.2.

5.1.3 Worst Case Failure Design Intent

5.1.3.1 The worst case failure will be a fault on 6.6kV main switchboard No.1, which results in the loss of three
thrusters: one bow tunnel thruster, one stern tunnel thruster and the main propeller.

5.1.4 Configuration for DP

5.1.4.1 The normal configuration while in DP is to run the vessel with a two-way split. Please refer to the
simplified diagram in Figure 5-1. The positions of the breakers are given below:

1. Bus tie MBT is opened so that switchboards 6.6kV MSB No.1 and 6.6kV MSB No.2 are
disconnected.
2. Bus tie LBT is opened so that switchboards 440V MSB No.1 and 440V MSB No.2 are disconnected.
3. Breakers EB3 and EB4 are closed so that the 440Vac ESB is connected to 440Vac MSB No.1.
4. The ME and engine pump configuration for the DP mode is given below in Table 5-1; the words in
bold will be the pump on duty during DP operation.

Table 5-1 Power supplies for the essential equipments

MV Switchboard: MV-1 | MV-2
Service Tank: MGO | MDO
DG: DG1, DG2 | DG3, DG4
Thrusters: BT1, ST5 | BT2, BAZ3, SAT4
LV switchboard: LV-1 | LV-2
MCC Boards: LGSP No.1A, LGSP No.2, LGSP No.3, LGSP No.4, LGSP No.5, LGSP No.6A, LGSP No.7, PD-1, PD-2 | LGSP No.1B, LGSP No.3, LGSP No.4, LGSP No.5, LGSP No.6B, LGSP No.7, PD-3

FW Cooling:
LV-1:
- No.1 ME Jacket CFW Pump (Duty)
- No.1 Central Cool FW Pump (Duty)
- No.1 GE CFW Pump (Duty)
- No.2 GE CFW Pump (Standby)
- Sec.1 FWD Thruster C.F.W Pump 1 (Duty)
- Sec.1 FWD Thruster C.F.W Pump 2 (Standby)
LV-2:
- No.2 ME Jacket CFW Pump (Standby)
- No.2 Central Cool FW Pump (Standby)
- No.3 GE CFW Pump (Duty)
- No.4 GE CFW Pump (Standby)
- Sec.2 FWD Thruster C.F.W Pump 1 (Duty)
- Sec.2 FWD Thruster C.F.W Pump 2 (Standby)

SW Cooling:
LV-1:
- Aux.C.S.W.Pump
- No.1 Main / Vac. Conditioning CSW Pump
- No.1 GE C.S.W Pump
- No.2 GE C.S.W Pump
- Sec.1 FWD Thruster C.S.W Pump No.1
- Sec.1 FWD Thruster C.S.W Pump No.2
LV-2:
- No.2 Main / Vac. Conditioning CSW Pump
- No.3 GE C.S.W Pump
- No.4 GE C.S.W Pump
- Sec.2 FWD Thruster C.S.W Pump No.1
- Sec.2 FWD Thruster C.S.W Pump No.2

LO:
LV-1:
- No.1 Main LO Pump
- No1,2,3 G/E L.O Priming Pump (EPD-1)
- No.1 ME Hyd. Start up pump Standby
LV-2:
- No.2 Main LO Pump
- GE No.4 LO Priming Pump (MSWB No.2 Feeder Panel)
- No.2 ME Hyd. Start up pump Standby

FO:
LV-1:
- No.1 ME FO Circulation Pump
- No.1 ME FO Supply Pump
- No.1 GE DO Supply Pump
- No.2 GE DO Supply Pump
LV-2:
- No.2 ME FO Circulation Pump
- No.2 ME FO Supply Pump
- No.3 GE DO Supply Pump
- No.4 GE DO Supply Pump

CA:
LV-1:
- No.2 Main Air Compressor (ESB)
LV-2:
- No.1 Main Air Compressor (LGSP-5B)
- No.2 Service Air Compressor
- Control Air Compressor

Vent / HVAC:
LV-1:
- No.2 E/R Vent. Fan (Reversible)
- No.3 E/R Vent. Fan (Non-Reversible)
- No.1 ECR Package Air Cond Unit
- No.1 Swbd Room Package Air Conditioning Unit
- Bow Thruster room Supply Fan (ESB)
- No.1 Pump Room Exh. Fan (Stbd) (LGSP-6A)
- No.1 WH Package Air Conditioning Unit (LGSP-6A)
LV-2:
- No.2 ECR Package Air Cond Unit
- No.2 Swbd Room Package Air Conditioning Unit
- No.4 E/R Vent. Fan (Non-Reversible)
- No.2 Pump Room Exh. Fan (Port)
- No.2 W/H Package Air Conditioning Unit

CPP:
LV-1:
- Propeller CPP Hyd. Pump unit No.1 and No.3 (PD-2)
- No.2 Steering Gear (EMCY SWB)
- EM,CY CPP Hyd Pump Starter (EMCY SWB)
- EM,CY CPP Hyd Filter (EMCY SWB)
LV-2:
- Propeller CPP Hyd. Pump unit No.2 and No.3 (PD-3)
- No.1 Steering Gear Starter

Stern tunnel:
LV-1:
- No.5 Stern Thruster HPP Starter For Servo Pump No.1 (A7, LGPS-2)
- No.5 Stern Thruster HPP Starter For Servo Pump No.2 (A8, LGPS-2)
- No.5 Stern Thruster Oil Filtration Pump Unit (LGPS-2)
LV-2:

Stern Azi:
LV-1:
LV-2:
- No.4 Stern Azimuth Thruster HPP Starter (A7)
- No.4 Stern Thruster HPP Starter (A8)
- SAZ4 Circ. Pump (A9)

Bow Azi:
LV-1:
- No3 Thruster Oil Filtration Pump (LGSP-1A)
- No3 Thruster HPP Starter (A7, LGSP-1A)
- No3 Thruster HPP Circ. Starter (A9, LGSP-1B)
LV-2:
- No3 Thruster Oil Filtration Pump (LGSP-1B)
- No3 Thruster HPP Starter (A7, LGSP1B)
- No3 Thruster HPP Circ. Starter (A9, LGSP-1B)

Bow tunnel 1 & 2:
LV-1:
- No1 Thruster HPP Starter (A7) LGSP-1A
- No1 Thruster HPP Starter (A8) LGSP-1A
- No1 Thruster Oil Filtration Pump (A7) LGSP-1A
LV-2:
- No2 Thruster HPP Starter (A7) LGSP-1B
- No2 Thruster HPP Starter (A8) LGSP-1B
- No2 Thruster Oil Filtration Pump (A7) LGSP-1B

05-M07-3166-Rep-001

SUNGDONG

5.2
5.2.1

157K SHUTTLE TANKER

DP SYSTEM FMEA

6.6KV DISTRIBUTION SYSTEM


Reference
1.

One Line Diagram, DWG No: 200E163040EB

2.

Electric Load Analysis DWG No: 200E163020EB

3.

Wiring Diagram of Power System. DWG No: 200E163010EB

4.

High Voltage Switchboard DWG: 20114235 MHSO67-8

5.

Low Voltage Switchboard. DWG: 200114235MMS149-5

6.

Emergency Switch Board. DWG: 14235MEO158-9Redundancy concept

5.2.1.1

The redundancy concept at the power generation level is based on the distribution 6.6kV MV-level. The
worst case failure is the loss of three thrusters due to failure of 6.6KV MSB No.2.

5.2.1.2

Table 5-2 shows the distribution of MV generators.


Table 5-2

Distribution of MV generators and consumers

Switchboard | Connected Generator | Connected Thruster              | Other Consumers
MV No.1     | DG 1 & DG 2         | BT1 (Bow Tunnel 1)              | LV 440V No.1
            |                     | BAZ3 (Bow Azimuth Thr) (St:By)  |
            |                     | ST5 (Stern Tunnel 1)            |
MV No.2     | DG 3 & DG 4         | BT2 (Bow Azimuth Thr)           | LV 440V No.2
            |                     | BAZ3 (Bow Azimuth Thr) (Main)   |
            |                     | SAT4 (Stern Azimuth Thr)        |

5.2.2

Loss of supply to LV Distribution

5.2.2.1

Loss of MV MSB 1 or MV MSB 2 causes the loss of a 440V auxiliary switchboard. Even though the vessel
has automatic changeovers for the engine and CPP pump supplies, Class has recommended running all
three (3) CPP pumps in DP mode (Cap: P1, P2 = 30% and P3 = 40%; P1 and P2 variable displacement,
P3 fixed). In case of a loss of power to one of the Main Engine CPP hydraulic pumps the CPP
may maintain operation. However, the steering gear pumps do not have an auto changeover function and
must be changed over manually. The configuration of the breakers for the bus tie, engine pumps and
thruster pumps is stated in Table 5-1. The words in bold indicate the main pump, while the other pump
works as hot standby.

5.2.3

Loss of supply to thrusters

5.2.3.1

Loss of MV 6.6KV No.1 will lead to loss of BT1, ST5 and CPP6. The vessel is still able to maintain position
with the remaining thrusters and prevailing environment.

5.2.3.2

Loss of MV 6.6kV No.2 will lead to the loss of BT2, BAZ3 and SAZ4. However, BAZ3 can be manually
changed over to MV 6.6kV No.1; during the changeover process, the vessel is still able to maintain
position with the remaining thrusters: one bow thruster, one stern tunnel thruster, CPP and Rudder.

5.2.4

Failure Modes of the 6.6kV Distribution System

5.2.4.1

The significant failure modes of the 6.6kV distribution system are taken to be:
1. Catastrophic electrical failure of the switchboard.
2. Spurious trip of one thruster feeder.
3. Spurious trip of one transformer feeder.

5.2.5

Failure Effects of the 6.6kV Distribution System

5.2.5.1

Catastrophic electrical failure of the switchboard: The MV switchboard operates as a two-way split during DP
operation. Therefore catastrophic electrical failure of the switchboard will not exceed the WCFDI.
Failure of MV No.1: Loss of BT1, ST5, secondary power supply to BAZ3 and 440Vac MSB 1 consumers.
Failure of MV No.2: Loss of BT2, BAZ3 and SAT4 and 440Vac MSB 2 consumers.

5.2.5.2

Spurious trip of one thruster feeder: This should not lead to a critical situation as the vessel should
always be operated in such a way that the failure of a single thruster can be tolerated.

5.2.5.3

Spurious trip of main transformer No.1 feeder: Loss of power supply to 440V MSB No.1 should cause the
automatic changeover of the essential engine pumps; however, the rudder standby hydraulic pump has to
be manually changed over. If no manual intervention is to be taken by the DP operator, consideration may
be given to operating both steering gear pumps during the DP operation.

5.2.5.4

Spurious trip of main transformer No.2 feeder: Loss of power supply to 440V MSB No.2 should cause the
automatic changeover of the essential engine pumps and the auto changeover of thruster BAZ3, but the
rudder standby hydraulic pump has to be manually changed over. It is assumed that the thrusters still
continue operating. Therefore consideration may be given to running both steering gear pumps during the DP
operation.

5.2.6

Hidden Failures of the 6.6kV Distribution System

5.2.6.1

Since the bus tie is opened in the 6.6kV distribution system, failure of the switchboard protection will not
exceed the results of the worst case of the design intent. However, periodical switchboard maintenance
and protection testing is sufficient mitigation against hidden failures of protective functions.

5.2.7

Common Mode Failures Affecting the 6.6kV Distribution System

5.2.7.1

Since the 6.6kV main switchboard is operating with an open bus tie, the only failures that have been
identified affect only one of the two 6.6kV MV switchboard sections, which is equal to the WCFDI.

5.2.8

Worst Case Failure of the 6.6kV Distribution System

5.2.8.1

The worst case failure of the 6.6KV distribution system will be failure of 6.6KV MSB No.1, which results in
the loss of BT1, ST5 and CPP6. The vessel is still able to maintain position, but this depends on the
prevailing environment.
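
The failure-effect reasoning of 5.2.3 to 5.2.8 can be checked mechanically against the WCFDI groups given in the report summary. The Python below is an added example, not part of the GL Noble Denton report: thruster tags follow the report, while the bus labels MV1/MV2, the function names and the worst-case treatment of a closed bus tie (a fault takes both sections down) are assumptions made for illustration.

```python
"""Single-failure check for the 6.6 kV two-way split (added illustration)."""

# Thruster feeds as stated in 5.2.3: tag -> (normal bus, alternate bus or None).
# "MV1"/"MV2" are labels assumed here for MV 6.6kV No.1 and No.2.
FEEDS = {
    "BT1": ("MV1", None),
    "ST5": ("MV1", None),
    "CPP6": ("MV1", None),
    "BT2": ("MV2", None),
    "BAZ3": ("MV2", "MV1"),  # main on No.2, standby on No.1 via manual changeover
    "SAZ4": ("MV2", None),
}

# WCFDI thruster groups from the report summary (T1..T6 mapped to the tags above).
WCFDI_GROUPS = (
    frozenset({"BT1", "ST5", "CPP6"}),
    frozenset({"BT2", "BAZ3", "SAZ4"}),
)


def dead_buses(faulted_bus, bus_tie_closed=False):
    """Return the set of bus sections de-energised by a fault on one section.

    Assumption: with the bus tie closed the fault is not cleared selectively
    and both sections are lost. With the tie open the fault stays on one side.
    """
    if faulted_bus not in ("MV1", "MV2"):
        raise ValueError(f"unknown bus: {faulted_bus}")
    return {"MV1", "MV2"} if bus_tie_closed else {faulted_bus}


def lost_thrusters(faulted_bus, bus_tie_closed=False, manual_changeover_done=False):
    """Return the thrusters unavailable after a fault on `faulted_bus`."""
    dead = dead_buses(faulted_bus, bus_tie_closed)
    lost = set()
    for tag, (normal, alternate) in FEEDS.items():
        if normal not in dead:
            continue  # normal supply is still healthy
        if manual_changeover_done and alternate and alternate not in dead:
            continue  # recovered on the alternate supply
        lost.add(tag)
    return lost


def exceeds_wcfdi(lost):
    """True if the lost set is not contained in any single WCFDI group."""
    return not any(set(lost) <= group for group in WCFDI_GROUPS)


def analyse():
    """Evaluate every bus fault for both bus-tie configurations."""
    rows = []
    for tie_closed in (False, True):
        for bus in ("MV1", "MV2"):
            lost = lost_thrusters(bus, bus_tie_closed=tie_closed)
            rows.append((bus, tie_closed, sorted(lost), exceeds_wcfdi(lost)))
    return rows


if __name__ == "__main__":
    for bus, tie_closed, lost, exceeded in analyse():
        state = "closed" if tie_closed else "open"
        verdict = "EXCEEDS WCFDI" if exceeded else "within WCFDI"
        print(f"fault on {bus}, bus tie {state}: lost {lost} -> {verdict}")
```

With the bus tie open every single bus fault stays inside one WCFDI group; under the closed-tie assumption the same fault removes all six thrusters, which is the configuration error the open-tie requirement guards against.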

5.3

LV DISTRIBUTION SYSTEM

5.3.1

Reference
1. One Line Diagram, DWG No: 200E163040EB
2. Electric Load Analysis DWG No: 200E163020EB
3. Wiring Diagram Of Power System. DWG No: 200E163010EB
4. High Voltage Switchboard DWG: 20114235 MHSO67-8
5. Low Voltage Switchboard. DWG: 200114235MMS149-5
6. Emergency Switch Board. DWG: 14235MEO158-9

5.3.2

Location

5.3.2.1

The main 440V switchboard is located in the switchboard room.

5.3.2.2

The emergency switchboard is located in the emergency genset room.

5.3.3

Redundancy Concept

5.3.3.1

The redundancy concept of the distribution system is based on a two-way split, in which LV 440Vac No.1
and LV 440Vac No.2 are supplied from 6.6kV switchboards No.1 and No.2 respectively. The WCFDI is the
loss of one of the 440Vac bus bars, with the loss of one of the thrusters' hydraulic pumps and the engines'
main pumps; however, all the pumps are backed up by a standby pump from the other bus bar. On failure of
either 440V switchboard the pumps will auto changeover, except the steering gear pumps.

5.3.4

440V Distribution

5.3.4.1

The 440V distribution system is based on a two-way split in which LV 440Vac No.1 and LV 440Vac No.2 are
supplied from 6.6kV switchboards No.1 and No.2 respectively. Refer to Tables 5-3 and 5-4 for details of
the power distribution to the consumers.

5.3.4.2

The 6.6KV / 440V step-down transformers are air cooled and are located in the
medium voltage transformer room.

5.3.4.3

The LV distribution supports the redundancy concept by supplying two pumps from separate sides of the
physical two-way split. Refer to Table 5-1 for the thruster and engine pump power supplies.

Table 5-3

440V feeder panel: LV1 and LV2

440V SWITCHBOARD LV1

440V SWITCHBOARD LV2

MAIN INCOMING POWER FROM TRANSFORMER MV 6.6KV

MAIN INCOMING POWER FROM TRANSFORMER MV 6.6KV

EMERGENCY SWITCHBOARD

NO.1 PACKAGED TYPE AIR-CON FOR ECR

EMERGENCY SWITCHBOARD

NO.2 PACKAGED TYPE AIR-CON FOR ECR

LGSP-1A

NO.1 PACKAGED TYPE AIR-CON FOR SWBD ROOM

LGSP-1B

NO.2 PACKAGED TYPE AIR-CON FOR SWBD ROOM

LGSP-2

NO.1 VACUUM PUMP FOR CARGO STRIPPING

LGSP-3SEC.2

NO.2 VACUUM PUMP FOR CARGO STRIPPING

LGSP-3 SEC.1

NO.1 M/E HYD.START-UP PUMPSTARTER

LGSP-4

NO.2 M/E HYD.START-UP PUMPSTARTER

LGSP-4

NO.1 BOILER POWER PANEL

LGSP-5

NO.4 G/E L.O PRIMING PUMP

LGSP-5

NO.1 UPS FOR MSVB

LGSP-6B

NO.2 BALLAST PUMP

LGSP-6A SEC.1

E/R CRANE MAIN SWITCH BOX

LGSP-7

REMOTE V/V HYD. POWER UNIT

LGSP-7

NO.1 BALLAST PUMP

G-1 (GALLEY 440V FEEDER PANEL)

NO.2 AIR CONDITIONING PLANT COMPRESSOR

PD-1 (E/R 440 FEEDER PANEL)

ODME SAMPLING PUMP

LOCAL FIRE FIGHTING PANEL

CYL. LUB. HEATING UNIT

PD-2 (E/R 440 FEEDER PANEL)

NO.1 AIR CONDITIONING PLANT COMPRESSOR

PD-3 (E/R 440V FEEDER PANEL)

PORT HOSE HAND. CRANE ST.

NO.1FWD. DECK MACHINERY

PROV. REF. PLANT COMP

NO.1 STEERING GEAR STARTER

SAZ4 HPP STARTER(A7)

NO.1 AFT. DECK MACHINERY

STBD HOSE HAND. CRANE ST.

NO.2 FWD. DECK MACHINERY

SAZ4 HPP STARTER(A8)

BLS NO.1 HYD PUMP ST

INCINERATOR

BLS NO.2 HYD PUMP ST

SAZ4 CIRC. PUMP (A9)

NO.1 AUX BLOWER

W.O TANK CONTROL. PANEL

NO.2 AUX BLOWER

NO.2 AFT DECK MACHINERY

NO.1 INERT GAS BLOWER FAN

NO.2 G/E L.O PRIM PUMP ST.

NO.2 INERT GAS BLOWER FAN

NO.2 UPS FOR MVSB

NO.2 TRANSFORMER

NO.2 BOILER POWER PANEL

NO.1 TRANSFORMER

NO.2 BOILER POWER PANEL


Table 5-4

440V Group Starter Panels

440Vac GSP No.1

440Vac GSP No.2

INCOMING POWER FROM 440V FEEDER PANEL No.1

INCOMING POWER FROM 440V FEEDER PANEL No.2

MAIN LO PUMP NO.1

NO.1 G/E C.S.W PUMP

NO.2 MAIN LO PUMP

NO.2 CENTRAL C.F.W PUMP

NO.1 STERN TUBE LO PUMP

NO.2 G/E C.S.W PUMP

NO.2 STERN TUBE L.O PUMP

NO.3 G/E C.F.W PUMP

NO.1 M/E FO CIRCULATION PUMP

NO.1 CENTRAL C.F.W PUMP

NO.2 M/E F.O CIRCULATION PUMP

NO.4 G/E C.F.W PUMP

NO.1 M/E FO SUPPLY PUMP

NO.1 G/E C.F.W PUMP

NO.2 M/E F.O SUPPLY PUMP

M/E CHEM. CLEANING PUMP

NO.1 G/E D.O.SUPP. PUMP

NO.2 G/E C.F.W PUMP

NO.3 G/E D.O.SUPP. PUMP

NO.4 E/R VENT. FAN (NON-REV)

NO.2 G/E D.O.SUPP. PUMP

NO.2 E/R VENT. FAN (REV)

NO.4 G/E D.O.SUPP. PUMP

NO.2 COPT CONDITIONING WATER PUMP

NO.1 BOILER FEED WATER PUMP

NO.3 E/R VENT. FAN (NON-REV)

NO.2 BOILER FEED WATER PUMP

NO.2 DECK W SEAL PUMP

NO.1 ECONOMIZER FEED W. PUMP

NO.2 ECONOMIZER FEED W. PUMP

FWD SEC.2 THRUSTER C.S.W PUMP (1)

NO.1 BOILER W. CIRC. PUMP

NO.1 COPT CONDITIONING WATER PUMP

NO.1 DECK W SEAL PUMP

NO.2 BOILER W. CIRC. PUMP

FWD SEC.2 THRUSTER C.S.W PUMP (2)

NO.1 M/E JACKET C.F.W PUMP

FWD SEC.1 THRUSTER C.S.W PUMP (1)

NO.2 M/E JACKET C.F.W PUMP

FWD SEC.2 THRUSTER C.F.W PUMP (1)

NO.1 MAIN/VAC. COND C.S.W PUMP

FWD SEC.1 THRUSTER C.S.W PUMP (2)

NO.2 MAIN/VAC. COND C.S.W PUMP

FWD SEC.2 THRUSTER C.F.W PUMP (2)

AUX C.S.W PUMP

FWD SEC.1 THRUSTER C.F.W PUMP (1)

NO.3 G/E C.S.W PUMP

NO.4 G/E C.S.W PUMP

FWD SEC.1 THRUSTER C.F.W PUMP (2)


440Vac LGSP No.1A (SECTION 1)

440Vac LGSP No.1B (SECTION 2)

440Vac LGSP No.2 (SECTION 1)

440Vac LGSP No.3 (SECTION 1)

440Vac LGSP No.3 (SECTION 2)

BT1 HPP Starter (A7)

FCle Transformer

No.1 COPT L.O Prime Pump

No.1 Bilge, Fire & G/S Pump

NO.2 BILGE, FIRE & G/S PUMP

BT1 HPP Starter (A8)

ICCP (FWD

IGG Scrub. C.S.W Pump

Bilge Circ Pump

MDO TRANS. PUMP

BT1 Oil Filtration Pump

Bosun Store Supply Fan

C.O.P Drain Trans. Pump

Sludge Pump

HFO TRANS. PUMP

BAZ3 HPP Starter (A7)

BT2 HPP Starter (7)

F.W.Generator Unit

Oily Bilge Pump

OILY BILGE SEPARATOR

Servo Pump 1
BAZ3 HPP Starter For Circ. Pump (A9)

BT2 Oil Filtration Pump Unit

ST5 HPP St. For Servo Pump (1)

R.P For Elec. Arc Welder

No. 3 Thruster HPP Starter (A8)

ST5 HPP St. For Servo Pump (2)

Servo Pump 2
B.L.S Local Cont. Panel

BAZ3 HPP Starter For Circ. Pump (A9)

ST5 Oil Filtration Pump Unit

B.L.S crane

BAZ3 Oil Filtration Pump

L.O Transfer Pump

BT2 HPP Starter (8)


Servo Pump 2


440Vac LGSP -4 (SECTION 1)

440Vac LGSP -4 (SECTION 2)

440Vac LGSP -5 (SECTION 1)

440Vac LGSP -5 (SECTION 2)

No.1 H.F.O Purifier

No.2 H.F.O Purifier

No.1 Service Air Compressor

No.1 Main Air Compressor

No.1 H.F.O Puri. Sup. Pump

No.2 H.F.O Purifier. Sup. Pump

Deck Air Compressor

No.2 Service Air Compressor

No.1 M/E L.O Purifier

No.2 M/E L.O Purifier

Vacuum Toilet System

No.1 Sup. Pump L.O Purifier

No.2 M/E L.O Puri. Sup. Pump

Sewage Treatment System

No.2 COPT Prim L.O Pump

No.1 G/E L.O Purifier

No.2 G/E L.O Purifier

Aft ICCP System

No.1 G/E Turning Gear

Purifier room Exh. Fan

No.2 G/E L.O Puri. Sup. Pump

No.2 Main Air Compressor (ESBD)

No.1 G/E D.O Auto Filter

No.2 G/E D.O Auto Filter

Calorifier

M.G.O Chiller Unit

Control Air Compressor

No.2 G/E Turning Gear

No.1 G/E L.O Puri Sup. Pump


440Vac LGSP-6A (SECTION 1)

440Vac LGSP -6B (SECTION 2)

440Vac LGSP -7 (SECTION 1)

440Vac LGSP -7 (SECTION 2)

No.1 Pump Room. Fan (Non-Reversible)

Sanitary Space Exh. Fan

No.1 F.W Hyd. Pump

No.2 F.W Hyd. Pump

Air Handling Unit (1)

No.2 Pump Room Exh. Fan (Reversible)

No.1 D.W.Hyd. Pump

No.2 D.W Hyd. Pump

Life/Rescue Boat Davit

Galley Packed Air-Con

M/E L.O Auto Filter

Transformer Supp. Fan

No.1 Packed Type Air-Con. For W/H

No.2 W/H Packaged Air-Con

M/E F.O Auto Filter

Soot Blower Cont. Panel

BLS Foam System (W/H Monitoring)

Provision Crane

High Exp. Foam Panel

Galley Exh. Fan

Galley Supply Fan.

Air Handling Unit (1)

Prov. Ref. Plant Fan Control Panel


5.3.5

Emergency Power

5.3.5.1

The emergency distribution supplies AC power to steering gear, diesel generator LO priming pump, engine room supply fan and battery charger. Refer to Table 5.6 for
the emergency 440V power distribution.

5.3.5.2

The 440V 3-phase, 60Hz emergency switchboard is a single bus. Its primary supply is from 440V Feeder Panel No.1 and its secondary supply is from 440Vac
Feeder Panel No.2. The two breakers are interlocked in order to prevent inadvertent operation. It is also connected to the emergency generator, rated 350KW, 450V
3ph 60Hz.

5.3.5.3

The 220V emergency switchboard is a single bus connected to the emergency 440V switchboard via two stepdown transformers 60kVA 3 phase 430V/230V.
Table 5-5

Emergency Power Distribution

440V EMERGENCY SWBD


NO.2 STEERING GEAR

Deck Foam Pump Starter

EMCY CPP HydFilter

Steering Gear Room Supp. Fan

No.2 Main Air Compressor (Starter in LGSP-5)

No.1 DC 110V & 24V Batt. Ch.

LGSP-1E1 (Bow Th. Rm Supp. Fan, Watchman Cab. Supp. Fan, BLS Foam P.)

Foam Room Exh. Fan

Elec. Whistle Relay Box

No.2 DC 110V & 24V Batt. Ch.

Paint Store Exh. Fan

Elevator Control Panel

S-Band Radar Control Unit

EPD-1 (No.1,2,and 3 G/E Lo.Prim. P, Hyd


Oil Auto Filt. Pan.
Emergency Fire Pump

High Foam Cont. Panel

EMCY CPP Hyd. Pump Starter

No.1 E/R Vent. Fan (Rev)

No.1 & 2 Emergency Transformer

Chemical Store Exh. Fan

No.1 & 2 UPS For MVSB


220V EMERGENCY MSBD
ELD-1 Panel (Accom)

No.2 NID Panel

EMCY D/G Room Light Relay Box For Auto Tel.

Steering Gear Room Light

ELD-2 Panel (E/R)

FIRE ALARM PANEL

J/B for Life Rescue Boat Battery Charger (Port)

Deep Fat Fryer Relay Box

Navigation Lighting Control Panel

Bridge Control Console

Public Addressor

LGSP-1E2 (Speed Log Trans. Unit, Auto Tel. For Bow Thruster Room)

No.1 NID Panel

Batt. Ch For EMCY Generator

Cargo Cont. Console

Foam Room Lighting

Coolant Heater For EMCY Generator

General R.P

Engine Control Console

Relay Box for auto tel

5.3.6

Failure Modes of the 440V Distribution System

5.3.6.1

The significant failures of the 440V distribution system are taken to be:
1. Short circuit on main transformer no.1.
2. Short circuit on main transformer no.2.
3. Short circuit on 440V feeder panel 1.
4. Short circuit on 440V feeder panel 2.
5. Failure of 440V auxiliary switchboard.
6. Short circuit on 440V emergency switchboard.

5.3.7

Failure Effects of the 440V Distribution System

5.3.7.1

Short circuit on main transformer T1: will result in loss of main transformer T1; the vessel will lose BT1,
ST5 and all consumers on LV 440V switchboard bus bar 1 listed in Table 5-3 and Table 5-4. All the
thruster and engine pumps back each other up; if the 440Vac feeder panel no.1 fails, all the
backup pumps will auto start. There is no effect on thrusters BT2, BAZ3 and SAT4, and the CPP will
continue running in DP mode because the remaining two (2) hydraulic pumps are still engaged.

5.3.7.2

Short circuit on main transformer T2: will result in the loss of main transformer T2; the vessel will lose BT2,
BAZ3, SAT4 and all consumers on 440V switchboard bus bar 2. All the thruster and engine pumps
back each other up; if the 440Vac feeder panel no.2 fails, all the backup pumps will auto start. Thrusters
BT1 and ST5 should continue to operate.

5.3.7.3

Short circuit on 440V switchboard bus bar 1: this is a very unlikely failure mode; however, if it did occur, the
effect would be the same as a short circuit on main transformer T1.

5.3.7.4

Short circuit on 440V switchboard bus bar 2: this is a very unlikely failure mode; however, if it did occur, the
effect would be the same as a short circuit on main transformer T2.

5.3.7.5

Failure of 440V auxiliary switchboard: The failure effect of either auxiliary switchboard should be less than
the WCFDI. All the pumps for the thrusters and main engine should back each other up.

1. Failure of LGSP 1A: leads to loss of thruster no.1 and the backup supply for thruster no.3. The
machinery lost is BT1 HP Starter Cab. Servo Pump 1 & 2, BT1 oil filtration pump, BAZ3 HPP
Starter Cab. Servo Pump 1 and BAZ3 HPP Starter Cir. Pump 1. Failure of LGSP 1A will not exceed
the WCFDI.

2. Failure of LGSP 1B: leads to loss of BT2 and the main supply for BAZ3. In the event of failure of the main
supply to BAZ3, the power supply of BAZ3 can be manually changed over to LGSP 1A. The
machinery lost is BT2 HP Starter Cab. Servo Pump 1 & 2, BT2 oil filtration pump, BAZ3
HPP Starter Cab. Servo Pump 2 and BAZ3 HPP Starter Cir. Pump 2. Although BAZ3 is lost,
it can be manually restored and the DP operation resumed. Failure of LGSP 1B will
not exceed the WCFDI.

3. Failure of LGSP 2: leads to loss of Stern Tunnel Thruster No.5 through loss of the power supplies to
ST5 HPP Starter Cab. Servo Pump No.1 & 2, ST5 Oil Filtration Pump and other auxiliary
machinery. Failure of LGSP 2 will not exceed the WCFDI.

4. Failure of LGSP 3 (section 1): LGSP No.3 section 1 is fed from LV 440Vac main feeder panel No.1.
Loss of LGSP 3 (section 1) will lead to loss of No.1 Bilge, Fire & GS Pump, and other non-DP
related machinery. This will have no effect on the DP operation.

5. Failure of LGSP 3 (section 2): LGSP No.3 section 2 is fed from LV 440Vac main feeder panel
No.2. Loss of LGSP 3 (section 2) will lead to the loss of No.2 Bilge, Fire & GS Pump, MDO
Transfer Pump, HFO Transfer Pump and other non-DP related machinery. This will have no effect
on the DP operation.


6. Failure of LGSP 4 (section 1): LGSP No.4 (section 1) is fed from LV 440Vac main feeder panel
No.1. Failure of GSP No.4 will lose power supplies to No.1 HFO purifier, No.1 HFO purifier supply
pump, No.1 main LO purifier, No.1 LO Purifier Supply Pump, No.1 GE LO purifier, No.1 GE LO
Purifier supply pump, No.1 GE DO auto filter and other non-DP related machinery. All the purifiers
and feed pumps in LGSP 4 (section 1) are backed up by the purifiers and feed pumps in
LGSP 4 (section 2). Failure of LGSP 4 (section 1) will have no effect on the DP operation.

7. Failure of LGSP 4 (section 2): LGSP No.4 (section 2) is fed from LV 440Vac main feeder panel
No.2. Failure of LGSP No.4 will lose power supplies to No.2 HFO purifier, No.2 HFO purifier
supply pump, No.2 main LO purifier, No.2 LO Purifier Supply Pump, No.2 GE LO purifier, No.2 GE
LO Purifier supply pump, No.2 GE DO auto filter and other non-DP related machinery. All the
purifiers and feed pumps in LGSP 4 (section 2) are backed up by the purifiers and feed pumps
in LGSP 4 (section 1). Failure of LGSP 4 (section 2) will have no effect on the DP operation.

8. Failure of LGSP 5 (section 1): LGSP No.5 section 1 is fed from LV 440Vac main feeder panel
No.1. Failure of LGSP No.5 section 1 will lose power supplies to No.1 Service Air Compressor
and other non-DP-relevant machinery and therefore will have no effect on the DP operation.

9. Failure of LGSP 5 (section 2): LGSP No.5 section 2 is fed from LV 440Vac main feeder panel
No.2. Failure of LGSP No.5 section 2 will lose power supplies to No.1 Main Air Compressor, No.2
Service Air Compressor, Control Air Compressor and other non-DP-relevant machinery and therefore
will have no effect on the DP operation.

10. Failure of LGSP 5 (section ESB): LGSP No.5 section ESB is fed from LV 440Vac ESB. Failure of
LGSP No.5 section ESB will lose power supplies to No.2 Main Air Compressor and other
non-DP-relevant machinery and therefore will have no effect on the DP operation.

11. Failure of LGSP 6 (section 1): LGSP No.6 (section 1) is fed from LV 440Vac main feeder panel
No.1. Failure of LGSP No.6 will lose No.1 Pump Room Exh. Fan (STBD), No.1 WH Package Air
Cond Unit and other non-DP-relevant systems. Failure of LGSP 6 (section 1) will lead to the loss of one air
conditioning unit on the bridge and one fan in the pump room. However, this will have no effect on
the DP operation.

12. Failure of LGSP 6 (section 2): LGSP No.6 (section 2) is fed from LV 440Vac main feeder panel
No.2. Failure of LGSP No.6 will lose No.2 Pump Room Exh. Fan (Port), No.2 WH Package Air
Cond Unit and other non-DP-relevant systems. Failure of LGSP 6 (section 2) will lead to the loss of
one air conditioning unit on the bridge and one fan in the pump room. However, this will have no
effect on the DP operation.

13. Failure of LGSP 7 (section 1): LGSP No.7 (section 1) is fed from the emergency 440V feeder
panel No.1. Failure of LGSP No.7 will lose the ME LO auto filter, ME FO auto filter and other
non-DP-relevant machinery. Failure of LGSP 7 (section 1) will have no effect on the DP
operation.

14. Failure of LGSP 7 (section 2): LGSP No.7 (section 2) is fed from LV 440Vac main feeder panel
No.2. Failure of LGSP No.7 will lose other non-DP-relevant equipment and therefore will have no
effect on the DP operation.

15. Failure of PD-2: PD-2 is fed from LV 440Vac main feeder panel No.1. Failure of PD-2 will lose
the power supply to No.1 CPP Hyd. Pump Starter, No.3 CPP hyd. Pump Starter and other
machinery. Failure of two CPP hyd. pumps will not lead to loss of the CPP in the DP system. The
CPP will continue to operate with No.2 CPP Hyd. Pump, and the No.3 CPP hyd. pump power
supply can be changed over to the backup supply from PD-3. Failure of PD-2 will not lose the CPP
as the hydraulic unit will still be operational.


16. Failure of PD-3: PD-2 is fed from LV 440Vac main feeder panel No.2. Failure of PD-3 will lose
power supply to No.2 CPP Hyd. Pump Starter, No.3 CPP hyd. Pump Starter, SAZ4 oil filtration
pump and other machinery. Failure of two CPP hyd. pumps will not lead to loss of the CPP in the
DP system. The CPP will continue to operate with No.1 CPP Hyd. Pump, and the No.3 CPP hyd.
pump power supply can be changed over to the backup supply from PD-2. Failure of PD-3 will not
lose the CPP as the hydraulic unit will still be operational.

17. Failure of EPD-1: EPD-1 is fed from LV 440Vac ESB. Failure of EPD-1 will lose power supply to
No.1 and 3 GE LO Priming Pump, Hyd. Oil Auto Filter Cont. Panel. Failure of EPD-1
will have no effect on the DP operation.

5.3.7.6

A short circuit on the 440V emergency switchboard: will result in loss of supply to No.1 E/R Vent. Fan
(Reversible), the Emergency fire pump, steering gear room fan, No.2 Steering gear starter, Emergency
CPP hyd. Pump Starter, Emergency CPP Hyd. Filter Starter, engine control console, bridge control
console and other non-DP-related equipment. It also provides a second power supply to No.1 and No.2
UPS for the MV Switchboard, and the UPS will be backed up by the battery bank. Losing steering gear No.1 will
not lead to loss of the rudder, as No.2 steering gear will be running as well.

5.3.8

Hidden Failures of the 440V Distribution System

5.3.8.1

Failure of the Emergency Generator to re-power the Emergency Switchboard on loss of its normal supply
from Bus 1 and Bus 2 is also a potential hidden failure.

5.3.8.2

Failure of the pumps that are unable to auto changeover is a potential hidden failure.

5.3.9

Configuration Errors of the 440V Distribution System That Could Defeat Redundancy

5.3.9.1

The vessel's safest mode of operation is to operate with the 440V bus ties open so that a fault remains
limited to one section of the switchboard.

5.3.9.2

The engine and thruster pumps have to be configured accordingly during DP operation
to prevent loss of all thrusters at the same time.

5.3.10

Maloperation of 440V Distribution System

5.3.10.1 No potential acts of maloperation have been identified in this analysis that would exceed the WCFDI as
the transformer breakers are interlocked and the emergency generators are interlocked with the 440Vac
main bus bar.
5.3.11

Worst Case Failure of the 440V Distribution System

5.3.11.1 The WCFDI with respect to the low voltage distribution system is the failure of one of the LV switchboards.
This would result in failure of all the equipment including generators, main engines and thruster marine
auxiliaries powered from that switchboard. However, all these systems are equipped with standby units
that are powered from the second low voltage switchboard. Refer to Tables 5-1 and 5-3 for details.

5.4

220V DISTRIBUTION SYSTEM

5.4.1

Reference
1. Electric Load Analysis DWG No: 200E163020EB
2. Wiring Diagram Of Power System. DWG No: 200E163010EB
3. High Voltage Switchboard DWG: 20114235 MHSO67-8M34-1&2 HN1960s HMSB Rev. 0
4. Low Voltage Switchboard. DWG: 200114235MMS149-5
5. One Line Diagram, DWG No: 200E163040EB
6. Emergency Switch Board. DWG: 14235MEO158-9
7. AC220V Navi Inst Distribution Board (NID) DWG: 200E466010EB
8. Diesel G/E Control & Monitoring System, DWG No: 200E364010EB

5.4.2

Location

5.4.2.1

The main 220V switchboard is located in the switchboard room.

5.4.3

Description

5.4.3.1

The 220V switchboard consists of two main sections, Bus bar No.1 and Bus bar No.2. The 220V
switchboard is a 60Hz, three wire system which supplies power to vessel navigation / instrumentation,
engine control console, bridge control console, UPSs and 220V lighting distribution boards.

5.4.3.2

The 220Vac Feeder Panel No.1 is connected with 440V LGSP No.1 via a 440V/ 230V, 250kVA
transformer T1. The 220Vac Feeder Panel No.2 is connected with 440V GSP Panel No.2 via a 440V/
220V, 250kVA transformer T2.

5.4.3.3

There are two different section distribution panels for the accommodation AC 220Vac where the Accom.
AC 220V Section 1 board is fed from 220Vac Feeder panel no.1, whilst the 220V Section 2 board is fed
from 220Vac feeder panel No.2.

5.4.3.4

220V engine control console (ECC) and 220Vac No.1 Navigation & instrumentation distribution board can
be powered from either the 220Vac MSB 1 or 220Vac ESB. During DP operations, both distribution boards
are to be supplied from 220Vac MSB 1 and the backup supply is fed from 220Vac ESB.

5.4.3.5

The No.2 Navigation & Instrumentation distribution board (No.2 NID) can be supplied either from 220Vac
MSB 2 or the 220Vac ESB. During DP operations, the No.2 NID is to be supplied from the 220Vac MSB
No.2

5.4.3.6

The 220Vac Bridge control console can be fed by the 220Vac Accom. AC 220V Section 2 board or the
220Vac ESB. During DP mode, it is to be supplied from the Accommodation. AC 220V Section 2.

5.4.3.7

Refer to Table 5-6 and Table 5-7 for the consumer list.

Table 5-6

220V feeder panel No.1 and No.2

220V SWITCHBOARD No.1

220V SWITCHBOARD No.2

MAIN INCOMING POWER FROM TRANSFORMER 440V

MAIN INCOMING POWER FROM TRANSFORMER 440V

Accommodation. AC 220V section board (Sec.1)

Accommodation AC 220V section Board (Sec.2)

ER & P/R High Expansion system (Source no.1)

No.2 Battery Charger & Discharge Board

No.1 NID

LD-5 Panel

E.C.C (UPS for No.2 ICMS)

No.2 NID

LD-4 Panel

No.2 Control Air Dryer


Engine Control Console

Sterilizer

Navigation Light Control Panel

Hydraulic Deck Stand

Fire Alarm Unit

Shaft Earthing Device

Lighting In ECR

MSB Bus Tie Panel No.2 Section

M.G.P.S Control Panel

Lighting in SWBD Room

MVSB-GPT Panel No.1 Section

Power Supply Unit For No.3 and No.4 D/G

Public Addressor

R.P in SWBD Room

No.1 Control Air Dryer

No.1 Boiler Local Control Panel

R.P in ECR

ME Power Supply B

Power Supply Unit for No1. And No.2 D/G


Cargo Oil Pump Control Panel
MGPS Control Panel for Thrusters C.S.W. Strainer

Table 5-7

220V Distribution Panel

220V NAV. & INST. DISTRIBUTION BOARD No.1

220V NAV. & INST. DISTRIBUTION BOARD NO.2

Navigation UPS 1

Navigation UPS 2

No.1 UPS for DP system

No.2 bow tunnel thruster

No.1 Bow tunnel thruster

Bow azimuth thruster

Aft tunnel thruster (T5)

Aft azimuth thruster


C-joy control cabinet
No.2 UPS for DP system

BRIDGE CONTROL CONSOLE 220V

ACCOM. AC 220V SECTION BOARD (SECTION 1)

Bcc dc 24v dist. Board

Bridge control console

No.4 ICMS UPS


No.1 battery charger & discharger board

ENGINE CONTROL CONSOLE 220V

ACCOM. AC 220V SECTION BOARD (SECTION 2)

ME power connection box

No.2 battery charger & discharger board

UPS for ME PMI PC


No.1,2 GE power supply unit
No.3,4 GE power supply unit
ME power supply A

5.5

24VDC POWER DISTRIBUTION

5.5.1

Drawing reference
1. 200E466010EB : Battery Charger & Discharger Board (BCD)

5.5.2

Location

5.5.2.1

The 24Vdc system charging and discharging board is located in the navigation locker.

5.5.3

24Vdc Distribution System

5.5.3.1

There are two 24Vdc systems on the vessel, each including a battery charger and
battery bank. The No.1 battery charger is fed from the 220Vac Bridge Control Console Dist. board whilst
the No.2 battery charger is fed from the 220Vac No.2

5.5.3.2

The 24Vdc system distributes to the ECC 24Vdc power distribution panel and bridge control console
distribution board. The 24Vdc consumers are listed in Table 5-8.

5.5.3.3

The ECC 24V power distribution panel is connected with dual power supplies and is fitted with an auto
changeover function. The primary 24Vdc is from the 220Vac Feeder panel No.1 through a transformer to
the 24Vdc system whilst the second 24Vdc power supply is fed from the No.1 Battery Charging and
Discharging board.

5.5.3.4

The bridge control console panel has dual power supplies with auto changeover function. The primary
24Vdc is fed from the 220Vac Feeder panel No.2 and is then rectified to the 24Vdc power supply, whilst
the second 24Vdc power supply is fed from the No.1 Battery Charging and Discharging board.

24VDC SYSTEM

DC24V BATTERY CHARGING & DISCHARGING BOARD No.1

No.1 Gyro Compass

DC24V BATTERY CHARGING & DISCHARGING BOARD No.2

Engine Control Console

No.1 Wind Serial Splitter

PSU for DARPS Wing Display

Engine Control Console

No.2 Bow Tunnel Thruster

Bridge Control Console

Bow Azimuth Thruster

No.1 Bow Tunnel Thruster

Aft Azimuth Thruster

Aft Tunnel thruster

No.2 Gyro Compass


No.2 Wind Serial Splitter

PSU for DARPS Wing Display

Fanbeam Serial Splitter

Emergency Switchboard

No.3 Gyro Compass

No.3 Wind Serial Splitter

Gyro Switchover Unit


Bridge Control Console DC 24 DIST. BOARD

ENGINE CONTROL CONSOLE 24V POWER DIST. BOARD

Non Relevant DP equipment

JME-1 [ME WIO Trans. Unit]


JME-2 [ME FO Leak Lvl Sw]
JME-3 [ME PCO Arm Monit. Box]
CPP Local & Zero Pitch Unit

Table 5-8

24Vdc Supplies to Engine Junction Boxes

5.5.4

UPS for MV switchboard

5.5.4.1

There are two UPSs supplying the 110Vac control power for the MV MSB VCB control circuit and
the 24Vdc supplies for No.1 ICMS, the LV switchboard and the MV switchboard. These 110Vdc / 24Vdc
systems are located in the main switchboard room.

5.5.4.2

Each of the UPS systems takes a dual redundant supply from a 440Vac Feeder Panel and the 440V Emergency
Switchboard.
i. UPS No.1 takes its supply from No.1 440Vac Feeder Panel and 440Vac ESB
ii. UPS No.2 takes its supply from No.2 440Vac Feeder Panel and 440Vac ESB

5.5.4.3

The 110Vdc supplies power to the MV MSB control circuit whilst the 24Vdc supplies to the MV MSB bus
tie panel control circuit, LV Switchboard control circuit and to No.1 ICMS.

5.5.4.4

MV MSB No.1 Control circuit is powered from the 110Vdc UPS No.1 and No.2. It is the same as MV MSB
No.2.

5.5.4.5

Each of the 110Vdc load circuits is supplied from both battery chargers and diode isolation is used for
switchboard control supplies. The shipyard has to provide the discrimination studies regarding this diode
isolation to ensure it will not cause a blackout of the vessel and not trip the upper stream.


5.5.5


Failure Modes of the Power Distribution


1. Short circuit of 220V Feeder Panel No.1.
2. Short circuit of 220V Feeder Panel No.2.
3. Power failure of 220V ECC Distribution board.
4. Short circuit of 220V Engine Control Console distribution board.
5. Power failure of 220V Nav. & Instrumentation distribution board.
6. Short circuit of 220V Nav. & Instrumentation distribution board.
7. Short circuit of 24V battery charging and discharging board.
8. Short circuit of 24V ECC board.
9. Short circuit of 24V Nav. & Safety equipment distribution board.
10. Short circuit on service transformer T1 feeder.
11. Short circuit on service transformer T2 feeder.
12. Short circuit on 220Vac emergency switchboard.
13. Short circuit on emergency transformer.
14. Failure of one of the battery chargers to MV MSB.
15. Short circuit of one of the 110Vdc / 24Vdc systems to MV MSB.
16. Failure of both 110Vdc / 24Vdc systems to MV MSB.

5.5.6

Failure Effects of the Power Distribution

5.5.6.1

Short circuit of 220V Feeder Panel No.1: This would result in a loss of power supply to No.1 Navigation
Instrument Panel, ECC (UPS for No.2 ICMS), Engine control console, Accom. 220V Section board, No.1
MV SWBD GPT Panel, Power Supply unit for No.1 & 2 DG and other non-relevant DP equipment. Loss of
one of the power supplies to No.1 & No.2 DG will not stop the DG operation.

5.5.6.2

Short circuit of 220V Feeder Panel No.2: This would result in a loss of No.2 Navigation Instrumentation
Distribution Panel, Accom. 220V Section board, No.2 MV switchboard, power supply unit for No.3 & 4 DG
and non-relevant DP equipment. Loss of one of the power supplies to No.3 & No.4 DG will not stop the DG
operation.

5.5.6.3

Power failure to the 220V ECC distribution board: The 220V ECC Dist. Board is supplied by LV220V MFP
No.1 and ESB 220V; if one power supply fails it will auto changeover to the other power source. Failure
of the auto changeover to occur will be a hidden failure, and the failure effect will be loss of the 220V
ECC Dist. Board. Refer to Section 5.5.6.4 for the failure effects.

5.5.6.4

Short circuit of 220V Engine control console distribution board: This would not lead to the loss of the ME
as there is a redundant power supply B which is supplied from the No.2 AC 220 V Feeder Panel. The ECC
supplies to all the Generator Control Systems are supplied via 24 VDC UPS. As such, there will be no
apparent effect from the loss of this distribution board apart from the loss of supply to the UPS supplying
the Generator Control System.

5.5.6.5

Power failure to 220V Navigation & Instrumentation distribution board No.1: 220V Navigation &
Instrumentation distribution board No.1 is supplied by the 220Vac No.1 Feeder panel and ESB 220V; on
failure of either power supply it will auto changeover to the other power source. Failure of the auto
changeover to occur will be a hidden failure, and the failure effect will be loss of the 220V Navigation &
Instrumentation distribution board. This will lead to loss of the main supply to the BT 1 control system,
the ST5 control system and No.1 UPS for the DP system. The thrusters will continue operating as there
will be a backup supply from the 24Vdc power supplies. The failure of supply to No.1 UPS will not
immediately affect the DP computer system, as there will be a minimum of 30 minutes battery backup
from the UPS.


5.5.6.6

Power failure to 220V Navigation & Instrumentation distribution board No.2: 220V Navigation &
Instrumentation distribution board No.2 is supplied by the 220Vac No.2 Feeder panel and ESB 220V; on
failure of either power supply it will auto changeover to the other power source. Failure of the auto
changeover to occur will be a hidden failure, and the failure effect will be loss of the 220V Navigation &
Instrumentation distribution board. This will lead to loss of the main supply to the BT 2 control system,
BAT3 control system, SAT4 control system, C-Joy control cabinet and No.2 UPS for the DP system. The
thrusters will continue operating as there will be a backup supply from the 24Vdc power supplies. The
failure of supply to No.2 UPS will not immediately affect the DP computer system, as there will be a
minimum of 30 minutes battery backup from the UPS.

5.5.6.7

Short circuit / Failure of No.1 24V battery charging and discharging board: This would result in the loss of
No.1 and No.3 Wind serial splitter, power supply to engine control console, one of the power supplies to
No.1 Gyro compass, power supply to bridge control console, lighting supply to emergency switchboard,
PSU for DARPS wing display, backup supply to BT 1 and backup supply to ST 5.

5.5.6.8

Short circuit of No.2 24V battery charging and discharging board: This would result in the loss of No.2
Wind serial splitter, power supply to engine control console, one of the power supplies to No.2 & No.3
Gyro compass, PSU for DARPS wing display, and backup supply to BT 2, BAT3 and SAT 4.

5.5.6.9

Short circuit of 24V Engine control console distribution board: This will cause loss of the monitoring
system for the ME and will not lead to loss of the ME or CPP. This has to be proven during the proving
trials.

5.5.6.10 Short circuit of 24Vdc Bridge control console dist. Board: There will be no effect on the DP operation
as the consumers are not relevant to DP equipment.
5.5.6.11 Short circuit on service transformer T1 feeder: This will result in loss of service transformer T1 and
all consumers on 220V switchboard bus bar 1. All thrusters and generators will remain healthy as the
control power supply has redundancy.
5.5.6.12 Short circuit on service transformer T2 feeder: This will result in loss of service transformer T2 and
all consumers on 220V switchboard bus bar 2. All thrusters and generators will remain healthy as the
control power supply has redundancy.
5.5.6.13 Short circuit on 220V emergency switchboard: This will result in loss of one of the supplies to No.1 & 2
nav. & instrumentation dist. Board, which will auto changeover to the respective 220Vac feeder panel,
and loss of the backup supply to the 220Vac ECC Dist. Board and 220Vac bridge control console. All the
thrusters and generators will remain healthy as the control power supply has redundancy.
5.5.6.14 Short circuit on emergency transformer: This will result in loss of the 220Vac emergency switchboard.
All the thrusters and generators will remain healthy as the control power supply has redundancy.
5.5.6.15 Failure of No.1 UPS to MV MSB: This will result in loss of one of the 110Vdc / 24Vdc power
supplies to MV MSB. Upon this failure, an alarm will be initiated in the ICMS system, and the
110Vdc/24Vdc system will be backed up by the battery.
5.5.6.16 Failure of No.2 UPS to MV MSB: This will result in loss of one of the 110Vdc / 24Vdc power
supplies to MV MSB. Upon this failure, an alarm will be initiated in the ICMS system, and the
110Vdc/24Vdc system will be backed up by the battery.
5.5.6.17 Short circuit of one of the 110Vdc / 24Vdc systems to MV MSB: Short circuit of the 110Vdc / 24Vdc
system will result in loss of one of the control supplies to the MV MSB. Upon failure, an alarm will be
initiated in the ICMS system and the MV MSB will be backed up by the other 110Vdc / 24Vdc control
supplies from the other battery charger.
5.5.7

Hidden Failures of the Power Distribution System

5.5.7.1

Insufficient battery capacity is a credible hidden failure. There should be an alarm for batteries on failure
of supply to the battery charger.

5.5.7.2

Failure to change over the power supply at the 220Vac Nav. & instrumentation distribution board to the
LV 220Vac MFP will be a hidden failure, and it may lead to loss of the main 220Vac power supply to all
the thruster control systems.
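
The single-failure and hidden-failure reasoning of sections 5.5.6.5 to 5.5.6.8 and 5.5.7.2 can be checked mechanically. The Python sketch below is an added example, not part of the GL Noble Denton report: the identifiers (NAV_DB_1, BATT_24_1 and so on) are labels chosen here, the stuck-changeover rule is a conservative assumption, and the two-failure search goes beyond the single-failure scope of the FMEA.

```python
"""Supply model for the thruster control systems (sections 5.5.6.5 to 5.5.6.8)."""
from itertools import combinations

# Boards with two infeeds and auto changeover (5.5.6.5, 5.5.6.6).
# The identifiers are labels chosen for this example.
CHANGEOVER_BOARDS = {
    "NAV_DB_1": ("FEEDER_220_1", "ESB_220"),
    "NAV_DB_2": ("FEEDER_220_2", "ESB_220"),
}

# Thruster control system -> (main 220Vac board, 24Vdc backup board).
# T6 (CPP) is not covered by these sections and is left out of the model.
CONTROL_SUPPLIES = {
    "T1": ("NAV_DB_1", "BATT_24_1"),
    "T5": ("NAV_DB_1", "BATT_24_1"),
    "T2": ("NAV_DB_2", "BATT_24_2"),
    "T3": ("NAV_DB_2", "BATT_24_2"),
    "T4": ("NAV_DB_2", "BATT_24_2"),
}

# Thruster groups of the worst case failure design intent (report summary).
WCFDI_GROUPS = (frozenset({"T1", "T5", "T6"}), frozenset({"T2", "T3", "T4"}))

SOURCES = ("FEEDER_220_1", "FEEDER_220_2", "ESB_220",
           "NAV_DB_1", "NAV_DB_2", "BATT_24_1", "BATT_24_2")
ALL_STUCK = tuple(CHANGEOVER_BOARDS)


def board_alive(board, failed, stuck):
    """True if a changeover board is still powered.

    failed: set of failed sources or boards.
    stuck:  boards whose auto changeover will not operate (hidden failure).
    """
    if board in failed:
        return False
    feeds = CHANGEOVER_BOARDS[board]
    healthy = [feed for feed in feeds if feed not in failed]
    if board in stuck:
        # Conservative assumption: the model does not know which infeed is
        # in service, so with a stuck changeover the loss of either infeed
        # is treated as dropping the board.
        return len(healthy) == len(feeds)
    return bool(healthy)


def evaluate(failed, stuck=()):
    """Return (on_backup, lost) sets of thrusters for a failure combination."""
    failed, stuck = set(failed), set(stuck)
    on_backup, lost = set(), set()
    for thruster, (main, backup) in CONTROL_SUPPLIES.items():
        if board_alive(main, failed, stuck):
            continue
        if backup in failed:
            lost.add(thruster)       # no main supply and no 24Vdc backup
        else:
            on_backup.add(thruster)  # running on the 24Vdc backup only
    return on_backup, lost


def within_wcfdi(lost):
    """True if the lost thrusters fit inside one WCFDI group."""
    return any(set(lost) <= group for group in WCFDI_GROUPS)


def single_failure_report(stuck=ALL_STUCK):
    """Effect of every single failure, by default with all changeovers stuck."""
    return {source: evaluate({source}, stuck) for source in SOURCES}


def pairs_losing_thrusters(stuck=ALL_STUCK):
    """Two-failure combinations that take at least one thruster off both supplies."""
    result = {}
    for pair in combinations(SOURCES, 2):
        _, lost = evaluate(pair, stuck)
        if lost:
            result[pair] = lost
    return result


if __name__ == "__main__":
    for source, (on_backup, lost) in single_failure_report().items():
        print(f"{source:13s} on backup: {sorted(on_backup)}  lost: {sorted(lost)}")
    for pair, lost in pairs_losing_thrusters().items():
        print(pair, sorted(lost), "within WCFDI" if within_wcfdi(lost) else "EXCEEDS WCFDI")
```

In this model a stuck changeover plus loss of the shared ESB infeed leaves all five thruster control systems on their 24Vdc backup only, which is the situation section 5.5.7.2 describes.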


5.5.7.3

A short circuit failure in a thruster control system may trip the particular thruster's breakers at the
220Vac and 24Vdc panels. This assumes that a selectivity analysis has been carried out with satisfactory
results.

5.5.7.4

Failure to change over the power supply from LV 220Vac MFP No.1 to 220Vac ESB at the ECC 220Vac
distribution board will remain a hidden failure, and it may lead to loss of the ME, which will cause loss
of T6. Please refer to the effect in section 5.5.6.4.

5.5.8

Common Mode Failures Affecting the Distribution System

5.5.8.1

There is no common mode failure that will cause an effect exceeding the WCFDI.

5.5.9

Configuration Errors of the Power Distribution System That Could Defeat Redundancy

5.5.9.1

The 220Vac feeder panels are powered by their own respective 440Vac MSB. Therefore no configuration
errors could defeat the redundancy.

5.5.10

Maloperation of the LV Distribution System

5.5.10.1 There is no maloperation that could be reasonably anticipated.


5.5.11

Worst Case Failure of the LV Distribution System

5.5.11.1 The worst case failure in the LV distribution system will be a short circuit of the 220V Engine
control console distribution board, leading to loss of the ME where both of the control system power
supplies are fed by the 220V ECC distribution board. Loss of the ME will cause loss of T6. The failure
effect of the ECC dist. Board will not exceed the WCFDI. However, there is another concern, in that one of
the power supply units for each of the four generators is fed from the common ECC 220Vac board. In the
event of a short circuit at the board, this may lead to an overcurrent through the system, which may
damage the supply units of all four generators. This has to be clarified with the vendors, and a
discrimination analysis report is recommended.


THRUSTERS

6.1

INTRODUCTION

6.1.1

Drawing reference


Approval drawings Brunvoll Tunnel Thruster Unit Type FU-100-LTC-2750-2200kW with Electric Drive System
Approval drawings Brunvoll Tunnel Thruster Unit Type FU-100-LTC-2450-2200kW with Electric Drive System
Approval drawings Brunvoll Retractable Azimuth Thruster Unit Type AR-100-LNC-2600 2500kW with Electric Drive System
Approval drawings Brunvoll Thruster Units Type FU-100-LTC-2450, Type FU-100-LTC-2750, Type AR-100-LNC-2600
Installation manual BCP with BCX
Technical Specification Steering Gear
Technical data sheet 04.43.01 Rev 18

6.1.2

Overview

6.1.2.1

The 157K Shuttle Tanker is equipped with six thrusters: two bow tunnel thrusters, one bow
azimuth thruster, one stern azimuth thruster, one stern tunnel thruster and one engine driven main
propulsion CPP unit.

6.1.2.2

All thrusters, CPP and steering gear have independent sensors to the DP system as well as local
indicators for the pitch, azimuth and angle feedback.

6.1.2.3

Thrusters arrangement - please refer to figure 6-1 for details.

Figure 6-1 Arrangement of Thrusters (thruster labels: BT1 = T1, BT2 = T2, BAZ3 = T3, SAZ4 = T4, ST5 = T5, CPP6 = T6)


6.1.3


Thruster Particulars
Table 6-1 Tunnel Thruster Motor Particulars

Item | Bow Tunnel Thruster Motor Particulars | Stern Tunnel Thruster Motor Particulars
Thruster Type | FU100LTC2750 (No.1 and No.2 Bow thruster, T1 & T2) | FU100LTC2450 (Stern Thruster, T5)
Prime Mover | Electric motor | Electric motor
Prime Mover | Vertical type, squirrel cage, induction motor | Vertical type, squirrel cage, induction motor
Rated Input Power | 2200kW | 2200kW
Rated Input Speed | 890 RPM | 890 RPM
Propeller Type | 4 bladed, Kaplan design, controllable pitch type | 4 bladed, Kaplan design, controllable pitch type
Thrust | 285kN (nominal value) | 275kN (nominal value)

Item | Azimuth Thruster Motor Particulars | CPP & Rudder
Thruster Type | AR100LNC2600 (bow and stern T3 & T4) | CPP: BCP 2000 (T6); Steering Gear: IRV4200-2
Prime Mover | Electric motor | MAN B&W 6S70ME-28.2 TIER II main engine
Prime Mover | Vertical type, squirrel cage, induction motor | Two stroke, single acting non-reversible, crosshead type marine diesel engine with constant pressure turbo charging
Rated Input Power | 2500kW | 15200 kW
Rated Input Speed | 710 RPM | 82 RPM
Propeller Type | 4 bladed, Kaplan / Wageningen 37, symmetric design, controllable pitch type | 4 Propeller blade, controllable pitch type
Material of propeller | Nickel-Aluminium Bronze | Bronze
Thrust | 400kN (bollard pull) |

6.1.4

Redundancy concept

6.1.4.1

Although each thruster is almost entirely independent of the other thrusters, it is necessary to consider the
possibility that a loss of position or heading can occur due to malfunction of the Torque or Steering control
system. For the purpose of this analysis, the discussion of thruster failure is divided into sections on:
1. Lubrication
2. Steering (Azimuth and CPP)
3. Thruster auxiliaries
4. Azimuth control
5. Pitch control
6. Emergency stops


6.2

THRUSTER MECHANICAL COMPONENTS AND MOTOR

6.2.1

Drawing reference


Technical specification Brunvoll Tunnel Thruster Unit (Bow Tunnel Thrusters) Rev 16.11.2011
Technical specification Brunvoll Tunnel Thruster Unit (Stern Tunnel Thrusters) Rev 07.06.2011
Technical specification Brunvoll Retractable Azimuth Thruster Rev 07.10.2011
Piping diagram in Engine Room 200M241001MB Rev C
Hull Piping Diagram 200F241001PB Rev C
6.2.2

Tunnel Thruster motor

6.2.2.1

The tunnel thruster motor specifications are shown in Table 6-2.


Table 6-2 Tunnel Thruster Motor Details

Item | Tunnel Thruster 1 & 2 | Tunnel Thruster 5
Construction | Squirrel cage | Squirrel cage
Cooling | Fresh water cooled | Fresh water cooled
Rated Output | 2200kW | 2200kW
Operating voltage | 6600V | 6600V
Phases | 1 x 3 phase | 1 x 3 phase
Rated speed | 890 RPM | 890 RPM
Rated frequency | 60 Hz | 60 Hz

6.2.3

Azimuth Thruster Motor

6.2.3.1

The azimuth thruster motor specification details are shown in Table 6-3.
Table 6-3 Azimuth Thruster Motor Specifications

Item | Azimuth Thruster Motor Particulars
Construction | Squirrel cage
Cooling | Fresh water cooled
Rated Output | 2500kW
Operating voltage | 6600V
Phases | 1 x 3 phase
Rated speed | 710 RPM
Starting Method | Auto Transformer
Rated frequency | 60 Hz
Input shaft speed | 710 RPM
Propeller Speed | 249 RPM


6.2.4


Failure modes of the thruster motors


1. Motor fails to reach full speed
2. Overheating of motor winding
3. Excessive vibration

6.2.5

Effects of thruster motor faults

6.2.5.1

Motor fails to reach full speed: Insufficient line voltage at motor terminals or a fault (open, short, earth) on
a stator winding could affect motor operation. This could be caused by a number of faults and should be
investigated before continuing to use the motor. Some minor faults have the potential to develop into
major electrical and mechanical failures.

6.2.5.2

Overheating of motor winding: This may be caused by insufficient lubrication or contaminated lubricant.
This should be alarmed at the ICMS when it reaches the 1st stage level and will result in a drive trip if it
progresses to 2nd stage level.

6.2.5.3

Excessive vibration: This may be caused by mechanical damage. If this condition is detected, the cause of
the problem will have to be investigated as this could develop into a major mechanical failure.

6.3

TUNNEL THRUSTER COOLING SYSTEM

6.3.1

Drawing reference
Technical specification Brunvoll Tunnel Thruster Unit (Bow Tunnel Thrusters) Rev 16.11.2011
Technical specification Brunvoll Tunnel Thruster Unit (Stern Tunnel Thrusters) Rev 07.06.2011
Technical specification Brunvoll Retractable Azimuth Thruster Rev 07.10.2011
Piping diagram in Engine Room 200M241001MB Rev C
Hull Piping Diagram 200F241001PB Rev C

6.3.2

Description

6.3.2.1

Refer to Figure 2.18. The electric motors for the tunnel thrusters are FW cooled and the hydraulic system
is air cooled. Therefore the temperature in the thruster compartment has to be kept at a certain
temperature to provide cooling for the hydraulic system.

6.3.2.2

The thruster lube oil system is cooled through heat transferred between the thruster and the surrounding
sea water.


Figure 6-2 Tunnel Thruster Hydraulics (diagram labels: Gravity Tank, Hand Pump, Filter, Servo Pump, Power Unit Servo used for controllable pitch application, Oil to Gear Housing, Oil to Shaft Seal System, Drain, Air Bleeding, Drain from Shaft Sealing System, Drain from Gear Housing, Shaft Seal Arrangement)

6.3.3

Failure modes of the tunnel thruster mechanical part and its auxiliaries
1. Loss of one of the thruster hydraulic oil pumps.
2. Blocked hydraulic oil suction filter.
3. Pipe failure on the thruster hydraulic oil system.
4. Contamination of the hydraulic oil system.
5. Unforeseen catastrophic failure of a component part (manufacturer's component fails within its
expected lifespan).

6.3.4

Tunnel thrusters failure effects (thruster mechanical part and its auxiliaries)

6.3.4.1

Loss of one of the thruster hydraulic oil pumps: The failure of one of the thruster hydraulic oil pumps would
be indicated on the local control panel and the ICMS. On the failure of the running hydraulic pump, the
standby hydraulic pump will auto start.


6.3.4.2

Blocked hydraulic oil suction filter: A blocked hydraulic oil suction filter would restrict flow through the
pump to the hydraulic oil system. When the pressure switch detects the pressure drop it will initiate the
standby hydraulic pump to start running.

6.3.4.3

Pipe failure on the thruster hydraulic oil system: Pipe work failure in the hydraulic system on the supply to
the thruster would drain the system and limit the circulation of hydraulic oil. This would be alarmed on the
local control panel and ICMS as a low lube oil level alarm. Leaks in the pipe work are likely to start as a
relatively low flow rate which should be detected during regular watch keeping. Piping is considered as
passive components and would not be considered for the review of Dynpos AUTR.

6.3.4.4

Contamination of the hydraulic oil system: This is not a consideration as the hydraulics are air cooled and
not considered to be susceptible to contamination.

6.3.4.5

Unforeseen catastrophic failure of a component part (manufacturer's component fails within its expected
lifespan): It is difficult to quantify this type of failure as, provided all manufacturing processes are properly
adhered to, it should not happen. Areas where this would be most critical are the bearings, gear teeth
and the internal pipe work.

6.4

AZIMUTH THRUSTER COOLING SYSTEM

6.4.1

Drawing reference
Technical specification Brunvoll Retractable Azimuth Thruster Rev 07.10.2011
Piping diagram in Engine Room 200M241001MB Rev C
Hull Piping Diagram 200F241001PB Rev C


6.4.2


Description

Figure 6-3 Azimuth Thruster Hydraulic System (diagram labels: To F.W Exp Tk, From FW Cooling Pump, Gravity Tank, CJC Filter Separator, Hyd. Power Pack)

6.4.2.1

Azimuth Thruster Hydraulic System: The Brunvoll AR100LNC2600 retractable azimuth thruster is rotatable
through 360° with a Kaplan design controllable pitch propeller in a symmetric nozzle for optimal thrust
performance in both directions. The thruster unit can be lowered into the operating position and retracted
into the hull by means of hydraulically operated lifting equipment. There are two hydraulic pumps that are
used for the azimuth turning motors, propeller pitch mechanism, lowering/retracting of the thruster and
operating of the locking devices.

6.4.2.2

The steering hydraulic motor is governed by solenoid valves in order to ensure rapid and precise
response. Steering direction and azimuth rate of turn are controlled by changeover type proportional
solenoid valves which are electronically controlled. As for the CPP system, pitch directions
(ahead and astern) and control speed (pitch response time) are controlled by a changeover type
proportional solenoid valve.

6.4.2.3

The hydraulic oil from the brake valve and proportional solenoid valve flows to the oil cooler and is cooled
by the fresh water. After cooling, the hydraulic oil is directed to the thrusters.


6.4.2.4

Fresh water from the forward freshwater cooling system supplies cooling to the azimuth thruster (T3)
hydraulic oil coolers. SAZ4 (T4) is part of the GE No.3/4 freshwater cooling system. Both fresh water
cooling systems have local temperature monitoring only.

6.4.3

Failure modes of the azimuth thruster mechanical part and its auxiliaries
1. Loss of one of the hydraulic oil pumps.
2. Failure of thruster retraction pump.
3. Blocked hydraulic oil suction filter.
4. Blocked hydraulic oil line filter.
5. Contamination of the hydraulic oil system.
6. Pipe work failure on the hydraulic system.
7. Failure of the steering actuator 3-4 way proportional valve to one position.
8. Loss or reduction of cooling water to the thruster lube oil cooler.
9. Unforeseen catastrophic failure of a component part (manufacturer's component fails within its
expected lifespan).

6.4.4

Azimuth Thrusters failure effects (thruster mechanical part and its auxiliaries)

6.4.4.1

Loss of one of the hydraulic oil pumps: The failure of the thruster hydraulic oil pump would be indicated on
the local control panel and the ICMS as a low lube oil pressure alarm. When the hydraulic oil pressure is
low, the standby pump will auto start to continue operation.

6.4.4.2

Failure of retraction pump: This will have no effect on the operability of the thruster.

6.4.4.3

Blocked hydraulic oil suction filter: A blocked suction filter would restrict flow through the pump and the
hydraulic system. This can be detected if the pressure drop across the filters is high.

6.4.4.4

Blocked hydraulic oil line filter: A blocked line filter would restrict the flow through the steering and CPP
system. An alarm will be given on the local control panel and ICMS as a Low Hydraulic Oil level alarm
caused by a relatively low flow rate of the hydraulic oil.

6.4.4.5

Contamination of the hydraulic oil system: Core failure on the thruster hydraulic oil cooler could result in
water contamination of the thruster hydraulic oil system; this would emulsify and reduce the lubricating
properties of the oil. Prolonged exposure to emulsified hydraulic oil could cause oxidation of thruster
components over time. The increase in volume of the hydraulic oil system would be alarmed on the local
control panel and the ICMS as a high hydraulic oil level alarm.

6.4.4.6

Pipe work failure on the hydraulic system: Pipe work failure on the hydraulic piping would drain the system
and limit the circulation of hydraulic oil. Low oil level in the reservoir would initiate an emergency stop of
the drive motor. This would be alarmed on the ICMS and local control panel. Leaks in the pipe work are
likely to start as a relatively low flow rate which should be detected during regular watch keeping. Piping is
considered as passive components and would not be considered for the review of Dynpos AUTR.

6.4.4.7

Failure of the steering actuator 3-4 way proportional valve to one position: If the 3-4 way proportional valve
were to fail to the neutral position, the swash plate would be kept in the neutral position where charge oil
supply, through the sequence pressure limiting bypass valves, would keep the steering motors and loop
flushing valve hydraulically locked. If the proportional valve were to fail in an active position, the swash
plate would be maintained to direct the variable displacement pump to continue pumping in that direction.
This would cause the thruster to rotate clockwise or anti-clockwise, which is eventually alarmed on the DP
system as a prediction error. Eventually the thruster is automatically deselected from DP. This could not
be tested during the proving trials: as per the attending Brunvoll engineer's advice, this failure could not
be achieved as the terminals are located on the Brunvoll thruster PCB itself.


6.4.4.8

Loss or reduction of cooling water to the oil cooler: Loss or reduction of fresh water to the thruster
hydraulic oil cooler would be indicated by higher operating temperatures. High hydraulic fluid temperatures
in the hydraulic reservoir would initiate an emergency stop of the drive motor. This is alarmed on the local
control panel and ICMS.

6.4.4.9

Unforeseen catastrophic failure of a component part (manufacturers component fails within its expected
lifespan): It is difficult to quantify this type of failure as, provided all manufacturing processes are properly
adhered to, then it should not happen. Areas where this would be most critical are the winding, motors,
and the internal pipe work.

6.4.5

Hidden azimuth thruster failures

6.4.5.1

The contamination of the steering hydraulic system by fresh water from the cooler cores on the hydraulic
oil cooler would not be detected if the hydraulic oil reservoir is not monitored for high tank level. This could
be remedied through regular sampling and testing.

6.4.5.2

Inability to auto changeover the power supply to the hydraulic pumps due to power failure may lead to
loss of the particular azimuth thruster.

6.4.6

Common mode failure affecting the azimuth thrusters

6.4.6.1

Tunnel thrusters No.1 and No.2 and azimuth thruster No.3 are part of the forward freshwater cooling
system. A burst cooler in those systems would result in some of the thrusters eventually tripping on high
operating temperatures. On the forward freshwater system there are four manually operated crossover
valves between section 2 (Bow thrusters No.2 and azimuth thruster No.3) and section 1 (thruster 1). If
these valves could be operated in time this would prevent loss of consumers in the system. Mitigation to
aid this is a low level alarm in the head tank, a bilge alarm in the near vicinity of the cooler and a
differential pressure alarm across the cooler.

6.4.6.2

Thruster No.4 is part of the GE No.3/4 freshwater cooling system. A burst cooler in the system would
result in the failure of these and other thrusters fed from MSB 2 as Generators No.3 and No.4 are in the
same circuit.

6.4.7

Azimuth thruster configuration errors that could defeat redundancy

6.4.7.1

Bow azimuth thruster No.3 can be connected to either MSB1 or MSB2. Normal operation is to run it on
MSB2. If the thruster is run on MSB1 and the board were lost, it would most likely cause loss of position
due to having only bow tunnel thruster No.2 and stern azimuth thruster No.4 remaining. In mitigation, the
configuration has to be recorded in the operation procedures and a sign is to be made in the ECR.

6.4.8

Maloperation of the azimuth thrusters

6.4.8.1

As the hydraulic oil systems could be exposed to water contamination; failure to take regular samples for
testing of the lubricating oil/hydraulic oil could lead to multi-system failure.

6.4.9

Worst case failure Azimuth thruster (motor and mechanical part)

6.4.9.1

Catastrophic mechanical failure or motor failure will be the worst case failure for the azimuth thruster
(motor and mechanical part), as this will lead to loss of the particular azimuth thruster. The remaining
thrusters will compensate for the failure of the azimuth thruster and maintain station.


6.5

MAIN PROPULSION CONTROLLABLE PITCH PROPELLER AND STEERING GEAR

6.5.1

Reference:


Berg Propulsion Installation manual BCP with BCX


6.5.2

Description

6.5.2.1

Refer to figure 6-4. The vessel has one controllable pitch propeller engine supplied by Berg Propulsion.

6.5.2.2

For more information on the Main Engine auxiliary systems please refer to section 2. The propeller system
consists of three main parts:
1.

Mechanical parts for power transformation of propeller rotation.

2.

Hydraulic parts for lubrication and hydraulic control of the equipment.

3.

Electronic control system.

6.5.2.3

The Berg Propulsion controllable pitch propeller can rotate the propeller blades about their own axis. The
rotation of the propeller blades is controlled from the bridge or the engine room. The propeller blades are
hydraulically actuated.

6.5.2.4

The controllable pitch propellers are actuated by pressurised hydraulic oil to control the pitch angle of the
propeller blades. The pressurised oil is guided to the propeller hub through a twin tube which runs through
a hollow bored shaft line. The turning of the propeller blades is managed by applying hydraulic oil pressure
to either side of the piston, which in turn moves the piston rod back and forth.

6.5.2.5

The twin tube, propeller shaft and bearings are installed in a stern tube which is filled with pressurised oil
for lubrication purposes. The stern tube header tank contains the oil at a certain height above sea level to
achieve the required head pressure.


6.5.3


Main Propulsion Mechanical and Hydraulic System

Figure 6-4 Propulsion Controllable Pitch Propeller Hydraulic Diagram (diagram labels: BCX Leakage Tank, Oil Distributor, Gravity Tank, 3 Bar, Moisture Transmitter, Solenoid Valve, Water In, Water Out, Propeller CPP Hyd. Pump No.1, Propeller CPP Hyd. Pump No.2, Propeller CPP Hyd. Pump No.3, Propeller CPP Hyd. Emergency pump, CJC Circulation Unit, M1, M2, M3, E, Hydraulic Tank)



6.5.3.1

The lubrication of the propeller hub is maintained by static pressurised hydraulic oil, guided to the propeller
hub by the hollow bored shaft line. The oil is contained in the hydraulic power pack, which is equipped with
a supplementary gravity tank. The static pressure is achieved by a pump unit on the power pack.
Pressurised oil is necessary to prevent ingress of water in the propeller hub and to maintain sufficient
blade bearing lubrication. To protect the hydraulic system from overpressure, safety valves are included
in the hydraulic system.

6.5.3.2

The hydraulic system pressurised oil enables the turning of the propeller blades. It consists of a hydraulic
power pack unit, three electrically driven hydraulic oil pump units and piping. The three electrical pumps
are fitted in the hydraulic unit. All three hydraulic pumps need to be running in order to achieve maximum
pitching speed.

6.5.3.3

Pump 1 and pump 2 are variable displacement pumps and pump 3 is used for fixed displacement and for
the unloading valve to activate the pitching function.

6.5.3.4

The CPP hydraulic system is equipped with an oil cooler. The medium for cooling is fresh water from the
auxiliary freshwater cooling system, which is also used to cool the stern tube.

6.5.4

Steering Gear

6.5.5

Reference:
Working drawing, Kongsberg Maritime, Steering Control System
Rolls Royce rotary Vane Steering Gear

6.5.6

Description

Figure 6-5: Steering Gear (diagram not reproduced; labelled components: common tank, power unit 1, power unit 2, M, two interconnecting/isolating valves, two relief valves)

6.5.6.1

Refer to figure 6-5; the vessel is fitted with a Becker Rudder and one Rolls Royce Frydenbo Steering
Gear, interfaced to the DP Control System, joystick control unit and emergency manual steering controls.

6.5.6.2

The steering gear has two electrically driven hydraulic pumps. The pumps can operate the steering gear
independently or with both pumps running together. In DP mode, both pumps are to be running. Failure of
one pump will not have any effect on the steering gear apart from slower response.

6.5.6.3

There are two control panels, one mounted in the wheelhouse and the other in the ECR. The wheelhouse
control panel is equipped with start / stop push buttons, steering mode selections, non-follow-up push
buttons and follow-up controllers for independent or simultaneous steering of the rudders. Emergency
controls are located in the steering gear room.

6.5.7

Failure Modes of the CPP and Steering Gear


1. Failure of one of the CPP hydraulic pumps.
2. Failure of proportional valve.
3. Contamination of the CPP hydraulic oil system.
4. Pipe work failure on the CPP hydraulic system.
5. Loss or reduction of cooling water to the CPP hydraulic oil cooler.
6. Unforeseen catastrophic failure of a component part (manufacturer's component fails within its
expected lifespan).
7. Failure of one of the rudder steering gear pumps.
8. Contamination of the hydraulic oil in steering gear system.
9. Pipe work failure on the steering gear hydraulic oil system.

6.5.8

Failure Effects of the CPP and Steering Gear

6.5.8.1

Failure of one of the CPP hydraulic oil pumps: The failure of a CPP hydraulic oil pump would be indicated
on the local control panel and the ICMS as a low lube oil pressure alarm. During DP operations all 3 pumps
need to run, as failure of one pump will reduce the pitching ability of the CPP and leave it unable to
operate to full pitch.

6.5.8.2

Failure of proportional valve: If the proportional valve were to fail to the neutral position, the swash plate
would be kept in the neutral position; pitch will fail at neutral position. If the proportional valve were to fail in
an active position the swash plate would maintain the pitch in the last position. This would cause an alarm
on the DP system with prediction error.

6.5.8.3

Contamination of the CPP hydraulic oil system: Core failure on the CPP hydraulic oil cooler could result in
water contamination of the CPP hydraulic oil system; this would emulsify and reduce the lubricating
properties of the oil. Prolonged exposure to emulsified hydraulic oil could cause oxidation of CPP
components over time. The system is fitted with a water monitoring sensor to activate a warning in the
event of water contamination.

6.5.8.4

Pipe work failure on the CPP hydraulic system: Pipe work failure on the CPP hydraulic piping would drain
the system and limit the circulation of hydraulic oil. Low oil level in the reservoir would initiate an alarm on
the ICMS and local control panel. Leaks in the pipe work are likely to start as a relatively low flow rate
which should be detected during regular watch keeping. Piping is considered as passive components and
would not be considered for the review of Dynpos AUTR.

6.5.8.5

Loss or reduction of cooling water to the CPP Hydraulic oil cooler: Loss or reduction of fresh water to the
CPP hydraulic oil cooler would be indicated by higher operating temperatures. High hydraulic fluid
temperatures in the hydraulic reservoir would initiate an emergency stop of the CPP. This is alarmed on
the local control panel and ICMS.

6.5.8.6

Unforeseen catastrophic failure of a component part (manufacturer's component fails within its expected
lifespan): It is difficult to quantify this type of failure as, provided all manufacturing processes are properly
adhered to, then it should not happen. Areas where this would be most critical are the pumps, proportional
valve and the internal pipe work.

6.5.8.7

Failure of one of the rudder hydraulic pumps: Failure of one of the rudder hydraulic pumps would not
result in loss of the rudder, as there is another backup steering gear hydraulic pump in operation.
(Assumption: both pumps running at the same time whilst on DP).

6.5.8.8

Contamination of the hydraulic oil in steering gear system: Bacterial contamination in the oil tank could
emulsify and reduce the lubricating properties of the oil. Prolonged exposure to emulsified hydraulic oil
could cause oxidation of thruster components over time. Regular testing of the oil would highlight any
contamination problems.

6.5.8.9

Pipe work failure on the steering gear hydraulic oil system: Pipe work failure in the hydraulic oil system
would drain the system and limit the circulation of oil. Low oil level would be alarmed on the ICMS and
local control panel. Leaks in the pipe work are likely to start as a relatively low flow rate which should be
detected during regular watch keeping. Piping is considered as passive components and would not be
considered for the review of Dynpos AUTR.

6.5.9

Hidden Failures of the CPP and Steering Gear

6.5.9.1

The contamination of the CPP and steering gear hydraulic system by fresh water from the cooler cores on
the hydraulic oil cooler would not be detected as the hydraulic oil reservoir is not monitored for high tank
level. This could be remedied through regular sampling and testing.

6.5.10

Common Mode Failures of the CPP and Steering Gear

6.5.10.1 No common mode failure has been identified.


6.5.11

Configuration Errors of the CPP and Steering Gear

6.5.11.1 There is no configuration error for the CPP and steering gear as the CPP is driven by the engine.

6.5.12

Maloperation of the CPP and Steering Gear

6.5.12.1 The hydraulic oil system could be exposed to water contamination; regular samples for testing of the
hydraulic oil should be conducted.

6.5.13

Worst Case Failure of the CPP and Steering Gear

6.5.13.1 Catastrophic mechanical failure or failure of the engine will be the worst case failure for the CPP
(mechanical part) as this will lead to loss of the CPP. The remaining thrusters will take over the role of the
failed CPP for position keeping.

6.6

THRUSTER ELECTRICAL SYSTEMS

6.6.1

References

Approval Drawings Brunvoll Tunnel Thruster Unit Type FU-100-LTC-2750-2200kW with Electrical Drive
system rev. Date 07.10.2011
Approval Drawings Brunvoll Retractable Azimuth Thruster Unit Type AR-100-LNC-2600-2500kW with
Electrical Drive system rev. Date 07.10.2011
S7001s CPP Tech Data and System Diagram
Wiring Diagram of Navi & Comm System

6.6.2

General

6.6.2.1

The Shuttle Tanker is equipped with six thrusters: two bow tunnel thrusters, one bow azimuth
thruster, one stern azimuth thruster, one stern tunnel thruster and one engine driven main propulsion CPP
unit. The three tunnel thrusters and two azimuth thrusters are electrically driven. Please refer to table 6-1
and table 6-2 for details.

6.6.3

Tunnel Thruster Remote Control system


Figure 6-6: Thruster Remote Control System (diagram not reproduced; labelled blocks: thruster manual control, DP, IJS, thruster controller, 220Vac main power, 24Vdc backup power, solenoid valve, blade angle transmitter)

6.6.3.1

Refer to Figure 6-6. This tunnel thruster (Controllable Pitch Propeller type) remote control system is
designed to control the thruster blade angle by operating the control levers provided in the wheelhouse,
the independent joystick and the DPS. This is done by employing microcomputers with overload protection
functions for the main motor. In addition, the main motor and auxiliaries can be started and stopped from
the W/H.

6.6.3.2

There are two electronic cabinets for each Brunvoll Tunnel Thruster, one unit on the Bridge and the other
in the thruster room. Power supply for the electronic cabinets and the main and auxiliary control panels is
taken from a 220 VAC source and a backup 24VDC supply. These sources are fed to the electronic
cabinet on the bridge and from this cabinet supplied to the other consumers described earlier.

6.6.3.3

The thruster control system provides communications between the thruster and thruster control unit. In
addition to the control signals, multiple sensors and transducers are provided for monitoring. The
Kongsberg system controls the thrust of the tunnel thrusters through the Brunvoll Electronic Cabinet
located on the bridge.

6.6.3.4

Hydraulic pitch control: The propeller blade pitch is used to adjust the magnitude and direction of thrust
from each tunnel thruster. Pitch angle is set by the position of a hydraulic piston mounted in each propeller
hub. The hydraulic pressure to change the piston's position is provided by redundant hydraulic pumps and
electro-hydraulic control valves to change the flow of oil to the oil distribution box and increase or decrease
the piston position. An electronic control system controls each thruster electro-hydraulic control valve.
Other hydraulic valves regulate pressure and release overpressures. The pitch system has high and low
pressure switches for alarm only and an oil pressure failure switch that stops the drive motor. Pitch
position is given via mechanical feedback and transducers supply the pitch feedback for display and
control.

6.6.3.5

Electronic Pitch Control: Each thruster has an electronic control system for monitoring and control. Each
electronic control system monitors which system is in command, the pitch request from the system in
command and the control transducer feedback showing the current pitch setting. The system compares
the current pitch setting with the required pitch setting and uses the pitch difference to operate the valve.
This pitch difference is sent as a 10V control valve command, opening the valve by a proportional
amount in the direction to correct the command feedback difference. As the actual pitch approaches the
commanded value the proportional control will slow down the rate of change. The 10V valve command
can be seen as a rate of change command. When the pitch feedback is within tolerance of the pitch
command, the controller sends a 0V command and the valve is closed. The signal to the Brunvoll thruster
control unit is 10V; however, the signal is converted to a 4-20mA DP feedback signal. The order signal
from DP to the thruster is a 4-20mA command signal. The Brunvoll thrusters will trip or will issue an open
ready signal when the pitch control fails. The thruster will be deselected from the DP system.

6.6.3.6

Drive Control: The starters are auto transformers. The thrusters can be started and stopped from the
wheelhouse control panel. The drive motor starter interlocks for zero pitch, starter ready and sufficient
pitch pressure prevent the motor from starting up until the required criteria are met. Once the motor has
started, its starter closes the running contact to the ECU to indicate it is ready for use. The starter provides
a load signal to the ECU for overload protection.

6.6.3.7

Each thruster control system monitors the health of its thruster system and controls the pitch to match the
local or remote commands. If DP control is selected, then the DP system controls and monitors the
thrusters over dedicated hardwire connections. If IJS control is selected, the IJS system controls and
monitors the thrusters over its own set of dedicated hardwire connections which are separate from DP. If
the system does not meet the criteria for safe and reliable operation then it will shut down. It highlights
system alarms on the local panel and thruster remote panels on the bridge. The thruster control system
supplies pitch indication to the bridge and DP control system.

6.6.3.8

Adequate protection is assumed to be in place to protect the thruster control system, and a selectivity
analysis has been conducted and approved by the class society.

6.6.3.9

Interface: each tunnel thruster has a separate DP request contact from the DP/ Manual/ Joystick
changeover switch to thruster control unit. The DP controller interface consists of the thruster ready signal,
4-20mA pitch command and feedback signals.

6.6.4

Failure modes of the tunnel thrusters Control System


1. Failure of 220Vac supply to thruster control panel.
2. Failure of 24Vdc supply to thruster control panel.
3. Failure of the thruster control unit.
4. Wire break or failure of thruster ready signal.
5. Wire break or failure of thruster pitch command signal from DP.
6. Wire break or failure of thruster pitch command signal from ECU signal to thruster.
7. Wire break or failure of thruster pitch feedback signal from DP signal.
8. Wire break or failure of thruster pitch feedback signal from ECU signal to thruster.

6.6.5

Failure Effects of the Tunnel Thrusters Control System

6.6.5.1

Failure of 220Vac supply to thruster control panel: Loss of 220V supply to the thruster control panel will
not affect the operation of the thruster; the control system continues to run on back up 24Vdc power
supply. An alarm will be generated for 220V AC power supply failure.

6.6.5.2

Failure of 24Vdc supply to thruster control panel: Loss of 24Vdc supply to the thruster control panel will not
affect the operation of the thruster; the control system continues to run on 220Vac power supply. An alarm
will be generated for 24Vac power supply failure.

6.6.5.3

Failure of thruster control unit: As each thruster is independent in terms of its control philosophy, failure
of one thruster control unit will not affect the other units. The thruster pitches to zero, an alarm will be
generated on the thruster control panel and the thruster is deselected from the DP system.

6.6.5.4

Wire break or failure of thruster ready signal: will initiate a thruster not ready for DP alarm, thruster pitch
will go to zero and DP deselects the thruster. An alarm will be generated on the thruster control panel and
DP system.

6.6.5.5

Wire break or failure of thruster pitch command signal from DP: will not cause the thruster drive motor to
stop. A thruster not ready alarm is initiated on the DP panel, thruster pitch freezes and the thruster is
deselected from DP.

6.6.5.6

Wire break or failure of thruster pitch command signal from ECU to thruster: will not cause the thruster
drive motor to stop. Thruster pitch freezes and the thruster is rejected from DP.

6.6.5.7

Wire break or failure of thruster pitch feedback signal from DP: The DP will receive Thruster X input error
force and RIO:Open loop/cable break alarms, with the predicted calculated value shown in red text on
the main DP mimic.

6.6.5.8

Wire break or failure of thruster pitch feedback signal from ECU to thruster: will not cause the thruster
drive motor to stop. A thruster not ready alarm is initiated on the DP panel, thruster pitch freezes and
the thruster is deselected from DP.

6.7

AZIMUTH THRUSTER ELECTRICAL SYSTEMS

6.7.1

Thruster Electrical Systems

6.7.2

References
Approval Drawings Brunvoll Retractable Azimuth Thruster Unit Type AR-100-LNC-2600-2500kW with
Electrical Drive system rev. Date 07.10.2011
S7001s CPP Tech Data and System Diagram
Wiring Diagram of Navi & Comm System

6.7.3

Azimuth Thruster Remote Control system


Figure 6-7: Azimuth Thruster Remote Control System (diagram not reproduced; labelled blocks: thruster manual control, DP, IJS, thruster controller, 220Vac main power, 24Vdc backup power, solenoid valve, blade angle transmitter, steering gear, azimuth transmitter)

6.7.3.1

Refer to figure 6-7. This retractable azimuth thruster remote control system is designed to control the
steering and thruster blade angle by operating any of the control levers provided in the wheelhouse,
the independent joystick and the DPS. This is done by employing microcomputers with overload protection
functions for the main motor. In addition, the main motor and auxiliaries can be started and stopped from
the Wheelhouse.

6.7.3.2

There are two electronic cabinets for each Brunvoll Azimuth Thruster, one unit on the Bridge and the other
in the thruster room. Power supply for the electronic cabinets and the main and auxiliary control panels is
taken from a 220 VAC source and a backup 24VDC supply. These sources are fed to the electronic
cabinet on the bridge and from this cabinet supplied to the other consumers described earlier.

6.7.3.3

The thruster control system provides communications between the thruster and thruster control unit. In
addition to the control signals, multiple sensors and transducers are provided for monitoring. The
Kongsberg system controls thruster direction and pitch through the Brunvoll Electronic Cabinet located on
the bridge.

6.7.3.4

Hydraulic Steering control: The steering hydraulic system houses the steering thruster control box, in
which the controller converts the command signal from the DP system to control the hydraulic steering by
solenoid valve. The steering hydraulic motor is governed by solenoid valves. Steering direction and speed
are controlled by a changeover type proportional solenoid valve. The thruster control box also houses the
terminal connections for the switches, sensors, and transducers to be monitored by the vessel monitoring
system.

6.7.3.5

Hydraulic pitch control: CPP direction and control speed are controlled by a changeover type proportional
solenoid valve, which allows the electronic control system to make rapid and precise changes.

6.7.3.6

Electronic Pitch Control: Each thruster has an electronic control system for monitoring and control. Each
electronic control system monitors which system is in command, the pitch request from the system in
command and the control transducer feedback showing the current pitch setting. The system compares
the current pitch setting with the required pitch setting and uses the pitch difference to operate the valve.
This pitch difference is sent as a 4-20mA control valve command, opening the valve by a proportional
amount in the direction to correct the command feedback difference. As the actual pitch approaches the
commanded value the proportional control will slow down the rate of change. The 4-20mA valve command
can be seen as a rate of change command. When the pitch feedback is within tolerance of the pitch
command, the controller sends a 12mA command and the valve is closed. The signal between the
Brunvoll azimuth thruster control unit and the DP system is a 4-20mA feedback signal. The azimuth
thrusters will trip or will issue an open ready signal when the pitch control fails. The thruster will be
deselected from the DP system.

6.7.3.7

Electronic azimuth control: The thruster control box monitors which system is in command, the azimuth
request from the system in command and the control transmitter feedback showing the current thruster
direction. The system compares the current thruster direction with the required azimuth setting and uses
the azimuth difference to operate the proportional valve. This azimuth difference is sent as a 4-20mA
control valve command, opening the valve by a proportional amount in the direction to correct the
command feedback difference. As the actual direction approaches the commanded value the proportional
control will slow down the rate of change. The 4-20mA valve command can be seen as a rate of change
command. When the azimuth feedback is within tolerance of the azimuth command, the controller sends a
12mA command and the valve is closed.
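
The proportional loop described in 6.7.3.6 and 6.7.3.7, as an added example that is not part of the original report or of any vendor's code: a Python model of the 4-20mA valve command with 12mA as the closed position, plus the wire-break effects listed in 6.7.5.5 and 6.7.5.10. The gain, tolerance, slew rate, the 3.6mA break threshold and the mapping of 4-20mA onto -100..+100 % pitch are assumptions chosen for illustration.

```python
"""Toy model of the 4-20 mA proportional pitch loop in 6.7.3.6 (added example)."""
from dataclasses import dataclass

LIVE_ZERO_MA = 4.0      # bottom of the 4-20 mA range
FULL_SCALE_MA = 20.0    # top of the range
NEUTRAL_MA = 12.0       # from the report: a 12 mA command closes the valve
# Everything below is an assumption for illustration, not vendor data.
BREAK_BELOW_MA = 3.6    # loop current under this is treated as a wire break
GAIN_MA_PER_PCT = 0.4   # proportional gain: mA of valve command per % pitch error
TOLERANCE_PCT = 0.5     # dead band in which the valve is held closed
RATE_PCT_PER_S_PER_MA = 2.5  # pitch slew rate per mA of valve opening


def pitch_to_ma(pitch_pct):
    """Encode -100..+100 % pitch on a 4-20 mA loop (0 % pitch = 12 mA)."""
    return NEUTRAL_MA + pitch_pct / 100.0 * (FULL_SCALE_MA - NEUTRAL_MA)


def ma_to_pitch(current_ma):
    """Decode loop current to % pitch; None means open loop / wire break."""
    if current_ma < BREAK_BELOW_MA:
        return None
    clamped = min(max(current_ma, LIVE_ZERO_MA), FULL_SCALE_MA)
    return (clamped - NEUTRAL_MA) / (FULL_SCALE_MA - NEUTRAL_MA) * 100.0


def valve_command_ma(command_pct, feedback_pct):
    """Proportional valve command: 12 mA inside tolerance, else offset by the error."""
    error = command_pct - feedback_pct
    if abs(error) <= TOLERANCE_PCT:
        return NEUTRAL_MA
    raw = NEUTRAL_MA + GAIN_MA_PER_PCT * error
    return min(max(raw, LIVE_ZERO_MA), FULL_SCALE_MA)


@dataclass
class PitchLoop:
    pitch_pct: float = 0.0   # actual blade pitch
    ready: bool = True       # "thruster ready" signal towards DP (latched off)

    def step(self, command_ma, feedback_ma, dt=0.1):
        """Advance one control cycle and return the valve command in mA."""
        command = ma_to_pitch(command_ma)
        feedback = ma_to_pitch(feedback_ma)
        if feedback is None:
            # 6.7.5.10: feedback lost -> valve closed, pitch frozen, not ready.
            self.ready = False
            valve = NEUTRAL_MA
        elif command is None:
            # 6.7.5.5: DP pitch command lost -> pitch driven to zero, not ready.
            self.ready = False
            valve = valve_command_ma(0.0, feedback)
        else:
            valve = valve_command_ma(command, feedback)
        # The valve command acts as a rate-of-change command on the pitch.
        self.pitch_pct += (valve - NEUTRAL_MA) * RATE_PCT_PER_S_PER_MA * dt
        return valve


def run(loop, command_ma, steps, feedback_broken=False):
    """Drive the loop with a fixed command; return the list of valve commands."""
    trace = []
    for _ in range(steps):
        # A broken feedback wire is modelled as 0 mA on the loop (constructed input).
        feedback_ma = 0.0 if feedback_broken else pitch_to_ma(loop.pitch_pct)
        trace.append(loop.step(command_ma, feedback_ma))
    return trace


if __name__ == "__main__":
    loop = PitchLoop()
    trace = run(loop, pitch_to_ma(50.0), 100)
    print(f"healthy: pitch={loop.pitch_pct:.1f}% last valve cmd={trace[-1]} mA")
    run(loop, pitch_to_ma(-100.0), 50, feedback_broken=True)
    print(f"feedback break: pitch={loop.pitch_pct:.1f}% ready={loop.ready}")
```

The live zero is what makes the wire break detectable: a healthy loop never carries less than 4mA, so 0mA cannot be mistaken for a valid pitch value.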

6.7.3.8

Drive Control: The starters are auto transformers. The thrusters can be started and stopped from the local
controller or the bridge panel. The drive motor start interlocks for the thruster at its lowered position, zero
pitch and sufficient pitch pressure prevent the motor from starting up until the required criteria are met.
Once the motor has started, its starter closes the running contact to the ECU to indicate it is ready for use.
The starter provides a load signal to the ECU for overload protection.

6.7.3.9

Each thruster control system monitors the health of its thruster system and controls the pitch to match the
local or remote commands. If DP control is selected, then the DP system controls and monitors the
thrusters over dedicated hardwire connections. If IJS control is selected, the IJS system controls and
monitors the thrusters over its own set of dedicated hardwire connections which are separate from DP. If
the system does not meet the criteria for safe and reliable operation then it will shut down. It highlights
system alarms on the local panel and thruster remote panels on the bridge.

6.7.3.10 The thruster control system supplies pitch indication to the bridge and DP control system. Bow azimuth
thruster No.3 control unit receives 220Vac supply from the No.2 AC220 navigation instrument distribution
panel in parallel with the No.2 battery charger and discharger board 24Vdc Distribution board. The Stern
Azimuth thruster No.4 control unit receives 220Vac supply from the No.1 AC 220 navigation instrument
distribution panel in parallel with the No.1 battery charger and discharger board 24Vdc distribution board.
The control is transferred between the bridge as well as given to the DP or IJS system.

6.7.3.11 Interface: each tunnel thruster has a separate DP request contact from the DP/ Manual/ Joystick
changeover switch to thruster control unit. The DP controller interface consists of the thruster ready signal,
4-20mA pitch command and feedback signals.

6.7.4

Failure modes of the azimuth thrusters control system


1. Failure of 220Vac supply to thruster control panel.
2. Failure of 24Vdc supply to thruster control panel.
3. Failure of the thruster control unit.
4. Wire break or failure of thruster ready signal.
5. Wire break or failure of thruster pitch command signal from DP.
6. Wire break or failure of thruster pitch command signal from ECU signal to thruster.
7. Wire break or failure of thruster Azimuth command signal from DP.
8. Wire break or failure of thruster Azimuth command signal from ECU signal to thruster.
9. Wire break or failure of thruster pitch feedback signal from DP signal.
10. Wire break or failure of thruster pitch feedback signal from ECU signal to thruster.
11. Wire break or failure of thruster azimuth feedback signal from DP signal.
12. Wire break or failure of thruster azimuth feedback signal from ECU signal to thruster.

6.7.5

Failure Effects of the Azimuth Thrusters

6.7.5.1

Failure of 220Vac supply to thruster control panel: Loss of 220V supply to the thruster control panel will
not affect the operation of the thruster, the control system continues to run on back up 24Vdc power
supply. An alarm will be generated for 220V AC power supply failure.

6.7.5.2

Failure of 24Vdc supply to thruster control panel: Loss of 24Vdc supply to the thruster control panel will not
affect the operation of the thruster; the control system continues to run on 220Vac power supply. An alarm
will be generated for 24Vac power supply failure.

6.7.5.3

Failure of thruster control unit: Failure of one thruster control unit will not affect the other units. The
thruster pitches to zero, an alarm will be generated on the thruster control panel and the thruster is
deselected from the DP system.

6.7.5.4

Wire break or failure of thruster ready signal: will initiate a thruster not ready for DP alarm, thruster pitch
goes to zero and DP deselects the thruster. An alarm will be generated on the thruster control panel and
DP system.

6.7.5.5

Wire break or failure of thruster pitch command signal from DP: will not cause the thruster drive motor to
stop. A thruster not ready alarm is initiated on the DP panel, thruster pitch goes to zero, azimuth goes to
0 / 180 and the thruster is deselected from DP.

6.7.5.6

Wire break or failure of thruster pitch command signal from ECU to thruster: will not cause the thruster
drive motor to stop. A thruster not ready alarm on the DP panel is issued, thruster pitch is frozen, azimuth
goes to zero and is deselected from DP. Vessel maintains position with remaining thrusters.

6.7.5.7

Wire break or failure of thruster azimuth command signal from DP: will not cause the thruster drive motor
to stop. A thruster not ready alarm on the DP panel is initiated, the thruster is deselected from DP,
thruster azimuth freezes and pitch goes to zero. Vessel maintains position with remaining thrusters.

6.7.5.8

Wire break or failure of thruster azimuth command signal from ECU to thruster: will not cause the thruster
drive motor to stop. A thruster not ready alarm on the DP panel is initiated, the thruster is deselected
from DP, thruster azimuth is frozen and pitch goes to zero. Vessel maintains position with remaining thrusters.

6.7.5.9

Wire break or failure of thruster pitch feedback signal from DP: A prediction error alarm is initiated on the
DP panel, thruster pitch follows the command signal.

6.7.5.10 Wire break or failure of thruster pitch feedback signal from ECU to thruster: will not cause the thruster
drive motor to stop. A thruster not ready alarm is initiated on the DP panel, thruster pitch is frozen,
azimuth goes to zero and the thruster is deselected from DP. Vessel maintains position with remaining thrusters.

6.7.5.11 Wire break or failure of thruster azimuth feedback signal from DP: A prediction error alarm is initiated on
the DP panel, thruster azimuth continues to follow the command signal.

6.7.5.12 Wire break or failure of thruster azimuth feedback signal from ECU to thruster: will cause the thruster drive
motor to stop. A thruster not ready alarm is initiated on the DP panel, thruster pitch goes to zero, azimuth is
frozen and the thruster is deselected from DP. Vessel maintains position with remaining thrusters.

6.8

PROPULSION CONTROLLABLE PITCH PROPELLER CONTROL SYSTEM

6.8.1

References
Berg Propulsion Installation manual Controllable Pitch Propeller and Propulsion equipment
S7001 AC C20(MAKER DWG)

Figure 6-8: Propulsion CPP Control System (diagram not reproduced; labelled blocks: remote control system, main engine, local control or zero pitch system, hub lubrication gravity tank, BCX leakage tank, oil distributor type BCX, hydraulic tank, moisture monitoring, sterntube and bearings, propeller and hub)

6.8.1.1

The propeller in this vessel is controlled by Berg local and zero pitch CPP control unit EC60629. It is
interfaced with Kongsberg's bridge manoeuvring system - Auto Chief C20 for the purpose of remote control
operation and monitoring.

6.8.1.2

All user interfaces during normal operations are via control panels located at various locations. The
propeller can be controlled and monitored from the following control stations:
1. ME LOP cabinet
2. Wheelhouse CPP backup control panel
3. ECR CPP backup control panel
4. Berg CPP Control LCU

6.8.1.3

All these cabinets/control panels are connected to Kongsberg's bridge manoeuvring system - Auto Chief
C20.

6.8.1.4

Auto Chief C20 is the main engine monitoring and control system used in this vessel. The main engine
monitoring information is available in K-Chief 600 Alarm monitoring and control system as well.

6.8.2

Failure Modes of Controllable Pitch Propeller Control System


1. Loss of main 24V DC supply to Auto Chief C20.
2. Loss of backup 24V DC supply to Auto Chief C20.
3. Loss of 24V DC supply to Berg local and zero pitch CPP control unit EC60629 or the failure of the
control unit.
4. LAN Communication failure between DP OS1 and Auto Chief C20.
5. LAN Communication failure between DP OS2 and Auto Chief C20.
6. Wire break or failure of command signals from Berg CPP control unit to pitch valve ahead and pitch
valve astern.
7. Wire break or failure of feedback signals.

6.8.3

Failure Effects of Controllable Pitch Propeller Control System

6.8.3.1

Loss of main 24V DC power supply to Auto Chief C20: Loss of main 24Vdc to Power Switch Over modules
PSO-P1, PSO-P2 and PSO-P3. This will not affect the Auto Chief C20 system, as continued operation is made
possible by the backup 24V DC power supply. An alarm will be generated for the 24Vdc power supply
failure.

6.8.3.2

Loss of backup 24V DC power supply to Auto Chief C20: Loss of backup 24Vdc supply to Power Switch
Over modules PSO-P1, PSO-P2 and PSO-P3. This will not affect the Auto Chief C20 system with continued
availability of the main 24Vdc power supply. An alarm will be generated for the 24Vdc power supply
failure.

6.8.3.3

Loss of 24V DC supply to Berg local and zero pitch CPP control unit or the failure of the control unit: This
will cause loss of the control and monitoring of propeller pitch. Propeller blade pitch will be frozen at the
last position. Propeller will be rejected from DP and a prediction error alarm will be initiated in the DP system.
Vessel maintains position with remaining thrusters.

6.8.3.4

LAN Communication failure between DP OS1 and Auto Chief C20: This will not affect the operation of
propeller as the communication continues through redundant LAN communication link between DP OS2
and Auto Chief C20.

6.8.3.5

LAN Communication failure between DP OS2 and Auto Chief C20: This will not affect the operation of
propeller as the communication continues through redundant LAN communication link between DP OS1
and Auto Chief C20.

6.8.3.6

Wire break or failure of command signals from Berg CPP control unit to pitch valve ahead and pitch valve
astern: Pitch fails as set in the last command, the DP console will issue a pitch prediction error alarm and
the propeller ready signal to DP will be lost. Consequently the propeller will be deselected from DP.

6.8.3.7

Wire break or failure of feedback signals: There are two sets of feedback signals, one from the propeller to
the Berg CPP control unit and the other from the propeller to the Local Control Unit (LCU). Failure of either
one has no effect on the CPP and it still follows DP commands.

6.8.4

Hidden Failures of the Controllable Pitch Propeller Control System

6.8.4.1

No hidden failures were found during the analysis.

6.8.5

Common Mode Failure of the Controllable Pitch Propeller Control System

6.8.5.1

Even though there are redundant 24V DC power supplies provided for Auto Chief C20 system, the failure of
24V DC supply to Berg local and zero pitch CPP control unit will defeat the redundancy as the control is
performed by this unit.

6.8.6

Configuration Errors of the Controllable Pitch Propeller Control System

6.8.6.1

Any initial configuration, reconfiguration or replacement of equipment following equipment failure or
unplanned maintenance will allow for the possibility of configuration errors. However, correct procedures
and vigilance will alleviate configuration errors.

6.8.7

Maloperation of the Controllable Pitch Propeller Control System

6.8.7.1

Typical operating circumstances and conditions would not give rise to any opportunity for maloperation of
any of the human machine interfaces with competent and adequately trained operators. Maloperation would
only be possible in the event of unplanned maintenance or inspection of other systems within close
proximity to the enclosed operator station components.

6.8.8

Worst Case Failure of the Controllable Pitch Propeller Control System

6.8.8.1

The worst case failure of the CPP control system is the loss of the Berg local and zero pitch CPP control unit
EC60629. This will not exceed the WCFDI as the vessel's position can still be maintained by the remaining
thrusters.

6.9

STEERING GEAR CONTROL SYSTEM

6.9.1

References
Working drawing, Kongsberg Maritime, Steering Control System
Rolls Royce Rotary Vane Steering Gear

Figure 6-9 Steering Gear Control System

[Block diagram. Labels: Stbd Wing Console FU Controller; Port Wing Console FU Controller; Control Panel
Dual RPC 400 (220 Vac from Nav UPS No.1); Control Cabinet Port No.1; Control Cabinet Stbd No.2;
RR Control Cabinet Motor Pump Starter Unit; Feedback Unit No.1; Feedback Unit No.2; signals Rudder Order
and Pump Running.]

6.9.1.1

The K-Bridge Steering Control System integrates the Rolls Royce Steering gear to the manual controls,
DP system and the independent joystick.

6.9.1.2

The control cabinets (Port and Stbd) are each connected via two redundant networks (Net A and Net B) to
the DP system. The DP system gives a 4-20mA order signal to the steering gear control and alarm panel,
which is fed to the directional pilot valves to command the steering.

6.9.1.3

The DP ready signal has been arranged such that it is fed through the steering gear control and alarm
panel, and a failure of both pumps will result in the ready signal being removed.

6.9.1.4

The DP feedback 4-20mA signals come from the feedback units that are connected to the steering gear
starter panel. The feedback unit sends the signal to the steering gear control panel through a transformer box.
Incorrect rudder control feedback will cause an incorrect rudder angle. The DP system compares the
rudder feedback with its command and will give a prediction error alarm.

6.9.2

Failure Modes of Rudder


8. Loss of main 24V DC supply.
9. Loss of backup 24V DC supply.
10. Wire break or failure of command signals from DP.
11. Wire break or failure of command signals from steering control and alarm panel to directional pilot valve.
12. Wire break or failure of feedback signals from DP.
13. Wire break or failure of feedback signals from feedback unit to potentiometer.
14. Failure of steering control and alarm panel.

6.9.3

Failure effects of rudder

6.9.3.1

Loss of main 24Vdc power supply: Loss of main 24Vdc to the steering gear control and alarm panel will
not affect the control system of the steering control, as continued operation is made possible by the back
up 24V DC power supply. An alarm will be generated for the 24Vdc power supply failure.

6.9.3.2

Loss of backup 24Vdc power supply: Loss of the backup 24Vdc supply to the steering gear control and alarm
panel will not affect the steering control system, given the continued availability of the main 24Vdc
power supply. An alarm will be generated for the 24Vdc power supply failure.

6.9.3.3

Wire break or failure of command signals from DP: The rudder will be frozen at the last position. A
prediction error alarm will be initiated in the DP system. The vessel maintains position with the remaining thrusters.

6.9.3.4

Wire break or failure of command signals from Steering gear control panel to directional pilot valve:
Rudder steering will go to zero, the DP console will issue a rudder prediction error alarm and the rudder
ready signal remains in DP. The DPO should manually deselect the rudder from DP.

6.9.3.5

Wire break or failure of feedback signals from DP: The rudder will continue to follow the steering command
signals on failure of the feedback. The DP console will alarm for thruster prediction error.

6.9.3.6

Wire break or failure of feedback signals from feedback unit to the potentiometer: Rudder steering is
frozen at the last order and the DP console will issue a prediction error alarm. This may cause
the vessel to lose heading and position. Consideration may be given to failing the rudder to midship.

6.9.3.7

Failure of steering control and alarm panel: As the rudder control system is independent from others in
terms of its control philosophy, failure of the steering electronic control unit will only affect the respective
rudder.

6.9.4

Hidden Failures of the Steering Control System

6.9.4.1

No hidden failures were found during the analysis.

6.9.5

Common Mode Failure of the Steering Control System

6.9.5.1

There is only one rudder driven by two steering pumps during DP operation. Those failures are identified
in the analysis.

6.9.6

Configuration Errors of the Steering Control System

6.9.6.1

Both steering gear pumps should be operating during DP operation.

6.9.7

Maloperation of the Steering Control System

6.9.7.1

Kongsberg equipment is protected against single accidental maloperations by requiring vital push buttons
to be pressed twice to operate.

6.9.7.2

Manual rudder levers should be zeroed during DP so that a rudder that fails to local control fails to zero angle.

6.9.8

Worst Case Failure of the Rudder System

6.9.8.1

The worst case failure of the rudder would be uncontrolled thrust by a rudder producing the correct angle
in the wrong direction due to a control or feedback error.

6.10

THRUSTER EMERGENCY STOPS

6.10.1

Description

6.10.1.1 Emergency stop buttons for all three tunnel thrusters and two azimuth thrusters are provided at the bridge
wing stbd, bridge wing port, bridge centre thrusters remote control panels and DP consoles. The main
engine emergency stop buttons are provided at Autochief C20 control station fitted on bridge centre
thrusters remote control panel, ECR Autochief C20 control panel, DP console and local.
6.10.1.2 The thruster E-stop circuit is fitted with a wire break detection module to ensure that an open circuit on the
emergency stop cable will not stop the thruster. This module gives an alarm if it detects a cable wire break.
This function also provides protection against multiple thrusters tripping as a result of a fire in the
navigation bridge or in the cable routes to the thrusters.
6.10.2

Failure Modes of the Emergency Stops

6.10.2.1 The failure modes of the emergency stops are considered to be:

1. Failure to operate.
2. Spurious operation of one stop.
3. Failure of 24V DC to the E stops panels.
4. Wire break or short in emergency stop circuit.

6.10.3

Failure Effects of the Emergency Stops

6.10.3.1 Failure to operate: Clearly, this could lead to a critical situation if there was a need to shut down a rogue
thruster. Such a fault could occur in the circuit after the Emergency Stop relay, where there is no
monitoring of faults. However, these areas are relatively small and well protected inside the panels. It is
acceptable mitigation to test the emergency stops periodically.
6.10.3.2 Spurious operation of one stop: The vessel always operates in such a way that the failure of one thruster
can be tolerated.
6.10.3.3 Failure of 24V dc to the E stop panels: There is a single 24V DC supply to the E stop panels. Failure of
this supply will only affect the illumination on E stop panels.
6.10.3.4 Wire break or short circuit in emergency stop circuit: The emergency stop facility will be disabled, and
there is a loop monitoring function for the wire break failure. If there is a short circuit on a loop, it will shut
down the corresponding thrusters/engine.
6.10.4

Common mode failure of the thrusters

6.10.4.1 Thrusters No.1, No.2 and No.3 are part of the forward freshwater cooling system. This system is divided
into two systems with 4 manually operated crossover valves. The tunnel thruster no.2 and bow azimuth
thruster no.3 are on the section 2 forward thruster fresh water cooler and the bow thruster no.1 is on the
section 1 forward thruster fresh water cooler. A burst cooler in this system would result in the thruster(s)
using that cooler eventually tripping on high operating temperatures. This has been explained in detail in
section 2. Thruster no.6 (Main Engine CPP) has its own freshwater cooling system.
6.10.4.2 The forward and aft sea water cooling systems have only one discharge valve each. Blockage of one of
these discharge valves will cause the respective thrusters cooled by it to fail due to high temperature. Further
details can be found in section 2.7.
6.10.4.3 Thruster No. 5 (Stern Tunnel Thruster) is part of No.1 & No.2 G/E freshwater cooling system. A burst
cooler in the system would result in the failure of this and other thrusters fed from MSB 1 as Generators
No.1 and No.2 are on the same circuit.
6.10.4.4 Thruster No.4 (Aft Azimuth Thruster) is part of the GE No.3/4 freshwater cooling system. A burst cooler in
the system would result in the failure of this and other thrusters fed from MSB 2 as Generators No.3 and
No.4 are in the same circuit.

6.10.4.5 Main switchboard No.1 powers thrusters T1, T5 and T6 (the engine and CPP essential pumps are dual
supply) and Main switchboard No.2 powers thrusters T2, T3 and T4 (dual supply).
6.10.4.6 Thruster Control Systems: The No.1 bow tunnel thruster and No.5 aft tunnel thruster are fed from the No.1
AC 220VAC feeder panel as well as the 24Vdc No.1 Battery Charger and Discharger board. No.2 Bow
Tunnel Thruster, No.3 Bow Azimuth Thruster and No.4 Stern Azimuth Thruster are supplied from the No.2 AC
220VAC feeder panel as well as the 24Vdc No.2 Battery Charger and Discharger board. This is in line with
the split design of having the thruster motors for Bow Tunnel No.1 and Stern Tunnel No.5 supplied from the
No.1 MSB. Bow tunnel thruster No.2, Bow Azimuth No.3 and No.4 are supplied from No.2 MSB.
6.10.4.7 Thruster Emergency Stop: Provided the fault detection circuit is effective then there will be no risk of fire
damage causing the loss of all thrusters.
6.10.4.8 Main 6.6kV switchboard: A short circuit, or other fault, has the potential to cause voltage dips on the 6.6kV
boards, which could disrupt thruster operation. Such a failure of a common 6.6kV switchboard could fail
two or three thrusters:

1. Failure of MV MSB No.1 leading to loss of thrusters T1, T5 and T6, or
2. Failure of MV MSB No.2 leading to loss of thrusters T2, T3 and T4. (T3 can be manually changed over
to be supplied by MV MSB No.1.)

6.10.5

Hidden thruster failures

6.10.5.1 Hidden failure of the power supply to the auto-changeover unit supplying the hydraulic pumps may lead to
loss of a thruster.
6.10.5.2 The emergency stops for the thrusters are an important protection against drive off. The system is
protected against wire breaks by wire break protection circuits but should still be regularly tested.
6.10.6

Thruster configuration errors that could defeat redundancy

6.10.6.1 If there is pipe leakage or a cooler burst and the isolation valves are not configured accordingly, this may
lead to high temperature for the forward thrusters. A DP configuration setup has to be in place to ensure
the correct setup of the isolation valves.
6.10.6.2 Improper operation of the isolation and crossover valves that defeats the redundancy concept is
identified as a configuration error. If the 4 crossover valves and the two cooler isolation valves could be
operated in time this would prevent loss of thrusters in the system. Mitigation to aid this is a low level alarm
in the head tank, a bilge alarm in the vicinity of the cooler and a differential pressure alarm across the
coolers.
6.10.6.3 Thruster Control system software: Configuration errors would only be evident in the event of a corrupted
software install. As software is not being investigated in this analysis, configuration errors resulting from
software have not been investigated further.
6.10.7

Maloperation of the Thruster

6.10.7.1 Thruster emergency stop: Inadvertent operation could cause the loss of at least one thruster but there are
guards around the pushbuttons on the manual control panel. The risk of inadvertent operation of the
wrong thruster is unlikely as the panel layout is intuitive.
6.10.7.2 Taking any part of the thruster control system into local control would cause the thruster to be deselected
by the DP system, however, each thruster has its own individual set of local / remote selectors, therefore
no more than one thruster should be affected by a single act of maloperation.
6.10.8

Worst Case Failure of the Thruster

6.10.8.1 Loss of a cooler in the central FW cooling system would result in the loss of GE 1 and 2. This would result
in the loss of MSB 1 which would result in loss of thrusters 1, 5 and 6. This is considered to be a
consequence of failure of the power to the thrusters. A component failure within each thruster will at most
fail that particular thruster.
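
The dependency chain described in 6.10.4 and 6.10.8.1 can be checked mechanically against the WCFDI thruster groups. The following Python is an added example, not part of the GL Noble Denton report: it covers only the power and fresh water cooling dependencies stated in 6.10.4.1, 6.10.4.3, 6.10.4.4 and 6.10.4.5, the node names are labels chosen here, and it assumes that a 6.6kV board is lost only when both of its generators are lost and that open crossover valves make the two forward cooling sections behave as one circuit.

```python
"""Single-failure propagation over the thruster power and cooling
dependencies listed in 6.10.4, checked against the WCFDI thruster groups."""

# Thruster groups from the report's worst case failure design intent.
WCFDI_GROUPS = (frozenset({"T1", "T5", "T6"}), frozenset({"T2", "T3", "T4"}))
THRUSTERS = frozenset().union(*WCFDI_GROUPS)


def build_model(crossovers_open=False):
    """Return {item: (needs_all, needs_any)}.

    An item fails when any member of needs_all has failed, or when
    needs_any is non-empty and every member of it has failed.
    Node names are labels chosen for this example.
    """
    model = {
        # 6.10.4.3 / 6.10.4.4: each generator pair shares one FW cooling circuit.
        "DG1": ({"GE12_FW"}, set()),
        "DG2": ({"GE12_FW"}, set()),
        "DG3": ({"GE34_FW"}, set()),
        "DG4": ({"GE34_FW"}, set()),
        # Assumption: a board survives on one generator and the boards are split.
        "MSB1": (set(), {"DG1", "DG2"}),
        "MSB2": (set(), {"DG3", "DG4"}),
        # 6.10.4.1 and 6.10.4.5: cooling circuit and switchboard per thruster.
        "T1": ({"MSB1", "FWD_FW_SEC1"}, set()),
        "T2": ({"MSB2", "FWD_FW_SEC2"}, set()),
        "T3": ({"MSB2", "FWD_FW_SEC2"}, set()),  # manual changeover not modelled
        "T4": ({"MSB2", "GE34_FW"}, set()),
        "T5": ({"MSB1", "GE12_FW"}, set()),
        "T6": ({"MSB1", "T6_FW"}, set()),
    }
    if crossovers_open:
        # Assumption of this example: with the crossover valves left open, a
        # burst in either forward section drains both (the configuration
        # error discussed in 6.10.6).
        model["FWD_FW_SEC1"] = ({"FWD_FW_SEC2"}, set())
        model["FWD_FW_SEC2"] = ({"FWD_FW_SEC1"}, set())
    return model


def all_items(model):
    """Every node named in the model, including root causes with no entry."""
    items = set(model)
    for needs_all, needs_any in model.values():
        items |= needs_all | needs_any
    return sorted(items)


def propagate(model, initial):
    """Fixed-point propagation of the initial failure set through the model."""
    failed = set(initial)
    changed = True
    while changed:
        changed = False
        for item, (needs_all, needs_any) in model.items():
            if item in failed:
                continue
            if needs_all & failed or (needs_any and needs_any <= failed):
                failed.add(item)
                changed = True
    return failed


def thrusters_lost(model, initial):
    return frozenset(propagate(model, initial)) & THRUSTERS


def within_wcfdi(lost):
    """True when the lost thrusters fit inside one WCFDI group."""
    return any(lost <= group for group in WCFDI_GROUPS)


def violations(model):
    """Single failures whose thruster loss exceeds every WCFDI group."""
    return [item for item in all_items(model)
            if not within_wcfdi(thrusters_lost(model, {item}))]


if __name__ == "__main__":
    for label, model in (("crossovers closed", build_model()),
                         ("crossovers open", build_model(True))):
        print(label)
        for item in all_items(model):
            lost = thrusters_lost(model, {item})
            flag = "" if within_wcfdi(lost) else "  <-- exceeds WCFDI"
            print(f"  {item:12s} -> {sorted(lost)}{flag}")
```

With the crossovers closed every single failure stays inside one WCFDI group; with them open, a burst in either forward cooling section takes T1, T2 and T3 together, which neither group allows.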

K-CHIEF 600 INTEGRATED CONTROL AND MONITORING SYSTEM

7.1

GENERAL

7.1.1

Drawing References

SSME S7001-2 Reapproval dwg-1 (K-Chief 600)
221636A_FDS for control system
344794a_K-Chief 600 FMEA
S7001 Alarm point list
7.1.2

Description

7.1.2.1

The vessel is fitted with a Kongsberg K-Chief 600 system which contains the auxiliary systems and PMS
systems specified to comply with the requirements for control systems in DP Dynpos-AUTR notation.

7.1.2.2

The basic function of K-Chief 600 is to monitor ship alarms, process control and power management.

7.1.2.3

The K-Chief 600 system architecture has a modular design, and builds on Operator Stations and I/O /
control modules interconnected by local data networks. Figure 7-1 shows the general architecture of the
K-Chief 600 system.

7.1.2.4

Modular design allows flexibility in configuring the system to individual requirements, covering the whole
range from low complexity alarm systems to highly integrated alarm and monitoring systems with advanced
process control.

7.1.2.5

The K-Chief system has included the following functions/controls.

Alarm and monitoring system.

Auxiliary control system

Power management system

Cargo control system

Ballast automation system

Main Engine monitoring system

7.1.2.6

The control is done locally by the Distributed Processing Units (DPU), while the operator interface is done
by the Operator Stations (OS).

7.1.2.7

The Watch Call System (extension alarm system) is provided to give alarms to the bridge and
accommodation when the system is set to UMS mode (Unmanned Machinery Space). The Watch Call
system includes a Watch Bridge Unit (WBU) and several Watch Cabin Units (WCUs). The number of
WCUs depends on the ship configuration.

7.1.2.8

The key components of the PMS have been discussed within Section 4. However certain aspects of the
PMS, such as networking and power supply are discussed within this section for completeness.

Figure 7-1 General Architecture of K-Chief 600 System

7.2

K-CHIEF 600 OPERATOR STATIONS:

7.2.1

Description:

7.2.1.1

The K-Chief Operator Stations are the main interface between the operator and the processes that are under
the operator's control. An OS has three main parts:
1. Main Computer Unit (MCU- Windows XP marinised industrial computer).
2. Operator panel with buttons and position controls.
3. Colour monitor.

7.2.1.2

The main MCUs are functionally linked to one or more DPUs (Distributed Processing Units). A DPU
provides the MCU with process signals or the capability to control parts of the process.

7.2.1.3

For redundancy purposes, one more MCU is linked in a similar way to the same DPUs.

7.2.1.4

All field/local DPUs are interfaced with the MCU through SCU DPUs (Segment Controller Unit Distributed
Processing Units). Each DPU has two independent communication channels (CAN A and CAN B).

7.2.1.5

All MCUs are interlinked by a dual LAN network (LAN A and LAN B). The two MCUs work in parallel and
simultaneously collect data using both communication channels (CAN networks) through the SCU DPU. All
other MCUs connected in the network are continuously updated with data from the Master MCU through
the dual LAN communication link. Network switches are used to galvanically isolate the operator stations
from each other.

7.2.1.6

Master/slave functionality is used to define whether data from CAN A or CAN B is to be used. The MCU
communicating on CAN A is defined as master. Whenever the Master MCU fails to communicate with one
or more DPUs, the Slave MCU automatically undertakes the communication, and the data retrieved from
the CAN B network is used.

7.2.1.7

There are six operator stations in total on this vessel: two (K-Chief OS1 and K-Chief OS2) are in the
Engine Control Room (ECR), two (K-Chief OS 3 and K-Chief OS 4) are in the Cargo Control Room and the
remaining two (K-Chief OS 5 and K-Chief OS 6) are located in the wheelhouse.

7.2.1.8

The operator stations provide the operator with a number of standard display pictures containing
information about the engine and surrounding equipment, cargo control systems, ballast automation
system etc. Control of different systems can be done from the corresponding operator stations.

7.2.1.9

The default operator control stations for engine and surrounding equipment are OS1 & OS2, for ballast
system and cargo system are OS3 & OS4 and for thrusters and DP system are OS5 & OS6. However the
commands can be transferred from one control position (i.e., ECR or CCR or WH OSes) to another by
access & transfer control facility provided in K-chief 600 operator stations.

7.2.1.10 Each Operator Station contains a Process Data Server (PDS). The PDS is a software program containing
updated process data for all signals, states and events. The PDSs in the Operator Stations are always
synchronized.
7.2.1.11 When a signal or state is changed, the PDS in the corresponding OS will be updated, information about the
change will be transmitted to the other Operator Stations via the LAN network and the PDS in those
stations will be updated (as all PDSs are synchronized).
7.2.1.12 The table below (table 7-1) gives the list of operator stations with its location and power supply details.

Table 7-1 Operating Stations Power Supply

Operator Station    Location               Power Source
OS1                 Engine Control Room    K-Chief UPS1
OS2                 Engine Control Room    K-Chief UPS2
OS3                 Cargo Control Room     K-Chief UPS3
OS4                 Cargo Control Room     K-Chief UPS4
OS5                 Wheelhouse             K-Chief UPS1
OS6                 Wheelhouse             K-Chief UPS2

7.2.2

Failure Modes of Operator Station:

7.2.2.1

Failure modes have been assessed for each operator station and all failures assessed are listed below:
Loss of 230V UPS supply to operator station.
MCU Failure.
Failure of network connection.
Network connection fails with errors.

7.2.3

Failure Effects of Operator Station:

7.2.3.1

Loss of 230V UPS supply to operator station: Alarm on IAS for loss of supply. As the power supplies for
the K-Chief OSes in the wheelhouse, Cargo Control Room and Engine Control Room are fed from different
UPSes, there will be a loss of only one OS at a time if there is a failure in one UPS or any single failure of
the power supply. This will not lead to loss of control, as the operator can still use the other OS, which is
supplied by the second UPS.

7.2.3.2

MCU failure: As there are two operator stations available on every location, loss of one OS due to a
hardware failure will not lead to a loss of control.

7.2.3.3

Failure of network connection: communications error alarm on the K-chief OS. Network communications
maintained on remaining healthy network.

7.2.3.4

Network connection fails with errors: Communications error alarm on K-chief OS. Network communications
maintained on remaining healthy network.

7.2.4

Common Mode Failures of the Operator Stations

7.2.4.1

No common mode failure of the operator stations has been identified.

7.2.5

Hidden Failures of the Operator Stations

7.2.5.1

Software failure will remain hidden; however software is not part of this analysis.

7.2.6

Maloperation of the Operator Stations

7.2.6.1

Typical operating circumstances and conditions would not give rise to any opportunity for maloperation of
any of the human machine interfaces with competent and adequately trained operators. However,
mechanical wear or damage to components from repeated use is possible and should be considered.
Maloperation would only be possible in the event of unplanned maintenance or inspection of other systems
within close proximity to the enclosed operator station components.

7.2.7

Configuration Errors of the Operator Stations

7.2.7.1

Configuration errors would only be possible as a result of accidental or inappropriate reconfiguration as a
result of unplanned maintenance.

7.2.8

Worst Case Failure of the Operator Stations

7.2.8.1

The worst case scenario on failures assessed is total loss of an operator station. Loss of an operator
station will only mean that commands are entered at another station. Any loss of hardware or network data
will produce alarms on the system.

7.3

K-CHIEF 600 DISTRIBUTED PROCESSING UNITS (DPUS) AND DPU CABINETS:

7.3.1

Description:

7.3.1.1

A DPU is an intelligent unit performing signal conditioning, scaling, alarm detection and control functions by
itself. The data is then transmitted to the operator stations.

7.3.1.2

All control and monitoring in K-Chief 600 is carried out by the DPUs. The DPUs are located close to the
controlled machinery to minimise cable installation. K-chief 600 consists of a number of DPUs distributed
in different field stations.

7.3.1.3

The DPUs communicate with each other by a dual redundant Control Area Network (CAN). The CAN
network is an event-based multi master network. The DPUs can intercommunicate with each other even
when both operator stations are not functioning.

7.3.1.4

The interconnection between the DPU and the OSs is made by two independent wire connections in order
to achieve a redundant connection to the source of information. A local DPU is functionally linked to two
Operator Stations (OS) that presents the sensor information provided by the DPU.

7.3.1.5

The SCU DPU (Segment Controller Unit Distributed Processing Unit) may include overall process control
such as sequential control. In PMS, SCU includes the logics for overall power management system
including control of auto sequences, while other DPUs in the PMS field stations are controlling each power
generator.

7.3.1.6

The SCU DPU can also act as a gateway between operator station and process net (CAN). Separate sets
of SCU DPUs are used for this purpose.

7.3.1.7

The SCU DPUs are mounted in OS consoles, while other DPUs are mounted in distributed DPU cabinets
that are located close to the controlled machinery to minimise cable installation.

7.3.1.8

A combination of several types of DPUs is mounted in each DPU cabinet, depending on the
process. There is a common SCU DPU (either single or redundant) for each control segment (e.g.
PMS, Cargo control, Pump control etc.) and an independent redundant local CAN for each
control/monitoring segment. All SCU DPUs are linked by a redundant process net called global CAN.

7.3.1.9

The K-Chief 600 DPUs intended for cargo monitoring and control are connected to redundant operator
stations OS3 and OS4 in the cargo control room through a pair of SCU DPUs. All the remaining DPUs are
connected to redundant operator stations OS1 and OS2 in the engine control room through another set of
SCU DPUs.

7.3.1.10 All SCU DPUs and field stations are powered from UPS units, which maintain power without interruption if
the vessel's power system is lost. In the event of a power outage, the UPSs supply power for at least 30
minutes as required. The loss of any one power supply will activate an appropriate alarm on the IAS. SCU
DPUs and field stations are supplied from a range of UPS units, as detailed in Table 7-2.

Table 7-2 DPUs Location and Power Supplies

DPUs                                    Location                                        Power Supply
SCU A DPU 0500/0600/0700/0800/1900      Engine Control Console (ECR)                    K-Chief UPS1
SCU B DPU 5500/5600/5700/5800           Engine Control Console (ECR)                    K-Chief UPS2
SCU A DPU 0900                          Cargo Control Console (CCR)                     K-Chief UPS3
SCU B DPU 5900                          Cargo Control Console (CCR)                     K-Chief UPS4
DPU 0520-0531                           No.1 DPU Cabinet (ECR)                          K-Chief UPS1 & UPS2
DPU 0720-0739                           No.7 DPU Cabinet (H.V.S.B)                      K-Chief UPS1 & UPS2
DPU 0820-0834                           No.6 DPU Cabinet (GSP)                          K-Chief UPS1 & UPS2
DPU 0532-0545                           No.2 DPU Cabinet (Engine Room)                  K-Chief UPS1 & UPS2
DPU 0546-0552                           No.3 DPU Cabinet (Engine Room)                  K-Chief UPS1 & UPS2
DPU 0920-0937                           No.4 DPU Cabinet (Valve Control/Alarm - CCR)    K-Chief UPS3 & UPS4
DPU 0938-0944                           No.5 DPU Cabinet (Valve Control/Alarm - CCR)    K-Chief UPS3 & UPS4

7.3.1.11 The DPUs require 24Vdc for their operation. The supply is fed from 230V AC UPSs via rectifier units installed
in consoles. The output from each rectifier unit is a single 24Vdc supply.
7.3.1.12 Engine Control Console DPUs (DPU 0520 to DPU 0531): The basic functions of these DPUs are generator
engine monitoring and control through ICMS.
7.3.1.13 H.V.S.B DPUs (DPU 0720 to DPU 0739): The basic functions of these DPUs are switchboard monitoring
and control through the PMS (C4 modules).
7.3.1.14 GSP (Group Starter Panels) DPUs (DPU 0820 to DPU 0834): The basic functions of these DPUs are for
pump control and monitoring.
7.3.1.15 Engine Room DPUs (DPU 0532 to DPU 0552): The basic functions of these DPUs are for alarm
monitoring.
7.3.1.16 Valve Control /Alarm DPUs (DPU 0920 to DPU 0944): The basic functions of these DPUs are for cargo
control and monitoring.
7.3.1.17 The AC C20 module communicates with the Main Engine for control and monitoring of the Main Engine
and propeller.
7.3.2

Failure Modes of DPUs and DPU Cabinets:

7.3.2.1

The failure modes assessed for each group of DPUs are listed below:
SCU DPUs power supply failure.
Failure of SCU DPU.
24V dc supply failure in DPU cabinets.
DPU modules failure in FS.
Network connection fails low.

Network connection fails with errors (jabber, etc).

7.3.3

Failure Effects of DPUs and DPU Cabinets:

7.3.3.1

SCU DPUs power supply failure: As almost all SCU DPUs are redundant and the power supply for each unit
is fed from two different sources as shown in table 5-1, a single failure in power supply will not affect the
operation. If the master SCU DPU loses supply, there will be an alarm on the operator station and operation
resumes on the slave SCU DPU without redundancy. The AC C20 SCU DPU is an exception to the redundant
SCU DPUs as it is a single unit. The loss of power supply to this DPU will not lead to loss of vessel position as
the vessel can still be positioned from the DP control system.

7.3.3.2

Failure of SCU DPUs will have the same effects of power supply failure as described above.

7.3.3.3

24V dc supply failure in DPU cabinets: The effect of the power supply failure will be that the DPUs in the
cabinet will no longer communicate with either the operator station or the field instrumentation, with loss of
control over equipment routed through the affected cabinet. 24V dc supply failure in No.1 DPU cabinet will
cause the loss of all serial line communications such as VDR, tank level system, G/E alarm and monitoring,
thrusters alarm and monitoring information etc. However this should not trip any generators or thrusters or
cause loss of vessel position. The control distribution should be such that the loss of a DPU cabinet supply
does not lead to loss of vessel position.

7.3.3.4

DPU module failure in FS: As there is no redundancy built into the DPU modules in FS, total failure of a
DPU module will cause any connected field instrumentation to fail to a pre-defined fail safe state and will be
alarmed in operator stations.

7.3.3.5

Network connection fails low: As the networks are dual networks any single connection failure will produce
an alarm but have no effect on operation of the system. The communication resumes through the
redundant network.

7.3.3.6

Network connection fails with errors (jabber/Multiple collisions): The term Jabber is used to describe a
condition where a faulty transceiver continuously transmits random data on to the network inhibiting or
corrupting all other transmissions. Errors in individual transmissions should be rejected and initiate
retransmission.

7.3.4

Common Mode Failures of the DPUs and DPU Cabinets

7.3.4.1

No common mode failures directly associated with the DPU cabinets themselves were revealed by this
analysis.

7.3.5

Hidden Failures of the DPUs and DPU Cabinets

7.3.5.1

Hidden failures in a dual system occur when a failure of a component does not show up until a subsequent
failure causes a loss of the dual system.

7.3.5.2

DPU cabinets (Dual Supply) - A dual powered DPU cabinet has internal semiconductors that connect the
two power supplies together. A failure of these internal circuits is not alarmed and may not be detectable by
the system. Regular maintenance and testing of DPU cabinet power supply redundancy (e.g. tested during
annual DP trials) will identify a failed power supply. Loss of one DPU cabinet will not exceed the WCFDI.

7.3.6

Configuration Errors of the DPUs and DPU Cabinets

7.3.6.1

Configuration errors of the DPUs are prevented by each DPU having a different MAC address so the
program changes sent by the Operator Station are specific to that station.

7.3.6.2

Each DPU module has a unique identification code in the system. This ID code identifies how the module is
configured, i.e. as digital I/O, analogue I/O or a mixture of both, and where it is installed. The IAS system
can, therefore, monitor at all times that the correct module is installed in the correct position.

7.3.7

Worst Case Failure of the DPUs and DPU Cabinets

7.3.7.1

The worst case failure of the DPUs and DPU cabinets is failure of the power supply. This will cause the loss
of control and monitoring of the associated equipment routed through the affected DPU cabinet. However this
should not trip any generators or thrusters or cause loss of vessel position.

7.4

K-CHIEF 600 NETWORK COMMUNICATIONS

7.4.1

Description:

7.4.1.1

The K-Chief 600 marine automation system uses three networks for the communication between different
nodes; Local Area Network (LAN), Global Controller Area Network (Global CAN) as process net and Local
Controller Area Network (Local CAN) as local subnet. All are dual redundant networks. Refer to Fig 7-2 for a
detailed drawing.

7.4.1.2

By using a Fleet Master workstation it is possible to send process data from the K-Chief 600 system to the
administrative network and then to shore via satellite communication. The Fleet Master workstation
contains a Process Data Gateway (PDG), a software program acting like a firewall, separating and
protecting the process data from the data on the administrative network.

7.4.1.3

The redundant LAN, Net A and Net B, is used to communicate between the Operator Stations and other
PC based equipment. Switches are used to galvanically isolate the Operator Stations from each other.
There are two network switches used in this vessel: OS switch A1 located in OS 1 for Net A and OS Switch
A2 located in OS 2 for Net B.

7.4.1.4

The redundant LAN is an open net employing international standard protocol (Ethernet, TCP/IP) that
permits connection and data exchange using Kongsberg Maritime standard interface programs.

7.4.1.5

The process net, also called Global CAN, connects the sub segments using a redundant CAN bus running at
125 kbps. It is a highly reliable process bus used for communication between different sub segments.
Each sub segment has a pair of redundant SCU DPUs, working as a local gateway and routing the signals
from the process network to the local network.

7.4.1.6

The local subnet, also called Local CAN, connects the different IO DPUs to the SCU DPU using a redundant
CAN bus running at 125 kbps.

7.4.1.7

PMS, Cargo Control, Alarm and Monitoring Control etc. are normally arranged as separate CAN segments
(local segments), where the input and output signals are connected to DPUs separated from the global
CAN segment by two redundant Segment Controller Units (SCU).


Figure 7-2 157K Shuttle Tanker K-Chief Networks

[Figure labels: DUAL LAN (Net A, Net B) with K-Chief operator stations OS 1, OS 2, OS 5 and OS 6 (ECR, CCR, wheel house); DUAL GLOBAL CAN (CAN1, CAN2) with SCU A / SCU B DPUs 0500, 5500, 0600, 5600, 0700, 5700, 0800, 5800, 0900, 5900 and DPU 1900 (AC C20); LOCAL CAN segments for AMC 1, BWCMS, PMS, pump control and cargo control; I/O DPUs in the DPU cabinets (No.1, No.3, No.6 in GSP 1 and GSP 2, No.7 in HVSB 1 and HVSB 2, V/V CTRL CAB 1 and 2) and an 8" AIPC in HVSB 1.]

7.4.2

Failure Modes of Network communication

7.4.2.1

Failure modes have been assessed for each OS network switch and for the other network components on the
K-Chief networks. All significant failures assessed are listed below:
1. OS network switch failures
2. Loss of power or other failure of an OS network switch
3. Network connection failure (LAN, Global CAN and Local CAN)
4. Jabber/multiple collisions
5. NIC failure

7.4.3

Failure Effects of Network Communications

7.4.3.1

Effects of OS network switch failures: As the networks are dual networks with completely redundant cabling
and components, any failure will have minimal effect on the DP system. A failure in any OS network switch will
only affect either Net A or Net B. However, it should be noted that after any failure that results in the loss of
either network channel, the DP system will no longer be fault tolerant.

7.4.3.2

Loss of power or other failure of OS network switch: This will only affect either Net A or Net B.
Communication will continue as normal through the redundant network.

7.4.3.3

Network connection failure (LAN, Global CAN and Local CAN): As all networks are dual, any single
connection failure will produce an alarm but have no effect on operation of the system.

7.4.3.4

Jabber/multiple collisions: The term Jabber is used to describe a condition where a faulty transceiver
continuously transmits random data on to the network inhibiting or corrupting all other transmissions. Errors
in individual transmissions should be rejected and initiate retransmission.

7.4.3.5

NIC failure: The network interface cards have several protective functions built in, including line overload,
line under load, jabber, etc. The detection of a failure will cause the appropriate network node(s) to cease
transmitting. This state will remain until the failure disappears, when a reset is sent to the transmitter
watchdog to allow it to recommence sending.

7.4.4

Common Mode Failures

7.4.4.1

Network Storms: Ethernet networks have been historically problematic as a result of network storms. These
can be caused when incorrect packets are broadcast onto a network, causing multiple stations to respond
all at once; typically each node will answer, which causes the storm to grow exponentially. When this
happens there are too many frames on the network for any data to be processed. Protective
functions built into the NIC will filter out some types of packets not destined for the host, but multicasts and
broadcasts are sent to the processor. The switches and Ethernet converters on board are equipped with
multicast filtering technology to solve this problem.

7.4.5

Hidden Failures

7.4.5.1

Hidden failures in a dual system occur when a failure of a component does not show up until a subsequent
failure causes a loss of the dual system.

7.4.5.2

Hidden failures are guarded against by alarming faults to the operator at any of the consoles.

7.4.5.3

This analysis has not uncovered any potential hidden failures in the communication network for IAS System
fitted to the vessel.
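
On the dual network, a hidden failure is a dead Net A or Net B path that goes unnoticed because the other path still carries the data. The sketch below is an added example, not part of the report or of the K-Chief software: it shows one way per-path alarming can expose the first loss before a second failure removes communication. The heartbeat mechanism, the 3-second timeout and the sample log are assumptions constructed for illustration.

```python
"""Dual-network path monitor: alarm on the first lost path so it cannot stay hidden."""

NETS = ("A", "B")
TIMEOUT_S = 3.0  # assumed heartbeat timeout, not a value from the report


def last_seen(heartbeats, now):
    """Latest heartbeat time per (node, net), ignoring samples later than `now`."""
    seen = {}
    for ts, node, net in heartbeats:
        if ts <= now and ts > seen.get((node, net), float("-inf")):
            seen[(node, net)] = ts
    return seen


def path_status(heartbeats, nodes, now, timeout=TIMEOUT_S):
    """Return {node: {"A": bool, "B": bool}}; True means the path is alive."""
    seen = last_seen(heartbeats, now)
    never = float("-inf")
    return {
        node: {net: now - seen.get((node, net), never) <= timeout for net in NETS}
        for node in nodes
    }


def fault_tolerant(status):
    """The network is fault tolerant only while every node has both paths."""
    return all(all(paths.values()) for paths in status.values())


def evaluate(status):
    """Turn path status into operator alarms as (severity, subject, text).

    A net silent for every node points at shared equipment (switch, cabling);
    a net silent for one node points at that node's NIC or connection;
    a node silent on both nets is unreachable.
    """
    alarms = []
    nodes = sorted(status)
    for net in NETS:
        dead = [n for n in nodes if not status[n][net]]
        if not dead:
            continue
        if len(dead) == len(nodes):
            alarms.append(("WARNING", f"Net {net}",
                           "no traffic from any node: redundancy lost"))
        else:
            for n in dead:
                alarms.append(("WARNING", n,
                               f"Net {net} path lost: node no longer fault tolerant"))
    for n in nodes:
        if not any(status[n].values()):
            alarms.append(("CRITICAL", n, "no communication on Net A or Net B"))
    return alarms


def build_sample():
    """Constructed log of (time_s, node, net); OS 5 goes silent on Net B after t=4."""
    nodes = ["OS 1", "OS 2", "OS 5", "OS 6"]
    beats = []
    for t in range(0, 11):
        for node in nodes:
            for net in NETS:
                if node == "OS 5" and net == "B" and t > 4:
                    continue
                beats.append((float(t), node, net))
    return nodes, beats


if __name__ == "__main__":
    nodes, beats = build_sample()
    for severity, subject, text in evaluate(path_status(beats, nodes, now=10.0)):
        print(f"{severity:8} {subject}: {text}")
```

In the constructed log, OS 5 keeps working over Net A, so only the per-path alarm reveals that a later loss of Net A would isolate it.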

7.4.6

Maloperation of the Network

7.4.6.1

Network components responsible for communications are positioned within contained units or housed
within the contained aspect of other systems. Maloperation would therefore only be possible in the event of
maintenance or inspection of other systems within close proximity to networking components.


7.4.7

Configuration Errors of the Network

7.4.7.1

Any incorrect initial configuration or reconfiguration of equipment following equipment failure or unplanned
maintenance will allow for the possibility of configuration errors; however, the risk of such errors is reduced
with maintenance procedures and vigilance.

7.4.8

Worst Case Failure of the Network

7.4.8.1

Loss or failure of a network switch is effectively a complete loss of one network, either Network A or Network
B, for a range of operator stations. This is not critical if the alternate network is operational.

7.5

K-CHIEF 600 UNINTERRUPTIBLE POWER SUPPLIES

7.5.1

Reference:
20120229 SSME S7001-2 Reapproval dwg-4 (Kongsberg
configuration)

sensor Power consumption, UPS

7.5.2

Description:

7.5.2.1

The K-Chief 600 system is fitted with three UPSs labelled as K-Chief UPS 1, K-Chief UPS 2, K-Chief UPS
3 and K-Chief UPS 4.

7.5.2.2

The UPSs can sustain full load for 30 minutes if the main incoming supply fails.

7.5.2.3

The consumers from each UPS are listed in Table 7-3 below.

Table 7-3 K-Chief UPS Distribution

K-Chief UPS #1

K-Chief UPS #2

K-Chief UPS #3

K-Chief UPS #4

Operator Station 1

Operator Station 2

Operator Station 3

Operator Station 6

Operator Station 5

Cargo Cabinet GLN-300

ECC

ECC

V/v Control Cab. 1

V/v Control Cab. 1

HVSWBD 1

HVSWBD 1

V/v Control Cab. 2

V/v Control Cab. 2

HVSWBD 2

HVSWBD 2

GSP 1

GSP 1

GSP 2

GSP 2

Cabinet 2

Cabinet 2

Cabinet 3

Cabinet 3

Operator Station 4

7.5.3

Failure Modes of the K-Chief UPSs

7.5.3.1

The following failure modes have been analysed for this report:

Failure of input power supply to zero Volts.
Battery faults.
Failure of Individual Outputs.
Failure of all outputs from a K-Chief UPS due to internal short circuit.


7.5.4

Failure Effects of the K-Chief UPSs

7.5.4.1

Failure of input power supply to zero Volts: UPS should continue to operate for at least 30 minutes. Alarm
will appear on K-Chief operator station. This will not affect any K-Chief operation as there is no loss of
power to any K-Chief components.

7.5.4.2

Battery failure: This will result in loss of power supply to all outputs from the respective UPS if the main
supply to the UPS fails. This can be dealt with by performing battery endurance tests regularly. A single failure
of a UPS will not affect any K-Chief operation as all K-Chief components are either redundant (e.g. operator
station, SCU DPUs) or supplied by two UPSs (e.g. DPU cabinets).

7.5.4.3

Failure of Individual Outputs: This also will not affect any K-Chief operation as all K-Chief components are
either redundant (e.g. operator station, SCU DPUs) or supplied by two UPSs (e.g. DPU cabinets).

7.5.4.4

Failure of all outputs from a UPS: Due to redundant supplies to each UPS supply consumer, the failure of
all outputs from a single UPS will not fail the system. In summary, any single point failure of the K-Chief UPSs
will not affect station keeping.

7.5.5

Hidden Failures of the K-Chief UPSs

7.5.5.1

The most common hidden failure of UPS arises when the UPS batteries fail to provide the expected life.
Provided they are replaced about every two years and regularly checked this should not happen.

7.5.6

Common Mode Failures of K-Chief UPSs

7.5.6.1

No common mode failures directly associated with the UPSs themselves were revealed by this analysis.

7.5.7

Worst Case Failure of the K-Chief UPSs

7.5.7.1

The worst case failure of a K-Chief UPS is the total loss of the UPS due to short circuit or battery failure.
However, as all K-Chief components are either redundant (e.g. operator station, SCU DPUs) or supplied by
two UPSs (e.g. DPU cabinets), a single point failure will not affect any K-Chief operation.


DP CONTROL SYSTEM

8.1

SYSTEM DIAGRAM AND OVERVIEW

8.1.1

Reference

Cable Layout Drawing, K-Pos DP 22 System:- 1180307 Rev E
Cable Layout Drawing, K-Pos DP 22 Reference System(s):- 1180309 Rev C
Cable Layout Drawing, cJoy System:- 1180308 Rev C
Cable Layout Drawing, BlomPMS:- 1181712 Rev D
FMEA Document, K-Pos DP-21 and cJoy:- 1180321 Rev B
Kongsberg K-Pos DP-21 and cJoy Cable Information:- 1203503 Rev A
S7001-Navi.Diagram

8.1.2

Introduction

8.1.2.1

The dynamic positioning control system maintains the vessel's position with respect to the seabed by use
of vectored thrusts. The DP control system computes a thrust magnitude (motor torque) and direction for
each thruster to counteract the effects of wind, tidal current and wave motion. The calculation is based on
information received from position reference systems and vessel sensors. The dynamic positioning control
system is also the subject of a detailed FMEA by Kongsberg Maritime.

8.1.3

Description

8.1.3.1

The shuttle tanker uses a dual redundant Kongsberg K-POS dynamic positioning control system. Refer to
Figure 8-1 for a simplified diagram.

8.1.3.2

The heart of the K-Pos system is a DPC-2 dual controller. The DPC-2 controller is located in the electrical
equipment room and the two DP operator stations K-Pos OS 1 and OS 2 are located in the wheel house.
In addition to the duplex system, there is a Kongsberg cJoy system (joystick) operator terminal which has
an independent hardwired connection to the thrusters. The cJoy cC-1 controller is located in the converter
room with a cJoy operator terminal housed in the forward wheelhouse. The cJoy system has a manual
joystick and can only be used for auto heading; it is not a backup DP system.

8.1.3.3

Switching between DP control, cJoy independent joystick and manual operation is carried out by a
changeover switch which is located at the DP operator console OS1. This switch is protected by a clear
sprung plastic cover to prevent accidental tampering.

Figure 8-1 Simplified Drawing of DP Control System

[Figure labels: DARPS 132 and DARPS 200 system antennas (DP GPS, DP UHF, DP IALA, Spotbeam, Inmarsat) with demodulators and serial splitters; DARPS 1 remote cabinet; Wind 1, Wind 2, Wind 3; Gyro 1, Gyro 2, Gyro 3; MRU 5(1), MRU D(2), MRU D(3); CyScan; Artemis MK5 antenna; KPOS-OS1 and KPOS-OS2; DPC-2; Net A and Net B.]

8.1.3.4

The DPC-2 is the heart of the K-Pos DP system; it is interfaced to the thrusters via independent
hardwired connections to dedicated thruster control stations. The DPC-2 has dual redundant controllers
and two identical but independent operator stations (K-Pos OS). Redundancy is also built into the
interface units for connection of sensors and position reference systems.

8.1.3.5

K-Pos Operator Stations (OS) are marinised computers running the Windows XP operating system. As
the Operator Stations are process independent they can be located anywhere on the vessel.

8.1.3.6

Design Redundancy: The DPC-2 comprises two identical single board computers (SBC). These are
also called RCUs. On the 157K Shuttle Tanker, two units of RCU 502 serve as the DP controllers. The
SBC runs the dynamic positioning application programme.

8.1.3.7

The two controllers have a shared I/O. This is a mixture of serial (NMEA), analogue and digital inputs.
The redundant system components are configured via software and hardware voters to ensure continued
operation in the event of a single failure. Both controllers are online, operating in parallel. If one
controller fails, the other controller continues working and takes over. The two controllers work in a
master/slave configuration with the DPO designating which one is master.

Table 8-1 DP Power Supply Matrix

UPS
DPC-2

Location

cJoy (cC-1)
K-Pos OS1

Converter room (supplied from No.2 Navigation Instrumentation panel)
X

Wheelhouse

K-Pos OS2
cJoy-OT

Electrical equipment room

X
Supplied from cC-1

Wheelhouse
Wheelhouse

8.1.3.8

As can be seen in Table 8-1 above, the DPC-2 is dual supplied from separate UPSs. The UPS inputs feed
separate 24V power supply units (PSU) within the cabinet. Each RCU is then supplied from both PSUs,
with either unit being powerful enough to supply the whole cabinet.

8.1.3.9

To maintain operation in the event of a total DP UPS system failure, the cC-1 independent joystick is fed
from a separate supply.

8.1.3.10

The DP-OSs are not dual power supplied, but within the DP system, the installation of two DP operator
stations provides redundancy. Any OS can transfer control by either a take control or a give control
command provided it has the required Command Control configuration. This can be done gracefully or by
force as required.

8.1.3.11

The power supply for the cJoy independent joystick system and its operator terminal is taken from the
independent ICMS UPS No.2. The cJoy system has no redundancy.


8.2

DP CHANGEOVER SWITCH

8.2.1

Description

8.2.1.1

The DP changeover switch is used for transfer of control from manual thruster station to main DP or the
independent joystick. This mechanical switch is supplied by Kongsberg. The switch is supplied with
24Vdc which is converted from the UPS1 supply to DP OS1. This supply is only to light up the buttons
that indicate DP, Manual and cJoy.

8.2.1.2

The reliability for the changeover switch is considered high and probability for critical failure low.

8.2.2

Failure modes of the DP Changeover Switch

8.2.2.1

For the purposes of this FMEA, the significant failure modes of the DP Changeover switch are taken to
be:
1. Loss of 24Vdc power supply to DP changeover switch
2. Wire break on the contact
3. Mechanical Failure

8.2.3

Failure effects of the DP Changeover Switch

8.2.3.1

Loss of 24Vdc power supply to DP changeover switch: Failure of 24Vdc power supply to the DP
changeover switch will result in only loss of the indication lights on the DP changeover switch.

8.2.3.2

Wire break on the contact: If the switch is already in the DP position, the contacts are closed and the
thrusters are already receiving analogue commands from the DP controllers. An open circuit of the
contact (on request for Manual mode or cJoy mode) will not change the thruster mode. An open contact
on the request for DP mode connections will take the affected thruster out of DP.

8.2.3.3

Mechanical Failure: This failure will cause the switch to be unable to change over to other modes. If the
switch fails, the thrusters will remain in their last mode of operation.

8.2.4

Hidden failures of the DP Changeover Switch

8.2.4.1

No significant hidden failures have been detected within the mechanical changeover switch. The switch is
guarded with a proper sprung transparent cover therefore the reliability for this changeover switch is
considered high and probability for critical failure is low.

8.2.5

DP Changeover Switch configuration errors

8.2.5.1

There is no configuration error as the switch is a mechanical switch.

8.2.6

Maloperation of the DP Changeover Switch

8.2.6.1

There is no maloperation of the DP changeover switch as the switch is guarded with a transparent sprung
cover to avoid accidental tampering.

8.2.7

Worst Case failure of DP Changeover Switch

8.2.7.1

The worst case failure is a complete failure of the DP changeover switch. The operation of the thrusters
will remain in the last mode of operation before the switch failed. It would not be possible to change
modes of operation via the changeover switch until the switch has been rectified.

8.3

DP OPERATOR STATIONS

8.3.1

Description

8.3.1.1

The Operator Stations (OS) are the main interface between the operator and the processes that are
under the operator's control. An Operator Station has three main parts:
1. Windows XP marinised industrial computer.
2. Operator panel with buttons and a trackball / joystick.
3. Colour monitor.

8.3.1.2

The Operator Stations are installed as standard Kongsberg consoles, and are located in the wheelhouse
(OS1 and OS2).


8.3.1.3

Each operator station runs the Kongsberg DP Software. This is a tailored software suite enabling
configuration of DP functions within the DPC-2 Controller. These include the settings of some alarm
levels, vessel sensor settings, manual draught settings and reference sensor weighting.

8.3.1.4

The DP Operator Stations can display a number of different mimics including Thruster View, Power View
and Sensor View. Each mimic has several sub views providing more detailed information as required.
These are available from drop down menus accessed by using the trackball and left and right buttons
located on the DP operator panels.

8.3.1.5

Both OS are designated as RCU Servers for the DPC-2 Controller. After they are switched on, the two
RCUs will request configuration load and standard file load from one of the operator stations. These files
are stored on the MP7900 computer's hard disk.

8.3.1.6

All operator stations are powered from UPS units, which maintain power without interruption if the vessel
power system is lost. In the event of a power outage, the UPSs can supply power for at least 30 minutes
as required by DNV rules. A power supply table listing the UPS supplies is given in Table 8-1.

8.3.1.7

Each DP Operator Station is fitted with a capacitor capable of sounding an alarm horn for
one minute following a power loss to the Operator Station. Therefore no separate power supply is needed
for audible alarms in the event of power failure.

8.3.2

Failure modes of the DP Operator Stations

8.3.2.1

For the purposes of this FMEA, the significant failure modes of the operator stations are taken to be:
1. Failure to accept operator commands (full or partial).
2. Failure to display data (Screen failure).
3. Console dead - Power Supply fault/Internal Fault.
4. Network failure.
5. Software Corruption.

8.3.3

Failure effects of DP Operator Station failures

8.3.3.1

Failure to accept operator commands (full or partial): This will be apparent to the DPO and he will simply
take command at another OS. As this is probably due to faulty logic or a faulty switch it is unlikely that it
will be alarmed.

8.3.3.2

Failure to display data (Screen failure): Again this is self-evident. No alarm will be given for the loss of a
display.

8.3.3.3

Console dead (internal power supply failed): In the event that the online console fails catastrophically
this is alarmed and the DPO will take command at another station.

8.3.3.4

Network Failure: Loss of Net A or Net B is alarmed and has no effect on the DP system, as the same
information is transmitted on the remaining network. However the system is now operating with no
redundancy.

8.3.3.5

Software Corruption: Software design is not considered in the DP FMEA, however software corruption
due to a faulty hard disk or other hardware issue has been considered. It is not expected that such a
failure would affect more than a single operator station. The DPO would have to take command on the
next OS.

8.3.4

Hidden failures of the DP Operator Consoles

8.3.4.1

It is possible for a fault to remain dormant, for example until a button is pressed. The risk of a hidden fault
can be reduced by testing all the control positions and modes on the consoles on a regular basis and
carrying out frequent lamp, key and audible alarm tests. Such a fault could also cause a double-press
button to require only a single press; however, for the double-push buttons required to activate a command,
the control system requires the receipt of two pulses from that button. For the command to activate on a
single pulse (the two pulses need to be within a set time period) there would have to be an internal software
issue with the DP Operator Station, which is outside the scope of this FMEA.


8.3.5

Common mode failures affecting the DP Operator Consoles

8.3.5.1

No common mode failures affecting the DP operator consoles have been identified.

8.3.6

DP Operator Console configuration errors

8.3.6.1

Configuration errors would only be evident in the event of a corrupt operator system or software installed.
As the software is not being investigated in this analysis, configuration errors pertaining to software have
not been considered.

8.3.7

Maloperation of the DP Operator consoles

8.3.7.1

Maloperation can be caused by badly designed features or inexperienced personnel. This analysis
cannot account for inexperience but can verify that the design of the operator station minimises the
chances for maloperation.

8.3.7.2

Within sensor settings of the K-Pos DP controller there are options in the gyro setup dialog box and the
VRS setup dialog box to configure the Reject/Alarm limits. There may be occasions when the DPO
changes the default settings. It is important that procedures are in place to regulate any changes from the
defaults and ensure they are communicated to all operators.

8.3.8

Worst Case failure of DP Operator Stations

8.3.8.1

The worst case failure is a completely dead console; the DPO will have to take command at an alternate
console. There is no effect on position or heading control during this time.

8.4

DPC-2 CONTROLLER

8.4.1.1

As discussed earlier, the DPC-2 comprises two identical single board computers (SBC) called RCU
502s. The dual controllers are nominally called DPC A and DPC B. Although the controllers are the heart
of the DP system they need to communicate with the rest of the system. This is accomplished by utilising
several different mediums:
1. Ethernet
2. Serial Communication
3. Analogue / Digital Communication

8.4.1.2

The controllers have a shared I/O. The redundant system components are configured via software and
hardware voters to ensure continued operation in the event of a single failure. Both controllers are online
operating in a master/slave configuration. If one controller fails, the other controller assumes operation
as the master.

8.4.2

Ethernet:

8.4.2.1

An Ethernet network is installed to allow communication between the operator stations and the RCU
controllers within the DP Cabinet. Communication from the DPC to the rest of the system is via a dual redundant
Ethernet network operating at 100M full duplex. Each RCU 502 has a dual Ethernet IEEE 802.3
type 10BASE-T/100BASE-TX interface. These are separate isolated Ethernet controllers.

8.4.3

Serial communication:

8.4.3.1

The DPC-2 cabinet has four RSER200-4 serial line interface modules that are linked to both RCUs. Each
of these modules can have up to 4 serial inputs, all of which are galvanically isolated. The serial inputs
are spread across the RSER units and the RBUS dual-rail racks to enhance redundancy. Data is fed via
two wire connections from the RSER to serial inputs on the RCU502.

8.4.3.2

Serial data is received as a proprietary NMEA 0183 sentence. The National Marine Electronics
Association has developed a specification that defines the interface between various pieces of marine
electronic equipment. The standard permits marine electronics to send information to computers and to
other marine equipment. Vendors, such as Kongsberg in this case, can adapt the string to feed their own
equipment.
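
Because the serial inputs described above feed the controllers directly, each sentence should be checked before its fields are used. The following is an added example, not Kongsberg code or part of the report: a validator for the standard NMEA 0183 framing (start delimiter, 82-character limit, XOR checksum, proprietary "P" address). The manufacturer code `XYZ` and all sample sentences are constructed placeholders.

```python
"""Validate NMEA 0183 sentences before their fields are used (added example)."""
import string

MAX_LEN = 82  # NMEA 0183 maximum sentence length, '$' through <CR><LF>
_HEX = set(string.hexdigits)


class NmeaError(ValueError):
    """Raised when a sentence must be rejected."""


def checksum(body: str) -> int:
    """XOR of every character between '$' and '*' (delimiters excluded)."""
    value = 0
    for ch in body:
        value ^= ord(ch)
    return value


def make_sentence(body: str) -> str:
    """Frame a body as '$body*HH<CR><LF>'; used here to construct sample input."""
    return f"${body}*{checksum(body):02X}\r\n"


def parse_sentence(raw: str) -> dict:
    """Return the parsed sentence, or raise NmeaError if it must be rejected."""
    if len(raw) > MAX_LEN:
        raise NmeaError("sentence exceeds 82 characters")
    line = raw.rstrip("\r\n")
    if not line.startswith("$"):
        raise NmeaError("missing '$' start delimiter")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in line):
        raise NmeaError("non-printable character in sentence")
    body, star, given = line[1:].rpartition("*")
    if not star or len(given) != 2 or not set(given) <= _HEX:
        raise NmeaError("missing or malformed checksum field")
    computed = checksum(body)
    if computed != int(given, 16):
        raise NmeaError(
            f"checksum mismatch: computed {computed:02X}, received {given.upper()}")
    address, *fields = body.split(",")
    if address.startswith("P"):
        # Proprietary sentence: 'P' plus a three-character manufacturer code.
        if len(address) < 4:
            raise NmeaError("proprietary address lacks a manufacturer code")
        kind, source, sentence_id = "proprietary", address[1:4], address[4:]
    elif len(address) == 5:
        # Standard sentence: two-character talker plus three-character id.
        kind, source, sentence_id = "standard", address[:2], address[2:]
    else:
        raise NmeaError("address field must be talker (2) plus sentence id (3)")
    return {"kind": kind, "source": source, "id": sentence_id, "fields": fields}


def filter_stream(lines):
    """Split raw lines into parsed sentences and (raw, reason) rejections."""
    accepted, rejected = [], []
    for raw in lines:
        try:
            accepted.append(parse_sentence(raw))
        except NmeaError as exc:
            rejected.append((raw, str(exc)))
    return accepted, rejected


# Constructed sample input; none of these lines come from the vessel.
SAMPLE_STREAM = [
    "$HEHDT,90.0,T*16\r\n",          # valid true-heading sentence
    "$HEHDT,99.0,T*16\r\n",          # one digit altered, checksum unchanged
    make_sentence("PXYZ,STATUS,1"),  # proprietary; 'XYZ' is a placeholder code
    "$HEHDT,90.0,T\r\n",             # checksum field stripped
    "HEHDT,90.0,T*16\r\n",           # start delimiter missing
]

if __name__ == "__main__":
    ok, bad = filter_stream(SAMPLE_STREAM)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for raw, reason in bad:
        print(f"  {raw.strip()!r}: {reason}")
```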


8.4.4

Analogue/Digital communication:

8.4.4.1

The DPC-2 is equipped with eight RMP200-8 multipurpose I/O modules. Communication between the
RMP201-8 and field equipment is via software configurable digital or analogue I/O ports. Communication
between the RMP201-8 and the RCU502 is on a dual-rail RBUS interface designated RBUS A and RBUS
B. The RBUS interface is a standard multi drop RS485 serial line. Each RMP houses a processor and an
RBUS driver. Analogue inputs are MRU inputs (+/-10V), UPS common alarms, Gyro ready signals and
Thruster feedback signals. Digital inputs (DI) are MRU ready, gyro ready and Thruster / Rudder ready.

8.4.4.2

To transfer the data from the RBUS to the RCU502 an RHUB module is used. This is a 5-channel
galvanically isolated repeater for connection to the RBUS dual-rail connections (downstream), and the
two RCU controllers (upstream).

8.4.4.3

All modules described above, the RMP201-8, RHUB200-5 and RSER200-4, are part of Kongsberg's
RIO200 module family. RIO200 modules are the same shape and are mounted on a DIN dual-rail system.
The modules snap onto the rails with a double spring action making them secure. The rails provide a dual
power supply to the modules and, in the case of the RMP201-8, the interface to the RBUS.
From the drawing below it can be seen that PSU 1 supplies RBUS A and PSU 2 supplies RBUS B. Within
the modules, semiconductors connect the two supplies together. RMP and RSER units monitor if power
is available on the respective rails and initiate an alarm if power is missing. Figure 8-2 below illustrates
the internal connections within the DPC-2 controller.

Figure 8-2 DPC-2 Simplified Drawing

[Figure labels: RCU 501 A and RCU 501 B with redundant RCU net; NDU A1 / Hub A to Net A and NDU B1 / Hub B to Net B; PSU 1 and PSU 2 (24V DC) fed from DP UPS 1 and DP UPS 2; RBUS A and RBUS B; RHUB (U31, U61); RSER (U32, U33, U62, U63) with serial inputs and outputs for Gyro 1-3, Wind 1-3, DGPS 1-2, DARPS (1) and (2), Artemis, CyScan and Blom PMS; RMP (U34, U35, U36, U37, U41, U64, U65, U66) carrying Thruster 1-5 signals, MRU 1-3 signals, Gyro 1-3 Ready, UPS 1 and UPS 2 alarms and power limitation.]

8.4.4.4

In the DPC-2, the two controller computers operate in parallel, each receiving the same input from the
sensors, thrusters, reference systems etc. Both controllers independently compute the required
information to maintain station and pass this information across the network to the field stations. The field
stations take the median value. In the event of the loss of a controller, the system drops to simplex mode
configuration.

8.4.4.5

The master controller can be selected by the DP operator. If a failure of the master occurs the slave
controller will automatically take over with a bumpless transfer of command.

8.4.5

Dynamic Position Controller failure modes

8.4.5.1

Failure modes have been assessed for the DP Controllers and the failures assessed are listed below:
1. Failure of a DP Controller RCU
2. Failure of a DP cabinet Power Supply
3. Total failure of DP system
4. Communication fault on one network interface (within the cabinet)
5. Failure of an RMP module
6. Failure of an RHUB module
7. Failure of a common RSER module
8. Failure of RBUS rail
9. Failure of Red Net node or cable

8.4.6

Dynamic Position Controller failure effects

8.4.6.1

Failure of a DP Controller RCU: The failure of a single RCU controller is the most likely failure, whether it is
due to a power failure or hardware failure. This will cause a bumpless transfer to one of the redundant
processors and will therefore not cause any loss of position. The system will drop down to simplex
mode as described above.

8.4.6.2

Failure of DP Cabinet Power Supply: All units within the DPC Cabinet are dual supplied from PSU 1 and
PSU 2. In the event of a loss of either supply the DPC will continue to operate without a redundant power
supply. Alarms will alert the operator of the failure.

8.4.6.3

Total failure of DP System: In the event of a total loss of the DP system requiring changeover to Manual
Thruster Control, lever control may be taken for all thrusters via the cJoy system.

8.4.6.4

Communication fault on one network interface: The DP system will alarm for the loss of an appropriate
network (A or B) from the faulty RCU. The DP system will still operate as a duplex system but with no
redundancy.

8.4.6.5

Failure of an RMP module: Information from the specific module will not be available to the DP system.
As can be seen from figure 8-2, the loss of a single RMP module would at most cause the loss of a
thruster, a gyro and UPS alarm monitoring to the DP system (i.e. U34). See Table 8-3 below.

8.4.6.6

Failure of an RHUB module: Failure of an RHUB module will result in a loss of redundancy in the DPC I/O
setup. The two controllers will still receive data but only from either RBUS A or RBUS B. The RCU
controllers are alarmed to indicate loss of RBUS input.

8.4.6.7

Failure of a common RSER module: Four separate RSER modules are used to accept inputs from the
different sensors and PME. In the event of failure of a module, data from the sensor will not be available
to any of the RCUs. As table 8-2 below illustrates, sensor inputs have been distributed to ensure loss of a
RSER module will not have a major impact. Loss of a RSER is also alarmed to the operator. All RSER
modules are dual supplied from the dual-rail within the DPC-2 cabinet.

8.4.6.8

Failure of an RBUS Rail: Each RBUS rail provides power to the snap-on I/O modules and carries data
from the RMP units to the RHUB. In the event of a failed power supply this would be detected by the
attached RIO modules. A fault on the RBUS RS485 link would mean the RHUBs would have differing
information. This would be detected when the signal is sent to the RCUs. The failure of a rail or a
difference between the two RBUS networks will be alarmed to the operator.


8.4.6.9


Failure of Red Net node or cable: Alarm on DP, DPC-2 still operates on remaining network.
Table 8-2 RSER/RMP Module Assignments for Ref Sys/Sensors

DPC-A
RSER (U32)
Gyro 1
RSER (U33)
RMP (U34)
NMEA Ch2
Ready (DI) Ch7

DPC-B
RMP (U37)
RMP (U41)
RSER (U62)
NMEA Ch2
Gyro 2
RMP (U65)
RMP (U66)
Ready (DI) Ch7
NMEA Ch1
NMEA Ch1
Wind 2
NMEA Ch3
Wind 3
Ch1:R Ch2:P Ch3:H Ch4:D
MRU 1
Ch1:R Ch2:P Ch3:DI
MRU 2
Ch1:R Ch2:P Ch3:DI
MRU 3
DGPS1
NMEA Ch4
Darps1
NMEA Ch2,3
DGPS2
NMEA Ch4
Darps2
NMEA Ch3,3
NMEA Ch1
Fanbeam
Artemis
NMEA Ch1
Blom PMS
NMEA Ch4
RMP (U64)
Ready (DI) Ch5
NMEA Ch4
Gyro 3
Wind 1
RSER (U63)


Table 8-3 RMP Module Assignments for Thrs/machinery

RMP (U34)
Thrs 1
RMP (U35)
RMP (U36)
RMP (U64)
RMP (U64)
RMP (U65)
Ch1:Rdy Ch2:FB Ch3:P.red Ch6:Cmd
Ch1:Rdy Ch2:ThrFB Ch3:P.red Ch4:AziFB Ch6:ThrCmd Ch8:AziCmd
Ch1:Rdy Ch2:ThrFB Ch3:P.red Ch4:AziFB Ch6:ThrCmd Ch8:AziCmd
Thrs 4
Thrs 5
RMP (U65)
Ch1:Rdy Ch2:FB Ch3:P.red Ch6:Cmd
Thrs 2
Thrs 3
Ch1:Rdy Ch2:FB Ch3:P.red Ch6:Cmd

8.4.6.10 As can be seen from the table above, the rudder and Thruster 6 (CPP) are not hardwired to the DPC 2.
The CPP is hardwired to the K-Chief AC C20 and the rudder is controlled by the KM Navigation unit.
The DP controller gives commands and receives feedback from these units via Net A and B.


8.4.7

Hidden Failures in the DPC-2 Controller

8.4.7.1

Due to the complexity of the software it is never possible to test all functions in all situations. There is
always a risk that a situation will arise that could cause both processors to give an undesirable output.
The only protection against this is that many systems are in use, all running the same core software,
which has been developed over many years, together with the tests and trials that are done.

8.4.7.2

The RMP and RSER units monitor the DIN-rails and give an alarm if power is missing from the rail. The
RHUB module does not monitor the power supply and it is conceivable that either a bad connection or
incorrect seating of the unit could cause the RHUB to have only one supply. This is not alarmed or
detectable by the unit. Redundancy tests by failing one of the main DPC PSUs (PSU 1 or PSU 2) would
reveal this fault. In mitigation, for this to be critical, both RHUBs would have to fail in the same way (i.e. both
with a bad connection to the same rail). This would not initiate an alarm; however, if the other DPC power
supply then failed, contact would be lost between both RHUBs and the RCU502 controllers. Failure of an
RHUB will not exceed the worst case failure design intent, but it reduces the fault tolerance.

8.4.8

Common Mode Failures Affecting the DPC-2 Controller

8.4.8.1

The RMP200-8 has eight multipurpose I/O channels; two of the channels are galvanically isolated to
handle individually configured analogue I/O. The other six channels have a common ground so there is
the potential for a common mode failure. This is not critical as a failure is no worse than loss of a
complete RMP module.

8.4.8.2

As all modules within the DPC-2 share the same dual power source, there is a common point within each
module where internal diodes connect to provide dual redundant power. For internal faults, current
limiting circuits within the module prevent it from drawing excessively high currents or causing significant
voltage dips. Such currents or dips might affect both power supplies and thus the performance of other
redundant modules in the DPC-2. Although the DPC would recover, there would be no automatic DP control
until reboot was complete, which would be a matter of several minutes.

8.4.8.3

The following information is taken from the K-Pos FMEA. An internal short circuit between power and
ground (behind the internal diodes and before the internal current limiter) on a module PCB is considered
to be highly unlikely. In a system with two PSUs such a fault will cause both A and B fuses for the short
circuited module to blow, and both 24 VDC supplies may dip. Depending on fuse selectivity, this may
result in complete reset of the DPC. All modules not connected to the blown fuses will return online. This
fault is less likely than the above mentioned semiconductor fault, and is therefore not treated further. For
more details, refer to FMEA document for each module.

8.4.9

Maloperation of the DPC-2 Controller

8.4.9.1

Maloperation of the DPC-2 is not expected as there is no operator input.

8.4.10

Configuration Errors of the DPC-2 That Could Defeat Redundancy

8.4.10.1 Configuration errors would only be evident in the event of a corrupt load install. As software is not being
investigated in this analysis, configuration errors resulting from software have not been investigated
further.
8.4.11

Worst Case Failure of the DP Controllers

8.4.11.1 The worst case prescribed for the DPC-2 controllers is the loss of one RCU 502. In this case there will be
audible as well as text alarms on both of the operator stations stating the loss of communication/network
failure. There will be no loss in station keeping as there is redundancy for the RSER/RMP modules being
fed to both the controllers.


8.5

DP SYSTEM SENSORS - MRU - ANEMOMETER - GYROCOMPASS

8.5.1

References


Cable Layout Drawing, K-Pos DP 22 System:- 1180307 Rev E


Cable Layout Drawing, K-Pos DP 22 Reference System(s):- 1180309 Rev C
Cable Layout Drawing, cJoy System:- 1180308 Rev C
Cable Layout Drawing, BlomPMS:- 1181712 Rev D
FMEA Document, K-Pos DP-21 and cJoy:- 1180321 Rev B
Kongsberg K-Pos DP-21 and cJoy Cable Information:- 1203503 Rev A
8.5.2

Description

8.5.2.1

The 157K Shuttle Tanker is fitted with a range of environmental sensors as required for DP 2 classification.
There are sensors for heading, pitch, roll, heave, and wind speed and direction. Heading is measured by
gyro compasses, while pitch and roll are detected by motion reference units. Wind speed and direction are
measured by an array of anemometers. Information on heading and vessel motions is used to correct
position reference information for GPS antenna orientation. Wind speed and direction (wind force) is used
as input to the DP system's mathematical model as a feed forward term to improve the DP control
system's response to sudden increases or decreases in wind velocity or rapid changes in direction.

8.5.2.2

The following sensors are available to the main DPC-2 dual controller on the vessel:

3 x Gyro Compasses (C.Plath Navigat X Mk 1)

3 x Motion Reference Units (2 x MRU-D, 1 x MRU 5)

3 x Wind Sensors (3 x Gill Ultrasonic Sensors)

8.5.2.3

There is a sensor integrator (SINT) on board this vessel that has inputs from the three DP Gyros and
wind sensor 1 (via serial splitter 1). The SINT has no effect on DP equipment and is primarily used for
navigation equipment. Failure on the SINT has no effect on the DP systems.

8.5.3

Gyro compasses

8.5.3.1

There are three gyro compasses to provide heading information; all three are C.Plath Navigat X Mk 1.
Gyro 1, Gyro2 and Gyro 3 are located in the instrument room.

8.5.3.2

The C.Plath Navigat X Mk 1 unit can remain north stabilised during power interruptions of up to three
minutes. A 2° deviation could be expected after a three minute failure. Once power is re-established the
compass will quickly find the correct heading. Latitude error is virtually eliminated due to the liquid
damping system used in the gimbals array.

8.5.3.3

Gyros 1, 2 and 3 are fed to the DP control system as well as the Blom PMS. Gyro 1 feeds the OMC 146
IO box as well as the independent joystick.

8.5.3.4

Heading input is also required for the DARPS systems. The heading required by the DARPS systems
is not taken directly off the gyros but from the DP system itself, in order to ensure that the DARPS
heading is the same heading utilised by the DP system.

8.5.3.5

Gyro 1 and Gyro 2 are also interfaced to the Gyro switchover unit. However, the telegrams to the DP from
these gyros do not come from the switchover unit but are hardwired from the gyros themselves to the DPC
cabinet. As such, any failure of the switchover unit will have no effect on the DP system. Gyro No. 3 is
not connected to the switchover unit. As the Gyro switchover unit has no effect on the DP system, it is
not investigated further.

8.5.4

Power supplies and distribution


Table 8-4 Power supplies for Gyros

DP Sensors    Main supply
Gyro 1        DP UPS 1
Gyro 2        DP UPS 2
Gyro 3        DP UPS 2

8.5.4.1

All three gyro units feed the DPC-2 RSER cards using an NMEA 0183 sentence.

8.5.4.2

The gyro compasses are probably the most critical of the vessel reference sensors; failure of the vessel
heading reference can cause the vessel to oscillate or lose heading and position control altogether, with
serious consequences if near other vessels/structures.

8.5.5

Motion Reference Units

8.5.5.1

There are two Seatex MRU D (MRU No.2 and MRU No.3) motion reference units and one MRU 5 (MRU
No.1) motion reference unit. MRU X is located in the fire control station room on the accommodation
upper deck, MRU X is located in the air conditioning room also on the accommodation upper deck. MRU
X is located in the 1 to 3 are located in the room next to the Battery room on the accommodation D-Deck.

8.5.5.2

MRU-5 units provide high performance motion data with a high reliability achieved by using solid-state
sensors with no moving parts and proven electrical and mechanical construction. The MRU5 measures
pitch and roll with an accuracy of ±0.05° up to a pitch and roll angle of 5°. Pitch, roll and heave data are
sent as analogue inputs (+/-10V) to the DPC-2.

8.5.5.3

MRU D is similar to the MRU 5 but only outputs roll and pitch data to the DP control system at a reduced
accuracy of 0.35° for a 5° amplitude on either axis.

8.5.6

Power supplies and distribution


Table 8-5 Power supplies for MRUs

DP Sensors        Power supply
MRU 1 (MRU 5)     DPC-2 cabinet PSU 1 (DP UPS 1)
MRU 2 (MRU D)     DPC-2 cabinet PSU 2 (DP UPS 2)
MRU 3 (MRU D)     DPC-2 cabinet PSU 1 (DP UPS 1)

8.5.6.1

The MRUs are fed from the DPC-2 power supplies, which are supplied from DP UPS 1 and DP UPS 2.
PSU 1 supplies MRU 1 and MRU 3 and PSU 2 supplies MRU 2; please refer to Table 8-5.

8.5.6.2

Various reference systems such as DGPS use accurately measured angles relative to the hull for their
calculations.

8.5.6.3

There is no direct MRU input to DGPS; instead the MRU input to the DP Controller is used to
compensate the raw DGPS signals and correct them, taking into consideration the angle of the hull, fore and
aft, port and starboard, relative to the horizontal. The importance of the MRU signal increases as the
weather worsens and the ship's movements become more severe.

8.5.6.4

The Seatex MRUs are alarmed for pitch/roll difference and loss of power (MRU ready) and with a three
sensor system, a defective or inaccurate MRU will be deselected from DP if there is a discrepancy. If the
system has degraded to two MRUs and a difference of more than 2° is present, there will be an alarm for
difference and it will be up to the DPO to decide which MRU is correct and take appropriate action.

8.5.7

Wind sensors

8.5.7.1

There are three Gill Ultrasonic Wind Sensors installed on the 157K Shuttle Tanker. The wind
sensors should be distributed in areas where environmental and physical obstructions will not cause loss
of all sensors. Wind Sensors 1 and 2 are mounted on the main mast and Wind Sensor 3 is mounted on the
forward mast.

8.5.7.2

The Gill wind sensor used on the 157K Shuttle Tanker is an ultrasonic unit that uses four transducers to
calculate wind speed and direction by measuring the time taken for an ultrasonic pulse of sound to travel
between these four transducers.


8.5.7.3

The wind sensors transmit the wind speed and direction to the wind indicators. The wind indicators
supply power to the sensors and also transmit the wind telegram to the DP controller. Wind indicators 1,
2 and 3 are mounted overhead in the wheelhouse. Wind indicators 2 and 3 forward their data directly to
the DPC-2 controller. Wind indicator 1 transmits the data to the DP control system via a powered serial
splitter unit. Data is sent in an NMEA 0183 string. Wind sensor 1 also transmits wind data to the
independent cJoy via the serial splitter unit.

8.5.8

Power supplies
Table 8-6 Power supplies for wind sensor

DP Sensors          Power supply
Wind 1              DP UPS 1
Wind 2              DP UPS 2
Wind 3              DP UPS 1
Serial Splitter 1   No.1 24VDC Battery Charger and Discharger Board
Serial Splitter 2   No.2 24VDC Battery Charger and Discharger Board
Serial Splitter 3   No.1 24VDC Battery Charger and Discharger Board

8.5.8.1

The Gill wind sensors operate on a 15V DC supply, receiving this from their corresponding wind indicator.
All power for the wind indicators is provided from UPS 1 and UPS 2. These indicators output 15V DC for
wind sensors 1, 2 and 3 respectively; please refer to Table 8-6.

8.5.8.2

Wind serial splitters are in line with the redundancy split. As wind sensors 1 and 3 are fed off UPS 1 and
wind sensor 2 is fed off UPS 2, their respective wind serial splitters should be fed off the same side of the
switchboard. Serial splitters 1 and 3 are fed off the No.1 24VDC battery charger and discharger board and
serial splitter 2 is fed off the No.2 24VDC battery charger and discharger board.

8.5.9

Sensor rejection/alarms

8.5.9.1

The DPC-2 makes extensive use of software checks and voting to validate the data on which position
calculations and thrust orders depend. Should any of the sensors produce an anomalous output, the
sensor will be alarmed or rejected by the DP system. A wind sensor is alarmed if direction does not
change within 20 seconds; an MRU is rejected if one of the readings jumps >7.5° or freezes for more than
20 seconds. A gyrocompass is rejected if heading jumps by >7.5°.

8.5.9.2

There is an option for the DPO to configure some Reject/Alarm limits in the DP software. These
alarms/rejections are vessel, and sometimes, environmentally specific. Mimics are available for each
sensor group. The following limits are normal:

8.5.9.3

Gyro compasses: A compass is rejected if the heading deviates > 2° from the median in a three gyro
system, and alarms if in a two gyro system.

8.5.9.4

MRUs: An MRU is rejected if the pitch or roll deviates >3°, or the heave >2m, from the median in a three
MRU system, and alarms if in a two MRU system.

8.5.9.5

Wind sensors: A difference alarm is registered if a discrepancy of >6m/Sec or a direction of >45° is
detected between sensors for a set period. (1m/Sec ≈ 1.95Knots)

8.5.9.6

It is normal for the three Gyros and MRUs to be selected into DP at all times. However as discussed
above the DPO has control of this through DP mimics on the online operator station. The operator can
Enable which sensors to select; can set a Preference, set Alarm Limits and Rejection Limits.

8.5.9.7

The wind sensor settings do not give the option to reject a specific wind sensor. This is because it is not
uncommon for differences to occur between them. Alerting the operator to the discrepancy is enough of a
warning. This allows the DPO to deselect a sensor if required.
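
The median voting described in 8.5.9.3 can be sketched as follows. This is an added example, not Kongsberg K-Pos code and not part of the original report: the function names, the returned structure and the heading value returned in the two-gyro case are assumptions, and only the 2° limit is taken from the text. It also handles the 359°/0° wrap, which a plain sorted median gets wrong.

```python
"""Median voting over redundant heading sensors (added illustration).

Only the 2 degree limit comes from section 8.5.9.3; names, return
structure and the two-sensor output value are assumptions of this sketch.
"""

REJECT_LIMIT_DEG = 2.0  # 8.5.9.3: deviation from the median, three-gyro system


def ang_diff(a, b):
    """Signed shortest difference a - b in degrees, range [-180, 180)."""
    return (a - b + 180.0) % 360.0 - 180.0


def circular_median(headings):
    """Median heading that stays correct across the 359/0 degree wrap.

    Headings are unwrapped relative to the first value, so the result is
    only meaningful while the sensors agree to within 180 degrees.
    """
    ref = headings[0]
    offsets = sorted(ang_diff(h, ref) for h in headings)
    n = len(offsets)
    if n % 2:
        mid = offsets[n // 2]
    else:
        mid = (offsets[n // 2 - 1] + offsets[n // 2]) / 2.0
    return (ref + mid) % 360.0


def vote(readings, limit=REJECT_LIMIT_DEG):
    """Vote on a dict of sensor name -> heading in degrees (None = no data).

    Three or more valid sensors: a sensor further than `limit` from the
    median is rejected. Two valid sensors: there is no majority, so a
    deviation only raises a difference alarm and nothing is rejected.
    """
    valid = {k: v for k, v in readings.items() if v is not None}
    alarms = [f"{k}: no data" for k, v in readings.items() if v is None]
    rejected = []
    if not valid:
        return {"heading": None, "rejected": rejected,
                "alarms": alarms + ["no heading available"]}

    median = circular_median(list(valid.values()))
    outliers = [k for k, h in valid.items()
                if abs(ang_diff(h, median)) > limit]

    if len(valid) >= 3:
        rejected = outliers
        alarms += [f"{k}: rejected, deviates from median" for k in rejected]
        used = [h for k, h in valid.items() if k not in rejected]
        heading = circular_median(used) if used else None
    else:
        if outliers:
            alarms.append("difference alarm: operator must choose sensor")
        # Assumption: report the midpoint/single value; the report does not
        # say which value the DP system uses while the alarm is active.
        heading = median
    return {"heading": heading, "rejected": rejected, "alarms": alarms}


if __name__ == "__main__":
    # Constructed readings, not data from the vessel.
    cases = {
        "healthy, across north": {"gyro1": 359.5, "gyro2": 0.4, "gyro3": 0.1},
        "gyro3 offset":          {"gyro1": 90.0, "gyro2": 90.5, "gyro3": 95.0},
        "two gyros disagree":    {"gyro1": 90.0, "gyro2": None, "gyro3": 95.0},
    }
    for label, readings in cases.items():
        print(label, "->", vote(readings))
```
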

8.5.10

Failure modes of the DP sensors

8.5.10.1 Failure modes of the gyrocompasses

1. No heading information (Serial data)
2. Heading incorrect (frozen, unstable, offset, jump)
3. Serial link continuously active
4. Electrical fault on power supply

8.5.11

Failure modes of the motion reference units

1. No output for pitch, roll and/or heave (10V)
2. Incorrect or unstable output for pitch, roll and/or heave
3. Combinations of the above
4. Electrical fault on power supply

8.5.12

Failure modes of the wind sensors

1. Speed fails high/low
2. Speed incorrect (frozen, unstable)
3. Direction incorrect (frozen, unstable)
4. Combinations of the above
5. Electrical fault on power supply

8.5.13

Failure effects of the DP sensors

8.5.13.1 Failure effects of the gyrocompasses: The gyro compasses input into the DP via the RSER200-4
modules within the DPC-2. RSER modules have watchdogs installed which alarm for several input faults
including: empty packet no data but power present, no input on terminals, multiple contiguous corrupt
telegrams. Any one of these failures would indicate to the operator that the relevant sensor was faulty.
8.5.13.2 In the event of an incorrect heading, this would be detected by voters within the DP system and the
sensor would be deselected.
8.5.13.3 A failure of a gyro compass will have no effect on position if all other systems are operating as required.
8.5.13.4 Failure effects of the motion reference units: All of the failures listed above will be alarmed at the DP
system.
8.5.13.5 A failure of an MRU will have no effect on DP operations. However when down to two units in the event of
another failure the DPO must be aware and select the correct unit for DP. DPO awareness is therefore
important.
8.5.13.6 Failure effects of the wind sensors: There is always the possibility of a false reading from a wind sensor.
This should not be a serious problem to the DP as wind sensors are routinely deselected. Wind sensor
accuracy is often impaired when large structures such as cranes cause unpredictable wind eddy currents
and have a destabilising effect on the DP system. Good operational practices and awareness can, to a
large extent, negate this problem. Great care must be taken when there are only two wind sensors in use.
8.5.13.7 The wind sensor inputs into the DP via the RSER200-4 modules within the DPC-2. The protective
functions built into the RSER modules are discussed above. A corrupt/missing NMEA string would be
detected and the wind sensor deselected from DP.
8.5.14

Hidden failures of the DP sensors

8.5.14.1 There are no significant hidden failures of this system because the sensors are independent and any
failure that causes a false reading will trigger DP alarms.
8.5.15

Common mode failures of the DP sensors

8.5.15.1 All three gyros are identical C.Plath Navigat X Mk 1 units and may be subject to a common mode failure of
hardware or firmware.

8.5.15.2 All three MRUs are similar Seatex units and may be subject to a common mode failure of hardware or
firmware, however as these are industry standard units that have been in service for many years this is
considered unlikely.
8.5.15.3 Correct positioning of the wind sensors helps prevent common mode failures caused by the environment.
On the Shuttle Tanker, sensors are located on the port and starboard sides at the RADAR mast. Lightning
strikes on wind sensors are common mode failures, mitigated by the use of lightning protectors.
8.5.16

Maloperation of the DP sensors

8.5.16.1 Maloperation is not considered a high risk with automatic systems such as the equipment above.
8.5.17

DP Sensor configuration errors

8.5.17.1 Setting the latitude incorrectly on the gyro compasses.


8.5.17.2 Incorrect mounting angle offset on the MRUs.
8.5.17.3 Within sensor settings there are options in the Gyro setup dialog box and the MRU setup dialog box to
configure the Reject/Alarm limits. There may be changes in environmental conditions that require the
DPO to change the default settings. It is important that procedures are in place to regulate any changes
from the defaults and ensure they are communicated to all DP operators.
8.5.17.4 The default settings have been selected to ensure any excursion from the norm caused by a faulty sensor
has minimal effect on vessel heading or position. Changing these settings, for whatever reason, to allow
a greater deviation between sensors, degrades the level of protection provided and may have a critical
effect on vessel heading or position if another sensor fails.
8.5.17.5 Scaling of Wind Sensors: Where wind sensors are mounted at different heights scaling is necessary.
Wind force experienced by the vessel at sea level may be different to that calculated using a reading from
an anemometer high up on the vessel. Scaling is normally done to the standard 10 meter height, that is to
say that the DP system computes the model by using the wind speed at 10m. If anemometers are located
above or below this level, a correction must be applied to produce a wind speed signal which is
equivalent to that produced by an anemometer mounted at 10m. If this scaling is not carried out,
switching between wind sensors at different heights can produce vessel movement.
8.5.17.6 Wind sensor scaling should be checked after any software or parameter updates.
8.5.17.7 The purpose of the scaling is to correct for different sensor heights; it does not change the wind
coefficient of the vessel. Wind is stronger with higher elevation, as shown in Figure 8-3 below. This graph
shows how a wind sensor at 10m would register a wind speed of 10m/s, but if it is located higher or lower
it will read differently.
8.5.17.8 The thrust produced by the model to hold position is directly related to the forces acting on the vessel
therefore any unknown forces will be presumed to be due to the current or the sea state. Using figures
from the Beaufort scale as an example, at the 10m reference if the wind speed was 5m/s for a required
duration sea state would be described as moderate. An uncorrected or incorrect reading of 10m/s for a
similar duration would indicate a sea state of very rough, a difference which could have significant effect
on the DP model if a change in heading was requested.


Figure 8-3 Variation of wind speed with elevation above sea level (plot of Elevation Above Sea Level (m), 0 to 100, against Wind Speed (m/s), 9 to 15)

8.5.18

Worst case failure of the DP sensors


The worst case failure will be the loss of either DP UPS, which will cause the failure of the sensors that are
supplied by it. However, this will not have an immediate effect on the DP system and operation, but the DP
system will be left with reduced redundancy.

8.5.18.1 The DP UPS consumers are listed as follows:


I. DP UPS 1: MRU 1, MRU 3 (both MRUs supplied via DP PSU 1), Wind 1, Wind 3 and Gyro 1

II. DP UPS 2: MRU 2, Wind 2, Gyro 2 and Gyro 3

8.6

DP POSITION REFERENCE SENSORS - DGPS, FANBEAM, AND ARTEMIS

8.6.1

Drawing reference
Cable Layout Drawing, K-Pos DP 22 System: - 1180307 Rev E
Cable Layout Drawing, K-Pos DP 22 Reference System(s):- 1180309 Rev C
Cable Layout Drawing, cJoy System: - 1180308 Rev C
Cable Layout Drawing, BlomPMS: - 1181712 Rev D
FMEA Document, K-Pos DP-21 and cJoy: - 1180321 Rev B
Kongsberg K-Pos DP-21 and cJoy Cable Information: - 1203503 Rev A

8.6.2

Description:

8.6.2.1

DNV requires at least three sources of position references, of which two must use different measurement
principles. This requirement is satisfied by the provision of satellite, laser and microwave systems.
In the case of the DGPS systems, satellite data to receivers on the vessel translates to the position of the
vessel with respect to the Earth's surface. Range and bearing systems like the Fanbeam and Artemis
systems measure the position of a moving object relative to a fixed point.

8.6.2.2

On the 157K Shuttle Tanker, there are six sources of position information: two Differential, Absolute and
Relative Positioning Systems (DARPS), one Fanbeam and one Artemis system.


8.6.3

DGPS

8.6.3.1

The DGPS system consists of a DARPS 200 and a DARPS 132, both receiving corrections from IALA
and two Seastar demodulators. The UHF 450 (450MHz) and UHF 455 (455MHz) radios that come
together with the DARPS systems provide the communication gateway between a DARPS unit on the
157K Shuttle Tanker and an independent second DARPS unit or a portable DARPS Transponder on
another installation. The DARPS 200 on this vessel is also interfaced with a UHF 464 Radio (for use in
Brazil) in addition to the UHF 450.

8.6.3.2

DARPS uses the difference in range as observed from the FPSO and the Shuttle Tanker and thus these
two vessels need to track the same satellites.

8.6.3.3

From each DARPS unit, there will be two outputs to the DP system, one for absolute DGPS position and
another for relative range-bearing positioning.

8.6.3.4

The DARPS 200 system is a GPS/GLONASS based positioning system that combines range
measurements from two different DARPS units in order to compute the relative position between them.
The DARPS 132 system is a similar system but operates on the GPS L1/L2 & SBAS frequency band.

8.6.3.5

Range measurements from each of the two units can also be used to calculate absolute positions and
interface of differential corrections improves position accuracy.

8.6.3.6

Output data from a DARPS system on board a Shuttle Tanker that is doing offloading operations from an
FPSO are:
1. Distance and Bearing from Shuttle Tanker to FPSO
2. Absolute position of Shuttle Tanker

8.6.3.7

In order for the DARPS system on the 157K Shuttle Tanker to identify a DARPS Transponder or a
separate DARPS unit on a FPSO, the DP software has to be configured to identify the ID and coordinates for different loading sites.

8.6.3.8

When the computed distance between the 157K Shuttle Tanker and the loading site is less than 10km,
the UHF radio on the 157K Shuttle Tanker starts searching for contact with the DARPS system or
DARPS transponder on the installation to be referenced from.

8.6.3.9

The UHF radio only receives data from the FPSO or buoy. A TDMA (Time Division Multiple Access)
transceiver transmits and receives data from the fixed installation to the 157K shuttle Tanker. The main
benefit of using the TDMA protocol would be in having more Shuttle Tankers and FPSOs operating in the
same area and on the same frequency without interference should both the fixed installation and mobile
vessel come equipped with a TDMA transceiver. This is because the TDMA protocol enables several
units to operate on the same frequency but within different time-slots.

8.6.3.10 When contact has been established between both stations, the following information is transmitted
between the units before Distance to Target (DT) and Bearing to Target (BT) are calculated :
1. GPS range data
2. Gyro heading (roll & pitch)
3. Offset vector arms
4. Vessel dimensions
5. Units ID and Name
8.6.3.11 Before relative calculations are carried out by the DP system, the reference system data needs to be
transferred to a common reference point, the Centre of Gravity, before transforming the co-ordinates to the
Loading Point for final calculations.
8.6.3.12 The location of the GPS antenna for the DARPS unit is used as the reference point to be transformed to
the Loading Point.
8.6.3.13 No offsets to reference points on the 157K Shuttle Tanker are added in the DARPS system before
transmission to the DP system. All lever arm offsets are added on the DP system.


8.6.3.14 Gyro heading is fed to both the DARPS systems from the DP and not from individual gyros so as to
ensure that both the DP system and the DARPS systems have the same heading data.
8.6.3.15 When DARPS data from the FPSO/buoy have been combined with the Shuttle Tanker data, relative
positions between the two vessels can be computed. See Figure 8-4 below.

Figure 8-4 Simplified calculation of relative DARPS data (diagram; labelled: Loading Point)

8.6.3.16 As with any line of sight system it is important that the antennas are not masked from the satellite by
sections of the vessel, particularly in the more northern latitudes where the line of sight is closer to the
horizon. All antennas for the DARPS 200 system are located on the main antenna mast above the
wheelhouse. All antennas for the DARPS 132 are located on the mast on the bow. The DARPS 132
receiver is located in the wheelhouse and the GPS and UHF antennas for this unit are located on the bow
mast. Lightning protectors should be installed in the lines between the antennas and the DGPS racks.
8.6.3.17 It is possible to select which correction sources are used to compute the vessel's position. To enhance
redundancy, it is normal practice to have DARPS 132 and DARPS 200 in different correction modes. In
addition, the two DGPS should use different elevation masks whenever possible. This will force the two
systems to use different satellites. This helps eliminate common mode failures due to the use of the same
satellite stations.
8.6.3.18 On the K-POS Operator Station, there are two buttons related to each DARPS unit as a position
reference. One of the buttons is to enable the absolute position reference, DGPS and the other button is
to enable the relative measurement of the DARPS unit as a position reference for the DP system. Serial
NMEA position data is continuously transmitted (1Hz) to the K-POS DPC 2 via RSER200-4 to allow
station keeping.
8.6.3.19 The IALA correction signal to either DARPS unit is a free signal that is transmitted from base stations on
land. This signal depends on an obstruction free path between the antenna and the base station in order
to be received by the DARPS systems.
8.6.3.20 The Seastar Spotbeam / Inmarsat demodulators take the compressed signal from the correction stations,
decode it and send the RTCM data to the DGPS processor. The signal is a proprietary signal only
decodable by Seastar software. From this data the DPO can determine which stations are strongest and
possibly nearest and select them as reference stations if he chooses to do so manually. The default
range for usable correction signal to the demodulators is 2000km.
8.6.3.21 Corrections from Inmarsat, Spotbeam, IALA are available and can be independently selected to either or
both systems. This gives a measure of redundancy.
8.6.3.22 In addition to the above correction signals to the DARPS units, as the DARPS 132 is of dual frequency
type, either the Spotbeam or Inmarsat demodulator will be able to supply ionospheric corrections as well
as XP corrections to the unit.


8.6.3.23 On the 157K Shuttle Tanker, the DARPS 132 outputs NMEA DGPS information to the K-POS DPC 2,
OMC 146 (Wind 1 Logging Unit), Wing Display 1 and 4 and Blom PMS. Relative positioning data is only
fed to the K-POS DPC 2.
8.6.3.24 The DARPS 200 outputs NMEA DGPS information to K-POS DPC 2, Wing Display 2, Wing Display 3 and
to Blom PMS. Relative positioning is also only fed to the K-POS DPC 2.
8.6.3.25 Power Supplies: Power to the DARPS 200 is from UPS 2 and for DARPS 132 is from UPS 1. Both
systems can be connected to the DP system at the same time.
8.6.4

Fanbeam

8.6.4.1

The Fanbeam system is a laser based position reference system.

8.6.4.2

The Fanbeam system consists of a laser-scanning unit mounted on a motorised yoke that can rotate 360°
at up to 50° per second. The Fanbeam's laser unit can measure to a range of 1000m to within an accuracy
of 10 cm.

8.6.4.3

Pulses reflected from a retro-reflector are timed and multiplied by the speed of light to give distance. The
electro-optical encoder is read at the time the reflected pulse is received to determine the bearing.

8.6.4.4

An autotilt mechanism incorporated into the yoke of the Fanbeam laser unit allows the laser scanning
head to be adjusted by 15 vertically.

8.6.4.5

The Fanbeam laser is located on the bow mast. The universal control unit (UCU) is located in the
wheelhouse.

8.6.4.6

Operation: The fanbeam laser, as the name suggests, uses a laser to detect and lock on to a reflective trip
on a fixed platform. The control unit which is Universal Control Unit (UCU) then calculates the angle and
range of the reflective strip from the vessel and converts this information into a position reference that can
be used by DP.

8.6.4.7

Power Supplies: The Fanbeam laser unit and UCU is powered from UPS 2. The serial splitter that
transmits the Fanbeam data to DP is fed from No.2 Battery Charger and Discharger Board.

8.6.4.8

Serial NMEA position data is continuously transmitted to the K-POS 22 via RSER200-4 to allow station
keeping.

8.6.5 Artemis

8.6.5.1 Artemis MK5 is installed on the 157K Shuttle Tanker. The Artemis MK5 is an accurate, microprocessor
based microwave position reference system of the range bearing type. It measures the absolute distance
and the relative angle between two Artemis stations, using microwaves in the frequency band 9200-9300MHz.

8.6.5.2 On the 157K Shuttle Tanker, the Artemis Mobile Station consists of:
1. An antenna unit, type: A5AU
2. An antenna, type: A5AN
3. An operating panel
4. A Windows based PC

8.6.5.3 The Mobile Station on board can be operated with a hand held operating panel which is connected to the
Antenna unit to read or set specific system parameters. It can also be used to read the position data from
the Antenna unit once the system is operational. The Mobile Station is connected to a PC to enter and/or
change settings and to read the position data and system parameters.

8.6.5.4 The total system consists of two stations: one configured as the Mobile Station, and one as a Fixed
Station. The Fixed Station of the Artemis Mk5 usually comprises the same components as the Mobile
Station minus the PC. The Mobile Station can also measure the range and bearing to an Artemis Beacon.

8.6.5.5 The Fixed Station is always installed on a fixed (stationary) point, usually on a platform or rig.

8.6.5.6 The position of the 157K Shuttle Tanker is determined by the range and bearing of the vessel from the
Fixed Station or Artemis Beacon.

Figure 8-5 Principle of standard Artemis

8.6.5.7 With the Fixed Station, both Antennas on the Mobile Station and Fixed Station maintain a continuous
wave (CW) microwave link and keep the system in lock mode. The tracking is such that the imaginary
line connecting the antenna centres is always perpendicular to the two antennas, even when the Mobile
Station moves (see Figure 8-5).

8.6.5.8 The microwave link is used for:
1. Tracking of the antennas;
2. Distance measurement;
3. Data transmission between the stations (9600 bits/s)

8.6.5.9 Distance between the vessel and the Fixed Station is derived from the elapsed time of coded interruptions
in the microwave signals transmitted by both stations. The standard system has a range of 10 to 5000
meters with an overall accuracy of 1m.

8.6.5.10 A precision shaft coupled to the main shaft of the Fixed Station measures the angle of the Fixed Station's
antenna with respect to North or another reference direction. See Figure 8-5. If the reference direction is
north, the angle measured is referred to as the azimuth. The reference direction is obtained by initial
alignment of the antenna to a reference object of which the bearing with respect to north (or another
reference direction) is known, using the optional telescope. The reference azimuth (or bearing) is then
keyed in, after which the bearing measured is the bearing with respect to that reference direction.

8.6.5.11 The standard system has an azimuth range of 0° - 360° with an overall accuracy of 0.02°.

8.6.5.12 A precision shaft encoder, coupled to the main shaft of the Mobile Station, measures the angle of the
Mobile Station's antenna with respect to the bow (0°) or stern (180°) of the vessel. The angle is referred to
as the relative Mobile antenna bearing.

8.6.5.13 With the Artemis Beacon, the position of the vessel is determined by the distance (range) between the
Mobile Station and the Beacon and the azimuth computed at the Mobile Station from the relative Mobile
antenna bearing and the vessel's heading, as measured by the vessel's gyrocompass (see Figure 8-6).

Figure 8-6 Principle of Artemis Beacon system

8.6.5.14 The distance between the Mobile Station on the vessel and the beacon is derived from the elapsed time of
coded interruptions in the microwave signals transmitted by the Mobile Station and the Beacon. The
beacon system has a range of 10 to 2000m, depending on the type of beacon antenna fitted. There are
three different antenna types to suit specific applications. Overall accuracy of the distance measurement is
1 m.

8.6.5.15 Unlike the Fixed Station, the Beacon does not provide the azimuth, but only the distance to the Mobile
Station. The azimuth is obtained by combining the relative mobile antenna bearing with the heading of the
vessel as measured by her gyrocompass. To obtain a true relative mobile antenna bearing, the Mobile
antenna must be aligned with the vessel's centre line. The accuracy of the azimuth depends on the
individual accuracies of the relative mobile antenna bearing and the heading. An overall accuracy of 0.4°
is possible.
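The Beacon-mode geometry in 8.6.5.13 to 8.6.5.15, worked through as an added example (not part of the report and not vendor code). It assumes a flat local north/east frame and reads the quoted angular accuracies as degrees; all function names are hypothetical. It shows how an azimuth or gyro heading error turns into a position shift that grows with range.

```python
import math
from typing import Dict, Tuple

# Overall angular accuracies quoted in 8.6.5.11 and 8.6.5.15 (read as degrees).
FIXED_STATION_ACC_DEG = 0.02
BEACON_ACC_DEG = 0.4


def beacon_azimuth(heading_deg: float, relative_bearing_deg: float) -> float:
    """Azimuth of the Beacon as seen from the Mobile Station, in 0..360.

    Beacon mode has no Fixed Station angle, so the azimuth is the gyro
    heading plus the antenna bearing measured relative to the bow.
    """
    return (heading_deg + relative_bearing_deg) % 360.0


def vessel_offset(range_m: float, azimuth_deg: float) -> Tuple[float, float]:
    """(north, east) of the Mobile Station relative to the Beacon, in metres.

    The Beacon lies range_m away on azimuth_deg from the vessel, so the
    vessel sits on the reciprocal bearing from the Beacon.
    """
    a = math.radians(azimuth_deg)
    return (-range_m * math.cos(a), -range_m * math.sin(a))


def cross_range_error(range_m: float, angle_error_deg: float) -> float:
    """Position shift (chord length) caused by an angular error at range_m."""
    return 2.0 * range_m * math.sin(math.radians(angle_error_deg) / 2.0)


def shift_from_heading_error(range_m: float, heading_deg: float,
                             relative_bearing_deg: float,
                             heading_error_deg: float) -> float:
    """Distance the computed position moves when only the gyro heading is wrong."""
    n0, e0 = vessel_offset(
        range_m, beacon_azimuth(heading_deg, relative_bearing_deg))
    n1, e1 = vessel_offset(
        range_m,
        beacon_azimuth(heading_deg + heading_error_deg, relative_bearing_deg))
    return math.hypot(n1 - n0, e1 - e0)


def error_budget() -> Dict[str, float]:
    """Cross-range error at the maximum quoted range of each mode."""
    return {
        "fixed_station_5000m": cross_range_error(5000.0, FIXED_STATION_ACC_DEG),
        "beacon_2000m": cross_range_error(2000.0, BEACON_ACC_DEG),
    }


if __name__ == "__main__":
    # Constructed sample: heading 350 deg, antenna 25 deg off the bow, 1200 m range.
    az = beacon_azimuth(350.0, 25.0)
    print("azimuth to beacon:", az)
    print("vessel offset from beacon (N, E):", vessel_offset(1200.0, az))
    for mode, err in error_budget().items():
        print(f"{mode}: {err:.2f} m cross-range")
```

At maximum range the angular term dominates the 1 m range accuracy in Beacon mode, and a gyro error feeds straight into the computed position, so the Beacon reference is not independent of the heading sensor.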
8.6.5.16 The communication between the Artemis unit and the Windows based PC is through a RS422 serial line
connection.
8.6.5.17 The PC outputs a BCD telegram to the K-POS DPC 2.
8.6.5.18 On the 157K Shuttle Tanker the Mobile Station Antenna is mounted on the bow mast.
8.6.5.19 Power Supply: The Artemis MK 5 Antenna and Computer are supplied from DP UPS 1.
8.6.6 Failure modes of the position references

8.6.6.1 The position references can be considered to have the following significant failure modes.
1. No position information output
2. False position information output
3. Loss of Input Power or internal fault
4. Serial link continuously active


8.6.7 Failure effects of the position reference systems

8.6.7.1 General: The DGPS systems each feed two serial inputs into the DPC 2 on separate RSER modules.
The RSER modules have watchdogs installed which alarm on several input faults, including empty packet
(no data but power present), no input on terminals, and multiple contiguous corrupt telegrams. Any one of
these failures would indicate to the operator that the relevant DGPS input was faulty.
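The three input faults named in 8.6.7.1, as an added example of how such a watchdog can be expressed (not the RSER firmware and not part of the report). It assumes NMEA 0183 framing with the standard XOR checksum; the thresholds, function names and sample telegrams are constructed for illustration.

```python
from functools import reduce
from typing import List, Optional, Tuple

# Assumed thresholds; the report does not give the RSER watchdog settings.
SILENCE_TIMEOUT_S = 2.0
MAX_CONTIGUOUS_CORRUPT = 3
HEX_DIGITS = "0123456789ABCDEFabcdef"


def make_sentence(body: str) -> str:
    """Frame an NMEA 0183 body as '$<body>*HH' (HH = XOR of the body bytes)."""
    checksum = reduce(lambda acc, ch: acc ^ ord(ch), body, 0)
    return f"${body}*{checksum:02X}"


def checksum_ok(sentence: str) -> bool:
    """True only for a well-framed telegram whose checksum matches its body."""
    s = sentence.strip()
    if not s.startswith("$") or "*" not in s:
        return False
    body, _, given = s[1:].rpartition("*")
    if len(given) != 2 or any(c not in HEX_DIGITS for c in given):
        return False
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0) == int(given, 16)


def has_no_data(sentence: str) -> bool:
    """True when every field after the sentence identifier is empty."""
    body = sentence.strip()[1:].rpartition("*")[0]
    return all(field == "" for field in body.split(",")[1:])


def run_watchdog(events: List[Tuple[float, Optional[str]]]) -> List[Tuple[float, str]]:
    """Return (time, alarm) for each transition into a fault state.

    events holds one (timestamp, line) entry per poll of the serial input;
    line is None when nothing arrived on the terminals during that poll.
    """
    alarms: List[Tuple[float, str]] = []
    last_rx: Optional[float] = None
    corrupt_run = 0
    current: Optional[str] = None
    for t, line in events:
        if last_rx is None:
            last_rx = t  # start the silence timer at the first poll
        if line is None:
            state = "NO_INPUT" if t - last_rx > SILENCE_TIMEOUT_S else current
        else:
            last_rx = t
            if not checksum_ok(line):
                corrupt_run += 1
                state = ("CORRUPT_TELEGRAMS"
                         if corrupt_run >= MAX_CONTIGUOUS_CORRUPT else None)
            else:
                corrupt_run = 0
                state = "EMPTY_PACKET" if has_no_data(line) else None
        if state is not None and state != current:
            alarms.append((t, state))
        current = state
    return alarms


# Constructed sample telegrams (not captured from the vessel).
GOOD = make_sentence(
    "GPGGA,120000.00,0116.0000,N,10350.0000,E,2,09,0.9,25.0,M,5.0,M,2.0,0001")
EMPTY = make_sentence("GPGGA,,,,,,,,,,,,,,")
CORRUPT = GOOD.replace("0116", "0119", 1)  # body altered, checksum left stale

SAMPLE_EVENTS: List[Tuple[float, Optional[str]]] = [
    (0.0, GOOD), (1.0, GOOD),
    (2.0, None), (3.0, None), (4.0, None),   # line goes silent
    (5.0, GOOD),
    (6.0, EMPTY),                            # framed telegram, no data
    (7.0, CORRUPT), (8.0, CORRUPT), (9.0, CORRUPT), (10.0, CORRUPT),
    (11.0, GOOD),
]

if __name__ == "__main__":
    for when, alarm in run_watchdog(SAMPLE_EVENTS):
        print(f"t={when:>4.1f}s  {alarm}")
```

A checksum only catches corruption in transit; a well-formed telegram carrying a wrong position passes this check and is left to the discrepancy alarm described in 8.6.7.3.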

8.6.7.2 No position information output: This would alarm as loss of sensor. The vessel will be operating with a
minimum of 2 sensors. The DPO would select another sensor as required. No effect on position as other PME
sensors will be selected.

8.6.7.3 False position information output / blockage of line of sight: This would alarm as a discrepancy and loss of
one position reference; the vessel will be operating with a minimum of 2 sensors. The DPO would
select another sensor or make sure the position reference sensors are operating as required. No effect on
position as other PME sensors will be selected.

8.6.7.4 Loss of Input Power or internal fault: This would alarm a loss of sensor in the DP system. The DPO would
select another sensor or make sure the position reference sensors are operating as required. No effect on
position as other PME sensors will be selected.

8.6.7.5 Serial link continuously active: This would alarm loss of sensor in the DP system. The RSER would reject
inputs from that set of terminals. No effect on position as other PME sensors will be selected.

8.6.8 Hidden failures of the position reference systems

8.6.8.1 There are no known hidden failures of the position reference system that would affect redundancy.

8.6.9 Configuration errors and maloperation of the position reference systems

8.6.9.1 General: Reference system problems and configuration errors are one of the most common causes of
loss of position. In addition to manufacturers' recommended operating practice, there is a great deal of
industry guidance on how to avoid such problems. Such information is available to DPOs and other users
from the IMCA website and similar sources.

8.6.9.2 As the DARPS system communicates with a secondary unit or DARPS Beacon on the station to be
referenced from, the offsets and loading point have to be defined very accurately on the DP system on
both the master and slave units.

8.6.9.3 On the Fanbeam, depending on the orientation of the laser unit, the Bow/Stern switch on the connector
board must be set accordingly. This would be verified during the DP tuning or CAT.

8.6.9.4 The variance setting on the Reference Systems Settings mimic is a new concept. The DPO must ensure
he is aware of the consequences of setting different values. This will impact on the Status and
Weighting of the PME in use.

8.6.10 Common mode failure associated with position reference systems

8.6.10.1 DGPS/DARPS:
1. Lightning strike to DGPS antennae.
2. Ionospheric scintillation can render satellite based systems unusable. This is somewhat mitigated
by the use of dual frequency GPS.
3. Severe weather conditions such as tropical rain storms or line of sight communication blockage
between UHF/TDMA antenna.
4. Jump in satellite derived position due to constellation change, etc.

8.6.10.2 Fanbeam:
1. Lightning strike to Fanbeam Laser Unit.
2. Fanbeam laser unit tracking onto other reflective sources.
3. Severe weather conditions or line of sight communication blockage between Laser Unit and
reflective tube/prism or dirty optical window on Laser Unit.

8.6.10.3 Artemis:
1. Lightning strike to Artemis Antenna.
2. Line of sight communication blockage between Mobile Station and Fixed Antenna/Beacon.

8.6.10.4 As can be seen above, changing environmental factors can have an effect on the accuracy of the PME.
The DP software has a variance setting on the Reference System Settings mimic where the DPO can
set a value (1-5) for each reference source. This variance setting combined with quality of signal for the
reference source provides a weighting for each PME, thereby ensuring the DP model is computed using
the most accurate information available.
8.6.11 Worst case failure of the position reference systems

8.6.11.1 Loss of either UPS 1 or UPS 2 will cause the loss of one DGPS/DARPS and one Fanbeam or one
DGPS/DARPS and one Artemis. This is mitigated by the fact that there are 6 PME outputs when DNV
rules only require three, so following failure of UPS 1 or UPS 2, two sensors remain using different
measuring principles.
8.7 CJOY INDEPENDENT JOYSTICK SYSTEM

8.7.1 References
S7001DP Cable Layout
1180308 Rev C cJoy System Cable layout

8.7.2 Description

8.7.2.1 The independent joystick system (IJS) is the Kongsberg cJoy system controlled by a cC-1 compact
controller equipped with a single RCU502 processor. It is located in the instrument room. The cC-1 can be
used as a manual joystick and in auto heading mode but has no DP capability. The IJS takes heading
information from Gyro 1 and wind information from Wind sensor 1. There is no input of pitch or roll. A
single 230V power supply is provided from the ship's supply.

8.7.3 Operation

8.7.3.1 The cC-1 controller utilises 6 galvanically isolated analogue modules to control the 6 thrusters and the
steering gear for command, feedback and system ready.

8.7.3.2 A cJoy Operator terminal serves as the main operator interface for the cJoy Compact Joystick system.
There is one installed at the forward bridge. Power for these units is supplied from the cC-1 via cJoy
junction boxes. Communication with the cC-1 is via the Ethernet network.

8.7.3.3 As with the DPC-2, the cC-1 RCU502 requires a download of configuration files to become active, in this
case from a cJoy Operator Terminal. The download is carried out across the dedicated Ethernet network. The
operator terminal will act as a boot server for the controller.

8.7.3.4 The cJoy operator terminal is basically a PC104+ embedded PC running Microsoft Windows XP
embedded operating system with the KM application on top. User interfaces include:
1. 3 axis joystick.
2. Heading wheel.
3. 6.5 inch colour display.
4. Heading alarms and buzzers.

8.7.4 Failure modes of the IJS

8.7.4.1 For the purposes of this FMEA the significant failure modes of the independent joystick are taken to be:
1. Failure of the cC-1 controller
2. Failure of a cJoy OT
3. Failure of an RIO module
4. Faulty network


8.7.5 Failure effects of the IJS

8.7.5.1 Failure of the cC-1 controller: This failure, whether due to a processor fault or a total power failure, will
stop the IJS system from operating.

8.7.5.2 Failure of a cJoy OT: The vessel hardware list shows that only one OT is available, therefore failure of the
OT will prevent operation of the IJS.

8.7.5.3 Failure of an RIO module: Failure of an RMP module will cause loss of control to one thruster. Failure of
an RSER module will cause the loss of sensor inputs. Without a heading or wind input the IJS is
inoperative. Failure of the RBUS network will also stop the IJS operating as the RMP modules cannot be
addressed.

8.7.5.4 Faulty network: A faulty cable or network node between the cC-1 and the junction box will fail
communication between the operator terminal and the controller, rendering the OT inoperable.

8.7.6 Hidden failures of the IJS

8.7.6.1 The IJS system is not monitored/alarmed whilst it is not selected, so a cC-1 fault, a cJoy terminal fault or a
network fault will not be detected until the system is required for use.

8.7.7 Maloperation of the IJS

8.7.7.1 Not expected to be an issue.

8.7.8 Common mode failure of the IJS

8.7.8.1 See common mode failure of the DPC-2 system, section 8.4.8.

8.7.9 Worst case failure of the IJS

8.7.9.1 No IJS failure should affect operations in DP mode, but several events could fail the whole of the IJS as it
is not redundant. Apart from that, as each thruster receives a separate discrete analogue signal, the worst
case failure would be loss of control to a single thruster.

8.8 BLOM PMS

8.8.1 Reference

8.8.1.1 05000848 Rev F BLOM PMS / BLOM RPMS Installation manual
1181712 Cable Layout- Blom Logger Rev D

8.8.2 Description

8.8.2.1 Blom PMS (Blom Position Monitoring System) is a real time data acquisition, calculation, logging and
display system designed to monitor vessel position during offshore oil loading. The system interfaces all
navigational sensors: Artemis, Fanbeam, DGPS, Gyros, Wind sensors, MRUs and the DP system.

8.8.2.2 The BLOM PMS comprises TFT / LCD Monitor, Interface box, Controller, Telemetry, Alarm / Buzzer,
Trackball.

8.8.2.3 Data is fed into the computer through the interface box. Data is read by the controller and processed. The
operator may control it using the trackball device. Results and activities are presented on the monitor and
on certain conditions, alarms will be given.

8.8.3 Operation

8.8.3.1 BLOM PMS calculates position and quality of the various navigation systems and displays the results on
a user configurable display screen by means of various information panels. The system integrates all
available positioning information and computes the best combined position for all connected systems.

8.8.3.2 The telemetry system is used for data transmission between two vessels operating in tandem positions
(one behind the other). For BLOM PMS, the free sector should be 180° centred on the bow direction. It is
recommended to place the telemetry on the bridge roof or the main mast. It is not advisable to place the
telemetry within 2 meters of other antennas, and attention should be paid to the RF exposure. Commissioning
of the BLOM system was not complete during the vessel's proving trials.


8.8.4 Failure modes of the BLOM

8.8.4.1 For the purposes of this FMEA the significant failure modes of the BLOM PMS are taken to be:
1. Failure of the BLOM PMS Controller
2. Failure of the BLOM PMS Interface Box
3. False data sent to BLOM PMS
4. Faulty network

8.8.5 Failure effects of the BLOM PMS

8.8.5.1 Failure of the BLOM PMS Controller: A processor fault or a total power failure will stop the BLOM PMS
system from operating.

8.8.5.2 Failure of the BLOM Interface Box: The BLOM PMS system will not have any position reference system
input to process.

8.8.5.3 False data sent to BLOM PMS: The system will calculate a different position and display wrong
information. There will be no effect on the DP system.

8.8.5.4 Faulty network: There will be no network communication between the BLOM system and the DP system.
The network is connected to net A via K-POS OS 1. This will not affect the DP system.

8.8.6 Hidden failures of the BLOM PMS

8.8.6.1 There are no known hidden failures for the BLOM PMS which could affect redundancy.

8.8.7 Maloperation of the BLOM PMS

8.8.7.1 BLOM PMS is a real time data acquisition, calculation, logging and display system designed to monitor
vessel position during offshore oil loading. This system is purely for monitoring purposes and therefore
any fault that leads to maloperation has no effect on the DP system and DP operation.

8.8.8 Common mode failure of the BLOM PMS

8.8.8.1 BLOM PMS does not have any redundancy as the system is purely a position monitoring system.
Therefore failure of BLOM PMS will have no effect on the DP system.

8.8.8.2 When connecting external memory drives to the BLOM PC, care has to be taken to ensure that no
viruses are introduced to the system, as this may potentially affect the rest of the DP systems because the
BLOM computer is connected to the DP network via net A through the K-POS OS1.

8.8.9 Worst case failure of the BLOM PMS

8.8.9.1 Failure of BLOM PMS will have no effect on the DP system.

8.9 DP UNINTERRUPTIBLE POWER SUPPLIES

8.9.1 Drawing Reference
1180307 Rev.E Cable Layout

8.9.2 Description

8.9.2.1 To comply with the redundancy requirements of class, the vessel essentially utilizes two DP UPS,
designated UPS 1 and UPS 2. Each UPS is powered by a 220V 1 60Hz supply. The main supply for
UPS 1 is from LV 220V MFP No.1, and the main supply for UPS 2 is from LV 220V MFP No.2. Each UPS
distributes 230V single phase regulated AC supply to the related consumers.

8.9.2.2 All the UPS are identical Powerware single 1 3KVA units. These are tower units with a built in
maintenance bypass switch. The battery bank and breaker panel for each UPS is also housed in the UPS
cabinet.


8.9.2.3 Operation: The Powerware UPS is an on-line UPS supplying continuous, clean, single-phase power to
the DP system and critical equipment required to maintain station. While feeding the load it also
maintains the charge in the battery pack. If the input supply should fail the UPS will continue to supply
clean power to the load without interruption. Class requirements state the UPS must supply critical DP
equipment for a minimum of 30 minutes following a power interruption.

8.9.2.4 Each UPS consists of the following:
1. Input Filter
2. AC to DC converter
3. Battery system
4. DC to AC inverter
5. Maintenance Bypass switch (S2)
6. Output filter
7. Controller
8. ESD Trip Switch (K2)

8.9.2.5 The switched AC to DC converter allows the charging of the battery backup supply and supply of normal
power. The static inverter changes the DC supply into regulated AC output power. The static bypass
switch provides an alternative route for the input power to reach the consumers if the converters fail. The
battery system uses a DC to DC converter to control charge and discharge, and convert the battery
voltage to the DC bus voltage.

8.9.2.6 Control and monitoring of the UPS is achieved by a digital signal processor that commands the
converters/inverter switches and monitors voltage control. It can quickly detect main supply power
problems and shut down the AC to DC converter to prevent potential issues. The keypad on the front of
the UPS in conjunction with the controller software can be used as a diagnostic aid. For example it can
be utilised to test battery fitness every 30 days, with the relevant alarms if required.
Table 8-7 DP UPS Distribution

UPS                         Location
DPC-2                       Instrument room
cJoy (cC-1)                 Instrument room          X
K-Pos OS1                   Bridge                   X
K-Pos OS2                   Bridge
Gyro 1                      Instrument room
Gyro 2                      Instrument room
Gyro 3                      Instrument room
Wind 1                      Bridge overhead panel
Wind 2                      Bridge overhead panel    X
Wind 3                      Bridge overhead panel    X
DARPS 200 Cabinet           Bridge
DARPS 200 monitor           Bridge
DARPS 132 Cabinet           Bridge
DARPS 132 Remote Cabinet    Forward Bow Mast
DARPS 132 Monitor           Bridge
Fanbeam UCU                 Bridge
Fanbeam Laser J/B           Forward Mast
Artemis Antenna             Forward Mast
Artemis Computer            Bridge
Alarm Printer               Bridge
OMC 146 Display             CCR                      X
BLOM                        Bridge

8.9.3 Failure modes of the DP UPSs

8.9.3.1 The following failure modes have been analysed for this report:
1. DC supply low.
2. Inverter output low.
3. Inverter output high.
4. Bypass.
5. Battery faults.

8.9.4 Failure Effects of the DP UPSs

8.9.4.1 The Control and monitoring circuits of the UPS will detect the failures above and alert the DPO via the DP
alarms. As would be expected, the UPS(s) feed multiple consumers and total loss of a UPS would be a
significant failure. The table in the narrative above indicates the consumers which would be affected following
loss of the relevant UPS.

8.9.5 Hidden Failures of the DP UPSs

8.9.5.1 UPS hidden failures are guarded against by having a UPS common alarm to the DP system. This alarm
should be set to alarm for main supply failure, UPS in bypass and battery low. It is important to resolve
any issues with the UPS as any further failures are not alarmed until the original common alarm is
cleared.

8.9.6 Maloperation of the DP UPSs

8.9.6.1 If a UPS is left in manual bypass for extended times this could have a detrimental effect on consumers
as raw supply is provided. This is not recommended when supplying sensitive electronic equipment.

8.9.7 Worst Case Failure of the DP UPSs

8.9.7.1 The worst case failure will be internal parts failure of UPS 1 or UPS 2. Loss of either UPS 1 or UPS 2
will cause the loss of one DGPS and one Fanbeam or one DGPS and one Artemis. This is mitigated by the
fact that there are 4 PME sensors when DNV rules only require three, so following failure of UPS 1 or UPS
2, two systems remain using different measuring principles.

8.10 DP COMMUNICATIONS

8.10.1 Description

8.10.1.1 The DP communication systems allow verbal communication between the Bridge, DP room and the other
locations. Communications from and to the wheelhouse on the 157K Shuttle Tanker include:
1. PA/GA with Talkback System
2. Sound Powered Telephone Systems
3. Automatic Telephone Exchange
4. UHF Radio System
5. VHF


8.10.1.2 Redundancy/Commonality: There are several different methods of voice communication available at
each location. The systems are independent in method with minimal crossover of power supplies.

8.10.2 Failure modes of the communications systems

8.10.2.1 The design of the voice communication system has been analysed by examining the relevant system
components, considering the failure modes of each component and determining the effect of that failure
on the ability to communicate with important spaces during the proving trials.

8.10.2.2 The failure causes considered included supply faults and component failures. The ability to use the
auto-telephone and the sound powered telephones on the bridge to contact thruster spaces and ECR will be
tested during the proving trials.

8.10.3 Hidden failures of the communications systems

8.10.3.1 Most of these systems will be tested by being used regularly. Less popular systems such as the talkback
system must be regularly tested to assure operation and battery backup.

8.10.4 Maloperation of the communications systems

8.10.4.1 It is not expected that maloperation of these systems could affect position keeping.

8.10.5 Worst case failure of the communications systems

8.10.5.1 No single failure should lead to total loss of communication but one system may be affected at a time.

9 EMERGENCY SHUTDOWN (ES) SYSTEM

9.1 ES SYSTEM

9.1.1 Reference
S7001-Power Diagram
Local Group Starter

9.1.2 Description

9.1.2.1 The ES system is used to provide a safe and rapid shutdown of systems and equipment. The ES system
processes input signals from manual push buttons.

9.1.2.2 The Emergency stop boxes are located at the following locations:
ES 1A

ES 1B

ES 2A

ES 2B

ES 3

ES 4

Entrance
changing

E/R
Entrance
(Officer changing
room)

FCS
E/R
(Crew
room)

Galley Entrance

9.1.2.3 The ES system is divided into 6 groups, which are ES 1A, ES 1B, ES 2A, ES 2B, ES3 and ES4. The
ES is wired in series in each group.

9.1.2.4 The emergency stops are grouped based on the two way split design for MSB1 and MSB2. Operation of
ES1A will stop G/Es 1/2 and M/E from running. Operation of ES1B will stop G/Es 3 and 4 from running.

9.1.2.5 The emergency stop consumers are listed in Table 9-1:

Table 9-1 ES System

ES1-A

ES1-B

No.1 Main L.O Pump

SV FOR NO.2 G/E M.D.O FLUSHING PUMP

No.1 Stern Tube L.O Pump

NO.2 AUX. BLOWER

No.1 M/E F.O Circ Pump

NO.2 I.G BLOWER FAN

No.1 M/E F.O Supply Pump

NO.2 ECR PACKAGE AIR CONDITIONING UNIT

NO.1/2 G/E DO SUPP PUMP

NO.2 SWBD ROOM PACKAGE AIR CONDITIONING


UNIT

NO.2 & 3 E/R FAN

REMOTE V/V HYD. POWER UNIT

NO.1 AUX. BLOWER

NO.2 M/E HYD. STARTUP PUMP

NO.1 I.G BLOWER FAN

CYL. LUB. OIL HEATING UNIT

NO.1 ECR PACKAGE AIR CONDITIONING UNIT

NO.4 THRUSTER HPP STARTER CABINET (A7)

NO.1 SWBD ROOM PACKAGE AIR CONDITIONING


UNIT

NO.4 THRUSTER HPP STARTER CABINET (A8)


NO.1 M/E HYD. STARTUP PUMP

NO.4 THRUSTER CIRC. PUMP STARTER CABINET


(A9)

NO.1 BOILER POWER PANEL

NO.4 G/E L.O PRIM. PUMP

ODME SAMPLING PUMP

NO.2 BOILER POWER PANEL

NO.1 AIR CONDITIONING PLANT COMPRESSOR

NO.2 AIR CONDITIONING PLANT COMPRESSOR

ODME SAMPLING PUMP

NO.2 MAIN L.O PUMP

NO.1 AIR CONDITIONING PLANT COMPRESSOR

NO.2 STERN TUBE L.O PUMP

INCINERATOR

NO.2 M/E F.O CIRC. PUMP

W.O TANK CONT. PANEL

NO.2 M/E F.O SUP. PUMP

SV FOR NO.1 G/E M.D.O FLUSHING PUMP

NO.3/4 G/E D.O SUP. PUMP

NO.1 E/R VENT. FAN(REVERIBLE)

NO.4 E/R VENT. FAN(NONREVERIBLE)

EMCY CPP. HYD. PUMP STARTER

M.D.O TRANS. PUMP

EMCY CPP. HYD. FILTER STARTER

H.F.O TRANS. PUMP

NO.1 COPT PRIM. L.O PUMP

OILY WATER SEPARATOR CONTROL PANEL

DRAIN TRANS. PUMP

NO.2 COPT PRIM. L.O PUMP

PROV. REF. FAN

SOOT BLOWER CONT. PANEL

L.O TRANS. PUMP

NO.4 THRUSTER OIL FILTRATION PUMP

NO.5 THRUSTER HPP STARTER CAB. SERVO


PUMP 1(A7)

NO.2/3 CPP. HYD. PUMP STARTER

NO.5 THRUSTER HPP STARTER CAB. SERVO


PUMP 2(A8)

NO.2 H.F.O PURIFIER

NO.5 THRUSTER OIL FILTRATION PUMP

NO.2 H.F.O PURI. SUP. PUMP

BILGE CIRC. PUMP

NO.2 MAIN L.O PURIFIER

OILY BILGE PUMP

NO.2 MAIN L.O PURI. SUP. PUMP

SLUDGE PUMP

NO.2 G/E L.O PURIFIER

WELDING SPACE EXH. FAN

NO.2 G/E L.O PURI.SUP. PUMP

NO.1/3 CPP. HYD. PUMP STARTER

M/E M.G.O CHILLER UNIT

NO.1/2/3 G/E L.O PRIM. PUMP

NO.2 G/E D.O AUTO FILTER

HYD. OIL AUTO FILTER CONT. PANEL


M/E L.O AUTO FILTER
M/E F.O AUTO FILTER
No.1 H.F.O Purifier
NO.1 H.F.O PURI. SUP. PUMP
NO.1 MAIN L.O PURIFIER
NO.1 MAIN L.O PURI. SUP. PUMP
NO.1 G/E L.O PURIFIER
NO.1 G/E L.O PURI.SUP. PUMP


PURI. ROOM EXH. FAN


HIGH EXP. FOAM PANEL
NO.1 G/E D.O AUTO FILTER
CALORIFIER
ES2A

ES2B

NO.1/2/3/4 DUCT HEATER

ACCOM. AC220V SUB DIST. BOARD

NO.1/2/3/4 W/H WINDOW DEFROSTING FAN

NO.5/6/7/8 DUCT HEATER

STEERING GEAR ROOM FAN

NO.5/6/7/8 W/H WINDOW DEFROSTING FAN

FOAM ROOM EXH. FAN

SANITARY & LAUNDRY SPACE EXH. FAN

PAINT STORE EXH. FAN

GALLEY PACKAGE AIR CONDITIONING UNIT

CHEMICAL STORE EXH. FAN

NO.2 W/H PACKAGE AIR CONDITIONING UNIT

AIR HANDLING UNIT (1)

GALLEY EXH. FAN

NO.1 W/H PACKAGE AIR CONDITIONING UNIT

GALLEY SUP. FAN


PROV. REF. PLANT FAN CONTROL PANEL
AIR HANDLING UNIT (2)

ES3

ES4

G2 PANEL

ACCOM. AC220V SECTION BOARD (NO.2 SECTION)

GALLEY PACKAGE AIR CONDITIONING UNIT

NO.3 THRUSTER OIL FILTRATION PUMP

GALLEY EXH. FAN

BOW THRUSTER ROOM SUP. FAN

GALLEY SUP. FAN

WATCHMAN CABIN SUP. FAN


BOSUN STORE SUP. FAN
NO.2 THRUSTER OIL FILTRATION PUMP
NO.1 PUMP ROOM EXH. FAN (STBD)
NO.2 PUMP ROOM EXH. FAN (PORT)

9.1.2.6 The system is split to match the redundancy concept. Such an arrangement in the ES system might
cause the failure of half the systems pumps and fans which may equal the WCFDI.

9.1.2.7 The system is designed with the circuits normally closed. Activation of the emergency stop push button
opens the circuit and causes the consumers in that group to stop.

9.1.2.8 Failure modes of the ES System and Fire Detection System
1. Short Circuit of the ES circuit
2. Open Circuit of the ES circuit

9.1.3 Failure effects of the ES System

9.1.3.1 Short circuit of the ES circuit: Once there is a short circuit in one group of the ES system, there will be no
effect on the equipment as the contacts used in the pushbuttons are NC contacts. There are no alarms
provided in the ICMS for detecting the short circuit on ES pushbuttons and this will fail the functioning of
the ES pushbuttons. To mitigate this problem it is advised to test the functions of these pushbuttons
periodically.


9.1.3.2 Open circuit of the ES circuit: Once there is an open circuit in one group of the ES system, it will stop the
machinery in that particular group. An alarm will be initiated in the ICMS system. The system is split to
match the redundancy concept. Such an arrangement in the ES system might cause the failure of half the
systems which may not exceed WCFDI.

9.1.4 Hidden failures of the ES System

9.1.4.1 No hidden failures identified.

9.1.5 Maloperation of the ES System

9.1.5.1 Maloperation is guarded against by fitting protective coverings on all ES buttons.

9.1.6 ES System configuration errors that could defeat redundancy

9.1.6.1 There is no configuration that will defeat redundancy.

9.1.7 Common mode failure associated with the ES System

9.1.7.1 There is no common mode failure associated with the ES system.

9.1.8 Worst case failure of the ES System

9.1.8.1 The system is split to match the redundancy concept. Such an arrangement in the ES system might
cause half of the pumps of the generators and main engine to fail. This will not affect the engines and DP
operation as there are standby pumps to take over the duty.

10 CONCLUSIONS AND RECOMMENDATIONS

10.1 CONCLUSIONS

10.1.1 Worst Case Failure Design Intent:

10.1.1.1 The vessel's worst case failure design intent can be summarised as: No single failure (as defined for
Dynpos AUTR) will lead to a failure effect exceeding:
o Failure of up to two generators due to fuel contamination.
o One common 6.6kV bus MV 6.6 MSB No.1
o Three thrusters: one bow tunnel thruster (T1), one stern tunnel thruster (T5) and one CPP (T6)

10.1.2 Worst Case Failure

10.1.2.1 No single failure as defined for DP Equipment Class 2 has been identified that has an effect exceeding
the Worst Case Failure Design Intent.

10.1.3 Compliance

10.1.3.1 On the basis of the desktop analysis, the design of the DP system is considered to comply with the
requirements of IMO DP Equipment Class 2 and Dynpos AUTR.

10.1.4 Conclusion

10.1.4.1 No single failure as defined for DP Equipment Class 2 has been identified that has an effect exceeding
the Worst Case Failure Design Intent. Therefore, provided the vessel is operated within its post failure
environmental envelope, position and heading should be maintained following the worst case failure. For
this to be true at the environmental limits, all machinery must be capable of its rated capacity.
